From: Pier <pi...@ya...> - 2010-02-17 09:59:35
Here is my racoon.conf:

    remote 2.2.2.2
    {
        exchange_mode main;
        verify_cert on;
        my_identifier address 1.1.1.1;
        lifetime time 86400 seconds ;
        # nat_traversal on;
        dpd_delay 10;
        # proposal_check claim ;
        proposal_check obey ;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm sha1;
            authentication_method pre_shared_key;
            dh_group 2;
        }
    }

And here is the spd config:

    spdadd 192.168.1.0/24 10.13.137.32/27 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
    spdadd 192.168.1.0/24 2.2.2.2/32 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
    spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
    spdadd 1.1.1.1/32 10.13.137.32/27 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
    spdadd 10.13.137.32/27 192.168.1.0/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
    spdadd 10.13.137.32/27 1.1.1.1/32 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
    spdadd 2.2.2.2/32 192.168.1.0/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;
    spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/require;

The other side is doing some troubleshooting as well. The racoon conf is a little messy because I tried everything. This is just the last one I tried.

Thanks
Pier
From: Pier <pi...@ya...> - 2010-02-17 14:01:30
I got the vpn disconnected again. Here is the log:

    2010-02-17 14:15:33: DEBUG: ===
    2010-02-17 14:15:33: DEBUG: 84 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
    2010-02-17 14:15:33: DEBUG:
    2010-02-17 14:15:33: DEBUG: receive Information.
    2010-02-17 14:15:33: DEBUG: compute IV for phase2
    2010-02-17 14:15:33: DEBUG: phase1 last IV:
    2010-02-17 14:15:33: DEBUG:
    2010-02-17 14:15:33: DEBUG: hash(sha1)
    2010-02-17 14:15:33: DEBUG: encryption(3des)
    2010-02-17 14:15:33: DEBUG: phase2 IV computed:
    2010-02-17 14:15:33: DEBUG:
    2010-02-17 14:15:33: DEBUG: begin decryption.
    2010-02-17 14:15:33: DEBUG: encryption(3des)
    2010-02-17 14:15:33: DEBUG: IV was saved for next processing:
    2010-02-17 14:15:33: DEBUG:
    2010-02-17 14:15:33: DEBUG: encryption(3des)
    2010-02-17 14:15:33: DEBUG: with key:
    2010-02-17 14:15:33: DEBUG:
    2010-02-17 14:15:33: DEBUG: decrypted payload by IV:
    2010-02-17 14:15:33: DEBUG:
    2010-02-17 14:15:33: DEBUG: decrypted payload, but not trimed.
    2010-02-17 14:15:33: DEBUG:
    2010-02-17 14:15:33: DEBUG: padding len=1
    2010-02-17 14:15:33: DEBUG: skip to trim padding.
    2010-02-17 14:15:33: DEBUG: decrypted.
    2010-02-17 14:15:33: DEBUG:
    2010-02-17 14:15:33: DEBUG: IV freed
    2010-02-17 14:15:33: DEBUG: HASH with:
    2010-02-17 14:15:33: DEBUG:
    2010-02-17 14:15:33: DEBUG: hmac(hmac_sha1)
    2010-02-17 14:15:33: DEBUG: HASH computed:
    2010-02-17 14:15:33: DEBUG:
    2010-02-17 14:15:33: DEBUG: hash validated.
    2010-02-17 14:15:33: DEBUG: begin.
    2010-02-17 14:15:33: DEBUG: seen nptype=8(hash)
    2010-02-17 14:15:33: DEBUG: seen nptype=12(delete)
    2010-02-17 14:15:33: DEBUG: succeed.
    2010-02-17 14:15:33: DEBUG: delete payload for protocol ISAKMP
    2010-02-17 14:15:33: INFO: ISAKMP-SA expired 1.1.1.1[500]-2.2.2.2[500] spi:0f59a95a8c8bfde6:673dbc6922ad16be
    2010-02-17 14:15:33: DEBUG: purged SAs.
    2010-02-17 14:15:34: INFO: ISAKMP-SA deleted 1.1.1.1[500]-2.2.2.2[500] spi:0f59a95a8c8bfde6:673dbc6922ad16be
    2010-02-17 14:15:34: DEBUG: IV freed

Why is it then not reactivated automatically?

Pier
From: Silvian C. <sil...@gm...> - 2010-02-17 14:12:09
I use "unique" instead of "require" when the other encrypted domain is not a continuous network.

Are you sure the lifetime values for both phase 1 and phase 2 are the same at both ends?

On 17 February 2010 15:34, Pier <pi...@ya...> wrote:
> I got the vpn disconnected again.
> Here is the log:
> [...]
> Why is it then not reactivated automatically?
>
> Pier

--
Silvian Cretu
http://www.silviancretu.ro/
From: Pier <pi...@ya...> - 2010-02-17 14:37:56
> I use "unique" instead of "require" when the other encrypted domain is not a
> continuous network.

Ah, that's why. So in the end, when you use multiple encryption domains, you use unique.

> Are you sure the lifetime values for both phase 1 and phase 2 are the same
> at both ends?

Yes... I don't know right now, but last time they were synchronized.

But is it normal that when it disconnects, it's not available until I force a vpn-connect again? Shouldn't traffic make the vpn available?

Thanks
Pier
From: Pier <pi...@ya...> - 2010-02-17 15:44:28
I post here the sainfos (Milan, I don't get your emails from the ipsec ML).

    sainfo address 192.168.1.0/24 any address 10.13.137.32/27 any
    {
        pfs_group 2;
        lifetime time 86400 seconds ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
    }

    sainfo address 192.168.1.0/24 any address 10.13.144.0/24 any
    {
        pfs_group 2;
        lifetime time 86400 seconds ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
    }

    sainfo address 192.168.1.0/24 any address 10.13.145.0/24 any
    {
        pfs_group 2;
        lifetime time 86400 seconds ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
    }

    sainfo address 1.1.1.1/32 any address 10.13.137.32/27 any
    {
        pfs_group 2;
        lifetime time 86400 seconds ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
    }

    sainfo address 1.1.1.1/32 any address 10.13.144.0/24 any
    {
        pfs_group 2;
        lifetime time 86400 seconds ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
    }

    sainfo address 1.1.1.1/32 any address 10.13.145.0/24 any
    {
        pfs_group 2;
        lifetime time 86400 seconds ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
    }

    sainfo address 1.1.1.1/32 any address 2.2.2.2/32 any
    {
        pfs_group 2;
        lifetime time 86400 seconds ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
    }

    sainfo address 192.168.1.0/24 any address 2.2.2.2/32 any
    {
        pfs_group 2;
        lifetime time 86400 seconds ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_sha1 ;
        compression_algorithm deflate ;
    }
From: Neslihan G. <nes...@gm...> - 2010-02-18 21:53:40
Hi Pier,

In your configuration it seems that DPD (dead peer detection) is active. Maybe it is not active on the other end. Since you cannot get a reply to your dpd packets, the SAs are deleted. Check your dpd activity on both ends.

Just an idea..

Neslihan

On Wed, Feb 17, 2010 at 5:44 PM, Pier <pi...@ya...> wrote:
> I post here the sainfos (Milan, I don't get your emails from the ipsec ML).
> [...]
From: Pier <pi...@ya...> - 2010-02-19 11:47:03
I removed the DPD but I got disconnected again. This is the log after a while:

    2010-02-19 11:37:23: DEBUG: ===
    2010-02-19 11:37:23: DEBUG: 68 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
    2010-02-19 11:37:23: DEBUG: 88fb292b e5991226 655e5792 16abafa6 08100501 ed9b5e1b 00000044 ad912041 9777ee36 c662f51b 9c0d6315 d0452dc3 6a59aeb7 c27ba36f 9bc0fbc2 7044000f 9405e441
    2010-02-19 11:37:23: DEBUG: receive Information.
    2010-02-19 11:37:23: DEBUG: compute IV for phase2
    2010-02-19 11:37:23: DEBUG: phase1 last IV:
    2010-02-19 11:37:23: DEBUG: b210da97 0d4c2c1f ed9b5e1b
    2010-02-19 11:37:23: DEBUG: hash(sha1)
    2010-02-19 11:37:23: DEBUG: encryption(3des)
    2010-02-19 11:37:23: DEBUG: phase2 IV computed:
    2010-02-19 11:37:23: DEBUG: 6381bb1e 38ec8206
    2010-02-19 11:37:23: DEBUG: begin decryption.
    2010-02-19 11:37:23: DEBUG: encryption(3des)
    2010-02-19 11:37:23: DEBUG: IV was saved for next processing:
    2010-02-19 11:37:23: DEBUG: 7044000f 9405e441
    2010-02-19 11:37:23: DEBUG: encryption(3des)
    2010-02-19 11:37:23: DEBUG: with key:
    2010-02-19 11:37:23: DEBUG: bf8da677 447a5b07 833411a7 f64d7251 b656808a 20b69bda
    2010-02-19 11:37:23: DEBUG: decrypted payload by IV:
    2010-02-19 11:37:23: DEBUG: 6381bb1e 38ec8206
    2010-02-19 11:37:23: DEBUG: decrypted payload, but not trimed.
    2010-02-19 11:37:23: DEBUG: 0b000018 727edb55 b9f268b9 5285a1f6 40c070d5 eeb9ce6c 00000010 00000001 0304000b bde6ee64
    2010-02-19 11:37:23: DEBUG: padding len=101
    2010-02-19 11:37:23: DEBUG: skip to trim padding.
    2010-02-19 11:37:23: DEBUG: decrypted.
    2010-02-19 11:37:23: DEBUG: 88fb292b e5991226 655e5792 16abafa6 08100501 ed9b5e1b 00000044 0b000018 727edb55 b9f268b9 5285a1f6 40c070d5 eeb9ce6c 00000010 00000001 0304000b bde6ee64
    2010-02-19 11:37:23: DEBUG: IV freed
    2010-02-19 11:37:23: DEBUG: HASH with:
    2010-02-19 11:37:23: DEBUG: ed9b5e1b 00000010 00000001 0304000b bde6ee64
    2010-02-19 11:37:23: DEBUG: hmac(hmac_sha1)
    2010-02-19 11:37:23: DEBUG: HASH computed:
    2010-02-19 11:37:23: DEBUG: 727edb55 b9f268b9 5285a1f6 40c070d5 eeb9ce6c
    2010-02-19 11:37:23: DEBUG: hash validated.
    2010-02-19 11:37:23: DEBUG: begin.
    2010-02-19 11:37:23: DEBUG: seen nptype=8(hash)
    2010-02-19 11:37:23: DEBUG: seen nptype=11(notify)
    2010-02-19 11:37:23: DEBUG: succeed.
    2010-02-19 11:37:23: ERROR: fatal INVALID-SPI notify messsage, phase1 should be deleted.
    2010-02-19 11:37:23: DEBUG: notification message 11:INVALID-SPI, doi=1 proto_id=3 spi=bde6ee64(size=4).
    2010-02-19 11:37:23: DEBUG: ===

I don't see any other error messages.

Pier

--- On Thu 18/2/10, Neslihan Guler <nes...@gm...> wrote:
> From: Neslihan Guler <nes...@gm...>
> Subject: Re: [Ipsec-tools-devel] Problems racoon and cisco vpn
> To: "Pier" <pi...@ya...>
> Cc: "ipsec-tools-devel ipsec" <ips...@li...>
> Date: Thursday, 18 February 2010, 22:53
> Hi Pier,
> In your configuration it seems that DPD (dead peer detection) is active.
> [...]
> Just an idea..
From: Pier <pi...@ya...> - 2010-02-19 13:57:02
Another hint. After a while (the vpn tunnel was down) I saw these logs:

    2010-02-19 14:45:06: DEBUG: ===
    2010-02-19 14:45:06: DEBUG: 308 bytes message received from 2.2.2.2[500] to 1.1.1.1[500]
    2010-02-19 14:45:06: DEBUG: compute IV for phase2
    2010-02-19 14:45:06: DEBUG: phase1 last IV:
    2010-02-19 14:45:06: DEBUG: 041a57fb 5021c153 10cd17fa
    2010-02-19 14:45:06: DEBUG: hash(sha1)
    2010-02-19 14:45:06: DEBUG: encryption(3des)
    2010-02-19 14:45:06: DEBUG: phase2 IV computed:
    2010-02-19 14:45:06: DEBUG: 50db7a89 c7fc1539
    2010-02-19 14:45:06: DEBUG: ===
    2010-02-19 14:45:06: INFO: respond new phase 2 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]
    2010-02-19 14:45:06: DEBUG: begin decryption.
    2010-02-19 14:45:06: DEBUG: encryption(3des)
    2010-02-19 14:45:06: DEBUG: IV was saved for next processing:
    2010-02-19 14:45:06: DEBUG: b563d7d2 447f4146
    2010-02-19 14:45:06: DEBUG: encryption(3des)
    2010-02-19 14:45:06: DEBUG: with key:
    2010-02-19 14:45:06: DEBUG: 97a6e308 4c993c37 0f02cf83 0e66fc9f 1ef4139c d89be473
    2010-02-19 14:45:06: DEBUG: decrypted payload by IV:
    2010-02-19 14:45:06: DEBUG: 50db7a89 c7fc1539
    2010-02-19 14:45:06: DEBUG: decrypted payload, but not trimed.
    2010-02-19 14:45:06: DEBUG: padding len=1
    2010-02-19 14:45:06: DEBUG: skip to trim padding.
    2010-02-19 14:45:06: DEBUG: decrypted.
    2010-02-19 14:45:06: DEBUG: 1cf0ada1 7637b641 53c3b883 2cc3e14c 08102001 10cd17fa 00000134 01000018 1e4001f6 30e7cb7e 2733deac 2dc38368 6d696628 0a000044 00000001 00000001 00000038 01030401 274b7f8c 0000002c 01030000 80010001 00020004 00015180 80010002 00020004 7fffffff 80040001 80050002 80030002 04000018 aa279277 b6940eb6 ad12ca04 b2efe078 3dc5df18 05000084 4cfdf8cd e5b89a65 da9436aa 068ef524 77054bb0 35a45733 65f5ffdf 81990a0e 8132a258 f532a37b 8b061a06 8df7353d 8cb8fb55 e54edae4 9a7156aa 1c1988c1 837f2266 52a10ded 3c568a59 fdfbbed4 9a301513 ec7313e2 94aeb7b7 8c3423b3 c2100427 f9b90bbd 7c77571f 290b39a5 5a978c1b eac64ad4 2f08d8ef a1df9f7f 05000010 04000000 0a0d8920 ffffffe0 00000010 04000000 c0a80100 ffffff00
    2010-02-19 14:45:06: DEBUG: begin.
    2010-02-19 14:45:06: DEBUG: seen nptype=8(hash)
    2010-02-19 14:45:06: DEBUG: seen nptype=1(sa)
    2010-02-19 14:45:06: DEBUG: seen nptype=10(nonce)
    2010-02-19 14:45:06: DEBUG: seen nptype=4(ke)
    2010-02-19 14:45:06: DEBUG: seen nptype=5(id)
    2010-02-19 14:45:06: DEBUG: seen nptype=5(id)
    2010-02-19 14:45:06: DEBUG: succeed.
    2010-02-19 14:45:06: DEBUG: received IDci2:
    2010-02-19 14:45:06: DEBUG: 04000000 0a0d8920 ffffffe0
    2010-02-19 14:45:06: DEBUG: received IDcr2:
    2010-02-19 14:45:06: DEBUG: 04000000 c0a80100 ffffff00
    2010-02-19 14:45:06: DEBUG: HASH(1) validate:
    2010-02-19 14:45:06: DEBUG: 1e4001f6 30e7cb7e 2733deac 2dc38368 6d696628
    2010-02-19 14:45:06: DEBUG: HASH with:
    2010-02-19 14:45:06: DEBUG: hmac(hmac_sha1)
    2010-02-19 14:45:06: DEBUG: HASH computed:
    2010-02-19 14:45:06: DEBUG: 1e4001f6 30e7cb7e 2733deac 2dc38368 6d696628
    2010-02-19 14:45:06: DEBUG: configuration found for 2.2.2.2.
    2010-02-19 14:45:06: DEBUG: getsainfo params: loc='192.168.1.0/24', rmt='10.13.137.32/27', peer='2.2.2.2', id=0
    2010-02-19 14:45:06: DEBUG: getsainfo pass #1
    [...]

And after this, the tunnel is up and running. I still don't understand whether it's a problem on my side or not.

Pier
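The two "decrypted." dumps in the logs above (the 68-byte informational message carrying the INVALID-SPI notify, and the 308-byte quick-mode message whose ID payloads racoon prints as IDci2/IDcr2) can be checked by hand with the parser below. It is an added example, not code from this thread or from ipsec-tools; the two hex strings are copied from racoon's "decrypted." lines above, and the payload, exchange and notify numbers are the RFC 2408 values.

```python
import struct
from ipaddress import IPv4Address

# ISAKMP (RFC 2408) numbers needed to read racoon's "decrypted." dumps.
PAYLOAD_NAMES = {1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY", 12: "DELETE"}
EXCHANGE_NAMES = {2: "main mode", 5: "informational", 32: "quick mode"}
NOTIFY_NAMES = {11: "INVALID-SPI"}
ID_TYPE_NAMES = {1: "IPV4_ADDR", 4: "IPV4_ADDR_SUBNET"}

# Both dumps are copied verbatim from the racoon logs quoted in this thread.
INVALID_SPI_MSG = ("88fb292b e5991226 655e5792 16abafa6 08100501 ed9b5e1b 00000044 0b000018 "
                   "727edb55 b9f268b9 5285a1f6 40c070d5 eeb9ce6c 00000010 00000001 0304000b bde6ee64")
QUICK_MODE_MSG = ("1cf0ada1 7637b641 53c3b883 2cc3e14c 08102001 10cd17fa 00000134 01000018 "
                  "1e4001f6 30e7cb7e 2733deac 2dc38368 6d696628 0a000044 00000001 00000001 "
                  "00000038 01030401 274b7f8c 0000002c 01030000 80010001 00020004 00015180 "
                  "80010002 00020004 7fffffff 80040001 80050002 80030002 04000018 aa279277 "
                  "b6940eb6 ad12ca04 b2efe078 3dc5df18 05000084 4cfdf8cd e5b89a65 da9436aa "
                  "068ef524 77054bb0 35a45733 65f5ffdf 81990a0e 8132a258 f532a37b 8b061a06 "
                  "8df7353d 8cb8fb55 e54edae4 9a7156aa 1c1988c1 837f2266 52a10ded 3c568a59 "
                  "fdfbbed4 9a301513 ec7313e2 94aeb7b7 8c3423b3 c2100427 f9b90bbd 7c77571f "
                  "290b39a5 5a978c1b eac64ad4 2f08d8ef a1df9f7f 05000010 04000000 0a0d8920 "
                  "ffffffe0 00000010 04000000 c0a80100 ffffff00")

def parse_notify(body: bytes) -> dict:
    # Notification payload: DOI(4) proto(1) spi_size(1) type(2) SPI(spi_size) [data].
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    return {"doi": doi, "proto_id": proto, "notify_type": ntype,
            "notify_name": NOTIFY_NAMES.get(ntype, "other"),
            "spi": body[8:8 + spi_size].hex()}

def parse_id(body: bytes) -> dict:
    # Identification payload: id_type(1) protocol(1) port(2) then the identity data.
    id_type, _proto, _port = struct.unpack("!BBH", body[:4])
    entry = {"id_type": id_type, "id_name": ID_TYPE_NAMES.get(id_type, "other")}
    if id_type == 4 and len(body) == 12:            # IPV4_ADDR_SUBNET: address + netmask
        entry["addr"] = str(IPv4Address(body[4:8]))
        entry["mask"] = str(IPv4Address(body[8:12]))
    return entry

def parse_isakmp(hexdump: str) -> dict:
    """Walk the ISAKMP header and payload chain of one decrypted message."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if len(data) < 28:
        raise ValueError("message shorter than the 28-byte ISAKMP header")
    _ic, _rc, np, _ver, etype, flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):                         # header length must match the dump
        raise ValueError(f"header says {length} bytes, dump has {len(data)}")
    msg = {"exchange": etype, "exchange_name": EXCHANGE_NAMES.get(etype, "other"),
           "encrypted": bool(flags & 1), "msgid": f"{msgid:08x}", "payloads": []}
    off = 28
    while np != 0:                                  # next-payload 0 ends the chain
        if off + 4 > len(data):
            raise ValueError(f"payload header runs past the end at offset {off}")
        next_np, _rsv, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = data[off + 4:off + plen]
        entry = {"type": np, "name": PAYLOAD_NAMES.get(np, f"type{np}")}
        if np == 11:
            entry.update(parse_notify(body))
        elif np == 5:
            entry.update(parse_id(body))
        msg["payloads"].append(entry)
        off, np = off + plen, next_np
    return msg

if __name__ == "__main__":
    for dump in (INVALID_SPI_MSG, QUICK_MODE_MSG):
        m = parse_isakmp(dump)
        print(m["exchange_name"], m["msgid"], [p for p in m["payloads"] if p["type"] in (5, 11)])
```

The notify decodes to doi=1, proto_id=3, type 11 (INVALID-SPI), spi bde6ee64, matching racoon's own message, and the two ID payloads give 10.13.137.32/255.255.255.224 and 192.168.1.0/255.255.255.0, which are the rmt and loc values racoon then feeds to getsainfo.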
From: Silvian C. <sil...@gm...> - 2010-02-17 11:58:33
What happens if you replace "require" with "unique" in the spd config?

On 17 February 2010 11:59, Pier <pi...@ya...> wrote:
> Here is my racoon.conf:
> [...]
> And here is the spd config:
> [...]
> The other side is doing some troubleshooting as well.
> The racoon conf is a little messy because I tried everything.
> This is just the last one I tried.
> Thanks
>
> Pier

--
Silvian Cretu
http://www.silviancretu.ro/
From: Pier <pi...@ya...> - 2010-02-17 13:46:02
> What happens if you replace "require" with "unique" in the spd config?

It seems to work. Or at least the vpn is now up and running. I still have to see if it stays up or falls down after a while.

Anyway, what does unique do differently from require? I read the man page but I didn't understand "it allows the policy to match the unique out-bound SA". Since I have other vpns with other cisco devices, why was this one not working? Is it safe to substitute all require with unique?

Thanks
Pier
From: Milan P. S. <mp...@ar...> - 2010-02-17 14:42:25
On Wed, 2010-02-17 at 09:59, Pier wrote:
> Here is my racoon.conf:
>
> remote 2.2.2.2
> {
> [...]
> }

Do you have a sainfo section in racoon.conf?

> And here is the spd config:
>
> spdadd 192.168.1.0/24 10.13.137.32/27 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/require;
> [...]
>
> The other side is doing some troubleshooting as well.
> The racoon conf is a little messy because I tried everything.
> This is just the last one I tried.

If you expect help from the mailing list you should post the exact config with the relevant debug log.

--
Kind regards,
Milan
--------------------------------------------------
Arvanta, IT Security
http://www.arvanta.net
Please do not send me e-mail containing HTML code.