From: Hanne M. <hm...@it...> - 2005-06-03 11:59:01
Hello ipsec-tools-users list.

I have a Linux ipsec-tools machine talking to someone else's Checkpoint Firewall 1, tunneling some connections between the networks behind. I have a couple of host-to-host connections which work fine through the ipsec tunnel. Now I try to connect a subnet behind my ipsec machine to a specific machine behind the other person's Firewall 1. This goes fine if I put my test machine's specific IP address into the spdadd policy, but if I use the subnet address, it doesn't work. Phase 1 completes but phase 2 fails with:

    Jun 3 11:28:04 fedtmule racoon: ERROR: unknown notify message, no phase2 handle found.
    Jun 3 11:28:04 fedtmule racoon: DEBUG: notification message 18:INVALID-ID-INFORMATION, doi=1 proto_id=3 spi=04472

I have googled and read man pages without much luck, and have reached the point where I need some help.

    My net 192.168.100.0/23
     ___
    |   |
    |___|\        My firewall               Firewall 1       Dest host
     ___  \        ___                       ___              ___
    |   |  \      |   |                     |   |            |   |
    |___|---      |___|---------------------|___|--------    |___|
     ___  /    (ipsec-tools Linux)                           192.168.400.47
    |   |/       192.168.200.1             192.168.300.1
    |___|
    My host
    192.168.100.40

In reality all the IP addresses are real and there is no NATing involved. I have just replaced them with private IP addresses in this mail.

My policies:

    #!/usr/local/sbin/setkey -f
    flush;
    spdflush;
    spdadd 192.168.100.0/23 192.168.400.47 any -P out ipsec
        esp/tunnel/192.168.200.1-192.168.300.1/require;
    spdadd 192.168.400.47 192.168.100.0/23 any -P in ipsec
        esp/tunnel/192.168.300.1-192.168.200.1/require;

My racoon.conf (with all commented out lines removed to make it shorter):

    path include "/usr/local/etc/racoon";
    path pre_shared_key "/usr/local/etc/racoon/psk.txt";

    padding
    {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
    }

    listen
    {
        isakmp 192.168.200.1;
    }

    timer
    {
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 15 sec;
    }

    # Anonymous
    remote anonymous
    {
        exchange_mode main;
        nonce_size 16;
        lifetime time 1440 min; # sec,min,hour
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

    # Anonymous
    sainfo anonymous
    {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }

    log debug2;

The policy that works:

    spdadd 192.168.100.40 192.168.400.47 any -P out ipsec
        esp/tunnel/192.168.200.1-192.168.300.1/require;
    spdadd 192.168.400.47 192.168.100.40 any -P in ipsec
        esp/tunnel/192.168.300.1-192.168.200.1/require;

kernel version: 2.6.8-1.521 (fedora)
ipsec-tools version: 0.5.2

The Firewall 1 administrator says he has enabled the "Support Key Exchange for subnets" setting and he has a rule for my 192.168.100.0/23 network.

In fact my 192.168.100.0/23 net is split up in smaller /27 subnets. So I really come from the subnet 192.168.100.32/27. Can this be the problem? The racoon man page says something about the sainfo address or idtype field not being a filter rule and having to match exactly, but I have not specified network addresses in sainfo in racoon.conf at all. I have tried changing my policies to match only the 192.168.100.32/27 network, and that didn't help (same error), but of course, the other end still has 192.168.100.0/23. I just wonder why my 192.168.100.40 goes right through if that is the problem?

Are there any specific settings I should set for subnets? What does the error message mean? In theory, shouldn't a "larger subnet mask" work for the lesser subnets?

Best regards,

-- 
Hanne Munkholm
IT University of Copenhagen
Email: hm...@it...
Phone: +45 72 18 51 19
Address: Rued Langgaards Vej 7, 2300 Copenhagen S

I love deadlines. I especially like the whooshing sound they make as they go flying by.
-- Douglas Adams
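The mail's own diagnosis points at the IKEv1 phase-2 identities: racoon derives the proposed IDci/IDcr from the spdadd selector (a /32 selector becomes an address ID, a wider prefix a subnet ID), and the racoon man page says the responder's configured IDs must match exactly rather than act as a filter, so a /27 proposed against a peer configured for the enclosing /23 is not an exact match. The following is an added example, not code from the mail, from ipsec-tools or from Checkpoint: it parses setkey spdadd lines, derives the IDs that would be proposed, and classifies each against the IDs the peer is configured for as exact, subset, superset, overlap or disjoint. All addresses in it are constructed placeholders (the mail's sanitised addresses such as 192.168.400.47 are not valid IPv4, so valid RFC 1918 addresses stand in for them), and the function and variable names are this example's own.

```python
import ipaddress
import re

# Constructed sample: the same shape as the mail's policies, with valid
# placeholder addresses (10.9.8.47 = destination host, 10.9.9.1 = Firewall 1).
LOCAL_SPD = """
spdadd 192.168.100.0/23 10.9.8.47 any -P out ipsec esp/tunnel/192.168.200.1-10.9.9.1/require;
spdadd 10.9.8.47 192.168.100.0/23 any -P in ipsec esp/tunnel/10.9.9.1-192.168.200.1/require;
"""

# Matches: spdadd <src> <dst> <proto> -P <in|out> ipsec <rule>;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+(\S+);"
)


def parse_spd(text):
    """Return (src, dst, direction, rule) tuples for each spdadd line."""
    return [m.groups() for m in SPDADD_RE.finditer(text)]


def phase2_id(selector):
    """IKEv1 ID payload racoon derives from an SPD endpoint (assumption about
    racoon's behaviour stated in the lead-in): a full-length prefix is sent as
    ID_IPV4_ADDR, anything shorter as ID_IPV4_ADDR_SUBNET."""
    net = ipaddress.ip_network(selector, strict=False)
    if net.prefixlen == net.max_prefixlen:
        return "ID_IPV4_ADDR", net
    return "ID_IPV4_ADDR_SUBNET", net


def compare_ids(proposed, configured):
    """Classify how a proposed ID relates to the responder's configured one.
    Only 'exact' satisfies a responder that requires identical IDs."""
    if proposed == configured:
        return "exact"
    if proposed.subnet_of(configured):
        return "subset"
    if proposed.supernet_of(configured):
        return "superset"
    if proposed.overlaps(configured):
        return "overlap"
    return "disjoint"


def check_policy(spd_text, peer_expects_remote, peer_expects_local):
    """For every outbound spdadd, derive IDci (our source selector) and IDcr
    (our destination selector) and compare them with what the peer expects
    for its remote side and its local side respectively."""
    want_remote = ipaddress.ip_network(peer_expects_remote, strict=False)
    want_local = ipaddress.ip_network(peer_expects_local, strict=False)
    results = []
    for src, dst, direction, _rule in parse_spd(spd_text):
        if direction != "out":
            continue  # inbound policy mirrors the outbound one
        idci_type, idci = phase2_id(src)
        idcr_type, idcr = phase2_id(dst)
        results.append({
            "idci": f"{idci_type} {idci}",
            "idcr": f"{idcr_type} {idcr}",
            "idci_match": compare_ids(idci, want_remote),
            "idcr_match": compare_ids(idcr, want_local),
        })
    return results


if __name__ == "__main__":
    # Peer configured for our whole /23 talking to its single host.
    for r in check_policy(LOCAL_SPD, "192.168.100.0/23", "10.9.8.47"):
        print(r)
    # The /27 variant the mail tried while the peer still had the /23.
    narrow = ("spdadd 192.168.100.32/27 10.9.8.47 any -P out ipsec "
              "esp/tunnel/192.168.200.1-10.9.9.1/require;")
    for r in check_policy(narrow, "192.168.100.0/23", "10.9.8.47"):
        print(r)
```

Run against the /23 policy the result is an exact match on both IDs; run against the /27 variant IDci comes back as "subset", which is the situation the man page's exact-match wording describes. The script only compares prefixes; whether a given responder also insists on the ID type (address versus /32 subnet) is implementation-specific and not something this example decides.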