From: Paulo M. <mar...@go...> - 2009-12-09 13:58:52
Hello List,

my scenario is as follows: one Linux server with ipsec-tools tries to connect to a "Lancom 7111" VPN appliance. Phase 1 completes successfully, while phase 2 shows pfkey-errors.

I have no idea about the pfkey-errors (pfkey ?). Maybe some kind of incompatibility? The logs show "Protocol not supported"?

Thanks in advance for any tips about these errors.

Cheers
PM

========================================================================

A.A.A.A == Linux Server, ipsec-tools
B.B.B.B == Lancom 7111 VPN Gate

Dec 8 22:49:37 EL065 racoon: INFO: @(#)ipsec-tools 0.6.5 (http://ipsec-tools.sourceforge.net)
Dec 8 22:49:37 EL065 racoon: INFO: @(#)This product linked OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (http://www.openssl.org/)
Dec 8 22:49:37 EL065 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Dec 8 22:49:37 EL065 racoon: INFO: 127.0.0.1[500] used for NAT-T
Dec 8 22:49:37 EL065 racoon: INFO: A.A.A.A[500] used as isakmp port (fd=9)
Dec 8 22:49:37 EL065 racoon: INFO: A.A.A.A[500] used for NAT-T
Dec 8 22:49:37 EL065 racoon: INFO: ::1[500] used as isakmp port (fd=10)
Dec 8 22:49:37 EL065 racoon: INFO: 219::fe80:b06c:fe5c:99ff%eth0[500] used as isakmp port (fd=11)
Dec 8 22:49:47 EL065 racoon: INFO: respond new phase 1 negotiation: A.A.A.A[500]<=>B.B.B.B[500]
Dec 8 22:49:47 EL065 racoon: INFO: begin Identity Protection mode.
Dec 8 22:49:47 EL065 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Dec 8 22:49:47 EL065 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Dec 8 22:49:47 EL065 racoon: INFO: received Vendor ID: RFC 3947
Dec 8 22:49:47 EL065 racoon: INFO: received Vendor ID: DPD
Dec 8 22:49:47 EL065 racoon: INFO: received Vendor ID: DPD
Dec 8 22:49:47 EL065 racoon: INFO: ISAKMP-SA established A.A.A.A[500]-B.B.B.B[500] spi:947dbcba5a44d195:45758fd83d1241f9
Dec 8 22:49:47 EL065 racoon: INFO: respond new phase 2 negotiation: A.A.A.A[500]<=>B.B.B.B[500]
Dec 8 22:49:47 EL065 racoon: ERROR: not matched
Dec 8 22:49:47 EL065 racoon: ERROR: not matched
Dec 8 22:49:47 EL065 racoon: ERROR: pfkey UPDATE failed: Protocol not supported
Dec 8 22:49:47 EL065 racoon: ERROR: pfkey UPDATE failed: Protocol not supported
Dec 8 22:49:47 EL065 racoon: ERROR: pfkey ADD failed: Protocol not supported
Dec 8 22:49:47 EL065 racoon: ERROR: pfkey ADD failed: Protocol not supported
Dec 8 22:50:17 EL065 racoon: INFO: IPsec-SA expired: AH/Tunnel B.B.B.B[0]->A.A.A.A[0] spi=103419513(0x62a0e79)
Dec 8 22:50:17 EL065 racoon: WARNING: the expire message is received but the handler has not been established.
Dec 8 22:50:17 EL065 racoon: ERROR: B.B.B.B give up to get IPsec-SA due to time up to wait.
Dec 8 22:50:17 EL065 racoon: INFO: IPsec-SA expired: ESP/Tunnel B.B.B.B[0]->A.A.A.A[0] spi=49374108(0x2f1639c)
Dec 8 22:51:01 EL065 racoon: INFO: initiate new phase 2 negotiation: A.A.A.A[500]<=>B.B.B.B[500]
Dec 8 22:51:02 EL065 racoon: ERROR: pfkey UPDATE failed: Protocol not supported
Dec 8 22:51:02 EL065 racoon: ERROR: pfkey UPDATE failed: Protocol not supported
Dec 8 22:51:02 EL065 racoon: ERROR: pfkey ADD failed: Protocol not supported
Dec 8 22:51:02 EL065 racoon: ERROR: pfkey ADD failed: Protocol not supported
Dec 8 22:51:31 EL065 racoon: ERROR: B.B.B.B give up to get IPsec-SA due to time up to wait.
Dec 8 22:51:31 EL065 racoon: INFO: IPsec-SA expired: AH/Tunnel B.B.B.B[0]->A.A.A.A[0] spi=263349072(0xfb26350)
Dec 8 22:51:31 EL065 racoon: INFO: IPsec-SA expired: ESP/Tunnel B.B.B.B[0]->A.A.A.A[0] spi=210541648(0xc8c9c50)

========================================================================

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

timer {
    counter 5;
    interval 20 sec;
    persend 1;
    phase1 30 sec;
    phase2 30 sec;
}

sainfo anonymous {
    pfs_group 2;
    lifetime time 1 hour ;
    encryption_algorithm blowfish 448, rijndael ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

log debug;

remote B.B.B.B {
    exchange_mode main;
    my_identifier address;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

========================================================================