OSEC

From: Eric Anderson (andersoncenttech.com)
Date: Thu Sep 06 2001 - 09:02:57 CDT


    Ok, I have been setting up VPNs using IPSEC tunnel mode (ESP) with
    Racoon on FreeBSD 4.2 for some time now. I have 4 currently running
    just fine, and the 3 newest VPNs don't work. It appears as though the
    Racoons aren't talking to each other correctly. I have 1 VPN "server"
    that all the clients connect to, and the clients are small machines
    running from compact flash cards (a stripped-down 30Mb FreeBSD 4.2
    setup). I use the GIF interfaces to connect the VPNs together.
    gif0,1,3,4 are connected to VPNs that are up and running. Not that the
    gifs have anything to do with it, just extra info. Is there something
    I'm missing? I have tried configuring the non-working boxes just like
    the working ones, etc. I'm out of ideas!

    Here are some blurbs from my logs on the VPN "server" box:

    2001-09-06 08:51:55: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde
    new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
    2001-09-06 08:51:55: ERROR: proposal.c:951:set_proposal_from_policy():
    not supported nested SA. Ignore.
    2001-09-06 08:51:55: ERROR: proposal.c:999:set_proposal_from_policy():
    There is a difference between the in/out bound policies.
    2001-09-06 08:51:55: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed
    to create saprop.
    2001-09-06 08:51:55: ERROR: isakmp_quick.c:1025:quick_r1recv(): failed
    to get proposal for responder.
    2001-09-06 08:51:55: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to
    pre-process packet.
    2001-09-06 08:52:00: INFO: isakmp.c:1618:isakmp_post_acquire(): request
    for establishing IPsec-SA was queued due to no phase1 found.
    2001-09-06 08:52:19: INFO: isakmp.c:854:isakmp_ph1begin_r(): responde
    new phase 1 negotiation: xx.yy.zz.60[500]<=>xx.yy.zz.128[500]
    2001-09-06 08:52:19: INFO: isakmp.c:859:isakmp_ph1begin_r(): begin
    Aggressive mode.
    2001-09-06 08:52:20: INFO: isakmp.c:2313:log_ph1established(): ISAKMP-SA
    established xx.yy.zz.60[500]-xx.yy.zz.128[500] spi:9c0e0730a89724fc:3
    4e869a34c12cf49
    2001-09-06 08:52:21: INFO: isakmp.c:965:isakmp_ph2begin_r(): responde
    new phase 2 negotiation: xx.yy.zz.60[0]<=>xx.yy.zz.128[0]
    2001-09-06 08:52:21: ERROR: proposal.c:951:set_proposal_from_policy():
    not supported nested SA. Ignore.
    2001-09-06 08:52:21: ERROR: proposal.c:999:set_proposal_from_policy():
    There is a difference between the in/out bound policies.
    2001-09-06 08:52:21: ERROR: isakmp_quick.c:1901:get_proposal_r(): failed
    to create saprop.
    2001-09-06 08:52:21: ERROR: isakmp_quick.c:1025:quick_r1recv(): failed
    to get proposal for responder.
    2001-09-06 08:52:21: ERROR: isakmp.c:975:isakmp_ph2begin_r(): failed to
    pre-process packet.
    2001-09-06 08:52:32: INFO: isakmp.c:1618:isakmp_post_acquire(): request
    for establishing IPsec-SA was queued due to no phase1 found.
    2001-09-06 08:52:32: ERROR: isakmp.c:1676:isakmp_chkph1there(): phase1
    negotiation failed due to time up.
    2001-09-06 08:52:32: INFO: isakmp.c:1678:isakmp_chkph1there(): delete
    phase 2 handler.

    Help please!

    -- 
    -------------------------------------------------------------------------------
    Eric Anderson    andersoncenttech.com    Centaur Technology    (512) 418-5792
    Truth is more marvelous than mystery.
    -------------------------------------------------------------------------------
    
