[svlug] IPSec failing in phase 1

David Masten dmasten at piratelabs.org
Wed Jun 16 02:08:29 PDT 2004


Hello,

I'm trying to set up an IPSEC/L2TP tunnel from a friend's WinXP into one
of my Linux hosts. When he tries to connect I see the following show up
in my logs:

	ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation
	failed due to time up. 373b7a265a5e118d:f24f49dc719ee597

and the connection fails. It never gets past phase 1.

The Linux box is Fedora Core 2. I installed racoon and l2tp packages. I
checked the kernel config - it has all the encryption and IPsec options
enabled. Modules load fine.

I've checked the firewalling - the firewall logs all dropped (or
otherwise filtered) packets, and there are no such packets from/to his
machine. 

I am using a pre-shared key.

I have tried the exact config given at
<http://www.funknet.org/doc/tunnel/l2tp.html>
and checked out <http://www.ipsec-howto.org> for any clues.
I think his end is OK; WinXP does make that setup easy (it has to be -
there just aren't many options!)

Something that struck me as odd: when I start racoon with the debug flag
I get a weird message:

	DEBUG: pfkey.c:2311:pk_checkalg(): compression algorithm can not
	be checked because sadb message doesn't support it.

I'm not sure if this has anything to do with the failure, nor whether
this is normal or not. 

Here is my racoon.conf (sanitized for your viewing pleasure):

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

listen {
        isakmp 10.10.10.10 [500];
}

padding {
        maximum_length 20;
        # the racoon.conf keyword is "randomize off"; "randomize_off" is not a token
        randomize off;
        strict_check off;
        exclusive_tail off;
}

# phase 1 (ISAKMP SA) settings for any peer
remote anonymous {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        passive on;
        generate_policy on;
        proposal_check obey;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# phase 2 (IPsec SA) settings; not consulted until phase 1 has completed
sainfo anonymous
{
        lifetime time 24 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        # IPComp; this entry is what the pk_checkalg() DEBUG line at startup
        # refers to (racoon cannot verify it over PF_KEY), so it is unrelated
        # to the phase 1 timeout
        compression_algorithm deflate;
}
-- 
David Masten <dmasten at piratelabs.org>
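As an added example (not from the original post, and not racoon's own code), a small Python parser that pulls the isakmp_ph1resend() timeout quoted above out of racoon syslog output, keeps the ISAKMP cookie pair of each failed negotiation, reports bursts of timeouts, and records the pk_checkalg() compression notice separately since it concerns the phase 2 sainfo, not phase 1. The syslog prefix, host name, timestamps and the two extra cookie pairs in the sample are constructed.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample: host name, timestamps and the second/third cookie pairs are
# made up; the message bodies are in the shape racoon logs them, as quoted in the post.
SAMPLE_LOG = """\
Jun 16 01:52:03 gw racoon: DEBUG: pfkey.c:2311:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
Jun 16 01:52:33 gw racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. 373b7a265a5e118d:f24f49dc719ee597
Jun 16 01:53:10 gw racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. 0a1b2c3d4e5f6071:8293a4b5c6d7e8f9
Jun 16 02:40:02 gw racoon: ERROR: isakmp.c:1466:isakmp_ph1resend(): phase1 negotiation failed due to time up. ffeeddccbbaa9988:7766554433221100
"""

SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
# racoon prints the ISAKMP SA index as initiator-cookie:responder-cookie
PH1_TIMEOUT = re.compile(
    r"isakmp_ph1resend\(\): phase1 negotiation failed due to time up\. "
    r"(?P<icookie>[0-9a-f]{16}):(?P<rcookie>[0-9a-f]{16})")
IPCOMP_NOTICE = re.compile(r"pk_checkalg\(\): compression algorithm can not be checked")

Event = namedtuple("Event", "ts kind detail")

def parse_racoon_log(text):
    """Yield Events: kind 'ph1_timeout' (detail = (initiator, responder) cookies)
    or 'ipcomp_notice' (detail None; emitted at config load for sainfo's
    compression_algorithm, so it says nothing about phase 1)."""
    for line in text.splitlines():
        ts_m = SYSLOG_TS.match(line)
        ts = datetime.strptime(ts_m["ts"], "%b %d %H:%M:%S") if ts_m else None
        m = PH1_TIMEOUT.search(line)
        if m:
            yield Event(ts, "ph1_timeout", (m["icookie"], m["rcookie"]))
        elif IPCOMP_NOTICE.search(line):
            yield Event(ts, "ipcomp_notice", None)

def summarize(text, window=timedelta(minutes=5)):
    """Count phase 1 timeouts, list their cookie pairs and give the largest number
    of timeouts inside any sliding window (a burst means a peer keeps retrying
    against a responder that never completes the exchange)."""
    events = list(parse_racoon_log(text))
    timeouts = [e for e in events if e.kind == "ph1_timeout"]
    times = [e.ts for e in timeouts if e.ts is not None]
    burst = 0
    for i, start in enumerate(times):
        burst = max(burst, sum(1 for t in times[i:] if t - start <= window))
    return {
        "phase1_timeouts": len(timeouts),
        "cookie_pairs": [f"{i}:{r}" for e in timeouts for (i, r) in [e.detail]],
        "max_timeouts_in_window": burst,
        "ipcomp_notice_seen": any(e.kind == "ipcomp_notice" for e in events),
    }
```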