Date: Fri, 26 Jul 2002 09:40:59 -0500
From: "Matthew Grooms" <mgrooms@seton.org>
To: <freebsd-questions@FreeBSD.org>, <freebsd-security@FreeBSD.org>
Subject: vpn1/fw1 NG to ipsec/racoon troubles, help please ...
Message-ID: <sd411935.056@aus-gwia.aus.dcnhs.org>
Hello,

I have a FreeBSD related IPsec question. I have set up a Checkpoint VPN1/FW1 NG (feature pack 2) gateway for VPN connectivity to the hospital I work for. Most of the guys on my team run Linux/BSD at their house, so I have set up encrypt rules in VPN1 to allow us to connect to the Checkpoint box and tunnel into our network from home. In any case, one of my coworkers has had pretty good success with FreeS/WAN (can connect and route traffic), but I am getting some weird behavior using racoon/KAME IPsec. I was hoping someone could help me out with this. I have attached most configuration info in this email and am more than willing to try just about anything to get this up and running. I could even go so far as to set up a temporary profile in a sandbox if someone who knows what they are doing would like to take a stab at it.

I am running Checkpoint VPN1/FW1 with Feature Pack 2 installed. The VPN1 side is set up to reflect my FreeBSD configuration. I am using preshared keys for authentication, 3DES/MD5 & PFS (although I have tried a myriad of permutations).

The FreeBSD side is version 4.4 with the following kernel options:

options IPFIREWARD_PLACEHOLDER_REMOVED
# create tunnel device ifconfig gif0 create # public addresses ( external ) gifconfig gif0 66.90.146.202 65.118.63.252 # private addresses ( internal ) ifconfig gif0 inet 10.22.200.1 10.21.2.253 netmask 255.255.0.0 # delete all existing SPD and SAD entries setkey -FP setkey -F setkey -c << EOF spdadd 10.22.200.0/24 10.20.0.0/16 any -P out ipsec esp/tunnel/10.22.200.1-10.21.2.253/require; spdadd 10.22.200.0/24 10.21.0.0/16 any -P out ipsec esp/tunnel/10.22.200.1-10.21.2.253/require; #spdadd 10.22.200.0/24 10.23.0.0/16 any -P out ipsec esp/tunnel/10.22.200.1-10.21.2.253/require; spdadd 10.20.0.0/16 10.22.200.0/24 any -P in ipsec esp/tunnel/10.21.2.253-10.22.200.1/require; spdadd 10.21.0.0/16 10.22.200.0/24 any -P in ipsec esp/tunnel/10.21.2.253-10.22.200.1/require; #spdadd 10.23.0.0/16 10.22.200.0/24 any -P in ipsec esp/tunnel/10.21.2.253-10.22.200.1/require; EOF killall racoon sleep 1 /usr/local/sbin/racoon -l /var/log/racoon.log -v VPN1 Log Output ... key install IKE: Main Mode completion. key install IKE: Informational Exchange Received Notification from Peer: Initial Contact (phase1) drop ecryption failure: Packet is dropped as there is no valid SA drop ecrtption failure: no response from peer. Racoon Log Output ... 2002-07-23 17:19:25: DEBUG: sainfo.c:100:getsainfo(): anonymous sainfo selected. 
2002-07-23 17:19:25: DEBUG: isakmp_quick.c:1815:get_sainfo_r(): get sa info: anonymous 2002-07-23 17:19:25: DEBUG: isakmp_quick.c:1993:get_proposal_r(): get a src address from ID payload 10.20.0.0[0] prefixlen=16 ul_proto=255 2002-07-23 17:19:25: DEBUG: isakmp_quick.c:1998:get_proposal_r(): get dst address from ID payload 10.22.200.0[0] prefixlen=24 ul_proto=255 2002-07-23 17:19:25: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff780: 10.20.0.0/16[0] 10.22.200.0/24[0] proto=any dir=in 2002-07-23 17:19:25: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3c08: 10.20.0.0/16[0] 10.22.200.0/24[0] proto=any dir=in 2002-07-23 17:19:25: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbff780 masked with /16: 10.20.0.0[0] 2002-07-23 17:19:25: DEBUG: policy.c:246:cmpspidxwild(): 0x80a3c08 masked with /16: 10.20.0.0[0] 2002-07-23 17:19:25: DEBUG: policy.c:260:cmpspidxwild(): 0xbfbff780 masked with /24: 10.22.200.0[0] 2002-07-23 17:19:25: DEBUG: policy.c:262:cmpspidxwild(): 0x80a3c08 masked with /24: 10.22.200.0[0] 2002-07-23 17:19:25: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff780: 10.22.200.0/24[0] 10.20.0.0/16[0] proto=any dir=out 2002-07-23 17:19:25: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80a3c08: 10.20.0.0/16[0] 10.22.200.0/24[0] proto=any dir=in 2002-07-23 17:19:25: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff780: 10.22.200.0/24[0] 10.20.0.0/16[0] proto=any dir=out 2002-07-23 17:19:25: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80b2008: 10.21.0.0/16[0] 10.22.200.0/24[0] proto=any dir=in 2002-07-23 17:19:25: DEBUG: policy.c:216:cmpspidxwild(): sub:0xbfbff780: 10.22.200.0/24[0] 10.20.0.0/16[0] proto=any dir=out 2002-07-23 17:19:25: DEBUG: policy.c:217:cmpspidxwild(): db: 0x80b2408: 10.22.200.0/24[0] 10.20.0.0/16[0] proto=any dir=out 2002-07-23 17:19:25: DEBUG: policy.c:244:cmpspidxwild(): 0xbfbff780 masked with /24: 10.22.200.0[0] 2002-07-23 17:19:25: DEBUG: policy.c:246:cmpspidxwild(): 0x80b2408 masked with /24: 10.22.200.0[0] 2002-07-23 17:19:25: DEBUG: 
policy.c:260:cmpspidxwild(): 0xbfbff780 masked with /16: 10.20.0.0[0] 2002-07-23 17:19:25: DEBUG: policy.c:262:cmpspidxwild(): 0x80b2408 masked with /16: 10.20.0.0[0] 2002-07-23 17:19:25: DEBUG: isakmp_quick.c:2054:get_proposal_r(): suitable SP found:10.22.200.0/24[0] 10.20.0.0/16[0] proto=any dir=out 2002-07-23 17:19:25: ERROR: proposal.c:965:set_proposal_from_policy(): not supported nested SA.2002-07-23 17:19:25: ERROR: isakmp_quick.c:2070:get_proposal_r(): failed to create saprop. 2002-07-23 17:19:25: ERROR: isakmp_quick.c:1069:quick_r1recv(): failed to get proposal for responder. 2002-07-23 17:19:25: ERROR: isakmp.c:1060:isakmp_ph2begin_r(): failed to pre-process packet. This last error 'not supported nested SA.' repeats until the vpn1 side gives up. I am not sure what cuses this error ( not very clear ) but I am guessing this is where the problem is. Help!!! Matthew Grooms Seton Healthcare Network To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?sd411935.056>