Date: Thu, 17 Nov 2005 12:21:17 +0200 From: asko <asko_nospam@ultrasoft.ee> To: freebsd-net@freebsd.org Subject: IPSEC, Watchguard SOHO 6tc and racoon Message-ID: <437C599D.30603@ultrasoft.ee>
next in thread | raw e-mail | index | archive | help
Hi, Has anyone successfully connected Watchguard SOHO 6tc to FreeBSD with IPSEC. I am not able to get pass phase 1 during key exchange.. racoon.log shows: 2005-11-17 13:00:37: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net 2005-11-17 13:00:37: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/) 2005-11-17 13:00:37: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:63: "support_mip6" it is obsoleted. use "support_proxy". 2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=5) 2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): ::1[500] used as isakmp port (fd=6) 2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7) 2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): 192.168.8.185[500] used as isakmp port (fd=8) 2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): fe80::201:80ff:fe34:3ed5%rl0[500] used as isakmp port (fd=9) 2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): fe80::204:75ff:fed9:5bcf%xl0[500] used as isakmp port (fd=10) 2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.0[500] used as isakmp port (fd=11) 2005-11-17 13:00:40: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 192.168.8.154 queued due to no phase1 found. 2005-11-17 13:00:40: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.8.185[500]<=>192.168.8.154[500] 2005-11-17 13:00:40: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode. 2005-11-17 13:01:11: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.8.154->192.168.8.185 2005-11-17 13:01:11: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler. 2005-11-17 13:01:12: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found. 2005-11-17 13:01:43: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.8.154->192.168.8.185 2005-11-17 13:01:43: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler. etc. "WAN" addresses are 192.168.8.0/24, LAN-s are 192.168.1.0 and 192.168.3.0, just a virtual test setup. No firewalls are currently set up. $cat vpn1.sh setkey -FP setkey -F # # Configure the Policy # setkey -c << END spdadd 192.168.8.185/32 192.168.3.0/24 any -P out ipsec esp/tunnel/192.168.8.185-192.168.8.154/require; spdadd 192.168.3.0/24 192.168.8.185/32 any -P in ipsec esp/tunnel/192.168.8.154-192.168.185/require; END # $ cat racoon.conf path include "/usr/local/etc/racoon" ; path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; path certificate "/usr/local/etc/cert" ; padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. } listen { #isakmp ::1 [7000]; #isakmp 202.249.11.124 [500]; #admin [7002]; # administrative's port by kmpstat. #strict_address; # required all addresses must be bound. } timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 15 sec; } remote anonymous { exchange_mode main,aggressive; #exchange_mode main; doi ipsec_doi; situation identity_only; nonce_size 16; lifetime time 1 min; # sec,min,hour initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal { encryption_algorithm 3des; hash_algorithm md5; authentication_method pre_shared_key ; dh_group 1 ; } } sainfo anonymous { # pfs_group 1; lifetime time 30 sec; encryption_algorithm 3des ; authentication_algorithm hmac_md5; compression_algorithm deflate ; } I have tried also des encryption and sha1 authentication, agressive and main mode, and so on, no joy ;-( It probably needs some specific tweaks? FreeBSD 5.4-RELEASE, racoon-20050510a, Watchguard SOHO 6 tc firmware 6.3 Please let me know if you had any success with similar setup .. -- asko
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?437C599D.30603>