Phase 1 fails when setting up IPSec tunnel.
I read the articles on racoon and now a friend and I try to set up an IPSec tunnel between our machines. We both have public IPs from our ISPs. My IP is 123.45.67.89 and he has abc.def.gh.ij.
Arguments to setkey on my machine:
spdadd 123.456.78.90 abc.def.gh.ij any -P out ipsec esp/transport/123.456.78.90-abc.def.gh.ij/require;
spdadd abc.def.gh.ij abc.def.gh.ij any -P in ipsec esp/transport/abc.def.gh.ij-123.456.78.90/require;
and on the other machine
spdadd abc.def.gh.ij 123.456.78.90 any -P out ipsec esp/transport/abc.def.gh.ij-123.456.78.90/require;
spdadd abc.def.gh.ij abc.def.gh.ij any -P in ipsec esp/transport/123.456.78.90-abc.def.gh.ij/require;
We do not specify any ip range like they did in the example (10.0.0.3/32).
Btw, I found an ‘asymmetry’ in the example. At the client the IP numbers in the spdadd lines are paired together like this:
client/server client/server
server/client server/client
but on the server they are ordered like this:
server/server server/client
client/server client/server
Why are they different?
Anyway, after setting up the spdadd lines, sharing a secret word and starting racoon we try to connect to each other's machines, by telnetting, cmd-k in the Finder etc., but we cannot find each other.
My system log looks like this:
% tail -f /var/log/system.log | grep racoon
May 1 14:56:08 pb racoon: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for abc.def.gh.ij queued due to no phase1 found.
May 1 14:56:08 pb racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 123.456.78.90[500]<=>abc.def.gh.ij[500]
May 1 14:56:08 pb racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Aggressive mode.
May 1 14:56:39 pb racoon: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP abc.def.gh.ij->123.456.78.90
May 1 14:56:39 pb racoon: INFO: isakmp.c:1778:isakmp_chkph1there(): delete phase 2 handler.
May 1 14:57:05 pb racoon: NOTIFY: pfkey.c:1539:pk_recvacquire(): no in-bound policy found: abc.def.gh.ij/32[0] 123.456.78.90/32[0] proto=any dir=in
May 1 14:57:05 pb racoon: INFO: isakmp.c:1700:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
May 1 14:57:36 pb racoon: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP abc.def.gh.ij->123.456.78.90
May 1 14:57:36 pb racoon: INFO: isakmp.c:1778:isakmp_chkph1there(): delete phase 2 handler.
May 1 14:58:08 pb racoon: ERROR: isakmp.c:1434:isakmp_ph1resend(): phase1 negotiation failed due to time up. e346f74d2a16b588:0000000000000000
Obviously phase 1 is never established, but why?
Can firewalls and/or routers interfere with the process of setting up the tunnel? My machine is directly connected to the internet, with neither firewall nor router in between (of course there are routers, but not on my LAN).
Any ideas?
Thanks
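An added check, not part of the original post: a small Python validator for transport-mode spdadd pairs. It assumes the usual setkey rule that a -P out policy selects local->remote and a -P in policy selects remote->local, with the SA endpoints in the ipsec request naming the same pair; the inbound policy is what racoon looks up when it logs "no in-bound policy found". The addresses and the first pair of lines are taken from the post; the second, mirrored pair is constructed for comparison.

```python
import re
from collections import namedtuple

# Parser for setkey(8) "spdadd" lines of the shape used in the post:
#   spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/SASRC-SADST/LEVEL;
SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+\S+\s+-P\s+(?P<dir>in|out)\s+ipsec\s+"
    r"\w+/(?P<mode>\w+)/(?P<sasrc>[^-]+)-(?P<sadst>[^/]+)/\w+\s*;?\s*$"
)
# src/dst: the packet selector; sasrc/sadst: the SA endpoints in the ipsec request
Policy = namedtuple("Policy", "src dst direction mode sasrc sadst")

def parse_spdadd(text):
    policies = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = SPDADD_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed spdadd line: {line!r}")
        policies.append(Policy(m["src"], m["dst"], m["dir"], m["mode"], m["sasrc"], m["sadst"]))
    return policies

def check_policies(policies, local, remote):
    """Return problems found; an empty list means the SPD is a consistent pair.
    -P out must select local->remote, -P in must select remote->local, and in
    transport mode the SA endpoints must be the same pair as the selector."""
    problems = []
    for p in policies:
        want = (local, remote) if p.direction == "out" else (remote, local)
        if (p.src, p.dst) != want:
            problems.append(f"-P {p.direction}: selector {p.src}->{p.dst}, expected {want[0]}->{want[1]}")
        if p.mode == "transport" and (p.sasrc, p.sadst) != want:
            problems.append(f"-P {p.direction}: SA endpoints {p.sasrc}-{p.sadst}, expected {want[0]}-{want[1]}")
    for d in ("out", "in"):
        if not any(p.direction == d for p in policies):
            problems.append(f"no -P {d} policy present")
    return problems

LOCAL, REMOTE = "123.456.78.90", "abc.def.gh.ij"   # addresses as written in the post
POSTED_SPD = """\
spdadd 123.456.78.90 abc.def.gh.ij any -P out ipsec esp/transport/123.456.78.90-abc.def.gh.ij/require;
spdadd abc.def.gh.ij abc.def.gh.ij any -P in ipsec esp/transport/abc.def.gh.ij-123.456.78.90/require;
"""
# Constructed mirrored pair (not from the post) for comparison.
MIRRORED_SPD = """\
spdadd 123.456.78.90 abc.def.gh.ij any -P out ipsec esp/transport/123.456.78.90-abc.def.gh.ij/require;
spdadd abc.def.gh.ij 123.456.78.90 any -P in ipsec esp/transport/abc.def.gh.ij-123.456.78.90/require;
"""
```

Running `check_policies(parse_spdadd(POSTED_SPD), LOCAL, REMOTE)` reports the inbound selector of the posted pair; the mirrored pair reports nothing.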