 
 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  "Manuel Kasper" <mk at neon1 dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPsec problem
 Date:  Mon, 1 Sep 2003 01:53:08 -0400
----- Original Message ----- 
From: "Manuel Kasper" <mk at neon1 dot net>
To: "Christopher M. Iarocci" <iarocci at eastendsc dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Monday, September 01, 2003 1:32 AM
Subject: Re: [m0n0wall] IPsec problem


> On Mon, 1 Sep 2003, Christopher M. Iarocci wrote:
>
> > Anyone seen this error when trying to establish an IPSec tunnel?
> >
> > racoon: WARNING: ipsec_doi.c:3099:ipsecdoi_checkid1(): ID value mismatched
>
> Yep, I've seen that before. Even when I was almost absolutely positive
> that the my_identifier/peers_identifier settings on both sides were
> matching. Add to the fact that racoon has extremely helpful error messages
> (if you can't tell - I'm being sarcastic ;)... Another common problem with
> racoon seems to be that it doesn't support IP address ranges in phase 2,
> just subnets. Some commercial VPN gateways like to use ranges, though, and
> that's when phase 2 fails. That isn't the case here, though.
>
> > The tunnel seems to establish ok because I see this after the above error:
> >
> > racoon: INFO: pfkey.c:1134:pk_recvupdate(): IPsec-SA established: AH/Tunnel
> > 24.184.150.82->24.190.174.211 spi=45794267(0x2bac3db)
>
> Looks good so far.
>
> > The problem I have is, if I now try and communicate with the LAN on the
> > other side, I can't seem to pass any packets through to it.  I've tried
> > opening up the firewall, even as far as wide open, and nothing.  Still can't
> > pass any packets.  When I look at the remote side (it's a Netopia R9100
> > without hardware acceleration, which is why I'm using AH), it doesn't show any
> > packets arriving at that end.  Any ideas?
>
> To be honest, I haven't really tried AH before due to its limited
> usefulness (most people want encryption when they use IPsec ;). Could you
> give us the output of the following commands, entered on /exec.php ? :
>
> cat /var/etc/racoon.conf

Here is output of above:

path pre_shared_key "/var/etc/psk.txt";

remote 24.184.150.82 {
	exchange_mode main;
	my_identifier address "24.190.174.211";
	peers_identifier address 24.184.150.82;
	initial_contact on;
	support_proxy on;
	proposal_check obey;
	proposal {
		encryption_algorithm des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 864000000 secs;
	}
	lifetime time 864000000 secs;
}

sainfo address 192.168.2.0/24 any address 192.168.5.0/24 any {
	encryption_algorithm des,3des,blowfish,cast128,rijndael;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
	pfs_group 2;
	lifetime time 864000000 secs;
}


> /usr/sbin/setkey -DP

Here is output of above:

192.168.5.0/24[any] 192.168.2.0/24[any] any
	in ipsec
	ah/tunnel/24.184.150.82-24.190.174.211/require
	spid=2 seq=1 pid=600
	refcnt=1
192.168.2.0/24[any] 192.168.5.0/24[any] any
	out ipsec
	ah/tunnel/24.190.174.211-24.184.150.82/require
	spid=1 seq=0 pid=600
	refcnt=1

> /usr/sbin/setkey -D

Here is output of above:

24.190.174.211 24.184.150.82
	ah mode=tunnel spi=3978665421(0xed259dcd) reqid=0(0x00000000)
	A: hmac-md5  eb49e601 33529789 73f5ff76 286326fc
	seq=0x00000010 replay=4 flags=0x00000000 state=mature
	created: Sep  1 10:31:34 2003	current: Sep  1 10:45:11 2003
	diff: 817(s)	hard: 864000000(s)	soft: 4005232(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=605 refcnt=2
24.184.150.82 24.190.174.211
	ah mode=tunnel spi=77374825(0x049ca569) reqid=0(0x00000000)
	A: hmac-md5  f2a08da5 c723c537 f45040f4 9927c4a4
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Sep  1 10:31:34 2003	current: Sep  1 10:45:11 2003
	diff: 817(s)	hard: 864000000(s)	soft: 4005232(s)
	last:                     	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=0 pid=605 refcnt=1

>
> Also, does the filter log indicate any dropped packets when you try to
> communicate with the other end after the tunnel is established?

I'm going to assume you mean the firewall log entries.  Each time I try and
send a ping to 192.168.5.1 (LAN interface of other router) I get one of
these lines for each ping I send.  (I'm also assuming each entry in the
firewall log entries shows a blocked or dropped packet.  Why would you want
to display allowed packets?)

10:46:38.167031 fxp0 @0:5 B 24.190.174.211 -> 24.184.150.82 PR ah len 20 (104) OUT


Thanks for any help,

Chris


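As an added example (not from the thread, m0n0wall or racoon), the following Python script cross-checks the two outputs Chris posted: it parses the `setkey -D` SAD entries and the ipfilter-style firewall log line, and flags a mature SA that has carried no bytes while the filter is blocking packets of the same protocol between the same gateways, which separates a packet-filter problem from an IKE problem. The sample input is a constructed, trimmed copy of the lines above, and the log regex assumes the one-line layout shown there.

```python
import re

# Constructed sample: trimmed copies of the `setkey -D` and firewall-log lines
# from the thread (same gateways, SPIs and log layout; indentation normalised).
SETKEY_D = """\
24.190.174.211 24.184.150.82
    ah mode=tunnel spi=3978665421(0xed259dcd) reqid=0(0x00000000)
    seq=0x00000010 replay=4 flags=0x00000000 state=mature
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
24.184.150.82 24.190.174.211
    ah mode=tunnel spi=77374825(0x049ca569) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
"""
FW_LOG = "10:46:38.167031 fxp0 @0:5 B 24.190.174.211 -> 24.184.150.82 PR ah len 20 (104) OUT\n"

def parse_sad(text):
    """One dict per SA: gateway pair, protocol, mode, SPI, state and bytes carried."""
    sas, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():        # "src dst" header starts a new SA
            cur = dict(zip(("src", "dst"), line.split()))
            sas.append(cur)
        elif m := re.match(r"\s*(ah|esp) mode=(\w+) spi=(\d+)", line):
            cur.update(proto=m[1], mode=m[2], spi=int(m[3]))
        elif m := re.search(r"state=(\w+)", line):
            cur["state"] = m[1]
        elif m := re.match(r"\s*current: (\d+)\(bytes\)", line):
            cur["bytes"] = int(m[1])
    return sas

# Assumed log layout (as in the thread): time iface @group:rule B|P src -> dst PR proto ... IN|OUT
LOG_RE = re.compile(r"^\S+ (\S+) @\S+ ([BP]) (\S+) -> (\S+) PR (\w+) .* (IN|OUT)$")

def parse_fw_log(text):
    keys = ("iface", "action", "src", "dst", "proto", "dir")
    return [dict(zip(keys, m.groups()))
            for m in map(LOG_RE.match, text.splitlines()) if m]

def diagnose(sas, log):
    """A mature SA with zero bytes plus a blocked packet of the same protocol
    between the same gateways points at the packet filter, not at IKE/racoon."""
    findings = []
    for sa in sas:
        if sa.get("state") == "mature" and sa.get("bytes") == 0:
            for e in log:
                if (e["action"], e["proto"], e["src"], e["dst"]) == \
                   ("B", sa["proto"], sa["src"], sa["dst"]):
                    findings.append(f"{sa['proto']} SA {sa['src']}->{sa['dst']} is idle; "
                                    f"filter blocked {e['proto']} {e['dir']} on {e['iface']}")
    return findings
```

Run on the sample it reports the outbound AH SA as idle and blocked on fxp0, i.e. the gateway's own filter needs to pass protocol 51 (AH) to the peer before any tunnel traffic can flow.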
