IPSEC, Watchguard SOHO 6tc and racoon

asko asko_nospam at ultrasoft.ee
Thu Nov 17 10:21:44 GMT 2005


Hi,

Has anyone successfully connected a Watchguard SOHO 6tc to FreeBSD with 
IPsec? I am not able to get past phase 1 during key exchange.

racoon.log shows:
2005-11-17 13:00:37: INFO: main.c:174:main(): @(#)internal version 20001216 sakane at kame.net
2005-11-17 13:00:37: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7e 25 Oct 2004 (http://www.openssl.org/)
2005-11-17 13:00:37: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:63: "support_mip6" it is obsoleted.  use "support_proxy".
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=5)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): ::1[500] used as isakmp port (fd=6)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): 192.168.8.185[500] used as isakmp port (fd=8)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): fe80::201:80ff:fe34:3ed5%rl0[500] used as isakmp port (fd=9)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): fe80::204:75ff:fed9:5bcf%xl0[500] used as isakmp port (fd=10)
2005-11-17 13:00:37: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.0[500] used as isakmp port (fd=11)
2005-11-17 13:00:40: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 192.168.8.154 queued due to no phase1 found.
2005-11-17 13:00:40: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.8.185[500]<=>192.168.8.154[500]
2005-11-17 13:00:40: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode.
2005-11-17 13:01:11: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.8.154->192.168.8.185
2005-11-17 13:01:11: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
2005-11-17 13:01:12: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2005-11-17 13:01:43: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.8.154->192.168.8.185
2005-11-17 13:01:43: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
etc.

"WAN" addresses are 192.168.8.0/24, LANs are 192.168.1.0 and 
192.168.3.0, just a virtual test setup. No firewalls are currently set up.


$ cat vpn1.sh
#!/bin/sh
# Flush the security policy database (SPD) and the SA database (SAD)
setkey -FP
setkey -F
#
# Configure the Policy: ESP tunnel between the WAN endpoints 192.168.8.185
# (this host) and 192.168.8.154 (the SOHO), carrying traffic for the remote
# LAN 192.168.3.0/24. The inbound policy mirrors the outbound one, with the
# selectors and the tunnel endpoints swapped.
#
setkey -c << END
spdadd 192.168.8.185/32 192.168.3.0/24 any -P out ipsec
 esp/tunnel/192.168.8.185-192.168.8.154/require;
spdadd 192.168.3.0/24 192.168.8.185/32 any -P in ipsec
 esp/tunnel/192.168.8.154-192.168.8.185/require;
END
#


$ cat racoon.conf
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        #isakmp ::1 [7000];
        #isakmp 202.249.11.124 [500];
        #admin [7002];          # administrative's port by kmpstat.
        #strict_address;        # required all addresses must be bound.
}

timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode main,aggressive;
        #exchange_mode main;
        doi ipsec_doi;
        situation identity_only;

        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        initial_contact on;
        support_proxy on;       # "support_mip6" is obsoleted (see racoon.log warning)
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 1 ;
        }
}

sainfo anonymous
{
#       pfs_group 1;
        lifetime time 30 sec;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

I have tried also des encryption and sha1 authentication, aggressive and 
main mode, and so on, no joy ;-( It probably needs some specific tweaks?

FreeBSD 5.4-RELEASE,  racoon-20050510a,  Watchguard SOHO 6 tc firmware 6.3

Please let me know if you had any success with a similar setup.

--
asko

