This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

V7 IPsec Software VPN

I am trying to setup a IPsec VPN from a mac using equinux VPN Tracker.  Phase 1 works fine, Phase 2 error "No Phase 2 Handle found"
Here is how I have this setup.
Authentication Type= Preshared Key
Policy:
IKE encryption algorithm: 3DES
IKE authentication algorithm: MD5
IKE SA lifetime:  28800
IKE DH group: Group 2
IPSec encryption algorithm: 3DES
IPSec authentication algorithm: MD5
IPSec SA lifetime: 28800
IPSec PFS group:  None
Strict policy: Yes
Compression:  No

This is the same on both sides of the VPN.

Here is the ASG log:
esponding to Main Mode from unknown peer x.x.x.x:33093
2007:05:04-11:37:28 (none) pluto[4050]: "S_REF_zVppGuvApy_0"[1] x.x.x.x:33093 #256: ignoring Vendor ID payload [KAME/racoon]
2007:05:04-11:37:28 (none) pluto[4050]: "S_REF_zVppGuvApy_0"[1] x.x.x.x:33093 #256: NAT-Traversal: Result using RFC 3947: peer is NATed
2007:05:04-11:37:28 (none) pluto[4050]: "S_REF_zVppGuvApy_0"[1] x.x.x.x:33093 #256: Peer ID is ID_IPV4_ADDR: '10.1.132.107'
2007:05:04-11:37:28 (none) pluto[4050]: "S_REF_zVppGuvApy_0"[2] x.x.x.x:33093 #256: deleting connection "S_REF_zVppGuvApy_0" instance with peer x.x.x.x {isakmp=#0/ipsec=#0}
2007:05:04-11:37:28 (none) pluto[4050]: | NAT-T: new mapping x.x.x.x:33093/33095)
2007:05:04-11:37:28 (none) pluto[4050]: "S_REF_zVppGuvApy_0"[2] x.x.x.x:33095 #256: sent MR3, ISAKMP SA established
2007:05:04-11:37:28 (none) pluto[4050]: "S_REF_zVppGuvApy_0"[2] x.x.x.x:33095 #256: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2007:05:04-11:37:30 (none) pluto[4050]: "S_REF_zVppGuvApy_0"[2] x.x.x.x:33095 #256: cannot respond to IPsec SA request because no connection is known for 10.1.x.x/20===y.y.y.y:4500...x.x.x.x:33095[z.z.z.z]===10.1.z.z/32
2007:05:04-11:37:30 (none) pluto[4050]: "S_REF_zVppGuvApy_0"[2] x.x.x.x:33095 #256: sending encrypted notification INVALID_ID_INFORMATION to x.x.x.x:33095

The error from the Software VPN says "No Phase 2 Handle found"

Any ideas would be great Thanks!

This thread was automatically locked due to age.

Parents

0 jjohnston62 over 18 years ago

I tried the VPN Tracker software. I hated it. I use L2TP, which is native on the Mac. Or I use PPTP.

Keep in mind you can't use L2TP and IPSEC at the same time on the firewall.

I could try SSL VPN in V7, but haven't done that yet. Haven't needed it.

Why VPN Tracker?
Cancel
Vote Up 0 Vote Down

Cancel
0 microgluf over 18 years ago in reply to jjohnston62

Hi rlott,

wondered if you finally got it to work with VPN Tracker, tried a lot of things, I am getting simmilar results, any pointers would be cool.

cheers

*** Copy of the VPN traker log, note IPs have been delete, and replaced by EXT/LOCAL respectively.
==============================================================

2007-05-11 13:09:30: INFO: isakmp.c:2083:isakmp_post_acquire(): IPsec-SA request for EXT queued due to no phase1 found. Starting phase1...
2007-05-11 13:09:30: INFO: isakmp.c:1038:isakmp_ph1begin_i(): initiate new phase 1 negotiation: LOCAL[500]EXT[500]
2007-05-11 13:09:30: INFO: isakmp.c:1043:isakmp_ph1begin_i(): begin Main mode.
2007-05-11 13:09:31: INFO: isakmp_ident.c:525:ident_i3recv(): detected NAT, switching to port 4500 for EXT[500]
2007-05-11 13:09:31: INFO: isakmp.c:2884:log_ph1established(): ISAKMP-SA established LOCAL[4500]-EXT[4500] spi:43f6733950a33cdc:a70f807aac0989c6
2007-05-11 13:09:32: INFO: isakmp.c:1207:isakmp_ph2begin_i(): initiate new phase 2 negotiation: LOCAL[0]EXT[0] (sequence: 1158931222) (sainfo: EXT/32 10.100.100.0/24)
2007-05-11 13:09:32: ERROR: isakmp_inf.c:947:isakmp_info_recv_n(): unknown notify message: INVALID-ID-INFORMATION, no phase2 handle found.
2007-05-11 13:09:47: ERROR: pfkey.c:795[:P]fkey_timeover(): EXT (LOCAL/32 10.100.100.0/24) give up to get IPsec-SA due to time up to wait.

Firewall logs
========

2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: received Vendor ID payload [RFC 3947]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [Cisco-Unity]
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[1] MY_CLIENT_EXT_INT_IP #10: responding to Main Mode from unknown peer MY_CLIENT_EXT_INT_IP
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[1] MY_CLIENT_EXT_INT_IP #10: ignoring Vendor ID payload [KAME/racoon]
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[1] MY_CLIENT_EXT_INT_IP #10: NAT-Traversal: Result using RFC 3947: peer is NATed
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[1] MY_CLIENT_EXT_INT_IP #10: Peer ID is ID_IPV4_ADDR: 'LOCAL_IP'
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[2] MY_CLIENT_EXT_INT_IP #10: deleting connection "S_REF_ogumipNIZy_0" instance with peer MY_CLIENT_EXT_INT_IP {isakmp=#0/ipsec=#0}
2007:05:11-13:09:29 (none) pluto[21420]: | NAT-T: new mapping MY_CLIENT_EXT_INT_IP:500/28082)
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[2] MY_CLIENT_EXT_INT_IP:28082 #10: sent MR3, ISAKMP SA established
2007:05:11-13:09:30 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[2] MY_CLIENT_EXT_INT_IP:28082 #10: cannot respond to IPsec SA request because no connection is known for 10.100.100.0/24===EXT_IP:4500...MY_CLIENT_EXT_INT_IP:28082[LOCAL_IP]===LOCAL_IP/32
2007:05:11-13:09:30 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[2] MY_CLIENT_EXT_INT_IP:28082 #10: sending encrypted notification INVALID_ID_INFORMATION to MY_CLIENT_EXT_INT_IP:28082
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 microgluf over 18 years ago in reply to jjohnston62

Hi rlott,

wondered if you finally got it to work with VPN Tracker, tried a lot of things, I am getting simmilar results, any pointers would be cool.

cheers

*** Copy of the VPN traker log, note IPs have been delete, and replaced by EXT/LOCAL respectively.
==============================================================

2007-05-11 13:09:30: INFO: isakmp.c:2083:isakmp_post_acquire(): IPsec-SA request for EXT queued due to no phase1 found. Starting phase1...
2007-05-11 13:09:30: INFO: isakmp.c:1038:isakmp_ph1begin_i(): initiate new phase 1 negotiation: LOCAL[500]EXT[500]
2007-05-11 13:09:30: INFO: isakmp.c:1043:isakmp_ph1begin_i(): begin Main mode.
2007-05-11 13:09:31: INFO: isakmp_ident.c:525:ident_i3recv(): detected NAT, switching to port 4500 for EXT[500]
2007-05-11 13:09:31: INFO: isakmp.c:2884:log_ph1established(): ISAKMP-SA established LOCAL[4500]-EXT[4500] spi:43f6733950a33cdc:a70f807aac0989c6
2007-05-11 13:09:32: INFO: isakmp.c:1207:isakmp_ph2begin_i(): initiate new phase 2 negotiation: LOCAL[0]EXT[0] (sequence: 1158931222) (sainfo: EXT/32 10.100.100.0/24)
2007-05-11 13:09:32: ERROR: isakmp_inf.c:947:isakmp_info_recv_n(): unknown notify message: INVALID-ID-INFORMATION, no phase2 handle found.
2007-05-11 13:09:47: ERROR: pfkey.c:795[:P]fkey_timeover(): EXT (LOCAL/32 10.100.100.0/24) give up to get IPsec-SA due to time up to wait.

Firewall logs
========

2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: received Vendor ID payload [RFC 3947]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
2007:05:11-13:09:29 (none) pluto[21420]: packet from MY_CLIENT_EXT_INT_IP:500: ignoring Vendor ID payload [Cisco-Unity]
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[1] MY_CLIENT_EXT_INT_IP #10: responding to Main Mode from unknown peer MY_CLIENT_EXT_INT_IP
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[1] MY_CLIENT_EXT_INT_IP #10: ignoring Vendor ID payload [KAME/racoon]
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[1] MY_CLIENT_EXT_INT_IP #10: NAT-Traversal: Result using RFC 3947: peer is NATed
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[1] MY_CLIENT_EXT_INT_IP #10: Peer ID is ID_IPV4_ADDR: 'LOCAL_IP'
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[2] MY_CLIENT_EXT_INT_IP #10: deleting connection "S_REF_ogumipNIZy_0" instance with peer MY_CLIENT_EXT_INT_IP {isakmp=#0/ipsec=#0}
2007:05:11-13:09:29 (none) pluto[21420]: | NAT-T: new mapping MY_CLIENT_EXT_INT_IP:500/28082)
2007:05:11-13:09:29 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[2] MY_CLIENT_EXT_INT_IP:28082 #10: sent MR3, ISAKMP SA established
2007:05:11-13:09:30 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[2] MY_CLIENT_EXT_INT_IP:28082 #10: cannot respond to IPsec SA request because no connection is known for 10.100.100.0/24===EXT_IP:4500...MY_CLIENT_EXT_INT_IP:28082[LOCAL_IP]===LOCAL_IP/32
2007:05:11-13:09:30 (none) pluto[21420]: "S_REF_ogumipNIZy_0"[2] MY_CLIENT_EXT_INT_IP:28082 #10: sending encrypted notification INVALID_ID_INFORMATION to MY_CLIENT_EXT_INT_IP:28082
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data