From owner-freebsd-net@FreeBSD.ORG Tue Apr 15 15:03:19 2003
Date: Wed, 16 Apr 2003 01:03:10 +0300
From: Ruslan Ermilov
To: Damian Gerow
cc: net@freebsd.org
Subject: Re: IPSec tunnel setup problems
Message-ID: <20030415220310.GB57610@sunbay.com>
In-Reply-To: <20030415215844.GY648@sentex.net>
References: <20030415215844.GY648@sentex.net>
User-Agent: Mutt/1.5.4i
List-Id: Networking and TCP/IP with FreeBSD

On Tue, Apr 15, 2003 at 05:58:44PM -0400, Damian Gerow wrote:
> Tried sending this to -questions, now trying -net. I'm pretty sure it's
> something obvious I'm missing, just don't know what.
>
> -----
>
> I'm trying to set up an IPSec tunnel between two gateways, with little luck.
> I'm pretty sure I have my setkey entries done properly, it seems to be the
> negotiations that are failing. Local is 10.0.1.1, and remote is 10.0.2.1.
> There is only a tunnel between the two remote LANs, there's no transport
> encryption.
>
> From the initiating side, I see (roughly):
>
> 2003-04-04 15:33:19: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 10.0.2.1
> 2003-04-04 15:33:19: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA request for 10.0.2.1 queued due to no phase1 found.
>
> 2003-04-04 15:33:20: DEBUG: isakmp_agg.c:162:agg_i1send(): authmethod is pre-shared key
> 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 52, next type 4
> 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 192, next type 10
> 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 16, next type 5
> 2003-04-04 15:33:20: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload of len 8, next type 0
> 2003-04-04 15:33:20: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
>
> 2003-04-04 15:33:20: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.1.1[500]
> 2003-04-04 15:33:20: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.1.1[500]
> 2003-04-04 15:33:20: DEBUG: sockmisc.c:425:sendfromto(): send packet to 10.0.2.1[500]
> 2003-04-04 15:33:20: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 312 bytes message will be sent to 10.0.1.1[500]
>
> 2003-04-04 15:33:20: DEBUG: isakmp.c:1449:isakmp_ph1resend(): resend phase1 packet d7824158efb89160:0000000000000000
>
> So it /looks/ to be initiating correctly, no? The only thing that confuses
> me is that 10.0.1.1 is sending to 10.0.1.1, according to the debug
> output...
>
> I believe the problem is with the remote end:
>
> 2003-04-04 15:36:23: DEBUG: isakmp.c:222:isakmp_handler(): 312 bytes message received from 10.0.1.1[40418]
>
> 2003-04-04 15:36:23: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
>
> 2003-04-04 15:36:23: DEBUG: remoteconf.c:134:getrmconf(): no remote configuration found.
> 2003-04-04 15:36:23: ERROR: isakmp.c:851:isakmp_ph1begin_r(): couldn't find configuration.
>
> So it looks like the remote racoon.conf isn't finding the 'remote 10.0.1.1'
> section, as it's failing in Phase I (Phase II would mean it can't find
> 'sainfo ...', right?).
>
> The two psk.txt's are exactly the same, the two /etc/ipsec.conf's are
> exact mirrors, and the two racoon.conf's are mirrors (with configuration
> names changed to match directions). It /feels/ like the remote (10.0.2.1)
> isn't finding the 'remote 10.0.1.1' configuration section that exists in
> there. I yanked the 'remote anonymous' and 'sainfo anonymous'
> configurations to help narrow this down.
>
> Does anyone have any pointers? Please reply personally, as I'm not
> subscribed.
>
Hmm, on my machines with IPSec tunnels the /etc/ipsec.conf's are NOT the
exact mirrors; they are mirrors except for the in/out keywords.

Cheers,
-- 
Ruslan Ermilov
Sysadmin and DBA, ru@sunbay.com
Sunbay Software AG, ru@FreeBSD.org
FreeBSD committer, +380.652.512.251
Simferopol, Ukraine
http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age
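The "mirrors except for the in/out keywords" relation in the reply above, spelled out as an added example (this is not code from the thread, from FreeBSD, or from the KAME tools). It generates the setkey(8) SPD entries for both gateways of the tunnel and checks that one gateway's /etc/ipsec.conf really is the other's with only the direction keyword swapped. The gateway addresses 10.0.1.1 and 10.0.2.1 are the poster's; the LAN prefixes 10.0.1.0/24 and 10.0.2.0/24 behind them, and the ESP/require policy, are assumptions made here for illustration. The racoon "no remote configuration found" error is not addressed by this example.

```python
"""Mirrored setkey(8) SPD policies for a two-gateway IPsec tunnel.

Added example, not code from the mailing-list thread or from FreeBSD.
Gateways 10.0.1.1 / 10.0.2.1 are from the post; the /24 LANs behind them
are an assumption for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    local_gw: str
    local_net: str
    remote_gw: str
    remote_net: str


def spd_entries(t: Tunnel) -> str:
    """/etc/ipsec.conf text for ONE gateway: an outbound policy for
    local->remote traffic and an inbound policy for remote->local traffic,
    both ESP tunnel mode between the two gateway addresses (KAME syntax)."""
    return (
        f"spdadd {t.local_net} {t.remote_net} any -P out ipsec "
        f"esp/tunnel/{t.local_gw}-{t.remote_gw}/require;\n"
        f"spdadd {t.remote_net} {t.local_net} any -P in ipsec "
        f"esp/tunnel/{t.remote_gw}-{t.local_gw}/require;\n"
    )


def peer(t: Tunnel) -> Tunnel:
    """The same tunnel as seen from the other gateway."""
    return Tunnel(t.remote_gw, t.remote_net, t.local_gw, t.local_net)


SPDADD = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(\S+);"
)


def parse_spd(text: str) -> set:
    """Parse spdadd lines into (src, dst, proto, direction, policy) tuples.
    '#' comments and blank lines are skipped; anything else is rejected so a
    typo cannot silently pass the mirror check."""
    entries = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SPDADD.fullmatch(line)
        if m is None:
            raise ValueError(f"unrecognised ipsec.conf line: {raw!r}")
        entries.add(m.groups())
    return entries


def flip(direction: str) -> str:
    return "in" if direction == "out" else "out"


def is_mirror(conf_a: str, conf_b: str) -> bool:
    """True when B's policy set is A's with in/out swapped and nothing else
    changed.  Selector src/dst and the tunnel endpoints are written from the
    packet's point of view on both ends, so the direction keyword is the only
    thing that legitimately differs; an exact copy of A's file is NOT valid."""
    a = parse_spd(conf_a)
    b = parse_spd(conf_b)
    return {(s, d, p, flip(dir_), pol) for s, d, p, dir_, pol in a} == b


# Assumed topology: gateway 10.0.1.1 fronts 10.0.1.0/24, gateway 10.0.2.1
# fronts 10.0.2.0/24 (constructed for this example).
GW_A = Tunnel("10.0.1.1", "10.0.1.0/24", "10.0.2.1", "10.0.2.0/24")

if __name__ == "__main__":
    a_conf = spd_entries(GW_A)
    b_conf = spd_entries(peer(GW_A))
    print("# /etc/ipsec.conf on 10.0.1.1\n" + a_conf)
    print("# /etc/ipsec.conf on 10.0.2.1\n" + b_conf)
    print("proper mirror:", is_mirror(a_conf, b_conf))
    print("exact copy accepted:", is_mirror(a_conf, a_conf))
```

Run it and the two printed files differ only in which line carries `-P out` and which carries `-P in`; the src/dst prefixes and the `esp/tunnel/src-dst` endpoints on each line are identical on both gateways. Feeding the same file to both ends (an "exact mirror" in the poster's sense) fails `is_mirror`, which is the discrepancy the reply is pointing at.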