Ipsec Racoon Error Failed To Get Sainfo
Topic: Failed to get sainfo - Sonicwall NSA240

geewhz01, December 03, 2008, 01:52:38 pm:

I have a tunnel setup to a NSA240 that comes up but does not work. I have other Sonicwall devices connected with no problem but it appears this new unit must be a little different in how they are handling ipsec.

On the pfsense 1.21 box it shows:

Dec 3 14:48:11 racoon: ERROR: failed to pre-process packet.
Dec 3 14:48:11 racoon: ERROR: failed to get sainfo.
Dec 3 14:48:11 racoon: ERROR: failed to get sainfo.
Dec 3 14:48:11 racoon: [Royal Sonic]: INFO: respond new phase 2 negotiation: X.X.X.X[0]<=>X.X.X.X[0]
Dec 3 14:47:55 racoon: ERROR: failed to pre-process packet.
Dec 3 14:47:55 racoon: ERROR: failed to get sainfo.
Dec 3 14:47:55 racoon: ERROR: failed to get sainfo.
Dec 3 14:47:55 racoon: [Royal Sonic]: INFO: respond new phase 2 negotiation: X.X.X.X[0]<=>X.X.X.X[0]

On the Sonic box it shows:

12/03/2008 11:49:49.368  Info  VPN IKE  IKE Initiator: Start Quick Mode (Phase 2).

I have the lifetimes set for 28800 on both boxes on Phase 1 and 2. Both boxes show the tunnel as up but I can't pass any traffic across the vpn.

Any ideas?

Thanks,
Andy

geewhz01, Reply #1, December 04, 2008, 07:08:38 pm:

What I have found is that even though I have the interface of the vpn setup for my 1st carp address and the remote end setup to connect to the carp address that it doesn't work. The Sonicwall sees the packets coming from the carp address but inside the packet it's showing my wan address. The only way I can get this to connect is via the wan address. Is it not possible to use a carp address for the vpn connections or am I missing something else?

Andy

brbubba, Reply #2, January 11, 2009, 09:59:03 am:

Quote from: geewhz01 on December 04, 2008, 07:08:38 pm
What I have found is that even though I have the interface of the vpn setup for my 1st carp address and the remote end setup to connect to the carp address that it doesn't work. The Sonicwall sees the packets coming from the carp address but inside
get sainfo" From: Marc Haber

currently experimenting with linux 2.6 ipsec using racoon. My test box has Debian sid, kernel 2.6.0, and ipsec-tools and racoon from the Debian package 0.2.2-8. I am attaching my racoon.conf file, my policy file, and racoon debugging output obtained by racoon -d -F.

Racoon starts up OK, and when the first packet (a ping to 10.47.14.14) comes in, it logs the error message "failed to get sainfo". Google has this error message only twice, and both pages were not very helpful. Neither IKE nor ESP messages are found on the wire with tcpdump which is why I didn't include the empty dump.

Can anybody tell me what I am doing wrong? If more information is needed, I'll happily deliver it.

Thanks for helping!

Greetings
Marc

racoon.conf:

path include "/etc/racoon" ;
path pre_shared_key "/etc/racoon/psk.txt" ;
path certificate "/etc/ipsec.d" ;

padding {
    maximum_length 20;    # maximum padding length.
    randomize off;        # enable randomize length.
    strict_check off;     # enable strict check.
    exclusive_tail off;   # extract last one octet.
}

listen {
    isakmp 10.47.14.16[500];
}

timer {
    counter 5;            # maximum trying count to send.
    interval 20 sec;      # maximum interval to resend.
    persend 1;            # the number of packets per a send.
    phase1 30 sec;
    phase2 15 sec;
}

remote 10.47.14.14 {
    exchange_mode main,aggressive;
    doi ipsec_doi;
    situation identity_only;
    certificate_type x509 "certs/kamikazeCert.pem" "private/kamikazeKey.pem"
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    peers_certfile "certs/zombieCert.pem";
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo address 10.47.14.14 any address 10.47.14.16 any {
    pfs_group 2;
    encryption_algorithm des ;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

policy file:

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 10.47.14.16/32 10.47.14.14/32 any -P out ipsec esp/tunnel/10.47.14.16-10.47.14.14/require;
spdadd 10.47.14.14/32 10.47.14.16/32 any -P in ipsec esp/tunnel/10.47.14.14-10.47.14.16/require;

debug output:

2004-01-15 16:18:05: INFO: main.c:174:main(): @(#)racoon 20001216 20001216 sakane@kame.net
2004-01-15
Topic: IPSEC VPN issue - racoon: ERROR: failed to get sainfo

zoics, May 01, 2007, 11:14:48:

Hi, I am getting an issue with an Ipsec VPN to Cisco router, the error message in system log is - racoon: ERROR: failed to get sainfo. Phase 1 is ok it just fails on phase 2. I have tried both PF set to 2 and 1 (cisco default).

Can I get deeper logs? Does anybody have ideas on this?

Thanks,
Matt

cmb, Reply #1, May 02, 2007, 01:04:34:

Enable debugging on the Cisco side, you'll probably get more informative info there in this case.

zoics, Reply #2, May 04, 2007, 09:42:16:

Thanks, Turned out to be the subnet mask on the far end.

Thanks,
Matt
ZReau, Mon, 08 April 2013 22:36 [message #101200]:

I run kerio control 8.0.2 and want to try to create an ipsec tunnel. The tunnel works for 10 seconds then pfsense says can't get sainfo. Which credentials are compatible for kerio ipsec? I have configured this on pfsense:

PHASE 1:
Authentication method: mutual psk
Negotiation mode: main
My identifier: ipadress
Peer identifier: peer ipadress
Pre-Shared Key: XXXXX
Policy Generation: default
Proposal Checking: default
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 5 (1536 bit )
Lifetime: 10800
NAT Traversal: disable
Dead Peer Detection: disable

PHASE 2:
Mode: tunnel
Local Network: 1.2.3.4/24
Remote Network: 4.3.2.1/24
Protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: SHA1
PFS key group: off
Lifetime: 3600

Could someone tell me what I did wrong?

Alex,

ZReau, Mon, 08 April 2013 22:38 [message #101201]:

and pfsense logging says:

Apr 8 22:37:36 racoon: DEBUG: IV freed
Apr 8 22:37:36 racoon: NAMEIPSEC ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks] (side: 1, status: 1).
Apr 8 22:37:36 racoon: ERROR: failed to get sainfo.
Apr 8 22:37:36 racoon: ERROR: failed to get sainfo.

Lisa Lyons (Kerio), Tue, 09 April 2013 12:39 [message #101220]:

Hi, ZReau

We use IKEv1 cypher suite, so you can see the options that are supported here: http://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

Sadly, we have not tested the IPSec VPN with a PFSense server, so I cannot advise too closely on what you may try. The information contained here may help: http://kb.kerio.com/product/kerio-control/vpn/configuring-ipsec-vpn-1281.html

Kerio Technical Support
Log Support Incidents here: http://www.kerio.com/support
Also, please use our KB: http://kb.kerio.com

ZReau, Tue, 09 April 2013 18:29 [message #101250]:

Lisa, I know but I have it working except every 10 seconds they drop the connection, and get this error and after a few times it has its ipsec connection again. I used the options that kerio supports but still it will lose