IPSec not working in 2.0



  • Hi there,

    I am using the snap from the 28th…

    This is what I see in my ipsec log:

    Dec 28 20:28:21 racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
    Dec 28 20:28:21 racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
    Dec 28 20:28:21 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Dec 28 20:28:21 racoon: ERROR: /var/etc/racoon.conf:19: "d" syntax error
    Dec 28 20:28:21 racoon: ERROR: fatal parse failure (1 errors)

    Line 19 reads:

    my_identifier dyn_dns 88.70.x.x;

    Any idea?
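The "d" syntax error above is racoon's parser stopping at the first character of `dyn_dns`, which is a pfSense GUI choice rather than a keyword racoon.conf(5) accepts. As an added example (not code from this thread or from pfSense), here is a small Python linter that flags identifier directives racoon would reject and proposes the hand-written equivalent; the accepted identifier types are assumed from racoon.conf(5), and the sample config with its RFC 5737 addresses is constructed for the demonstration.

```python
import re

# Identifier types that racoon's parser accepts (assumption: racoon.conf(5)).
# "dyn_dns" is not among them, which is what the '"d" syntax error' means.
RACOON_ID_TYPES = {"address", "fqdn", "user_fqdn", "keyid", "asn1dn"}

# Types whose value racoon expects as a quoted string.
QUOTED_TYPES = {"fqdn", "user_fqdn", "keyid"}

IDENT_RE = re.compile(
    r'^\s*(?P<key>my_identifier|peers_identifier)\s+(?P<type>\S+)'
    r'(?:\s+(?P<value>.*?))?\s*;\s*$'
)
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def suggest_identifier(raw_type, value):
    """Map a non-racoon identifier type to the directive a practitioner would
    write by hand: a literal IP becomes 'address', a hostname a quoted 'fqdn'."""
    if value is None:
        return None
    if IPV4_RE.match(value):
        return f"address {value}"
    host = value.strip('"')
    return f'fqdn "{host}"'


def lint_racoon_conf(text):
    """Return (line_number, message, suggested_line) tuples for identifier
    directives racoon would reject. Clean lines produce nothing."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = IDENT_RE.match(line)
        if not m:
            continue
        key, id_type, value = m.group("key"), m.group("type"), m.group("value")
        if id_type not in RACOON_ID_TYPES:
            fix = suggest_identifier(id_type, value)
            findings.append((lineno,
                             f'{key}: "{id_type}" is not a racoon identifier type',
                             f"{key} {fix};" if fix else None))
        elif id_type in QUOTED_TYPES and value is not None and not (
                value.startswith('"') and value.endswith('"')):
            findings.append((lineno,
                             f"{key}: {id_type} value must be a quoted string",
                             f'{key} {id_type} "{value}";'))
    return findings


# Constructed sample modelled on the generated config from the thread
# (documentation addresses, not the poster's).
SAMPLE_CONF = """\
path pre_shared_key "/var/etc/psk.txt";
remote 198.51.100.7 {
        exchange_mode aggressive;
        my_identifier dyn_dns 192.0.2.10;
        peers_identifier address 198.51.100.7;
        proposal_check obey;
}
"""

if __name__ == "__main__":
    for lineno, message, fix in lint_racoon_conf(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
        if fix:
            print(f"    suggested: {fix}")
```

Run it against `/var/etc/racoon.conf` after mounting read-write and it points at the same line racoon's parse error does, with a directive the daemon will actually accept.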





  • But I have the newest snap…

    Shall I wait until tomorrow?



  • Can I simply edit this file manually after I mounted / rw? Or does this not survive a reboot?



  • Yes, it survives. Just editing the file should be OK.



  • Ok, that seems to be working now, but this simple IPSec, which worked before in 1.2.3-Release, does not anymore…

    Here is a log excerpt:

    Dec 29 09:17:42 voldemort racoon: INFO: @(#)ipsec-tools 0.8-alpha20090903 (http://ipsec-tools.sourceforge.net)
    Dec 29 09:17:42 voldemort racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
    Dec 29 09:17:42 voldemort racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
    Dec 29 09:17:42 voldemort racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Protocol not available
    Dec 29 09:17:42 voldemort racoon: INFO: 88.70.x.x[4500] used as isakmp port (fd=14)
    Dec 29 09:17:42 voldemort racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Protocol not available
    Dec 29 09:17:42 voldemort racoon: INFO: 88.70.x.x[500] used as isakmp port (fd=15)
    Dec 29 09:17:42 voldemort racoon: INFO: unsupported PF_KEY message REGISTER
    Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.254/32[0] 10.0.100.0/24[0] proto=any dir=out
    Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.0/24[0] 10.0.100.254/32[0] proto=any dir=in
    Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 10.0.100.0/24[0] 192.168.100.0/24[0] proto=any dir=out
    Dec 29 09:17:42 voldemort racoon: ERROR: such policy already exists. anyway replace it: 192.168.100.0/24[0] 10.0.100.0/24[0] proto=any dir=in
    Dec 29 09:19:11 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
    Dec 29 09:19:11 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
    Dec 29 09:19:11 voldemort racoon: INFO: begin Aggressive mode.
    Dec 29 09:19:12 voldemort racoon: INFO: received Vendor ID: DPD
    Dec 29 09:19:12 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Dec 29 09:19:12 voldemort racoon: INFO: ISAKMP-SA established 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
    Dec 29 09:19:12 voldemort racoon: INFO: initiate new phase 2 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
    Dec 29 09:19:13 voldemort racoon: INFO: received RESPONDER-LIFETIME: 3600 seconds
    Dec 29 09:19:13 voldemort racoon: WARNING: RESPONDER-LIFETIME: lifetime mismatch
    Dec 29 09:19:13 voldemort racoon: INFO: IPsec-SA established: ESP 88.70.x.x[500]->213.178.x.x[500] spi=75203097(0x47b8219)
    Dec 29 09:19:13 voldemort racoon: INFO: IPsec-SA established: ESP 88.70.x.x[500]->213.178.x.x[500] spi=2773734705(0xa553d531)
    Dec 29 09:38:29 voldemort racoon: INFO: unsupported PF_KEY message REGISTER
    Dec 29 09:40:54 voldemort racoon: INFO: DPD: remote (ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919) seems to be dead.
    Dec 29 09:40:54 voldemort racoon: INFO: purging ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919.
    Dec 29 09:40:54 voldemort racoon: INFO: purged IPsec-SA spi=2773734705.
    Dec 29 09:40:54 voldemort racoon: INFO: purged IPsec-SA spi=75203097.
    Dec 29 09:40:54 voldemort racoon: INFO: purged ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919.
    Dec 29 09:40:55 voldemort racoon: INFO: ISAKMP-SA deleted 88.70.x.x[500]-213.178.x.x[500] spi:f8501bf9108f4a28:76828a5329d45919
    Dec 29 09:41:04 voldemort racoon: INFO: respond new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
    Dec 29 09:41:04 voldemort racoon: INFO: begin Aggressive mode.
    Dec 29 09:41:04 voldemort racoon: INFO: received Vendor ID: DPD
    Dec 29 09:41:05 voldemort racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
    Dec 29 09:41:06 voldemort racoon: NOTIFY: the packet is retransmitted by 213.178.x.x[500] (1).
    Dec 29 09:41:13 voldemort last message repeated 2 times
    Dec 29 09:41:55 voldemort racoon: ERROR: phase1 negotiation failed due to time up. f0dc60d957bf772f:9e743eaa7e86d145
    Dec 29 09:42:07 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
    Dec 29 09:43:34 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
    Dec 29 09:43:34 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
    Dec 29 09:43:34 voldemort racoon: INFO: begin Aggressive mode.
    Dec 29 09:44:05 voldemort racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 213.178.x.x[0]->88.70.x.x[0]
    Dec 29 09:44:05 voldemort racoon: INFO: delete phase 2 handler.
    Dec 29 09:44:24 voldemort racoon: ERROR: phase1 negotiation failed due to time up. b573a82910ca1086:0000000000000000
    Dec 29 09:44:42 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
    Dec 29 09:47:59 voldemort racoon: INFO: IPsec-SA request for 213.178.x.x queued due to no phase1 found.
    Dec 29 09:47:59 voldemort racoon: INFO: initiate new phase 1 negotiation: 88.70.x.x[500]<=>213.178.x.x[500]
    Dec 29 09:47:59 voldemort racoon: INFO: begin Aggressive mode.
    Dec 29 09:48:22 voldemort racoon: WARNING: unrecognized route message with rtm_type: 18
    Dec 29 09:48:31 voldemort racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 213.178.x.x[0]->88.70.x.x[0]
    Dec 29 09:48:31 voldemort racoon: INFO: delete phase 2 handler.
    Dec 29 09:48:50 voldemort racoon: ERROR: phase1 negotiation failed due to time up. 6b0b1e30ec5cce3f:0000000000000000

    This is a site to site VPN from my pfSense with DynDNS to our corporate WatchGuard running XTM 11.1…



  • Now I can see an error on the WatchGuard end:

    2009-12-29 10:04:12 iked WARNING: Mismatched ID settings at peer 88.70.x.x:500 caused an authentication failure  Debug

    But I think I have it right…

    My identifier in Phase 1 is Dynamic DNS with my xxx.dyndns.org
    Peer identifier in Phase 1 is IP Address with the correct static IP inserted.

    Any hints?
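The two logs above tell one story: racoon notes that it "couldn't find the proper pskey" for the peer's identity and falls back to the address, the WatchGuard reports "Mismatched ID settings", and later phase 1 attempts simply time out. As an added example (not code from this thread, pfSense or WatchGuard), here is a Python triage routine that walks a racoon log, reconstructs each phase 1 attempt and turns those symptoms into findings; the log excerpt is constructed after the one posted above, with documentation addresses and a made-up hostname, and the log format assumed is the syslog layout shown in the thread.

```python
import re
from collections import defaultdict

# Syslog layout as posted in the thread: "<ts> <host> racoon: <LEVEL>: <msg>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ racoon: (?P<level>[A-Z]+): (?P<msg>.*)$')
P1_START_RE = re.compile(
    r'(?P<role>initiate|respond) new phase 1 negotiation: '
    r'(?P<local>\S+?)\[\d+\]<=>(?P<peer>\S+?)\[\d+\]')


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("level"), m.group("msg")


def diagnose(attempts, lifetime_mismatch, dpd_dead):
    """Turn the per-attempt facts into plain findings for the operator."""
    findings = []
    by_peer = defaultdict(list)
    for a in attempts:
        by_peer[a["peer"]].append(a)
    for peer, tries in by_peer.items():
        timeouts = [a for a in tries if a["outcome"] == "timeout"]
        if any(a["psk_fallback"] for a in tries):
            findings.append(
                f"{peer}: peer ID matched no PSK entry; racoon fell back to the peer's address. "
                "Compare the Phase 1 'my identifier' / 'peer identifier' settings on both ends.")
        if timeouts and all(a["aggressive"] for a in timeouts):
            findings.append(
                f"{peer}: {len(timeouts)} Aggressive-mode phase 1 attempt(s) timed out. "
                "An initiator often sees only a timeout when the responder rejects its identity or PSK, "
                "so check the responder's log for an ID or authentication error.")
    if lifetime_mismatch:
        findings.append("RESPONDER-LIFETIME notify: the peer's SA lifetime differs from the configured one.")
    if dpd_dead:
        findings.append(f"DPD declared the peer dead {dpd_dead} time(s); the SA was purged and renegotiated.")
    return findings


def triage_racoon_log(text):
    """Return {'attempts': [...], 'findings': [...]} for a racoon log excerpt."""
    attempts = []          # one dict per phase 1 negotiation, in log order
    current = None
    lifetime_mismatch = False
    dpd_dead = 0
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, level, msg = parsed
        m = P1_START_RE.search(msg)
        if m:
            current = {"ts": ts, "role": m.group("role"), "peer": m.group("peer"),
                       "aggressive": False, "psk_fallback": False, "outcome": None}
            attempts.append(current)
        elif current is not None and current["outcome"] is None:
            if msg.startswith("begin Aggressive mode"):
                current["aggressive"] = True
            elif "couldn't find the proper pskey" in msg:
                current["psk_fallback"] = True
            elif msg.startswith("ISAKMP-SA established"):
                current["outcome"] = "established"
            elif msg.startswith("phase1 negotiation failed due to time up"):
                current["outcome"] = "timeout"
        if "lifetime mismatch" in msg:
            lifetime_mismatch = True
        if "seems to be dead" in msg:
            dpd_dead += 1
    return {"attempts": attempts,
            "findings": diagnose(attempts, lifetime_mismatch, dpd_dead)}


# Constructed excerpt modelled on the posted log (RFC 5737 addresses, host "fw").
SAMPLE_LOG = """\
Dec 29 09:19:11 fw racoon: INFO: initiate new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.7[500]
Dec 29 09:19:11 fw racoon: INFO: begin Aggressive mode.
Dec 29 09:19:12 fw racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 29 09:19:12 fw racoon: INFO: ISAKMP-SA established 192.0.2.10[500]-198.51.100.7[500] spi:f8501bf9108f4a28:76828a5329d45919
Dec 29 09:19:13 fw racoon: WARNING: RESPONDER-LIFETIME: lifetime mismatch
Dec 29 09:40:54 fw racoon: INFO: DPD: remote (ISAKMP-SA spi=f8501bf9108f4a28:76828a5329d45919) seems to be dead.
Dec 29 09:41:04 fw racoon: INFO: respond new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.7[500]
Dec 29 09:41:04 fw racoon: INFO: begin Aggressive mode.
Dec 29 09:41:05 fw racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Dec 29 09:41:55 fw racoon: ERROR: phase1 negotiation failed due to time up. f0dc60d957bf772f:9e743eaa7e86d145
Dec 29 09:43:34 fw racoon: INFO: initiate new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.7[500]
Dec 29 09:43:34 fw racoon: INFO: begin Aggressive mode.
Dec 29 09:44:24 fw racoon: ERROR: phase1 negotiation failed due to time up. b573a82910ca1086:0000000000000000
"""

if __name__ == "__main__":
    result = triage_racoon_log(SAMPLE_LOG)
    for a in result["attempts"]:
        print(f"{a['ts']} {a['role']:8} {a['peer']} aggressive={a['aggressive']} "
              f"psk_fallback={a['psk_fallback']} outcome={a['outcome']}")
    for f in result["findings"]:
        print("-", f)
```

The first finding is the one that matters for this thread: racoon could not look up a pre-shared key by the identity the peer sent, which is the same mismatch the WatchGuard reports from its side, and it explains why changing the identifier type on both ends to something both implementations encode identically is what makes the tunnel come up.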



  • Now I changed my identifier to user distinguished name on both ends and just entered user@domain without a .something at the end and the tunnel established ;)
    I'll have a look at the stability right now.

    Crossing fingers ;-)

