Home Forums Archive VaporSec Linksys BEFVP41 firmware 1.40.5 and VaporSec

This topic contains 1 reply, has 2 voices, and was last updated by  Anonymous 16 years ago.

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #356257

    djwiebe
    Participant

    …Originally posted on VAPOR forum by error…

    Trying to get a Linksys BEFVP41 VPN tunnel working with VaporSec running on Jaguar. After I realized that you need to use Explorer when configuring the Linksys because PFS doesn’t stay checked with Safari I thought I was away to the races.

    All the Settings and Logfile Results are below, I’ve obviously tried a number of different settings, but this one as well as variations of this config all get me to the same Phase 2 error “unknown notify message, no phase2 handle found”.

    Note: The VaporSec client is behind a standard Linksys 4 port router, which has IPSec pass-through enabled, both client and host are on the same ISP’s DSL network.

    Help?

    [b:89818bf6a6]Linksys settings:[/b:89818bf6a6]

    Tunnel Name: five41
    Local Secure Group: 192.168.20.0 (the entire local subnet)
    Remote Secure Group: Any
    Remote Secure Gateway: Any
    Encryption: 3DES
    Authentication: SHA
    Key Management: Auto. (IKE)
    PFS: Checked
    Pre-shared Key: 12345
    Key Lifetime: 3600 sec.

    Advanced Settings:
    Operation Mode: Main mode
    Prop1 Encryption: 3DEC
    Prop1 Authentication: SHA
    Group: 768-bit
    Key Lifetime: 3600 seconds

    Prop2 settings the same as Prop1

    Anti-replay: Checked

    [b:89818bf6a6]VaporSec Settings:[/b:89818bf6a6]

    Remote IPSec device: [i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6]
    Remote Network 192.168.20.1
    Local Network Mask 32

    Main Tab
    Shared Secret: 12345
    Local IP: blank
    Mode: main
    Popsal Check: obey
    Nonce size: 16

    Phase 1
    Lifetime: 5 minutes
    DH Group: 1
    Encryption: 3des
    Authentication: sha1

    Phase 2
    Lifetime: 12 hours
    PFS Group: 1
    Encryption: 3des
    Authentication: hmac_sha1

    ID
    Local: Address
    Remote: Address

    [b:89818bf6a6]Linksys Log File Results:[/b:89818bf6a6]

    2003-08-11 20:43:24 IKE[71] Rx << MM_I1 : [i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6] SA
    2003-08-11 20:43:24 IKE[71] Tx >> MM_R1 : [i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6] SA
    2003-08-11 20:43:24 IKE[71] ISAKMP SA CKI=[ec7b3029 eecc3efc] CKR=[2cfacc31 6239d9af]
    2003-08-11 20:43:24 IKE[71] ISAKMP SA 3DES / SHA / PreShared / MODP_768 / 300 sec (*0 sec)
    2003-08-11 20:43:25 IKE[71] Rx << MM_I2 : [i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6] KE, NONCE, VID
    2003-08-11 20:43:25 IKE[71] Tx >> MM_R2 : [i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6] KE, NONCE
    2003-08-11 20:43:25 This connection request matches tunnel 1 setting !
    2003-08-11 20:43:25 IKE[1] Rx << MM_I3 : [i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6] ID, HASH
    2003-08-11 20:43:25 IKE[1] Tx >> MM_R3 : [i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6] ID, HASH
    2003-08-11 20:43:25 IKE[1] Rx << Notify :
    2003-08-11 20:43:26 IKE[1] Rx << QM_I1 : [i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6] HASH, SA, NONCE, KE, ID, ID
    [color=red:89818bf6a6]2003-08-11 20:43:26 IKE[1] **Check your Local/Remote Secure Group settings ! [/color:89818bf6a6]
    2003-08-11 20:43:26 IKE[1] Tx >> Notify : INVALID-ID-INFORMATION

    [b:89818bf6a6]Mac Syslog File Results:[/b:89818bf6a6]

    Aug 11 20:43:16 tbase racoon: INFO: main.c:169:main(): @(#)racoon 20001216 20001216 [email protected]
    Aug 11 20:43:16 tbase racoon: INFO: main.c:170:main(): @(#)This product linked OpenSSL 0.9.6i Feb 19 2003 (http://www.openssl.org/)
    Aug 11 20:43:17 tbase racoon: INFO: isakmp.c:1357:isakmp_open(): 192.168.1.20[500] used as isakmp port (fd=6)
    Aug 11 20:43:17 tbase racoon: INFO: isakmp.c:1357:isakmp_open(): fe80::205:2ff:fecb:9510[500] used as isakmp port (fd=7)
    Aug 11 20:43:17 tbase racoon: INFO: isakmp.c:1357:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=8 )
    Aug 11 20:43:17 tbase racoon: INFO: isakmp.c:1357:isakmp_open(): fe80::1[500] used as isakmp port (fd=9)
    Aug 11 20:43:17 tbase racoon: INFO: isakmp.c:1357:isakmp_open(): ::1[500] used as isakmp port (fd=10)
    Aug 11 20:43:23 tbase racoon: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for [i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6] queued due to no phase1 found.
    Aug 11 20:43:23 tbase racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.1.20[500]<=>[i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6][500]
    Aug 11 20:43:23 tbase racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Identity Protection mode.
    Aug 11 20:43:24 tbase racoon: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established 192.168.1.20[500]-[i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6][500] spi:ec7b3029eecc3efc:2cfacc316239d9af
    Aug 11 20:43:25 tbase racoon: INFO: isakmp.c:939:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.1.20[0]<=>[i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6][0]
    Aug 11 20:43:26 tbase racoon: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
    Aug 11 20:43:55 tbase racoon: ERROR: pfkey.c:738:pfkey_timeover(): 142.161.173.74 give up to get IPsec-SA due to time up to wait.
    Aug 11 20:43:58 tbase racoon: INFO: isakmp.c:939:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.1.20[0]<=>[i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6][0]
    Aug 11 20:43:59 tbase racoon: ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
    Aug 11 20:44:28 tbase racoon: ERROR: pfkey.c:738:pfkey_timeover(): 142.161.173.74 give up to get IPsec-SA due to time up to wait.
    Aug 11 20:44:31 tbase racoon: INFO: isakmp.c:939:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.168.1.20[0]<=>[i:89818bf6a6]LinkSys WAN IP[/i:89818bf6a6][0]

    #356292

    Anonymous
    Participant

    Hi,

    I’m a newbie also and have the same Firewall/VPN with same firmware version.

    I was able to get the connection working using the settings in this forum topic:

    [url]https://www.afp548.com/eBBS/viewtopic.php?t=201[/url]

    Read through all of the posts in the thread for good information.

    The differences between your posted settings and what I have are:

    You:
    Local Secure Group: 192.168.20.0 (the entire local subnet)
    Me:
    xxx.xxx.xxx.1 (instead of 0)

    You:
    Remote Network 192.168.20.1
    Me:
    xxx.xxx.xxx.1/24

    I think the above two items will help. The next two, I don’t think make a difference.

    You:
    DH Group: 1
    Me:
    DH Group: 2

    You:
    PFS Group: 1
    Me:
    PFS Group: 2

    There are differences in some of the times, but I don’t think that would make a difference (I could easily be wrong).

    Hope this helps.

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

Comments are closed