Linksys BEFVP41 firmware 1.40.5 and VaporSec

  • #356257
    djwiebe
    Participant

    …Originally posted on VAPOR forum by error…

    Trying to get a Linksys BEFVP41 VPN tunnel working with VaporSec running on Jaguar. After I realized that you need to use Explorer when configuring the Linksys, because PFS doesn’t stay checked with Safari, I thought I was away to the races.

    All the Settings and Logfile Results are below. I’ve obviously tried a number of different settings, but this one, as well as variations of this config, all get me to the same Phase 2 error: “unknown notify message, no phase2 handle found”.

    Note: The VaporSec client is behind a standard Linksys 4 port router, which has IPSec pass-through enabled; both client and host are on the same ISP’s DSL network.

    Help?

    Linksys settings:

    Tunnel Name: five41
    Local Secure Group: 192.168.20.0 (the entire local subnet)
    Remote Secure Group: Any
    Remote Secure Gateway: Any
    Encryption: 3DES
    Authentication: SHA
    Key Management: Auto. (IKE)
    PFS: Checked
    Pre-shared Key: 12345
    Key Lifetime: 3600 sec.

    Advanced Settings:
    Operation Mode: Main mode
    Prop1 Encryption: 3DES
    Prop1 Authentication: SHA
    Group: 768-bit
    Key Lifetime: 3600 seconds

    Prop2 settings the same as Prop1

    Anti-replay: Checked

    VaporSec Settings:

    Remote IPSec device: LinkSys WAN IP
    Remote Network 192.168.20.1
    Local Network Mask 32

    Main Tab
    Shared Secret: 12345
    Local IP: blank
    Mode: main
    Proposal Check: obey
    Nonce size: 16

    Phase 1
    Lifetime: 5 minutes
    DH Group: 1
    Encryption: 3des
    Authentication: sha1

    Phase 2
    Lifetime: 12 hours
    PFS Group: 1
    Encryption: 3des
    Authentication: hmac_sha1

    ID
    Local: Address
    Remote: Address

    Linksys Log File Results:

    2003-08-11 20:43:24 IKE[71] Rx << MM_I1 : LinkSys WAN IP SA
    2003-08-11 20:43:24 IKE[71] Tx >> MM_R1 : LinkSys WAN IP SA
    2003-08-11 20:43:24 IKE[71] ISAKMP SA CKI=[ec7b3029 eecc3efc] CKR=[2cfacc31 6239d9af]
    2003-08-11 20:43:24 IKE[71] ISAKMP SA 3DES / SHA / PreShared / MODP_768 / 300 sec (*0 sec)
    2003-08-11 20:43:25 IKE[71] Rx << MM_I2 : LinkSys WAN IP KE, NONCE, VID
    2003-08-11 20:43:25 IKE[71] Tx >> MM_R2 : LinkSys WAN IP KE, NONCE
    2003-08-11 20:43:25 This connection request matches tunnel 1 setting !
    2003-08-11 20:43:25 IKE[1] Rx << MM_I3 : LinkSys WAN IP ID, HASH
    2003-08-11 20:43:25 IKE[1] Tx >> MM_R3 : LinkSys WAN IP ID, HASH
    2003-08-11 20:43:25 IKE[1] Rx << Notify :
    2003-08-11 20:43:26 IKE[1] Rx << QM_I1 : LinkSys WAN IP HASH, SA, NONCE, KE, ID, ID
    2003-08-11 20:43:26 IKE[1] **Check your Local/Remote Secure Group settings !
    2003-08-11 20:43:26 IKE[1] Tx >> Notify : INVALID-ID-INFORMATION

    Mac Syslog File Results:

    Aug 11 20:43:16 tbase racoon: INFO: main.c:169:main(): @(#)racoon 20001216 20001216 [email protected]
    Aug 11 20:43:16 tbase racoon: INFO: main.c:170:main(): @(#)This product linked OpenSSL 0.9.6i Feb 19 2003 (http://www.openssl.org/)
    Aug 11 20:43:17 tbase racoon: INFO: isakmp.c:1357:isakmp_open(): 192.168.1.20[500] used as isakmp port (fd=6)
    Aug 11 20:43:17 tbase racoon: INFO: isakmp.c:1357:isakmp_open(): fe80::205:2ff:fecb:9510[500] used as isakmp port (fd=7)
    Aug 11 20:43:17 tbase racoon: INFO: isakmp.c:1357:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=8)
    Aug 11 20:43:17 tbase racoon: INFO: isakmp.c:1357:isakmp_open(): fe80::1[500] used as isakmp port (fd=9)
    Aug 11 20:43:17 tbase racoon: INFO: isakmp.c:1357:isakmp_open(): ::1[500] used as isakmp port (fd=10)
    Aug 11 20:43:23 tbase racoon: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for LinkSys WAN IP queued due to no phase1 found.
    Aug 11 20:43:23 tbase racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.1.20[500]<=>LinkSys WAN IP[500]
    Aug 11 20:43:23 tbase racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Identity Protection mode.
    Aug 11 20:43:24 tbase racoon: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established 192.168.1.20[500]-LinkSys WAN IP[500] spi:ec7b3029eecc3efc:2cfacc316239d9af
    Aug 11 20:43:25 tbase racoon: INFO: isakmp.c:939:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.1.20[0]<=>LinkSys WAN IP[0]
    Aug 11 20:43:26 tbase racoon: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
    Aug 11 20:43:55 tbase racoon: ERROR: pfkey.c:738:pfkey_timeover(): 142.161.173.74 give up to get IPsec-SA due to time up to wait.
    Aug 11 20:43:58 tbase racoon: INFO: isakmp.c:939:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.1.20[0]<=>LinkSys WAN IP[0]
    Aug 11 20:43:59 tbase racoon: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
    Aug 11 20:44:28 tbase racoon: ERROR: pfkey.c:738:pfkey_timeover(): 142.161.173.74 give up to get IPsec-SA due to time up to wait.
    Aug 11 20:44:31 tbase racoon: INFO: isakmp.c:939:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.1.20[0]<=>LinkSys WAN IP[0]

    #356292
    Anonymous
    Participant

    Hi,

    I’m a newbie also and have the same Firewall/VPN with the same firmware version.

    I was able to get the connection working using the settings in this forum topic:

    https://www.afp548.com/eBBS/viewtopic.php?t=201

    Read through all of the posts in the thread for good information.

    The differences between your posted settings and what I have are:

    You:
    Local Secure Group: 192.168.20.0 (the entire local subnet)
    Me:
    xxx.xxx.xxx.1 (instead of 0)

    You:
    Remote Network 192.168.20.1
    Me:
    xxx.xxx.xxx.1/24

    I think the above two items will help. The next two, I don’t think make a difference.

    You:
    DH Group: 1
    Me:
    DH Group: 2

    You:
    PFS Group: 1
    Me:
    PFS Group: 2

    There are differences in some of the times, but I don’t think that would make a difference (I could easily be wrong).

    Hope this helps.
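
An added example, not written by either poster and not VaporSec, racoon or Linksys code: a Python triage of the gateway log from the first post, plus a check of the Phase 2 network selectors the two posts disagree on. It assumes the Linksys Local Secure Group is a /24 and that the gateway wants the proposed network to equal its own; 203.0.113.10 stands in for the redacted WAN IP, and `triage` and `selector_mismatch` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample: gateway log lines from the first post, with the redacted
# peer address replaced by a documentation IP (203.0.113.10).
LINKSYS_LOG = """\
2003-08-11 20:43:25 IKE[1] Rx << MM_I3 : 203.0.113.10 ID, HASH
2003-08-11 20:43:25 IKE[1] Tx >> MM_R3 : 203.0.113.10 ID, HASH
2003-08-11 20:43:25 IKE[1] Rx << Notify :
2003-08-11 20:43:26 IKE[1] Rx << QM_I1 : 203.0.113.10 HASH, SA, NONCE, KE, ID, ID
2003-08-11 20:43:26 IKE[1] **Check your Local/Remote Secure Group settings !
2003-08-11 20:43:26 IKE[1] Tx >> Notify : INVALID-ID-INFORMATION
""".splitlines()

MSG = re.compile(r"IKE\[\d+\] (Rx <<|Tx >>) (\w+) :\s*(.*)$")

def triage(lines):
    """Return (phase1_done, last_exchange, notify_sent) from gateway log lines."""
    phase1_done, last, notify = False, None, None
    for line in lines:
        m = MSG.search(line)
        if not m:
            continue  # hint lines and SA summaries carry no Rx/Tx marker
        direction, name, rest = m.groups()
        if name == "Notify":
            if direction == "Tx >>" and rest.strip():
                notify = rest.strip()  # the gateway's stated reason for rejecting
        else:
            last = name
            # MM_R3 is the responder's final Main Mode message: Phase 1 is complete.
            phase1_done = phase1_done or name == "MM_R3"
    return phase1_done, last, notify

def selector_mismatch(gateway_group, client_remote):
    """Compare the gateway's protected network with the client's remote network.

    Returns None when both normalise to the same network, else a description.
    strict=False lets a host address with a prefix (x.x.x.1/24) stand for its network.
    """
    gw = ipaddress.ip_network(gateway_group, strict=False)
    cl = ipaddress.ip_network(client_remote, strict=False)
    if gw == cl:
        return None
    if cl.subnet_of(gw):
        return f"client proposes {cl}, narrower than the gateway group {gw}"
    return f"client proposes {cl}, gateway group is {gw}"

if __name__ == "__main__":
    print(triage(LINKSYS_LOG))
    print(selector_mismatch("192.168.20.0/24", "192.168.20.1/32"))  # first post
    print(selector_mismatch("192.168.20.0/24", "192.168.20.1/24"))  # reply's form
```

With the first post's values, Phase 1 completes and the rejection comes at QM_I1, and the /32 remote network is the only selector that differs from the gateway's group; the reply's `.1/24` form normalises to the same network.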
