Date:      Wed, 16 Apr 2003 01:03:10 +0300
From:      Ruslan Ermilov <ru@freebsd.org>
To:        Damian Gerow <damian@sentex.net>
Cc:        net@freebsd.org
Subject:   Re: IPSec tunnel setup problems
Message-ID:  <20030415220310.GB57610@sunbay.com>
In-Reply-To: <20030415215844.GY648@sentex.net>
References:  <20030415215844.GY648@sentex.net>


On Tue, Apr 15, 2003 at 05:58:44PM -0400, Damian Gerow wrote:
> Tried sending this to -questions, now trying -net.  I'm pretty sure it's
> something obvious I'm missing, just don't know what.
>
> -----
>
> I'm trying to set up an IPSec tunnel between two gateways, with little luck.
> I'm pretty sure I have my setkey entries done properly, it seems to be the
> negotiations that are failing.  Local is 10.0.1.1, and remote is 10.0.2.1.
> There is only a tunnel between the two remote LANs, there's no transport
> encryption.
>
> From the initiating side, I see (roughly):
>
> 2003-04-04 15:33:19: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 10.0.2.1
> 2003-04-04 15:33:19: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for 10.0.2.1 queued due to no phase1 found.
> <debug output>
> 2003-04-04 15:33:20: DEBUG: isakmp_agg.c:162:agg_i1send(): authmethod is pre-shared key
> 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 52, next type 4
> 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 192, next type 10
> 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 16, next type 5
> 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 8, next type 0
> 2003-04-04 15:33:20: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
> <debug output>
> 2003-04-04 15:33:20: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.1.1[500]
> 2003-04-04 15:33:20: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.1.1[500]
> 2003-04-04 15:33:20: DEBUG: sockmisc.c:425:sendfromto(): send packet to 10.0.2.1[500]
> 2003-04-04 15:33:20: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 312 bytes message will be sent to 10.0.1.1[500]
> <plogdump>
> 2003-04-04 15:33:20: DEBUG: isakmp.c:1449:isakmp_ph1resend(): resend phase1 packet d7824158efb89160:0000000000000000
>
> So it /looks/ to be initiating correctly, no?  The only thing that confuses
> me is that 10.0.1.1 is sending to 10.0.1.1, according to the debug
> output...
>
> I believe the problem is with the remote end:
>
> 2003-04-04 15:36:23: DEBUG: isakmp.c:222:isakmp_handler(): 312 bytes message received from 10.0.1.1[40418]
> <plogdump>
> 2003-04-04 15:36:23: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
> <packet dump>
> 2003-04-04 15:36:23: DEBUG: remoteconf.c:134:getrmconf(): no remote configuration found.
> 2003-04-04 15:36:23: ERROR: isakmp.c:851:isakmp_ph1begin_r(): couldn't find configuration.
>
> So it looks like the remote racoon.conf isn't finding the 'remote 10.0.1.1'
> section, as it's failing in Phase I (Phase II would mean it can't find
> 'sainfo ...', right?).
>
> The two psk.txt's are exactly the same, the two /etc/ipsec.conf's are
> exact mirrors, and the two racoon.conf's are mirrors (with configuration
> names changed to match directions).  It /feels/ like the remote (10.0.2.1)
> isn't finding the 'remote 10.0.1.1' configuration section that exists in
> there.  I yanked the 'remote anonymous' and 'sainfo anonymous'
> configurations to help narrow this down.
>
> Does anyone have any pointers?  Please reply personally, as I'm not
> subscribed.
>
Hmm, on my machines with IPSec tunnels the /etc/ipsec.conf's are
NOT the exact mirrors; they are mirrors except for the in/out
keywords.


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
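As an added example (not from either poster), here is a small Python check for the invariant Ruslan describes: the setkey SPD entries in the two gateways' /etc/ipsec.conf should name the same flows and the same tunnel endpoints and differ only in the in/out keyword. The sample files and the LAN prefixes 10.0.1.0/24 and 10.0.2.0/24 are constructed assumptions; the thread only names the gateways 10.0.1.1 and 10.0.2.1.

```python
import re

# Constructed /etc/ipsec.conf (setkey SPD) for gateway 10.0.1.1 (assumed LAN 10.0.1.0/24).
GW_A_CONF = """
spdadd 10.0.1.0/24 10.0.2.0/24 any -P out ipsec esp/tunnel/10.0.1.1-10.0.2.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P in  ipsec esp/tunnel/10.0.2.1-10.0.1.1/require;
"""
# Correct peer (10.0.2.1): same selectors and endpoints, only the in/out keywords swapped.
GW_B_CONF = """
spdadd 10.0.1.0/24 10.0.2.0/24 any -P in  ipsec esp/tunnel/10.0.1.1-10.0.2.1/require;
spdadd 10.0.2.0/24 10.0.1.0/24 any -P out ipsec esp/tunnel/10.0.2.1-10.0.1.1/require;
"""
# Broken peer: a verbatim copy of GW_A, so both gateways treat the same flow as "out".
GW_B_COPY = GW_A_CONF

SPD_RE = re.compile(
    r"^\s*spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/tunnel/([^-\s]+)-(\S+?)/(\w+)\s*;", re.M)

def parse_spd(conf):
    """Map each (src, dst) selector to (direction, tunnel src, tunnel dst)."""
    policies = {}
    for src, dst, _, direction, _, tsrc, tdst, _ in SPD_RE.findall(conf):
        policies[(src, dst)] = (direction, tsrc, tdst)
    return policies

def check_mirror(conf_a, conf_b):
    """Return a list of problems; an empty list means the two SPDs agree.
    Every flow A marks "out" must appear on B as "in" (and vice versa) with
    identical tunnel endpoints: "mirrors except for the in/out keywords"."""
    a, b = parse_spd(conf_a), parse_spd(conf_b)
    problems = []
    for flow, (dir_a, tsrc, tdst) in a.items():
        if flow not in b:
            problems.append(f"{flow}: missing on peer")
            continue
        dir_b, tsrc_b, tdst_b = b[flow]
        if dir_b == dir_a:
            problems.append(f"{flow}: both sides say -P {dir_a}")
        if (tsrc_b, tdst_b) != (tsrc, tdst):
            problems.append(f"{flow}: tunnel endpoints differ")
    for flow in b:
        if flow not in a:
            problems.append(f"{flow}: missing on local side")
    return problems

if __name__ == "__main__":
    print("mirrored peer:", check_mirror(GW_A_CONF, GW_B_CONF) or "ok")
    print("copied peer:  ", check_mirror(GW_A_CONF, GW_B_COPY))
```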
