 From:  "Kevin Roosdahl" <kevin at prestigecomputers dot ca>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Problem setting up IPSec between two Soekris net4501 running m0n0wall 1.0
 Date:  Fri, 23 Jul 2004 06:23:20 -0700
I have two Soekris net4501s running m0n0wall 1.0 and would like to
set up an IPSEC VPN between them.
I had it working last year, so I'm not sure what has changed.

The Hifn 7951 hardware crypto is installed so I have chosen 3DES/SHA1.

I cut/pasted the pre-shared key, so they should be the same (snipped in
the example).
I have search/replaced the public IPs to A.A.A.A and B.B.B.B.

I have included the system logs showing the errors, as well as some
configuration information, below.
Let me know if you need more.

Thanks,

Kevin

SYSTEM LOGS FROM A.A.A.A:
=========================================

Jul 23 05:42:39 racoon: ERROR: isakmp.c:851:isakmp_ph1begin_r():
couldn't find configuration. 
Jul 23 05:42:02 racoon: INFO: isakmp.c:1358:isakmp_open():
172.16.100.22[500] used as isakmp port (fd=9) 
Jul 23 05:42:02 racoon: INFO: isakmp.c:1358:isakmp_open(): A.A.A.A[500]
used as isakmp port (fd=8) 
Jul 23 05:42:02 racoon: INFO: isakmp.c:1358:isakmp_open():
192.168.0.1[500] used as isakmp port (fd=7) 
Jul 23 05:42:02 racoon: INFO: isakmp.c:1358:isakmp_open():
127.0.0.1[500] used as isakmp port (fd=6) 
Jul 23 05:42:01 racoon: INFO: main.c:175:main(): @(#)This product linked
OpenSSL 0.9.7c 30 Sep 2003
Jul 23 05:42:01 racoon: INFO: main.c:174:main(): @(#)internal version
20001216 sakane at kame dot net 
Jul 23 05:42:01 racoon: INFO: main.c:172:main(): @(#)package version
freebsd-20030826a 

SYSTEM LOGS FROM B.B.B.B:
=========================================

Jul 23 08:42:55 racoon: ERROR: isakmp.c:490:isakmp_main(): can't start
the quick mode, there is no ISAKMP-SA,
0d02a0e084ede01d:adde7fb52254e37e:0000d25a 
Jul 23 08:42:55 racoon: ERROR: isakmp_inf.c:328:isakmp_info_send_nx():
no configuration found for peer address. 
Jul 23 08:42:46 racoon: ERROR: isakmp.c:490:isakmp_main(): can't start
the quick mode, there is no ISAKMP-SA,
0d02a0e084ede01d:adde7fb52254e37e:0000d25a 
Jul 23 08:42:46 racoon: ERROR: isakmp_inf.c:328:isakmp_info_send_nx():
no configuration found for peer address. 
Jul 23 08:42:39 racoon: ERROR: isakmp.c:490:isakmp_main(): can't start
the quick mode, there is no ISAKMP-SA,
0d02a0e084ede01d:adde7fb52254e37e:0000d25a 
Jul 23 08:42:39 racoon: ERROR: isakmp_inf.c:328:isakmp_info_send_nx():
no configuration found for peer address. 
Jul 23 08:42:36 last message repeated 3 times 
Jul 23 08:42:09 racoon: ERROR: isakmp.c:851:isakmp_ph1begin_r():
couldn't find configuration. 
Jul 23 08:42:04 racoon: INFO: isakmp.c:1358:isakmp_open():
172.16.40.23[500] used as isakmp port (fd=8) 
Jul 23 08:42:04 racoon: INFO: isakmp.c:1358:isakmp_open(): B.B.B.B[500]
used as isakmp port (fd=7) 
Jul 23 08:42:04 racoon: INFO: isakmp.c:1358:isakmp_open():
127.0.0.1[500] used as isakmp port (fd=6) 
Jul 23 08:42:03 racoon: INFO: main.c:175:main(): @(#)This product linked
OpenSSL 0.9.7c 30 Sep 2003
Jul 23 08:42:03 racoon: INFO: main.c:174:main(): @(#)internal version
20001216 sakane at kame dot net 
Jul 23 08:42:03 racoon: INFO: main.c:172:main(): @(#)package version
freebsd-20030826a 

RACOON CONF FROM SYSTEM A.A.A.A:
=========================================

path pre_shared_key "/var/etc/psk.txt";

remote B.B.B.B {
	exchange_mode main;
	my_identifier address "A.A.A.A";
	peers_identifier address B.B.B.B;
	initial_contact on;
	support_proxy on;
	proposal_check obey;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 28800 secs;
	}
	lifetime time 28800 secs;
}

sainfo address 172.16.100.0/22 any address 172.16.40.0/22 any {
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
	pfs_group 2;
	lifetime time 86400 secs;
}

SPD 
172.16.40.0/22[any] 172.16.100.0/22[any] any
	in ipsec
	esp/tunnel/B.B.B.B-A.A.A.A/unique#16398
	spid=14 seq=1 pid=69814
	refcnt=1
172.16.100.0/22[any] 172.16.40.0/22[any] any
	out ipsec
	esp/tunnel/A.A.A.A-B.B.B.B/unique#16397
	spid=13 seq=0 pid=69814
	refcnt=1
 
SAD 
No SAD entries.

RACOON CONF FROM SYSTEM B.B.B.B:
=========================================

path pre_shared_key "/var/etc/psk.txt";

remote A.A.A.A {
	exchange_mode main;
	my_identifier address "B.B.B.B";
	peers_identifier address A.A.A.A;
	initial_contact on;
	support_proxy on;
	proposal_check obey;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 28800 secs;
	}
	lifetime time 28800 secs;
}

sainfo address 172.16.40.0/22 any address 172.16.100.0/22 any {
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
	pfs_group 2;
	lifetime time 86400 secs;
}

SPD 
172.16.100.0/22[any] 172.16.40.0/22[any] any
	in ipsec
	esp/tunnel/A.A.A.A-B.B.B.B/unique#16386
	spid=2 seq=1 pid=185
	refcnt=1
172.16.40.0/22[any] 172.16.100.0/22[any] any
	out ipsec
	esp/tunnel/B.B.B.B-A.A.A.A/unique#16385
	spid=1 seq=0 pid=185
	refcnt=1
 
SAD 
No SAD entries.

PARTIAL CONFIGURATION FROM A.A.A.A:
=========================================

<filter>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>esp</protocol>
			<source>
				<address>B.B.B.B</address>
			</source>
			<destination>
				<address>A.A.A.A</address>
			</destination>
			<descr>ESP for IPSec from Seattle</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>udp</protocol>
			<source>
				<any/>
				<port>500</port>
			</source>
			<destination>
				<any/>
				<port>500</port>
			</destination>
			<descr>UDP 500 for IPSec</descr>
		</rule>

	<ipsec>
		<tunnel>
			<interface>wan</interface>
			<local-subnet>
				<network>lan</network>
			</local-subnet>
			<remote-subnet>172.16.100.0/22</remote-subnet>
			<remote-gateway>B.B.B.B</remote-gateway>
			<p1>
				<mode>main</mode>
				<myident>
					<myaddress/>
				</myident>
				<encryption-algorithm>3des</encryption-algorithm>
				<hash-algorithm>sha1</hash-algorithm>
				<dhgroup>2</dhgroup>
				<lifetime>28800</lifetime>
				<pre-shared-key>snipped!</pre-shared-key>
			</p1>
			<p2>
				<protocol>esp</protocol>
				<encryption-algorithm-option>3des</encryption-algorithm-option>
				<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
				<pfsgroup>2</pfsgroup>
				<lifetime>86400</lifetime>
			</p2>
			<descr>Seattle</descr>
		</tunnel>
		<enable/>
	</ipsec>

PARTIAL CONFIGURATION FROM B.B.B.B:
=========================================

<filter>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>esp</protocol>
			<source>
				<address>A.A.A.A</address>
			</source>
			<destination>
				<address>B.B.B.B</address>
			</destination>
			<descr>ESP for IPSec from Manfredi</descr>
		</rule>
		<rule>
			<type>pass</type>
			<interface>wan</interface>
			<protocol>udp</protocol>
			<source>
				<any/>
				<port>500</port>
			</source>
			<destination>
				<any/>
				<port>500</port>
			</destination>
			<descr>UDP 500 for IPSec</descr>
		</rule>

	<ipsec>
		<enable/>
		<tunnel>
			<interface>wan</interface>
			<local-subnet>
				<network>lan</network>
			</local-subnet>
			<remote-subnet>172.16.40.0/22</remote-subnet>
			<remote-gateway>A.A.A.A</remote-gateway>
			<p1>
				<mode>main</mode>
				<myident>
					<myaddress/>
				</myident>
				<encryption-algorithm>3des</encryption-algorithm>
				<hash-algorithm>sha1</hash-algorithm>
				<dhgroup>2</dhgroup>
				<lifetime>28800</lifetime>
				<pre-shared-key>snipped!</pre-shared-key>
			</p1>
			<p2>
				<protocol>esp</protocol>
				<encryption-algorithm-option>3des</encryption-algorithm-option>
				<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
				<pfsgroup>2</pfsgroup>
				<lifetime>86400</lifetime>
			</p2>
			<descr>Manfredi</descr>
		</tunnel>
	</ipsec>
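The two racoon.conf fragments in the post are meant to be mirror images of each other, and every ERROR line in both logs is one of three racoon messages: "couldn't find configuration" (isakmp_ph1begin_r) and "no configuration found for peer address" (isakmp_info_send_nx) are both emitted when racoon cannot find a `remote` block matching the address a packet arrived from, and "can't start the quick mode, there is no ISAKMP-SA" is logged when a phase 2 packet arrives before any phase 1 SA exists. The script below is an added example for this thread, not code from the post, m0n0wall or racoon: it parses two racoon.conf texts, checks that the `remote` addresses, identifiers, phase 1 proposals and `sainfo` selectors mirror each other, and counts those error conditions in a list of syslog lines. `RACOON_A`, `RACOON_B` and `LOG_B` are constructed from the fragments in the post (keeping the poster's A.A.A.A / B.B.B.B placeholders); `RACOON_B_BAD` and its C.C.C.C address are constructed here only to show what a finding looks like.

```python
"""Pair check for two site-to-site racoon.conf texts plus a counter for the
racoon error lines seen when phase 1 never completes. Added example for the
thread above; not m0n0wall's or racoon's own code. Configs and log lines are
constructed from the post; RACOON_B_BAD / C.C.C.C is a constructed fault."""
import re
from collections import Counter

RACOON_A = """\
remote B.B.B.B {
    exchange_mode main;
    my_identifier address "A.A.A.A";
    peers_identifier address B.B.B.B;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28800 secs;
    }
}
sainfo address 172.16.100.0/22 any address 172.16.40.0/22 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    pfs_group 2;
    lifetime time 86400 secs;
}
"""
# Site B is the mirror image of site A, so derive it instead of retyping it.
RACOON_B = (RACOON_A.replace("remote B.B.B.B", "remote A.A.A.A")
            .replace('"A.A.A.A"', '"B.B.B.B"').replace("address B.B.B.B;", "address A.A.A.A;")
            .replace("172.16.100.0/22 any address 172.16.40.0/22",
                     "172.16.40.0/22 any address 172.16.100.0/22"))
# Constructed fault: B's remote block names an address A never uses.
RACOON_B_BAD = RACOON_B.replace("remote A.A.A.A", "remote C.C.C.C")
LOG_B = [  # constructed from the B.B.B.B syslog excerpt, one entry per line
    "Jul 23 08:42:55 racoon: ERROR: isakmp.c:490:isakmp_main(): can't start the quick mode, there is no ISAKMP-SA, 0d02a0e084ede01d:adde7fb52254e37e:0000d25a",
    "Jul 23 08:42:55 racoon: ERROR: isakmp_inf.c:328:isakmp_info_send_nx(): no configuration found for peer address.",
    "Jul 23 08:42:09 racoon: ERROR: isakmp.c:851:isakmp_ph1begin_r(): couldn't find configuration.",
    "Jul 23 08:42:04 racoon: INFO: isakmp.c:1358:isakmp_open(): B.B.B.B[500] used as isakmp port (fd=7)",
]

def _parse(text):
    """Minimal brace-aware reader: top-level blocks as (header, stmts, children)."""
    stack = [("", [], [])]
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("{"):
            stack[-1][2].append((line[:-1].strip(), [], []))
            stack.append(stack[-1][2][-1])
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][1].append(line[:-1])
    return stack[0][2]

_opts = lambda stmts: dict(s.split(None, 1) for s in stmts)  # "key value" -> {key: value}

def summarize(text):
    """remote blocks keyed by peer address (with phase 1 proposal); sainfo options keyed by (local, remote)."""
    remote, sainfo = {}, {}
    for header, stmts, children in _parse(text):
        words = header.split()
        if words[0] == "remote":
            proposal = next((_opts(c[1]) for c in children if c[0] == "proposal"), {})
            remote[words[1]] = {"opts": _opts(stmts), "proposal": proposal}
        elif words[0] == "sainfo":
            m = re.match(r"sainfo address (\S+) \S+ address (\S+) \S+", header)
            sainfo[(m.group(1), m.group(2))] = _opts(stmts)
    return remote, sainfo

def _diff(label, left, right, findings):
    for key in sorted(set(left) | set(right)):
        if left.get(key) != right.get(key):
            findings.append(f"{label} differs on {key}: A={left.get(key)} B={right.get(key)}")

def check_pair(conf_a, addr_a, conf_b, addr_b):
    """Findings for the pair; [] means the two sides mirror each other. A racoon
    responder only accepts phase 1 from an address matching a 'remote' block, so that comes first."""
    findings = []
    rem_a, sa_a = summarize(conf_a)
    rem_b, sa_b = summarize(conf_b)
    if addr_b not in rem_a:
        findings.append(f"A has no 'remote {addr_b}' block")
    if addr_a not in rem_b:
        findings.append(f"B has no 'remote {addr_a}' block")
    if not findings:
        ra, rb = rem_a[addr_b], rem_b[addr_a]
        _diff("phase 1 proposal", ra["proposal"], rb["proposal"], findings)
        for side, mine, theirs in (("A", ra, rb), ("B", rb, ra)):  # identifiers, quotes aside
            if mine["opts"].get("peers_identifier", "").replace('"', "") != theirs["opts"].get("my_identifier", "").replace('"', ""):
                findings.append(f"{side}'s peers_identifier is not the other side's my_identifier")
    for (local, remote), opts in sa_a.items():
        mirror = sa_b.get((remote, local))
        if mirror is None:
            findings.append(f"B has no sainfo mirroring A's {local} <-> {remote}")
        else:
            _diff(f"phase 2 {local}<->{remote}", opts, mirror, findings)
    return findings

# Fragments of racoon's own error strings; the first two both come from the 'remote' lookup failing.
RACOON_ERRORS = {
    "couldn't find configuration": "phase 1 arrived from an address with no matching 'remote' block",
    "no configuration found for peer address": "racoon could not even answer the peer: no 'remote' block for its address",
    "there is no ISAKMP-SA": "a phase 2 (quick mode) packet arrived before any phase 1 SA existed",
}

def classify_log(lines):
    """Count the racoon error conditions present in syslog lines; INFO lines match nothing."""
    return Counter(meaning for line in lines
                   for needle, meaning in RACOON_ERRORS.items() if needle in line)

if __name__ == "__main__":
    print(check_pair(RACOON_A, "A.A.A.A", RACOON_B_BAD, "B.B.B.B"), dict(classify_log(LOG_B)))
```

Run against the configs as posted, `check_pair` returns no findings, which is the point: when both racoon.conf files already mirror each other and the responder still logs "couldn't find configuration", the address to compare against the `remote` blocks is the source address racoon actually sees on the incoming ISAKMP packet, not the one written in the config.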