VPN Not working

2002-10-31 Thread Wayne Pascoe
Hi all,

I'm trying to set up a tunneling VPN between two FreeBSD boxes.
I have network A talking through gateway A to network B via gateway B.

Network A IP Range - 192.168.11.0/24
Network B IP Range - 192.168.12.0/24

Gateway A Internal IP Address - 192.168.11.1
Gateway A External IP Address - 192.168.10.1

Gateway B Internal IP Address - 192.168.12.1
Gateway B External IP Address - 192.168.10.2

I have IP forwarding set up and, with the VPN down, a machine behind the
first gateway, 192.168.11.2, can ping a machine behind the second
gateway, 192.168.12.2. As soon as I start the VPN up, though, they
can't talk at all any more. Not ssh, not ping, not anything.

I am using the following scripts on Gateway A and B respectively to
start my VPN

#!/bin/bash
setkey -c <


VPN not working

2006-02-03 Thread Subhro
Hello,

I am trying to connect to my workplace which uses a Cisco IW600. I am
putting the connect log from the router below.

--
terminal monitor
IW600#
*Feb  3 22:00:44.051: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 64.191.227.249, remote= 220.225.82.250,
local_proxy= 172.16.3.151/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x5A88B8A1(1518909601), conn_id= 0, keysize= 0, flags= 0x400B
*Feb  3 22:00:44.051: ISAKMP: received ke message (1/1)
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Feb  3 22:00:44.051: ISAKMP: Created a peer struct for
220.225.82.250, peer port 500
*Feb  3 22:00:44.051: ISAKMP: New peer created peer = 0x447C2CF4
peer_handle = 0x8286
*Feb  3 22:00:44.051: ISAKMP: Locking peer struct 0x447C2CF4, IKE
refcount 1 for isakmp_initiator
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0):Setting client config settings 448F7964
*Feb  3 22:00:44.051: ISAKMP: local port 500, remote port 500
*Feb  3 22:00:44.051: ISAKMP: set new node 0 to QM_IDLE
*Feb  3 22:00:44.051: ISAKMP: Find a dup sa in the avl tree during
calling isadb_insert sa = 447DC520
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0):Can not start Aggressive
mode, trying Main mode.
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0):Looking for a matching key
for 220.225.82.250 in default
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0): : success
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0):found peer pre-shared key
matching 220.225.82.250
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC,
IKE_SA_REQ_MM
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New
State = IKE_I_MM1

*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0): sending packet to
220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 22:00:54.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 22:00:54.051: ISAKMP:(0:0:N/A:0):incrementing error counter on
sa: retransmit phase 1
*Feb  3 22:00:54.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Feb  3 22:00:54.051: ISAKMP:(0:0:N/A:0): sending packet to
220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 22:01:03.043: ISAKMP:(0:0:N/A:0):purging node 1798766697
*Feb  3 22:01:03.043: ISAKMP:(0:0:N/A:0):purging node 756905305
*Feb  3 22:01:04.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 22:01:04.051: ISAKMP:(0:0:N/A:0):incrementing error counter on
sa: retransmit phase 1
*Feb  3 22:01:04.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Feb  3 22:01:04.051: ISAKMP:(0:0:N/A:0): sending packet to
220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 22:01:13.043: ISAKMP:(0:0:N/A:0):purging SA., sa=44872764,
delme=44872764
*Feb  3 22:01:13.727: %SYS-2-CHUNKBADMAGIC: Bad magic number in chunk
header, chunk 0  data 446BFA58  chunkmagic 400B97A8  chunk_freemagic
43EDF9F4
-Process= "IP Input", ipl= 4, pid= 74
-Traceback= 0x40ABDEE8 0x400BC510 0x402FF6B4 0x40ED1738 0x40ED48EC
0x40ED2F8C 0x40ED325C 0x40ED3318 0x40ED34BC
*Feb  3 22:01:14.051: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 64.191.227.249, remote= 220.225.82.250,
local_proxy= 172.16.3.151/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4)
*Feb  3 22:01:14.051: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 64.191.227.249, remote= 220.225.82.250,
local_proxy= 172.16.3.151/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x385ACC06(945474566), conn_id= 0, keysize= 0, flags= 0x400B
*Feb  3 22:01:14.051: ISAKMP: received ke message (1/1)
*Feb  3 22:01:14.051: ISAKMP: set new node 0 to QM_IDLE
*Feb  3 22:01:14.051: ISAKMP:(0:0:N/A:0):SA is still budding. Attached
new ipsec request to it. (local 64.191.227.249, remote 220.225.82.250)
*Feb  3 22:01:14.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 22:01:14.051: ISAKMP:(0:0:N/A:0):incrementing error counter on
sa: retransmit phase 1
*Feb  3 22:01:14.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Feb  3 22:01:14.051: ISAKMP:(0:0:N/A:0): sending packet to
220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 22:01:24.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Feb  3 22:01:24.051: ISAKMP:(0:0:N/A:0):incrementing error counter on
sa: retransmit phase 1
*Feb  3 22:01:24.051: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Feb  3 22:01:24.051: ISAKMP:(0:0:N/A:0): sending pac
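
Added example, not part of the original thread: a small Python triage of the router log quoted above. It rejoins the mail-wrapped lines and counts sent packets, retransmits and replies; an initiator that keeps retransmitting in MM_NO_STATE with no inbound packet has had no answer to its first Main Mode message. The function names and the "received packet from" match string are assumptions of this example.

```python
import re

# Excerpt of the router log quoted above, with the mail client's line wrapping kept.
SAMPLE = """\
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New
State = IKE_I_MM1
*Feb  3 22:00:44.051: ISAKMP:(0:0:N/A:0): sending packet to
220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 22:00:54.051: ISAKMP:(0:0:N/A:0):incrementing error counter on
sa: retransmit phase 1
*Feb  3 22:00:54.051: ISAKMP:(0:0:N/A:0): sending packet to
220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
*Feb  3 22:01:04.051: ISAKMP:(0:0:N/A:0):incrementing error counter on
sa: retransmit phase 1
*Feb  3 22:01:04.051: ISAKMP:(0:0:N/A:0): sending packet to
220.225.82.250 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

def unwrap(text):
    """Rejoin wrapped lines: a record starts with '*' or '-', anything else continues it."""
    records = []
    for line in text.splitlines():
        if line.startswith(("*", "-")) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Summarise one IKE phase 1 attempt as seen from the initiator's debug output."""
    s = {"peer": None, "sent": 0, "received": 0, "retransmits": 0, "state": None}
    for rec in unwrap(text):
        if m := re.search(r"sending packet to (\S+) .*\(I\) (\S+)", rec):
            s["peer"], s["state"] = m.group(1), m.group(2)
            s["sent"] += 1
        elif "received packet from" in rec:  # assumed wording for an inbound IKE packet
            s["received"] += 1
        elif "incrementing error counter" in rec and "retransmit phase 1" in rec:
            s["retransmits"] += 1  # one such record per retransmission in this log
    # Sent at least once, never heard back, still in the initial Main Mode state.
    s["no_reply"] = s["sent"] > 0 and s["received"] == 0 and s["state"] == "MM_NO_STATE"
    return s

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `no_reply` result points the check at the path to the peer (UDP 500 reachability, filtering, whether the peer is configured to answer this address) rather than at proposal or key mismatches, which only show up once replies arrive.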

Re: VPN not working

2006-02-10 Thread Michael Vince

You can try out this script if you like, it may or may not help.
I created it so I could more easily remember all the VPN knobs that need 
to be touched when creating a VPN.

http://www.roq.com/projects/vpnsetup/vpnsetup.pl

Mike

