From owner-freebsd-net@FreeBSD.ORG Thu Nov 17 10:21:44 2005
Message-ID: <437C599D.30603@ultrasoft.ee>
Date: Thu, 17 Nov 2005 12:21:17 +0200
From: asko
Organization: Ultrasoft OÜ
To: freebsd-net@freebsd.org
Subject: IPSEC, Watchguard SOHO 6tc and racoon
List-Id: Networking and TCP/IP with FreeBSD

Hi,

Has anyone successfully connected a Watchguard SOHO 6tc to FreeBSD with IPSEC? I am not able to get past phase 1 during key exchange.
racoon.log shows:

2005-11-17 13:00:37: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2005-11-17 13:00:37: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
2005-11-17 13:00:37: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:63: "support_mip6" it is obsoleted. use "support_proxy".
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=5)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): ::1[500] used as isakmp port (fd=6)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): 192.168.8.185[500] used as isakmp port (fd=8)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): fe80::201:80ff:fe34:3ed5%rl0[500] used as isakmp port (fd=9)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): fe80::204:75ff:fed9:5bcf%xl0[500] used as isakmp port (fd=10)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.0[500] used as isakmp port (fd=11)
2005-11-17 13:00:40: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 192.168.8.154 queued due to no phase1 found.
2005-11-17 13:00:40: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.8.185[500]<=>192.168.8.154[500]
2005-11-17 13:00:40: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode.
2005-11-17 13:01:11: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.8.154->192.168.8.185
2005-11-17 13:01:11: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
2005-11-17 13:01:12: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2005-11-17 13:01:43: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1.
ESP 192.168.8.154->192.168.8.185
2005-11-17 13:01:43: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
etc.

"WAN" addresses are 192.168.8.0/24, LANs are 192.168.1.0 and 192.168.3.0, just a virtual test setup. No firewalls are currently set up.

$ cat vpn1.sh
setkey -FP
setkey -F
#
# Configure the Policy
#
setkey -c << END
spdadd 192.168.8.185/32 192.168.3.0/24 any -P out ipsec esp/tunnel/192.168.8.185-192.168.8.154/require;
# inbound tunnel endpoint corrected to 192.168.8.185 (the posted script read 192.168.185, missing an octet)
spdadd 192.168.3.0/24 192.168.8.185/32 any -P in ipsec esp/tunnel/192.168.8.154-192.168.8.185/require;
END
#

$ cat racoon.conf
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

timer
{
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode main,aggressive;
        #exchange_mode main;
        doi ipsec_doi;
        situation identity_only;

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        initial_contact on;
        support_proxy on;       # replaces the obsolete support_mip6 that racoon.log warns about
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
}

sainfo anonymous
{
        # pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

I have also tried des encryption and sha1 authentication, aggressive and main mode, and so on, no joy ;-( It probably needs some specific tweaks?

FreeBSD 5.4-RELEASE, racoon-20050510a, Watchguard SOHO 6 tc firmware 6.3

Please let me know if you have had any success with a similar setup.

-- 
asko
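Added example, not part of asko's post and not code from the racoon or setkey projects: a small Python checker that parses spdadd statements of the kind in vpn1.sh and reports malformed selectors or tunnel endpoints, plus any out policy that has no mirrored in policy (selectors and outer tunnel addresses reversed). The POSTED_SPD text is the SPD from the post as written, where the second tunnel endpoint reads 192.168.185 with an octet missing; CORRECTED_SPD, with 192.168.8.185 as the inbound endpoint, is my assumption of what was intended. The grammar covered is only the esp/ah/ipcomp tunnel and transport forms shown on the page.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One setkey(8) spdadd statement of the form used in vpn1.sh:
#   spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/TUNSRC-TUNDST/LEVEL;
# Transport-mode policies have an empty endpoint field (esp/transport//require).
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/(?P<ep>[^/]*)/"
    r"(?P<level>default|use|require|unique)\s*;$"
)


@dataclass
class Policy:
    line: int
    src: str
    dst: str
    direction: str
    mode: str
    tun_src: Optional[str]  # outer source of the tunnel packet (None for transport)
    tun_dst: Optional[str]  # outer destination of the tunnel packet


def parse_spd(text: str) -> Tuple[List[Policy], List[str]]:
    """Parse spdadd statements; return the policies and a list of syntax findings."""
    policies: List[Policy] = []
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # setkey treats '#' as a comment
        if not line.startswith("spdadd"):
            continue  # shell lines, heredoc markers and so on are not policies
        m = SPDADD_RE.match(line)
        if not m:
            findings.append(f"line {lineno}: cannot parse spdadd statement")
            continue
        tun_src = tun_dst = None
        if m["mode"] == "tunnel":
            ends = m["ep"].split("-")
            if len(ends) != 2:
                findings.append(f"line {lineno}: tunnel endpoints must be SRC-DST")
                continue
            tun_src, tun_dst = ends
        # Selectors are prefixes, tunnel endpoints are single hosts. An address
        # with a dropped octet (192.168.185) is rejected here rather than
        # silently producing a policy that never matches.
        for label, value in (("src", m["src"]), ("dst", m["dst"])):
            try:
                ipaddress.ip_network(value, strict=False)
            except ValueError:
                findings.append(f"line {lineno}: bad {label} selector {value!r}")
        for label, value in (("tunnel src", tun_src), ("tunnel dst", tun_dst)):
            if value is not None:
                try:
                    ipaddress.ip_address(value)
                except ValueError:
                    findings.append(f"line {lineno}: bad {label} address {value!r}")
        policies.append(Policy(lineno, m["src"], m["dst"], m["dir"], m["mode"], tun_src, tun_dst))
    return policies, findings


def check_mirror(policies: List[Policy]) -> List[str]:
    """Each out policy needs an in policy with selectors and tunnel endpoints reversed."""
    findings = []
    for p in policies:
        if p.direction != "out":
            continue
        mirrored = any(
            q.direction == "in" and q.mode == p.mode
            and q.src == p.dst and q.dst == p.src
            and q.tun_src == p.tun_dst and q.tun_dst == p.tun_src
            for q in policies
        )
        if not mirrored:
            findings.append(f"line {p.line}: no 'in' policy mirrors this 'out' policy")
    return findings


def audit_spd(text: str) -> List[str]:
    """Syntax findings followed by mirror findings; an empty list means the SPD is consistent."""
    policies, findings = parse_spd(text)
    return findings + check_mirror(policies)


# The SPD from vpn1.sh as posted (the second tunnel endpoint is missing an octet).
POSTED_SPD = """\
setkey -c << END
spdadd 192.168.8.185/32 192.168.3.0/24 any -P out ipsec esp/tunnel/192.168.8.185-192.168.8.154/require;
spdadd 192.168.3.0/24 192.168.8.185/32 any -P in ipsec esp/tunnel/192.168.8.154-192.168.185/require;
END
"""

# Assumed intended form: the inbound tunnel terminates on the local gateway 192.168.8.185.
CORRECTED_SPD = POSTED_SPD.replace("192.168.8.154-192.168.185/", "192.168.8.154-192.168.8.185/")

if __name__ == "__main__":
    for name, spd in (("posted", POSTED_SPD), ("corrected", CORRECTED_SPD)):
        print(name, audit_spd(spd) or "OK")
```

Run it over any setkey script before loading it: the posted SPD yields two findings (the malformed inbound endpoint and, as a consequence, an out policy without a matching in policy), while the corrected SPD yields none. It checks only what setkey itself would not tell you clearly, namely that the two directions of a tunnel actually refer to the same pair of gateways.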