Date: Tue, 15 Apr 2003 17:58:44 -0400 From: Damian Gerow <damian@sentex.net> To: net@freebsd.org Subject: IPSec tunnel setup problems Message-ID: <20030415215844.GY648@sentex.net>
next in thread | raw e-mail | index | archive | help
Tried sending this to -questions, now trying -net. I'm pretty sure it's something obvious I'm missing, just don't know what. ----- I'm trying to set up an IPSec tunnel between two gateways, with little luck. I'm pretty sure I have my setkey entries done properly, it seems to be the negotiations that are failing. Local is 10.0.1.1, and remote is 10.0.2.1. Their is only a tunnel between the two remote LANs, there's no transport encryption. >From the initiating side, I see (roughly): 2003-04-04 15:33:19: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 10.0.2.1 2003-04-04 15:33:19: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for 10.0.2.1 queued due to no phase1 found. <debug output> 2003-04-04 15:33:20: DEBUG: isakmp_agg.c:162:agg_i1send(): authmethod is pre-shared key 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 52, next type 4 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 192, next type 10 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 16, next type 5 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 8, next type 0 2003-04-04 15:33:20: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin. <debug output> 2003-04-04 15:33:20: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.1.1[500] 2003-04-04 15:33:20: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.1.1[500] 2003-04-04 15:33:20: DEBUG: sockmisc.c:425:sendfromto(): send packet to 10.0.2.1[500] 2003-04-04 15:33:20: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 312 bytes message will be sent to 10.0.1.1[500] <plogdump> 2003-04-04 15:33:20: DEBUG: isakmp.c:1449:isakmp_ph1resend(): resend phase1 packet d7824158efb89160:0000000000000000 So it /looks/ to be initiating correctly, no? The only thing that confuses me is that 10.0.1.1 is sending to 10.0.1.1, according to the debug output... I believe the problem is with the remote end: 2003-04-04 15:36:23: DEBUG: isakmp.c:222:isakmp_handler(): 312 bytes message received from 10.0.1.1[40418] <plogdump> 2003-04-04 15:36:23: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin. <packet dump> 2003-04-04 15:36:23: DEBUG: remoteconf.c:134:getrmconf(): no remote configuration found. 2003-04-04 15:36:23: ERROR: isakmp.c:851:isakmp_ph1begin_r(): couldn't find configuration. So it looks like the remote racoon.conf isn't finding the 'remote 10.0.1.1' section, as it's failing in Phase I (Phase II would mean it can't find 'sainfo ...', right?). The two psk.txt's are exactly the same, the two /etc/ipsec.conf's are exact mirrors, and the two racoon.conf's are mirrors (with configuration names changed to match directions). It /feels/ like the remote (10.0.2.1) isn't finding the 'remote 10.0.1.1' configuration section that exists in there. I yanked the 'remote anonymous' and 'sainfo anonymous' configurations to help narrow this down. Does anyone have any pointers? Please reply personally, as I'm not subscribed. - Damian
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030415215844.GY648>