 From:  Dana Spiegel <dana at sociableDESIGN dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  Brian Buys <bbuys at tritel dot com>
 Subject:  Re: [m0n0wall] IPSEC VPN problem on 1.1
 Date:  Wed, 25 Aug 2004 20:42:47 -0400
My understanding is that the m0n0wall ipsec server takes care of this 
automatically, and it doesn't need to be added to the firewall by hand.

Anyway, I've added this to my firewall rules on both sides, and I still 
get the same error.

These are the errors that appear in the log. They appear with or without 
the ESP firewall rule:

Aug 25 20:31:40 racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r(): 
couldn't find configuration.
Aug 25 20:31:39 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): 
delete phase 2 handler.
Aug 25 20:31:39 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): 
phase2 negotiation failed due to time up waiting for phase1. ESP 
216.220.96.17->68.174.123.110
Aug 25 20:31:08 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin 
Aggressive mode.
Aug 25 20:31:08 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): 
initiate new phase 1 negotiation: 
68.174.123.110[500]<=>216.220.96.17[500]
Aug 25 20:31:08 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): 
IPsec-SA request for 216.220.96.17 queued due to no phase1 found.
Aug 25 20:31:02 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 
negotiation failed due to time up. 4fdb0a1d5d7dfbe0:0000000000000000


sociableDESIGN  ::  www.sociableDESIGN.com
123 Bank Street, Suite 510, New York, NY 10014

On Aug 25, 2004, at 6:52 PM, Brian Buys wrote:

> Hello!  You may want to check your firewall rules, and make sure that 
> you
> have allowed ESP protocol on port 500 so that the authentication can 
> occur.
> Perhaps check your firewall logs and see if it is being blocked.
>
> hth,
>
> Brian
>
> ----- Original Message -----
> From: "Dana Spiegel" <dana at sociableDESIGN dot com>
> To: "'M0n0wall'" <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, August 25, 2004 2:25 PM
> Subject: [m0n0wall] IPSEC VPN problem on 1.1
>
>
>> I'm having trouble getting a site to site vpn up and running. I've
>> followed the instructions in the m0n0wall documentation for 
>> configuring
>> the vpn, but I keep getting the following error on my soekris box 
>> error
> log:
>>
>> racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r(): couldn't find
>> configuration.
>>
>> My setup is a soekris box on a cable modem (Time warner cable in the 
>> US)
>> connecting to a generic PC (cd-rom based m0n0wall) on a symmetric
>> 1.5mbps DSL line.
>>
>> Here are the two racoon.conf files:
>>
>> Generic PC CD-ROM
>> -----------------------------
>>
>> path pre_shared_key "/var/etc/psk.txt";
>>
>> remote 68.174.123.110 {
>> exchange_mode aggressive;
>> my_identifier address "216.220.101.74";
>> peers_identifier address 68.174.123.110;
>> initial_contact on;
>> support_proxy on;
>> proposal_check obey;
>>
>> proposal {
>> encryption_algorithm blowfish;
>> hash_algorithm sha1;
>> authentication_method pre_shared_key;
>> dh_group 2;
>> lifetime time 28800 secs;
>> }
>> lifetime time 28800 secs;
>> }
>>
>> sainfo address 10.1.0.0/16 any address 10.0.0.0/24 any {
>> encryption_algorithm blowfish;
>> authentication_algorithm hmac_sha1;
>> compression_algorithm deflate;
>> lifetime time 86400 secs;
>> }
>>
>>
>>
>> Soekris
>> ------------
>>
>> path pre_shared_key "/var/etc/psk.txt";
>>
>> remote 216.220.96.17 {
>> exchange_mode aggressive;
>> my_identifier address "68.174.123.110";
>> peers_identifier address 216.220.96.17;
>> initial_contact on;
>> support_proxy on;
>> proposal_check obey;
>>
>> proposal {
>> encryption_algorithm blowfish;
>> hash_algorithm sha1;
>> authentication_method pre_shared_key;
>> dh_group 2;
>> lifetime time 28800 secs;
>> }
>> lifetime time 28800 secs;
>> }
>>
>> sainfo address 10.0.0.0/24 any address 10.1.0.0/16 any {
>> encryption_algorithm blowfish;
>> authentication_algorithm hmac_sha1;
>> compression_algorithm deflate;
>> lifetime time 86400 secs;
>> }
>>
>> They are mirror images of each other... so I can't figure out why the 
>> VPN
>> won't connect... the psk.conf files are identical.
>>
>> I've even tried "ping -S 10.0.0.1 -c4 10.1.0.10" (and the like) from
>> both endpoints using exec.php, but the pings just time out...
>>
>> Can someone help me out? I'm at my wits' end...
>> -- 
>>
>> *D a n a   S p i e g e l*
>> *s o c i a b l e D E S I G N*  *::*  *www.sociableDESIGN.com
>> <http://www.sociableDESIGN.com>*
>> 123 Bank Street, Suite 510, New York, NY 10014
>> p  +1 917 402 0422  ::  e  dana at sociableDESIGN dot com
>> <mailto:dana at sociableDESIGN dot com>
>>
>
>
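An added consistency check, not part of the thread and not m0n0wall or racoon code: racoon's responder selects the `remote` block by the source address of the incoming IKE packet, and `peers_identifier address` must match the address the peer sends in its ID payload, so the two racoon.conf files of a site-to-site tunnel have to be exact mirror images in `remote`, `my_identifier`, `peers_identifier`, the `sainfo` selectors and both proposals. The script below embeds the two configurations posted above (whitespace compacted; statements unchanged) and compares them field by field with a minimal regex parser that only understands the statements m0n0wall 1.1 emits (that parser, and the one-`remote`-block-per-side assumption, are mine). Run against the posted files it reports that the Generic PC announces 216.220.101.74 as its identifier while the Soekris's `remote` and `peers_identifier` name 216.220.96.17; whether that is what produced "couldn't find configuration" is not settled in the thread, but it is the first thing the check would have you reconcile.

```python
"""Cross-check two racoon.conf peer definitions for a site-to-site IPsec tunnel.

Added example, not code from the m0n0wall thread or from m0n0wall/racoon.
The two configuration texts are the ones posted in the thread, embedded here
(whitespace compacted, statements unchanged) so the check runs offline.
Assumption: one `remote` block and one `sainfo` block per side, as m0n0wall 1.1 wrote them.
"""
import re

PC_CONF = """
remote 68.174.123.110 {
  exchange_mode aggressive; my_identifier address "216.220.101.74";
  peers_identifier address 68.174.123.110; initial_contact on;
  support_proxy on; proposal_check obey;
  proposal { encryption_algorithm blowfish; hash_algorithm sha1;
             authentication_method pre_shared_key; dh_group 2; lifetime time 28800 secs; }
  lifetime time 28800 secs;
}
sainfo address 10.1.0.0/16 any address 10.0.0.0/24 any {
  encryption_algorithm blowfish; authentication_algorithm hmac_sha1;
  compression_algorithm deflate; lifetime time 86400 secs;
}
"""

SOEKRIS_CONF = """
remote 216.220.96.17 {
  exchange_mode aggressive; my_identifier address "68.174.123.110";
  peers_identifier address 216.220.96.17; initial_contact on;
  support_proxy on; proposal_check obey;
  proposal { encryption_algorithm blowfish; hash_algorithm sha1;
             authentication_method pre_shared_key; dh_group 2; lifetime time 28800 secs; }
  lifetime time 28800 secs;
}
sainfo address 10.0.0.0/24 any address 10.1.0.0/16 any {
  encryption_algorithm blowfish; authentication_algorithm hmac_sha1;
  compression_algorithm deflate; lifetime time 86400 secs;
}
"""


def parse_racoon(text):
    """Pull out the fields that must agree between the two peers (minimal regex parser)."""
    def one(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    def block_settings(pattern):
        # pattern captures the body between the braces; statements are `key value;`
        m = re.search(pattern, text)
        if not m:
            return {}
        return {k: v.strip() for k, v in re.findall(r'(\w+)\s+([^;]+);', m.group(1))}

    return {
        "remote": one(r'\bremote\s+(\S+)\s*\{'),
        "my_id": one(r'\bmy_identifier\s+address\s+"?([^";\s]+)"?\s*;'),
        "peers_id": one(r'\bpeers_identifier\s+address\s+"?([^";\s]+)"?\s*;'),
        "local_net": one(r'\bsainfo\s+address\s+(\S+)\s+\S+\s+address'),
        "remote_net": one(r'\bsainfo\s+address\s+\S+\s+\S+\s+address\s+(\S+)'),
        "phase1": block_settings(r'\bproposal\s*\{([^}]*)\}'),
        "phase2": block_settings(r'\bsainfo[^{]*\{([^}]*)\}'),
    }


def check_peers(name_a, conf_a, name_b, conf_b):
    """Return a list of mismatch descriptions; an empty list means the sides mirror each other."""
    a, b = parse_racoon(conf_a), parse_racoon(conf_b)
    findings = []

    def expect(label, left_name, left, right_name, right):
        if left != right:
            findings.append(f"{label}: {left_name} has {left!r} but {right_name} has {right!r}")

    # racoon's responder finds the `remote` block by the peer's source address, and
    # peers_identifier must equal the address the peer announces as my_identifier.
    expect("remote vs peer my_identifier", name_a, a["remote"], name_b, b["my_id"])
    expect("remote vs peer my_identifier", name_b, b["remote"], name_a, a["my_id"])
    expect("peers_identifier vs peer my_identifier", name_a, a["peers_id"], name_b, b["my_id"])
    expect("peers_identifier vs peer my_identifier", name_b, b["peers_id"], name_a, a["my_id"])
    # Phase 2 selectors are mirror images: my local network is the peer's remote network.
    expect("sainfo local vs peer remote", name_a, a["local_net"], name_b, b["remote_net"])
    expect("sainfo local vs peer remote", name_b, b["local_net"], name_a, a["remote_net"])
    # Phase 1 proposal and phase 2 transforms must be identical on both sides.
    expect("phase 1 proposal", name_a, a["phase1"], name_b, b["phase1"])
    expect("phase 2 sainfo transforms", name_a, a["phase2"], name_b, b["phase2"])
    return findings


if __name__ == "__main__":
    for line in check_peers("Generic PC", PC_CONF, "Soekris", SOEKRIS_CONF) or ["configs mirror each other"]:
        print(line)
```

Paste each side's racoon.conf into the two strings (or read them from files) and run it; anything printed is a field the two boxes disagree on, which is worth resolving before reading phase 1 timeouts as a firewall problem.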