Racoon Error Failed To Get Proposal For Responder
"failed to get sainfo" From: Marc Haber
> in your racoon.conf, you also need
> another sainfo for 16-14 (which will probably be a copy of the
> existing one).

Thank you very much, that has solved the problem. I now have:

sainfo address 10.47.14.14 any address 10.47.14.16 any
{
    pfs_group 2;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
sainfo address 10.47.14.16 any address 10.47.14.14 any
{
    pfs_group 2;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

I find that strange because the examples in http://www.ipsec-howto.org/x242.html only have one sainfo statement as well.

Now the IKE exchange seems to complete, but ends in the following error message on the .14 machine:

2004-01-15 17:28:38: ERROR: isakmp_quick.c:2029:get_proposal_r(): no policy found: 10.47.14.16/32[0] 10.47.14.14/32[0] proto=any dir=in
2004-01-15 17:28:38: ERROR: isakmp_quick.c:1070:quick_r1recv(): failed to get proposal for responder.
2004-01-15 17:28:38: ERROR: isakmp.c:1062:isakmp_ph2begin_r(): failed to pre-process packet.

The policies here are:

|#!/usr/sbin/setkey -f
|flush;
|spdflush;
|
|spdadd 10.47.14.16/32 10.47.14.14/32 any -P in ipsec
|   esp/tunnel/10.47.14.16-10.47.14.14/require;
|
|spdadd 10.47.14.14/32 10.47.14.16/32 any -P out ipsec
|   esp/tunnel/10.47.14.14-10.47.14.
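The reply above boils down to a consistency rule: every direction that the SPD carries (an "in" policy and its mirrored "out" policy) needs a matching sainfo in racoon.conf, otherwise the responder logs "no policy found" or "failed to get sainfo" for that direction. As an added example (not code from this thread, from Marc Haber, or from the ipsec-tools project), here is a small Python checker that parses a setkey SPD file and a racoon.conf and reports policies without a mirror direction and policies without a sainfo listing their endpoints. The sample inputs are constructed from the addresses in the thread, not the poster's real files; the rule that a policy's (source, destination) pair needs a sainfo naming the addresses in that order is an assumption taken from the advice quoted above rather than racoon's documented matching algorithm, and the parsers only handle the simple `spdadd ... -P in|out` and `sainfo address A any address B any` forms shown here.

```python
import re

# Constructed sample inputs, modelled on the addresses used in the thread above
# (not the poster's actual files). The racoon.conf deliberately has only one
# sainfo, which is the situation the reply describes.
SAMPLE_SPD = """\
#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 10.47.14.16/32 10.47.14.14/32 any -P in ipsec
    esp/tunnel/10.47.14.16-10.47.14.14/require;

spdadd 10.47.14.14/32 10.47.14.16/32 any -P out ipsec
    esp/tunnel/10.47.14.14-10.47.14.16/require;
"""

SAMPLE_RACOON_CONF = """\
sainfo address 10.47.14.14 any address 10.47.14.16 any
{
    pfs_group 2;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
"""

# Second sainfo block with the addresses reversed, as suggested in the thread.
MIRROR_SAINFO = """\
sainfo address 10.47.14.16 any address 10.47.14.14 any
{
    pfs_group 2;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
"""


def parse_spd(text):
    """Return a set of (src, dst, direction) tuples from the spdadd statements
    in a setkey -f file. Only the simple form 'spdadd SRC DST PROTO -P DIR ...'
    shown in the thread is handled; comment lines (#) are skipped."""
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))
    policies = set()
    for statement in body.split(";"):
        tokens = statement.split()
        if len(tokens) < 6 or tokens[0] != "spdadd" or "-P" not in tokens:
            continue
        src, dst = tokens[1], tokens[2]
        direction = tokens[tokens.index("-P") + 1]
        policies.add((src, dst, direction))
    return policies


SAINFO_RE = re.compile(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+")


def parse_sainfo(text):
    """Return the set of (first address, second address) pairs from the
    'sainfo address A any address B any' headers in a racoon.conf."""
    return {(m.group(1), m.group(2)) for m in SAINFO_RE.finditer(text)}


def host(addr):
    """Drop a /prefix so SPD addresses can be compared with sainfo addresses."""
    return addr.split("/")[0]


def find_gaps(spd_text, racoon_text):
    """List configuration gaps that would leave one direction of a tunnel
    without a usable policy or sainfo:
      - a policy whose reverse direction is missing from the SPD
      - a policy with no sainfo listing its endpoints in the same order
    The second rule is an assumption taken from the advice in the thread."""
    policies = parse_spd(spd_text)
    sainfos = parse_sainfo(racoon_text)
    problems = []
    for src, dst, direction in policies:
        mirror = (dst, src, "out" if direction == "in" else "in")
        if mirror not in policies:
            problems.append(f"no {mirror[2]} policy mirroring {src} -> {dst} {direction}")
        if (host(src), host(dst)) not in sainfos:
            problems.append(f"no sainfo for {host(src)} -> {host(dst)} ({direction} policy)")
    return sorted(problems)


if __name__ == "__main__":
    for problem in find_gaps(SAMPLE_SPD, SAMPLE_RACOON_CONF):
        print("before:", problem)
    print("after adding mirror sainfo:",
          find_gaps(SAMPLE_SPD, SAMPLE_RACOON_CONF + MIRROR_SAINFO) or "no gaps")
```

Run against the constructed inputs, the checker reports that the "in" policy 10.47.14.16 -> 10.47.14.14 has no sainfo, and reports nothing once the reversed sainfo block is appended, which is the change the reply in the thread asked for.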
Author: chrisreston
Ipsec errors please help need this up Monday
« on: March 30, 2008, 01:32:01 am »
Source: https://forum.pfsense.org/index.php?topic=8634.0

This is the error I am getting on one box, I am using both Pfsense boxes. Any Ideas?

Last 50 IPSEC log entries:

Mar 29 23:18:43 racoon: [Name]: ERROR: 66.93.!.! give up to get IPsec-SA due to time up to wait.
Mar 29 23:18:13 racoon: [Name]: INFO: initiate new phase 2 negotiation: 98.165.!.![0]<=>66.93.!.![0]
Mar 29 23:12:55 racoon: [Name]: ERROR: 66.93.160.190 give up to get IPsec-SA due to time up to wait.
Mar 29 23:12:25 racoon: [Name]: INFO: initiate new phase 2 negotiation: 98.165.!.![500]<=>66.93.!.![500]
Mar 29 23:12:24 racoon: [Name]: INFO: ISAKMP-SA established 98.165.!.![500]-66.93.!.![500] spi:197dccc5e520270d:6a80ee33c50666ef
Mar 29 23:12:24 racoon: WARNING: No ID match.
Mar 29 23:12:24 racoon: INFO: received Vendor ID: DPD
Mar 29 23:12:24 racoon: INFO: begin Aggressive mode.
Mar 29 23:12:24 racoon: [Name]: INFO: initiate new phase 1 negotiation: 98.165.!.![500]<=>66.93.!.![500]
Mar 29 23:12:24 racoon: [Name]: INFO: IPsec-SA request for 66.93.!.! queued due to no phase1 found.
Mar 29 23:11:44 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=out
Mar 29 23:11:44 racoon: ERROR: such policy already exists. anyway replace it: 172.16.10.1/32[0] 172.16.0.0/16[0] proto=any dir=out

Second box errors:

Mar 29 23:27:16 racoon: ERROR: failed to pre-process packet.
Mar 29 23:27:16 racoon: ERROR: failed to get proposal for responder.
Mar 29 23:27:16 racoon: ERROR: no policy found: 172.16.0.0/16[0] 192.168.0.0/24[0] proto=any dir=in
Mar 29 23:27:16 racoon: INFO: respond new phase 2 negotiation: 66.93.!.![0]<=>98.165.!.![0]
Mar 29 23:27:06 racoon: ERROR: failed to pre-process packet.
Mar 29 23:27:06 racoon: ERROR: failed to get proposal for responder.
Mar 29 23:27:06 racoon: ERROR: no policy found: 172.16.0.
Re: [Ipsec-tools-devel] IPSEC SA not established in transport mode
From: Timo Teräs
https://sourceforge.net/p/ipsec-tools/mailman/message/23156832/

https://www.v13.gr/blog/?p=261
It took me more than 6 months to sort out all the issues, so here are the experiences. Most of the trouble was because I didn't know, or didn't have clear in my mind, how things work. I wanted to have IPsec communication between a bunch of servers and a home network. I believe that this covers almost all (if not all) of the possible IPsec scenarios, so it's more complicated than it sounds. For obvious reasons I'm presenting a simplified version here, omitting all duplicates (i.e. multiple hosts with the same characteristics).

The network

We have the following nodes:

- A network behind a DSL line (home network): a normal home DSL line with a non-static IP, behind NAT.
- A server (srv1) somewhere on the Internet with a static public IP address and no NAT.
- A server (srv2) in Amazon's EC2, which has an allocated public IP address but uses local IP addresses and thus sits behind NAT. Also, Amazon doesn't allow the ESP and AH protocols to be carried in IP packets inside their network.

We also have the following systems:

- Home network: a bunch of Linux boxes on a private network plus a Mikrotik router
- srv1 and srv2: Debian Squeeze Linux

The home network uses IP addresses from the network 10.1.0.0/16. A secondary prefix (10.5.0.0/16) is allocated for IPsec addressing only. All home nodes have addresses from 10.1.0.0/16. Some nodes (including the servers) have addresses from 10.5.0.0/16.

Apart from the above, there's a custom CA setup which issues certificates for all nodes.

The problem

Set up IPsec so that:

- srv1 and srv2 can communicate with their public IP addresses using IPsec only
- boxes on the home network can communicate with both srv1 and srv2 using IPsec

The setup

Since there is more than one box on the home network, the home network needs to be connected with tunneled IPsec to srv1 and srv2. srv1 and srv2 need to be connected with