Thread: [Ipsec-tools-users] Racoon IKE negotiation failing (Phase1, Phase2 time up)
From: Sono C. <so...@ch...> - 2006-05-18 21:50:53
Hi,

I am trying to set up an encrypted network using transport mode and have been using the Linux IPSEC howto as a guide (http://www.ipsec-howto.org/t1.html). At the present moment I don't seem to have any errors other than:

ERROR: phase2 negotiation failed due to time up waiting for phase1
AND
ERROR: phase1 negotiation failed due to time up. 9de77ba4ed97943a:378cb900df9ee844

Has anyone had experience with this error, or is anyone able to guide me in a direction that could solve this? I have posted the details of my configuration below and appreciate any feedback or corrections.

I have two machines which I am testing between at the moment: 10.1.0.2/16 and 10.5.0.101/16

Below is a section of my racoon log file from 10.1.0.2:
------------------------------------------
2006-05-18 15:24:25: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:24:35: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:24:45: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:24:46: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.5.0.101[0]->10.1.0.2[0]
2006-05-18 15:24:46: INFO: delete phase 2 handler.
2006-05-18 15:24:55: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:24:57: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-05-18 15:25:05: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:25:15: ERROR: phase1 negotiation failed due to time up. 9de77ba4ed97943a:378cb900df9ee844
2006-05-18 15:25:28: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.5.0.101[0]->10.1.0.2[0]
2006-05-18 15:25:28: INFO: delete phase 2 handler.
2006-05-18 15:25:39: INFO: IPsec-SA request for 10.5.0.101 queued due to no phase1 found.
2006-05-18 15:25:39: INFO: initiate new phase 1 negotiation: 10.1.0.2[500]<=>10.5.0.101[500]
2006-05-18 15:25:39: INFO: begin Identity Protection mode.
2006-05-18 15:25:39: INFO: received Vendor ID: DPD
2006-05-18 15:25:49: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:25:59: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:26:09: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:26:10: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.5.0.101[0]->10.1.0.2[0]
2006-05-18 15:26:10: INFO: delete phase 2 handler.
2006-05-18 15:26:19: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:26:21: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
2006-05-18 15:26:29: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
------------------------------------------

My Security policy rules for 10.1.0.2
----------------------------------------------
#!/sbin/setkey -f
spdflush;
spdadd 10.1.0.1 10.5.0.101 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.1.0.2 10.5.0.101 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.5.0.101 10.1.0.1 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 10.5.0.101 10.1.0.2 any -P in ipsec esp/transport//require ah/transport//require;
-------------------------------------------

My Security policy rules for 10.5.0.101
----------------------------------------------
#!/sbin/setkey -f
spdflush;
spdadd 10.5.0.101 10.1.0.1 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.5.0.101 10.1.0.2 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.1.0.1 10.5.0.101 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 10.1.0.2 10.5.0.101 any -P in ipsec esp/transport//require ah/transport//require;
-------------------------------------------

racoon.conf on 10.1.0.2 & 10.5.0.101
----------------------------------------------
path pre_shared_key "/etc/racoon/psk.txt";

remote anonymous {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo anonymous {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
--------------------------------------------

/etc/racoon/psk.txt on 10.1.0.2 & on 10.5.0.101
-----------------------------------------------
10.5.0.101 sharekey
10.1.0.1 sharekey
10.1.0.2 sharekey
-----------------------------------------------

The permissions on psk.txt are 400. In addition it should be noted that I am using FreeBSD.

Thank You
Sono C
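As an added example (not from the post or from ipsec-tools), a small Python triage of racoon log lines like the excerpt above: it counts retransmissions per peer and phase 1/2 timeouts and flags a negotiation that is initiated but never yields an ISAKMP-SA, the pattern that the thread later traces to firewall, routing and DNS problems rather than to the IPsec configuration itself. The sample log is a constructed copy of a few lines from the post; the "ISAKMP-SA established" string is assumed to be racoon's phase 1 success message and does not appear in the post.

```python
import re
from collections import Counter

# Constructed sample in racoon's log format, modelled on the excerpt in the post above.
SAMPLE_LOG = """\
2006-05-18 15:24:25: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:24:35: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
2006-05-18 15:24:46: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.5.0.101[0]->10.1.0.2[0]
2006-05-18 15:25:15: ERROR: phase1 negotiation failed due to time up. 9de77ba4ed97943a:378cb900df9ee844
2006-05-18 15:25:39: INFO: initiate new phase 1 negotiation: 10.1.0.2[500]<=>10.5.0.101[500]
2006-05-18 15:25:39: INFO: received Vendor ID: DPD
2006-05-18 15:25:49: NOTIFY: the packet is retransmitted by 10.5.0.101[500].
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (\w+): (.*)$")
PATTERNS = {  # checked in order; first match classifies the line
    "retransmit": re.compile(r"the packet is retransmitted by (\S+?)\[(\d+)\]"),
    "phase1_started": re.compile(r"initiate new phase 1 negotiation"),
    "phase1_timeout": re.compile(r"phase1 negotiation failed due to time up"),
    "phase2_timeout": re.compile(r"phase2 negotiation failed due to time up"),
    # Assumed success message (not in the post): racoon logs this once phase 1 completes.
    "phase1_established": re.compile(r"ISAKMP-SA established"),
}

def triage(log_text):
    """Count IKE events per category and decide whether phase 1 ever completed."""
    counts = Counter()
    retrans_by_peer = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a racoon log line
        msg = m.group(3)
        for name, pat in PATTERNS.items():
            hit = pat.search(msg)
            if not hit:
                continue
            counts[name] += 1
            if name == "retransmit":
                retrans_by_peer[f"{hit.group(1)}:{hit.group(2)}"] += 1
            break
    if counts["phase1_timeout"] and not counts["phase1_established"]:
        # Packets flow (the peer keeps retransmitting) but no ISAKMP-SA ever forms:
        # look at UDP/500 filtering, routing and name resolution between the peers.
        verdict = "phase1_stalled"
    elif counts["phase1_established"]:
        verdict = "phase1_ok"
    else:
        verdict = "inconclusive"
    return {"counts": dict(counts), "retransmits": dict(retrans_by_peer), "verdict": verdict}
```

Run `triage(open("/var/log/racoon.log").read())` against a real log to get the same summary for a live negotiation.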
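Added example, not part of the post: a Python consistency check for the two setkey policy files above. For every `-P out` entry on one host it looks for a `-P in` entry with the same src/dst/protocol selector and the same ipsec policy on the other host, and vice versa, so a typo in one SPD shows up before racoon is even involved. The SPD strings are constructed copies of the post's files; `parse_spd`, `unmatched` and `check_pair` are this example's own names.

```python
import re

# Constructed copies of the two SPD files from the post (spdflush and the #! line omitted).
SPD_10_1_0_2 = """
spdadd 10.1.0.1 10.5.0.101 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.1.0.2 10.5.0.101 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.5.0.101 10.1.0.1 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 10.5.0.101 10.1.0.2 any -P in ipsec esp/transport//require ah/transport//require;
"""
SPD_10_5_0_101 = """
spdadd 10.5.0.101 10.1.0.1 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.5.0.101 10.1.0.2 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 10.1.0.1 10.5.0.101 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 10.1.0.2 10.5.0.101 any -P in ipsec esp/transport//require ah/transport//require;
"""

# spdadd <src> <dst> <upper-layer proto> -P <in|out> ipsec <policy...>;
SPDADD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+([^;]*);")

def parse_spd(text):
    """Return the set of (src, dst, proto, direction, policy) tuples in a setkey file."""
    return {(src, dst, proto, direction, " ".join(policy.split()))
            for src, dst, proto, direction, policy in SPDADD_RE.findall(text)}

def unmatched(local, peer):
    """Entries in `local` whose mirror (same selector and policy, opposite direction) is absent in `peer`."""
    flip = {"in": "out", "out": "in"}
    return sorted(e for e in local if (e[0], e[1], e[2], flip[e[3]], e[4]) not in peer)

def check_pair(text_a, text_b):
    """Compare two hosts' SPDs; empty lists mean every policy is mirrored on the other side."""
    a, b = parse_spd(text_a), parse_spd(text_b)
    return {"only_on_a": unmatched(a, b), "only_on_b": unmatched(b, a)}
```

Here `check_pair(SPD_10_1_0_2, SPD_10_5_0_101)` reports no gaps, which agrees with the poster's later finding that the IPsec configuration itself was correct.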
From: George B. <ge...@dx...> - 2006-05-22 14:08:22
Sono Chhibber wrote:
>
> Below is a section of my racoon log file from 10.1.0.2:
>
> 2006-05-18 15:25:15: ERROR: phase1 negotiation failed due to time up.
> 9de77ba4ed97943a:378cb900df9ee844

What does the log on the other side say?

--
George Borisov
DXSolutions Ltd
From: Sono C. <so...@ch...> - 2006-05-23 21:27:13
I was able to solve the problem. I ended up scaling the implementation back to manual keys and discovered some issues across the network:

* firewall
* DNS
* and routing

A combination of the above three was causing failures during the IKE negotiation phase. In other words my ipsec configuration is correct; unfortunately my network was not configured properly, hence phase negotiation failed.

Thank You
Sono

On Mon, 22 May 2006 15:07:58 +0100, George Borisov wrote
> Sono Chhibber wrote:
> >
> > Below is a section of my racoon log file from 10.1.0.2:
> >
> > 2006-05-18 15:25:15: ERROR: phase1 negotiation failed due to time up.
> > 9de77ba4ed97943a:378cb900df9ee844
>
> What does the log on the other side say?
>
> --
> George Borisov
>
> DXSolutions Ltd

--
Open WebMail Project (http://openwebmail.org)
From: Sono C. <so...@ch...> - 2006-05-23 22:21:34
Wondering if anyone has attempted the following or can explain if it's possible using IPSEC. Here is the set up I require:

External System ------ GATEWAY ------ Internal Box
                ^                  ^
                |                  |
        Decrypted Traffic    Encrypted Traffic

The gateway is performing NAT and has an internal address of: 10.0.0.1
The Internal Box is requesting something from the external system (ie website, ftp, mail, etc...)
The IP on the Internal box is: 10.0.0.101

My problem: I require all traffic between the Internal box and the gateway to be encrypted, but the endpoint is not the Gateway, it is the External System. Is there a way to transparently decrypt traffic at the Gateway and let it leave unencrypted on the external interface?

Thanks,
Sono