From: Mick <mic...@gm...> - 2014-02-13 10:14:26

On Thursday 13 Feb 2014 00:18:22 Melissa Jenkins wrote:
> > Fair enough. From what you shared there is a "remoteid mismatch: 0 != 1"
> > reported, which says that the remote end is not sending the id requested
> > from your local peer. Have you tried increasing the verbosity of the
> > log and also have a look at the remote peer's logs?
> >
> >> Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
> >> Feb 11 06:45:30 bogons1vpn racoon: DEBUG: remoteid mismatch: 0 != 1
>
> Yup - that’s because the ANONYMOUS sainfo doesn’t match because of the peer
> id. As I don’t want it to match this isn’t actually a problem :)

OK, I don't know your full topology or how the remote peer is configured, so
I am getting confused here. Please ignore my suggestion if not relevant.

> >> Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo: loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='ANY', id=1
> >> Feb 11 06:45:30 bogons1vpn racoon: DEBUG: check and compare ids : proto_id mismatch 0 != 47
>
> This is the one that should match that isn’t :(

Did you try offering both 3des and aes, but listing aes first? If the remote
peer wants aes then it should respond to this first.

> Unfortunately I am unable to get access to the remote log - I am currently
> logging at DEBUG and I don’t really want to increase this as it has a
> negative impact on a lot of other IPsecs!

Right, but I was just saying add a -ddd when you launch a racoon session to
find out what is happening in more detail, only for a short period of time.

> I shall see if I can reproduce with an ipsec-tools to ipsec-tools
> configuration.
>
> > > On 13 Feb 2014, at 12:57, Mick <michaelkint
> > > Alternatively, you may want to try posting at the ipsec-tools-devel list
> > > in case you have come across a bug.
>
> Attached original mail below and copied
>
> Thanks!
> Mel
>
> > Begin forwarded message:
> >
> > From: Melissa Jenkins <mel...@li...>
> > Subject: [Ipsec-tools-users] Failure matching sainfo when PFS is not configured
> > Date: 11 February 2014 20:27:35 GMT+13
> > To: "ips...@li..." <ips...@li...>
> >
> > I’ve been trying to configure ipsec-tools to talk to a peer that prefers
> > not to use PFS. Our default configuration uses 3DES, but this specific
> > VPN needs to be configured using AES256.
> >
> > I have confirmed that AES256 works correctly and when configured as the
> > default the IPsec will establish.
> >
> > If the AES256 setting is configured using a ‘sainfo’ specific for that
> > IPsec it will only work if pfs_group is configured.
> >
> > Without configuring pfs_group I always get the following logging. It
> > then proceeds to fail to match the PH2 proposed as it is using 3DES
> > rather than the sainfo specified AES256.
> >
> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: getsainfo params: loc='192.168.0.0/24' rmt='192.168.1.0/24' peer='xxx.yyy.zzz.aaa' client='NULL' id=1
> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo: loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='ANY', id=1
> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: check and compare ids : proto_id mismatch 0 != 47
> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
> > Feb 11 06:45:30 bogons1vpn racoon: DEBUG: remoteid mismatch: 0 != 1
> >
> > I am using 8.0 rev 2 on FreeBSD 8.3. I can’t see anything in the change
> > log to suggest this would be different in later versions. I’ve had a
> > peek in the code but I can’t see why setting PFS would change this
> > situation.
> >
> > Thanks,
> > Mel
> >
> > remote xxx.yyy.zzz.aaa
> > {
> >         exchange_mode main;
> >         doi ipsec_doi;
> >         situation identity_only;
> >         nonce_size 16;
> >         initial_contact on;
> >         proposal_check obey;
> >         dpd_delay 120;
> >         ph1id 1;
> >
> >         proposal {
> >                 encryption_algorithm aes 256;
> >                 hash_algorithm sha1;
> >                 authentication_method pre_shared_key;
> >                 dh_group modp1024;
> >                 lifetime time 7200 seconds;
> >         }
> > }
> >
> > sainfo subnet 192.168.0.0/24 any subnet 192.168.1.0/24 any
> > {
> >         remoteid 1;
> >         encryption_algorithm aes 256;
> >         authentication_algorithm hmac_sha1;
> >         compression_algorithm deflate;
> >         lifetime time 3600 seconds;
> > }

-- 
Regards,
Mick
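The racoon DEBUG output quoted in this thread is easier to triage when each "evaluating sainfo" candidate is paired with the mismatch line racoon logs right after it. The script below is an added example, not code from the thread or from ipsec-tools; it parses lines in that format and reports why each sainfo block was rejected, with the sample log constructed from the lines Mel posted (peer address anonymised as in the thread).

```python
import re
from dataclasses import dataclass
from typing import Optional, List, Tuple, Dict

# Constructed sample: the racoon DEBUG lines quoted in the thread, one lookup.
SAMPLE_LOG = """\
Feb 11 06:45:30 bogons1vpn racoon: DEBUG: getsainfo params: loc='192.168.0.0/24' rmt='192.168.1.0/24' peer='xxx.yyy.zzz.aaa' client='NULL' id=1
Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo: loc='192.168.0.0/24', rmt='192.168.1.0/24', peer='ANY', id=1
Feb 11 06:45:30 bogons1vpn racoon: DEBUG: check and compare ids : proto_id mismatch 0 != 47
Feb 11 06:45:30 bogons1vpn racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
Feb 11 06:45:30 bogons1vpn racoon: DEBUG: remoteid mismatch: 0 != 1
"""

DEBUG_RE = re.compile(r"racoon: DEBUG: (?P<msg>.*)$")
PARAMS_RE = re.compile(r"getsainfo params: (?P<kv>.*)")
EVAL_RE = re.compile(r"evaluating sainfo: (?P<kv>.*)")
KV_RE = re.compile(r"(\w+)='?([^',\s]+)'?")   # key='value' or key=value


@dataclass
class Candidate:
    loc: str
    rmt: str
    peer: str
    id: str
    rejected: Optional[str] = None   # racoon's mismatch line, None if it matched


def parse_kv(text: str) -> Dict[str, str]:
    return dict(KV_RE.findall(text))


def triage(log: str) -> Tuple[Dict[str, str], List[Candidate]]:
    """Pair each evaluated sainfo with the mismatch reason logged after it."""
    request: Dict[str, str] = {}
    candidates: List[Candidate] = []
    for line in log.splitlines():
        m = DEBUG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if (p := PARAMS_RE.match(msg)):
            request = parse_kv(p.group("kv"))        # what the peer asked for
        elif (e := EVAL_RE.match(msg)):
            kv = parse_kv(e.group("kv"))
            candidates.append(Candidate(kv["loc"], kv["rmt"], kv["peer"], kv["id"]))
        elif candidates and candidates[-1].rejected is None and "mismatch" in msg:
            candidates[-1].rejected = msg             # belongs to the last candidate
    return request, candidates


def selected(candidates: List[Candidate]) -> Optional[Candidate]:
    """First sainfo that racoon did not reject, or None if every one failed."""
    return next((c for c in candidates if c.rejected is None), None)


if __name__ == "__main__":
    req, cands = triage(SAMPLE_LOG)
    print("lookup for id=%s peer=%s" % (req.get("id"), req.get("peer")))
    for c in cands:
        print("  sainfo id=%s %s->%s: %s" % (c.id, c.loc, c.rmt, c.rejected or "MATCH"))
    print("selected:", selected(cands))
```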