[Users] Problems connecting to an Efficient 5861

From: Wil Cooley (wcooley_at_nakedape.cc)
Date: Tue Dec 10 2002 - 21:40:51 CET


I've been fighting with this for a while, so I thought I'd post to see
if anyone sees something in the configs that I'm missing, before I start
trying to dig through the debugging and flood the list with all that
data.

"Left" side is a Linux system running SuperFreeS/WAN 1.99,
known as 'nwhc'. "Right" side is an Efficient 5861 router,
known as 'hrs'. This is a net-to-net connection.

ipsec look indicates that 'ipsec0' is connected to the appropriate
interface. Based on the setups I've done in the past, everything
basic looks right. (I've done several FS-FS connections, but none
with another implementation.)

I'm using the SuperFS RPMs from freeswan.ca:
# rpm -q freeswan-module freeswan
freeswan-module-1.99_x509_0.9.15_2.4.7_10-0
freeswan-1.99_x509_0.9.15_2.4.7_10-0

Relevant sections from nwhc's FreeS/WAN configs:
/etc/ipsec.conf
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will
    # work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none,
    # "all" for lots.
    klipsdebug=none
    plutodebug=all
    # Use auto= parameters in conn descriptions to control
    # startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID
    # shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand

conn hrs-nwhc-vpn
    disablearrivalcheck=yes
    leftid=@vpn-nwhc # Is actually the resolvable domain name
    left=X.X.X.113
    leftnexthop=X.X.X.114
    leftsubnet=192.168.X.0/24
    authby=secret
    auto=add
    right=X.X.X.177
    rightsubnet=10.X.X.0/24
    rightnexthop=209.X.X.1
    rightid=@vpn-hrs
    keyingtries=0

---
These are the configuration settings from hrs's end:
# ver
SpeedStream 5861 DMT Router (120-5861-001/2)
Efficient-5000 BOOT/POST V6.0.0 (18-Aug-00 16:15)
Software version v4.0.5 built Wed Sep 20 18:56:57 PDT 2000
Maximum users: unlimited
Options: DMT, RFC1483, IP ROUTING, IP FILTERING, WEB, +IPSEC, +3DES, +L2TP, 
         +ENCRYPT, BRIDGE, IPX
# ike proposals list
IKE Proposals:
nwhc
  Session authentication: Preshared Keys
  Encryption: 3-DES
  Message authentication: MD-5
  DH Group: Group 2
  Lifetime: 3600
# ike peers list
IKE Peers:
nwhc
  IP address is X.X.X.113
  Pre-shared secret: mykeyhere
  Mode: main
# ike ipsec proposals list
IKE IPSec Proposals:
nwhc
  ESP encryption: 3-DES
  ESP authentication: MD-5
  AH authentication: none
  IPComp: none
  Lifetime 1800
  Lifedata 50000
# ike ipsec policies list
IKE IPSec Policies:
nwhc (enabled)
  Source address/mask: 10.X.X.0 / 255.255.255.0
  Destination address/mask: 192.168.X.0 / 255.255.255.0
  Protocol: all
  Source port: all
  Destination port: all
  Mode: Tunnel Mode
  PFS Group: Group 2
  Peer: nwhc (X.X.X.113)
  Proposals:
    nwhc
# ipsec list
IPSec security associations:
nwhc rx2 (disabled, generated by IKE IPSec policy nwhc)
  Remaining lifetime = 0, lifedata = 0
  Gateway: X.X.X.113
  Inbound
  Tunnel
  ESP
  DES
    key=0000000000000000
  No compression
  id =0
  seq=0, bitmap=00000000
nwhc rx1 (disabled, generated by IKE IPSec policy nwhc)
  Remaining lifetime = 0, lifedata = 0
  Gateway: X.X.X.113
  Inbound
  Tunnel
  ESP
  DES
    key=0000000000000000
  No compression
  id =0
  seq=0, bitmap=00000000
nwhc tx (disabled, generated by IKE IPSec policy nwhc)
  Remaining lifetime = 0, lifedata = 0
  Gateway: X.X.X.113
  Outbound
  Tunnel
  ESP
  DES
    key=0000000000000000
  No compression
  id =0
  seq=1
---
Here's what happens when I try to bring the connection up:
# ipsec auto --up hrs-nwhc-vpn
104 "hrs-nwhc-vpn" #1: STATE_MAIN_I1: initiate
106 "hrs-nwhc-vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "hrs-nwhc-vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "hrs-nwhc-vpn" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "hrs-nwhc-vpn" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "hrs-nwhc-vpn" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "hrs-nwhc-vpn" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "hrs-nwhc-vpn" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "hrs-nwhc-vpn" #1: discarding duplicate packet; already STATE_MAIN_I3
031 "hrs-nwhc-vpn" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "hrs-nwhc-vpn" #1: starting keying attempt 2 of an unlimited number, but releasing whack
This is from the Efficient:
12/10/2002-15:07:50:PPP: IKE starting a phase 1 connection with peer nwhc
12/10/2002-15:07:56:PPP: IKE phase 1; peer not responding, retrying (check peer and proposal settings)
12/10/2002-15:08:04:PPP: IKE phase 1; peer not responding, retrying (check peer and proposal settings)
12/10/2002-15:08:21:PPP: IKE phase 1; peer not responding, retrying (check peer and proposal settings)
12/10/2002-15:08:54:PPP: IKE phase 1; peer not responding, retrying (check peer and proposal settings)
12/10/2002-15:09:02:PPP: IKE starting a phase 1 connection with peer nwhc
12/10/2002-15:09:08:PPP: IKE phase 1; peer not responding, retrying (check peer and proposal settings)
12/10/2002-15:09:16:PPP: IKE phase 1; peer not responding, retrying (check peer and proposal settings)
12/10/2002-15:09:33:PPP: IKE phase 1; peer not responding, retrying (check peer and proposal settings)
And finally, some tcpdump output:
12:38:35.618336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 ? ident: [|ke]
12:38:39.298336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 ? ident: [|ke]
12:38:46.478336 nwhc.isakmp > hrs.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
12:38:46.608336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 R ident: [|sa]
12:38:46.748336 nwhc.isakmp > hrs.isakmp: isakmp: phase 1 I ident: [|ke] (DF)
12:38:48.548336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 R ident: [|ke]
12:38:48.648336 nwhc.isakmp > hrs.isakmp: isakmp: phase 1 I ident[E]: [|id] (DF)
12:38:52.658336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 R ident: [|ke]
12:38:58.658336 nwhc.isakmp > hrs.isakmp: isakmp: phase 1 I ident[E]: [|id] (DF)
12:39:01.048336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 R ident: [|ke]
Wil
-- 
Wil Cooley                                 wcooley_at_nakedape.cc
Naked Ape Consulting                        http://nakedape.cc
* * * * Linux, UNIX, Networking and Security Solutions * * * *
QCSNet                                     http://www.qcsn.com
* * * * T1, Frame Relay, DSL, Dial-up, and Web Hosting * * * *
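An added diagnostic script, not part of the post and not FreeS/WAN or Efficient code: it parses the two logs shown above (the pluto lines from `ipsec auto --up` and the tcpdump ISAKMP summary) and checks whether the responder ever answered the initiator's first encrypted main-mode message, or only kept re-sending its unencrypted KE reply, which is the pattern pluto labels "Possible authentication failure: no acceptable response to our first encrypted message". The regexes, the host-name argument and the verdict strings are my assumptions about the log formats visible in the post; the sample lines are copied from the post itself.

```python
import re
from dataclasses import dataclass

# tcpdump ISAKMP summary line, e.g.
#   12:38:48.648336 nwhc.isakmp > hrs.isakmp: isakmp: phase 1 I ident[E]: [|id] (DF)
# (regex is an assumption based on the lines in the post)
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\.isakmp\s+>\s+(?P<dst>\S+)\.isakmp:\s+"
    r"isakmp:\s+phase\s+(?P<phase>\d)\s+(?P<role>[IR?])\s+ident(?P<enc>\[E\])?:\s+\[\|(?P<payload>\w+)\]"
)
# pluto 'ipsec auto --up' line, e.g.
#   010 "hrs-nwhc-vpn" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
PLUTO_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r"STATE_[A-Z0-9_]+")


@dataclass
class IsakmpMsg:
    ts: str
    src: str
    dst: str
    phase: int
    role: str           # I = initiator, R = responder, ? = tcpdump could not tell
    encrypted: bool     # ident[E]: encryption bit set in the ISAKMP header
    first_payload: str  # first payload tcpdump printed: sa, ke, id, ...


def parse_tcpdump(lines):
    msgs = []
    for line in lines:
        m = TCPDUMP_RE.match(line.strip())
        if m:
            msgs.append(IsakmpMsg(m["ts"], m["src"], m["dst"], int(m["phase"]),
                                  m["role"], m["enc"] is not None, m["payload"]))
    return msgs


def diagnose_main_mode(msgs, initiator):
    """Classify what the peer did after the initiator's first encrypted phase 1 message."""
    first_enc = next((i for i, m in enumerate(msgs)
                      if m.src == initiator and m.phase == 1 and m.encrypted), None)
    if first_enc is None:
        return {"verdict": "no-encrypted-message", "retransmits": 0, "stale_ke_replies": 0}
    later = msgs[first_enc + 1:]
    retransmits = sum(1 for m in later if m.src == initiator and m.encrypted)
    replies = [m for m in later if m.dst == initiator]
    stale = sum(1 for m in replies if not m.encrypted and m.first_payload == "ke")
    if any(m.encrypted for m in replies):
        verdict = "encrypted-reply"          # peer processed MI3 and moved on
    elif stale:
        verdict = "peer-retransmitting-ke"   # peer still re-sending MR2: MI3 not accepted
    else:
        verdict = "no-reply"
    return {"verdict": verdict, "retransmits": retransmits, "stale_ke_replies": stale}


def summarize_pluto(lines):
    """Extract the last state and the retransmission/duplicate counters from pluto output."""
    s = {"conn": None, "last_state": None, "retransmissions": 0,
         "duplicates": 0, "auth_failure_hint": False}
    for line in lines:
        m = PLUTO_RE.match(line.strip())
        if not m:
            continue
        s["conn"] = m["conn"]
        st = STATE_RE.search(m["msg"])
        if st:
            s["last_state"] = st.group(0)
        if m["code"] == "010":
            s["retransmissions"] += 1
        elif m["code"] == "003" and "duplicate packet" in m["msg"]:
            s["duplicates"] += 1
        if "Possible authentication failure" in m["msg"]:
            s["auth_failure_hint"] = True
    return s


def correlate(pluto, capture):
    """Combine both views into one plain-language finding."""
    if (pluto["last_state"] == "STATE_MAIN_I3" and pluto["auth_failure_hint"]
            and capture["verdict"] == "peer-retransmitting-ke"):
        return ("responder never accepted MI3 (first encrypted main-mode message): "
                "compare the pre-shared secret and the peer identities on both ends")
    if capture["verdict"] == "encrypted-reply":
        return "phase 1 progressed past the first encrypted exchange"
    return "inconclusive: read the plutodebug output"


# Sample input: lines copied from the post above.
TCPDUMP_LINES = """
12:38:35.618336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 ? ident: [|ke]
12:38:39.298336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 ? ident: [|ke]
12:38:46.478336 nwhc.isakmp > hrs.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
12:38:46.608336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 R ident: [|sa]
12:38:46.748336 nwhc.isakmp > hrs.isakmp: isakmp: phase 1 I ident: [|ke] (DF)
12:38:48.548336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 R ident: [|ke]
12:38:48.648336 nwhc.isakmp > hrs.isakmp: isakmp: phase 1 I ident[E]: [|id] (DF)
12:38:52.658336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 R ident: [|ke]
12:38:58.658336 nwhc.isakmp > hrs.isakmp: isakmp: phase 1 I ident[E]: [|id] (DF)
12:39:01.048336 hrs.isakmp > nwhc.isakmp: isakmp: phase 1 R ident: [|ke]
""".strip().splitlines()

PLUTO_LINES = '''
104 "hrs-nwhc-vpn" #1: STATE_MAIN_I1: initiate
106 "hrs-nwhc-vpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "hrs-nwhc-vpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "hrs-nwhc-vpn" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "hrs-nwhc-vpn" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "hrs-nwhc-vpn" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "hrs-nwhc-vpn" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "hrs-nwhc-vpn" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "hrs-nwhc-vpn" #1: discarding duplicate packet; already STATE_MAIN_I3
031 "hrs-nwhc-vpn" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "hrs-nwhc-vpn" #1: starting keying attempt 2 of an unlimited number, but releasing whack
'''.strip().splitlines()

if __name__ == "__main__":
    cap = diagnose_main_mode(parse_tcpdump(TCPDUMP_LINES), initiator="nwhc")
    plu = summarize_pluto(PLUTO_LINES)
    print(cap)
    print(plu)
    print(correlate(plu, cap))
```

The capture view is the useful one: the initiator's `ident[E]` message is sent twice and each time the peer answers with the same unencrypted `[|ke]` message from the previous exchange, so the peer has either not decrypted or not accepted the first encrypted message. That narrows the search to what both ends already hint at (pluto's "possible authentication failure", the Efficient's "check peer and proposal settings"): the pre-shared secret and the peer identities each side expects.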

This archive was generated by hypermail 2.1.5 : Thu Dec 12 2002 - 05:21:05 CET