From: Damian Gerow
To: net@freebsd.org
Date: Tue, 15 Apr 2003 17:58:44 -0400
Message-ID: <20030415215844.GY648@sentex.net>
Subject: IPSec tunnel setup problems

Tried sending this to -questions, now trying -net. I'm pretty sure it's something obvious I'm missing, just don't know what.

-----

I'm trying to set up an IPSec tunnel between two gateways, with little luck. I'm pretty sure I have my setkey entries done properly; it seems to be the negotiations that are failing. Local is 10.0.1.1, and remote is 10.0.2.1. There is only a tunnel between the two remote LANs; there's no transport encryption.
From the initiating side, I see (roughly):

2003-04-04 15:33:19: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 10.0.2.1
2003-04-04 15:33:19: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for 10.0.2.1 queued due to no phase1 found.
2003-04-04 15:33:20: DEBUG: isakmp_agg.c:162:agg_i1send(): authmethod is pre-shared key
2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 52, next type 4
2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 192, next type 10
2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 16, next type 5
2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 8, next type 0
2003-04-04 15:33:20: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
2003-04-04 15:33:20: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.1.1[500]
2003-04-04 15:33:20: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.1.1[500]
2003-04-04 15:33:20: DEBUG: sockmisc.c:425:sendfromto(): send packet to 10.0.2.1[500]
2003-04-04 15:33:20: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 312 bytes message will be sent to 10.0.1.1[500]
2003-04-04 15:33:20: DEBUG: isakmp.c:1449:isakmp_ph1resend(): resend phase1 packet d7824158efb89160:0000000000000000

So it /looks/ to be initiating correctly, no? The only thing that confuses me is that 10.0.1.1 is sending to 10.0.1.1, according to the debug output...

I believe the problem is with the remote end:

2003-04-04 15:36:23: DEBUG: isakmp.c:222:isakmp_handler(): 312 bytes message received from 10.0.1.1[40418]
2003-04-04 15:36:23: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
2003-04-04 15:36:23: DEBUG: remoteconf.c:134:getrmconf(): no remote configuration found.
2003-04-04 15:36:23: ERROR: isakmp.c:851:isakmp_ph1begin_r(): couldn't find configuration.
So it looks like the remote racoon.conf isn't finding the 'remote 10.0.1.1' section, as it's failing in Phase I (Phase II would mean it can't find 'sainfo ...', right?). The two psk.txt's are exactly the same, the two /etc/ipsec.conf's are exact mirrors, and the two racoon.conf's are mirrors (with configuration names changed to match directions). It /feels/ like the remote (10.0.2.1) isn't finding the 'remote 10.0.1.1' configuration section that exists in there. I yanked the 'remote anonymous' and 'sainfo anonymous' configurations to help narrow this down. Does anyone have any pointers? Please reply personally, as I'm not subscribed. - Damian
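An added example, not part of Damian's post or of racoon itself: a small Python checker that parses racoon debug lines in the format quoted above (timestamp, level, file:line:function, message) and reports what a responder-side phase 1 failure looks like. It assumes that a peer source port other than UDP 500, as in the responder's "received from 10.0.1.1[40418]" line, is worth flagging as a sign that the initiator's packets are being rewritten in transit before they reach the responder; that interpretation is an assumption, not something the post confirms.

```python
import re

# Constructed sample: the responder-side excerpt quoted in the post above.
SAMPLE_LOG = """\
2003-04-04 15:36:23: DEBUG: isakmp.c:222:isakmp_handler(): 312 bytes message received from 10.0.1.1[40418]
2003-04-04 15:36:23: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
2003-04-04 15:36:23: DEBUG: remoteconf.c:134:getrmconf(): no remote configuration found.
2003-04-04 15:36:23: ERROR: isakmp.c:851:isakmp_ph1begin_r(): couldn't find configuration.
"""

# One racoon log record: "<date> <time>: <LEVEL>: <file>:<line>:<func>(): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (?P<level>[A-Z]+): "
    r"(?P<file>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\): (?P<msg>.*)$"
)
PEER_RE = re.compile(r"received from (?P<addr>[\d.]+)\[(?P<port>\d+)\]")
ISAKMP_PORT = 500  # IKE phase 1 normally arrives from UDP 500


def parse_line(line):
    """Return the record fields as a dict, or None if the line is not a racoon log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines):
    """Walk the log in order and collect (finding, timestamp, (peer_addr, peer_port)) tuples:
    nat_suspected (peer port != 500, an assumption), no_remote_conf (getrmconf() matched no
    'remote' block for the peer) and phase1_responder_failed (isakmp_ph1begin_r() gave up)."""
    findings = []
    peer = None  # most recently seen (addr, port) of the peer that sent a packet
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pm = PEER_RE.search(rec["msg"])
        if pm:
            peer = (pm["addr"], int(pm["port"]))
            if peer[1] != ISAKMP_PORT:
                findings.append(("nat_suspected", rec["ts"], peer))
        if rec["func"] == "getrmconf" and "no remote configuration found" in rec["msg"]:
            findings.append(("no_remote_conf", rec["ts"], peer))
        if rec["level"] == "ERROR" and rec["func"] == "isakmp_ph1begin_r":
            findings.append(("phase1_responder_failed", rec["ts"], peer))
    return findings


if __name__ == "__main__":
    for kind, ts, peer in analyse(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind:24s} peer={peer}")
```

Run it against the full responder log (one record per line) to see whether every failed phase 1 attempt is tied to the same unexpected peer port.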