From: Norberto Meijome
To: freebsd-questions@freebsd.org
Date: Tue, 2 Jan 2007 03:48:44 +1100
Subject: Ipsec to Sonicwall, what does this message mean?

Hi all,

I'm trying to connect to a Sonicwall TZ170 (I believe), from my FBSD 6.2-Prerelease. I have a username, password and PSK (i.e., Xauth PSK) from the SonicW's admin (who refuses to provide any help for non MS OS :-) ).

I've installed ipsec-tools-0.6.6 because I believe (wrongly?) that ipsec in the base system doesn't support xauth ... is this correct?

Anyway, I configured racoon.cfg and psk.txt to the best of my current abilities.
I then get:

# racoonctl vpn-connect SONICW_IP_ADDRESS
Error: Peer not responding

It seems my side is receiving a packet with DOI type 0 (as per wireshark, whatever that means...)... and racoon complains with:

Jan 2 03:28:18 ayiin racoon: ERROR: reject the packet, received unexpecting payload type 0.

(complete log after my signature at end of this mail)

I'd love any help that will help me understand what I am doing wrong. I can't see *WHY* I wouldn't be able to connect to this Sonic, other than a problem between the chair and the keyboard :)

Alternative ways of doing this same thing with other packages / base tools are greatly appreciated.

thanks in advance!!!
B

Configuration gory details:

192.168.13.3 is my laptop's IP. hostname is ayiin. I have UDP/500 port forwarded to this machine, and my local firewall is open for this traffic (udp/500 from SONICW_IP_ADDRESS).

my racoon.conf is:
---
path include "@sysconfdir_x@/racoon";
path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";

log debug;

# Specify various default timers.
timer {
    # These value can be changed per remote node.
    counter 5;          # maximum trying count to send.
    interval 20 sec;    # maximum interval to resend.
    persend 1;          # the number of packets per send.

    # maximum time to wait for completing each phase.
    phase1 30 sec;
    phase2 15 sec;
}

remote SONICW_IP_ADDRESS {
    lifetime time 1 hour;
    exchange_mode main, aggressive;
    #ca_type x509 "ca.crt";
    proposal_check obey;
    mode_cfg on;        # accept config through ISAKMP mode config
    dpd_delay 20;
    # nat_traversal force;
    ike_frag on;
    # esp_frag 552;
    #script "/etc/racoon/phase1-up.sh" phase1_up;
    #script "/etc/racoon/phase1-down.sh" phase1_down;
    passive off;
    xauth_login "beto";
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method hybrid_rsa_client;
        dh_group 2;
    }
}

sainfo anonymous {
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}
-------

my psk.txt has:
-----
## Host to connect , PSK to use
SONICW_IP_ADDRESS PSK_TO_SONIC
## XAuth bit
beto My_MagicPassword
----

My kern conf includes:
## IPSEC VPNs
options IPSEC
options IPSEC_ESP

ipsec-tools options are :
_OPTIONS_READ=ipsec-tools-0.6.6
WITH_DEBUG=true
WITH_IPV6=true
WITH_ADMINPORT=true
WITH_STATS=true
WITH_DPD=true
WITH_NATT=true
WITHOUT_NATTF=true
WITH_FRAG=true
WITH_HYBRID=true
WITH_PAM=true
WITH_GSSAPI=true
WITH_RADIUS=true
WITH_SAUNSPEC=true
WITHOUT_RC5=true
WITHOUT_IDEA=true

but I didn't apply the NAT-T kernel patch (yet).

_________________________
{Beto|Norberto|Numard} Meijome

What you are afraid to do is a clear indicator of the next thing you need to do.

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.

In the log file, I get : (apologies for wrapping)..
---
Jan 2 03:28:18 ayiin racoon: DEBUG: configuration found for SONICW_IP_ADDRESS.
Jan 2 03:28:18 ayiin racoon: INFO: accept a request to establish IKE-SA: SONICW_IP_ADDRESS
Jan 2 03:28:18 ayiin racoon: DEBUG: ===
Jan 2 03:28:18 ayiin racoon: INFO: initiate new phase 1 negotiation: 192.168.13.3[500]<=>SONICW_IP_ADDRESS[500]
Jan 2 03:28:18 ayiin racoon: INFO: begin Identity Protection mode.
Jan 2 03:28:18 ayiin racoon: DEBUG: new cookie: 6b685b8598c46c46
Jan 2 03:28:18 ayiin racoon: DEBUG: add payload of len 52, next type 13
Jan 2 03:28:18 ayiin racoon: DEBUG: add payload of len 16, next type 0
Jan 2 03:28:18 ayiin racoon: DEBUG: 104 bytes from 192.168.13.3[500] to SONICW_IP_ADDRESS[500]
Jan 2 03:28:18 ayiin racoon: DEBUG: sockname 192.168.13.3[500]
Jan 2 03:28:18 ayiin racoon: DEBUG: send packet from 192.168.13.3[500]
Jan 2 03:28:18 ayiin racoon: DEBUG: send packet to SONICW_IP_ADDRESS[500]
Jan 2 03:28:18 ayiin racoon: DEBUG: 1 times of 104 bytes message will be sent to SONICW_IP_ADDRESS[500]
Jan 2 03:28:18 ayiin racoon: DEBUG: 6b685b85 98c46c46 00000000 00000000 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 80010007 800e0080 8003fadd 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jan 2 03:28:18 ayiin racoon: DEBUG: resend phase1 packet 6b685b8598c46c46:0000000000000000
Jan 2 03:28:18 ayiin racoon: phase1(ident I msg1): 0.000436
Jan 2 03:28:18 ayiin racoon: DEBUG: ===
Jan 2 03:28:18 ayiin racoon: DEBUG: 92 bytes message received from SONICW_IP_ADDRESS[500] to 192.168.13.3[500]
Jan 2 03:28:18 ayiin racoon: DEBUG: 6b685b85 98c46c46 04297297 6865ef0c 0b100500 00000000 0000005c 00000040 00000000 0110000e 6b685b85 98c46c46 04297297 6865ef0c 00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069 73206368 6f73656e
Jan 2 03:28:18 ayiin racoon: DEBUG: receive Information.
Jan 2 03:28:18 ayiin racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 2 03:28:38 ayiin racoon: DEBUG: 104 bytes from 192.168.13.3[500] to SONICW_IP_ADDRESS[500]
Jan 2 03:28:38 ayiin racoon: DEBUG: sockname 192.168.13.3[500]
Jan 2 03:28:38 ayiin racoon: DEBUG: send packet from 192.168.13.3[500]
Jan 2 03:28:38 ayiin racoon: DEBUG: send packet to SONICW_IP_ADDRESS[500]
Jan 2 03:28:38 ayiin racoon: DEBUG: 1 times of 104 bytes message will be sent to SONICW_IP_ADDRESS[500]
Jan 2 03:28:38 ayiin racoon: DEBUG: 6b685b85 98c46c46 00000000 00000000 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 80010007 800e0080 8003fadd 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jan 2 03:28:38 ayiin racoon: DEBUG: resend phase1 packet 6b685b8598c46c46:0000000000000000
Jan 2 03:28:38 ayiin racoon: DEBUG: ===
Jan 2 03:28:38 ayiin racoon: DEBUG: 92 bytes message received from SONICW_IP_ADDRESS[500] to 192.168.13.3[500]
Jan 2 03:28:38 ayiin racoon: DEBUG: 6b685b85 98c46c46 46bfd899 6661a528 0b100500 00000000 0000005c 00000040 00000000 0110000e 6b685b85 98c46c46 46bfd899 6661a528 00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069 73206368 6f73656e
Jan 2 03:28:38 ayiin racoon: DEBUG: receive Information.
Jan 2 03:28:38 ayiin racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 2 03:28:58 ayiin racoon: DEBUG: 104 bytes from 192.168.13.3[500] to SONICW_IP_ADDRESS[500]
Jan 2 03:28:58 ayiin racoon: DEBUG: sockname 192.168.13.3[500]
Jan 2 03:28:58 ayiin racoon: DEBUG: send packet from 192.168.13.3[500]
Jan 2 03:28:58 ayiin racoon: DEBUG: send packet to SONICW_IP_ADDRESS[500]
Jan 2 03:28:58 ayiin racoon: DEBUG: 1 times of 104 bytes message will be sent to SONICW_IP_ADDRESS[500]
Jan 2 03:28:58 ayiin racoon: DEBUG: 6b685b85 98c46c46 00000000 00000000 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 80010007 800e0080 8003fadd 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jan 2 03:28:58 ayiin racoon: DEBUG: resend phase1 packet 6b685b8598c46c46:0000000000000000
Jan 2 03:28:58 ayiin racoon: DEBUG: ===
Jan 2 03:28:58 ayiin racoon: DEBUG: 92 bytes message received from SONICW_IP_ADDRESS[500] to 192.168.13.3[500]
Jan 2 03:28:58 ayiin racoon: DEBUG: 6b685b85 98c46c46 188529ff 8727ef75 0b100500 00000000 0000005c 00000040 00000000 0110000e 6b685b85 98c46c46 188529ff 8727ef75 00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069 73206368 6f73656e
Jan 2 03:28:58 ayiin racoon: DEBUG: receive Information.
Jan 2 03:28:58 ayiin racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 2 03:29:09 ayiin racoon: DEBUG: caught rtm:14, need update interface address list
Jan 2 03:29:14 ayiin racoon: DEBUG: my interface: 192.168.13.3 (iwi0)
Jan 2 03:29:14 ayiin racoon: DEBUG: my interface: 127.0.0.1 (lo0)
Jan 2 03:29:14 ayiin racoon: DEBUG: configuring default isakmp port.
Jan 2 03:29:14 ayiin racoon: DEBUG: 2 addrs are configured successfully
Jan 2 03:29:14 ayiin racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Jan 2 03:29:14 ayiin racoon: INFO: 192.168.13.3[500] used as isakmp port (fd=10)
Jan 2 03:29:18 ayiin racoon: DEBUG: 104 bytes from 192.168.13.3[500] to SONICW_IP_ADDRESS[500]
Jan 2 03:29:18 ayiin racoon: DEBUG: sockname 192.168.13.3[500]
Jan 2 03:29:18 ayiin racoon: DEBUG: send packet from 192.168.13.3[500]
Jan 2 03:29:18 ayiin racoon: DEBUG: send packet to SONICW_IP_ADDRESS[500]
Jan 2 03:29:18 ayiin racoon: DEBUG: 1 times of 104 bytes message will be sent to SONICW_IP_ADDRESS[500]
Jan 2 03:29:18 ayiin racoon: DEBUG: 6b685b85 98c46c46 00000000 00000000 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 80010007 800e0080 8003fadd 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jan 2 03:29:18 ayiin racoon: DEBUG: resend phase1 packet 6b685b8598c46c46:0000000000000000
Jan 2 03:29:18 ayiin racoon: DEBUG: ===
Jan 2 03:29:18 ayiin racoon: DEBUG: 92 bytes message received from SONICW_IP_ADDRESS[500] to 192.168.13.3[500]
Jan 2 03:29:18 ayiin racoon: DEBUG: 6b685b85 98c46c46 2d182ee5 3f0644a6 0b100500 00000000 0000005c 00000040 00000000 0110000e 6b685b85 98c46c46 2d182ee5 3f0644a6 00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069 73206368 6f73656e
Jan 2 03:29:18 ayiin racoon: DEBUG: receive Information.
Jan 2 03:29:18 ayiin racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 2 03:29:38 ayiin racoon: DEBUG: 104 bytes from 192.168.13.3[500] to SONICW_IP_ADDRESS[500]
Jan 2 03:29:38 ayiin racoon: DEBUG: sockname 192.168.13.3[500]
Jan 2 03:29:38 ayiin racoon: DEBUG: send packet from 192.168.13.3[500]
Jan 2 03:29:38 ayiin racoon: DEBUG: send packet to SONICW_IP_ADDRESS[500]
Jan 2 03:29:38 ayiin racoon: DEBUG: 1 times of 104 bytes message will be sent to SONICW_IP_ADDRESS[500]
Jan 2 03:29:38 ayiin racoon: DEBUG: 6b685b85 98c46c46 00000000 00000000 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 80010007 800e0080 8003fadd 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jan 2 03:29:38 ayiin racoon: DEBUG: resend phase1 packet 6b685b8598c46c46:0000000000000000
Jan 2 03:29:38 ayiin racoon: DEBUG: ===
Jan 2 03:29:38 ayiin racoon: DEBUG: 92 bytes message received from SONICW_IP_ADDRESS[500] to 192.168.13.3[500]
Jan 2 03:29:38 ayiin racoon: DEBUG: 6b685b85 98c46c46 dfb5fdc4 ec605c45 0b100500 00000000 0000005c 00000040 00000000 0110000e 6b685b85 98c46c46 dfb5fdc4 ec605c45 00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069 73206368 6f73656e
Jan 2 03:29:38 ayiin racoon: DEBUG: receive Information.
Jan 2 03:29:38 ayiin racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 2 03:29:58 ayiin racoon: DEBUG: 104 bytes from 192.168.13.3[500] to SONICW_IP_ADDRESS[500]
Jan 2 03:29:58 ayiin racoon: DEBUG: sockname 192.168.13.3[500]
Jan 2 03:29:58 ayiin racoon: DEBUG: send packet from 192.168.13.3[500]
Jan 2 03:29:58 ayiin racoon: DEBUG: send packet to SONICW_IP_ADDRESS[500]
Jan 2 03:29:58 ayiin racoon: DEBUG: 1 times of 104 bytes message will be sent to SONICW_IP_ADDRESS[500]
Jan 2 03:29:58 ayiin racoon: DEBUG: 6b685b85 98c46c46 00000000 00000000 01100200 00000000 00000068 0d000038 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 800c7080 80010007 800e0080 8003fadd 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jan 2 03:29:58 ayiin racoon: DEBUG: resend phase1 packet 6b685b8598c46c46:0000000000000000
Jan 2 03:29:58 ayiin racoon: DEBUG: ===
Jan 2 03:29:58 ayiin racoon: DEBUG: 92 bytes message received from SONICW_IP_ADDRESS[500] to 192.168.13.3[500]
Jan 2 03:29:58 ayiin racoon: DEBUG: 6b685b85 98c46c46 a44efcf5 7e944979 0b100500 00000000 0000005c 00000040 00000000 0110000e 6b685b85 98c46c46 a44efcf5 7e944979 00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069 73206368 6f73656e
Jan 2 03:29:58 ayiin racoon: DEBUG: receive Information.
Jan 2 03:29:58 ayiin racoon: ERROR: reject the packet, received unexpecting payload type 0.
Jan 2 03:30:15 ayiin racoon: DEBUG: caught rtm:14, need update interface address list
Jan 2 03:30:18 ayiin racoon: ERROR: phase1 negotiation failed due to time up. 6b685b8598c46c46:0000000000000000
Jan 2 03:30:20 ayiin racoon: DEBUG: my interface: 192.168.13.3 (iwi0)
Jan 2 03:30:20 ayiin racoon: DEBUG: my interface: 127.0.0.1 (lo0)
Jan 2 03:30:20 ayiin racoon: DEBUG: configuring default isakmp port.
Jan 2 03:30:20 ayiin racoon: DEBUG: 2 addrs are configured successfully
Jan 2 03:30:20 ayiin racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
Jan 2 03:30:20 ayiin racoon: INFO: 192.168.13.3[500] used as isakmp port (fd=10)
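Editor's note, added example (not part of the original mail): the 92-byte reply racoon logs as "receive Information" can be read by hand with the ISAKMP field layout from RFC 2408, which is what the following Python does for the first reply in the log. It shows that the message is an Informational exchange carrying a Notification payload with DOI 0 (the "DOI type 0" wireshark reports), notify type 14 (NO-PROPOSAL-CHOSEN, i.e. the SonicWall is rejecting the phase 1 proposal) and a vendor text string in the notification data; the code-point names are from RFC 2408, and the assumption that the SonicWall's text is plain ASCII inside the notification data is mine.

```python
import struct

# The 92-byte ISAKMP reply from the SonicWall, copied from the first
# "92 bytes message received" DEBUG line in the racoon log above.
REPLY_HEX = (
    "6b685b85 98c46c46 04297297 6865ef0c 0b100500 00000000 0000005c "
    "00000040 00000000 0110000e 6b685b85 98c46c46 04297297 6865ef0c "
    "00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069 "
    "73206368 6f73656e"
)

# Code points from RFC 2408 (ISAKMP) needed to read this message.
EXCHANGE_TYPES = {2: "Identity Protection", 4: "Aggressive", 5: "Informational"}
NOTIFY_TYPES = {5: "INVALID-PAYLOAD-TYPE", 14: "NO-PROPOSAL-CHOSEN", 24: "INVALID-HASH-INFORMATION"}
PAYLOAD_NOTIFICATION = 11

def decode_isakmp_informational(hex_words: str) -> dict:
    """Parse the 28-byte ISAKMP header plus one Notification payload."""
    data = bytes.fromhex(hex_words.replace(" ", ""))
    # Header: I-cookie(8) R-cookie(8) next-payload(1) version(1)
    #         exchange-type(1) flags(1) message-id(4) total-length(4)
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header says {length} bytes, got {len(data)}")
    if nxt != PAYLOAD_NOTIFICATION:
        raise ValueError(f"first payload is type {nxt}, not Notification")
    # Generic payload header: next-payload(1) reserved(1) payload-length(2),
    # then Notification body: DOI(4) protocol-id(1) SPI-size(1) notify-type(2)
    # SPI(SPI-size) notification-data(rest of payload)
    body = data[28:]
    p_next, _reserved, p_len = struct.unpack("!BBH", body[:4])
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[4:12])
    spi = body[12:12 + spi_size]
    ndata = body[12 + spi_size:p_len]
    # Assumption: the vendor packs a human-readable reason into the notification
    # data; keep only printable ASCII so the framing bytes around it drop out.
    reason = "".join(chr(b) for b in ndata if 32 <= b < 127)
    return {
        "version": f"{ver >> 4}.{ver & 0xF}",
        "exchange_type": EXCHANGE_TYPES.get(xchg, str(xchg)),
        "flags": flags, "message_id": msgid, "message_length": length,
        "doi": doi,                       # 0 here: what wireshark shows as "DOI type 0"
        "protocol_id": proto,
        "notify_type": ntype, "notify_name": NOTIFY_TYPES.get(ntype, "unknown"),
        "spi_matches_cookies": spi == icookie + rcookie,
        "next_payload_after_notify": p_next,
        "reason_text": reason,
    }
```

Calling decode_isakmp_informational(REPLY_HEX) on the other five replies in the log gives the same result apart from the responder cookie, which the SonicWall regenerates for each retransmitted phase 1 message.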