 From:  Manuel Kasper <mk at neon1 dot net>
 To:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPsec problem
 Date:  Mon, 1 Sep 2003 07:32:11 +0200 (CEST)
On Mon, 1 Sep 2003, Christopher M. Iarocci wrote:

> Anyone seen this error when trying to establish an IPSec tunnel?
> racoon: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID value mismatched

Yep, I've seen that before. Even when I was almost absolutely positive
that the my_identifier/peers_identifier settings on both sides were
matching. Add to the fact that racoon has extremely helpful error messages
(if you can't tell - I'm being sarcastic ;)... Another common problem with
racoon seems to be that it doesn't support IP address ranges in phase 2,
just subnets. Some commercial VPN gateways like to use ranges, though, and
that's when phase 2 fails. That isn't the case here, though.

> The tunnel seems to establish ok because I see this after the above error:
> racoon: INFO: pfkey.c:1134:pk_recvupdate(): IPsec-SA established: AH/Tunnel spi=45794267(0x2bac3db)

Looks good so far.

> The problem I have is, if I now try and communicate with the LAN on the
> other side, I can't seem to pass any packets through to it.  I've tried
> opening up the firewall, even as far as wide open, and nothing.  Still can't
> pass any packets.  When I look at the remote side (it's a Netopia R9100
> without hardware acceleration, which is why I'm using AH), it doesn't show any
> packets arriving at that end.  Any ideas?

To be honest, I haven't really tried AH before due to its limited
usefulness (most people want encryption when they use IPsec ;). Could you
give us the output of the following commands, entered on /exec.php ? :

cat /var/etc/racoon.conf
/usr/sbin/setkey -DP
/usr/sbin/setkey -D

Also, does the filter log indicate any dropped packets when you try to
communicate with the other end after the tunnel is established?
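An added example, not part of this thread: a small Python checker that reads the output of `setkey -DP` (the SPD) and `setkey -D` (the SAD) requested above and reports, for each policy that requires a tunnel, whether a mature SA for its endpoints actually exists, which is the first thing to look for when a tunnel "establishes" but passes no traffic. The sample output is constructed to approximate setkey's format; the gateway addresses 10.0.0.1/10.0.0.2 and LANs 192.168.1.0/24 and 192.168.2.0/24 are placeholders.

```python
import re

# Constructed sample (not real output), approximating `setkey -D` and `setkey -DP`
# on a gateway with an AH tunnel; note only the outbound SA is present.
SAD = """\
10.0.0.1 10.0.0.2
    ah mode=tunnel spi=45794267(0x02bac3db) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
"""
SPD = """\
192.168.1.0/24[any] 192.168.2.0/24[any] any
    out ipsec
    ah/tunnel/10.0.0.1-10.0.0.2/require
    spid=1 seq=1 pid=123
192.168.2.0/24[any] 192.168.1.0/24[any] any
    in ipsec
    ah/tunnel/10.0.0.2-10.0.0.1/require
    spid=2 seq=0 pid=123
"""

# SA header line "src dst", then "ah|esp mode=... spi=...", then "state=..." further down.
SA_RE = re.compile(r"^(\S+) (\S+)\n\s+(ah|esp) mode=(\w+) spi=\d+\(0x[0-9a-f]+\).*?state=(\w+)", re.M | re.S)
# Policy selector line, then "in|out ipsec", then "proto/mode/tunsrc-tundst/level".
POL_RE = re.compile(r"^(\S+)\[\S*\] (\S+)\[\S*\] \S+\n\s+(in|out) ipsec\n\s+(ah|esp)/(\w+)/(\S+)-(\S+)/(\w+)", re.M)

def parse_sad(text):
    """Return {(src, dst, proto): (mode, state)} for every SA in `setkey -D` output."""
    return {(m[1], m[2], m[3]): (m[4], m[5]) for m in SA_RE.finditer(text)}

def parse_spd(text):
    """Return (src_net, dst_net, dir, proto, mode, tun_src, tun_dst, level) per policy."""
    return [m.groups() for m in POL_RE.finditer(text)]

def check_tunnel(sad_text, spd_text):
    """For each 'require' policy, say whether a mature SA exists for its tunnel endpoints."""
    sad = parse_sad(sad_text)
    findings = []
    for src, dst, direction, proto, mode, tsrc, tdst, level in parse_spd(spd_text):
        if level != "require":
            continue  # 'use' policies pass traffic in the clear when no SA exists
        sa = sad.get((tsrc, tdst, proto))
        if sa is None:
            findings.append(f"{direction} {src}->{dst}: no {proto} SA {tsrc}->{tdst}; traffic will be dropped")
        elif sa[0] != mode or sa[1] != "mature":
            findings.append(f"{direction} {src}->{dst}: SA {tsrc}->{tdst} is {sa[0]}/{sa[1]}, expected {mode}/mature")
        else:
            findings.append(f"{direction} {src}->{dst}: ok ({proto}/{mode} via {tsrc}->{tdst})")
    return findings

if __name__ == "__main__":
    print("\n".join(check_tunnel(SAD, SPD)))
```

With the constructed sample the inbound policy has no matching SA, so replies from the remote LAN would be dropped even though racoon logged "IPsec-SA established".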