IPSecuritas
Checkpoint NG Feature Pack 4

by Jim Kelly on 2004-03-24 14:20:30 +0100

Are there any configuration instructions for use of IPSecuritas with Checkpoint NG FP 4?

Re: Checkpoint NG Feature Pack 4
by Mitch on 2004-03-26 15:28:37 +0100

Hi Jim,

Don't have an answer for you yet. Just downloaded the software at work today and will take home and try it out tonight or tomorrow. I had limited success with VPN Tracker and Checkpoint and saved screen shots of my settings in that. I'll try configuring IPSecuritas with those and pass on the info to you. Checkpoint is a real pain in the a** when it comes to working through third-party software, which I wouldn't even bother with if they had a Mac version. Stuck with Checkpoint, however, since my office uses it. As long as IPSecuritas can import my .p12 file, I should be able to do it. I've had to use VirtualPC, a no-legged dog when it comes to speed, with the Windows version of Checkpoint installed on that.

Re: Checkpoint NG Feature Pack 4
by cnadig on 2004-03-26 17:15:56 +0100

Hello,

Have a look at the HOWTO section in the online help. There are some instructions on how to configure IPSecuritas for a Checkpoint firewall; some settings might differ, depending on the Checkpoint setting. Since IPSecuritas can't (yet) import PKCS#12, check out the section that describes how to convert them into files in PEM format to import the certificates.

Re: Checkpoint NG Feature Pack 4
by Mitch on 2004-04-11 13:14:21 +0200

I modified my p12 cert the way described in the help file and imported it into IPSecuritas, but the program still doesn't recognize the pem file when setting up the ID section. It says that there are no certs available. What am I doing wrong?

Re: Checkpoint NG Feature Pack 4
by cnadig on 2004-04-14 07:58:55 +0200

Hello Jim,

have you imported the two files as 'own certificate', and does the certificate show up in the certificates manager window (with the row "private" saying yes and "CA" saying no)?
Christoph

Re: Checkpoint NG Feature Pack 4
by Mitch on 2004-04-15 19:39:27 +0200

Still having problems. Importing as own certificate leaves the private column "no" and the ca column "no".

Antivirus and Firewall
by fmorchid on 2004-05-21 12:30:03 +0200

hello, is it possible to install a symantec antivirus with the checkpoint firewall? thank you

Re: Checkpoint NG Feature Pack 4
by sandra maury on 2004-11-12 13:10:57 +0100

I have the same problem. Do you have a solution? Thank you very much. Sandra

[quote author=Mitch link=1080134430/0#5 date=1082050767]Still having problems. Importing as own certificate leaves the private column "no" and the ca column "no".[/quote]

NAT-T Support?

by petro on 2004-03-28 18:50:05 +0200

Does anyone know where implementing NAT-T in the core MacOS IPsec implementation stands? Unfortunately, KAME's web site isn't the easiest to figure this stuff out on. Is Apple using the straight KAME implementation? Thanks, -pete

Re: NAT-T Support?
by cnadig on 2004-04-14 08:12:18 +0200

Hello Petro,

there is NAT-T support in racoon in 10.3 - as for the necessary kernel support I don't know yet. I'm in contact with a few people to get some experience with NAT-T and will keep you updated on any progress!

Christoph

Re: NAT-T Support?
by NetWhiz on 2004-05-28 18:11:42 +0200

Any further knowledge on this? Testing over a wireless dial-up b/c of a lack of NAT-T support in the Mac OS X kernel really sucks.

UPDATE: Just saw the new client, so tried it and it works wonderfully! Now, is there any way you could post the racoon.conf file (or its location) so that we might see what is being set? I would love to be able to get the built-in L2TP/IPSec client working with NAT-T if at all possible! At least I could test plain IPSec on a NAT'd connection now. Back to dialup for the L2TP support though ... :(

Thanks, NetWhiz

Re: NAT-T Support?
by cnadig on 2004-06-08 22:54:39 +0200

Hello,

IPSecuritas writes its racoon.conf to /tmp/ipsecuritas.conf - only root can read it. Could you elaborate a bit more on your tests with NAT-T?

Thanks, Christoph

Re: NAT-T Support?
by AaronA1975 on 2004-10-08 04:40:44 +0200

Any news as to whether NAT-T will be available in an upcoming release of IPSecuritas?

error malformed cookie received...

by Viny on 2004-03-29 05:15:04 +0200

I use IPSecuritas 1.0.3 on OS X 10.3.3 to a FW-1 NG AI R54 without problem. When using IPSecuritas 2.0, I have this error:

Mar 28 22:06:41 xxxx racoon: DEBUG: isakmp.c:519:isakmp_main(): malformed cookie received or the initiator's cookies collide.

I don't have an error on the firewall. When I go back to 1.0.3, it's OK. And I have deleted the 1.0.3 settings before reconfiguring 2.0, without success. Can somebody help me? Thanks.

Re: error malformed cookie received...
by cnadig on 2004-03-30 06:38:48 +0200

Hello Viny,

probably the other end sends a notification, probably to indicate an unexpected situation. This is often done without the remote cookie and therefore you get the error message. The key exchange would probably be aborted anyway. Could you post just the last line before the malformed cookie message, i.e.:

Mar 24 05:21:01 g4 racoon: DEBUG: plog.c:199:plogdump(): 8fefe5e8 ac9d2d2c 00000000 00000000 0b100500 00000000 00000028 0000000c 00000001 0100001d

That would allow to determine the content of the notification and the reason why it was sent (unsupported exchange type in the example above).

Christoph

Re: error malformed cookie received...
by Viny on 2004-03-30 12:24:34 +0200

Hello Christoph,

This is the line:

Mar 30 05:18:11 xxxx racoon: DEBUG: plog.c:199:plogdump(): 65dd6250 681660e4 00000000 00000000 0b100500 4ef00f34 00000028 0000000c 00000000 01000012

Thanks

Re: error malformed cookie received...
by cnadig on 2004-03-30 23:05:14 +0200

Hello Viny,

from the log and your error description I assume you're using a DN as your local identification. IPSecuritas 1.0.3 always treated them as a username with fully qualified distinguished name (a USER_FQDN), which seems to be fine with a number of firewalls/routers. Version 2.0 now makes a strict distinction between a USER_FQDN (normally in the form user@dn) and a FQDN (without the user part and the @). It seems that certain firewalls (including Checkpoint) only accept a USER_FQDN, regardless of the actual value. With 2.0.2 (get it at http://www.lobotomo.com/products/downloads/IPSecuritas202.dmg) you can now force IPSecuritas to use USER_FQDN. Just put an @ sign in front of the username (instead of 'user' enter '@user' into the DN field for your local identifier). It should then work again for you! I'll release an official update that resolves a few more of these smaller issues (also in the documentation) in a few weeks.

Christoph

Re: error malformed cookie received...
by Viny on 2004-03-31 06:37:44 +0200

Perfect! It works! Thanks! Viny

Re: error malformed cookie received...
by Jeff on 2004-05-15 18:46:23 +0200

I'm getting the same "malformed cookie" error, also with VPN-1. Here is the line before in the log:

May 15 12:25:59 Jeffs-Computer racoon: DEBUG: plog.c:199:plogdump(): 3ceb1670 26c898de 00000000 00000000 0b100500 00000000 00000028 0000000c 00000000 0100001d

Can you help? Thanks!

IPSecuritas <-> Sonicwall

by Guy van der Kolk on 2004-03-30 11:23:04 +0200

Goodmorning/afternoon/evening ;)

I have an issue with the interoperability between IPSecuritas and a Sonicwall. Specs of the Sonicwall will be added as soon as I get them. We have a successful setup using VPNTracker. Of course, as we are ever aware of the costs, a free/donation program is better, and IPSecuritas looks good. I have set up the connection settings just as they are in the working VPN-Tracker setup.
Racoon starts up like a charm, but I do not get past:

[i]racoon: ERROR: oakley.c:2053:oakley_skeyid(): couldn't find the pskey[/i]

Having tried almost every possible combination (luckily, there aren't that many in the Phase 1 setup) I am at a loss. As a final note: VPN-Tracker's log ALSO says it can't find a PSKey, but VPN-Tracker somehow continues and sets up a working connection anyway.

Re: IPSecuritas <-> Sonicwall
by cnadig on 2004-03-30 11:32:16 +0200

Hello,

there are two possibilities that should resolve the issue:
1. Deselect the 'Verify Identity' option in the Options tab
2. Set the remote identifier to 'DN' and enter the numerical IP address of the IPSec router into the text field (which of course is only possible if it has a static address).

I'm not sure whether racoon (the MacOS X IKE daemon) or the firewall is at fault here - but it rather seems to be in racoon, as I have had similar reports with different VPN routers.

Christoph

Re: IPSecuritas <-> Sonicwall
by Guy van der Kolk on 2004-03-30 12:20:56 +0200

Thank you very much! The "Verify Identifier" option did the trick. It now gives the same message as VPN-Tracker, but builds a working connection anyway! We'll be looking at a donation very soon. :)

Re: IPSecuritas <-> Sonicwall
by viparre on 2004-04-14 18:37:21 +0200

Hello,

I am trying to use a SonicWall too, but with no success :-(
- Should I use a separate SA in the SonicWall, or must I use the GroupVPN?
- May I use a dynamic IP address when I connect to the SonicWall?
- I created a new SA with the following options:
  * Remote IP address 0.0.0.0
  * Aggressive Mode
  * Group 2
  * esp des hmac md5
  * dest network: 192.168.10.1/32
- On the IPSecuritas side:
  * Host To Network
  * The remote network
  * a local address 192.168.10.1
  * Exchange Mode: Aggressive
  * Proposal Check: Obey / 16
  * Ph 1: Grp 2, DES, MD5
  * Ph 2: Grp 1, DES, HMAC MD5
  * ID Auth Address, Address
  * Options: IPSec DOI, SIT_IDE.., Initial Contact, Generate Policy, MIP6

The negotiation starts but the Sonicwall says that the ipsec proposal doesn't match (Phase 1). Unfortunately, I can't find a basic working example to start a trial.

Thanks for the help, Vito Parisi

Re: IPSecuritas <-> Sonicwall
by David Barnhart on 2004-04-21 18:10:22 +0200

I have just spent a few weeks getting IPSecuritas 2.0 to connect to a Sonic Wall. There are a couple of things you should note.

1. You can use either the GroupVPN or a separate SA. I finally just had the IT guy set me up a separate SA as that made it easier to have a different home network than the one used by the people coming in through the GroupVPN.
2. Setting up IPSecuritas in the network-to-network mode makes the configuration job easier. Just use the network that your local address resides in as the local network. Host to network should work as well, but it does some things differently that were causing me some problems.
3. Make sure that the SonicWall has a route to your home network address/network. This also applies to any routers on the network you are trying to tunnel to.

Now, with regard to getting the tunnel established in the first place before worrying about routing, I used a couple of different parameters than you mention.

Proposal check: Claim 16
Phase 1: 3DES, SHA1
Phase 1 DH Group: Group 1
Phase 2: ESP 3DES HMAC SHA1
Phase 2 PFS Group: Group 1

As mentioned in one of the messages in this thread, turn off the Verify Identifier option.
With all of the above set, I was able to establish a tunnel to our SonicWall, even across a home router (which has IPSec passthrough turned on). Obviously, you will have to check that the options match on both sides. Hope this info helps.

Re: IPSecuritas <-> Sonicwall
by JIMBOB on 2004-04-23 11:44:32 +0200

I've tried to connect to a sonic wall SOHO3 and cannot seem to manage. It seems to nearly get there; these are the last lines from debug:

Apr 23 10:20:06 xxxxxx racoon: DEBUG: isakmp.c:1374:isakmp_parsewoh(): succeed.
Apr 23 10:20:06 xxxxxx racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Apr 23 10:20:06 xxxxxx racoon: DEBUG: isakmp_inf.c:870:isakmp_info_recv_n(): notification message 14:NOPROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0b0b7bf9(size=4).
Apr 23 10:20:06 xxxxxx racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Apr 23 10:20:16 xxxxxx racoon: ERROR: pfkey.c:745:pfkey_timeover(): xx.xx.xx.xx give up to get IPsec-SA due to time up to wait.
Apr 23 10:20:16 xxxxxx racoon: ERROR: pfkey.c:745:pfkey_timeover(): xx.xx.xx.xx give up to get IPsec-SA due to time up to wait.
Apr 23 10:20:16 xxxxxx racoon: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted.

Any ideas gratefully received. Using host to network, Ph1 group 1 des md5, Ph2 group 1 des md5, preshared secret and verify identifier off. OS 10.3.3, cable modem, dyn IP (though quite static), local network by airport, port mapping 500 and 4500, local ip 10.0.1.2.

J/ :P

Re: IPSecuritas <-> Sonicwall
by JIMBOB on 2004-04-23 18:41:57 +0200

Hello again,

This is the corresponding sonic wall log. I'll have a play soon, but any magic ideas welcome.
04/23/2004 10:18:20.848 IKE Responder: ESP Perfect Forward Secrecy mismatch xx.xx.xx.xx, xx.xx.xx.xx
04/23/2004 10:18:20.704 IKE Responder: Received Quick Mode Request (Phase 2) xx.xx.xx.xx, xx.xx.xx.xx
04/23/2004 10:18:01.592 IKE Responder: IPSec proposal does not match (Phase 2) xx.xx.xx.xx, xx.xx.xx.xx 10.0.1.2/32 -> 193.112.230.3/24
04/23/2004 10:18:01.592 IKE Responder: ESP Perfect Forward Secrecy mismatch xx.xx.xx.xx, xx.xx.xx.xx
04/23/2004 10:18:01.512 IKE Responder: Received Quick Mode Request (Phase 2) xx.xx.xx.xx, xx.xx.xx.xx
04/23/2004 10:18:00.464 IKE Responder: Aggressive Mode complete (Phase 1) xx.xx.xx.xx, xx.xx.xx.xx DES MD5 Group 1 lifeSeconds=3600
04/23/2004 10:18:00.320 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal xx.xx.xx.xx, xx.xx.xx.xx

thanks.

Re: IPSecuritas <-> Sonicwall
by JIMBOB on 2004-04-27 15:34:35 +0200

Well, sorted that one easily enough. The sonic wall doesn't support phase 2 DH, so set this to null in IPSecuritas. ;)

Re: IPSecuritas <-> Sonicwall
by Doug Fodeman on 2004-04-28 00:37:17 +0200

Like many others I'm looking for a low cost alternative to VPN Tracker. We have a SonicWall Pro 230 and have turned on VPN services. A PC is able to get in just fine but I haven't been able to tunnel in with my OSX Mac. Below is the log file. Here are the stats:

Host to Network operation
Phase1: DH Group1, 3DES, SHA1
Phase2: PFS Group2, DES, 3DES, HMAC, SHA1
ID/Authentication: Local is set to address while remote identifier uses the identifying key in the Sonicwall. Preshared secret is entered correctly.
Options: Verify Identifier is turned off. Turned on are IPSec_DOI, SIT_Identity, Initial Contact, Generate Policy, MIP6, Establish IKE Immediately.
Log reads:

Apr 27 18:17:28 Computer IPSecuritas: Racoon is running
Apr 27 18:17:28 Computer IPSecuritas: Set kernel keys
Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:1357:isakmp_open(): 192.168.xxx.xxx[500] used as isakmp port (fd=6)
Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:1357:isakmp_open(): 192.168.xxx.xxx[500] used as isakmp port (fd=6)
Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for xxx.xxx.xxx.xx queued due to no phase1 found.
Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for xxx.xxx.xxx.xx queued due to no phase1 found.
Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.xxx.xxx[500]<=>xxx.xxx.xxx.xx[500]
Apr 27 18:17:28 Douglas-Fodemans-Computer racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.xxx.xxx[500]<=>xxx.xxx.xxx.xx[500]
Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Aggressive mode.
Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Aggressive mode.

Any thoughts or suggestions?? Doug

Re: IPSecuritas <-> Sonicwall
by Brian Godden on 2004-08-17 21:30:02 +0200

Hi, I have another case of trying to get IPSecuritas connected to a Sonicwall. The settings are pretty standard for both, so it's likely just my ignorance of what each side requires; hopefully, it's something very obvious. I'm going to list specs, settings and results below; any suggestions on changing the settings for the client or SA would be greatly appreciated!
Firewall: SonicWall Pro-VX
-------------------------------
VPN Summary (these features are enabled):
Enable VPN
Enable IKE Dead Peer Detection
Dead Peer Detection Interval (seconds): 60
Failure Trigger Level (missed heartbeats): 3
Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP Address

SA: GroupVPN
IPSec Keying Mode: IKE using pre-shared secret
Security Policy:
Phase 1 DH Group: Group 1
SA Life time (secs): 28800
Phase 1 Encryption/Authentication: DES & MD5
Phase 2 Encryption/Authentication: Encrypt and Authenticate (ESP DES HMAC MD5)
Shared Secret:
---------
IPSecuritas, version 2.0.6, Mac OS X 10.3.5
General:
Mode: Host to Network
Remote IPSec Device: (IP Address of firewall)
Remote Network: 10.5.1.0 / 24
Exchange Mode: Main
Proposal Check: Obey
Nonce Size: 16
Phase 1:
Lifetime: 28800
DH Group: Mod768(1)
Encryption: DES
Authentication: MD5
Phase 2:
Lifetime: 28800
PFS Group: Mod768 (1)
Encryption: DES
Authentication: HMAC MD5
Id/Auth: Identifiers set to Address (also tried setting DN of remote to firewall address)
Preshared Secret set
Options (these are enabled):
Compression Deflate
IPSec DOI
SIT_IDENTITY_ONLY
Initial Contact
MIP6
DHCP-Passthrough
Establish IKE Immediately

Re: IPSecuritas <-> Sonicwall
by Brian Godden on 2004-08-17 21:31:10 +0200

Here are my log entries. Here is the log of IPSecuritas in normal mode:

Aug 17 12:23:02 powerbookg3 IPSecuritas: Parsing configuration
Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up racoon.conf
Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up setkey.conf
Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up psk.txt
Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up tunnel.conf
Aug 17 12:23:03 powerbookg3 IPSecuritas: Parsing configuration done
Aug 17 12:23:04 powerbookg3 IPSecuritas: Starting racoon...
Aug 17 12:23:04 powerbookg3 IPSecuritas: Racoon is running
Aug 17 12:23:04 powerbookg3 IPSecuritas: Set kernel keys
Aug 17 12:23:06 powerbookg3 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Aug 17 12:23:06 powerbookg3 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Aug 17 12:23:26 powerbookg3 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Aug 17 12:23:36 powerbookg3 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 64.139.33.26 give up to get IPsec-SA due to time up to wait.
Aug 17 12:23:26 powerbookg3 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Aug 17 12:23:36 powerbookg3 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 64.139.33.26 give up to get IPsec-SA due to time up to wait.

And the corresponding log of the firewall:

08/17/2004 12:23:27.064 SENDING>>>> ISAKMP OAK INFO (InitCookie 0x517f043c892f85c1, MsgID: 0x34722540) *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) 64.139.33.26, 500 63.196.31.22, 498
08/17/2004 12:23:27.064 IKE Responder: IPSec proposal does not match (Phase 2) 63.196.31.22 (admin) 64.139.33.26 10.5.10.127/32 -> 10.5.1.0/24
08/17/2004 12:23:27.064 IKE Responder: ESP Perfect Forward Secrecy mismatch 63.196.31.22 (admin) 64.139.33.26
08/17/2004 12:23:26.928 RECEIVED<<< ISAKMP OAK QM (InitCookie 0x517f043c892f85c1, MsgID: 0x14E299E6) *(HASH, SA, NON, KE, ID, ID) 63.196.31.22, 498 (admin) 64.139.33.26, 500

Re: IPSecuritas <-> Sonicwall
by Brian Godden on 2004-08-17 23:32:56 +0200

Hmmm.. OK, after reading more thoroughly through JIMBOB's setup above, I set Phase 2 PFS Group to None and then established a connection!! You guys rock for making this freeware, I will get a donation of some kind going... I am, however, not able to ping machines inside the other network... Any help on what might be happening there? Thanks!
-Brian

Re: IPSecuritas <-> Sonicwall
by Paul Chernoff on 2004-12-24 15:58:45 +0100

I just upgraded my SonicWall 2040 to Sonic Enhanced OS 2.5 from the regular Sonic OS 2.1. I had to recreate all of my settings on the SonicWall. Since then I cannot get IPSecuritas to connect to the SonicWall. My IPSecuritas settings are intended to mirror my SonicWall (which I won't have access to until Monday). My IPSecuritas settings are as follows:

Host to Network
Exchange Mode: Main
Proposal Check: Obey, size: 16
Phase 1
Lifetime: 28800
DH Group: Mod768 (1)
Encryption: 3DES
Auth: MD5
Phase 2
Lifetime: 28800
PFS Group: None (I know it is EPS on the SW)
Encryption: 3DES
Auth: MD5
ID/Auth
Address for both and a preshared secret
Options
Establish IKE immediately

Here is the log on my IPSecuritas:

Dec 24 09:52:05 Paul-Chernoffs-Computer IPSecuritas: Parsing configuration
Dec 24 09:52:05 Paul-Chernoffs-Computer IPSecuritas: Setting up racoon.conf
Dec 24 09:52:05 Paul-Chernoffs-Computer IPSecuritas: Setting up setkey.conf
Dec 24 09:52:05 Paul-Chernoffs-Computer IPSecuritas: Setting up psk.txt
Dec 24 09:52:05 Paul-Chernoffs-Computer IPSecuritas: Setting up tunnel.conf
Dec 24 09:52:05 Paul-Chernoffs-Computer IPSecuritas: Parsing configuration done
Dec 24 09:52:06 Paul-Chernoffs-Computer IPSecuritas: Starting racoon...
Dec 24 09:52:07 Paul-Chernoffs-Computer IPSecuritas: Racoon is running
Dec 24 09:52:07 Paul-Chernoffs-Computer IPSecuritas: Set kernel keys
Dec 24 09:52:07 Paul-Chernoffs-Computer racoon: ERROR: ipsec_doi.c:2993:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN.
Dec 24 09:52:07 Paul-Chernoffs-Computer racoon: ERROR: ipsec_doi.c:2993:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN.
Dec 24 09:52:07 Paul-Chernoffs-Computer racoon: ERROR: isakmp_ident.c:668:ident_i4recv(): invalid ID payload.
Dec 24 09:52:07 Paul-Chernoffs-Computer racoon: ERROR: isakmp_ident.c:668:ident_i4recv(): invalid ID payload.

Any suggestions would be welcome.
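Several posts in these threads end with a peer rejecting the negotiation and racoon printing the raw packet via plog.c's plogdump(): Christoph's sample line and Viny's line in the "malformed cookie" thread above, and Kurt Wolf's SonicWall reply further down. Reading those hex words by hand is what Christoph did to spot the unsupported exchange type. The decoder below is an added example, not code from this forum, from IPSecuritas or from racoon. It parses the ISAKMP header and the Notification payload as RFC 2408 defines them and applies that to the three dumps copied verbatim from the posts; the constant names and the wording of the one-line diagnosis are this example's own.

```python
"""Decode the raw ISAKMP packets racoon prints as plog.c plogdump() lines.

Added example, not code from the forum, IPSecuritas or racoon. Parses the ISAKMP
header (RFC 2408 sec. 3.1) and Notification payloads (sec. 3.14), which is all a
peer sends back when it rejects a proposal or an identifier.
"""
import struct

HDR_LEN = 28          # fixed ISAKMP header size
NOTIFICATION = 11     # payload type of a Notification payload
EXCHANGE_TYPES = {1: "Base", 2: "Main Mode", 3: "Auth Only", 4: "Aggressive",
                  5: "Informational", 32: "Quick Mode", 33: "New Group Mode"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "Notification", 12: "Delete", 13: "Vendor ID"}
# Error notify types 1..30, in RFC 2408 sec. 3.14.1 order.
NOTIFY_TYPES = dict(enumerate([
    "INVALID-PAYLOAD-TYPE", "DOI-NOT-SUPPORTED", "SITUATION-NOT-SUPPORTED", "INVALID-COOKIE",
    "INVALID-MAJOR-VERSION", "INVALID-MINOR-VERSION", "INVALID-EXCHANGE-TYPE", "INVALID-FLAGS",
    "INVALID-MESSAGE-ID", "INVALID-PROTOCOL-ID", "INVALID-SPI", "INVALID-TRANSFORM-ID",
    "ATTRIBUTES-NOT-SUPPORTED", "NO-PROPOSAL-CHOSEN", "BAD-PROPOSAL-SYNTAX", "PAYLOAD-MALFORMED",
    "INVALID-KEY-INFORMATION", "INVALID-ID-INFORMATION", "INVALID-CERT-ENCODING",
    "INVALID-CERTIFICATE", "CERT-TYPE-UNSUPPORTED", "INVALID-CERT-AUTHORITY",
    "INVALID-HASH-INFORMATION", "AUTHENTICATION-FAILED", "INVALID-SIGNATURE",
    "ADDRESS-NOTIFICATION", "NOTIFY-SA-LIFETIME", "CERTIFICATE-UNAVAILABLE",
    "UNSUPPORTED-EXCHANGE-TYPE", "UNEQUAL-PAYLOAD-LENGTHS"], start=1))


def parse_isakmp(dump):
    """Parse a space-separated racoon hex dump; raise ValueError if inconsistent."""
    data = bytes.fromhex(dump.replace(" ", ""))
    if len(data) < HDR_LEN:
        raise ValueError("shorter than an ISAKMP header")
    i_ck, r_ck, nxt, ver, etype, flags, msgid, length = struct.unpack("!8s8sBBBBII", data[:HDR_LEN])
    if length != len(data):
        raise ValueError("header says %d bytes, dump has %d" % (length, len(data)))
    hdr = {"i_cookie": i_ck.hex(), "r_cookie": r_ck.hex(), "version": "%d.%d" % (ver >> 4, ver & 0xF),
           "exchange": etype, "exchange_name": EXCHANGE_TYPES.get(etype, "unknown(%d)" % etype),
           "encrypted": bool(flags & 1), "msgid": "%08x" % msgid, "length": length}
    payloads, off = [], HDR_LEN
    while nxt:  # walk the chain: each payload starts with next(1) reserved(1) length(2)
        if off + 4 > len(data):
            raise ValueError("payload chain runs past end of packet")
        pnext, _res, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        p = {"type": nxt, "name": PAYLOAD_TYPES.get(nxt, "unknown(%d)" % nxt), "length": plen}
        if nxt == NOTIFICATION:
            p.update(parse_notification(data[off + 4:off + plen]))
        payloads.append(p)
        off, nxt = off + plen, pnext
    return {"header": hdr, "payloads": payloads}


def parse_notification(body):
    """Notification body: DOI(4) protocol(1) spi_size(1) type(2) SPI notification data."""
    if len(body) < 8:
        raise ValueError("notification payload too short")
    doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
    if 8 + spi_size > len(body):
        raise ValueError("SPI size exceeds payload")
    ndata = body[8 + spi_size:]
    return {"doi": doi, "protocol_id": proto, "spi": body[8:8 + spi_size].hex(),
            "notify_type": ntype, "notify_name": NOTIFY_TYPES.get(ntype, "type %d" % ntype),
            # Vendor data, printable bytes only (SonicWall appends a text reason).
            "data_text": "".join(chr(b) if 32 <= b < 127 else "." for b in ndata)}


def diagnose(dump):
    """One-line reading of a dump, for putting beside the racoon log."""
    pkt = parse_isakmp(dump)
    hdr = pkt["header"]
    notes = ["%s exchange" % hdr["exchange_name"]]
    if hdr["r_cookie"] == "0" * 16:
        # racoon's isakmp_main() logs "malformed cookie received or the initiator's
        # cookies collide" when a reply to its own phase 1 still carries a zero
        # responder cookie, which is exactly this case.
        notes.append("responder cookie is zero")
    if not hdr["encrypted"]:
        notes.append("unencrypted, so no HASH protects it")
    for p in pkt["payloads"]:
        if p["type"] == NOTIFICATION:
            notes.append("notify %d %s" % (p["notify_type"], p["notify_name"]))
            if p["data_text"].strip("."):
                notes.append("data: " + p["data_text"])
    return "; ".join(notes)


# The three plogdump() lines posted in these threads, copied verbatim.
DUMP_CHRISTOPH = "8fefe5e8 ac9d2d2c 00000000 00000000 0b100500 00000000 00000028 0000000c 00000001 0100001d"
DUMP_VINY = "65dd6250 681660e4 00000000 00000000 0b100500 4ef00f34 00000028 0000000c 00000000 01000012"
DUMP_KURT = ("b4021be9 c0639221 1270aedd d606c3e2 0b100500 00000000 0000005c 00000040 00000000 "
             "0110000e b4021be9 c0639221 1270aedd d606c3e2 00060004 00000000 00040018 0000004e "
             "6f207072 6f706f73 616c2069 73206368 6f73656e")

if __name__ == "__main__":
    for who, dump in [("Christoph", DUMP_CHRISTOPH), ("Viny", DUMP_VINY), ("Kurt", DUMP_KURT)]:
        print("%-10s %s" % (who, diagnose(dump)))
```

Run against the posted lines it reproduces what the threads worked out by hand: the two Check Point replies are Informational exchanges sent with the responder cookie left at zero (which is why racoon logs them as malformed cookies) carrying UNSUPPORTED-EXCHANGE-TYPE (29) and INVALID-ID-INFORMATION (18), and the SonicWall reply is an unencrypted NO-PROPOSAL-CHOSEN (14) whose notification data spells out "No proposal is chosen", the same Phase 2 mismatch the SonicWall log reports as "IPSec proposal does not match". Because the header length and each payload length are checked against the bytes actually dumped, a truncated log line fails loudly instead of being misread.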
Re: IPSecuritas <-> Sonicwall
by Kurt Wolf on 2005-02-03 05:03:59 +0100

I am having some issues connecting to a SonicWall 2030. Log from IPSecuritas is below. Any help would be greatly appreciated.

Feb 2 21:02:06 WolfiePowerBook racoon: DEBUG: isakmp.c:1718:isakmp_ph1resend(): resend phase1 packet b4021be9c0639221:0000000000000000
Feb 2 21:02:06 WolfiePowerBook racoon: DEBUG: isakmp.c:233:isakmp_handler(): ===
Feb 2 21:02:06 WolfiePowerBook racoon: DEBUG: isakmp.c:234:isakmp_handler(): 92 bytes message received from 216.185.179.130[500]
Feb 2 21:02:06 WolfiePowerBook racoon: DEBUG: plog.c:199:plogdump(): b4021be9 c0639221 1270aedd d606c3e2 0b100500 00000000 0000005c 00000040 00000000 0110000e b4021be9 c0639221 1270aedd d606c3e2 00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069 73206368 6f73656e
Feb 2 21:02:06 WolfiePowerBook racoon: DEBUG: isakmp_inf.c:115:isakmp_info_recv(): receive Information.
Feb 2 21:02:06 WolfiePowerBook racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Feb 2 21:02:06

Re: IPSecuritas <-> Sonicwall
by Martijn Goudkamp on 2005-04-19 19:48:30 +0200

Hi! I just got my Mac mini with OS 10.3.9 working with our company 3060 (running 2.6 enhanced). Full VPN, no problems. Here is my config for IPSecuritas:

[b]General[/b]
Network to network
Aggressive mode
Claim
Nonce 16

[b]Phase 1[/b]
DH group 1
Encryption 3DES
Authentication SHA1

[b]Phase 2[/b]
DH group none
Encryption 3DES
Authentication HMAC SHA1

And here's the trick: you NEED to use an identifier on BOTH sides. Put whatever you want to use, but make sure that on the other side it's the opposite, and select Domain Name on the Sonicwall:

[b]Id[/b]
Local ident: DN mydomain.it
Remote ident: DN theirdomain.it
Preshared: whatanicesecret

The rest is default. On the Sonicwall, I created a new SA (no GroupVPN since our clients connect using XAUTH) with the same settings.
I'm using my Mac through a wireless ADSL router; at work we have a 10mbit fiber connection. Hope it's been helpful!

Re: IPSecuritas <-> Sonicwall
by Karsten on 2005-10-12 00:45:09 +0200

[quote author=David Barnhart link=1080638584/0#4 date=1082563822]I have just spent a few weeks getting IPSecuritas 2.0 to connect to a Sonic Wall. There are a couple of things you should note. 1. You can use either the GroupVPN or a separate SA. I finally just had the IT guy set me up a separate SA as that made it easier to have a different home network than the one used by the people coming in through the GroupVPN. [/quote]

Quick question here: How do you tell IPSecuritas which SA to use?

Thanks, Karsten

Re: IPSecuritas <-> Sonicwall
by mango on 2005-10-29 09:20:45 +0200

OK, I have a weird problem with IPSecuritas or with my SonicWall TZ 170, OS 10.4.2. I'm able to VPN correctly, but shortly after I make a connection, my network or USB printer starts to print blank pages, about 50 pages or so. This has happened with two different computers, each using two different printer models and the same settings for the VPN. Everything else seems to work correctly: VNC, file sharing, telnet... The print manager shows multiple completed jobs with the name (stdin). Only the default printer is affected. Any help would be nice. Thanks

Re: IPSecuritas <-> Sonicwall
by ghuller on 2005-12-20 15:05:55 +0100

I need help from anyone who has experience setting up IPSecuritas & VPN Tracker with a SonicWall. I have a SonicWall 3060. I can set up a Host to Network VPN with no problems with VPN Tracker 3, but I'm unsuccessful when I copy the settings into the more cost effective IPSecuritas. What am I missing? Can someone help me translate my VPN Tracker 3 settings into IPSecuritas and have it actually work??!!??
Here are the VPN Tracker settings I'm trying to copy over into IPSecuritas (NOTE: if settings aren't noted, then they are left blank in the VPN Tracker configuration):

CONNECTION: SonicWall SonicOS
Phase1 General
Exchange mode: aggressive, main
Proposal check: claim
Nonce size: 16
* Send INITIAL-CONTACT message
* Support MIP6
* Use IPSEC DOI
* Use SIT_IDENTITY_ONLY
Phase1 Proposal
Encryption Algorithm: 3DES
Hash Algorithm: SHA1
Diffie-Hellman: Group 2 (1024 bit)
Lifetime: 28800 seconds
Phase2
* PFS Enabled: Group 2 (1024 bit)
Lifetime: 28800 seconds
Encryption Algorithm: 3DES
Authentication Algorithm: HMAC SHA1
* Initiate Connection From This End
NETWORK: Host to Network
Network Port: Automatic
VPN Gateway Address: ip address specified here
Local Address: blank
Remote Network/Mask: ip address & mask specified here
AUTHENTICATION:
Pre-shared key: key specified here
* Enable Extended Authentication (XAUTH)
IDENTIFIERS:
Local Identifier: * FQDN: specified here
Remote Identifier: * FQDN: specified here
DNS:
* Use Remote DNS Server
* Use server for all domains

IPSecuritas, ZyWALL + NAT

by chris on 2004-04-04 12:53:31 +0200

I'm working with a ZyWALL 10 and IPSecuritas as VPN client. It works fine if NAT Translation is not activated in my VPN Rule on the ZyWALL. Otherwise I get a PAYLOAD ERROR 130 in IPSecuritas. NAT Translation is needed because many customers are in networks with NAT and not able to use VPN to my location. Does someone have an idea or a workaround? - Chris (Switzerland)

what MacOS
by cnadig on 2004-04-14 08:10:12 +0200

Hello Chris,

what MacOS version do you run? There seems to be NAT-T support in 10.3 which is missing in 10.2, although I don't have any experience yet. Could you also post the relevant lines from the log to spot the place in racoon's sources?
Thank you, Christoph

Re: IPSecuritas, ZyWALL + NAT
by chris on 2004-04-25 23:02:19 +0200

Hello Christoph

Sorry for my late answer, I was on holiday :D After switching to MacOS X 10.3 and updating the ZyWALL's firmware it's working fine now.

Thank you, Chris

Connecting to Nortel Contivity?

by George White on 2004-04-04 19:05:45 +0200

Has anyone had any luck connecting to a Nortel Contivity? I'm trying to determine if I can use IPSecuritas in place of the Nortel Multi-OS client. I'm pretty sure that I have the correct ESP config for my office config, but I'm not sure of the correct format of the DN and PSK. Any ideas? Thanks, G

Re: Connecting to Nortel Contivity?
by cnadig on 2004-04-14 08:14:00 +0200

Hello,

do you have any indication from the log window of what fails (set the log level to 'Verbose Debug' in IPSecuritas' preferences)?

Christoph

Re: Connecting to Nortel Contivity?
by Fred on 2004-08-04 07:49:50 +0200

Could you give me a hint as to what you did to set it up? I'm wanting to do the same thing.

Connecting to multiple networks behind a firewall

by Doug Weathers on 2004-04-04 21:23:56 +0200

Hi,

Love IPSecuritas! It's got a few more options than VaporSec, which is good because my setup is a bit more complicated than the usual. Unfortunately, I still can't figure out the correct combination of settings I need.

I have a SonicWALL firewall at work. There are several networks behind it, because we connect to a lot of business partners. I can't figure out how to connect to more than one network behind the firewall. I've configured two tunnels with identical setups, differing only by the destination network. They each work individually, but if I try them simultaneously only the first one seems to work. Anyone have any idea how to fix this?
Thanks, Doug

Re: Connecting to multiple networks behind a firewall
by cnadig on 2004-04-14 08:03:53 +0200

Hello Doug,

at the moment this is not possible (unless you can combine the several networks into one with a smaller netmask). I'm also unsure whether racoon (the IKE daemon) allows this, but I will check. Would you be able to test an enhanced version of IPSecuritas (unfortunately I don't have access to such a setup yet)?

Christoph

Re: Connecting to multiple networks behind a firewall
by Eduardo Alvarenga on 2004-04-21 22:12:46 +0200

I have a setup like this and would be very glad to test this new release. Currently my VPN network is based on ISAKMPD-OpenBSD servers (5 nodes); with Windows clients I can access all the networks by specifying 0.0.0.0/0 as the destination network, but it seems IPSecuritas/Racoon doesn't allow this. Please mail me if any version appears, ok? Best Regards, Eduardo

Re: Connecting to multiple networks behind a firewall
by cnadig on 2004-04-22 13:35:31 +0200

Hello Eduardo,

the host to anywhere mode sets the remote network to 0.0.0.0/0 and will send all traffic through the tunnel (using the host to network mode with the remote network set to 0.0.0.0/0 won't work because this would also try to send the IKE traffic through the not yet established tunnel... The host to anywhere mode has an exclude rule for the IKE traffic).

Regards, Christoph

Re: Connecting to multiple networks behind a firewall
by Doug Weathers on 2004-04-25 06:41:06 +0200

[quote author=cnadig link=1081106636/0#1 date=1081922633]Hello Doug, Would you be able to test an enhanced version of IPSecuritas (unfortunately I don't have access to such a setup yet)? Christoph[/quote]

I would be happy to test enhanced versions of IPSecuritas.
I'm the network admin where I work and have lots and lots of networks to connect to :)

Re: Connecting to multiple networks behind a firewall
by Eduardo Alvarenga on 2004-05-10 02:22:55 +0200

Unfortunately I can't use HOST->Anywhere mode because I need to specify my "Local Address". Using host to anywhere doesn't give me this option. Any ideas?

Re: Connecting to multiple networks behind a firewall
by Fabrice Vincent on 2005-08-03 01:30:20 +0200

[quote author=Doug Weathers link=1081106636/0#0 date=1081106636] I can't figure out how to connect to more than one network behind the firewall. I've configured two tunnels with identical setups, differing only by the destination network. They each work individually, but if I try them simultaneously only the first one seems to work. Anyone have any idea how to fix this? [/quote]

Hi,

I have precisely the very same need and very same behavior as described above. I browsed through the forum but failed to find any answer to this question. So, is it possible to have more than one tunnel active at the same time? If not, is there any chance that it could work in the near future? I will be happy to do some testing if it can be useful.

My context: I manage our company firewall and use IPSecuritas to create VPN connections for roaming users. Our firewall is an Arkoon A200 appliance, which uses Linux swansea as its foundation (see http://www.arkoon.net/EN/g_mid.php?menuon=eczone2&#p_38 for details).

BTW, thanks for this great (and cheap!) tool!!!

cheers, Fabrice

Re: Connecting to multiple networks behind a firewall
by favincen on 2005-08-03 02:25:09 +0200

Some more details:
1) Of course the different subnets I connect to cannot be merged into a bigger subnet...
2) I managed to make this work with the demo version of VPNTracker. I just configured the various subnets into the same VPN connection and it worked. If VPNTracker is using the same IPsec stack as IPSecuritas then I assume there would be some way to make IPSecuritas behave the same.
Thanks in advance for your help.

Re: Connecting to multiple networks behind a firew by cnadig on 2005-08-04 23:38:14 +0200
Hello Fabrice,
I'm happy to announce that the next release of IPSecuritas will finally allow for multiple remote networks (amongst other long awaited extensions). Public alpha/beta versions will presumably be available by the end of August/beginning of September - please drop me a line at info@lobotomo.com if you're interested in an early version.
Cheers, Christoph

Re: Connecting to multiple networks behind a firew by favincen on 2005-08-05 13:17:58 +0200
Great news. I look forward to the testing.

IPSecuritas with Airport Extreme NAT
IPSecuritas with Airport Extreme NAT by TLangley on 2004-04-15 20:00:16 +0200
Hi,
I'm using IPSecuritas to connect from DSL at home to a Netscreen firewall at the office. From testing at a couple of locations out of the office, I've found that if another box (a Linksys) is doing the NAT and the AEBS is only bridging, IPSec works great. If I take the Linksys out of the setup and have the AEBS do NAT, IPSec stops working. It appears to connect and will ping, but will not support any real traffic, such as a server connection. There's a lot of talk on the Apple Discussion boards about this. One suggestion is to set your VPN software to "Negotiate UDP encapsulation with VPN server for NAT traversal". I'm wondering if there is a way around this problem within IPSecuritas.
Thanks.

Re: IPSecuritas with Airport Extreme NAT by cnadig on 2004-04-15 22:20:00 +0200
Hello,
there was an issue with older firmware versions of the AEBS (not sure of the exact version anymore, but I think it was 5.1.x) and IP fragmentation, which resulted in the described behavior (small packets work (ping), real traffic that needs fragmentation fails). I'm using IPSec with AEBS and NAT enabled daily without problems with firmware version 5.3.
Christoph

Re: IPSecuritas with Airport Extreme NAT by Laurens van Hoorn on 2004-11-04 10:04:09 +0100
I have Airport in my home, and also the possibility to connect to my (Thomson) router by drop cable. Airport seems fine at first (no errors in log, and green lights from IPSecuritas) but doesn't work. Connecting by drop cable (and thus going around the Airport) does.

Checkpoint NG AI R55
Checkpoint NG AI R55 by sumpfgottheit on 2004-04-16 11:53:19 +0200
Hi!
I try a VPN to my Checkpoint in the office, but I get the following error:
Apr 16 11:43:39 Powerbook racoon: ERROR: isakmp.c:2033:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP <FW-IP>-><MY-IP>
Any hints?
best regards, florian

Re: Checkpoint NG AI R55 by cnadig on 2004-04-16 13:28:27 +0200
Hello Florian,
since Phase 1 negotiation fails, there is a timeout for Phase 2 - setting the log level to 'Verbose Debug' will give a better indication. Have a look at the following threads for possible solutions:
http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1080638584
and
http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1080530104
If none of this resolves the problem, I'd need a more detailed log (please make sure to remove any confidential information).
Christoph

Re: Checkpoint NG AI R55 by Viny on 2004-04-19 02:07:04 +0200
These are my parameters with NG AI R54 and IPSecuritas 2.0.2 (http://www.lobotomo.com/products/downloads/IPSecuritas202.dmg). I don't know if it's the best configuration but it works for me. Good luck....

Check Point NG AI R54 and IPSecuritas 2.0.2

Check Point Global Properties
Remote Access
VPN - Basic
Check: Pre-Shared Secret, Public Key Signatures, Hybrid Mode
Check: Gateways support IKE over TCP
VPN - Advanced
User Encryption Properties: 3DES, MD5
Check: IKE Security associations properties: Group 2
Resolving mechanism: Enable SecuRemote/SecureClient ...
Check Point Gateway
Traditional mode IKE properties
Check: 3DES, MD5, Pre_shared Secret, Public Key Signatures, Exportable...
Traditional mode IKE properties, Advanced
Check: Group 2, Support aggressive mode
Renegotiate IKE... : 1440 minutes
Renegotiate IPsec... : 3600 Seconds

User Properties
Encryption
Check: IKE
Encryption, Edit
Specify the password

IPSecuritas 2.0.2
General
Mode of Operation: Host to Network
Exchange Mode: Aggressive
Proposal Check: Claim

Re: Checkpoint NG AI R55 by Jonathan Lundell on 2004-05-24 00:21:51 +0200
Moving to 2.0.2 and adding @ to my user name helped, in that I'm getting quite a bit farther. Now I get this message, repeated:
May 23 15:10:05 jlundell racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
May 23 15:10:05 jlundell racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
May 23 15:10:05 jlundell racoon: ERROR: oakley.c:1190:oakley_validate_auth(): HASH mismatched
May 23 15:10:05 jlundell racoon: ERROR: oakley.c:1190:oakley_validate_auth(): HASH mismatched
(I'm posting in this thread because we're running R55. This is my first time trying IPSecuritas, so I don't have a history of getting it working with earlier CKPT versions.)
Re: Checkpoint NG AI R55 by Jonathan Lundell on 2004-05-24 01:03:16 +0200
Some debug output:
May 23 15:53:59 jlundell racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des)
May 23 15:53:59 jlundell racoon: DEBUG: oakley.c:2519:oakley_newiv(): IV computed:
May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump(): dfc362ed e12abcc7
May 23 15:53:59 jlundell racoon: DEBUG: oakley.c:1163:oakley_validate_auth(): HASH received:
May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump(): 30254ef1 792a6d52 ce679ee7 d6bccc13
May 23 15:53:59 jlundell racoon: DEBUG: oakley.c:868:oakley_ph1hash_common(): HASH with:
May 23 15:53:59 jlundell racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)
May 23 15:53:59 jlundell racoon: DEBUG: oakley.c:878:oakley_ph1hash_common(): HASH computed:
May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump(): ef6a6f6f 86860528 202a8eff 218e7b07
May 23 15:53:59 jlundell racoon: ERROR: oakley.c:1190:oakley_validate_auth(): HASH mismatched

Re: Checkpoint NG AI R55 by Viny on 2004-05-26 04:53:24 +0200
I use R55 HF02 now. I have no problem. I'm sorry, I'm a newbie so I can't help you more.
Re: Checkpoint NG AI R55 by Jonathan Lundell on 2004-05-26 19:51:30 +0200
Viny, thanks, it's a big help just to know that it can work. I assume that I've got a configuration problem. Can you tell me how you're configured? Is your configuration the same as the one you posted for R54?
This morning I saw, as usual,
May 26 10:39:33 jlundell racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
May 26 10:39:33 jlundell racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
May 26 10:39:33 jlundell racoon: ERROR: oakley.c:1190:oakley_validate_auth(): HASH mismatched
May 26 10:39:33 jlundell racoon: ERROR: oakley.c:1190:oakley_validate_auth(): HASH mismatched
...but my net admin claims that nothing at all showed up in the Check Point logs. Seems odd, since the debug log suggests that there's a significant amount of negotiation necessary to get to that point.
Anyway, thanks again, and if anyone (Christoph?) would care to suggest a course of action, I'd be grateful.

Re: Checkpoint NG AI R55 by Viny on 2004-05-28 14:31:58 +0200
Jonathan,
it's the same configuration (R54=R55). No modification.
Viny

Re: Checkpoint NG AI R55 by Jonathan Lundell on 2004-05-29 06:01:19 +0200
Thanks. I moved to 2.0.5 today, with no change. FWIW, I'm setting my local ID to @jlundell, which is my Check Point user name, plus the magic FQID thing. Other combinations don't seem to get as far, including jlundell@mydomain.com, where mydomain is the domain of the firewall. I need a clue.

Re: Checkpoint NG AI R55 by Viny on 2004-05-29 07:43:32 +0200
I use a certificate now. But if I remember, I used a username like "user", not "user@domain.com" or something else with "@". And in Check Point, the username was the same ("user").
Viny

Exporting/Importing Profiles
Exporting/Importing Profiles by Matthew on 2004-04-21 22:41:35 +0200
Is there an easy way to export/import gateway configurations? I want to be able to easily distribute IPSecuritas to users who don't want to go through the process of building (and possibly screwing up) VPN connections. I thought maybe IPSecuritas might create something in /Library/Preferences, but I didn't see anything.
Thanks, -matthew

Re: Exporting/Importing Profiles by Matthew on 2004-04-22 05:36:14 +0200
Me again. I found the preferences in ~/Library/Preferences, but just copying the com.lobotomo.IPSecuritas.plist file didn't do it for a system that hadn't previously run IPSecuritas. Does IPSecuritas modify anything else?

Re: Exporting/Importing Profiles by cnadig on 2004-05-05 16:57:24 +0200
Hello Matthew,
import/export of a configuration is one of the top requirements for the next release. I'm confident to release an update in a few weeks' time.
Christoph

Re: Exporting/Importing Profiles by yadda on 2004-10-06 16:49:53 +0200
Any updates on this issue? Can this be done yet? Thanks.

Re: Exporting/Importing Profiles by cnadig on 2004-10-07 08:18:27 +0200
Hello,
unfortunately not yet - I plan to put a considerable amount of effort into IPSecuritas once I have finished MoofMenu 1.5 in a few days.
Cheers, Christoph

IPSecuritas and Linksys
IPSecuritas and Linksys by Ronald Bellamy on 2004-05-07 22:10:05 +0200
I am trying to connect to a Linksys Cable Firewall Router with VPN endpoint (BEFSX41) from home with IPSecuritas. The VPN endpoint has a static IP address. At home I connect to a Linksys DSL router that has been assigned an address from DHCP. I am using MacOS 10.2.8. Any suggestions as to how to set up the VPN and/or IPSecuritas? I have not worked with VPN setup before and so far I have not been able to connect past phase 1.
:-/

Re: IPSecuritas and Linksys by cnadig on 2004-05-11 18:12:28 +0200
Hello Ronald,
what is failing after successfully establishing a phase 1 connection (set the log level to Verbose Debug)? Also, do you have access to the router's log?
Christoph

Re: IPSecuritas and Linksys by Ronald Bellamy on 2004-05-11 20:57:02 +0200
Hi Christopher
Not sure if this is helpful. There are a lot of lines in the log that seem to indicate that things are OK. This is where error lines start appearing:
May 11 12:33:10 Ronald racoon: DEBUG: isakmp_inf.c:210:isakmp_info_recv(): hash validated.
May 11 12:33:10 Ronald racoon: DEBUG: isakmp.c:1121:isakmp_parsewoh(): begin.
May 11 12:33:10 Ronald racoon: DEBUG: isakmp.c:1148:isakmp_parsewoh(): seen nptype=8(hash)
May 11 12:33:10 Ronald racoon: DEBUG: isakmp.c:1148:isakmp_parsewoh(): seen nptype=11(notify)
May 11 12:33:10 Ronald racoon: DEBUG: isakmp.c:1187:isakmp_parsewoh(): succeed.
May 11 12:33:10 Ronald racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
May 11 12:33:10 Ronald racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
May 11 12:33:10 Ronald racoon: DEBUG: isakmp_inf.c:870:isakmp_info_recv_n(): notification message 16:PAYLOADMALFORMED, doi=1 proto_id=3 spi=00000000(size=4).
May 11 12:33:16 Ronald racoon: DEBUG: grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting
May 11 12:33:30 Ronald racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.111[500]
May 11 12:33:30 Ronald racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.111[500]
May 11 12:33:30 Ronald racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to 68.150.80.245[500]
May 11 12:33:30 Ronald racoon: DEBUG: sockmisc.c:563:sendfromto(): 1 times of 260 bytes message will be sent to 192.168.1.111[500]
May 11 12:33:30 Ronald racoon: DEBUG: isakmp.c:1496:isakmp_ph2resend(): resend phase2 packet 0048766fa2b9058c:cfa545f08db74490:4a924fb2
May 11 12:33:33 Ronald racoon: DEBUG: grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting
May 11 12:33:40 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover(): 68.150.80.245 give up to get IPsec-SA due to time up to wait.
May 11 12:33:40 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover(): 68.150.80.245 give up to get IPsec-SA due to time up to wait.
I do have access to the router logs but not while I am at home. I will try to get that info next time I am out.
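Several replies in these threads boil down to reading the racoon 'Verbose Debug' log and spotting which ISAKMP notify or racoon error is the real symptom. The helper below is an added example, not code from IPSecuritas or racoon: it decodes the notify lines and maps the symptoms that appear in these threads (PAYLOADMALFORMED above, INVALIDID-INFORMATION, HASH mismatched, the pskey notify, phase 1/phase 2 timeouts and the "unknown Informational exchange" rekey failure further on) to the configuration mismatch the replies point at; the sample log is constructed from the post above with the gateway address replaced.

```python
"""Triage helper for racoon (the IKE daemon behind IPSecuritas) log excerpts.

Added example for these forum threads, not code from IPSecuritas or racoon.
It maps the ISAKMP notify types and racoon error strings seen in the posts
to the configuration mismatch they usually point at.
"""
import re
from typing import List, Optional, Tuple

# ISAKMP notify message types (RFC 2408, section 3.14.1) seen in these threads.
NOTIFY_TYPES = {
    14: "NO-PROPOSAL-CHOSEN",
    16: "PAYLOAD-MALFORMED",
    18: "INVALID-ID-INFORMATION",
}

# Symptom substring (or canonical notify name) -> what to check first.
HINTS = {
    "NO-PROPOSAL-CHOSEN":
        "phase 1/2 proposal mismatch: compare encryption, hash, DH group and "
        "lifetimes with the gateway",
    "PAYLOAD-MALFORMED":
        "peer could not parse a payload: check exchange mode (main/aggressive) "
        "and identifier type, then the pre-shared key",
    "INVALID-ID-INFORMATION":
        "phase 2 identities differ: local/remote network ('secure group') in "
        "IPSecuritas must match the gateway's definition",
    "couldn't find the proper pskey":
        "no pre-shared key entry matched the peer's identifier; racoon fell "
        "back to a lookup by address",
    "HASH mismatched":
        "phase 1 authentication failed: pre-shared key or identifier differs "
        "from the gateway",
    "time up waiting for phase1":
        "phase 1 never completed: check PSK/ID, exchange mode, and that UDP 500 "
        "reaches the gateway (NAT in the path?)",
    "give up to get IPsec-SA":
        "phase 2 never completed: check phase 2 proposal and network definitions",
    "unknown Informational exchange":
        "unexpected delete/notify from the peer, typically at rekey: verify that "
        "phase 1 (IKE SA) and phase 2 (IPsec SA) lifetimes are not transposed",
}

NOTIFY_RE = re.compile(r"notification message (\d+):([A-Z][A-Z-]*)")
LEVEL_RE = re.compile(r"racoon: (ERROR|NOTIFY|INFO|DEBUG2?): ")


def parse_notify(line: str) -> Optional[Tuple[int, str]]:
    """Return (type, canonical name) for a 'notification message N:NAME' line."""
    m = NOTIFY_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    # racoon prints e.g. 'INVALIDID-INFORMATION'; use the RFC spelling when known.
    return code, NOTIFY_TYPES.get(code, m.group(2))


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return unique (symptom, hint) pairs in first-seen order for a log excerpt."""
    findings: List[Tuple[str, str]] = []
    seen = set()

    def note(symptom: str) -> None:
        if symptom in HINTS and symptom not in seen:
            seen.add(symptom)
            findings.append((symptom, HINTS[symptom]))

    for line in lines:
        parsed = parse_notify(line)
        if parsed:
            note(parsed[1])
        level = LEVEL_RE.search(line)
        # Only ERROR/NOTIFY lines carry a symptom; DEBUG lines are noise apart
        # from the notify payload decoded above. racoon logs each error twice,
        # which the 'seen' set collapses.
        if level and level.group(1) in ("ERROR", "NOTIFY"):
            for symptom in HINTS:
                if symptom in line:
                    note(symptom)
    return findings


# Constructed sample, shortened from the Linksys log above (address replaced).
SAMPLE_LINKSYS = """\
May 11 12:33:10 Ronald racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
May 11 12:33:10 Ronald racoon: DEBUG: isakmp_inf.c:870:isakmp_info_recv_n(): notification message 16:PAYLOADMALFORMED, doi=1 proto_id=3 spi=00000000(size=4).
May 11 12:33:40 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait.
""".splitlines()

if __name__ == "__main__":
    for symptom, hint in triage(SAMPLE_LINKSYS):
        print(f"{symptom}: {hint}")
```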
Re: IPSecuritas and Linksys by Bryan Derman on 2004-06-05 13:07:12 +0200
From a press release that just got posted:
=====
2004-Jun-01 : Derman Enterprises publishes a set of web pages that outline how to use IPSecuritas (a free VPN-setup utility) and Mac OS X to achieve a Host-to-Network and Network-to-Network secure/VPN connection to the popular and inexpensive LinkSys BEFSX41 Switch/Router/Firewall/VPN appliance. Using this information will allow you to configure a stationary or mobile/dial-up secure tunnel to your small business or home network. See http://www.derman.com/Misc/VPN/Overview.html for the information.
=====
Hope this helps, if you hadn't already figured it out.

Re: IPSecuritas and Linksys by Ronald Bellamy on 2004-06-06 23:43:20 +0200
Hi Bryan
I found the information helpful and hoped that it would solve the problem, but using the settings still doesn't seem to work. I was finally able to get the log info from IPSecuritas and the Linksys. Hopefully somebody can find what I need to change:
Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp_inf.c:210:isakmp_info_recv(): hash validated.
Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp.c:1121:isakmp_parsewoh(): begin.
Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp.c:1148:isakmp_parsewoh(): seen nptype=8(hash)
Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp.c:1148:isakmp_parsewoh(): seen nptype=11(notify)
Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp.c:1187:isakmp_parsewoh(): succeed.
Jun 6 15:21:57 Ronald racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Jun 6 15:21:57 Ronald racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp_inf.c:870:isakmp_info_recv_n(): notification message 18:INVALIDID-INFORMATION, doi=1 proto_id=3 spi=0701eb2e(size=4).
Jun 6 15:22:02 Ronald racoon: DEBUG: grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting
Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.111[500]
Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.111[500]
Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to 68.150.80.245[500]
Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:563:sendfromto(): 1 times of 252 bytes message will be sent to 192.168.1.111[500]
Jun 6 15:22:16 Ronald racoon: DEBUG: isakmp.c:1496:isakmp_ph2resend(): resend phase2 packet 3b1285f705215f04:ae763ee42e83205e:7e6ea993
Jun 6 15:22:22 Ronald racoon: DEBUG: grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting
Jun 6 15:22:26 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover(): 68.150.80.245 give up to get IPsec-SA due to time up to wait.
Jun 6 15:22:24 Ronald racoon: DEBUG: grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting
Jun 6 15:22:26 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover(): 68.150.80.245 give up to get IPsec-SA due to time up to wait.

From the Linksys Router
2004-06-06 15:21:51 IKE[6] Rx << MM_I1 : 198.53.201.16 SA

Re: IPSecuritas and Linksys by Bryan Derman on 2004-06-20 10:11:58 +0200
Sorry, don't look here very often so didn't see your posting.
You might want to check the firmware version you're using because some of the released versions simply don't work in certain aspects, including VPN operation. Have a look at the stuff on this page (http://www.derman.com/Misc/VPN/BEFSX41-Problems.html) and look in the forums referenced there, as well. BTW, the currently posted/released version on the LinkSys site seems to be OK.
According to your log, you have a mismatch between the Local/Remote Secure Group settings (i.e., those settings in IPSecuritas and those on the Linksys).

Re: IPSecuritas and Linksys by Ronald Bellamy on 2004-06-20 23:42:39 +0200
Hi Bryan
I was able to connect finally, but I had to supply IPSecuritas and the VPN Linksys with the dynamic IP of my home Linksys. "ANY" does not work although that is the setting that Linksys documentation says to use if the remote user will have a dynamic IP. Since my IP will change this is not an ideal setup. It is workable since I can access the VPN Linksys from home and can change the IP remotely before trying to connect. IPSecuritas is also easy to change and works great. The VPN does everything that is needed now.

unknown informational exchange...
unknown informational exchange... by FraserJopp on 2004-05-08 08:19:59 +0200
Having set up the VPN successfully, the connection fails when the key is to be renewed. I get the following in the log of the FVS318 (host):
4/29/2004 06:27:32 - FVS318 IPsec:STATE_QUICK_R2: IPsec SA established
Thur, 04/29/2004 07:30:32 - FVS318 IPsec:event after this is EVENT_SA_EXPIRE in 0 seconds
Thur, 04/29/2004 07:30:32 - FVS318 IPsec:IPsec SA expired (LATEST!)
Thur, 04/29/2004 07:30:32 - FVS318 IPsec:delete_out()
Thur, 04/29/2004 07:30:32 - FVS318 IKE:[VPNLANPC_tmp20] TX >> DELETE SA : 81.178.250.58 (SPI=5bd07bf6)
Thur, 04/29/2004 07:30:34 - FVS318 IPsec:ISAKMP SA expired (LATEST!)
Thur, 04/29/2004 07:30:34 - FVS318 IPsec:delete_isa_out()
Thur, 04/29/2004 07:30:34 - FVS318 IPsec:[VPNLANPC_tmp20] is removed from the head of conn_list
Thur, 04/29/2004 07:30:34 - FVS318 IPsec:Connection [VPNLANPC_tmp20] is deleted from connection table
Thur, 04/29/2004 07:31:00 - FVS318 IPsec:find_insa() not found
Thur, 0
And this in the log of the client:
Apr 29 06:27:32 Alison-Robertss-Computer IPSecuritas: Set kernel keys
Apr 29 07:30:34 Alison-Robertss-Computer racoon: ERROR: isakmp.c:662:isakmp_main(): unknown Informational exchange received.
Apr 29 07:30:34 Alison-Robertss-Computer racoon: ERROR: isakmp.c:662:isakmp_main(): unknown Informational exchange received.
Apr 29 07:30:36 Alison-Robertss-Computer racoon: ERROR: isakmp.c:662:isakmp_main(): unknown Informational exchange received.
Apr 29 07:30:36 Alison-Robertss-Computer racoon: ERROR: isakmp.c:662:isakmp_main(): unknown Informational exchange received.
Both sides have key life (phase 1) at 3600 seconds, and IKE key lifetime (phase 2) at 28,800 seconds. The connection is initiated at the IPSecuritas end. I then have to stop & start IPSec to reconnect.
Many thanks for any help you can offer
Fraser Jopp

Re: unknown informational exchange... by cnadig on 2004-05-10 15:38:11 +0200
Hello Fraser,
first of all sorry for not getting back to your e-mail earlier! I'm expecting a Netgear FVS328 to arrive this week and, assuming it has the same or a similar firmware as the 318, I expect to run into the same problems. I'll let you know as soon as I find a solution. From the log you attached it seems that both phase 1 and 2 time out at the same time - what have you set for the exchange mode in IPSecuritas?
Cheers, Christoph

Re: unknown informational exchange... by FraserJopp on 2004-05-11 08:15:04 +0200
It's aggressive. The timeout is always 180 seconds after the phase 1 key life (if this helps). As far as I can see, the settings are the same on both sides.
Thanks for your help
Fraser

Re: unknown informational exchange... by FraserJopp on 2004-05-12 09:33:00 +0200
Cracked it, thanks to a clue in your reply. I had not realised that Phase 1 = IKE SA lifetime, Phase 2 = IPsec SA lifetime, as different terms are used at the other end. Transposed the two figures, and it works fine..
Thanks for your help
Fraser

Re: unknown informational exchange... by jsilk on 2004-06-06 18:19:54 +0200
Hi there,
I am hoping you would be so kind as to share your working connection details in both IPSecuritas and FVS318 (naturally excluding any IP addresses).
Thanks, Johan

Cisco VPN Client
Cisco VPN Client by brichpmr on 2004-05-16 15:59:49 +0200
My company provides a .pcf file to import into the Cisco VPN client app through our Cisco 3000 series VPN concentrator. Does IPSecuritas work with a Cisco .pcf script? Can I import the configuration into your app? I'm running Panther (10.3.3).

IPSecuritas to Zyxel ZyWall 35
IPSecuritas to Zyxel ZyWall 35 by Thomas von Hassel on 2004-05-17 14:34:07 +0200
Hi all
I'm trying to connect a 10.3 client with IPSecuritas to a Zywall 35. I get this in my zywall logs: Phase 1 IKE SA process done, then: !! No proposal chosen
Could someone point me in the right direction :)
/thomas

Re: IPSecuritas to Zyxel ZyWall 35 by cnadig on 2004-05-18 16:31:58 +0200
Hello Thomas,
according to the Zyxel user manual you have a mismatch of the encryption or authentication parameters, either in phase 1 or 2, so that no satisfying SA proposal can be found and the tunnel negotiation is aborted. Check the phase 1 and phase 2 settings in IPSecuritas against the ones of the Zyxel router. If you change the log level of IPSecuritas to 'Verbose Debug', you should see in more detail what has been offered by your side and the Zyxel router and why the two proposals don't match.
Christoph

Re: IPSecuritas to Zyxel ZyWall 35 by Chief_Nerd on 2004-08-25 21:51:58 +0200
I too am trying to get going with a ZyWALL. But in my case, it's 10.2 I'm using.
I have AES 256 and SHA1 set. My verbose debug says: {wonder where the ----'ed line came from; as that's not an IP in use here}
Log output from IPSecuritas 2.0.6
Aug 25 15:30:07 Notanumber IPSecuritas: Parsing configuration
Aug 25 15:30:07 Notanumber IPSecuritas: Setting up racoon.conf
Aug 25 15:30:07 Notanumber IPSecuritas: Setting up setkey.conf
Aug 25 15:30:07 Notanumber IPSecuritas: Setting up psk.txt
Aug 25 15:30:07 Notanumber IPSecuritas: Setting up tunnel.conf
Aug 25 15:30:07 Notanumber IPSecuritas: Parsing configuration done
Aug 25 15:30:08 Notanumber IPSecuritas: Starting racoon...
Aug 25 15:30:08 Notanumber racoon: INFO: main.c:169:main(): @(#)racoon 20001216 20001216 sakane@kame.net
Aug 25 15:30:08 Notanumber racoon: INFO: main.c:169:main(): @(#)racoon 20001216 20001216 sakane@kame.net
Aug 25 15:30:08 Notanumber racoon: INFO: main.c:170:main(): @(#)This product linked OpenSSL 0.9.6i Feb 19 2003 (http://www.openssl.org/)
Aug 25 15:30:08 Notanumber racoon: INFO: main.c:170:main(): @(#)This product linked OpenSSL 0.9.6i Feb 19 2003 (http://www.openssl.org/)
Aug 25 15:30:10 Notanumber IPSecuritas: Racoon is running
Aug 25 15:30:10 Notanumber IPSecuritas: Set kernel keys
Aug 25 15:30:10 Notanumber racoon: DEBUG2: cfparse.y:1354:cfparse(): parse successed.
Aug 25 15:30:10 Notanumber racoon: INFO: isakmp.c:1369:isakmp_open(): 192.168.1.69[500] used as isakmp port (fd=6o)
-----------------------------------------^^^^^^^^^ huh?
Aug 25 15:30:10 Notanumber racoon: INFO: isakmp.c:1369:isakmp_open(): 192.168.1.69[500] used as isakmp port (fd=6)
Aug 25 15:30:10 Notanumber racoon: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message
Aug 25 15:30:10 Notanumber racoon: DEBUG2: plog.c:193:plogdump(): 02120200 00020000 00000000 00000200
Aug 25 15:30:10 Notanumber racoon: DEBUG: pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory
Aug 25 15:30:10 Notanumber racoon: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey REGISTER message
Aug 25 15:30:10 Notanumber racoon: DEBUG2: {.....} isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Aug 25 15:30:31 Notanumber racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Aug 25 15:30:42 Notanumber racoon: ERROR: isakmp.c:1785:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 207.188.193.107->192.168.1.69
Aug 25 15:30:42 Notanumber racoon: ERROR: isakmp.c:1785:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 207.188.193.107->192.168.1.69
Aug 25 15:30:42 Notanumber racoon: INFO: isakmp.c:1790:isakmp_chkph1there(): delete phase 2 handler.
Aug 25 15:30:42 Notanumber racoon: INFO:

Replacing CheckPoint SecureClient
Replacing CheckPoint SecureClient by Ben on 2004-05-17 15:45:02 +0200
Hi there,
I came across IPSecuritas after posting to Apple's support forums. Anyway, here's the gist of my problem. At work, we use Checkpoint's VPN-1 SecureClient for Windows to connect to the company's LAN remotely. My question is how can I do the same thing with my PowerBook. Someone kindly suggested that I try out IPSecuritas, which I installed without any problem. However, the tricky part came when I tried to import the certificate. IPSecuritas wants the certificate to be of the type .pem, whatever that is. At work, we have Entrust certificates that have a .epf suffix.
Now, I'm not sure what these different file formats mean (simply changing the suffix didn't do the trick), but I was hoping there would be some sort of conversion utility, or perhaps there is some way to export a certificate from SecureClient as a .pem. Is this even the right approach? Apologies in advance if the above isn't the clearest, but digital certificates and PKI are kind of new to me.
Ben

Re: Replacing CheckPoint SecureClient by cnadig on 2004-05-18 16:26:02 +0200
Hello Ben,
I found very little information about the Entrust Profile File (.epf), especially concerning its contents and format, so importing them directly won't be possible. I don't know how your company generates the certificate files but I'd expect the software to be able to export it into a different format (at least PKCS12, which can be imported into IPSecuritas with a few steps, see the online help). As an alternative (and it probably needs very good connections to the network admin), you could set up an alternative CA: http://www.atsec.com/docs/fw1-openssl.howto.pdf
Christoph

Re: Replacing CheckPoint SecureClient by Benjamin So on 2004-05-24 10:50:03 +0200
Hi Christoph,
I think the export method seems like the better bet. At present, the utilities supplied by the company don't allow any export function. Are there any conversion apps available that could do this for me? And which file formats does IPSecuritas understand?
Ben

Can't setup VPN
Can't setup VPN by robbiemurray on 2004-05-18 16:49:20 +0200
I have had 3 days of frustration trying to connect my home network to my colleague's using the VPN software in Mac OS X. Both networks have static IP addresses and are using Netgear DG834 routers, and Internet/email works fine. I tried configuring both PPTP and L2TP connections, but got a 'server not responding - check address etc.' message, either immediately or after a delay where the icon in the menu bar tried to connect, but gave up after a couple of minutes.
(I can however ping from one to the other.) Checked with Netgear support, who were unhelpful, but eventually had me open all ports. Still no joy. After a lot of trawling found recommendations for IPSecuritas. Downloaded, installed, configured on both, but no connection - just the red X. Removed all the Mac VPN configurations, but still no go.
Please can anyone help????

Re: Can't setup VPN by cnadig on 2004-05-18 17:51:09 +0200
Hello Robbie,
a quick question first: Is NAT (Network Address Translation) enabled on any of the routers? Could you also post the log from IPSecuritas when set to 'Verbose Debug' (in the IPSecuritas preferences). Please remove any confidential information like your static IP addresses.
Christoph

Re: Can't setup VPN by robbiemurray on 2004-05-18 23:18:17 +0200
Hi Christoph
Thanks for your interest. Yes, both have NAT enabled, as they were set up with the simple login suggested by the ISP (login & password), with all other info provided dynamically by the ISP (although both addresses are static). How much of the log do you want, as there are pages & pages, and it seems to loop? I'm new to this site, and don't want to get in trouble........... I could email it if that's an option.
Regards Robbie

IPSec startup failed
IPSec startup failed by benoit_mikros on 2004-05-20 18:09:47 +0200
Hello Christoph,
I get the message "IPSec startup failed" (in the verbose log, nothing other than "Log output from IPSecuritas 2.0"). The configuration of IPSec should work because it's being used by one of my colleagues, Marc, with the same kind of connection (OS 10.3.3 with Netscreen FW). In fact it did work fine once, at my place (home), but I couldn't stop IPSec properly (refused): I had to quit IPSecuritas and then no more DNS resolving with any app: Safari, Mail, etc... So I found that /etc/resolv.conf was linked to /tmp/IPSecuritas... Then I redid the link to /var/run/resolv.conf and added some DNS names in my OS Network Preferences. So HTTP and Mail work fine again now...
In the meantime, I also removed all settings of IPSecuritas (to start from scratch). Then I re-edited IPSecuritas settings and prefs, checked them twice (the same that work for Marc) but IPSecuritas does not want to start... (immediate message: "IPSec startup failed"). I also removed my optional DNS server names in my OS Network Preferences (and anyway I have checked "Replace DNS Settings on IPSec Activation" with my job DNS refs). But it doesn't start ;-(
Any idea to work this out?

Re: IPSec startup failed by cnadig on 2004-05-20 23:44:46 +0200
Hello Benoit,
at the moment I can only guess, but I think your installation has been corrupted. Please try to remove IPSecuritas completely and re-install it. If you still have trouble, I'll compile a version that logs more detail in such an event.
Christoph

Re: IPSec startup failed by benoit_mikros on 2004-05-21 13:05:44 +0200
okay: I removed IPSecuritas and prefs, then reinstalled it completely. Same result ;-(
Benoit

more details for log ...;-) by benoit_mikros on 2004-06-02 01:03:50 +0200
Hello Christoph,
Did you change the logs with more details in such an event, with V 2.05? I still have the same message. I even tried to update my OS to 10.3.4 (never know...). Still the same instantaneous "IPSec startup failed".
Benoit

Re: IPSec startup failed by cnadig on 2004-06-08 23:20:10 +0200
Hello Benoit,
sorry for the late answer - my daytime job is keeping me busy... I did not have the opportunity to get more verbose logging in, but a quick question: when you try to start IPSec and it fails, do you get anything in the log window (with log level set to verbose debug)? Also, if you have the replace DNS settings option set, do you still need to replace the link to /var/run/resolv.conf after terminating IPSecuritas in order to get normal internet access back?
Christoph

Re: IPSec startup failed by MacPapy on 2004-09-28 23:55:22 +0200
Hi everybody, I would have loved to announce that IPSecuritas is working fine with an Equinet gateway (at least on a host to network basis) but, in my case, it works only with one of my computers (a PowerBook G3, OS 10.2.6). On my iMac (G3, 600 MHz, 10.2.6) I directly get the "startup has failed" message, and no message in the log window. I've tried for a couple of nights to understand what the differences are, but I do not find any successful explanation.
Hypothesis: on my initial launch of IPSecuritas, it happens that I was not logged in as an "Administrator" for the system. Of course, I've tried to reinstall and relaunch, but no success :'(
Another idea: the Mac which is not working was initially configured as a gateway with IPSharing (using the MacOS embedded feature); I've stopped IPSharing during the testing of IPSecuritas (and tried to restart, and everything...) but this doesn't solve the problem.
Last: on my iMac, there was a previous version of racoon, hidden in an old "Previous system" directory, that was remaining on my disk. I did clean all that stuff up afterwards, but could it be a problem linked with that bad config at the beginning?
Any idea? Thanks in advance, Jean (from France)

Re: IPSec startup failed by Pascal Frey on 2004-10-16 20:43:08 +0200
Same troubles as benoit_mikros and MacPapy: I've tried to establish a VPN connection with IP Securitas, but as soon as I click on "Start IPSec", it answers me "IPSec Startup failed", with nothing at all in the log (even in Verbose Debug mode). I first tried IP Securitas on another Mac and it seemed to work fine. So I did a clean install on my own Mac and I re-installed IP Securitas. I managed to establish connections about 15 or 20 times, and then, back to the same error message: "IPSec startup failed"... Then I tried to have a look into the IP Securitas.app package.
I tried to launch IPSecuritas.app/Contents/MacOS/vpntool several times and it didn't answer me anything. BUT, I then relaunched IPSecuritas by invoking IPSecuritas/contents/MacOS/IPSecuritas in the same shell, and it seemed to work fine again. At least I can click on "Start IPSec" without having the error message. But this time, the connection doesn't work. I haven't changed anything in the config file, but the connection fails to establish. That's what the log shows:
[i]Log output from IPSecuritas 2.0.6
Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Parsing configuration
Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Setting up racoon.conf
Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Setting up setkey.conf
Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Setting up psk.txt
Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Setting up tunnel.conf
Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Parsing configuration done
Oct 16 20:14:03 Ordinateur-de-Famille-Frey IPSecuritas: Starting racoon...
Oct 16 20:14:03 Ordinateur-de-Famille-Frey IPSecuritas: Racoon is running
Oct 16 20:14:03 Ordinateur-de-Famille-Frey IPSecuritas: Set kernel keys
add net 192.168.1.0: gateway gif0
Oct 16 20:14:34 Ordinateur-de-Famille-Frey racoon: ERROR: pfkey.c:745:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait.
Oct 16 20:14:34 Ordinateur-de-Famille-Frey racoon: ERROR: pfkey.c:745:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait.
delete net 192.168.1.0
Oct 16 20:15:26 Ordinateur-de-Famille-Frey IPSecuritas: Flushing kernel keys
Oct 16 20:15:26 Ordinateur-de-Famille-Frey IPSecuritas: Stopping racoon...
Oct 16 20:15:27 Ordinateur-de-Famille-Frey IPSecuritas: Racoon normally terminated[/i]
If somebody understands what's happening? ...
Meanwhile, I've also tried with VPNTracker and it works fine in any case.

Antivirus and Firewall
Antivirus and Firewall by fmorchid on 2004-05-21 19:40:02 +0200
Hello, is it possible to install a Symantec antivirus with the Checkpoint firewall? Thank you

smb query
smb query by rnoranbrock on 2004-05-24 23:38:54 +0200
OK, I've got IPSecuritas set up and connecting properly to a SonicWall SOHO3. And I would swear that at least the first time I set it up I was able to connect to shared portions of an Exchange server behind the Sonic; however, currently, I am unable to do the same thing. I try to enter smb://MACHINE/OBJECTS in the Connect to Server dialog, but all I get is "The Finder cannot complete the operation because some data in "smb://MACHINE/OBJECTS" could not be read or written. (Error code -36)." with the option to Try Again or Cancel. If I try to double click the aliases set up for the same share from behind the Sonic, it attempts to connect (I guess) and then asks if I want to fix or delete the alias. And just to add more strangeness on top, Entourage (which is configured to connect as an IMAP client from behind the Sonic) has no problem connecting with the address entered as SECOND_MACHINE.DOMAIN.NAME.COM. I can use MS Remote Desktop Connection to connect through the VPN and access the Exchange Server, so that works, but so far no success at specifying an smb address. Any thoughts? Thanks, -Randy

Re: smb query by info.helpdesk on 2007-04-25 14:44:40 +0200
We are having the same problem using version 3.0 of the software on a Mac OS X 10.4 machine. Any ideas?

Re: smb query by rnoranbrock on 2007-04-25 15:18:06 +0200
Sorry, I haven't tried to connect recently as I believe I read in another post that the problem was in the Mac OS. Interestingly though, if I bring up Win XP under Parallels, I can mount any of the drives/machines in Win XP, but not in the Finder. Strange.
-Randy

Re: smb query by Dave on 2007-04-26 00:42:07 +0200
Are you using IP addresses for MACHINE in your examples?

Re: smb query by rnoranbrock on 2007-04-26 03:47:02 +0200
Honestly, I don't recall if I tried that or not. The names resolve to the proper IP address in terminal and ping correctly. If I get a chance to try later, I'll post back. -R

OS X 10.3.4 breaks Ipsecuritas
OS X 10.3.4 breaks Ipsecuritas by Thomas von Hassel on 2004-05-27 01:40:56 +0200
Well I got Ipsecuritas working with my ZyWall... but I just installed 10.3.4 and now Ipsecuritas gives me this:
Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: Parsing configuration
Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: Setting up racoon.conf
Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: Setting up setkey.conf
Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: Setting up psk.txt
Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: Setting up tunnel.conf
Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: Parsing configuration done
Jun 27 01:39:44 Thomas-von-Hassels-Computer IPSecuritas: Starting racoon...
Jun 27 01:39:44 Thomas-von-Hassels-Computer IPSecuritas: Racoon is running
Jun 27 01:39:44 Thomas-von-Hassels-Computer IPSecuritas: Set kernel keys
ifconfig: SIOCIFCREATE: Invalid argument
route: writing to routing socket: No such process
delete net 192.168.1.0: not in table
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
Jun 27 01:39:45 Thomas-von-Hassels-Computer IPSecuritas: Could not delete gif0
Jun 27 01:39:45 Thomas-von-Hassels-Computer IPSecuritas: Stopping racoon...
Jun 27 01:39:46 Thomas-von-Hassels-Computer IPSecuritas: Racoon normally terminated
Jun 27 01:39:46 Thomas-von-Hassels-Computer IPSecuritas: Flushing kernel keys
So 10.3.4 obviously breaks something :) /thomas

Re: OS X 10.3.4 breaks Ipsecuritas by Mark Dadgar on 2004-05-27 06:39:47 +0200
Yep - broke my copy, too.
:( - Mark

Re: OS X 10.3.4 breaks Ipsecuritas by cnadig on 2004-05-27 08:56:33 +0200
Hello, I can reproduce the problem and am working on a solution, which should be available within days. Christoph

Re: OS X 10.3.4 breaks Ipsecuritas by Mark Dadgar on 2004-05-27 18:58:07 +0200
THANK YOU!! - Mark

Re: OS X 10.3.4 breaks Ipsecuritas by NetWhiz on 2004-05-31 01:33:39 +0200
Any update on the status of the fix for this? ??? NetWhiz

Re: OS X 10.3.4 breaks Ipsecuritas by cnadig on 2004-06-01 14:20:29 +0200
Hello, sorry for the late notification! IPSecuritas 2.0.5 is available for download at [url]http://www.lobotomo.com/products/IPSecuritas/index.html[/url]. See [url]http://www.lobotomo.com/products/IPSecuritas/changes.html[/url] for a list of changes. Christoph

Re: OS X 10.3.4 breaks Ipsecuritas by DarX on 2004-06-01 15:51:37 +0200
[quote author=cnadig link=1085614856/0#5 date=1086092429]Hello, sorry for the late notification! IPSecuritas 2.0.5 is available for download at [url]http://www.lobotomo.com/products/IPSecuritas/index.html[/url]. See [url]http://www.lobotomo.com/products/IPSecuritas/changes.html[/url] for a list of changes. Christoph[/quote]
Hey, this works! Thanks a bunch! .. keep up the good work! /thomas

Re: OS X 10.3.4 breaks Ipsecuritas by NetWhiz on 2004-06-02 23:14:50 +0200
Is there a version that fixes the problem? This version is the same as from last week and it does not fix my broken issue. Everything worked fine with this version, until I opened and used the built-in Mac OS X IPSec/L2TP client.
When I went back to try IPSecuritas, it will not get past:
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Parsing configuration
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up racoon.conf
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up setkey.conf
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up psk.txt
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up tunnel.conf
Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Parsing configuration done
Jun 2 21:11:48 Allison-Baby-3 IPSecuritas: Starting racoon...
Jun 2 21:11:48 Allison-Baby-3 IPSecuritas: Racoon is running
Jun 2 21:11:48 Allison-Baby-3 IPSecuritas: Set kernel keys
Jun 2 21:11:48 Allison-Baby-3 racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Jun 2 21:11:48 Allison-Baby-3 racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Jun 2 21:11:55 Allison-Baby-3 IPSecuritas: Flushing kernel keys
Jun 2 21:11:55 Allison-Baby-3 IPSecuritas: Stopping racoon...
Jun 2 21:11:56 Allison-Baby-3 IPSecuritas: Racoon normally terminated
Then it just sits and eventually times out or I get that error. How can this be fixed???? NetWhiz

Re: OS X 10.3.4 breaks Ipsecuritas by NetWhiz on 2004-06-04 05:51:50 +0200
Anyone even watching the board? No one else having this problem? NetWhiz

Re: OS X 10.3.4 breaks Ipsecuritas by NetWhiz on 2004-06-08 01:56:56 +0200
Just checking in to see if anyone is having this issue or a solution has been found???????? NetWhiz

Re: OS X 10.3.4 breaks Ipsecuritas by davehodg on 2004-07-08 17:52:30 +0200
I'm getting this too, trying to connect to an FVL328:
Jul 8 16:47:34 Daves-PB syslogd: restart
Jul 8 16:47:34 Daves-PB syslogd: restart
Jul 8 16:47:35 Daves-PB racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Jul 8 16:47:35 Daves-PB racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Offers?

Re: OS X 10.3.4 breaks Ipsecuritas by Rusty Bias on 2004-09-07 07:57:48 +0200
I've had the same issue... IPsecuritas working fine until messing with the built-in L2TP/VPN, and even after removing the L2TP configs, IPsecuritas won't work...

Support for ...
Support for ... by NetWhiz on 2004-05-28 18:28:34 +0200
Will there be support added for DH modp2048 and/or SHA2? Also, will the source code for this app be released? Thanks, NetWhiz

New User
New User by Spark on 2004-05-28 19:03:19 +0200
Hello, I am a new user that would love to use IPSecuritas! I cannot seem to find a how-to on the SF. Is there documentation or a how-to page I can be directed to? I am running 10.3.4 with the firewall on. I do a ton of file transfers and would like to make them secure. Will this mask my IP address when accessing sites and running my own server? Any help would be greatly appreciated! :)

Version 2.0.5 breaks name resolution
Version 2.0.5 breaks name resolution by Russ Marks on 2004-06-02 23:29:16 +0200
IPSecuritas 2.0.5 does not release the "DNS Servers" entry in its Preferences panel. Once IPSecuritas is run, the OS does not revert back to the DNS servers entry listed in the OS X "Network" system preference pane. I am able to fix this by clearing the IPSecuritas "DNS Servers" entry, committing it, then exiting. This problem exists on my 10.3.4 & 10.2.8 machines. Regards, Russ Marks

anyone help me?
anyone help me? by hopecompany on 2004-06-04 11:30:56 +0200
Hi, everybody! My first time here, nice to meet all of you!
I have experienced a question: I have 2 Nokia IP530 platforms, which have Checkpoint NG AI (R55) installed. I configured them to run in a cluster environment, and I am sure the cluster works well! But a problem occurred: when an Oracle client connects to the Oracle server behind the cluster gateway, the session only remains about 5 to 10 minutes, and then the session disconnects. I reset the connection in the Oracle client and it worked well again, but disconnected after 5-10 minutes. I don't know how to settle the problem, anybody help me? Looking forward to hearing from you! Thanks a lot

Netgear - Phase 2 failing
Netgear - Phase 2 failing by 2manysecrets on 2004-06-04 19:42:29 +0200
I am using a Netgear FVS318 at my office with a fixed IP and connecting from home (and would like to connect from the road) with IPSecuritas and a dynamic IP. The office and home have two different subnets and I did have this working for a couple of weeks. When it was working the computer at work could not see any of the computers on my home network. But, I could see all of the computers on the office network. Something has changed and I am not sure what it is. The debug log shows that phase 1 succeeded, but I keep getting
Jun 4 13:28:03 AgentSmith racoon: DEBUG: isakmp.c:1756:isakmp_ph2resend(): resend phase2 packet 42cb18005b4777b4:f3941f0d568a1a16:de4771c6
Jun 4 13:28:12 AgentSmith racoon: ERROR: pfkey.c:745:pfkey_timeover(): 55.55.55.55 give up to get IPsec-SA due to time up to wait.
Jun 4 13:28:12 AgentSmith racoon: ERROR: pfkey.c:745:pfkey_timeover(): 55.55.55.55 give up to get IPsec-SA due to time up to wait.
Jun 4 13:28:12 AgentSmith racoon: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted.
After reading several "guides" on setting up NetGear routers I am now totally confused. What parameters are affecting the phase 2 verification?
Thanks for your help

Re: Netgear - Phase 2 failing by jsilk on 2004-06-06 18:12:08 +0200
Hi, any possibility you could share your configuration that worked before you tried to change it so you could roam from anywhere including your home? For Phase 2 I have the same configuration as with Phase 1 with the exception of the life time. This seems to work fine, I am not getting any errors like you are seeing. But after what seems like a successful connection at both ends I am unable to access any hosts at work behind the FVS318...

Re: Netgear - Phase 2 failing by jsilk on 2004-06-07 02:21:16 +0200
Hi there, I can replicate your message when my Network settings are not matching up between the FVS318 and the IPSecuritas settings. Ensure your remote and local network configuration is the same at both ends. Cheers! Johan

Re: Netgear - Phase 2 failing by 2manysecrets on 2004-06-08 18:19:08 +0200
The only way I was able to login from a remote site was to know the public IP and put that into the local address field. This worked from home, but when I was at the hotel it was not a viable solution since I cannot find out the public IP. But since I have been reading more it sounds like the local address field should be the local machine's IP address. Now I am even more confused since in the NetGear setup I need to specify the IP address or range for the remote LAN IP. I know that I am missing something and that was the reason for the original post. Thanks

Re: Netgear - Phase 2 failing by cnadig on 2004-06-08 23:04:12 +0200
Hello, the local address field in IPSecuritas is used to explicitly define the source address of your traffic going through the tunnel - it has no effect on the tunnel itself (it's often referred to as virtual local address because it makes the remote end (machines within the LAN behind the VPN router, not the VPN router itself) think you have a different IP address).
Basically everything works for this field, but it is common to use a private network address like 10.x.x.x or 192.168.x.x. If no local address is specified, your computer's default interface address is used (whatever you get from your ISP or the NAT router). The VPN router normally has rules on how to route packets through which tunnel. So if you define 192.168.1.1 for your local address in IPSecuritas, you should also enter this address for the destination address rule in your Netgear configuration. I don't have a FVS318 but a 328, but I assume the two work quite similarly. I could post a working configuration of my 328, if you like. Cheers, Christoph

Re: Netgear - Phase 2 failing by 2manysecrets on 2004-06-09 03:19:18 +0200
Yep, I found that out today. Thanks for the reply. I now have it working and the only unresolved issue is the ability for the computers behind the FVS318 to see my computer. I have a good connection working, but if my laptop goes to sleep while the VPN is connected and the network connection is dropped, I have to sleep the laptop and wake it back up before I can reconnect. Hope that helps.
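The checks that jsilk and cnadig spell out in this thread (network definitions and identifiers equal at both ends, phase 1 and phase 2 parameters agreeing, and a local address that the router actually routes back into the tunnel) can be written down as a small consistency script. The following is an added example, not code from IPSecuritas, Netgear or anyone in this thread; the field names, the router's phase 1 hash and the sample values are assumptions constructed from the settings posted here.

```python
"""Consistency check between an IPSecuritas host-to-network profile and the
policy on the VPN router at the other end (added example, not project code).
Field names and sample values are constructed from the settings posted in
this thread; the router's phase 1 hash is an assumption."""

import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Phase:
    encryption: frozenset      # algorithms offered or accepted, e.g. {"3DES"}
    auth: frozenset            # hash / HMAC algorithms
    dh_group: Optional[str]    # DH group (phase 1) or PFS group (phase 2); None = no PFS


@dataclass(frozen=True)
class ClientProfile:           # the IPSecuritas side
    exchange_mode: str
    phase1: Phase
    phase2: Phase
    local_id: str              # ID/Auth: Local Identifier
    remote_id: str             # ID/Auth: Remote Identifier
    local_address: Optional[str]   # the "virtual local address"; None = interface address
    remote_network: str        # LAN behind the router, CIDR


@dataclass(frozen=True)
class RouterPolicy:            # the VPN router side
    exchange_mode: str
    phase1: Phase
    phase2: Phase
    local_id: str              # the router's own identifier
    remote_id: str             # the identifier it expects from the client
    remote_lan: str            # addresses it routes into this tunnel, CIDR
    local_lan: str             # the protected LAN, CIDR


def check_profile(client: ClientProfile, router: RouterPolicy,
                  interface_address: Optional[str] = None) -> List[str]:
    """Return the mismatches between the two ends; an empty list means consistent."""
    issues: List[str] = []
    if client.exchange_mode.lower() != router.exchange_mode.lower():
        issues.append(f"exchange mode: client {client.exchange_mode}, router {router.exchange_mode}")

    # Phase 1 carries a single proposal on both ends here, so it must match exactly.
    for name, cv, rv in (("phase 1 encryption", client.phase1.encryption, router.phase1.encryption),
                         ("phase 1 authentication", client.phase1.auth, router.phase1.auth),
                         ("phase 1 DH group", {client.phase1.dh_group}, {router.phase1.dh_group})):
        if cv != rv:
            issues.append(f"{name}: client {sorted(cv)}, router {sorted(rv)}")

    # Phase 2: the client may offer several algorithms; one in common is enough.
    if not client.phase2.encryption & router.phase2.encryption:
        issues.append("phase 2 encryption: no algorithm in common")
    if not client.phase2.auth & router.phase2.auth:
        issues.append("phase 2 authentication: no algorithm in common")
    if client.phase2.dh_group != router.phase2.dh_group:
        issues.append(f"PFS group: client {client.phase2.dh_group}, router {router.phase2.dh_group}")

    # Identifiers are crossed: what the client calls "local" the router calls "remote".
    if client.local_id != router.remote_id:
        issues.append(f"local identifier {client.local_id!r} is not the router's remote identifier {router.remote_id!r}")
    if client.remote_id != router.local_id:
        issues.append(f"remote identifier {client.remote_id!r} is not the router's own identifier {router.local_id!r}")

    # Routing: the source address used inside the tunnel must fall within the
    # router's remote-LAN rule, otherwise replies are not sent back through it.
    src = client.local_address or interface_address
    if src is None:
        issues.append("local address: blank and interface address unknown, routing cannot be verified")
    elif ipaddress.ip_address(src) not in ipaddress.ip_network(router.remote_lan, strict=False):
        issues.append(f"local address {src} is outside the router's remote LAN rule {router.remote_lan}")
    if ipaddress.ip_network(client.remote_network, strict=False) != ipaddress.ip_network(router.local_lan, strict=False):
        issues.append(f"remote network {client.remote_network} differs from the router's LAN {router.local_lan}")
    return issues


# Constructed from the FVS318 / IPSecuritas pair posted in this thread
# (the router's phase 1 hash is assumed to be MD5; the post does not list it).
ROUTER = RouterPolicy(
    exchange_mode="Aggressive",
    phase1=Phase(frozenset({"3DES"}), frozenset({"MD5"}), "2"),
    phase2=Phase(frozenset({"3DES"}), frozenset({"MD5", "SHA1"}), "2"),
    local_id="FVS318", remote_id="home",
    remote_lan="10.0.0.0/24", local_lan="192.168.1.0/24")

CLIENT = ClientProfile(
    exchange_mode="Aggressive",
    phase1=Phase(frozenset({"3DES"}), frozenset({"MD5"}), "2"),
    phase2=Phase(frozenset({"3DES", "AES192", "AES128"}), frozenset({"MD5", "SHA1"}), "2"),
    local_id="home", remote_id="FVS318",
    local_address=None, remote_network="192.168.1.0/24")

# The same profile with the mistakes this thread turned up: a wrong remote
# identifier, a virtual local address the router does not route, and a
# phase 2 encryption set with nothing in common.
BROKEN = replace(CLIENT, remote_id="netgear", local_address="192.168.1.50",
                 phase2=Phase(frozenset({"DES"}), CLIENT.phase2.auth, "2"))

if __name__ == "__main__":
    for label, profile in (("posted pair", CLIENT), ("broken pair", BROKEN)):
        found = check_profile(profile, ROUTER, interface_address="10.0.0.12")
        print(label, "->", "consistent" if not found else "; ".join(found))
```

Lifetimes are deliberately not compared: the posted pair works with an IKE lifetime of 86400 on the router and 28800 in IPSecuritas, and how much difference is tolerated is decided by the Proposal Check setting rather than by equality.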
Re: Netgear - Phase 2 failing by 2manysecrets on 2004-06-09 03:24:00 +0200
I do have a working configuration

FVS318 settings
Connection Name: IPSecuritas
Local IPSec: FVS318
Remote: Home
Tunnel can be accessed from: any local IP
Tunnel can access: a subnet of remote addresses
Remote LAN start IP Address: 10.0.0.1
Remote LAN IP Subnetmask: 255.255.255.0
Remote WAN IP or FQDN: 0.0.0.0
Secure Association: Aggressive Mode
Perfect Forward Secrecy: Enabled
Encryption Protocol: 3DES
Key Group: Diffie-Hellman Group 2
Preshared Key: 0123456789
Key Life: 28800
IKE Life Time: 86400
NETBIOS Enabled: false

IPSecuritas Settings:
Mode of Operation: Host to Network
Remote IPSec Device: <Static IP Address> of your VPN router
Remote Network: <DHCP Address> (192.168.1.1 / 24)
Local Address: [blank]
Exchange Mode: Aggressive
Proposal Check: Strict
Nonce Size: 16
Phase 1:
  Lifetime: 28800
  DH group: Mod1024 (2)
  Encryption: 3DES
  Authentication: MD5
Phase 2: (least sure about all of these settings, but it works)
  Lifetime: 28800
  PFS Group: Mod1024 (2)
  Encryption: 3DES, AES192, AES128
  Authentication: HMAC MD5, HMAC SHA1
ID/Auth:
  Local Identifier DN: home
  Remote Identifier DN: FVS318
  Preshared Secret: 0123456789
Options: (where unchanged from default) Everything selected but (Passive, Verify Certificate, and Auto Start)
----------------

Re: Netgear - Phase 2 failing by Johan Silkenas on 2004-06-09 12:40:03 +0200
Thanks for the configuration. Mine matches it except for the encryption, where I have opted for less security (DES) to get better speed than when using 3DES. About the Local IP, yes, what Christoph was saying is certainly what I have found as well. All it is, is a virtual address. As long as your settings are the same in IPSecuritas as in the FVS318 for your profile, then you can roam anywhere. Sorry, don't know about making your machine visible to the machines behind the FVS318. Cheers!
Johan

Re: Netgear - Phase 2 failing by nickb on 2004-06-11 02:44:51 +0200
I've tried building on the config above but get:
racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1.
?

Re: Netgear - Phase 2 failing by 2manysecrets on 2004-06-17 15:52:12 +0200
Double check your configuration. Make sure the exchange mode, DH Group, Encryption and Authentication match between IPSecuritas and your VPN server. Next make sure the Local Identifier and Remote Identifier are correct. If these do not match then you will not make it past phase 1. Hope that helps

Re: Netgear - Phase 2 failing by 2manysecrets on 2004-06-29 15:50:51 +0200
UPDATE
This seems to work better than "Tunnel can access: a subnet of remote addresses":
Tunnel can access: a single address
Remote LAN start IP Address: 10.0.0.12
Remote LAN IP Subnetmask: 255.255.255.0
Remote WAN IP or FQDN: 0.0.0.0

IPSecuritas <--> NetScreen Firewall
IPSecuritas <--> NetScreen Firewall by MacJunkie on 2004-06-05 00:56:30 +0200
I configured IPSecuritas to connect with a NetScreen Firewall and I got the following log message:
Jun 5 00:32:50 Vigor102 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 000.000.000.000->192.168.1.102
Jun 5 00:32:50 Vigor102 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for
(I deleted the IP address in this article because of data rights.) Has anybody configured an IPSecuritas to Netscreen connection successfully? How? (With VPNTracker the connection works fine - but I do not want to use VPNTracker.)

Re: IPSecuritas <--> NetScreen Firewall by cnadig on 2004-06-08 23:10:39 +0200
Hello, could you post a bit more of the log, especially the last 5-10 lines before what you posted already? Also, posting your IPSecuritas settings would be useful (please remove any confidential information!)
Thanks, Christoph

IPv6 and IPSecuritas
IPv6 and IPSecuritas by Axel on 2004-06-05 22:47:08 +0200
Does anyone know if IPSecuritas is interoperable with IPv6 addresses?

Netgear FVS318 LOG says I am connected.....
Netgear FVS318 LOG says I am connected..... by Johan Silkenas on 2004-06-06 17:38:58 +0200
I am confused as to why I am not able to access the remote network. My Netgear FVS318 VPN log says:
06/07/2004 01:17:24 - FVS318 IKE:[JohanSilkenas_tmp37] established with 144.132.212.106 successfully.
The Netgear VPN status shows an Active connection. The IPSecuritas LOG confirms the connection:
Jun 7 01:20:55 jsilkimac racoon: INFO: pfkey.c:1352:pk_recvadd(): IPsec-SA established: ESP/Tunnel [my IP address] -> [VPN Server IP address] spi=3847618502(0xe555ffc6)
However, when I try a telnet to a remote host it just sits there, same if I try connecting to a file share. If I use VPN Tracker it works straight away. My configuration is the same in IPSecuritas as with VPN Tracker. My OS is 10.3.4 and I am using IPSecuritas 2.0.5. Is there anyone out there who has successfully got IPSecuritas 2.0.5 to work with a Netgear FVS318? Looking forward to creative ideas for getting this great VPN client to successfully allow access to the FVS318-protected network. Cheers! Johan

Re: Netgear FVS318 LOG says I am connected..... by cnadig on 2004-06-08 23:08:26 +0200
Hello Johan, do you get a green check mark instead of the red cross in the main window? If so, I suspect a routing problem or a problem with your local IP address - did you fill anything into the local address field? Also, could you post a short description of your network setup and the settings in IPSecuritas (please remove any confidential information!) Cheers, Christoph

cant to connect to netscreen, VPN tracker works!
cant to connect to netscreen, VPN tracker works! by desktopguy on 2004-06-09 16:26:54 +0200
Hi, I am having trouble connecting to a netscreen firewall via an OS X 10.3.4 workstation. VPN tracker works fine.
The log shows:
Jun 10 00:02:55 support racoon: WARNING: ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched.
Jun 10 00:02:55 support racoon: WARNING: ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched.
Jun 10 00:02:55 support racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Jun 10 00:02:55 support racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Jun 10 00:02:55 support racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Jun 10 00:02:55 support racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Jun 10 00:02:55 support racoon: ERROR: oakley.c:2071:oakley_skeyid(): couldn't find the pskey for X.X.X.X.
Jun 10 00:02:55 support racoon: ERROR: oakley.c:2071:oakley_skeyid(): couldn't find the pskey for X.X.X.X.
My settings for ID/Auth are:
local identifier - DN: user@company.com
remote identifier - DN: netscreen
using preshared secret.
With identical settings (default) in VPN tracker it works OK. NOTE: the VPN tracker log shows:
2004-06-09 23:23:35: INFO: isakmp.c:1034:isakmp_ph1begin_i(): begin Aggressive mode.
2004-06-09 23:23:35: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID type mismatched.
2004-06-09 23:23:35: WARNING: ipsec_doi.c:3134:ipsecdoi_checkid1(): ID value mismatched.
2004-06-09 23:23:35: NOTIFY: oakley.c:2111:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
2004-06-09 23:23:35: INFO: isakmp.c:2783:log_ph1established(): ISAKMP-SA established X.X.X.X[500]-X.X.X.X[500] spi:1eddb852701da258:ad5d572683e3bc62
2004-06-09 23:23:36: INFO: isakmp.c:1173:isakmp_ph2begin_i(): initiate new phase 2 negotiation: X.X.X.X[0]<=>X.X.X.X[0]
I guess VPN tracker also has problems, but then falls back to another setting which works. Any help would be appreciated

Re: cant to connect to netscreen, VPN tracker work by cnadig on 2004-06-23 18:22:07 +0200
Hello, try to set the remote identifier to address instead of DN. Cheers, Christoph

Re: cant to connect to netscreen, VPN tracker work by desktopguy on 2004-06-24 02:28:32 +0200
Thanks cnadig, that works fine now. It is slower to establish the VPN but it works

xauth
xauth by manu sawkar on 2004-06-09 23:27:45 +0200
Will ipsecuritas incorporate xauth support? I can't find an OS X client that has this feature. I can connect to our sonicwall FW when I turn off xauth, but our group VPN policy requires this and I am not allowed to keep it disabled. Any thoughts? Thanks, Manu Sawkar

Re: xauth by cnadig on 2004-06-23 18:20:06 +0200
Hello Manu, IPSecuritas is completely dependent on racoon, the IKE daemon which is responsible for the authentication and key exchange. According to their website (http://www.kame.net/racoon), they have no plans to support XAUTH as it is not an official IETF standard. As soon as racoon supports XAUTH, IPSecuritas will. Cheers, Christoph

Re: xauth by shaddow on 2006-01-19 01:17:34 +0100
Does Tiger support xauth yet? I read here that it did, and was hoping if it was true it would be added to IPsecuritas. http://wiki.openswan.org/index.php/InteroperatingMac I also saw that racoon went to ipsec-tools and I believe ipsec-tools now supports xauth?

Re: xauth by gdanko on 2006-01-30 04:49:13 +0100
How does VPN Tracker implement xauth?
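The racoon messages quoted across these threads (ID type/value mismatched and no pskey found in the NetScreen thread, phase 2 timing out waiting for phase 1, pfkey_timeover giving up on the IPsec-SA in the Netgear thread, and the "no hash payload" notifications after the built-in L2TP client was used) each point at a different stage of the negotiation. The following triage script is an added example, not racoon or IPSecuritas code: the patterns are the function names and message texts as printed in the posts, the hints are the diagnoses reached in the threads, and the two sample logs are constructed (peer addresses invented) to exercise the matcher.

```python
"""Triage of racoon log lines of the kind posted in these threads
(added example; patterns taken from the posted excerpts, sample logs constructed)."""

import re
from typing import Dict, List, Tuple

# (key, pattern, hint): the patterns are racoon's function names and message
# texts as they appear in the posts above; the hints are the threads' diagnoses.
SIGNATURES = [
    ("phase1-id",
     re.compile(r"ipsecdoi_checkid1\(\): ID (type|value) mismatched"),
     "the peer's identifier differs in type or value from the Remote Identifier "
     "on the ID/Auth tab (in the NetScreen thread, Address instead of DN fixed it)"),
    ("psk-lookup",
     re.compile(r"oakley_skeyid\(\): couldn't find the pskey for"),
     "no preshared key could be found by the peer's identifier or by its address; "
     "phase 1 cannot authenticate until the identifier lookup succeeds"),
    ("phase1-timeout",
     re.compile(r"isakmp_chkph1there\(\): phase2 negotiation failed due to time up waiting for phase1"),
     "phase 1 never completed: exchange mode, DH group, encryption, authentication "
     "or identifiers differ between the two ends, or the gateway is not reachable"),
    ("phase2-timeout",
     re.compile(r"pfkey_timeover\(\): .* give up to get IPsec-SA"),
     "phase 1 completed but no IPsec SA was agreed: local/remote network "
     "definitions or phase 2 proposals (encryption, authentication, PFS) differ"),
    ("unauthenticated-notify",
     re.compile(r"isakmp_info_recv\(\): ignore information because the message has no hash payload"),
     "the peer sent an informational message without a hash, i.e. outside any "
     "ISAKMP SA racoon knows about; in this thread it appeared after the built-in "
     "IPSec/L2TP client had been used against the same gateway"),
]

# Progress markers, in negotiation order.
STAGES = ["none", "phase1", "phase2"]
PROGRESS = [("phase1", re.compile(r"ISAKMP-SA established")),
            ("phase2", re.compile(r"IPsec-SA established"))]


def triage(lines: List[str]) -> Tuple[str, Dict[str, int]]:
    """Return (furthest stage that succeeded, {signature key: hit count})."""
    stage = "none"
    hits: Dict[str, int] = {}
    for line in lines:
        for name, pat in PROGRESS:
            if pat.search(line) and STAGES.index(name) > STAGES.index(stage):
                stage = name
        for key, pat, _hint in SIGNATURES:
            if pat.search(line):
                hits[key] = hits.get(key, 0) + 1
    return stage, hits


def explain(lines: List[str]) -> List[str]:
    """Human-readable summary: stage reached, then one line per matched signature."""
    stage, hits = triage(lines)
    hints = {key: hint for key, _pat, hint in SIGNATURES}
    out = [f"furthest stage reached: {stage}"]
    for key, n in hits.items():
        out.append(f"{key} x{n}: {hints[key]}")
    return out


# Constructed excerpt in the shape of the NetScreen thread (peer address invented).
ID_MISMATCH_LOG = """\
Jun 10 00:02:55 support IPSecuritas: Starting racoon...
Jun 10 00:02:55 support racoon: WARNING: ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched.
Jun 10 00:02:55 support racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Jun 10 00:02:55 support racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Jun 10 00:02:55 support racoon: ERROR: oakley.c:2071:oakley_skeyid(): couldn't find the pskey for 203.0.113.7.
""".splitlines()

# Constructed excerpt in the shape of the Netgear phase 2 thread (addresses invented).
PHASE2_LOG = """\
Jun  4 13:27:40 AgentSmith racoon: INFO: isakmp.c:2783:log_ph1established(): ISAKMP-SA established 192.0.2.10[500]-203.0.113.7[500]
Jun  4 13:28:03 AgentSmith racoon: DEBUG: isakmp.c:1756:isakmp_ph2resend(): resend phase2 packet
Jun  4 13:28:12 AgentSmith racoon: ERROR: pfkey.c:745:pfkey_timeover(): 203.0.113.7 give up to get IPsec-SA due to time up to wait.
Jun  4 13:28:12 AgentSmith racoon: ERROR: pfkey.c:745:pfkey_timeover(): 203.0.113.7 give up to get IPsec-SA due to time up to wait.
""".splitlines()

if __name__ == "__main__":
    for label, log in (("NetScreen-style log", ID_MISMATCH_LOG), ("Netgear-style log", PHASE2_LOG)):
        print(label)
        for line in explain(log):
            print("  " + line)
```

The stage line is the useful part when reading a long verbose-debug log: a phase 2 timeout with "phase1" reached means the IKE parameters are fine and the network definitions or phase 2 proposals are the place to look, while anything matched with the stage still at "none" is a phase 1 problem and the identifiers and preshared key should be checked first.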
Re: xauth by cnadig on 2006-01-31 00:34:03 +0100
Hello, a beta version of IPSecuritas 3.0 with support for XAUTH is available (not yet public but on request) and I'm looking for testers. If interested, please send me an e-mail to lobotomo@lobotomo.com. Christoph

Re: xauth by gdanko on 2006-01-31 19:43:32 +0100
I installed the beta. Here are my settings on both ends.

Here are my settings for the SonicWall 5060...
[b]General Tab[/b]
IPSec Keyring Mode: IKE using Preshared Secret
Name: WAN GroupVPN
Shared Secret: SomeSharedSecretKey
[b]Proposals Tab[/b]
[u]IKE (Phase 1) Proposal[/u]
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time (seconds): 28800
[u]Ipsec (Phase 2) Proposal[/u]
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Enable Perfect Forward Security: Unchecked
Life Time (seconds): 28800
[b]Advanced Tab[/b]
Enable Windows Networking (NetBIOS) Broadcast: Checked
Enable Multicast: Unchecked
Management via this SA: HTTP and HTTPS unchecked
Default Gateway: 0.0.0.0 (aka None)
Require Authentication of VPN Clients via XAUTH: Checked
User Group for XAUTH users: Trusted Users

Here are my IPSecuritas Settings
[b]General Tab[/b]
Remote IPSec Device: aaa.bbb.ccc.ddd
Local Side Endpoint Mode: Host (IP left empty)
Remote Side Endpoint Mode: 10.0.10.0
Network Mask (CIDR): 24
[b]Phase 1 Tab[/b]
Life Time: 28800 Seconds
DH Group: 1024 (2)
Encryption: 3DES
Authentication: SHA1
Exchange Mode: Aggressive
Proposal Check: Obey (SonicWall tech doesn't know what this is for)
Nonce Size: 16
[b]Phase 2 Tab[/b]
Lifetime: 28800 Seconds
PFS Group: None
Encryption: Only 3DES is checked
Authentication: Only SHA1 is checked
[b]Id/Auth Tab[/b]
Local Identifier: Address (SonicWall tech doesn't know what this is for)
Remote Identifier: Address (SonicWall tech doesn't know what this is for)
Authentication Method: Preshared Key (my key here)
[b]Options Tab[/b]
The SonicWall tech didn't know what to put here so everything is left

Re: xauth by shaddow on 2006-02-16 04:13:35 +0100
I tried emailing a week or so ago and have heard nothing. I can test this on a router here that supports xauth.
[quote author=cnadig link=1086816465/0#4 date=1138664043]Hello, a beta version of IPSecuritas 3.0 with support for XAUTH is available (not yet public but on request) and I'm looking for testers. If interested, please send me an e-mail to lobotomo@lobotomo.com. Christoph[/quote]

Re: xauth by ritani on 2006-03-28 16:43:57 +0200
Hi, we are using xauth with RSA and not with a pre-shared key, was anyone able to make it work? We are testing revision 3.0 with a Netscreen 208 version 5.1.0r4a.0. Thank you, ritani

Re: xauth by ritani on 2006-03-29 15:55:59 +0200
We also tried xauth with preshared keys, but it seems that the Netscreen is not detecting that the client is sending it any password while the client starts Phase 2 negotiations. Below is the log of the Netscreen:
2006-03-29 14:04:26 info IKE: User <zs03@fea.aub.edu.lb> with ID <75> requested a connection
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 1: Responder starts AGGRESSIVE mode negotiations.
2006-03-29 14:04:26 info IKE: User <zs03@fea.aub.edu.lb> with ID <75> requested a connection.
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 1: IKE responder has detected NAT in front of the local device.
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 1: IKE responder has detected NAT in front of the remote device.
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 2 msg ID <fb4be856>: Responded to the peer's first message.
2006-03-29 14:04:26 info Rejected an IKE packet on loopback.1 from 192.168.136.24:4500 to 192.168.140.2:4500 with cookies d2b2a44cc455b8a0 and 70ac984644c807a1 because a Phase 2 packet arrived while XAuth was still pending.
2006-03-29 14:04:26 info IKE<192.168.136.24> Phase 2 msg ID <fb4be856>: Negotiations have failed.
2006-03-29 14:04:32 info IKE<192.168.136.24>: XAuth login was aborted for gateway <CNSwlanGW>, username <zs03>, retry: 0. 2006-03-29 14:04:40 info IKE<192.168.136.24>: XAuth login expired and was terminated for username <zs03> at <192.168.157.105>. Has any body faced the same? Thanks IPSec with Bintec Router works fine. IPSec with Bintec Router works fine. by netgoblin on 2004-06-14 10:15:58 +0200 Hello, for information I have tested IPSecuritas with Bintec Router IPsec. - Presahred Key and Certificate works - But in the moment only 3des / AES encryption works. By interest I may send the config form both sides. by netgoblin Re: IPSec with Bintec Router works fine. by cnadig on 2004-06-23 18:17:45 +0200 Hello Netgoblin, I'd be thankful for a short description that I could add to the online help in IPSecuritas! Thanks, Christoph Re: IPSec with Bintec Router works fine. by netgoblin on 2004-06-28 09:44:28 +0200 IPSec Config Bintec VPN25: 1. IPSec Main Screen 2. IKE Phase 1 defaults 3. IPsec Phase 2 defaults 4. Peer Config 4.1 Traffic List 5. Certificates 5.1 CA Certificat 5.2 Own Certificat 5.3 Peer Certificat 6. Tips Software Releases: Bintec VPN25: fossie:> show rev Logik : V.1.0 Bootmon : V.7.1.2 Boss : V.7.1 Rev. 2 (Patch 8 ) IPSec V. 2.1.1 from 2004/06/17 00:00:00 1. IPSec Main Screen VPN Access 25 Setup Tool BinTec Access Networks GmbH [IPSEC]: IPsec Configuration - Main Menu fossie _______________________________________________________________________________ Enable IPSec : yes Pre IPSec Rules > Configure Peers > Post IPSec Rules > IKE (Phase 1) Defaults *autogenerated* IPsec (Phase 2) Defaults *autogenerated* Certificate and Key Management > edit > edit > Advanced Settings > Wizard > Monitoring > SAVE CANCEL _______________________________________________________________________________ 2. 
IKE Phase 1 defaults: (*autogenerated*)
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[IPSEC][PHASE1][EDIT] fossie
_______________________________________________________________________________
Description (Idx 1) : *autogenerated*
Proposal : 2 (DES3/MD5)
Lifetime : 7200 Sec (1)
Group : 2 (1024 bit MODP)
Authentication Method : RSA Signatures
Mode : id_protect
Heartbeats : none
Block Time : 0

Re: IPSec with Bintec Router works fine.
by netgoblin on 2004-06-28 09:45:03 +0200
5. Certificates
5.1 CA Certificate
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][OWN]: IPsec Configuration - Certificate Management fossie
_______________________________________________________________________________
Flags: 'O'= own cert, 'CA'= CA cert, 'N'= no CRLs, 'T'= cert forced trusted
Description    Flags    SerialNo   Subject Names
vpn25-fossie   O        2          CN=vpn25, OU=Support, O=netgoblin, ST=Bav
DOWNLOAD DELETE EXIT
_______________________________________________________________________________
5.2 Own Certificate
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][CAS]: IPsec Configuration - Certificate Management fossie
_______________________________________________________________________________
Flags: 'O'= own cert, 'CA'= CA cert, 'N'= no CRLs, 'T'= cert forced trusted
Description    Flags    SerialNo   Subject Names
Chewbacker     CA,N,T   0          CN=chewbacker, OU=chewbacker, O=netgoblin
DOWNLOAD DELETE EXIT
_______________________________________________________________________________
5.3 Peer Certificate
VPN Access 25 Setup Tool BinTec Access Networks GmbH
[IPSEC][CERTMGMT][PEERS]: IPsec Configuration - Certificate Management fossie
_______________________________________________________________________________
Flags: 'O'= own cert, 'CA'= CA cert, 'N'= no CRLs, 'T'= cert forced trusted
Description    Flags    SerialNo   Subject Names
powerbook      T        0          OU=pb4, O=netgoblin, ST=Bavaria, C=DE, [n
DOWNLOAD DELETE EXIT
_______________________________________________________________________________
8. Watch your time and date on the Bintec, especially when you work with certificates. (New Bintec products have no real-time clocks.) Timesync via ntp or isdn.
fossie:> date
Mon Jun 28 9:33:35 2004
Debug level increment.

IPSecuritas appears to be doing nothing at all
by DarkBytes on 2004-06-23 14:58:52 +0200
Hi, I have installed & run the latest version of IPSecuritas on macOS 10.2.8 in an attempt to have it connect through our Checkpoint NG firewall. The thing is, after configuring the client & attempting to initialize a connection, my gateway logs are showing no connections from the client at all? I must be doing something fundamentally wrong, but it is as if IPSecuritas is doing nothing at all. Also, could someone explain where I can find the logs for the client, or how I run it in verbose mode? I would assume that as long as I have the correct IP of my gateway & roughly the correct settings on the client, I should see some kind of connection attempts on my firewall, be they failed attempts etc. Please help. Many many thanks

Re: IPSecuritas appears to be doing nothing at all
by cnadig on 2004-06-23 18:14:31 +0200
Hello, to open the log window, go to File and select Open Log. The log detail can be increased in the preferences. I would also assume that there should be some activity visible in the firewall's log, as long as the 'Establish IKE' option is enabled in IPSecuritas. I can probably give more hints if you'd post the IPSecuritas log (with log level set to debug or verbose debug) - please remove any confidential information.
Christoph

Can you use certs and user/pass on same connection
by LoopyShane on 2004-06-23 18:14:37 +0200
This may be a unique setup here, but my client has just had a BSD-based router installed that is set up for incoming L2TP over IPSec connections that use a cert as well as username/password auth. Apple's Internet Connect allows the username/password but no certs. IPSecuritas allows the certs but I can't see that it allows user/pass. Is there a way to use both, or to get IPSecuritas to add cert auth to the Apple connect? Or is there a way to get IPSecuritas to use the user/pass?

Re: Can you use certs and user/pass on same connec
by nbirnbaum on 2004-08-26 21:21:30 +0200
Did you ever figure this out?

Re: Can you use certs and user/pass on same connec
by Fernando J. Pereda on 2004-09-08 02:14:35 +0200
I really need this.... If you know how to do it, it'd be great! Cheers

Stop IPSec keeps GIF1 alive - Route corrupt
by mhaury on 2004-06-29 14:02:18 +0200
Hello, don't know if this is a bug or not. I have two VPN connections set up in parallel, one for our Intranet, another for our DMZ. Both work fine; however, when I stop IPSec the second connection (to the DMZ) continues to stay active, although apparently IPSec is shut down. At least the routing table seems wrong and indicates a route via GIF1 (and should be EN0):
route to: xxx.aaa.bbb.com
destination: 192.168.0.0
mask: 255.255.0.0
interface: gif1
flags: <UP,DONE,STATIC,PRCLONING>
recvpipe  sendpipe  ssthresh  rtt,msec  rttvar  hopcount  mtu   expire
       0         0         0         0       0         0  1280       0
I'm running OS X 10.3.4 with all updates and IPSecuritas 2.0.5. Any ideas? Also, how can I reset the routes correctly such that things work? 'route flush' does not work, only a restart. Thanks for the GREAT Software anyway !!!
Matthias

checkpoint userc.C file
by ac7ub on 2004-06-30 11:05:31 +0200
Greetings folks, does anyone out there know how to extract the pkcs12 certificate from a userc.C file my company gave me for the winblows client and convert it to a format I can import?

Re: checkpoint userc.C file
by llllllllllllllllllllllll on 2004-09-30 03:51:32 +0200
Did anyone ever figure this out? I have a userc.C file from Windows that I'd like to use to set up IPS on my new Mac. Are these keys linked with hardware in any way? I'm wondering if there is some Intel chip code that it's looking for.

Using IPSecuritas for a VPN-1 SecuRemote login
by mluker on 2004-07-07 00:50:03 +0200
I have an office VPN that is accessed using the standard VPN-1 SecuRemote client on Windows. I have a PowerBook at home I would rather use than the corporate laptop I was given. I have tried to get IPSecuritas set up, but I must confess to being completely ignorant of what settings I should use. My HelpDesk only supports the Windows software, and the "settings" they gave me were next to useless (i.e. enter this IP and use your login) when it comes to all the IPSecuritas settings. Does anyone have the standard settings for a CheckPoint firewall that is normally accessed by a SecuRemote client? Any help at all is greatly appreciated :D

Re: Using IPSecuritas for a VPN-1 SecuRemote login
by Matthias Haury on 2004-07-08 19:43:08 +0200
Hello, we had the same problem; we have a pretty much standard VPN setup in a Checkpoint NG...
so here are the settings for IPSecuritas that work for us:
remote device: <IP of your Checkpoint FW>
remote network: 172.22.0.0/16 (or whatever netmask you choose for access)
local mask: 32
main
shared secret: <password entered in VPN of Checkpoint>
local IP: <leave empty>
mode: aggressive
proposal check: claim
nonce size: 16
phase 1: lifetime 1440 seconds, dh group 2, 3des, sha1
phase 2: lifetime 3600 seconds, pfs group 2, 3des, hmac_sha1
id local: <your email or whatever ID you entered in Checkpoint>
remote: <leave empty>

Here are a couple of command-line tools to see your setup once started in IPSecuritas (you need to be root or run with sudo):
Diagnosis:
==========
See the current setup:
sudo setkey -DP
Flush the current setup:
sudo setkey -FP

Hope that helps.. we have some problems when stopping IPSecuritas on OSX 10.3.4 where it sometimes keeps the gif1 interface active for a second VPN connection that one enters (see my post on this issue); other than that it works great. You can add a special local IP if you wish (I left it empty above), and this helps you to be identified correctly.. however you cannot specify the same network range for local IP as the one behind your Checkpoint FW !!! Best. Matthias

Re: Using IPSecuritas for a VPN-1 SecuRemote login
by mluker on 2004-07-08 22:15:47 +0200
Thanks for your reply.
Unfortunately it is still not working :-( Here are the settings I currently have:
General
Mode: Host To Network
Remote IPSec Device: [address as given to me by support for SecuRemote]
Remote Network: [same address sans a byte] / 24
Local Address: <blank>
Exchange Mode: Aggressive
Proposal: Claim
Nonce: 16
Phase 1
Lifetime: 1440
DH Group: Mod1024(2)
Encryption: 3DES
Authentication: SHA1
Phase 2
Lifetime: 3600
PFS Group: Mod1024(2)
Encryption: 3DES
Authentication: HMAC SHA1
ID/Auth
Identification: DN: [my username]
Remote Identifier: Address
Authentication: Preshared Secret: [my password]
Options
IPSec/IKE Options: IPSEC DOI, SIT_IDENTITY_ONLY, Initial Contact, Generate Policy, MIP6
General Options: Establish IKE immediately
---
Is there something I am missing? From the log file, it appears to be failing on phase 1:
[quote]
Jul 8 13:03:32 meson racoon: INFO: isakmp.c:1953:isakmp_post_acquire(): IPsec-SA request for checkpoint-ip queued due to no phase1 found.
Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:1001:isakmp_ph1begin_i(): ===
Jul 8 13:03:32 meson racoon: INFO: isakmp.c:1006:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 10.20.20.33[500]<=>checkpoint-ip[500]
Jul 8 13:03:32 meson racoon: INFO: isakmp.c:1011:isakmp_ph1begin_i(): begin Aggressive mode.
Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:2265:isakmp_newcookie(): new cookie: 9fac4f294e77ce4f
Jul 8 13:03:32 meson racoon: DEBUG: ipsec_doi.c:3212:ipsecdoi_setid1(): use ID type of FQDN
Jul 8 13:03:32 meson racoon: DEBUG: oakley.c:257:oakley_dh_generate(): compute DH's private.
Jul 8 13:03:32 meson racoon: DEBUG: oakley.c:259:oakley_dh_generate(): compute DH's public.
Jul 8 13:03:32 meson racoon: DEBUG: isakmp_agg.c:169:agg_i1send(): authmethod is pre-shared key
Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:2382:set_isakmp_payload(): add payload of len 48, next type 4
Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:2382:set_isakmp_payload(): add payload of len 128, next type 10
Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:2382:set_isakmp_payload(): add payload of len 16, next type 5
[/quote]

Re: Using IPSecuritas for a VPN-1 SecuRemote login
by Matthias Haury on 2004-07-19 10:40:38 +0200
Hello, well, sorry, might be my mistake; I have now some different settings running, but don't remember if this was because of an upgrade of NG... try those:
Tab: Phase 1
Lifetime: 28800 seconds
Group: mod1024(2)
Encryption: DES
Authentication: SHA1
Tab: Id/Auth
Encryption: I have active: DES, AES256, 3DES, AES128
Authentication: I have HMAC MD5 and HMAC SHA1
Options: I don't have "Verify Identifier" selected
Everything else is identical to yours... If this does not work, you have to check with your support what settings they hacked into Checkpoint.. maybe they modified the default ones. Also verify that your IP netmask is really /24. Let me know if this helps... M.

Re: Using IPSecuritas for a VPN-1 SecuRemote login
by Helmut Peschke on 2004-09-21 17:40:00 +0200
Hi folks, I am using IPSecuritas on Mac OS 10.3.5 with CheckPoint with all the parameters described in the HOWTO; however, the Local Identifier in Id/Auth has to be written as name@domain (e.g. the email address), which in turn has to be the userid in the VPN-1 software, otherwise the contents are not identified as a user id. Hope this helps.

Re: Using IPSecuritas for a VPN-1 SecuRemote login
by Fabrice on 2004-11-06 18:43:38 +0100
[quote author=Helmut Peschke link=1089154204/0#4 date=1095781200]Hi folks, I am using IPSecuritas on Mac OS 10.3.5 with CheckPoint with all the parameters described in the HOWTO, however the Local Identifier in Id/Auth has to be written as name@domain (e.g.
the email adress), which in turn has to be the userid in the VPN-1 software, otherwise the contents is not identified as user id. Hope this helps.[/quote]
Can you help me? I used vaporsec 0.9 with success on Panther, but I know that the developer stopped this program, and he suggests IPSecuritas. I'm just trying to connect my computer from my home to my network (firewall checkpoint). I can admin the server side. I've got the "green check" on IPSecuritas, but the log gives the error:
Nov 6 18:12:14 XXXX racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
And of course it doesn't work. Is that the problem you're talking about? You mean that in the "local identifier DN" I put my full e-mail? And on the server side, I put the full e-mail? Where? Thanks a lot in advance. Kind regards

Re: Using IPSecuritas for a VPN-1 SecuRemote login
by cnadig on 2004-11-07 01:42:25 +0100
Hello Fabrice, try disabling the 'Verify Identifier' option in IPSecuritas. Let us know how it goes! Cheers, Christoph

Re: Using IPSecuritas for a VPN-1 SecuRemote login
by Fabrice on 2004-11-07 10:12:10 +0100
[quote author=cnadig link=1089154204/0#6 date=1099788145]Hello Fabrice, try disabling the 'Verify Identifier' option in IPSecuritas. Let us know how it goes! Cheers, Christoph[/quote]
Thanks for your answer. "Verify Identifier" was already disabled.

Re: Using IPSecuritas for a VPN-1 SecuRemote login
by fabrice on 2004-11-07 10:47:12 +0100
Difficult to explain, but it works! The only thing I've changed is in phase 2 in IPSecuritas: I've unchecked DES, AES 128, AES 256 and HMAC MD5. Of course I can tell anybody my settings, if it can help. Thanks for your help.

Using IPSecuritas with NetScreen 208
by joanba on 2004-07-09 19:43:03 +0200
Hi, I'm a complete newbie with VPN questions and I want to know if what is happening to me is normal.
We use a NetScreen 208 firewall to protect our company network and I want to access it from the Internet using a Mac (MacOS X 10.3.4). The NetScreen is configured to use L2TP, I think without IPSec. I can connect, but look what I need to do: I've configured Internet Connect, using VPN (L2TP); I enter my user/password but in the log appears:
Fri Jul 9 19:37:19 2004 : L2TP: starting racoon...
Fri Jul 9 19:37:22 2004 : L2TP connecting to server '62.ZZ.XX.YY' (62.ZZ.XX.YY)...
Nothing else. But if I run IPSecuritas 2.0.5 (without any configuration), the Start IPSec button is disabled and Stop IPSec is enabled. If I press Stop IPSec the connection starts and works fine:
Fri Jul 9 19:37:26 2004 : L2TP connection established.
Fri Jul 9 19:37:26 2004 : Using interface ppp0
Fri Jul 9 19:37:26 2004 : Connect: ppp0 <--> socket[34:18]
Fri Jul 9 19:37:26 2004 : Remote message: We welcome you.
Fri Jul 9 19:37:26 2004 : acsp resetci called
Fri Jul 9 19:37:26 2004 : local IP address 10.250.250.1
Fri Jul 9 19:37:26 2004 : remote IP address 62.ZZ.XX.YY
Fri Jul 9 19:37:26 2004 : primary DNS address 10.0.0.15
Fri Jul 9 19:37:26 2004 : secondary DNS address 10.0.0.16
Fri Jul 9 19:37:53 2004 : Terminating on signal 15.
Fri Jul 9 19:37:53 2004 : Connection terminated.
Fri Jul 9 19:37:53 2004 : Connect time 0.5 minutes.
And when I close the connection the log also finishes:
Fri Jul 9 19:37:53 2004 : Sent 44 bytes, received 0 bytes.
Fri Jul 9 19:37:53 2004 : L2TP disconnecting...
Fri Jul 9 19:37:53 2004 : L2TP disconnected
Any idea or comment? What am I doing wrong? Best regards, Joan B. Altadill

VPN is happy; but can't see remote network
by twarge on 2004-07-15 06:52:55 +0200
So I've made a connection with the Linksys BEFVP41 router in the lab; I have a nice green checkbox and both sides seem to agree that they're happily connected. Now I'm missing something rather serious here: I'm not seeing the remote network.
I've tried various computers' IP addresses and get no response. If I look at the computers in the Network folder, I see just the local computers at home like I've always seen. So how do I channel all my traffic through the tunnel? What am I missing? Help is greatly appreciated. Tom Kornack

Re: VPN is happy; but can't see remote network
by sbickle on 2004-07-29 16:39:20 +0200
Is this still a problem? It would sound like the IPSEC tunnel doesn't contain the right information for what IPs are on the other side of the remote network...

Re: VPN is happy; but can't see remote network
by sfazzina on 2004-08-06 02:43:54 +0200
I HAVE THE SAME PROBLEM :) - EXCEPT - I DO NOT HAVE A CHECKBOX - I HAVE A RED X

Re: VPN is happy; but can't see remote network
by Matt Deatherage on 2004-08-06 09:36:43 +0200
I have the same problem, and it's not that the tunnel contains the wrong information. The BEFVP41 reports that the tunnel is connected, and the remote computer correctly reports that traffic to the local area network should be routed through gif0 - but nothing happens. The network on the Linksys end is 192.168.1/24, and the remote computer is trying to connect as 192.168.1.100, but even though the tunnel is up and the routing is right, the remote computer can't reach any machines on the local network or vice versa. Attempts on the local network to ping 192.168.1.100 are fruitless.

Re: VPN is happy; but can't see remote network
by Laurens van Hoorn on 2004-11-04 09:06:41 +0100
I (now) have the same problem, although the VPN used to work fine from another location. Unfortunately, that location is on another continent, so going back there is not an option.
No indication in the log that anything is wrong:
Log output from IPSecuritas 2.0.6
Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Parsing configuration
Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Setting up racoon.conf
Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Setting up setkey.conf
Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Setting up psk.txt
Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Setting up tunnel.conf
Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Parsing configuration done
Nov 4 08:50:20 PowerBook-G4-Laurens IPSecuritas: Starting racoon...
Nov 4 08:50:20 PowerBook-G4-Laurens IPSecuritas: Racoon is running
Nov 4 08:50:20 PowerBook-G4-Laurens IPSecuritas: Set kernel keys
So what could be the problem?! Any suggestions greatly appreciated.

Re: VPN is happy; but can't see remote network
by Rich on 2004-11-05 12:29:19 +0100
Same trouble. Cannot ping wireless machines from Xserve, cannot see wired Macs in Local on wireless machines. Wireless machines can see each other in Local.

Re: VPN is happy; but can't see remote network
by JP on 2004-12-02 00:34:27 +0100
I had the same problem if I tried to VPN from the corporate network. Turns out they filter just about everything. No ipsec pass-thru, no ESP, etc. Here's how you can test: dial up to AOL via modem, try to VPN again; now it should work. If you can ping your remote machine, then you know for sure something is being filtered. Hope this helps someone.

Re: VPN is happy; but can't see remote network
by Bryan Derman on 2004-12-17 22:22:02 +0100
Y'all might want to have a look at the stuff on [url]http://www.derman.com/Misc/VPN/Overview.html[/url]. 'Though it's for a LinkSys [b]BEFSX41[/b], the information also applies to the [b]BEFVP41[/b]. Hope this helps.

FVL328 denial of service?
by davehodg on 2004-07-21 17:11:15 +0200
I've got a Netgear FVL328 merrily conversing with Netgear Windows VPN client software.
I've set up IPSecuritas, as far as I can see, identically to the textbook example that Netgear supply. It negotiates IKE phase 1 fine, but then phase 2 just ends up with a bunch of stuff as attached at the end. Seems like it's just lost the plot. Worse still, it seems to knock out the internet-facing interface on the router! Not good. Any ideas?
Jul 21 15:39:26 Daves-PB racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1)
Jul 21 15:39:26 Daves-PB racoon: DEBUG: oakley.c:759:oakley_compute_hash1(): HASH computed:
Jul 21 15:39:26 Daves-PB racoon: DEBUG: plog.c:199:plogdump(): 571bee24 e446718f 55faeb79 d1d7e435 fad70c7b
Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp_quick.c:1810:get_sainfo_r(): failed to get sainfo.
Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp_quick.c:1810:get_sainfo_r(): failed to get sainfo.
Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp_quick.c:1044:quick_r1recv(): failed to get sainfo.
Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp_quick.c:1044:quick_r1recv(): failed to get sainfo.
Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp.c:1271:isakmp_ph2begin_r(): failed to pre-process packet.
Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp.c:1271:isakmp_ph2begin_r(): failed to pre-process packet.
Jul 21 15:39:27 Daves-PB racoon: DEBUG: grabmyaddr.c:454:update_myaddrs(): caught rtm:2, need update interface address list
Jul 21 15:39:27 Daves-PB racoon: DEBUG: grabmyaddr.c:454:update_myaddrs(): caught rtm:2, need update interface address list
Jul 21 15:39:27 Daves-PB racoon: DEBUG: grabmyaddr.c:454:update_myaddrs(): caught rtm:13, need update interface address list
Jul 21 15:39:27 Daves-PB racoon: DEBUG: pfkey.c:196:pfkey_handler(): get pfkey X_SPDFLUSH message
Jul 21 15:39:27 Daves-PB racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 16 not interesting
Jul 21 15:39:27 Daves-PB racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 15 not interesting
Jul 21 15:39:27 Daves-PB racoon: DEBUG: pfkey.c:196:pfkey_handler(): get pfkey FLUSH message
Jul 21 15:39:27 Daves-PB racoon: DEBUG: oakley.c:2563:oakley_newiv2(): compute IV for phase2
Jul 21 15:39:27 Daves-PB racoon: DEBUG: oakley.c:2564:oakley_newiv2(): phase1 last IV:
Jul 21 15:39:27 Daves-PB racoon: DEBUG: plog.c:199:plogdump(): 9caad0f2 386c356a d0a5d3d3
Jul 21 15:39:27 Daves-PB racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(sha1)
Jul 21 15:39:27 Daves-PB racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des)
Jul 21 15:39:27 Daves-PB racoon: DEBUG: oakley.c:2596:oakley_newiv2():

SonicWall PRO100
by Peter Pop on 2004-07-21 21:32:36 +0200
Hi, maybe some of you can tell me what's wrong here:
Log output from IPSecuritas 2.0.6
<removed date and machine name> IPSecuritas: Parsing configuration
<removed date and machine name> IPSecuritas: Setting up racoon.conf
<removed date and machine name> IPSecuritas: Setting up setkey.conf
<removed date and machine name> IPSecuritas: Setting up psk.txt
<removed date and machine name> IPSecuritas: Setting up tunnel.conf
<removed date and machine name> IPSecuritas: Parsing configuration done
<removed date and machine name> IPSecuritas: Starting racoon...
<removed date and machine name> IPSecuritas: Racoon is running
<removed date and machine name> IPSecuritas: Set kernel keys
<removed date and machine name> racoon: WARNING: ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched.
<removed date and machine name> racoon: WARNING: ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched.
<removed date and machine name> racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
<removed date and machine name> racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
<removed date and machine name> racoon: WARNING: ipsec_doi.c:920:cmp_aproppair_i(): attribute has been modified.
<removed date and machine name> racoon: WARNING: ipsec_doi.c:920:cmp_aproppair_i(): attribute has been modified.
In the connection overview the connection has the green checkmark indicating an established connection, so there's nothing wrong with the link.

Netgear FVS318 Config Help!!
by Wayne Sturman on 2004-07-29 02:19:34 +0200
These are the settings I am trying to use to connect from my PowerBook G4 laptop to my iMac G4 15" behind a Netgear FVS318, both running OS X 10.3.4.
Static public IP address of my Netgear: 66.93.84.14
LAN IP address of my iMac at the office: 192.168.0.25
Dynamic IP at home from cable modem - PowerBook connected to the internet via AirPort through an Asante FriendlyNet Router Model #FR3004C. Local LAN IP address is 192.168.123.194
I am including jpgs of configuration settings for both the Netgear and IPSecuritas as well as the log file for these settings. Please can anyone help!!
THIS IS THE MAIN VPN SCREEN FOR NETGEAR
[img]http://aquaexperts.com/IPs/Netgear_FVS318Main.jpg[/img]
THIS IS THE SETTINGS PAGE FOR NETGEAR
[img]http://aquaexperts.com/IPs/Netgear_FVS318settings.jpg[/img]
THIS IS THE GENERAL TAB FOR IPSecuritas
[img]http://aquaexperts.com/IPs/IPS_general.jpg[/img]
THIS IS THE PHASE 1 TAB FOR IPSecuritas
[img]http://aquaexperts.com/IPs/IPS_Phase1.jpg[/img]
THIS IS THE PHASE 2 TAB FOR IPSecuritas
[img]http://aquaexperts.com/IPs/IPS_Phase2.jpg[/img]
THIS IS THE ID/AUTH TAB FOR IPSecuritas
[img]http://aquaexperts.com/IPs/IPS_ID.jpg[/img]
THIS IS THE LOG FILE GENERATED BY IPSecuritas when I try to connect
[img]http://aquaexperts.com/IPs/IPS_Log.jpg[/img]
CAN SOMEONE GIVE ME THE CORRECT SETTINGS SO I CAN CONNECT TO MY OFFICE NETWORK. THANKS, WAYNE

Re: Netgear FVS318 Config Help!!
by sbickle on 2004-07-30 17:37:14 +0200
I had a lot of the same problems setting it up... My settings are similar, but I have aggressive mode selected with 3des; enable perf. and netbios ARE checked. What I found was that in the remote address field I had to specify the IP of my IPSecuritas client and NOT the remote network. Hope that helps. S

Re: Netgear FVS318 Config Help!!
by cnadig on 2004-08-02 23:23:44 +0200
Hello Wayne, try disabling the 'verify identifier' option or set the remote identification to address instead of DN. Christoph

Re: Netgear FVS318 Config Help!!
by John Hamann on 2004-08-05 04:56:33 +0200
I think your Proposal Check should be set to Claim, and DH Group and PFS Group should be set to Mod1024. I don't have Verify Identifier checked but do have checked IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, MIP6 and DHCP Pass-Through. Hope this helps.

NETGEAR FVS318 doesn't allow remote network
by sbickle on 2004-07-29 16:35:37 +0200
After reading through the other messages and playing around with multiple settings I was able to get the FVS318 talking.
The problem I found is that for some reason it does not work if I set the remote as a network with a /24, only if I set it as a single host and put the private IP of the remote device. Has anyone else seen this? Any ideas what causes this? Thanks in advance, S

Import certificate failed
by Yann Borg on 2004-08-03 00:47:07 +0200
Hello, if I receive and download a certificate from Microsoft Entourage v.X or v.2004, IPSecuritas is not able to import it properly:
Failed to import xxx_cert.pem. Please make sure the file contains a signed X.509 certificate in PEM format.
But if I bounce the mail to Mail.app and download the certificate, then IPSecuritas imports it fine. I'm not very at ease in UCL, but when I make a 'diff file1 file2' the result is "No newline at end of file". Having a look at the file with BBEdit doesn't help me to find where the newline is in the one file and should be in the second. It seems to be an Entourage bug/whatever, but could IPSecuritas recognize such a certificate anyway? Thanks, Yann

Re: Import certificate failed
by Yann Borg on 2004-08-03 14:07:21 +0200
Hi, I've asked our security partner and he told me that on byte level, an Entourage "Newline" is a 0x0d (Carriage Return) and for Mail.app a 0x0a (Line Feed). Could IPSecuritas be more tolerant and accept those Entourage newlines? Thanks, Yann

Re: Import certificate failed
by Yann Borg on 2004-08-03 23:06:44 +0200
Hello again, a helpful and easy workaround is to open a certificate that was downloaded from Microsoft Entourage with BBEdit Lite and to save it with "options" > "Line Break" > "Unix". Then IPSecuritas 2.0.6 will import the certificate it could not before, because of the Macintosh line break. Regards, Yann, alone in the forum today? ;-)

having a problem with certificates
by sfazzina on 2004-08-04 20:45:07 +0200
IPSecuritas will not allow me to select the use of certificates in the config. All cert.
related checkboxes are greyed out and not available - can someone help me get these boxes woken up?

Re: having a problem with certificates
by cnadig on 2004-08-04 20:55:59 +0200
Hello, have you already imported the certificates with the Certificates Manager? Christoph

Re: having a problem with certificates
by sfazzina on 2004-08-05 04:37:03 +0200
[quote author=cnadig link=1091645108/0#1 date=1091645759]Hello, have you already imported the certificates with the Certificates Manager? Christoph[/quote]
Yes - they show up in the Cert Manager -

Re: having a problem with certificates
by cnadig on 2004-08-05 07:41:12 +0200
Hello, if you select Certificates instead of Preshared Key for the authentication, do the certificate ID radio buttons stay greyed out? Or is this button already greyed out? Christoph

Re: having a problem with certificates
by sfazzina on 2004-08-05 15:26:47 +0200
[quote author=cnadig link=1091645108/0#3 date=1091684472]Hello, if you select Certificates instead of Preshared Key for the authentication, the certificates ID radiobuttons stay greyed-out? Or is this button already greyed-out? Christoph[/quote]
ALL certificate options are greyed out. Here is a screenshot:
[img]http://www.supersam.com/certt.jpg[/img]
I can provide more if you like - just tell me which screens you want to see. Thanx --sam

Re: having a problem with certificates
by sfazzina on 2004-08-05 17:01:56 +0200
NEVERMIND - I GOT MY ANSWER...... YOU NEED TO IMPORT AN X.509 CERT AND PRIVATE KEY. I DID IMPORT MY KEY - BUT NO PRIVATE KEY - THAT WAS THE PROBLEM. THEN IT LIGHTS UP LIKE A XMAS TREE, LOL. THANX ANYWAYS. I WILL PROBABLY HAVE MORE QUESTIONS.
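The two import failures in the "Import certificate failed" and "having a problem with certificates" threads above (a PEM file whose lines are separated by classic-Mac 0x0d carriage returns, and an own-certificate import without its private key) can be caught before the file is handed to the client. This is an added example, not IPSecuritas code; the certificate body it uses is a constructed DER stand-in, not a real X.509 certificate, and the file names and helper names are made up for the example.

```python
"""
Pre-flight check for PEM files before importing them as an 'own certificate'.
Added example, not IPSecuritas code. A strict LF-only PEM reader sees a
CR-separated file as one long line and finds no certificate at all, and an
'own certificate' import needs the private key next to the certificate.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

CR, LF = b"\r", b"\n"
# PEM labels that count as a private key (PKCS#1 RSA, PKCS#8, encrypted PKCS#8)
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def normalize_newlines(data: bytes) -> bytes:
    """Turn CRLF and lone CR line breaks into LF and end the file with a newline."""
    data = data.replace(CR + LF, LF).replace(CR, LF)
    return data if data.endswith(LF) else data + LF


@dataclass
class PemReport:
    blocks: List[Tuple[str, bytes]] = field(default_factory=list)  # (label, DER bytes)
    problems: List[str] = field(default_factory=list)

    @property
    def has_certificate(self) -> bool:
        return any(label == "CERTIFICATE" for label, _ in self.blocks)

    @property
    def has_private_key(self) -> bool:
        return any(label in PRIVATE_KEY_LABELS for label, _ in self.blocks)

    @property
    def importable_as_own_cert(self) -> bool:
        # An 'own certificate' needs both halves and nothing malformed.
        return self.has_certificate and self.has_private_key and not self.problems


def inspect_pem(data: bytes) -> PemReport:
    """Walk a PEM file strictly, treating only LF as a line break."""
    report = PemReport()
    label: Optional[str] = None
    body: List[str] = []
    for raw in data.split(LF):
        line = raw.decode("ascii", errors="replace").strip(" \t")
        begin = _BEGIN.match(line)
        if begin and label is None:
            label, body = begin.group(1), []
            continue
        end = _END.match(line)
        if end and label is not None:
            if end.group(1) != label:
                report.problems.append(f"END {end.group(1)!r} does not close BEGIN {label!r}")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                except ValueError:
                    der = b""
                # X.509 certificates and the usual key encodings are DER SEQUENCEs (tag 0x30)
                if der[:1] != b"\x30":
                    report.problems.append(f"{label}: body is not a DER SEQUENCE")
                else:
                    report.blocks.append((label, der))
            label, body = None, []
        elif label is not None and line:
            body.append(line)
    if label is not None:
        report.problems.append(f"unterminated {label} block")
    if not report.blocks and not report.problems:
        report.problems.append("no PEM block found; a file with 0x0d line breaks must be normalized first")
    return report


def check_own_certificate(files: Iterable[bytes]) -> PemReport:
    """Normalize every file's line endings, then inspect them together, as an
    'own certificate' import of certificate plus private key would."""
    return inspect_pem(b"".join(normalize_newlines(f) for f in files))


# Constructed stand-in for a certificate/key body: the minimal DER SEQUENCE
# 30 03 02 01 01 (an INTEGER 1), NOT a real X.509 certificate or key.
FAKE_DER_B64 = "MAMCAQE="


def make_pem(label: str, newline: bytes) -> bytes:
    """Constructed one-block PEM file with the given line-break bytes and, like
    the Entourage download in the thread, no newline at end of file."""
    lines = [f"-----BEGIN {label}-----", FAKE_DER_B64, f"-----END {label}-----"]
    return newline.join(ln.encode("ascii") for ln in lines)


ENTOURAGE_CERT = make_pem("CERTIFICATE", CR)   # 0x0d line breaks, as Entourage wrote them
MAIL_APP_CERT = make_pem("CERTIFICATE", LF)    # 0x0a line breaks, as Mail.app wrote them
OWN_KEY = make_pem("RSA PRIVATE KEY", LF)      # the matching (fake) private key

if __name__ == "__main__":
    print("raw Entourage file:", inspect_pem(ENTOURAGE_CERT).problems)
    print("cert only:", check_own_certificate([ENTOURAGE_CERT]).importable_as_own_cert)
    print("cert + key:", check_own_certificate([ENTOURAGE_CERT, OWN_KEY]).importable_as_own_cert)
```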
Re: having a problem with certificates
by sfazzina on 2004-08-06 02:12:24 +0200
Hi again - so I finally got this thing to use certs - now it won't connect - I get the following error - any help would be appreciated.
Mac OS X Version 10.3.4 (Build 7H63)
Aug 5 20:05:25 SUPERBOOK syslogd: restart
Aug 5 20:05:25 SUPERBOOK syslogd: restart
Aug 5 20:05:27 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Aug 5 20:05:27 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Aug 5 20:05:47 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Aug 5 20:05:58 SUPERBOOK racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 209.202.127.66->192.168.1.103
Aug 5 20:05:47 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Aug 5 20:05:58 SUPERBOOK racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 209.202.127.66->192.168.1.103
Aug 5 20:06:07 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Aug 5 20:06:07 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.

Netgear FVM318 problem, any ideas?
by John Hamann on 2004-08-05 04:48:55 +0200
Hello, I have a VPN set up with a Netgear FVM318 router and it works fine... except that I cannot connect to certain computers (OS X) on the office network. Others can connect with no problem. All I can discern is that the IP I am connecting to is not on the primary NIC but on a secondary one.
This is no problem locally; the IP can be pinged all day, but through the tunnel it doesn't respond. Other computers, both OS 9 and OS X, ping OK and can be connected to through AppleShare. Does anybody have any idea what could be going on? ??? I've been banging my head with this one for days now; any ideas would be much appreciated.

Re: Netgear FVM318 problem, any ideas?
by 2manysecrets on 2004-08-16 19:15:26 +0200
I have not been able to connect from home using Mac OS X with a subnet specified in the FVM318 settings. The only way was to specify an IP address. I could see the entire network behind the FVM318, but so far they cannot see me. This has not been a problem since I am normally the one connecting to the office to get files. I have not had any difficulty connecting to any of the computers behind the FVM318. I might have to input the computer's IP address manually, but it will always connect. I have not been able to locate most of the computers with the network browser. Not sure what is causing the problem. Steve

SonicWall VPN tunnel up, no network
by Brian Godden on 2004-08-18 21:10:48 +0200
Sorry for opening a new topic if this isn't appropriate; I just thought my messages in the other SonicWall topic might be fairly buried. Thanks for any help!! I have been able to establish a successful host to network connection from IPSecuritas to a SonicWall, but can't get access to the remote network.
Here are my current settings:

Firewall: SonicWall Pro-VX
-------------------------------
VPN Summary (these features are enabled):
Enable VPN
Enable IKE Dead Peer Detection
Dead Peer Detection Interval (seconds): 60
Failure Trigger Level (missed heartbeats): 3
Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP Address

SA: GroupVPN
IPSec Keying Mode: IKE using pre-shared secret
Security Policy:
Phase 1 DH Group: Group 1
SA Life time (secs): 28800
Phase 1 Encryption/Authentication: DES & MD5
Phase 2 Encryption/Authentication: Encrypt and Authenticate (ESP DES HMAC MD5)
Shared Secret:
---------
IPSecuritas, version 2.0.6
Mac OS X 10.3.5
General:
Mode: Host to Network
Remote IPSec Device: (IP Address of firewall)
Remote Network: 10.5.1.0 / 24 (Also have tried setting local address)
Exchange Mode: Main
Proposal Check: Obey
Nonce Size: 16
Phase 1:
Lifetime: 28800
DH Group: Mod768(1)
Encryption: 3DES
Authentication: SHA1
Phase 2:
Lifetime: 28800
PFS Group: None
Encryption: 3DES
Authentication: HMAC SHA1
Id/Auth:
Identifiers set to Address
Preshared Secret set
Options (these are enabled):
Compression Deflate
IPSec DOI
SIT_IDENTITY_ONLY
Initial Contact

Netgear FVS318 setup

Netgear FVS318 setup by Brian Nichols on 2004-08-19 06:22:48 +0200
Can someone be so kind as to give the setup of their FVS318 and IPSecuritas that WORKS? I have been successfully using VPN Tracker but would rather use IPSecuritas, but I can't get a connection with the FVS318 settings as they are. I would rather just use the settings on the FVS318 that work for someone else (minus the shared key, etc.) rather than play with my settings, as that has become very frustrating for a newbie to VPN. Thanks!

Re: Netgear FVS318 setup by Brian Nichols on 2004-08-21 21:45:13 +0200
Never mind. It's actually quite easy to match the settings in IPSecuritas with the FVS318. Thanks to the developer for this great app!
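A side-by-side check of the two proposal sets quoted in the SonicWall post above, added here as an illustration (it is not code from the thread, from IPSecuritas or from SonicWall): it normalises the different spellings vendors use for the same algorithm and lists every phase 1 and phase 2 field on which the gateway and the client differ, which is the first thing worth confirming when IKE completes but traffic does not flow. The two gateway values the post does not list (phase 2 PFS and phase 2 lifetime) are assumed for the sample.

```python
from dataclasses import dataclass, fields

# Vendors spell the same algorithm differently; map every spelling to one token.
ALIASES = {
    "des": "des", "3des": "3des", "triple des": "3des", "triple-des": "3des",
    "md5": "md5", "hmac md5": "md5", "hmac-md5": "md5",
    "sha1": "sha1", "sha-1": "sha1", "hmac sha1": "sha1", "hmac-sha1": "sha1",
    "group 1": "dh1", "dh1": "dh1", "mod768": "dh1", "mod768 (1)": "dh1", "mod768(1)": "dh1",
    "group 2": "dh2", "dh2": "dh2", "mod1024": "dh2", "mod1024 (2)": "dh2", "mod1024(2)": "dh2",
    "none": "none", "no pfs": "none",
}


def norm(value):
    """Lower-case, strip and collapse a setting to its canonical token."""
    key = str(value).strip().lower()
    return ALIASES.get(key, key)


@dataclass
class Proposal:
    phase1_encryption: str
    phase1_hash: str
    phase1_dh: str
    phase1_lifetime: int
    phase2_encryption: str
    phase2_auth: str
    phase2_pfs: str
    phase2_lifetime: int


def compare(gateway, client):
    """Return (field, gateway value, client value) for every field that differs."""
    return [
        (f.name, norm(getattr(gateway, f.name)), norm(getattr(client, f.name)))
        for f in fields(Proposal)
        if norm(getattr(gateway, f.name)) != norm(getattr(client, f.name))
    ]


# Sample input transcribed from the SonicWall / IPSecuritas settings in the post above.
# The SonicWall side of the post lists no phase 2 PFS group or phase 2 lifetime, so
# those two gateway values are assumptions made for this example.
SONICWALL = Proposal("DES", "MD5", "Group 1", 28800, "DES", "HMAC MD5", "None", 28800)
IPSECURITAS = Proposal("3DES", "SHA1", "Mod768(1)", 28800, "3DES", "HMAC SHA1", "None", 28800)


def mismatched_fields(gateway=SONICWALL, client=IPSECURITAS):
    """Names of the fields that do not line up between the two sides."""
    return [name for name, _, _ in compare(gateway, client)]


if __name__ == "__main__":
    for name, g, c in compare(SONICWALL, IPSECURITAS):
        print(f"{name}: gateway={g} client={c}")
```

Run as-is, the comparison reports the phase 1 encryption and hash and the phase 2 encryption and authentication as the four fields on which the two quoted configurations disagree; pasting a different pair of configurations into the two `Proposal` values gives the same report for any other gateway.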
Re: Netgear FVS318 setup by edy piro on 2004-09-10 15:30:35 +0200
Can you (or anyone else) help me with config???? I have a Netpilot as well, but I cannot make it work! Please help :-) Thanks, edy

Re: Netgear FVS318 setup by edy piro on 2004-09-10 15:33:53 +0200
SORRY, I have a NETPILOT not a NETGEAR... any ideas? Thanks anyway, edy

Re: Netgear FVS318 setup by Greg on 2004-10-21 03:58:24 +0200
[quote author=Brian Nichols link=1092889368/0#1 date=1093117513]Never mind. It's actually quite easy to match the settings in IPSecuritas with the FVS318. Thanks to the developer for this great app![/quote]
I'm glad to hear that someone got it working... I've played with it all day, still to no avail.... Would you or anyone else mind posting your settings so the rest of us can see something that's working? Thanks, Greg

Re: Netgear FVS318 setup by Mike Johnson on 2004-11-23 12:49:27 +0100
Does anyone have a configuration that works with the FVS318?

IPSecuritas 2.0.6 problems

IPSecuritas 2.0.6 problems by Paul van der Laan on 2004-08-26 12:06:41 +0200
I've been trying for several days now to get a 'host to network' connection to work, but so far my attempts have been unfruitful. I'm using Panther 10.3.5 in combination with a Vigor 2200E router to connect to the internet. When I start IPSecuritas there's a red cross in the name of my configuration, indicating that no connection can be established. The worrying thing is that when I stop and quit IPSecuritas my entire network connection is dead: no e-mail, web or anything. I can only revive it again by rebooting the system.
This is what the logfile reads:

Log output from IPSecuritas 2.0.6
Aug 25 19:14:40 Vigor10 IPSecuritas: Parsing configuration
Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up racoon.conf
Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up setkey.conf
Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up psk.txt
Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up tunnel.conf
Aug 25 19:14:40 Vigor10 IPSecuritas: Parsing configuration done
Aug 25 19:14:41 Vigor10 IPSecuritas: Starting racoon...
Aug 25 19:14:42 Vigor10 IPSecuritas: Racoon is running
Aug 25 19:14:42 Vigor10 IPSecuritas: Set kernel keys
route: writing to routing socket: File exists
add net 192.168.1.0: gateway gif0: File exists
Aug 25 19:14:43 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Aug 25 19:14:43 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Aug 25 19:14:43 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload.
Aug 25 19:14:43 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload.
Aug 25 19:14:58 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Aug 25 19:14:58 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Aug 25 19:14:58 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload.
Aug 25 19:14:58 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload.
Aug 25 19:15:13 Vigor10 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 80.127.72.35->192.168.1.10
Aug 25 19:15:13 Vigor10 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 80.127.72.35->192.168.1.10
Aug 25 19:15:13 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Aug 25 19:15:13 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Aug 25 19:15:13 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload.
Aug 25 19:15:13 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload.
delete net 192.168.1.0
Aug 25 19:15:17 Vigor10 IPSecuritas: Flushing kernel keys
Aug 25 19:15:17 Vigor10 IPSecuritas: Stopping racoon...
Aug 25 19:15:18 Vigor10 IPSecuritas: Racoon normally terminated

Any help would be greatly appreciated. Cheers,

Re: IPSecuritas 2.0.6 problems by netgoblin on 2004-08-27 13:27:26 +0200
Hello Paul, can you check the ID/Auth parameters? See the log:
> ID value mismatched
cu netgoblin

Re: IPSecuritas 2.0.6 problems by tom lafleur on 2004-08-28 06:15:39 +0200
I also am having problems with 2.0.6 and OS X 10.3.5 into a Zyxel Zywall 10... using VPN Tracker works fine on the same system...

IPSecuritas crashes FVL328, VPNTracker works!

IPSecuritas crashes FVL328, VPNTracker works! by davehodg on 2004-08-26 12:43:41 +0200
Hi - revisiting connecting to an FVL328. VPNTracker just went through a major version bump so I've been able to re-test connecting to my FVL328. Using exactly the same parameters as the Netgear VPN client recommends (3DES/SHA-1/1024 in both phases), VPNTracker works perfectly and I can see the internal network. Loading up IPSecuritas, it sees the identical parameters (with most of the option flags in phase 2 turned off), connects, the router's VPN status sees a well-made connection, but I can't see the internal LAN. Furthermore, the LAN users stop being able to see the Internet! It looks like we'll have to grudgingly fork out for VPNTracker licenses...

OS X 10.3.5 Server lost connection to IN

OS X 10.3.5 Server lost connection to IN by Frogstar on 2004-08-29 19:22:30 +0200
Hi, for a VPN test I installed IPSecuritas on my web server at another location. After starting IPSecuritas and configuring a setup I lost the connection to my server over ARD (Apple Remote Desktop). Then I couldn't connect to my server over ssh or anything.
The last chance for me to connect to my server is to connect to another computer in that location and connect via Timbuktu in the local subnet onto the server. The firewall setup is unchanged and I tested it with the firewall turned off, too, but the problem is the same. If I'm in the local network I can connect to the server. If I try to connect over the Internet the answer is "Connection refused". My server cannot connect to the Internet after that. Any idea? PS: Sorry about my English. I'm from Germany and my English is not the best. :-)

Nortel Problems

Nortel Problems by rbrugman on 2004-09-04 22:26:59 +0200
Hello, I am trying to connect to my school's VPN with my Mac. There is a PC client, but Netlock wants to charge me $95 for their official Nortel client. The main problem is that the university's VPN switch is set to use Group Password Authentication. I know the group username and password, but that's it. I also know that the encryption is "3DES" and MD5 is mentioned. That's pretty much all I can find out. If there's some way to get into Netlock's config file, I could possibly tell more, but prefs.db is just a bunch of text. I tried putting the settings in IPSecuritas, and this is what I got as output: (Edit: Too long, so I put it as a .rtf file) http://hosted.reaktor6.net/ipsec_error.rtf I hope someone can help me decipher it. Robert

Re: Nortel Problems by rbrugman on 2004-09-04 23:10:31 +0200
I found out some more information that I hope helps. I installed the VPN client for Windows on my desktop and made a log file, and I also took a screenshot. Here they are:
Log file from PC: http://hosted.reaktor6.net/vpn_pc.txt
Screenshot from PC: http://hosted.reaktor6.net/vpn_pc_ss.jpg
I seriously hope that can help someone help me. Robert

Re: Nortel Problems by rbrugman on 2004-09-07 04:17:01 +0200
I have more information. The creators of VPN Tracker say that, at least in my case, the Nortel VPN switch is using an IPSec extension called mod_cfg.
Does anyone know if IPSecuritas has this feature? Thanks, Robert

Any issues re recent Security Update 9-7?

Any issues re recent Security Update 9-7? by rnoranbrock on 2004-09-08 15:28:06 +0200
Is there any reason to hold off applying this Security Update? Any effect on IPSecuritas? Thanks, -Randy

IPSecuritas and NAT-T support, routing issues

IPSecuritas and NAT-T support, routing issues by seano on 2004-09-09 03:54:08 +0200
Hi all, I checked out IPSecuritas after finding out VPN Tracker doesn't have NAT-T support. I'm using OS 10.3.4. Seems I can establish a tunnel OK, but two things are wrong:
1.) On a NAT'ed network, I can't actually communicate with a host over the tunnel. I've verified our firewall (isakmpd/pf on OpenBSD) is correctly allowing ESP traffic. Seems NAT-T support is not working.
2.) When tunnels are created, I don't see a route created in the routing table. Is this normal?
thanks, Sean

Re: IPSecuritas and NAT-T support, routing issues by seano on 2004-09-14 22:36:13 +0200
Does anyone have an idea, or am I just out of luck for support?

Re: IPSecuritas and NAT-T support, routing issues by Grant Janssen on 2004-09-16 07:09:06 +0200
:P Me too, I feel your pain. I can establish a "Host To Network" connection. Keys exchange fine, but I can't stuff anything over the tunnel. When I move my laptop to the other side of the router (no NAT), this runs perfectly. I've seen VPN client software function with NAT, so I know this can work, as long as you don't try to establish multiple tunnels from the same NATed network to the same destination firewall. All my other clients are PCs running the SafeNet SoftRemote product [url]http://www.safenet.biz/prod/software/software_a.asp[/url]. This supports NAT, and has run well for us, but is PC only. Is there some setup detail I've missed? ???
Cookies Colliding using IPSecuritas to SOHO 6tc

Cookies Colliding using IPSecuritas to SOHO 6tc by Graeme Rae on 2004-09-22 01:58:52 +0200
Trying to connect from a 192.168.1.# network via the net and a SOHO 6tc to a 192.168.146.# network. Using Mac OS X 10.3.5. All security settings are identical on each side (checked many times). Getting this error:

Sep 21 16:32:32 graemes-g4 racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.56[500]
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.56[500]
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to 64.7.211.227[500]
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 112 bytes message will be sent to 192.168.1.56[500]
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: plog.c:199:plogdump(): fc7dfa15 5b5d18bf 00000000 00000000 01100100 00000000 00000070 05000034 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 80010005 80030001 80020001 80040001 0a00000c 011101f4 c0a80138 00000014 e2e59147 a73c03ce 319df5da 5dd11fdf
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: isakmp.c:1718:isakmp_ph1resend(): resend phase1 packet fc7dfa155b5d18bf:0000000000000000
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: isakmp.c:233:isakmp_handler(): ===
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: isakmp.c:234:isakmp_handler(): 68 bytes message received from 64.7.211.227[500]
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: plog.c:199:plogdump(): fc7dfa15 5b5d18bf 00000000 00000000 0b100500 00000000 00000044 00000028 00000001 01000004 fc7dfa15 5b5d18bf 00000000 00000000 01100100 00000000 00000070
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: isakmp.c:531:isakmp_main(): malformed cookie received or the initiator's cookies collide.
Sep 21 16:32:52 graemes-g4 racoon: ERROR: isakmp.c:1706:isakmp_ph1resend(): phase1 negotiation failed due to time up. fc7dfa155b5d18bf:0000000000000000
Sep 21 16:32:52 graemes-g4 racoon: ERROR: isakmp.c:1706:isakmp_ph1resend(): phase1 negotiation failed due to time up. fc7dfa155b5d18bf:0000000000000000

Any ideas? Please help!!!
Using Phase 1/Mod768/3DES/MD5, Phase 2/No PFS/3DES/MD5, Local ID DN: graeme, Remote ID: Address, Auth: Pre-shared secret (checked many times)

Problems with PPP

Problems with PPP by strandoo on 2004-09-22 14:08:30 +0200
I've been able to use IPSecuritas from my home via an ADSL account, but can't get it to work when I use a modem/PPP dial-up account. Any ideas about what I'm doing wrong? Thanks.

racoon: must be root to invoke this program

racoon: must be root to invoke this program by cdant on 2004-09-29 04:01:32 +0200
I'm having an error with starting up a connection, getting an error from racoon that I must be root to invoke it. I've tried setting racoon to suid root but that didn't resolve the issue. Here's my log:

Log output from IPSecuritas 2.0.6
Sep 28 21:30:27 localhost IPSecuritas: Parsing configuration
Sep 28 21:30:27 localhost IPSecuritas: Setting up racoon.conf
Sep 28 21:30:27 localhost IPSecuritas: Setting up setkey.conf
Sep 28 21:30:27 localhost IPSecuritas: Setting up psk.txt
Sep 28 21:30:27 localhost IPSecuritas: Setting up tunnel.conf
Sep 28 21:30:27 localhost IPSecuritas: Parsing configuration done
Sep 28 21:30:27 localhost IPSecuritas: Could not create /etc/syslog_ipsecuritas_orig.conf
Sep 28 21:30:27 localhost IPSecuritas: Starting racoon...
racoon: must be root to invoke this program.
Sep 28 21:30:27 localhost IPSecuritas: Failed to start racoon
Sep 28 21:30:27 localhost IPSecuritas: Stopping racoon...
Sep 28 21:30:27 localhost IPSecuritas: Racoon normally terminated
Sep 28 21:30:27 localhost IPSecuritas: Flushing kernel keys
pfkey_open: Operation not permitted
pfkey_open: Operation not permitted

from scratch

from scratch by love on 2004-10-05 00:35:00 +0200
Hi folks!
I am a real newbie on this; I've been trying to figure out how to set up a VPN connection, but there are just too many different parameters to set to figure it out myself! This is what it looks like:

------------------------------
Office Network
Zywall10 set to NAT
LAN IP: 192.168.3.0~

Config in Zywall10
Menu 27.1.1 - IPSec Setup
Index #= 1
Name= test
Active= Yes
Keep Alive= No
Nat Traversal= Yes
Local ID type= IP Content=
My IP Addr= 213.xxx.xxx.xxx
Peer ID type= IP Content= 0.0.0.0
Secure Gateway Address= 0.0.0.0
Protocol= 0
Local: Addr Type= RANGE
IP Addr Start= 192.168.3.1 End/Subnet Mask= 192.168.3.99
Port Start= 0 End= N/A
Remote: Addr Type= N/A
IP Addr Start= N/A End/Subnet Mask= N/A
Port Start= N/A End= N/A
Enable Replay Detection= No
Key Management= IKE
Edit Key Management Setup= No
------------------------------------------------------------------------
Menu 27.1.1.1 - IKE Setup
Phase 1
Negotiation Mode= Main
PSK= keykeykey
Encryption Algorithm= DES
Authentication Algorithm= MD5
SA Life Time (Seconds)= 28800
Key Group= DH1
Phase 2
Active Protocol= ESP
Encryption Algorithm= DES
Authentication Algorithm= SHA1
SA Life Time (Seconds)= 28800
Encapsulation= Tunnel
Perfect Forward Secrecy (PFS)= None
-----------------------------------------------------------------
This is what I want to achieve:
static IP on WAN / DHCP on WAN
Officenetwork--officerouterNAT--internet--airportexpressNAT--

Re: from scratch by cnadig on 2004-10-07 08:32:04 +0200
Hello, I'd propose the following to start with for IPSecuritas' configuration:

General:
Host to Network mode
Remote IPSec device: 213.xxx.xxx.xxx (the public IP address of the Zyxel 10)
Remote Network: 192.168.3.0/24
Local Address: Leave empty
Exchange Mode: Main
Proposal Check: Obey
Nonce Size: 16
Phase 1:
Lifetime: 28800
DH Group: Mod768 (1)
Encryption: DES
Authentication: MD5
Phase 2:
Lifetime: 28800
PFS Group: None
Encryption: Enable DES, disable all others
Authentication: Enable HMAC SHA1, disable all others
Id/Auth:
Local Identifier: Address
Remote Identifier: Address
Authentication: Preshared key, enter keykeykey (and change this once everything is working :-) )
Options: Leave all on defaults.

From experience I know that Zyxel is very picky about the network mask settings - it might be necessary to change the remote addr type to subnet with a netmask of 24. Please make sure to increase IPSecuritas' log level and post the log output if it is not working.
CAUTION: Please remove any confidential information like your public IP address! And change the preshared key before posting the log!
Cheers, Christoph

Trying to set up IPSec between two Macs

Trying to set up IPSec between two Macs by Lee Kilpatrick on 2004-10-05 03:55:48 +0200
I want to use IPSecuritas in the "host to anywhere" mode so I can have encrypted traffic when I am using a public WiFi network. I do not have a VPN gateway product, but would like to use another Mac as the secure endpoint at my house. The documentation is not clear on how you set up this configuration, and I am trying to set up simple configurations just to see if I can get it working (since debugging it remotely from a coffee shop would be pretty difficult). I don't have a lot of equipment to test with, so I am trying to create a tunnel between two Macs on the same Ethernet. Is this possible, or will there be routing/interface problems? Do I need another network interface on both machines in order to have a private address to try and access over the tunnel? I set up both with another interface -- one with an AirPort, and one with IP over FireWire. How should I set up IPSecuritas? From reading the online documentation, I have gathered that I should set up the server as "network to network", and my laptop as "host to anywhere". Is this correct? The two machines are connected to an Ethernet through the hub/router, which is a Linksys BEFR41. I have set the router to "IPSec pass through".
In general, I'm not even sure that that setting has any effect if you are communicating through two LAN ports on it. When I start IPSec on both machines, the checkmark never becomes green, but stays as a red "X". In the IPSecuritas log, I get this on one machine (the "client"):

Oct 4 20:54:47 Scarlet IPSecuritas:
Oct 4 20:54:47 Scarlet IPSecuritas: Parsing configurationParsing configuration
Oct 4 20:54:48 Scarlet IPSecuritas:
Oct 4 20:54:48 Scarlet IPSecuritas: Setting up racoon.confSetting up racoon.conf
Oct 4 20:54:48 Scarlet IPSecuritas:
Oct 4 20:54:48 Scarlet IPSecuritas:
Oct 4 20:54:48 Scarlet IPSecuritas:
Oct 4 20:54:48 Scarlet IPSecuritas:
Oct 4 20:54:48 Scarlet IPSecuritas:
Oct 4 20:54:48 Scarlet IPSecuritas:
Oct 4 20:54:48 Scarlet IPSecuritas:
Oct 4 20:54:48 Scarlet IPSecuritas:
Oct 4 20:54:49 Scarlet IPSecuritas: Starting racoon...Starting racoon...
Setting up setkey.conf
Setting up psk.txt
Setting up tunnel.conf
Parsing configuration done
Setting up setkey.conf
Setting up psk.txt
Setting up tunnel.conf
Parsing configuration done
Oct 4 20:54:49 Scarlet IPSecuritas:
Oct 4 20:54:49 Scarlet IPSecuritas:
Oct 4 20:54:49 Scarlet IPSecuritas: Racoon is runningRacoon is running
Oct 4 20:54:49 Scarlet IPSecuritas:
Oct 4 20:54:49 Scarlet IPSecuritas: Set kernel keys

I then tried to ping the private address on the other machine (the server) and got no response. After a while, the log showed:

Oct 4 20:55:37 Scarlet racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase 2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.4->10.0.0.100

Re: Trying to set up IPSec between two Macs by cnadig on 2004-10-07 08:16:44 +0200
Hello Lee, I'd try the following:
Client side: Host to anywhere is fine, other settings on their default values.
Server side: Use Host to Host (Tunnel), with the local IP address of the Ethernet interface and the laptop's IP as remote IP. Please also set the passive option on the server side.
Then first start the server-side IPSec; once it says running, you can start the client (laptop) IPSec. Please increase the log level in IPSecuritas beforehand (in Preferences) to 'Verbose debug' - the log output then contains much more information. If you want to access other machines (or the internet) through the server Mac, you will need a second interface on that machine (although you probably can get around this with aliased interfaces, but I would need to figure this out first - let me know if you need it). Let us know how it goes!
Cheers, Christoph

zywall 10II

zywall 10II by andrew on 2004-10-10 03:17:20 +0200
Hi, wondering if anyone has a setup for IPSecuritas for a ZyWall 10II with something flexible enough for various locations? I connect often from behind a school firewall (Cisco PIX) but with real IPs, and sometimes from locations behind a standard RFC1918 (ADSL router - no control over it), and other times on the road from a dialup IP.. My internal LAN is 192.168.1.0/24. Thanks.

FVS318 now working, but no Network Browsing

FVS318 now working, but no Network Browsing by Greg on 2004-10-21 20:53:10 +0200
So after playing with it all day I finally bagged the VPN Tracker settings I was trying to get into IPSecuritas, and instead used the VPN Wizard that is available in newer firmware versions of the FVS318. At the end, it offered the proper settings to put into the VPN client... once those were input... away it went, no problems, connected right up. One setting it had added was the Enable NetBIOS for network browsing... I couldn't find a setting in IPSecuritas, however, to allow me to enable network browsing... does anyone know how I can enable that? As I'd like to be able to browse the network rather than needing to go in and find each IP address and type it in manually. And this will make printing and using some other network functions a lot easier.... Thanks in advance..
Greg

Re: FVS318 now working, but no Network Browsing by AaronA1975 on 2004-10-21 22:01:03 +0200
NetBIOS is a non-routable protocol that Windows uses for file and print sharing, and it usually transmits data via broadcasts. The checkbox allows NetBIOS broadcasts to be sent over the VPN connection. If you're using Windows, this setting is a convenience, but since NetBIOS tends to be a chatty protocol, some people would rather not have that traffic sent over the WAN. Checking that box means nothing to your Mac because it does not use NetBIOS. Macs use SLP (Service Location Protocol) to discover network services, which can be enabled in the Directory Access app. If you're unable to browse the network you're connected to via VPN, the NetBIOS checkbox is not your problem.

Re: FVS318 now working, but no Network Browsing by Greg on 2004-10-21 22:16:02 +0200
Thanks for the info.... so I've gone and looked; SLP is turned on in Directory Access. Any ideas on how to make sure that the VPN tunnel is allowing it? Or is it even possible to browse a Mac network via a VPN using SLP, or any other method for that matter? Thanks, Greg

Re: FVS318 now working, but no Network Browsing by AaronA1975 on 2004-10-22 23:08:14 +0200
It's entirely possible to browse a Mac network over your VPN connection - I do it with mine all the time. There should be no reason why your firewall would disallow SLP unless you've somehow expressly instructed it to.

Re: FVS318 now working, but no Network Browsing by GaryS on 2004-11-01 23:18:03 +0100
I have the same router and have the same experience... I'm unable to browse the office network remotely, yet SLP is enabled and I'm running the latest version of IPSecuritas and the NetGear firmware for the router. Aargh...

Connecting to Linksys 10/100 8port router

Connecting to Linksys 10/100 8port router by oolong on 2004-10-23 04:24:30 +0200
Hi everyone, I'm attempting to connect to this Linksys 10/100 8-port VPN router via IPSecuritas (no VPN router on my side).
So far, it doesn't work and I haven't found anybody talking about this combination either. If you happen to have this connection established, please share the config on both the Linksys and IPSecuritas. My current IPSecuritas log goes on and on for a while, but here are the highlights:

(At an early stage it says...)
IPSecuritas: Racoon is running
IPSecuritas: Set kernel keys
route: writing to routing socket: File exists
add net 172.137.2.0: gateway gif0: File exists
racoon: DEBUG2: cfparse.y:1365:cfparse(): parse successed.

(Towards the end it says...)
racoon: DEBUG: grabmyaddr.c:454:update_myaddrs(): caught rtm:2, need update interface address list
racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 1 not interesting

And then it eventually shuts down after not finding phase 1 nor 2. As I have no idea at this point, I appreciate any help!! Thank you.

Autostart

Autostart by Rich Eaton on 2004-10-26 16:37:11 +0200
OS X.3.5. IPSecuritas autostart does not appear to work on boot up. Once manually started it works fine.

Re: Autostart by Rich on 2004-10-29 12:37:32 +0200
I should add, it does autostart but the connection fails. Starting by hand after login works fine. Using AirPort to connect to the IPsec device. Is this an OS X startup problem?

FQDN in phase 2

FQDN in phase 2 by Daniel Cini on 2004-10-29 11:52:36 +0200
Hi, I currently have a host to network configuration. My remote IPSec device expects the phase 2 proposal to contain my FQDN instead of the IP address. Is it possible to configure IPSecuritas to do so? Also, does IPSecuritas support NAT traversal? Thanks in advance for any help, Daniel Cini

Re: FQDN in phase 2 by GaryS on 2004-11-01 23:27:36 +0100
I do this for my office connections... simply select the "DN" radio button in the ID/Auth tab (instead of the "Address" button), and enter your FQDN in the blank field.
Unstable VPN Connection to FVS318

Unstable VPN Connection to FVS318 by GaryS on 2004-11-01 23:24:18 +0100
I recently upgraded to the latest firmware for the NetGear FVS318 (v.2.4) in the hope that I would be able to browse my office network, but to no avail. Anyway, since the upgrade, the router runs much better... except for my VPN connections using IPSecuritas. IPSec starts successfully, and my connection shows the little green arrow. But, whereas I used to be able to mount any office Mac quickly, now the mounting times out regularly, and even a Mac that I've mounted doesn't respond properly all the time. The log shows the following:

Nov 1 13:53:49 THUNDERDOME IPSecuritas: Parsing configuration
Nov 1 13:53:49 THUNDERDOME IPSecuritas: Setting up racoon.conf
Nov 1 13:53:49 THUNDERDOME IPSecuritas: Setting up setkey.conf
Nov 1 13:53:50 THUNDERDOME IPSecuritas: Setting up psk.txt
Nov 1 13:53:50 THUNDERDOME IPSecuritas: Setting up tunnel.conf
Nov 1 13:53:50 THUNDERDOME IPSecuritas: Parsing configuration done
Nov 1 13:53:51 THUNDERDOME IPSecuritas: Starting racoon...
Nov 1 13:53:51 THUNDERDOME IPSecuritas: Racoon is running
Nov 1 13:53:51 THUNDERDOME IPSecuritas: Set kernel keys
Nov 1 13:53:54 THUNDERDOME racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Nov 1 13:53:54 THUNDERDOME racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Nov 1 13:53:54 THUNDERDOME racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Nov 1 13:53:54 THUNDERDOME racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Nov 1 13:55:34 THUNDERDOME IPSecuritas: Flushing kernel keys
Nov 1 13:55:34 THUNDERDOME IPSecuritas: Stopping racoon...
Nov 1 13:55:35 THUNDERDOME IPSecuritas: Racoon normally terminated

My settings on the router are identical now to how they were prior to the upgrade, and I don't understand the "trns_id mismatched" error in the log. Any help would be appreciated. BTW, I'm running OS X 10.3.5.
VPN with dynamic IP on both sides?

VPN with dynamic IP on both sides? by mandarax on 2004-11-02 15:12:10 +0100
I'm trying to figure out whether it is possible to connect to networks, or even Macs, both connected to the internet via DSL. Both sides receive dynamic IP addresses when logging in. Is it possible to use a domain name offered by a service like DynDNS instead of a known IP address in the "General Settings" section when setting up a new connection? Any help appreciated. Thanks, Hans

Re: VPN with dynamic IP on both sides? by cnadig on 2004-11-03 07:24:12 +0100
Hello Hans, you can enter a hostname into the remote IPSec device field. The hostname is then translated into an IP address every time you start IPSec. Christoph

Netgear FVS328

Netgear FVS328 by sgljungholm on 2004-11-04 14:58:15 +0100
I have set up the Netgear box and tested with other clients that seem to work. When I try IPSecuritas I get a message that says ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Any ideas? Thanks

Re: Netgear FVS328 by cnadig on 2004-11-07 01:46:59 +0100
Hello sgljungholm, please find a working example setup at [url]http://www.lobotomo.com/products/IPSecuritas/howtoUpdates.html[/url]
Cheers, Christoph

Re: Netgear FVS328 by sgljungholm on 2004-12-26 13:57:51 +0100
I have gotten this working to a point. I am now connected but I cannot see any of the computers on the remote network. I noticed this in the logs. Any idea?

Dec 26 07:54:40 Svens-Computer racoon: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 138.88.162.101[500].
Dec 26 07:54:53 Svens-Computer racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 5 not interesting
Dec 26 07:56:31 Svens-Computer racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 5 not interesting
Dec 26 07:57:25 Svens-Computer racoon: INFO: isakmp.c:1785:isakmp_ph1expire(): ISAKMP-SA expired 192.168.168.102[500]-138.88.162.101[500] spi:25c51c4f8287898b:25b94c4b38c99f17
Dec 26 07:57:25 Svens-Computer racoon: INFO: isakmp.c:1785:isakmp_ph1expire(): ISAKMP-SA expired 192.168.168.102[500]-138.88.162.101[500] spi:25c51c4f8287898b:25b94c4b38c99f17
Dec 26 07:57:26 Svens-Computer racoon: INFO: isakmp.c:1833:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.168.102[500]-138.88.162.101[500] spi:25c51c4f8287898b:25b94c4b38c99f17
Dec 26 07:57:26 Svens-Computer racoon: INFO: isakmp.c:1833:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.168.102[500]-138.88.162.101[500] spi:25c51c4f8287898b:25b94c4b38c99f17
Dec 26 07:57:35 Svens-Computer racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 5 not interesting

Re: Netgear FVS328 by sgljungholm on 2005-02-05 23:24:36 +0100
This is still not working. I am now testing with another unit and I still can't make it work. Can anyone help? I set the VPN as the site suggested but nothing.

Watchguard Firebox X15 Edge

Watchguard Firebox X15 Edge by Raggamax on 2004-11-04 16:46:51 +0100
Hi everyone... I am using IPSecuritas on my Mac to connect to a Watchguard Firebox X15 Edge without any success. I tried different settings but I always get the following error: isakmp.c:2045:isakmp_chkph1there(): phase 2 negotiation failed due to time up waiting for phase 1. Can anyone help me with that? Any idea what goes wrong? I am wondering if I have to change the settings on my box or on the client. From a PC with the MUVPN client installed (provided by Watchguard) everything goes just fine. I can connect via VPN to the remote network without any problem. Thank you in advance for your help...
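The racoon output quoted across these threads invites two things: recognising the recurring failure signatures (ID value mismatched and invalid ID payload in the IPSecuritas 2.0.6 thread, no hash payload in the certificates thread, trns_id mismatched in the Unstable VPN Connection thread, the phase 1 time-outs in the Watchguard and other threads, the ISAKMP-SA expired lines just above) and decoding the raw plogdump hex in the Cookies Colliding thread. The following Python example does both; it is added here and is not code from IPSecuritas, racoon or any poster. The name tables come from RFC 2408 (ISAKMP) and RFC 2407 (IPSEC DOI), the log sample is constructed from lines quoted above with a placeholder host name and address, and the hints are troubleshooting pointers rather than definitive diagnoses.

```python
import ipaddress
import re
import struct
from collections import Counter

# Constructed sample in the format IPSecuritas shows racoon output; the host name and the
# 192.0.2.1 address are placeholders. The hex dump is the 68-byte reply quoted in the
# "Cookies Colliding" thread above.
SAMPLE_LOG = """\
Sep 21 16:32:32 mac racoon: DEBUG: isakmp.c:234:isakmp_handler(): 68 bytes message received from 192.0.2.1[500]
Sep 21 16:32:32 mac racoon: DEBUG: plog.c:199:plogdump(): fc7dfa15 5b5d18bf 00000000 00000000 0b100500 00000000 00000044 00000028 00000001 01000004 fc7dfa15 5b5d18bf 00000000 00000000 01100100 00000000 00000070
Sep 21 16:32:32 mac racoon: DEBUG: isakmp.c:531:isakmp_main(): malformed cookie received or the initiator's cookies collide.
Sep 21 16:32:52 mac racoon: ERROR: isakmp.c:1706:isakmp_ph1resend(): phase1 negotiation failed due to time up. fc7dfa155b5d18bf:0000000000000000
Nov  1 13:53:54 mac racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Nov  1 13:53:54 mac racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Aug 25 19:14:43 mac racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched.
Aug  5 20:05:27 mac racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
"""

# The 112-byte phase 1 request from the same thread, kept for decoding.
SENT_DUMP = ("fc7dfa15 5b5d18bf 00000000 00000000 01100100 00000000 00000070 05000034 00000001 00000001 "
             "00000028 01010001 00000020 01010000 800b0001 800c7080 80010005 80030001 80020001 80040001 "
             "0a00000c 011101f4 c0a80138 00000014 e2e59147 a73c03ce 319df5da 5dd11fdf")

LINE_RE = re.compile(r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ racoon: (?P<level>\w+): "
                     r"(?P<src>[\w.]+:\d+:\w+\(\)): (?P<msg>.*)$")

# Names from RFC 2408 and RFC 2407; only the values needed here are listed.
EXCHANGE = {1: "Base", 2: "Identity Protection (Main)", 4: "Aggressive", 5: "Informational"}
PAYLOAD = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
NOTIFY = {4: "INVALID-COOKIE", 14: "NO-PROPOSAL-CHOSEN", 18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
ESP_TRANSFORM = {2: "DES", 3: "3DES", 11: "NULL", 12: "AES"}   # IPSEC DOI ESP transform identifiers

# (key, substring racoon prints, what to check). Hints are pointers, not diagnoses.
RULES = [
    ("id_mismatch", "ID value mismatched", "phase 1 identifier type/value differs from the gateway's local/peer ID settings"),
    ("no_hash", "has no hash payload", "peer sent an unauthenticated informational message before phase 1 completed; compare phase 1 parameters"),
    ("cookie", "cookies collide", "peer's reply did not match the outstanding phase 1 exchange; decode the preceding plogdump line"),
    ("trns_mismatch", "trns_id mismatched", "phase 2 ESP transform differs"),
    ("ph1_timeout", "waiting for phase1", "phase 1 never completed; the earlier WARNING/ERROR lines carry the cause"),
    ("ph1_timeup", "phase1 negotiation failed", "no usable phase 1 reply; verify UDP/500 (UDP/4500 under NAT) reaches the gateway"),
    ("sa_expired", "ISAKMP-SA expired", "phase 1 SA reached its lifetime without renewal; match lifetimes on both sides"),
]


def decode_isakmp(hexdump):
    """Decode an ISAKMP header and walk its payload chain (RFC 2408, section 3)."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    icookie, rcookie, nxt, ver, xchg, flags, _msgid, length = struct.unpack("!8s8sBBBBII", data[:28])
    out = {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "version": f"{ver >> 4}.{ver & 0xF}",
           "exchange": EXCHANGE.get(xchg, str(xchg)), "encrypted": bool(flags & 1),
           "length": length, "payloads": []}
    off = 28
    while nxt != 0 and off + 4 <= len(data):
        plen = struct.unpack("!H", data[off + 2:off + 4])[0]
        if plen < 4:
            break  # a generic header shorter than itself would loop forever
        body = data[off + 4:off + plen]
        entry = {"type": PAYLOAD.get(nxt, str(nxt)), "length": plen}
        if nxt == 11 and len(body) >= 8:    # Notification: DOI, protocol, SPI size, notify type
            _doi, proto, spisz, ntype = struct.unpack("!IBBH", body[:8])
            entry.update(notify=NOTIFY.get(ntype, str(ntype)), protocol=proto, data=body[8 + spisz:].hex())
        elif nxt == 5 and len(body) >= 8:   # Identification: ID type, protocol, port, then the ID
            idtype, proto, port = struct.unpack("!BBH", body[:4])
            entry.update(id_type=idtype, protocol=proto, port=port)
            if idtype == 1:                 # ID_IPV4_ADDR
                entry["id"] = str(ipaddress.IPv4Address(body[4:8]))
        out["payloads"].append(entry)
        nxt = data[off]                     # next-payload byte of the header just consumed
        off += plen
    return out


def decode_trns(msg):
    """Turn 'trns_id mismatched: my:2 peer:3' into the two ESP algorithm names."""
    m = re.search(r"my:(\d+) peer:(\d+)", msg)
    return tuple(ESP_TRANSFORM.get(int(x), f"id {x}") for x in m.groups()) if m else None


def classify(msg):
    for key, needle, hint in RULES:
        if needle in msg:
            return key, hint
    return None


def triage(text):
    """Count known failure signatures and decode any packet dumps in a racoon log."""
    counts, hints, dumps = Counter(), {}, []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                        # IPSecuritas' own lines and stray output
        msg = m["msg"]
        if m["src"].endswith("plogdump()"):
            dumps.append(decode_isakmp(msg))
            continue
        hit = classify(msg)
        if hit:
            key, hint = hit
            if key == "trns_mismatch":
                mine, peer = decode_trns(msg)
                hint = f"{hint}: we propose {mine}, peer wants {peer}"
            counts[key] += 1
            hints.setdefault(key, hint)
    return {"counts": dict(counts), "hints": hints, "dumps": dumps}
```

Run on the Cookies Colliding dumps, the 112-byte request decodes as a Base-mode phase 1 message carrying SA, ID and Nonce payloads, and the 68-byte reply as an Informational exchange whose responder cookie is all zeros and whose single payload is a Notification of type INVALID-COOKIE that echoes the first 28 bytes of the client's own header; racoon cannot match such a reply to the exchange it started, reports it as a malformed cookie and keeps resending until phase 1 times out, which is the sequence the log shows. The trns_id line decodes to the client proposing DES where the gateway wants 3DES.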

Re: Watchguard Firebox X15 Edge
by swamphopper on 2005-01-28 05:14:11 +0100
I seem to have the same problem. Using VPN Tracker, I've got a VPN between my Mac and Firebox X1000, but IPSecuritas doesn't work. Can anyone suggest a solution? Thanks.

Automatically dial VPN ?
by bwinter on 2004-11-05 12:29:32 +0100
Hi - I have a user for whom I need the IPSecuritas VPN to dial automatically, say upon login. I have added IPSecuritas to the startup items in the user's account settings. I would like to be able to have it all happen automatically. Also, is there any way to have a dial-up connection dial an internet connection automatically before the VPN connection is attempted? Thanks

New Sample Configurations Available
by cnadig on 2004-11-07 01:44:46 +0100
Hello, please find sample configurations for Netgear FVS328, Netpilot VPN and Linksys BEFSX41 at [url]http://www.lobotomo.com/products/IPSecuritas/howtoUpdates.html[/url] Cheers, Christoph

router and ipsecuritas
by Fabrice on 2004-11-13 00:23:37 +0100
Hi, I need your help again. I'm using IPSecuritas on my PowerBook to connect via ADSL to my professional network (so "Host to network") with success. I've just received my Freebox, an ADSL modem with NAT properties. No way to connect to my network. The check finally comes up green, but I can't ping my network. I've hard-fixed my local IP in my local network. I use the following IP forwarding:
Port: 2746 - Protocol: tcp - Destination: 192.168.0.1 - Port: 2746
Port: 2746 - Protocol: udp - Destination: 192.168.0.1 - Port: 2746
Is that correct? Should I use the IP DMZ option or not? I've tried to modify IPSecuritas with "Network to network", with:
Remote Network: 172.23.0.0 / 16 (the network mask is 255.255.0.0)
Local network: 192.168.0.0 / 24 (the network mask is 255.255.255.0)
But it's not better.
Thanks in advance Fabrice

Re: router and ipsecuritas
by cnadig on 2004-11-14 00:04:24 +0100
Hello Fabrice, do you know the manufacturer and model of the router? Some routers require IPSec passthrough to be enabled explicitly or don't allow IPSec with NAT. Also, as it seems that the tunnel can be established successfully, a dump from tcpdump could be useful (tcpdump -i en0 for Ethernet or tcpdump -i en1 for Airport). Cheers, Christoph

Re: router and ipsecuritas
by Fabrice on 2004-11-14 14:51:00 +0100
[quote author=cnadig link=1100301817/0#1 date=1100387064]Hello Fabrice, do you know the manufacturer and model of the router? Some routers require IPSec passthrough to be enabled explicitly or don't allow IPSec with NAT. Also, as it seems that the tunnel can be established successfully, a dump from tcpdump could be useful (tcpdump -i en0 for Ethernet or tcpdump -i en1 for Airport). Cheers, Christoph[/quote]
Thanks for your response. I'm waiting for more information on the Freebox, but it's a specific modem of my provider (Free). Some people say it's pass-through, some others not. A person just told me "option priority must be on "legacy" and not on "normal" to not cut udp packets", but I can't find this option in IPSecuritas. I've just seen the "DHCP Pass-through" option in IPSecuritas; should I check it? For more information, here is a link to a picture of the online web page given by my provider to modify the NAT table: http://kerlienes.free.fr/freebox.jpg About tcpdump, can you please explain it to me? I don't understand at all, sorry. Thanks a lot in advance. Fabrice

Re: router and ipsecuritas
by akerem on 2005-01-09 12:38:10 +0100
Hi, If you use a CheckPoint firewall remotely, you should make sure that its VPN domain includes the IP addresses you are trying to connect to (the 172.23.0.0/16 block). That may be the problem.

Nortel and local bind issue
by djb on 2004-11-13 06:54:54 +0100
hi, I am attempting to connect to a Nortel Contivity but can barely start the connection when the log spits this out:
Nov 13 00:23:03 JDAB IPSecuritas: Racoon is running
Nov 13 00:23:03 JDAB IPSecuritas: Set kernel keys
Nov 13 00:23:03 JDAB racoon: ERROR: isakmp.c:1532:isakmp_setup_socket(): failed to bind (Address already in use).
Nov 13 00:23:03 JDAB racoon: ERROR: isakmp.c:1532:isakmp_setup_socket(): failed to bind (Address already in use).
Nov 13 00:23:03 JDAB racoon: ERROR: isakmp.c:1616:isakmp_open(): no address could be bound.
Nov 13 00:23:03 JDAB racoon: ERROR: isakmp.c:1616:isakmp_open(): no address could be bound.
lsof says that the other process holding the isakmp port is something called INM. Any thoughts or fixes? I cannot kill the inm proc for some reason. thanks derek

Re: Nortel and local bind issue
by cnadig on 2004-11-14 00:05:49 +0100
Hi Derek, do you have any more information on this process - I did a Google search but could not find anything. What happens if you create another user and log in as him - is the process still running? Christoph

Re: Nortel and local bind issue
by djb on 2004-11-15 05:20:19 +0100
this is the result of ps -aux | grep inm:
root 363 0.0 0.1 28068 296 ?? S 10:21PM 0:00.20 inm -p9165
the proc is run at startup ... thanks derek

Re: Nortel and local bind issue
by Grant McChesney on 2006-03-01 23:08:26 +0100
Do you by chance have the Netlock Contivity VPN Client from Apani installed? I do, and I get the same error. In fact, I get this error when I load the Netlock VPN after installing Securitas: Connection to the switch dropped due to an IKE/ISAKMP Error. This is probably the cause of the error. Try uninstalling the Netlock VPN client.

Classic Applications (Outlook2001) over VPN
by alhinds on 2004-11-16 20:20:49 +0100
Does anyone know if IPSecuritas will support applications running in the Classic environment (under OSX) over IPSec VPN? Main use required is Outlook2001 (as Entourage just doesn't seem to be up to scratch yet). Thanks...

network to network
by Fabrice on 2004-11-17 11:43:08 +0100
Hello everybody, Does anyone use the protocol "network to network"? In that case, thanks in advance for giving me the configuration for ipsecuritas. Should I modify anything on the server side (I use a Checkpoint firewall)? Thanks a lot Fabrice

Can't assign requested Address (Ipsecuritas 2.06)
by AndreasF on 2004-11-25 10:02:49 +0100
Hello! I am trying to connect to my office. But I keep getting this message in the log. I have used the same configuration before (and it worked). Does anybody understand what could be the possible error?
"Log output from IPSecuritas 2.0.6
Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Parsing configuration
Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Setting up racoon.conf
Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Setting up setkey.conf
Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Setting up psk.txt
Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Setting up tunnel.conf
Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Parsing configuration done
Nov 25 09:08:20 Andreas-Fredrikssons-dator IPSecuritas: Starting racoon...
Nov 25 09:08:20 Andreas-Fredrikssons-dator IPSecuritas: Racoon is running
Nov 25 09:08:20 Andreas-Fredrikssons-dator IPSecuritas: Set kernel keys
The result of line 7: File exists.
The result of line 8: File exists.
add net 192.168.1.0: gateway gif0
[b]ifconfig: SIOCSIFPHYADDR: Can't assign requested address
add net 192.168.100.0: gateway gif1
ifconfig: interface gif2 does not exist[/b]
delete net 192.168.1.0
delete net 192.168.100.0
route: writing to routing socket: No such process
delete net 192.168.100.0: not in table
ifconfig: interface gif2 does not exist
Nov 25 09:08:21 Andreas-Fredrikssons-dator IPSecuritas: Could not delete tunnel gif2 192.168.1.1 192.168.100.0/24
ifconfig: interface gif2 does not exist
Nov 25 09:08:21 Andreas-Fredrikssons-dator IPSecuritas: Could not delete gif2
Nov 25 09:08:21 Andreas-Fredrikssons-dator IPSecuritas: Stopping racoon...
Nov 25 09:08:22 Andreas-Fredrikssons-dator IPSecuritas: Racoon normally terminated
Nov 25 09:08:22 Andreas-Fredrikssons-dator IPSecuritas: Flushing kernel keys
Log output from IPSecuritas 2.0.6"
Regards Andreas

IPSEcuritas and zywall1
by gbuma on 2004-11-25 15:45:34 +0100
Hello, I am trying to create a connection between a distant laptop (dynamic IP) and the office firewall (dynamic IP, can be found with dyndns.org). I keep on getting the "couldn't find the pskey for OFFICE_IP" error. Auth is done with email for local and remote. Using pre-shared key. On ipsecuritas, mode is "host to network".

Sonicwall Pro 230
by Jim Collis on 2004-11-28 00:41:28 +0100
Has anybody successfully gotten IPSecuritas running on OSX 0.3.6 to work with a Sonicwall Pro 230? If so, can you provide complete configuration info?

Verified working with IpCop
by gloin on 2004-11-30 22:16:13 +0100
Am short on time, but will create a sample configuration page on my blog as soon as I can. Just so you know, it works both with certificate and PSK. Sorry for the tease...

Re: Verified working with IpCop
by gloin on 2004-12-14 21:05:16 +0100
Well, that took way too long, but I had some things come up at home here that really needed my attention.
Here's the link (which will hopefully change if some Beneficent Admin deigns to relieve my burgeoning bandwidth bill by mirroring the sample configurations): http://www.taupehat.com/vpn/ Enjoy!

Re: Verified working with IpCop
by Rob D on 2005-03-25 20:19:30 +0100
[quote author=gloin link=1101849373/0#1 date=1103054716]Well, that took way too long, but I had some things come up at home here that really needed my attention. Here's the link (which will hopefully change if some Beneficent Admin deigns to relieve my burgeoning bandwidth bill by mirroring the sample configurations): http://www.taupehat.com/vpn/ Enjoy![/quote]
Hi gloin / all, I've been unable to connect to IPCOP 1.4.2 from my 10.3.8 iBook. My log file is below. Any ideas?
Log output from IPSecuritas 2.0.6
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Parsing configuration
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up racoon.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up setkey.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up psk.txt
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up tunnel.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up resolv.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Parsing configuration done
Mar 25 19:08:25 Rob-Dykes-Computer IPSecuritas: Starting racoon...
Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Racoon is running
Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Set kernel keys
line 3: Unknown error at [192.168.0.0]
line 3: Unknown error at [192.168.10.3]
line 4: Unknown error at [192.168.10.3]
line 4: Unknown error at [192.168.0.0]
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(80.46.98.226,500): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(80.46.98.226,500): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,0): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,0): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.0.0,0): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.0.0,0): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,500): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,500): resolved to multiple address, taking the first one
Mar 25 19:08:29 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Mar 25 19:08:29 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Mar 25 19:08:48 Rob-Dykes-Computer racoon: ERROR:

Re: Verified working with IpCop
by gloin on 2005-03-26 19:58:49 +0100
Not entirely sure, but it does look like someone's multihoming. You probably want to start with the simplest case possible and then add in extra interfaces once things are working.

Re: Verified working with IpCop
by Rob - D on 2005-03-28 23:30:24 +0200
[quote author=gloin link=1101849373/0#3 date=1111863529]Not entirely sure, but it does look like someone's multihoming. You probably want to start with the simplest case possible and then add in extra interfaces once things are working.[/quote]
Gloin... someone = who? My local iBook is not multihomed... the only interface UP and with an IP is WLAN. WLAN is connected to an AP routing to the INTERNET to the remote IPCOP f/w. I can understand why you are saying that though... the 'resolved to multiple address' in the log file made me think something similar... Yet... I get all the way to phase 2 authentication. And then I am unable to make phase 2. It would seem that isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. is the crucial part of the problem.....

Re: Verified working with IpCop
by robd on 2005-03-29 22:48:39 +0200
Some further testing. Right. I've verified that all is working on the IPCOP side as I have successfully set up a net-to-net VPN connection to the IPCOP. Gotta work out what's going on on the client side for my host-to-net roadwarrior connection.

FreeS/WAN (X.509) connection fails
by petschni on 2004-12-02 09:32:40 +0100
Hello, I am trying to access the network at my university but unfortunately I get an error (see end of the message). The gateway runs on Debian/Linux and IPSec is implemented with Openswan. The data connection is secured with ESP (Encapsulated Security Payload, RFC 2406). In Openswan the 3DES encryption is used. Authentication works with X.509 certificates.
I got it to work in VPN Tracker but in IPSecuritas I get the error when I try to connect. I don't know if it is of any interest, but if you start VPN Tracker and IPSecuritas at the same time and establish the connection with VPN Tracker, the button in IPSecuritas turns green also, but if IPSecuritas has to do it on its own it stays red. Do you have any idea what I can do? greetings and thanks peter
Log output from IPSecuritas 2.0.6
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Parsing configuration
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up racoon.conf
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up setkey.conf
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up psk.txt
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up tunnel.conf
Dec 2 09:02:43 wlanbzw25 IPSecuritas: Parsing configuration done
Dec 2 09:02:44 wlanbzw25 IPSecuritas: Starting racoon...
Dec 2 09:02:44 wlanbzw25 IPSecuritas: Racoon is running
Dec 2 09:02:44 wlanbzw25 IPSecuritas: Set kernel keys
Dec 2 09:03:26 wlanbzw25 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 141.76.18.225->141.76.18.34
Dec 2 09:03:26 wlanbzw25 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 141.76.18.225->141.76.18.34

Sidewinder
by Chris Coyne on 2004-12-02 21:42:41 +0100
Hi Has anyone set up ipsecuritas to work with Sidewinder G2?? I am very confused as to how to do this. Any help would be great! Thanks Chris

Re: Sidewinder
by Chris Creighton on 2005-03-08 19:14:12 +0100
Yes, it's pretty easy. They now have an unsupported document explaining how to do this. Contact Secure Computing. However I am having a problem with the Mac in this regard, not the IPSEC configuration, that is stopping my Mac from beginning the negotiation.
I think the problem is what IPSecuritas is doing to set up the IPSEC connection, but since the error messages are vague to say the least, I can't tell what the problem is. See my other post. I have connected to the Sidewinder using FQDN, and fixed IP, both with shared secrets. I have not yet got the certificates to work, but I was working with 5.2.1.10, not 6.1, which may generate the files in the format that IPSecuritas will accept, i.e. *.pem format. Good luck ... Chris

VPN to Sonicwall TZ-170
by Doug Smart on 2004-12-13 22:51:05 +0100
Can ipsecuritas be used to create a VPN connection to a Sonicwall TZ170 using domain authentication? I have a group VPN policy set up that grants access using a pre-shared secret and the domain login credentials. I have not found anything about passing domain user and password credentials in the ipsecuritas online help or in the forum, which is why I am submitting a new topic. I have a few home Mac users (including myself) and I think it would be great for them to be able to connect using ipsecuritas. I have the ability to create new SAs, so if I can't use domain authentication I can use just about any method that works. Thanks. Doug

connecting to Fortinet VPN: "invalid ex
by Michael Hanisch on 2004-12-22 23:55:58 +0100
Hi everyone, I'm out of luck trying to connect my Mac to a VPN (host to network setup). The remote endpoint is a Fortinet 200 firewall w/ VPN. The log contains lots of debug messages, but also some errors, the first being:
Dec 22 23:51:20 Vigor11 racoon: DEBUG: plog.c:199:plogdump(): 7025a13e a4e13035 6fe41458 7991664e 08100601 ebfef208 0000004c c7fcbfb8 5681de4a f247e6e3 6c5f2990 685b48bc aa605eb6 c55a8fd4 a325ac70 7613fc0d d1dad56d 53f688e5 d6050555
Dec 22 23:51:20 Vigor11 racoon: ERROR: isakmp.c:759:isakmp_main(): Invalid exchange type 6 from X.X.X.X[500].
Dec 22 23:51:23 Vigor11 racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.11.11[500]
These error messages are repeated multiple times. Can anyone shed some light on this? I can adapt the firewall's config if necessary, but at the moment I don't have any idea where to start... I can provide more info if necessary.

Startup - IPsec failed
by taniwha on 2004-12-29 05:33:15 +0100
Apple Mac. When trying to establish the VPN I get the error message "Startup IPsec failed" instantly. Any ideas anyone?

Re: Startup - IPsec failed
by sdls on 2004-12-30 21:01:00 +0100
I had the same problem. I'm still testing, but I ran it as root and it got past the "ipsec failed". Try it as root. SDLS :)

Netscreen Xauth
by XAuth on 2005-01-07 21:31:19 +0100
Will IPSECURITAS support the authentication method Xauth or is that a Netscreen proprietary standard? Thanks!

Re: Netscreen Xauth
by tji on 2005-06-08 23:17:32 +0200
Xauth is not a Netscreen proprietary thing.. it was on the standards track, with a draft RFC. But, I don't think it was ever ratified (though I don't know for sure). While there are Xauth patches available for KAME / racoon, I don't think Apple has integrated that support into the Apple code. So, as far as I know, you cannot use Xauth with MacOS today. Also, I am not sure if one could get Xauth support by just updating the racoon binary in MacOS, or if the IPSec support in the kernel needs to be updated. If only racoon needs updating, it could be pretty easy. MacOS can be made to work with Netscreen, via standard pre-shared keys. But, the config is a lot more convoluted than the Xauth config. equinux / VPN Tracker has a good doc on configuring Netscreen to work with their client config software.

Re: Netscreen Xauth
by tji on 2005-07-08 19:55:21 +0200
I tried Xauth with a Netscreen gateway using the "VPN Tracker" demo, and I was able to connect. "VPN Tracker" is not free, but if you need Xauth, it's the only game going right now.

I have a sample config for CheckPoint
by akerem on 2005-01-09 11:23:00 +0100
Hi people, I have at last configured my Checkpoint NG R55 and my PowerBook with IPSecuritas 2.0.6 with certificates. The VPN connection works perfectly. I saw that, in the online help of IPSecuritas, using certificates is missing (and the online help says that it should be updated) so I would like to be the one who updates it. Also in the online help, there are some problems with certificate importing, so I would also like to correct those. Can somebody send me instructions about how to do this? So I can be of some help to people ;D Cheers, Kerem

Re: I have a sample config for CheckPoint
by Don on 2005-02-11 06:13:48 +0100
Could you please provide a sample of your configuration as well as the process you went through to get it to work? For example, did you need to make any changes to the CheckPoint side to get things working or was it just a case of getting all the IPSecuritas settings right? I've worked through all the settings with the CheckPoint firewall manager but have been unable to get things to work. I still don't know how to set the "Proposal Check" in the general tab or the "Local Identifier" or "Remote Identifier" in the Identification section of the ID/Auth tab. Any help would be appreciated. Thanks . . . Don

Symantec Security Gateway with IPsecuritas
by matteth on 2005-01-13 10:27:47 +0100
Has anyone been able to use IPSecuritas for VPN with the Symantec 360R, or any other in the 300-series firewalls? Thanks! /Mats

Re: Symantec Security Gateway with IPsecuritas
by Chris Liddle on 2005-02-19 02:13:33 +0100
I have the same issue; IPSecuritas <--> Symantec 360R - ? if anyone has this working.

Re: Symantec Security Gateway with IPsecuritas
by R Teller on 2005-08-16 19:35:24 +0200
Here is a Symantec article on how to set up a 200 series device using vaporsec.
I spoke with Symantec and they said a few helpful things, such as the username should be formatted as an email address and you should have firmware build 922 before starting. Here's the article http://service1.symantec.com/SUPPORT/ent-gate.nsf/6c5cd071f100c71888256ccd0050d548/3bc9eaa31908580888256e3e004a1d6c?OpenDocument&src=bar_sch_nam As an alternative you may visit http://www.symantec.com/search and type in the following document number 2004021808393554 I will be trying some of the "procedure" today, although from the look of it, they are not alike, lots of digging.

Re: Symantec Security Gateway with IPsecuritas
by RT on 2005-08-30 22:37:17 +0200
Tried the procedure listed on the site and adjusted for differences, but it will not connect. These are the log entries I get when connecting to the firewall:
<--- Log Begin---!>
[DATE TIME] Connection name - Responding to Aggressive Mode from Remote Peer *CLIENT IP ADDRESS*
[DATE TIME] Connection name - ERR:preshared secret disappeared!
[DATE TIME] Connection name - STATE_AGGR_R1: AUTHENTICATION_FAILED
[DATE TIME] Connection name - state transition function for STATE_AGGR_R0 failed: AUTHENTICATION_FAILED
[DATE TIME] Connection name - Sending ISAKMP OAK INFO (Notification IKE SA)
[DATE TIME] Connection name - Terminating connection
[DATE TIME] Connection name - Terminating connection
<---End Log---!>
Am I missing something? I need some assistance on this please. Thank you

Re: Symantec Security Gateway with IPsecuritas
by RT on 2005-09-20 22:11:52 +0200
Has anyone had any luck with this? Symantec is most definitely less than helpful. 360R from Tiger; supposedly it worked with vaporware on Panther.

Re: Symantec Security Gateway with IPsecuritas
by RT on 2005-09-26 17:41:55 +0200
Finally broke down and called Symantec tech support; wasn't able to get it to work. They finally got to the point where they said "sorry, can't help you".
So, if anyone has any idea how to make this work (it keeps saying the preshared secret has disappeared in the device log file, and I have been able to connect using Symantec's client), please let me know. Thank you.

Re: Symantec Security Gateway with IPsecuritas
by ron on 2005-10-10 23:35:12 +0200
use mac ids for this

Re: Symantec Security Gateway with IPsecuritas
by jc on 2006-01-29 23:26:09 +0100
Document ID: 2005021009270354

Re: Symantec Security Gateway with IPsecuritas
by pmossip on 2006-03-16 17:05:20 +0100
The Symantec 200R standard firmware only supports the "keyid" type of client identifier. The documents on Symantec's website where it worked with VAPORSEC were for a private 1.7I firmware build where they supported user_fqdn. This user_fqdn support was never added to the regular released firmware updates that are generally available, currently 1.8F. I have been able to use IPSecuritas to create a skeleton racoon config & then manually switch to using "keyid". -Paul Mossip

Certificate Manager
by Jose on 2005-01-16 04:47:47 +0100
Could anyone tell me where the Certificate Manager is? I need to import a Watchguard certificate but can't find that manager. Thanks for all your help

Re: Certificate Manager
by akerem on 2005-02-02 16:54:56 +0100
You can open Certificate Manager from File > Open Certificates Manager

Source code
by Leif Larsson on 2005-02-02 20:21:22 +0100
Hi, Out of curiosity, is the source code available for IPSecuritas? Cheers, /Leif

Re: Source code
by cnadig on 2005-02-10 22:43:27 +0100
It's not... :)

Re: Source code
by Ty on 2005-05-06 18:12:42 +0200
If I wanted to help donate features that I wanted (in terms of coding them myself), can I arrange to get the source and do some work on it? I am not interested in releasing the product, but I would like some features and I would be willing to code them myself and then hand them back to you for the next release.

Insert pauses, alternate proxy port, and l2tpd.
by sj7trunks on 2005-02-03 23:22:51 +0100
Hi there, Going through the configs and getting an understanding of what's going on, I see a couple of things that work on a Linux machine and not on OS X.
cat ipsecuritas_setkey.conf
flush;
spdflush;
spdadd 1.1.1.1/32 2.2.2.2/32 any -P in ipsec esp/transport/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P out ipsec esp/transport/2.2.2.2-1.1.1.1/require;
I set the proxy port on the Linux box to [1701] and the connection works fine.
spdadd 1.1.1.1[1701] 2.2.2.2 any -P in ipsec esp/transport/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2 1.1.1.1[1701] any -P out ipsec esp/transport/2.2.2.2-1.1.1.1/require;
----------
It'd be nice to maybe pause the startup so you can manually edit the config and put in some configuration variables. Or, if you specify MIP6, to ungrey an area where you can specify a UDP proxy port. I've also been able to upgrade the racoon binary but I run into the problem of MIP6 being outdated, another great place to insert a pause to do a replacement of MIP4 to proxy. This might also lead to getting NAT-T working for OS X. In the case of l2tpd, it seems to be running within the client. Is there a way to run this program in stages? I'm only curious because it would help with a lot of debug problems where you can't get further than the limited GUI interface. Any help here is greatly appreciated! Thanks, Benjamin

Re: Insert pauses, alternate proxy port, and l2tpd
by cnadig on 2005-02-10 22:56:57 +0100
Hello Benjamin, please get in touch with me on info@lobotomo.com as I'm working on the next release of IPSecuritas and I'd like to discuss ways to integrate your proposals. Christoph

Set kernel keys Problem ?
by fmusso on 2005-02-07 20:46:58 +0100
Hi everybody, No way to start a VPN connection with version 2.06 and MAC OS 10.3.7. Here is my log:
Log output from IPSecuritas 2.0.6
Feb 7 20:43:16 Titanium IPSecuritas: Parsing configuration
Feb 7 20:43:16 Titanium IPSecuritas: Setting up racoon.conf
Feb 7 20:43:16 Titanium IPSecuritas: Setting up setkey.conf
Feb 7 20:43:16 Titanium IPSecuritas: Setting up psk.txt
Feb 7 20:43:16 Titanium IPSecuritas: Setting up tunnel.conf
Feb 7 20:43:16 Titanium IPSecuritas: Parsing configuration done
Feb 7 20:43:17 Titanium IPSecuritas: Starting racoon...
Feb 7 20:43:17 Titanium IPSecuritas: Racoon is running
Feb 7 20:43:17 Titanium IPSecuritas: Set kernel keys
And no more messages... I am sure of my VPN configuration. But it is strange: no error message. Any idea?

Re: Set kernel keys Problem ?
by fmusso on 2005-02-07 22:02:04 +0100
does VPN TRACKER make changes in my system?

SonicWALL TZ170W Works
by Eric Kaiser on 2005-02-08 18:12:02 +0100
Here is my current setup. PowerBook G4 10.3.7 and SonicWALL TZ170W with SonicOS Enhanced 2.6.0.4-42e. The connection is through the airport/wireless interface.
SonicWALL settings:
General: IKE using Preshared Secret on the WLAN GroupVPN
Proposals:
  IKE (Phase 1): DH Group 2, Encryption 3DES, Authentication SHA1, Life Time 28800 seconds
  IPsec (Phase 2): Protocol ESP, Encryption 3DES, Enable Perfect Forward Secrecy checked, DH Group 2, Life Time 28800 seconds
Advanced: All boxes unchecked
  Default Gateway 192.168.225.193 (which is my LAN gateway)
  Allow Unauthenticated VPN Client Access: All Interface IP
Client:
  Allow Connections to: Split Tunnels
  Set Default Route as this Gateway: checked
  All other boxes unchecked

IPSecuritas settings:
General:
  Mode: Host to Network
  Remote IPsec Device: 192.168.225.161 (my WLAN gateway)
  Remote Network: 192.168.225.192/27 (my LAN network address/subnet)
  Local Address: blank
  Exchange Mode: Aggressive (only one checked)
  Proposal Check: Obey
  Nonce Size: 16
Phase 1: Same settings as on the SonicWALL
Phase 2: Same settings as on the SonicWALL, only 3DES checked
Id/Auth:
  Local Identifier: Address
  Remote Identifier: DN (put the Unique Firewall Identifier from the SonicWALL in this box)
  Preshared Secret: Obviously the Preshared Secret from the SonicWALL
Options: Check the following: Compression Deflate

Re: SonicWALL TZ170W Works
by Simon T on 2005-02-10 04:56:01 +0100
Were you using RADIUS auth for this? If so, how do you use the username and password?

Re: SonicWALL TZ170W Works
by Eric Kaiser on 2005-02-20 16:24:03 +0100
I was not using Radius Auth. or Xauth for the VPN. However, I do use WPA-EAP for wireless authentication.

Sonicwall 4060 Pro connection problem via DSL
by jharris on 2005-02-08 23:46:11 +0100
We are remotely connecting to our network via a Sonicwall 4060 Pro using IPSecuritas v. 2.0.5 in Mac OS X 10.3.x. I can successfully connect to the network from our Comcast Internet connection at work as well as mine from home. We have two remote properties that have an Earthlink DSL connection as a backup solution.
We keep getting a "no hash payload" error during the Phase 1 negotiation. All Macs are using the same config settings. They are:
General: Host to Network, Aggressive exchange mode, and Claim proposal check, nonce size is 16
Phase 1: Lifetime=9600 seconds, Group 1, Encryption=DES, Authentication=MD5
Phase 2: Lifetime=3600 seconds, PFS Group=None, Encryption=3DES, Authentication=HMAC SHA1
ID/AUTH: Local ID=Address, Remote ID=DN + Sonicwall Unique ID, Authentication by Preshared Secret
Options: IPSec/IKE Options enabled - IPSec DOI, Generate Policy, SIT_IDENTITY_ONLY, MIP6, Initial Contact, and DHCP Pass-Through; General Options are Establish IKE immediately
I would post a full log, but each time I do I get an error that the message is too long. I will be happy to email the full log if needed. For now only what appears to be the relevant portion is included:
Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: isakmp.c:1718:isakmp_ph1resend(): resend phase1 packet 3e2ca792b4de9801:0000000000000000
Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: isakmp.c:233:isakmp_handler(): ===
Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: isakmp.c:234:isakmp_handler(): 92 bytes message received from 207.59.138.242[500]
Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: plog.c:199:plogdump(): 3e2ca792 b4de9801 8cf63ebd ff806252 0b100500 00000000 0000005c 00000040 00000000 0110000e 3e2ca792 b4de9801 8cf63ebd ff806252 00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069 73206368 6f73656e
Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: isakmp_inf.c:115:isakmp_info_recv(): receive Information.
Feb 8 16:47:20 user-vc8f15a racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Feb 8 16:47:20 user-vc8f15a racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Any assistance that can be offered in solving this dilemma would be greatly appreciated.
All that the support at Sonicwall can tell me is that the problem is in the Phase 1 configuration. That doesn't seem likely, as these settings are working via cable modem.

Sonicwall Enhanced OS using radius by simon t on 2005-02-10 05:02:43 +0100
Question: I see that the client works with SonicWALL Enhanced OS group connection; however, does it work with this when you have the user authenticate? If not, are there any step-by-step solutions, i.e. setting up another SA on Enhanced OS and allowing the client to connect? In advance, thanks for your help. P.S. Great client.

Re: Sonicwall Enhanced OS using radius by Eric Kaiser on 2005-02-20 16:33:36 +0100
Are you referring to using Xauth? If you are, then you have to establish the appropriate user group which will authenticate against the SonicWALL (Local Users and Local Groups) or an external RADIUS server. This is assuming that IPSecuritas supports Xauth.

Connecting to Linksys RV082 by Orb on 2005-02-17 00:59:24 +0100
I've been fiddling all day trying to get my PowerBook to connect to my remote RV082. I can connect via PPTP, but getting IPsec to work is not going well. Anyone have a config that works that I can play with? Thanks.

Re: Connecting to Linksys RV082 by apelsin on 2005-03-25 19:39:25 +0100
Hi, I too have an RV082; I can't get anything to work. Which firmware are you using? Could you send me your settings for PPTP? I'll let you know if I can get IPsec to work. Thanks

Netgear FVS318 flakey by Troy Virojana on 2005-02-17 19:07:53 +0100
Hi. I am able to connect to the router, but it stops after 2 to 3 minutes. I have used the same settings as a VPN Tracker client, who doesn't have this problem. It will connect, and I'm in the middle of doing something, and it just stops talking. The green checkmark is still there, and no errors come up in the log at that time. The only issue I get when I log on is this.
Feb 17 12:01:38 Dhole IPSecuritas: Starting racoon...
Feb 17 12:01:38 Dhole IPSecuritas: Racoon is running
Feb 17 12:01:38 Dhole IPSecuritas: Set kernel keys
line 3: Unknown error at [192.168.1.0]
line 3: Unknown error at [10.1.2.3]
line 4: Unknown error at [10.1.2.3]
line 4: Unknown error at [192.168.1.0]
Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(X.X.X.X,500): resolved to multiple address, taking the first one
Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(X.X.X.X,500): resolved to multiple address, taking the first one
Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(10.1.2.3,0): resolved to multiple address, taking the first one
Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(10.1.2.3,0): resolved to multiple address, taking the first one
Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.1.0,0): resolved to multiple address, taking the first one
Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.1.0,0): resolved to multiple address, taking the first one
Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(10.69.69.101,500): resolved to multiple address, taking the first one
Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(10.69.69.101,500): resolved to multiple address, taking the first one
add net 192.168.1.0: gateway gif0

As I said, it works, but only for a few minutes. I copied the settings from VPN Tracker, and I used the setup guide from Equinux. The VPN Tracker client has no issue. I moved the key life from 3600 (recommended by Equinux) to 28800 to see if that would help, but it did not. Any ideas? I don't want to buy VPN Tracker if I don't need to, but it seems like that is the only one that works well ALL the time. By the way, I have no problems with IPSecuritas connecting to a SonicWALL TZ170 at all.
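The 92-byte packet that racoon dumped as hex in the jharris "no hash payload" post above can be decoded by hand, and doing so shows what the peer was actually saying. The following Python is an added example, not code from this forum, from IPSecuritas or from racoon: it parses the ISAKMP header and payload chain as laid out in RFC 2408 and names the exchange, payload and notification types that racoon's messages only number (the same tables explain other racoon errors quoted in this forum, for instance "received unexpecting payload type 7", where 7 is a Certificate Request). The packet bytes are copied from the post's plogdump line; everything else is constructed for the example.

```python
"""Decode an IKEv1/ISAKMP packet as racoon's plogdump shows it (layout per RFC 2408)."""
import struct

# Identifier tables from RFC 2408, used to name what racoon's messages only number.
EXCHANGE_TYPES = {0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
                  3: "Authentication Only", 4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "Key Exchange",
                 5: "Identification", 6: "Certificate", 7: "Certificate Request",
                 8: "Hash", 9: "Signature", 10: "Nonce", 11: "Notification",
                 12: "Delete", 13: "Vendor ID"}
NOTIFY_TYPES = {1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
                4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
                7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
                10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
                13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN", 15: "BAD-PROPOSAL-SYNTAX",
                16: "PAYLOAD-MALFORMED", 17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
                19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE", 21: "CERT-TYPE-UNSUPPORTED",
                22: "INVALID-CERT-AUTHORITY", 23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
                25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION", 27: "NOTIFY-SA-LIFETIME",
                28: "CERTIFICATE-UNAVAILABLE", 29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS"}
FLAG_ENCRYPTION = 0x01  # header flags bit 0: the payloads that follow are encrypted

# The 92-byte packet from the jharris log above (copied from the post's plogdump line).
RACOON_DUMP = bytes.fromhex(
    "3e2ca792 b4de9801 8cf63ebd ff806252 0b100500 00000000 0000005c 00000040 "
    "00000000 0110000e 3e2ca792 b4de9801 8cf63ebd ff806252 00060004 00000000 "
    "00040018 0000004e 6f207072 6f706f73 616c2069 73206368 6f73656e")


def parse_isakmp(raw: bytes) -> dict:
    """Parse the fixed 28-byte ISAKMP header, then walk the chained payloads."""
    if len(raw) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, next_pl, version, exch, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", raw[:28])
    if length != len(raw):
        raise ValueError(f"header says {length} bytes, got {len(raw)}")
    msg = {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
           "version": f"{version >> 4}.{version & 0xF}",
           "exchange_type": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
           "encrypted": bool(flags & FLAG_ENCRYPTION), "message_id": msgid, "payloads": []}
    off = 28
    while next_pl != 0:  # next-payload 0 (NONE) terminates the chain
        if off + 4 > len(raw):
            raise ValueError("payload chain runs past end of packet")
        pl_next, _reserved, pl_len = struct.unpack("!BBH", raw[off:off + 4])
        if pl_len < 4 or off + pl_len > len(raw):
            raise ValueError(f"bad payload length {pl_len} at offset {off}")
        body = raw[off + 4:off + pl_len]
        entry = {"type": PAYLOAD_TYPES.get(next_pl, f"unknown ({next_pl})")}
        if next_pl == 11 and len(body) >= 8:  # Notification payload (RFC 2408 section 3.14)
            doi, proto, spi_size, ntype = struct.unpack("!IBBH", body[:8])
            data = body[8 + spi_size:]
            entry.update({"doi": doi, "protocol_id": proto, "spi": body[8:8 + spi_size].hex(),
                          "notify_type": NOTIFY_TYPES.get(ntype, f"unknown ({ntype})"),
                          # Peers often append a readable reason after vendor attributes;
                          # keep only the printable ASCII run.
                          "text": "".join(chr(b) for b in data if 32 <= b < 127).strip()})
        msg["payloads"].append(entry)
        next_pl, off = pl_next, off + pl_len
    return msg


def explain(raw: bytes) -> str:
    """Turn a packet into the one-line verdict a log reader wants."""
    msg = parse_isakmp(raw)
    has_hash = any(p["type"] == "Hash" for p in msg["payloads"])
    notes = [f'{p.get("notify_type", "?")} "{p.get("text", "")}"'
             for p in msg["payloads"] if p["type"] == "Notification"]
    if msg["exchange_type"] == "Informational" and not (has_hash or msg["encrypted"]):
        verdict = ("unauthenticated Informational message (no HASH payload, encryption flag clear); "
                   "racoon ignores it")
    else:
        verdict = f'{msg["exchange_type"]} exchange'
    return f"{verdict}; notification: {', '.join(notes) or 'none'}"


if __name__ == "__main__":
    print(explain(RACOON_DUMP))
```

Run stand-alone, it reports that the peer answered with an unencrypted Informational exchange carrying NO-PROPOSAL-CHOSEN and the text "No proposal is chosen", i.e. the DSL-side peer rejected the Phase 1 proposal. Since the message has no HASH payload racoon cannot authenticate it and discards it with the error seen in the log, which is why the reason only survives as a hex dump. An unauthenticated notification is also easy for a third party to forge, so racoon's refusal is the right default: treat the text as a hint and compare the Phase 1 settings on both ends rather than acting on it blindly.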
Re: Netgear FVS318 flakey by Roger Meador on 2005-03-21 15:35:17 +0100
Hey, I am having trouble with a 318 as well. Have you had any luck? Roger

VPN established - unable to pass traffic by Kirk Paulsen on 2005-02-20 06:04:40 +0100
We are trying to establish a VPN between a PowerBook G4 running 10.3.7 and a Netscreen 5GT. This is the only Mac in the organization and I will admit that I know very little about them. We have established the tunnels using Netscreen Remote on the Windows XP laptops and they all work as expected. I have been able to establish the tunnel between the PowerBook and the Netscreen (both logs show the tunnel connected and green checkmark in IPSecuritas); however, when I try to ping anything on the LAN behind the firewall there is complete loss. Is there some special setting for the Mac to know that the traffic is bound for the VPN? These are the settings I currently have for IPSecuritas:

General:
  Mode of Operation: Host to Network
  Remote IPSec Device: 64.x.x.x
  Remote Network: 192.168.14.0/24
  Local Address: 192.168.14.140 (also have tried leaving this blank - same result)
  Exchange Mode: Aggressive
  Proposal Check: Obey
  Nonce Size: 16
Phase 1:
  Lifetime: 28800 seconds
  DH Group: Mod1024 (2)
  Encryption: 3DES
  Authentication: SHA1
Phase 2:
  Lifetime: 28800 seconds
  PFS Group: Mod1024 (2)
  Encryption: 3DES
  Authentication: HMAC SHA1
Id/Auth:
  Local Identifier: DN @user@company.net (found in an article online to preface with @, since we were having trouble in the beginning even establishing the tunnel because the firewall didn't recognize the peer)
  Remote Identifier: blank
  Preshared Secret: ********
Options:
  Compression Deflate checked (greyed out)
  IPSec DOI checked
  SIT_IDENTITY_ONLY checked
  Initial Contact checked
  MIP6 checked
  DHCP Pass-through checked
  Establish IKE immediately checked
  all other options unchecked

Thanks in advance for any help.
Re: VPN established - unable to pass traffic by Kirk Paulsen on 2005-02-20 21:27:32 +0100
An update for anyone that is trying to do a similar configuration. Took the PowerBook home and everything worked fine when behind a Linksys router. At the office, we were behind our Netscreen and even though none of our PCs had a problem, something with the PowerBook and our Netscreen was causing traffic not to be routed or passed correctly. Another note: found while home that the configuration worked best with the Local Address left blank.

Re: VPN established - unable to pass traffic by KJ on 2005-04-14 22:19:20 +0200
I had the same problem with a PowerMac G5 and a bigger Netscreen as well; we solved it with turning on reverse-nat on our VPN policy at the Netscreen.

Re: VPN established - unable to pass traffic by Paul on 2005-06-22 02:54:31 +0200
Reverse-Nat? Do you mean NAT traversal or incoming NAT translation? Regards, Paul.

Isakmp.c 1361: failed2bind(address already in use) by Chris Creighton on 2005-03-08 01:22:38 +0100
I am baffled by this as I am clueless as to what address it is referring to. My internal Ethernet address is not the same address that I am trying to reach. But I get this message quickly and it fails to even begin to talk to the remote IKE server. Any ideas? I am behind on a project just because of this simple problem. I am assuming it's simple. This is not an issue of how IPSEC is configured with IPSecuritas, as at times it works, but at times I get these errors and it just stops trying, quickly. Thanks much ... Chris

Mar 2 00:08:40 Chris racoon: DEBUG2: cfparse.y:1354:cfparse(): parse successed.
Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1361:isakmp_open(): failed to bind (Address already in use).
Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1361:isakmp_open(): failed to bind (Address already in use).
Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1384:isakmp_open(): no address could be bound.
Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1384:isakmp_open(): no address could be bound.

Error Messages by Jeremy Brown on 2005-03-09 06:10:11 +0100
Hello, I am trying to connect to a Sidewinder G2 using IPSecuritas. I have received the document from Secure Computing on how to set this up and followed the directions. I am using self-signed certificates, imported in PEM format. I am directly connected to the Internet (not behind a firewall/NAT) and have full outgoing access. I have tested this VPN on Windows with their supplied SoftRemote program and confirmed that the server configuration is correct. I'm stumped, particularly at the messages saying it's resolved to multiple addresses. Any help on this would be *greatly* appreciated. I have google'd for help and come up dry. Here is a log dump (IP's have been censored):

Log output from IPSecuritas 2.0.6
Mar 8 21:02:09 jbrown IPSecuritas: Parsing configuration
Mar 8 21:02:09 jbrown IPSecuritas: Setting up racoon.conf
Mar 8 21:02:09 jbrown IPSecuritas: Setting up setkey.conf
Mar 8 21:02:09 jbrown IPSecuritas: Setting up psk.txt
Mar 8 21:02:09 jbrown IPSecuritas: Setting up tunnel.conf
Mar 8 21:02:09 jbrown IPSecuritas: Parsing configuration done
Mar 8 21:02:10 jbrown IPSecuritas: Starting racoon...
Mar 8 21:02:11 jbrown IPSecuritas: Racoon is running
Mar 8 21:02:11 jbrown IPSecuritas: Set kernel keys
line 3: Unknown error at [<remote internal subnet>]
line 3: Unknown error at [<my IP address>]
line 4: Unknown error at [<my IP address>]
line 4: Unknown error at [<remote internal subnet>]
Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(<VPN server IP>,500): resolved to multiple address, taking the first one
Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(<VPN server IP>,500): resolved to multiple address, taking the first one
Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(<my IP address>,0): resolved to multiple address, taking the first one
Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(<my IP address>,0): resolved to multiple address, taking the first one
Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(<remote internal subnet>,0): resolved to multiple address, taking the first one
Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(<remote internal subnet>,0): resolved to multiple address, taking the first one
Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(<my IP address>,500): resolved to multiple address, taking the first one
Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(<my IP address>,500): resolved to multiple address, taking the first one
Mar 8 21:02:11 jbrown racoon: ERROR: isakmp_ident.c:237:ident_i2recv(): ignore the packet, received unexpecting payload type 7.
Mar 8 21:02:11 jbrown racoon: ERROR: isakmp_ident.c:237:ident_i2recv(): ignore the packet, received unexpecting payload type 7.
Mar 8 21:02:42 jbrown racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP <VPN server IP>-><my IP address>
Netgear FVL328 configuration same as FVS328? by Eric Kelly on 2005-03-18 18:50:22 +0100
Anybody know if the optimal configuration for the FVL328 would be the same as for the FVS328? Thanks, Eric

How To Read Log File by GLC on 2005-03-19 05:58:00 +0100
If I could understand the log file messages, I would not post a note that says "I tried everything and it still does not work!" I am trying to tunnel in to a Fortigate. I finally have a green checkmark, but when I run Remote Desktop, it cannot see anything. The log file has lots of info, but I do not understand it. Is there a "How to Read The Log File" FAQ somewhere? Thanks!

Re: How To Read Log File by robd on 2005-03-26 14:14:09 +0100
What do these error messages mean? I agree GLC, we need some more help so we can help ourselves! Can we get an IPSecuritas wiki? I'd be keen to help.

10.3.80 to IPCOP 1.4.2 by Rob on 2005-03-25 20:15:25 +0100
I've been following this HOWTO http://www.taupehat.com/vpn/ to get my 10.3.8 machine to connect to an IPCOP firewall v1.4.2. My log output is below. Anyone got any ideas as to why it is going wrong?

Log output from IPSecuritas 2.0.6
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Parsing configuration
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up racoon.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up setkey.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up psk.txt
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up tunnel.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up resolv.conf
Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Parsing configuration done
Mar 25 19:08:25 Rob-Dykes-Computer IPSecuritas: Starting racoon...
Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Racoon is running
Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Set kernel keys
line 3: Unknown error at [192.168.0.0]
line 3: Unknown error at [192.168.10.3]
line 4: Unknown error at [192.168.10.3]
line 4: Unknown error at [192.168.0.0]
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(80.46.98.226,500): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(80.46.98.226,500): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,0): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,0): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.0.0,0): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.0.0,0): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,500): resolved to multiple address, taking the first one
Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,500): resolved to multiple address, taking the first one
Mar 25 19:08:29 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Mar 25 19:08:29 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Mar 25 19:08:48 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Mar 25 19:08:48 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Mar 25 19:08:58 Rob-Dykes-Computer racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.46.98.226 give up to get IPsec-SA due to

Re: 10.3.80 to IPCOP 1.4.2 by Matt Hodson on 2005-04-15 12:20:24 +0200
Any luck on your problem? I have just got a Mac and am trying to use IPSecuritas to connect as an L2TP road warrior to a Smoothwall network, but I get the same errors in the log, i.e.

line 3: Unknown error at [192.168.111.0]
line 3: Unknown error at [192.168.111.31]
line 4: Unknown error at [192.168.111.31]
line 4: Unknown error at [192.168.111.0]
add net 192.168.111.0:gateway gif0
Apr 15 09:39:03 Junta racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo( etc ......

using OS X 10.3.8, IPSecuritas 2.0.6. Regards, Matt

Re: 10.3.80 to IPCOP 1.4.2 by Tsathul on 2005-04-22 19:26:06 +0200
Similar problems here with OS X 10.3.8 and IPSecuritas 2.0.6. Tried changing to dialup and back to network (read somewhere that this resets some network settings that can get corrupted in OS X 10.3) but that had no effect. So, used the recent combo updater to OS X 10.3.9 and hey! It actually started negotiating with the ZyWALL router at headquarters. Some configuration debugging and then the link was up. IPSecuritas has been out for a while so it must have worked with earlier versions of OS X 10.3. However there may be something faulty added in 10.3.8 that was fixed in 10.3.9? Or maybe just rebooting solved the problem and the update is a red herring. Regardless, all is not perfect: my connection dropped this morning and now I can't seem to restore it. If it's not one thing it's another.

alias IP address on the Mac by Thomas on 2005-03-31 12:03:07 +0200
Hi, I have successfully managed to get VPN Tracker to work with my Linksys RV082 router despite the fact that my client machine resides behind a NAT firewall.
To do this I had to set a virtual IP in VPN Tracker. Does anyone know if a virtual IP address can be set in IPSecuritas? And if so, how?

Strangeness with port 9 at startup... by NickBoz on 2005-04-01 06:36:44 +0200
I'm curious about the usage of port 9 by IPSecuritas. When starting the latest version of the application, it immediately tries to contact the various IPSec tunnel destinations via port 9 (aka Discard protocol). Since the IPsec destination address is my firewall's built-in IPSec VPN server, it immediately closes down the socket and blocks the outside IP address I was using. I have the firewall's intrusion detection system turned on. As a result of the close, IPSecuritas fails immediately and contains nothing in its log. Now, I can turn all of this firewall blocking off, but what I don't understand is why this would ever work. Who is going to have a system available on the Internet that will respond to queries on port 9? It is unsafe and clearly not part of the standard specs I have been reading. Furthermore, it prevents IPSecuritas from working at all. If I try the same configuration in VaporSec, I can at least get to the negotiation stage of phase 1. Anyone have any ideas as to why port 9 is used? Can it be turned off? Thanks, Nick

Re: Strangeness with port 9 at startup... by cnadig on 2005-04-11 00:22:24 +0200
Hello Nick, a UDP packet to port 9 is sent to start the key exchange by racoon. Without this packet, racoon will only start the key exchange, and thus establish the tunnel, with the first user traffic for the remote network. You can switch this off by disabling the 'Establish IKE immediately' option in your connection definition. In this case, you need to access the remote network manually to start IKE. Christoph

Tiger compatibility by AaronA1975 on 2005-04-04 19:10:51 +0200
Is the current version of IPSecuritas compatible with Tiger, or will there be an update issued?
Re: Tiger compatibility by Andreas Ley on 2005-04-27 16:04:08 +0200
Seems to work fine on 10.4, Build 8A428. But the Finder still stops responding whenever a connected AFP volume doesn't respond fast enough, which is a pain, but nothing to blame Lobotomo for. :)

Re: Tiger compatibility by jayk on 2005-04-30 09:41:17 +0200
There is a minor incompatibility that I noticed. The 'replace DNS' settings option in preferences no longer works under Tiger. It does put the info in /etc/resolv.conf, but apparently Tiger ignores that now. I think it has to go into netinfo or something for it to be effective.

Re: Tiger compatibility by UncleRobin on 2005-05-01 01:11:11 +0200
Without a doubt, IPSecuritas is the best VPN client I have used, by far. However it seems like Tiger has crippled it. It works, but it is very sluggish. Ping packets that were taking 40ms to return are now typically 500ms and more, if they return. UR

Re: Tiger compatibility by Influence on 2005-05-01 17:02:00 +0200
I've noticed the same issue as UncleRobin: since upgrading to Tiger the latency went up from 100ms to 1000ms, rendering my VPN connection basically unusable (at the very least for interactive applications like ssh). Any idea what's the problem? Thanks, Influence

Re: Tiger compatibility by RotundRanter on 2005-05-02 03:47:42 +0200
I am seeing the same thing; connections still work but are really slow, to the point of being unusable. I've noticed it with Windows shares and ssh/sftp. Anyone have a workaround? I could provide Ethereal output if that helps.

NAT-T work ? by befek-18 on 2005-04-12 09:49:15 +0200
Hello, short question. Is there someone with a working NAT traversal environment (IPSecuritas behind a NAT router over UDP/4500)? Uwe

Re: NAT-T work ? by Sander on 2005-04-22 22:46:10 +0200
I had the same question and I e-mailed Lobotomo about it. At this moment Mac OS X does not support NAT-T.
It will come with Mac OS X Tiger, but it only supports one implementation of NAT-T, which is probably not compatible with most routers/VPN servers.

Connect to D-Link DFL-200 by Essington on 2005-04-23 02:52:50 +0200
I am trying to connect to a D-Link DFL-200, and am getting an error: Invalid exchange type 6 from xxx.xxx.xxx.xxx. Any idea where I should start mucking around to alleviate this? Any ideas would be most helpful. Thanks, -jason

Re: Connect to D-Link DFL-200 by dkreutz on 2005-08-20 18:40:46 +0200
I use IPSecuritas to connect to a D-Link DFL-700. On the firewall configure a VPN of roaming type. Enter local network and preshared secret key. Do not change any of the advanced settings. IPSecuritas configuration as follows:

General: Exchange mode: main, Proposal check: claim, Nonce size: 16
Phase 1: Lifetime 28800, DH group: Mod1024 (2), Encryption: AES 128, Authentication: MD5
Phase 2: Lifetime 28800, PFS group: Mod1024 (2), Encryption: DES/3DES/AES 128, Authentication: HMAC MD5/HMAC SHA1
ID/Auth: Local identifier: Address, Remote identifier: Address, enter preshared secret key (same as above)
Options: Initial contact, Generate policy, MIP6, Establish IKE immediately

IPSecuritas SonicWall Pro 230 by stewymac on 2005-05-01 15:39:12 +0200
Hi folks, I am having troubles getting IPSecuritas 2.0.6 to work with my SonicWall Pro 230 and Mac OS X 10.3.9. I have tried creating a separate SA and tried using the GroupVPN, but no luck. I was hoping someone could post their client and firewall config. I have been through the forums and have tried all the suggestions... any help would be really great. Thanks, stewymac

Re: IPSecuritas SonicWall Pro 230 by Guest on 2005-07-28 20:32:07 +0200
Bump to this, having the same issue with SonicWALL firmware upgrade 3.1.

Tiger Compatibility by cnadig on 2005-05-01 22:22:59 +0200
Hello, there have been a number of user reports on IPSecuritas on Tiger.
So far, the following problems have been reported to us:

a. Tunnel establishes normally, but throughput is very bad, packet round-trip times (ping) between 500 and 1000ms (on connections with approx. 50ms before). This seems to be a bug in the MacOS kernel.
b. DNS replacement does not work anymore - the settings are ignored.
c. In one case, the tunnel could not be established at all.

We are working on problems b. and c., while only Apple can resolve a. At the moment we don't recommend updating to Tiger if you rely on VPN connectivity. More user feedback (positive or negative) is highly appreciated - please include a short summary of your setup (peer device, mode of operation etc.). Any progress will be made public on http://www.lobotomo.com and in this forum. Thanks, Christoph

Re: Tiger Compatibility by Kevin on 2005-05-02 02:51:47 +0200
I've been hit by a & b. My ping times are in the 1000ms range (slightly over, actually). For the DNS issue, my resolv.conf does change, but the settings in it are ignored. Kevin

Re: Tiger Compatibility by frogmella on 2005-05-03 13:00:18 +0200
Using IPSecuritas to connect to a CheckPoint SecuRemote VPN. The good news is that IPSecuritas does actually create the connection (this was not working in earlier betas of Tiger). But yes, (a) is a problem: although I can SSH to servers within my company, it's slow, and Mail.app fails connecting to our Exchange server. I don't use (b) - yet - and haven't done enough testing to see if (c) occurs. Thanks for the excellent work!

Re: Tiger Compatibility by J Mitchell on 2005-05-03 14:39:42 +0200
I can confirm the 1000ms ping time. The tunnel to a GNAT Box GB-1000 is established but performance is very poor. Mac OS X 10.4, dual 500.
Thanks, Jonathan

Re: Tiger Compatibility by Matthias on 2005-05-03 16:42:53 +0200
Same problem here: 2.06 with OS X 10.4, various Macs connecting to Checkpoint FW1. Tunnel seems to be working, ping >1000. DNS replacement seems to work, because on the command line nslookup or dig do work OK; however, the browser does not seem to pick up the DNS settings. Hope that helps, can provide more details if anybody wants... Thanks for the great app, and let's hope we'll solve this fast... Matthias

Re: Tiger Compatibility by Terry Katz on 2005-05-03 23:14:02 +0200
Same issues here. 1000ms ping times, mostly unusable. OS X 10.4 on a PM G5 Dual 2.5GHz, and a 17" PB 1GHz connecting to various SonicWall devices. -Terry

Re: Tiger Compatibility by Cid Matrix on 2005-05-04 16:10:39 +0200
Upgraded my PB to Tiger. I'm having issue "c" while attempting to connect to my corporate SonicWall firewall.

Re: Tiger Compatibility by Andreas Ley on 2005-05-05 00:30:00 +0200
Establishing a "Host To Network" tunnel to a m0n0wall (http://m0n0.ch/wall) works fine, but I too have the problem with high pings (>1000ms). I thought my WLAN was the cause, but apparently it isn't...

Re: Tiger Compatibility by Craig on 2005-05-05 01:28:35 +0200
Also seeing the (a) & (b) problems connecting from a test system (old 600 MHz G3 iBook) to a Netgear FVX538 in a Host-To-Network configuration. In testing, I noticed that the DNS for "host myserver.mydomain.com" worked most of the time (with the occasional ";; connection timed out; no servers could be reached" because of the lag time). But when pinging that same name, you get a "ping: cannot resolve myserver.mydomain.com: Unknown host".
Thought there might be an issue with lookupd overriding resolv.conf, but the configuration looks the same as in Panther:

-------
% lookupd -configuration
ConfigSource: default
LookupOrder: Cache NI DS
MaxIdleServers: 4
MaxIdleThreads: 2
MaxThreads: 64
TimeToLive: 43200
Timeout: 30
ValidateCache: YES
ValidationLatency: 15
_config_name: Global Configuration

LookupOrder: Cache FF DNS NI DS
_config_name: Host Configuration

LookupOrder: Cache FF NI DS
_config_name: Service Configuration

LookupOrder: Cache FF NI DS
_config_name: Protocol Configuration

LookupOrder: Cache FF NI DS
_config_name: Rpc Configuration

TimeToLive: 60
ValidateCache: NO
_config_name: Group Configuration

TimeToLive: 300
ValidateCache: NO
_config_name: Initgroup Configuration

LookupOrder: Cache FF DNS NI DS
_config_name: Network Configuration
-------

A "lookupd -flushcache" didn't help. -ch

Re: Tiger Compatibility by Craig on 2005-05-05 01:48:37 +0200
Looks like my suspicion about lookupd being the culprit is correct:

-------
% lookupd -d
> hostWithName: myserver.mydomain.com
nil
> hostWithName: mydomain.com
Dictionary: "DNS: host mydomain.com"
_lookup_DNS_domain: org
_lookup_DNS_server: 192.168.2.1
_lookup_DNS_time_to_live: 3600
_lookup_DNS_timestamp: 1115249859
_lookup_agent: DNSAgent
_lookup_info_system: DNS
interface: 5
ip_address: 99.99.99.99
name: mydomain.com
+ Category: host
+ Time to live: 43200
+ Age: 38 (expires in 43162 seconds)
+ Negative: No
+ Cache hits: 1
+ Retain count: 3
> quit
-------

192.168.2.1 is the IP address of the wireless router I'm testing with (my host was assigned an IP of 192.168.2.8). The 99.99.99.99 is the public address of mydomain.com, not the one returned by the DNS server that sits behind the firewall. The nil response for the server explains why ping isn't happy. Hope this information is helpful. -ch

Re: Tiger Compatibility by Todd I on 2005-05-07 02:00:25 +0200
I am seeing the same thing, with Tiger IPSec through a Linksys WRV54G gateway.
PING 10.10.10.9 (10.10.10.9): 56 data bytes
64 bytes from 10.10.10.9: icmp_seq=0 ttl=63 time=293.814 ms
64 bytes from 10.10.10.9: icmp_seq=1 ttl=63 time=1093.747 ms
64 bytes from 10.10.10.9: icmp_seq=2 ttl=63 time=1095.896 ms
64 bytes from 10.10.10.9: icmp_seq=3 ttl=63 time=816.548 ms
64 bytes from 10.10.10.9: icmp_seq=4 ttl=63 time=1093.376 ms

Are there any other general MacOS X forums, or Apple www sites, where we should be submitting information about this?

Re: Tiger Compatibility by David on 2005-05-07 07:07:39 +0200
Yup, same here. Ping times are about 1020 ms from a PowerBook G4 to OpenBSD 3.6 gateways running isakmpd. The high delay breaks virtual clients like VNC and Remote Desktop Connection.

Re: Tiger Compatibility by Amanda Walker on 2005-05-10 21:03:00 +0200
Interestingly enough, I'm not seeing any performance difference under 10.4 talking to either FreeBSD 5.3 or a Netscreen firewall. Seems to work fine, with round-trip times indistinguishable from running under 10.3.8.

Re: Tiger Compatibility by andreast on 2005-05-11 17:05:57 +0200
Apple can be notified of this bug here: http://www.apple.com/macosx/feedback/ If many of us send them a message, maybe they will do something.

Re: Tiger Compatibility by filipp on 2005-05-14 22:36:22 +0200
Same problem here. Running IPSecuritas on 10.4 to a Netgear FVS338. Ping is pretty much exactly 1000 msec over usual (1035 instead of the normal 35). Interesting: when I simultaneously ping the Internet IP of the Netgear, the ping times are down to 550, then go back up to 1035 when I stop pinging the public address.
/ filipp

Re: Tiger Compatibility by atze on 2005-05-16 11:36:02 +0200
I get this on stopping IPSec - the app still runs, seems to be a subprocess:

2005-05-16 11:35:01 +0200
EXC_BAD_ACCESS (0x0001)
KERN_INVALID_ADDRESS (0x0001) at 0xc000429b
Thread 0 Crashed:
0 removedir + 168
1 removecerts + 52
2 performstop + 52
3 main + 320
4 _start + 380
5 start + 48

Re: Tiger Compatibility by Scott Hander on 2005-05-16 20:28:03 +0200
I upgraded to 10.4 before finding there was a problem with IPSecuritas and 10.4, but I was able to use it with Apple Remote Desktop. The connection was a little odd (it was a little slower than usual and there were several disconnects, but it did work). The connection was a 10.4 system to a remote SonicWall firewall and a server on the other side of the firewall. I thought I would mention this in response to the comments about VNC and MS RDC.

Re: Tiger Compatibility by bluemeanie on 2005-05-17 02:09:22 +0200
It looks like 10.4.1 does nothing to fix the issue. I'm still getting no VPN connection to our OpenBSD server (not even a 1000ms response time). I miss my VPN. :'(

Re: Tiger Compatibility by Draven Weston on 2005-05-17 03:48:39 +0200
I just updated to 10.4.1 and I am seeing a vast improvement in performance with IPSec. Ping times are down to about 20 ms from 1000+ ms.

Re: Tiger Compatibility by RotundRanter on 2005-05-17 07:26:37 +0200
10.4.1 fixes my problems connecting to a GTA GNAT Box. Pings are back down to 35 ms and file transfers once again fill the T1 pipe at work. w00t!

Re: Tiger Compatibility by Matt on 2005-05-17 15:40:58 +0200
Anyone tried this with 10.4.1? Apparently the update has fixed problems with VPN Tracker, so fingers crossed... http://www.macnn.com/print/29256

Re: Tiger Compatibility by Dan on 2005-05-17 21:12:10 +0200
Howdy, these ping times are from 10.4.1...
192.168.253.0/24[any] x.x.x.x[any] any
	in ipsec
	esp/tunnel/x.x.x.x-x.x.x.x/require
	spid=16 seq=1 pid=904 refcnt=1
x.x.x.x[any] 192.168.253.0/24[any] any
	out ipsec
	esp/tunnel/x.x.x.x-x.x.x.x/require
	spid=17 seq=0 pid=904 refcnt=1
dhcp-248:~ dan$ ping 192.168.253.2
PING 192.168.253.2 (192.168.253.2): 56 data bytes
64 bytes from 192.168.253.2: icmp_seq=0 ttl=64 time=38.098 ms
64 bytes from 192.168.253.2: icmp_seq=1 ttl=64 time=35.874 ms
64 bytes from 192.168.253.2: icmp_seq=2 ttl=64 time=39.370 ms
64 bytes from 192.168.253.2: icmp_seq=3 ttl=64 time=39.581 ms
64 bytes from 192.168.253.2: icmp_seq=4 ttl=64 time=40.872 ms
64 bytes from 192.168.253.2: icmp_seq=5 ttl=64 time=40.179 ms
64 bytes from 192.168.253.2: icmp_seq=6 ttl=64 time=39.722 ms
64 bytes from 192.168.253.2: icmp_seq=7 ttl=64 time=37.892 ms
64 bytes from 192.168.253.2: icmp_seq=8 ttl=64 time=39.310 ms
64 bytes from 192.168.253.2: icmp_seq=9 ttl=64 time=39.321 ms

Looks like no more latency in 10.4.1.

Re: Tiger Compatibility by evilmeanie on 2005-05-18 05:53:39 +0200
Well, I fixed my problem. It was the encryption algorithm used in quick mode (Phase 2). Out of AES, only AES-128 will allow packets to pass now. Blowfish doesn't work, either. 3DES does work. I didn't try anything else. It seems odd. Why would some algorithms just stop working in Tiger? Should I stick with AES or go 3DES? Or CAST?

Re: Tiger Compatibility by Jayk on 2005-05-18 21:16:57 +0200
Hi all, I have stumbled onto the 'no connection' solution. With IPSecuritas 2.1 and Tiger 10.4.1 I can get my VPN working again, although I had to adjust my settings a little. I had to disable all but AES128 on the 'phase 2' screen. Prior to Tiger, AES 256 would work, as would Blowfish. With 10.4, having AES 256 enabled would result in no functional connection: IPSecuritas would show the green check, but packets would not pass. Now, AES 128 works and the others do not. Disabling everything but AES 128 worked for me.
Hope this helps others get their VPN working again.
Jay

Re: Tiger Compatibility by Henrik on 2005-05-23 14:50:25 +0200
Hello, I still have problems with IPSecuritas 2.1 and OS X 10.4.1, connecting to a Linux FreeS/WAN box. The connection has always been established without problems, but when trying to access any machines, it will not. If I ping my VPN IP (that ifconfig states) it just says no route to host. Very strange... Any ideas?
Henrik

WatchGuard Firebox X500 VPN by Ben Thomas on 2005-05-13 00:18:10 +0200
Hi, I have been trying for a few months now to connect to a Firebox X500 VPN using VPN Tracker but have had no luck. Are there any particular issues I should be on the lookout for concerning the Firebox X500 and settings in IPSecuritas, VPN Tracker or OS X 10.3.9 in general? I am able to connect using the WatchGuard VPN client using a PC on my existing AirPort wireless network. I have the BSD Subsystem installed and have triple checked passwords and all settings to make sure they are accurate. Thanks for any help,
Ben

Re: WatchGuard Firebox X500 VPN by cnadig on 2005-05-13 23:18:28 +0200
Hello Ben, please send me the output from the log window to info@lobotomo.com with the log level set to verbose debug (in IPSecuritas' settings). Please make sure to remove all confidential information like the firewall IP address.
Christoph

Re: WatchGuard Firebox X500 VPN by ben on 2005-05-14 03:44:40 +0200
Hi, I sent you a PM but I'm not sure if it went through; is there an email address I can send my log file to? Thanks again,
Ben

Re: WatchGuard Firebox X500 VPN by ben on 2005-05-18 16:45:33 +0200
Hi, just wondering what the status of my support request is and if you have the time to help me out. Thanks again.

Re: WatchGuard Firebox X500 VPN by david on 2006-07-04 15:21:37 +0200
Hi all, I'm trying to configure a VPN network with my Firebox 500, but I cannot access Policy Manager->Network->Remote User!
:-( And when I use the VPN Wizard, it says "VPN module is not loaded onto the firebox!" I need help; thanks in advance for your help, you can contact me by mail at david@sdt.be

IPSEC vulnerability: advice? by tiffert on 2005-05-13 04:16:27 +0200
Having read the NISCC advisory on the IPSEC vulnerability, a newbie like me is a little unclear on what to do about it. http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en I wonder if someone could offer configuration advice for IPSecuritas that addresses the vulnerability. I have a Linksys BEFVP41 (vers. 1) router. What configuration options should I look at there? TIA!

Re: IPSEC vulnerability: advice? by cnadig on 2005-05-13 23:13:55 +0200
Hello, the advisory describes a possible vulnerability for configurations that don't use encryption and/or authentication. In order to prevent such a configuration, disable Null encryption and Null authentication on the Phase 2 tab in IPSecuritas. These options are meant for debugging purposes of a connection only and I'm thinking of removing them in future releases. Cheers,
Christoph

Tiger 10.4.1 OK by UncleRobin on 2005-05-17 01:49:24 +0200
It appears, at least on my computer, the 10.4.1 update fixes the problem with latency. My ping times are back to normal. :)
UR

Re: Tiger 10.4.1 OK by jonathan mitchell on 2005-05-17 10:45:55 +0200
I can confirm that the 10.4.1 update restores the ping time. VNC and RDP client performance is back to normal.
Jonathan

Juniper Netscreen 25 working config by Robert on 2005-05-18 04:57:28 +0200
In case anyone is interested, I got IPSecuritas to work with my Netscreen 25. I used the documentation on the vpntracker.com site and configured the VPN for use with the VPN Tracker client (tested with the demo version), then simply duplicated most of the settings in IPSecuritas (and did some trial and error for settings that were not shown in VPN Tracker). Hope this helps someone.
Here is the info: I followed the steps in this document to set up the Netscreen using the single user setup.
http://www.equinux.com/cms_components/us/products/vpntracker/media/files/HowTo_Netscreen_Rev_4.0.pdf

General
- Mode of Operation: Host to Network
- Remote IPsec Device: <ip address of your netscreen untrust interface>
- Remote Network: <internal network that you are connecting to, e.g. 192.168.1.0/24>
- Exchange Mode: Aggressive
- Proposal Check: Claim
- Nonce Size: 16
Phase 1
- Lifetime: 3600
- DH Group: Mod1024(2)
- Encryption: 3DES
- Authentication: SHA1
Phase 2
- Lifetime: 28800
- PFS Group: None
- Encryption: DES and 3DES checked
- Authentication: HMAC MD5 and HMAC SHA1 checked
Id/Auth
- Local Identifier: DN <identifier you used for the user you set up in the Netscreen>
- Remote Identifier: Address
- Preshared Secret: <the secret you put in the netscreen setup>
Options
- Compression: Deflate (grayed out but checked)
- IPSec DOI: not checked
- SIT_IDENTITY_ONLY: checked
- Verify Identifier: not checked
- Initial Contact: checked
- Passive: not checked
- Generate Policy: not checked
- MIP6: checked
- Verify Certificate: not checked
- DHCP Pass-through: checked
- Establish IKE immediately: checked
- Auto Start: not checked

Re: Juniper Netscreen 25 working config by Andre Knudsen on 2005-12-15 14:23:35 +0100
Thanks, I've been looking for this for connection to a few 5GT's and 5XP's.

Administrator rights at first startup? by Michael Kussmaul on 2005-05-18 21:28:46 +0200
I like IPSecuritas, it works quite well! I only have a quick question, I have not found an answer so far: when I first start up IPSecuritas, it asks me to enter my administrator password; for what operation does it need it? (E.g. which file(s) does it install/alter on the system?) Many thanks,
Michael

Re: Administrator rights at first startup? by cnadig on 2005-05-24 12:12:03 +0200
Hello Michael, certain operations require administrator privileges (such as changing the routing tables, adding security associations to the kernel and running racoon, the IKE daemon).
All of these operations are performed by a background process called vpntool, which needs to have these privileges. In order to acquire them, the administrator's password is queried the first time it runs (please note that this is part of the authentication and authorisation framework of Mac OS X; the password is not stored by, nor is it even visible to, IPSecuritas).
Christoph

D-Link DI-804HV Compatibility? by hammer32 on 2005-05-20 14:45:58 +0200
Does anyone have any tips for configuring IPSecuritas with a D-Link DI-804HV router? Thanks!
-Sean

Re: D-Link DI-804HV Compatibility? by Mikael on 2005-10-18 14:27:01 +0200
Had a try, but didn't make it. Does not say it doesn't work, but it is, apparently, not a straightforward setup. I will be trying something else...

Re: D-Link DI-804HV Compatibility? by hammer32 on 2005-10-18 15:24:12 +0200
I tried VPNTracker; they didn't have one to test, but I was able to set it up and have used it while on the road for several months. So far so good!

Re: D-Link DI-804HV Compatibility? by Randall on 2006-02-11 06:51:32 +0100
> Does anyone have any tips for configuring IPSecuritas with a D-Link DI-804HV router?
Has anybody found a setup since? I feel like I'm close, but it's not working..

Re: D-Link DI-804HV Compatibility? by Randall on 2006-02-19 00:18:31 +0100
> Has anybody found a setup since? I feel like I'm close, but it's not working..
I got mine working (with two different DI-804HV's, actually). I think I had the remote network address and subnet a little mixed up and that was preventing success. Everything's good now, with a Rev A1 box with FW 1.40 and a Rev C1 box with FW 1.42. If anyone needs help, post here and I'll try to provide a little writeup.
Randy

Re: D-Link DI-804HV Compatibility? by Red on 2007-01-09 20:49:06 +0100
I have an 804 at home and an 808 at the office; I would like to use them with IPSecuritas.
Your setup tips would be very much appreciated. The D-Link docs are worthless. I had a Trendnet VPN router before and it had MUCH better documentation and configuration. Fairly easy to set up with IPSecuritas. The Trendnet just didn't jive with the Riverstone/Lucent fiber-backbone router we connect to and finally went nuts. We have a SonicWall Firewall/VPN appliance in the server room, also no problems with IPSecuritas on that. Great app.

AH Only configuration using IPSecuritas? by Terr-Oz on 2005-05-31 21:47:38 +0200
Has anyone been able to configure IPSecuritas for this setkey policy?
ah/transport/src-dst/require;
IPSecuritas appears to only configure racoon for esp.

Re: AH Only configuration using IPSecuritas? by cnadig on 2005-06-07 08:37:45 +0200
Hello, IPSecuritas does not support AH at the moment as I thought it was pretty much obsolete. However, if the demand for AH is there, I'll think about implementing it in the next major release.
Christoph

Re: AH Only configuration using IPSecuritas? by tji on 2005-07-08 20:02:53 +0200
Terr-Oz: Many VPN devices don't support AH.. Instead, they use ESP with NULL encryption, effectively achieving the same thing as AH. One of the major reasons AH is not used is because Network Address Translation (NAT), used on just about every broadband gateway, breaks AH. ESP works through NAT, so more people use it.

IPSecuritas connectivity to SonicWall TZW by George Zervakos on 2005-06-03 15:43:14 +0200
Hello, I was wondering if anyone has been successful in setting up a VPN tunnel from Mac OS X with IPSecuritas to a SonicWall TZW or something similar?
I have been successful in getting the tunnel negotiation to succeed (at least that's what the logs on both ends would lead me to believe); I get a green arrow in the IPSecuritas interface after hitting start IPsec, and I also see a green LED icon in the SonicWall's GUI and a log entry stating that Phase 2 has been successfully completed. The problem comes in when I want to ping something (from the Mac) that is on the LAN interface of the SonicWall. It seems that packets are not getting sent through the tunnel at all. I see no entries in the SonicWall's logs. I have put the SonicWall LAN subnet as the destination network in IPSecuritas. I might add that the Mac is behind a firewall and has a private IP that gets NATted to a public IP. Will this scenario work with the NAT or does the Mac need to have the private IP making it the edge device? Does anyone have any troubleshooting ideas or places where I could look for some help? Thanks,
George

Re: IPSecuritas connectivity to SonicWall TZW by cnadig on 2005-06-07 08:46:03 +0200
Hello, most modern NAT routers support IPSec passthrough of at least one IPSec tunnel, so this is probably not your problem; of course a direct connection to the internet, at least for tests, would rule this out. Another problem might be an address conflict between your local addresses and the network you're trying to reach: is your local address within the remote network range? Another problem could be that the remote firewall will not route private addresses (other than the ones configured), so you might want to try entering a different IP address into the Local Address field on the General tab in IPSecuritas (your machine will then appear at this address for the remote machines; if the field is empty, your default interface's address is used instead). There are also some problems with the new AES implementation in Tiger; I'd recommend 3DES for best compatibility.
Christoph

Re: IPSecuritas connectivity to SonicWall TZW by George Zervakos on 2005-06-09 22:58:20 +0200
Hello, I did a tcpdump on the Mac OS X and I see that traffic bound for the remote network is getting encapsulated in ESP. The thing is, I'm running Mac OS X on a PC in a program called PearPC. In order to get networking in PearPC, I had to share my PC's LAN connection and assign a private IP to the Mac OS X. What happens is the Mac OS X has a 192.168.0.0 IP and my PC has a 10.0.0.0 IP. While I can access the Internet from PearPC using Safari for example, ESP packets are not getting passed along from my PC out to the internet. The Mac IP is getting NATted by my PC whose IP is in turn getting NATted by my firewall. There are no address conflicts with the VPN domains; these are distinct subnets.
George

Immediate Red X by Kevin Mader on 2005-06-03 16:43:05 +0200
I am trying to set up a connection to a SonicWALL TZ 170 SP Wireless and I think I know all the correct settings, but when I put them in, a red X appears next to my connection icon before I even have time to connect. The log is empty because all I have done is edit the connection. Thank you

Checkpoint and IPSecuritas by Art_of_Noise on 2005-06-04 21:42:14 +0200
Hi everybody, I'm trying to connect to my work network (firewall: Checkpoint). I'm using a PowerBook with Mac OS 10.4.1. My preferences are "host to network" and the authentication is by address and preshared key. The light becomes green, but I can't reach my network. Here are the last lines of the log. All seems to be okay, but when I test the connection (for example making a traceroute), the text "msg 4 not interesting" is added in the log. Can anybody help me? Thanks a lot in advance.
Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG: pfkey.c:1117:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel 217.167.X.X->82.227.X.X spi=147717185(0x8cdfc41)
Jun 4 21:18:28 Ordinateur-de-MY racoon: INFO: pfkey.c:1124:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 217.167.X.X->82.227.X.X spi=147717185(0x8cdfc41)
Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG: pfkey.c:1162:pk_recvupdate(): ===
Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ADD message
Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG2: plog.c:199:plogdump():
Jun 4 21:18:28 Ordinateur-de-MY racoon: INFO: pfkey.c:1351:pk_recvadd(): IPsec-SA established: ESP/Tunnel 82.227.X.X->217.167.X.X spi=2149506554(0x801eddfa)
Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG: pfkey.c:1356:pk_recvadd(): ===
Jun 4 21:19:22 Ordinateur-de-MY racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 4 not interesting

Re: Checkpoint and IPSecuritas by cnadig on 2005-06-07 08:35:09 +0200
Hello, are you by any chance using AES256 or AES192 for encryption? The AES encryption in 10.4 is not compatible with Checkpoint's implementation anymore. Use 3DES for best compatibility (AES128 seems to work in some cases, so you might want to try this as well).
Christoph

Re: Checkpoint and IPSecuritas by Art_of_Noise on 2005-06-07 08:54:00 +0200
> Hello, are you by any chance using AES256 or AES192 for encryption? The AES encryption in 10.4 is not compatible with Checkpoint's implementation anymore. Use 3DES for best compatibility (AES128 seems to work in some cases, so you might want to try this as well). Christoph
Thanks for your response. But I'm already using 3DES for encryption in phase 1 and phase 2.

Re: Checkpoint and IPSecuritas by tji on 2005-07-08 19:59:12 +0200
There are also dependencies on the gateway configuration..
If the administrator has enabled the client integrity checking features (where it checks to make sure the host OS is patched up to date, antivirus is running, etc.) it will only work with the Check Point client (SecureClient). If the administrator turns that feature off, IPSecuritas will work fine. Also, Check Point (finally) released their Mac OS X VPN client not too long ago. So, you may want to try that one out instead.

Re: Checkpoint and IPSecuritas by MikeyG_U2 on 2005-07-12 18:42:42 +0200
I don't mean to jack your thread, I'm just hoping that by posting my problem in your thread we might both find a solution... I've also been having trouble accessing our Checkpoint VPN. I'm running Tiger so the SecureClient doesn't work for me yet. I've followed all the setup guides for both IPSecuritas and the Checkpoint firewall itself, but still can't create a connection. The little red 'X' is all I get. I'm using IPSecuritas 2.1 (on Mac OS 10.4.1) and I've tried enabling only the security protocols mentioned earlier in this topic. I admit that I am new to IPSecuritas, only attempting to make it work after I upgraded to Tiger and broke the SecureClient. So I've never had IPSecuritas working. If anyone has any suggestions, I would greatly appreciate it. In case it helps, here is my most recent connect log; I'm not getting nearly as far as Art_of_Noise...

Log output from IPSecuritas 2.1
Jul 12 11:15:06 mailman IPSecuritas: Parsing configuration
Jul 12 11:15:06 mailman IPSecuritas: Setting up racoon.conf
Jul 12 11:15:06 mailman IPSecuritas: Setting up setkey.conf
Jul 12 11:15:06 mailman IPSecuritas: Setting up psk.txt
Jul 12 11:15:06 mailman IPSecuritas: Setting up tunnel.conf
Jul 12 11:15:06 mailman IPSecuritas: Parsing configuration done
Jul 12 11:15:07 mailman IPSecuritas: Starting racoon...
Jul 12 11:15:08 mailman IPSecuritas: Racoon is running
Jul 12 11:15:08 mailman IPSecuritas: Set kernel keys
Jul 12 11:15:08 mailman racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed.
Jul 12 11:15:08 mailman racoon: DEBUG: isakmp.c:1592:isakmp_open(): 192.168.69.69[500] used as isakmp port (fd=8)
Jul 12 11:15:08 mailman racoon: DEBUG: isakmp.c:1610:isakmp_open(): 192.168.69.69[4500] used as nat-t isakmp port (fd=9)
Jul 12 11:15:08 mailman racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message
Jul 12 11:15:08 mailman racoon: DEBUG2: plog.c:199:plogdump():
Jul 12 11:15:08 mailman racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory

Thanks in advance for any assistance.
-Mike

Re: Checkpoint and IPSecuritas by Art_of_noise on 2005-07-29 10:20:32 +0200
Hi everybody, finally I got the green check... The SmartDashboard configuration was not correct (checkbox "aggressive" not checked). In the SmartDashboard tool, open the line of your external access, click on the left on VPN, then on the "traditional mode configuration" button. Be sure to check all the options to match the options chosen in IPSecuritas (don't forget the "advanced" button). Hope this helps.
Kind regards

Re: Checkpoint and IPSecuritas by Art_of_noise on 2005-08-01 19:29:03 +0200
Well, another point of study! All is currently OK in direct access, but I would like to use the routing functionality on my modem. When I activate this functionality, I get the green check, but I can't ping anything. I currently use the "network to network" mode of operation.
Here are the router properties; I'm not sure of these ports (IP of my computer: 192.168.0.1; IP of the modem: 192.168.0.254):
Port: 500 - Protocol: udp - Destination: 192.168.0.1 - Port: 500
Port: 500 - Protocol: tcp - Destination: 192.168.0.1 - Port: 500
Port: 264 - Protocol: tcp - Destination: 192.168.0.1 - Port: 264
Port: 265 - Protocol: tcp - Destination: 192.168.0.1 - Port: 265
Port: 266 - Protocol: tcp - Destination: 192.168.0.1 - Port: 266
Port: 3389 - Protocol: tcp - Destination: 192.168.0.1 - Port: 3389
Port: 9 - Protocol: udp - Destination: 192.168.0.1 - Port: 9
Port: 9 - Protocol: tcp - Destination: 192.168.0.1 - Port: 9
Can anybody help me? Thanks in advance for any help.
P.S. The Tiger version of the Checkpoint VPN client will not arrive before 6 months, according to Checkpoint support!!!

Re: Checkpoint and IPSecuritas by VPNmac on 2005-08-06 23:05:30 +0200
I am also trying to get IPSecuritas 2.1 on Mac OS X at home to work with CheckPoint VPN at my University. After configuring and clicking the Start IPSec button, I get: IPSec startup failed. The log just says:
Log output from IPSecuritas 2.1
Could someone post screen captures of a configuration that works with CheckPoint? Any help most appreciated.

Re: Checkpoint and IPSecuritas by VPNmac on 2005-08-07 02:14:10 +0200
OK, I can get IPSecuritas to start now, but the connection gets a red cross on the right. The log says:
----------------
Log output from IPSecuritas 2.1
Aug 7 02:09:22 Mac IPSecuritas: Parsing configuration
Aug 7 02:09:22 Mac IPSecuritas: Setting up racoon.conf
Aug 7 02:09:22 Mac IPSecuritas: Setting up setkey.conf
Aug 7 02:09:22 Mac IPSecuritas: Setting up psk.txt
Aug 7 02:09:22 Mac IPSecuritas: Setting up tunnel.conf
Aug 7 02:09:22 Mac IPSecuritas: Parsing configuration done
Aug 7 02:09:23 Mac IPSecuritas: Starting racoon...
Aug 7 02:09:23 Mac IPSecuritas: Racoon is running
Aug 7 02:09:23 Mac IPSecuritas: Set kernel keys
Aug 7 02:09:23 Mac racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Aug 7 02:09:23 Mac racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
----------------------
Any feedback most welcome.

Re: Checkpoint and IPSecuritas by VPNmac on 2005-08-07 02:16:44 +0200
More from the log:
-----------
Aug 7 02:09:55 Mac racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 150.214.231.234->172.26.0.2
Aug 7 02:09:55 Mac racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 150.214.231.234->172.26.0.2
Aug 7 02:11:23 Mac racoon: ERROR: isakmp.c:1706:isakmp_ph1resend(): phase1 negotiation failed due to time up. 3c45f68e73644412:f9fbeadda5cbbeda
Aug 7 02:11:23 Mac racoon: ERROR: isakmp.c:1706:isakmp_ph1resend(): phase1 negotiation failed due to time up. 3c45f68e73644412:f9fbeadda5cbbeda
---------------------

Re: Checkpoint and IPSecuritas by VPNmac on 2005-08-24 22:59:38 +0200
This is what I get with IPSecuritas 2.1 on Mac OS X 10.4.2: a red cross and the following log. Any help most appreciated.
-------
Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Parsing configuration
Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Setting up racoon.conf
Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Setting up setkey.conf
Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Setting up psk.txt
Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Setting up tunnel.conf
Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Parsing configuration done
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics IPSecuritas: Starting racoon...
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics IPSecuritas: Racoon is running
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics IPSecuritas: Set kernel keys
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed.
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG: isakmp.c:1592:isakmp_open(): 192.168.1.2[500] used as isakmp port (fd=8)
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDADD message
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG2: plog.c:199:plogdump():
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff980: 192.168.1.2/32[0] 150.214.110.0/24[0] proto=any dir=out
Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306568: 150.214.110.0/24[0] 192.168.1.2/32[0] proto=any dir=in
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics IPSecuritas: Flushing kernel keys
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics IPSecuritas: Stopping racoon...
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDFLUSH message
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG2: plog.c:199:plogdump():
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: INFO: session.c:331:check_sigreq(): caught signal 15
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey FLUSH message
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG2: plog.c:199:plogdump():
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: INFO: session.c:331:check_sigreq(): caught signal 15
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey FLUSH message
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG2: plog.c:199:plogdump():
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: INFO: session.c:331:check_sigreq(): caught signal 15
Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG:

Only two connections at a time? by Alexander Barton on 2005-06-07 20:32:15 +0200
Hi! I'm using IPSecuritas 2.1 on Mac OS X 10.4.1 and it works great! Thank you guys! But I'm only able to establish at least two simultaneous connections at a time; if I select more, IPSecuritas fails. All individual connections do work OK. Am I doing something wrong or is this a limitation of IPSecuritas and/or Mac OS X? Thanks!
Alex

How to get connected through a Trustgate by Thomas Hoffmann on 2005-06-08 11:52:42 +0200
Hello YABBs, I've the problem of how to connect to a Trustgate 232R. I'd tried everything but it didn't work. I cannot pass Phase I.

The Trustgate config
VPN Peers
- Peer Name (Remote ID): 192.168.200.203
- Public IP Address: 0.0.0.0
- Dynamic IP: empty
- Pre-Shared-Key
- ID Type: Domain Name
- Encryption Algo.: AES
- Hash Algo: SHA1
- Diffie-Hellman: 2 (1024 bits)
- Perfect Forward Sec.: On

IPSecuritas config
General
- Mode of Op.: Host to Network
- Remote IPsec Device: Public IP of the Trustgate
- Remote network: 192.168.5.0/24
- Local Address: 192.168.200.203
- Exchange Mode: Main
- Proposal Check: Claim
- Nonce Size: 16
PH1
- Lifetime: 28800 sec
- DH Group: Mod1024 (2)
- Encryption: AES 128
- Authentication: SHA1
PH2
- Lifetime: 28800 sec
- PFS Group: Mod1024 (2)
- Encryption: AES128
- Authentication: HMAC SHA1
Id/Auth
- Local Identifier: DN 192.168.200.203
- Remote Identifier: Address
- Authentication: Pre-Shared-Secret (filled in as ASCII)
Options
- IPSec DOI: Y
- SIT_IDENTITY_ONLY: Y
- Verify Identifier: N
- Initial Contact: Y
- Passive: N
- Generate Policy: N
- MIP6: Y
- Verify Certificate: N
- DHCP-Pass-Through: Y
- Establish IKE Immediately: Y
- Auto Start: N

Re: How to get connected through a Trustgate by Thomas Hoffmann on 2005-06-08 22:15:50 +0200
:) :) :) :) :) I got the solution; if anyone has problems connecting a Mac through a Trustgate, ask me ;D

IPSecuritas and Zyxel P334WT by jayjhunski on 2005-06-10 08:56:02 +0200
Is there anyone out there that has successfully established a VPN connection using IPSecuritas and a Zyxel P-334WT wireless router? I'm using Mac OS X 10.3.9. In particular, I'm in need of configuration pointers for both the router and IPSecuritas. I have a static IP address assigned to my router and a 2nd one mapped using NAT to a private IP address on one computer in the office. Any help would be greatly appreciated! :)

Re: IPSecuritas and Zyxel P334WT by DDA on 2006-01-31 23:34:58 +0100
I'd love an answer to this, too. I just got a P-334wt and have been totally unsuccessful in getting any kind of VPN going. :-(

Re: IPSecuritas and Zyxel P334WT by DDA on 2006-02-13 16:10:35 +0100
I *was* able to get a connection to the P-334wt when I hung it off my local LAN for testing.
I used Host-to-Host (Tunnel), Aggressive, with the WAN IP of the P-334wt as Remote IPSec device and the LAN IP of the P-334wt for Remote Address in General; 3DES, SHA1 and DH2 for Phase 1; 3DES, SHA1, no PFS for Phase 2; and DN (email address) for Authentication with Preshared Secret. The tunnel terminated in the LAN IP of the P-334wt and I was able to connect and use the web interface to verify the tunnel. When I tried it with my Mac behind NAT, it failed, leading me to believe that the NAT-T part of OS X is not working (as others have claimed). But I didn't try very hard because the single LAN IP tunnels of the P-334wt aren't really what I want; I'm replacing it with a Netgear FWG114p. I've set that up on the local LAN and tested it with Host-to-Network and it works fine. Next I'll try it from work behind NAT routers and see how that goes. I hope this helps.

netgear fvs318 NAT-T and Tiger by waldo on 2005-06-11 07:38:03 +0200
Has anyone had any luck using IPSecuritas 2.1 on 10.4.1 to connect to a Netgear FVS318 with NAT traversal? If yes, feel like sharing the recipe? If no, any suggestions? Thanks!

Re: netgear fvs318 NAT-T and Tiger by Cameron Wilhelm on 2005-07-05 21:25:08 +0200
I'm trying to essentially do this same thing, and I can't seem to get it to connect. I'm relatively new to VPN and I've tried everything I can think of, from allowing just me to connect to attempting to allow the world to connect. Worse, I can't seem to get any useful info from any logs. Nothing shows in the IPSecuritas log. This is all that shows on the 318 side:
[2005-07-05 11:22:45]**** RECEIVED FIRST MESSAGE OF AGGR MODE ****
[2005-07-05 11:22:45]<POLICY: > PAYLOADS: SA
[2005-07-05 11:22:45]SENDING NOTIFY MSG:
[2005-07-05 11:22:45]INVALID_ID_INFORMATION
[2005-07-05 11:22:45]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2005-07-05 11:22:45]<POLICY: > PAYLOADS: NOTIFY
Anyone have any ideas? Thanks.
-Cameron Wilhelm

Re: netgear fvs318 NAT-T and Tiger by jmizoguchi on 2006-01-29 19:51:37 +0100
If yours is an FVS318 v2.4 then I have a solution at vpncasestudy.com

moving IPSecuritas configuration around by maq on 2005-06-15 14:23:20 +0200
Hi, I'm using IPSecuritas with a Netscreen 25. Works fine and really easy to configure. My question is what is the quickest and easiest way to move a config from one computer to another? Is there a way to export the config into one file? Or maybe copy the configuration files to the other computer? Where are the configuration files? Thanks for your help

Mounting samba share over VPN connection w/ Tiger by Mike on 2005-06-15 17:04:49 +0200
The latest version of IPSecuritas + Tiger 10.4.1 seems to have fixed the ping time issues. Has anyone else had issues with attempting to browse shares on the network after connecting to the VPN? Previous to Tiger I had no issues with browsing file shares on the remote system (Apple Server 10.3); now I get spinning beachballs when attempting to browse shares. Thanks in advance.
Mike

Re: Mounting samba share over VPN connection w/ Ti by Jim Collis on 2005-06-30 21:17:04 +0200
I have experienced the same issue. I had the same issue when I upgraded to Tiger and was directly connected to my network. I cleared that issue by deleting my keychain containing the server password. I tried that over my VPN and unfortunately that did not work.

Re: Mounting samba share over VPN connection w/ Ti by tji on 2005-07-08 19:52:17 +0200
I have manually connected to samba file shares via VPN with Tiger. But, I have not browsed networks.. I believe the SMB browsing relies on broadcasts on a local LAN, which would not work over a VPN (broadcasts don't go beyond subnets).
But, you may be able to configure a WINS server in the samba config, to point to the samba "name server" and find hosts over the VPN (I've never tried that, but it might be worth checking out).

Re: Mounting samba share over VPN connection w/ Ti by rnoranbrock on 2005-07-28 07:14:47 +0200
Any tips on how to "configure a WINS server . . . "? I'm not sure I understand what you've suggested. Previous to 10.4.2, at least, I was able to connect to a Windows 2000 file server and mount shares over the VPN. Now, spinning beachballs. The share appears to mount to the desktop, but then it never shows any files and just hangs the Finder.
-Randy

Re: Mounting samba share over VPN connection w/ Ti by Derek on 2005-08-25 15:19:37 +0200
> The latest version of IPSecuritas + Tiger 10.4.1 seems to have fixed the ping time issues. Has anyone else had issues with attempting to browse shares on the network after connecting to the VPN? Previous to Tiger I had no issues with browsing file shares on the remote system (Apple Server 10.3); now I get spinning beachballs when attempting to browse shares. Thanks in advance. Mike
Browsing shares is apparently a known issue. If you check your console.log when this happens, you'll see tons of error messages, with an additional note that you should report it as a bug, similar to these:
bug: ecnt = 33, but m_len = 0 and m_next = 0 (please report)
I emailed the makers of VPNTracker (Equinux) a few weeks ago and they confirmed the problem to me with their product, so it's not restricted to IPSecuritas. Apple has received at least two bug reports on the issue (one from me, one from Equinux), so hopefully this finally gets resolved with the next update...

Re: Mounting samba share over VPN connection w/ Ti by Jim Collis on 2005-09-03 08:03:44 +0200
I have been told by the tech support folks at Equinux that this is a known bug in Tiger 10.4.2 in how SMB handles packets over the VPN.
Until apple fixes this problem there is no way around it. They said the entire SMB stack was rewritten for Tiger and all the issues with Microsoft networking aren't fixed. They were hopeful, but not encouraging, that this might be fixed in 10.4.3 or 10.4.4. Not an exciting answer. Re: Mounting samba share over VPN connection w/ Ti by rnoranbrock on 2005-11-01 05:59:20 +0100 Any word on whether the 10.4.3 update corrects the above problem? -Randy Re: Mounting samba share over VPN connection w/ Ti by Brian on 2005-11-01 15:54:53 +0100 10.4.3 did not fix the issue on our systems. >:( We get the same 'please report' errors. Re: Mounting samba share over VPN connection w/ Ti by Tsathul on 2006-01-20 02:32:40 +0100 Problem appears still to be there under 10.4.4. Lots of "kernel[0]: bug: ecnt = 32, but m_len = 0 and m_next = 0 (please report)" entries in /var/log /system.log, and the Finder hangs repeatedly necessitating relaunch. How long can this go on? Re: Mounting samba share over VPN connection w/ Ti by chuck_theobald on 2006-02-09 21:11:18 +0100 Yes, I can confirm this problem under 10.4.4 with VPN Tracker 2.2.6. Supposedly, this version of VPN Tracker does not work with Tiger, but it works for me. I am able to get all sorts of connectivity except SMB browsing, either through the Finder, or trying to see the contents of a volume mounted with mount_smbfs. Waiting for the next apple to drop... Re: Mounting samba share over VPN connection w/ Ti by rnoranbrock on 2006-05-10 00:09:04 +0200 Any happiness with browsing SMB shares over VPN connection under 10.4.6? Will this ever be fixed? -R Re: Mounting samba share over VPN connection w/ Ti by chuck_theobald on 2007-12-24 20:01:28 +0100 I can confirm that this is still broken in 10.4.11 using IPSecuritas 3.0, build 1693. Connecting (Cmd-K) to a Samba server through the VPN connection allows authentication and selection of the share, but Finder then goes out to lunch with the pinwheel of death. 
I can still browse to a Windows-based SMB server within my own network (not through the VPN) and all works fine. I found a message on the Samba site (http://lists.samba.org/archive/samba/2005-July/108903.html) that seems to indicate that this is limited to the Tiger-Samba-VPN combination (note that this would include the Samba-based OS X SMB server). I do not have a Windows-based SMB server on the other side of the VPN to test this for myself, though. In my system.log I get some 24 messages each second:
Dec 24 10:38:05 chuck-theobalds-powerbook-g4 kernel[0]: bug: ecnt = 33, but m_len = 0 and m_next = 0 (please report)
Dec 24 10:38:05 chuck-theobalds-powerbook-g4 kernel[0]: bug: ecnt = 32, but m_len = 0 and m_next = 0 (please report)
Dec 24 10:38:06 chuck-theobalds-powerbook-g4 kernel[0]: bug: ecnt = 33, but m_len = 0 and m_next = 0 (please report)
Dec 24 10:38:06 chuck-theobalds-powerbook-g4 kernel[0]: bug: ecnt = 32, but m_len = 0 and m_next = 0 (please report)

CPU and memory usage?
by Me Here on 2005-06-17 21:52:37 +0200
Using IPSecuritas 2.1 on Mac OS X 10.3.9 on a 1GHz PowerBook connecting via AirPort to an IPCop box. Top lists CPU usage as at least 50%, usually closer to 70%+ just sitting idle (no network activity besides IPSec stuff itself), and RSIZE of 96M and VSIZE of 960M when IPSecuritas is up for any length of time. Needless to say, the system slows to a crawl, and it may literally take over a minute to switch applications or close applications, with a lot of disk swap activity. Anyone else experience something similar? Any suggestions? Thanks.

Re: CPU and memory usage?
by Me Again on 2005-06-17 23:06:41 +0200
I think I found the answer to my own problem. Posting just in case someone makes the same mistake... It seems that I changed the log level in IPSecuritas to DEBUG about a week ago when I was initially setting it up, and never changed it back. Well, my system.log was up to nearly 3GB :o and IPSecuritas didn't play well because of that. Turned it back to Normal logging and cleared system.log and all seems well. 0% CPU and RSIZE of 16M. I'll let it run for a while and see how it goes, but it seems all better.

IPSecuritas and Smoothwall
by paschke on 2005-06-21 00:52:44 +0200
Hi, has anyone had any success getting IPSecuritas and Smoothwall VPN to talk to each other? I am using IPSecuritas 2.1 on Tiger (10.4.1) and trying to talk to a Smoothwall 3.1 VPN gateway. Using certificates for authentication... I successfully loaded the certificates and get some progress in the logs, but it always seems to die with the following two lines in the log:
Jun 20 18:49:28 ashnazg racoon: ERROR: isakmp_inf.c:847:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Jun 20 18:49:28 ashnazg racoon: DEBUG: isakmp_inf.c:869:isakmp_info_recv_n(): notification message 9:INVALIDMESSAGE-ID, doi=1 proto_id=1 spi=(size=0).
Does anyone have any clues? Thanks! Matt Paschke

Newbie looking for help
by Tacitus on 2005-06-22 10:21:46 +0200
Hi all, I am a newbie to VPN and am trying to connect from home using a PBk G4 running 10.3.9 (D-Link 504 with VPN passthrough) to a small office network. The office fortunately runs on Macs also with 10.3.9. Sorry this is a bit long but here goes.
IPSecuritas on PBk details:
General
Mode of Operation: Host to Network
Office IPSec Device (Router/firewall): 64.x.x.x
Office Network: 192.168.1.1/24
Local Address (in office): 192.168.1.21
Exchange Mode: Main
Proposal Check: Claim
Nonce Size: 16
Phase 1
Lifetime: 28800 seconds
DH Group: Mod768 (1)
Encryption: DES
Authentication: MD5
Phase 2
Lifetime: 3600 seconds
PFS Group: None
Encryption: DES & 3DES
Authentication: HMAC SHA1 & HMAC MD5
Id/Auth
Local Identifier: 192.168.1.21 (This is the machine in the office)
Remote Identifier: blank
Preshared Secret: ***
Options
Compression Deflate checked (greyed out)
IPSec DOI checked
SIT_IDENTITY_ONLY checked
Initial Contact checked
MIP6 checked
DHCP Pass-through checked
Establish IKE immediately checked
all other options unchecked
IPSec appears to be running but I can't raise the office machine. Here's part of the PBk log:
Freds-Computer racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Freds-Computer racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Freds-Computer racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Freds-Computer racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3
Freds-Computer IPSecuritas: Flushing kernel keys
Freds-Computer IPSecuritas: Stopping racoon...
Freds-Computer IPSecuritas: Racoon normally terminated
Sorry this is so long, but thanks to anyone who can help.

10.2 Incompatibility and "Can't connect twice
by Nat! on 2005-06-24 18:23:05 +0200
1. When I try to start IPSecuritas on 10.2.8 I get a crash and the following entry in the Console:
dyld: /Volumes/Users/Applications/IPSecuritas.app/Contents/MacOS/IPSecuritas can't open library: /usr/lib/libcrypto.0.9.7.dylib (No such file or directory, errno = 2)
2. When I use it under 10.4 I can successfully connect once to the firewall at the remote site, but I can't connect a second time (doesn't matter if I just quit IPSecuritas, "properly Stop IPSEC" or even reboot my machine). The sysadmin "over there" says that the first session was not properly closed and that their software therefore doesn't allow a second session to be opened. The timeout on their machine appears to be greater than a day ::) This might not be a problem of IPSecuritas, but I figure it doesn't hurt to ask if this is a known problem with possibly a known solution :)

Re: 10.2 Incompatibility and "Can't connect t
by cdmaris1 on 2005-08-13 05:45:02 +0200
Were you ever able to resolve your problem with 10.2.8? I am getting the same error message so would be very interested in finding out if there is a fix for this. thanks

Re: 10.2 Incompatibility and "Can't connect t
by David on 2005-11-03 16:58:02 +0100
I'm just looking for any confirmation on whether IPSecuritas 2.1 is incompatible with 10.2.8? I get a crash log written when it fails to start up.

Static Routes setup with IPSecuritas?
by Mike E on 2005-06-28 19:04:32 +0200
One of our developers is using IPSecuritas to VPN (host to network) onto our subnet (10.191.2.0/24). He is set up to look like 10.191.1.140 (local address). He needs to be able to route 38.160.70.118 traffic through 10.191.2.34 on our subnet, so I had him create a static route. But it doesn't work. Any ideas? Notice how the static route is binding to en0? Seems like it should have bound to gif0?
On Jun 27, 2005, at 2:02 PM, John wrote:
Here is the situation after "sudo route add 38.160.70.118 10.191.2.34"
Destination        Gateway            Flags   Refs   Use      Netif  Expire
default            10.0.1.1           UGSc    71     11       en0
10.0.1/24          link#4             UCS     2      0        en0
10.0.1.1           0:d:93:25:3c:40    UHLW    72     1322     en0    1094
10.0.1.2           0:3:93:70:28:4e    UHLW    0      122      en0    331
10.0.1.17          127.0.0.1          UHS     6      1065     lo0
10.191.2.0         10.191.1.140       UH      0      1        gif0
10.191.2/24        gif0               USc     6      1354     gif0
38.160.70.118      10.191.2.34        UGHS    0      2        en0
127                127.0.0.1          UCS     0      0        lo0
127.0.0.1          127.0.0.1          UH      20     245677   lo0
169.254            link#4             UCS     0      0        en0
Johns-Laptop:$ ping 38.160.70.118
PING 38.160.70.118 (38.160.70.118): 56 data bytes
ping: sendto: Cannot allocate memory

DHCP
by Scott Hander on 2005-06-30 01:49:06 +0200
I am trying to get a VPN setup that will have the remote machine request an IP via DHCP from our firewall. We are using a Sonicwall 2040, and I can't seem to get it to work. I can get everything to work with a good connection, just no DHCP. I can assign a specific IP to the computer on the other end, but the connection will not pass any traffic through to that address. Does anyone have any thoughts or insights for this? Thanks, Scott Hander

10.4.1, packets gets lost inside kernel
by Henrik on 2005-07-04 21:20:18 +0200
Hi, the VPN with OpenSWAN worked great with OS X 10.3.x. Upgraded to 10.4.1 and now nothing works (I even installed it from scratch). I can create a successful VPN connection (Host to Network), so the IPSEC SA is established and ESP packets are flowing in both directions (checked with ethereal). The downside is that the ESP packets seem somehow to be discarded after they are received. The same happens with and without NAT. Any help is greatly appreciated, since I'm leaving on holiday on Saturday and I *don't* want to change to a PC because of this. Thanks, Henrik Finland

Re: 10.4.1, packets gets lost inside kernel
by cnadig on 2005-07-05 09:56:15 +0200
Hello Henrik, are you by any chance using AES256 or AES192 in phase 2? The implementation has changed from 10.3 to 10.4 and leads to incompatibilities. I recommend using 3DES for best compatibility with other devices. Hope this helps, Christoph

Re: 10.4.1, packets gets lost inside kernel
by Henrik on 2005-07-05 11:44:22 +0200
Hi Christoph, it worked! Actually the last thing I tried yesterday was 3DES, but at the same time I broke my NAT when tweaking it, so no connection at all was established. Thanks! Best regards, Henrik

Watchguard X-15 Edge
by dd on 2005-07-08 13:31:07 +0200
Hi, has anyone successfully connected a VPN using IPSecuritas to a Watchguard X15 Edge? I have PC MUVPN working successfully and a number of Edge to Edge tunnels working, but don't seem to be able to succeed with IPSecuritas. If anybody out there has got things to work with the X15, and feels like sharing how to do it, it would save me having to lug a laptop PC as well as my iBook around! Many Thanks ???

Feature Requests: multiple subnets, dynamic PSK
by tji on 2005-07-08 20:17:07 +0200
IPSecuritas is a great tool. Thanks for providing such a nice piece of software for free! If/when you guys update it, could you look into the feasibility of implementing a few enhancements?
- Multiple Subnets: My office network has several /24 subnets, protected by a Netscreen VPN device. I can define each subnet as a separate configuration, and enable each one of them individually. But I cannot enable multiple subnets at the same time (only the first subnet actually gets negotiated). Defining all the available subnets in one VPN config should allow them all to be negotiated in one IKE session.
- Dynamic PSK -- external command/script: I set up a Linksys WRV54G at my parents' house, and I use that to connect back to their systems for remote tech support. The quirky thing about the WRV54G is that they have an HTTPS front end that is used to authenticate users and dynamically generate the PSK before the IPSec/IKE session starts. I have put together a script to pull that PSK and generate the IPSec config files. But being able to call a command/script from within IPSecuritas would be a better solution. (There are probably some other authentication systems that operate similarly (like S/Key). So this feature would allow IPSecuritas to work with more VPN gateways.)
- XAuth -- The updated IPSec tools project supports Xauth authentication (and NAT-Traversal). Apple includes an older version of racoon, which does not. Including an updated racoon binary would allow IPSecuritas to support XAuth authentication.

m0n0wall ?
by Sean McGrath on 2005-07-11 19:48:57 +0200
I can't get a connection to m0n0wall 1.1 or 1.2b9. The error message in the log is "racoon: ERROR: isakmp_inf.c:193:isakmp_info_recv(): ignore information due to hash length mismatch". The server logs show this happens during phase 2. MD5 and SHA1 hashes both fail. Any success stories? Thanks

Re: m0n0wall ?
by stephenb on 2005-07-15 05:42:37 +0200
I got it up and running. I sent the settings to Christoph but he's probably been too busy to post. Email me and I'll send you screen shots. stephenbatmacdotcom

Sonicwall TZ170 failing phase 2
by spectre51 on 2005-07-12 06:07:27 +0200
Okay, so I got my iBook set up with IPSecuritas and my Netscreen 5GT at home, so I decided to hook it up to my Sonicwall TZ170 at work. I am trying to use the GroupVPN option on the Sonicwall, which is on the latest SonicOS Standard firmware. We are making it through phase 1 no problem but the VPN continues to fail at phase 2. I'm wondering, does the Sonicwall have to be the enhanced version?
What should I put in the ID/Auth section under Identification for local and remote identifier?

Re: Sonicwall TZ170 failing phase 2
by w_grace on 2006-02-21 19:02:23 +0100
Are you getting what I am getting? My post...
Phase-1 Group 1 3DES MD5 28000
Phase-2 ESP 3DES MD5
Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:31:54 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:32:04 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait.
Feb 21 16:31:54 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:32:04 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait.
Feb 21 16:33:49 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:33:49 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:34:10 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:34:19 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait.
Feb 21 16:34:10 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:34:19 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait.

Re: Sonicwall TZ170 failing phase 2
by cnadig on 2006-02-21 23:37:42 +0100
Hello, do you have access to the log of the Sonicwall? Changing the log level of IPSecuritas to 'Verbose Debug' will give you additional information about the unknown notification sent by the firewall. Cheers, Christoph

Re: Sonicwall TZ170 failing phase 2
by Tim Pipes on 2006-03-02 21:27:45 +0100
We had been making a connection to our TZ170 without fail for a while there. Upgraded to 10.4.4 and IPSecuritas stopped working. It also says that it's failing at Phase 2 but none of the settings changed. We have thought about setting up a new SA but instead have decided to delve into this a little more as it was working.
IKE using preshared secret
Phase 1
DH Group: Group 1
Encryption: 3DES
Authentication: MD5
Lifetime: 28800
Phase 2
Protocol: ESP
Encryption: 3DES
Authentication: MD5
Enable Perfect Forward Secrecy: Unchecked
Advanced
Enable Windows Networking Broadcast: checked
that's it in Advanced.
Client
Cache XAUTH: never
Virtual Adaptor: DHCP Lease
Allow Connections to: Split Tunnels
nothing else checked.
As I said, it had been working flawlessly and now I have messed with just about every setting in IPSecuritas and have not been able to make the connection. I believe I am getting the same error output as w_grace (no phase 2 handle found). Any setup that works for anyone? Please fill me in. cheers, Tim

IPsecuritas and Linksys RV042
by jprsa on 2005-07-13 01:23:54 +0200
I have a Linksys RV042 and am having issues establishing a tunnel. I previously had a different Linksys VPN router model and that worked great. I decided to upgrade to the new and improved router. Linksys is of no help. Can anyone help me?

Re: IPsecuritas and Linksys RV042
by Mike O'Reilly on 2005-09-12 00:58:02 +0200
I just figured out the Linksys RV042 and RV082 with IPSecuritas and figured that some other people might be having the same issues... It seems that Linksys removed the "connect from any" option in their routers, but it's really still there!
Set up your tunnels just like you would have before (with another router) but use the option "Dynamic IP + E-mail Addr.(USER FQDN) Authentication". Input an email address (real or not, just a unique identifier) in the router for the tunnel. The magic is buried in the IPSecuritas help:
2. Domain Name (DN): This can either be a fully qualified distinguished name (FQDN, e.g. lobotomo.com) or a user fully qualified distinguished name (USER_FQDN, e.g. user@lobotomo.com).
This means just put that same email address in the Id/Auth dialog box under the "DN" option for the Local Identifier and your connection should work. I hope this helps someone out there; if anyone needs screenshots of the RV042 and IPSecuritas screens I can try and post them. Just reply to this post...

Re: IPsecuritas and Linksys RV042
by Alan H on 2005-09-20 17:11:20 +0200
Could you provide the screen shots please. Thanks

Re: IPsecuritas and Linksys RV042
by Glenn Dallas on 2005-10-21 03:31:57 +0200
I'm trying to set up a VPN tunnel to a mobile user also and can't find any good documentation. Could you send me the screenshots also. Thanks.

Re: IPsecuritas and Linksys RV042
by Dave Story on 2005-11-12 05:03:17 +0100
Thanks for offering, could you send the screen shots along to me as well.

Re: IPsecuritas and Linksys RV042
by Some Pinoy on 2005-11-16 01:57:26 +0100
Please send some pics, that would be awesome! We just updated to the RV016

Re: IPsecuritas and Linksys RV042
by BJS on 2005-11-30 16:42:26 +0100
I would also appreciate the screenshots. Thanks!

Re: IPsecuritas and Linksys RV042
by Cbo on 2005-12-30 22:27:08 +0100
Could you send me the screenshot also. Thanks a lot!

Re: IPsecuritas and Linksys RV042
by Jonathan Steuer on 2006-01-02 12:49:54 +0100
Screen shots most appreciated! Also firmware version of router, if you please. I assume this should work identically with the RV082? -j-

Re: IPsecuritas and Linksys RV042
by Mike O'Reilly on 2006-01-04 04:56:22 +0100
Well, it looks like my post from Sept. 12 has sparked some discussion... After a long testing period and some time in front of a graphics editor I finally got the screenshots everyone has been asking for! It looks like I can't post them directly in the forum here, so I'm going to put them in a Yahoo! photo gallery: http://pg.photos.yahoo.com/ph/mike_b_oreilly/album?.dir=/8802&.src=ph&.tok=ph7NeMEBjUPy0h8U If that URL is too long, try this TinyURL: http://tinyurl.com/74e82
...and now for the description of what you're looking at:
IPSecuritas
#1 "General" tab: The red box is over the public IP address of my RV042; this could be a public DNS name. I'm using DynDNS without any issues.
#2 "Phase 1" tab: The info here needs to match what you set on the router.
#3 "Phase 2" tab: The info here also needs to match what you set on the router.
#4 "ID/Auth" tab: This is where it got tricky; use the "Local Identifier" "DN" option. (For those of you in the know, you know that this is the Domain Name... Not here!) This is the email address that you will use to establish the tunnel. The email address is the fully qualified address but doesn't need to be a real address; only the address needs to match what you set on the router! This is also where you set the "preshared secret"; this is the VPN key that you use as the password between IPSecuritas and the RV042.
#5 "Options" tab: I don't remember changing anything here, but who knows at this point. Just follow the example and things should work for you.
#6 RV042 VPN Summary: This is a bit difficult to see, but it's the overview of how the tunnels are set up. The red box on the left is the name of the tunnel (this could be anything; name it something that helps you to identify the tunnel!) The green box on the right will automagically populate with the email address entered when you set up the tunnel (this will match the address in image #4). Don't worry about the black boxes, that's just to protect the users of my VPN.
#7 Tunnel Summary Overview: This is where the actual tunnel details are set. The first red box is where the tunnel name goes; this helps to identify who is connecting. The second red box is not available to edit; this is the IP address of the router. The 3rd and 4th red boxes are the email address that is used to identify the tunnel between IPSecuritas and the RV042; this is the same email address entered in image #4. Finally the 5th red box is the "preshared key" that is the password between the router and VPN client.
#8. This is just the summary of what the VPN log should look like on the RV042. I blocked off my tunnel's email address so that I can try to avoid

UMTS / GPRS
by lganzetti on 2005-07-16 18:00:43 +0200
IPSecuritas does not work with a UMTS or GPRS connection. The VPN starts without error, but when I try to use the VPN it does not work. I tried with a 56k modem and it works correctly, but with a Nokia UMTS or GPRS phone it does not work. Please help me

Problem 2.1: Cannot change Nonce size
by Andrea on 2005-07-18 13:40:24 +0200
This looks like a GUI problem... In IPSecuritas 2.1 (MacOS 10.4.1) I cannot edit the Nonce size field. The default is 16; I can add a third digit then remove it, but I cannot set it to 64 as I wish! Thank you for your attention! Andrea

Re: Problem 2.1: Cannot change Nonce size
by cnadig on 2005-07-21 22:34:49 +0200
Hello Andrea, I confirm that this is a bug. I will make an update available fixing the bug in a few days. Thank you very much, Christoph

IPSecuritas not working on PB, but does on another
by Sean McNamara on 2005-07-26 00:21:21 +0200
Hi folx, I've successfully gotten IPSecuritas connecting to a Netgear FVS318 VPN router using the instructions at http://www.aaronadams.net/index.php/2004/12/20/establishing_a_vpn_with_ipsecuritas_and.
This PB was using Panther originally, and now uses Tiger (we've had to use 128 bit for Tiger, but otherwise all the same). My client's PB running Panther and Tiger doesn't want to work, even if I copy my IPSecuritas configuration. I've finally gotten him to send me a log from IPSecuritas, so I'm hoping someone can point me in the right direction:
Log output from IPSecuritas 2.1
Jul 26 07:53:53 dewG4laptop IPSecuritas: Parsing configuration
Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up racoon.conf
Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up setkey.conf
Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up psk.txt
Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up tunnel.conf
Jul 26 07:53:53 dewG4laptop IPSecuritas: Parsing configuration done
Jul 26 07:53:54 dewG4laptop IPSecuritas: Starting racoon...
Jul 26 07:53:54 dewG4laptop IPSecuritas: Racoon is running
Jul 26 07:53:54 dewG4laptop IPSecuritas: Set kernel keys
add net 192.168.0.0: gateway gif0
Jul 26 07:53:54 dewG4laptop racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed.
Jul 26 07:53:54 dewG4laptop racoon: DEBUG: isakmp.c:1592:isakmp_open(): 192.168.1.5[500] used as isakmp port (fd=8)
Jul 26 07:53:54 dewG4laptop racoon: DEBUG: isakmp.c:1610:isakmp_open(): 192.168.1.5[4500] used as nat-t isakmp port (fd=9)
Jul 26 07:53:54 dewG4laptop racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:12, need update interface address list
Jul 26 07:53:54 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:14, need update interface address list
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message
Jul 26 07:53:55 dewG4laptop racoon: DEBUG2: plog.c:199:plogdump():
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: pfkey.c:1551:pk_recvacquire(): suitable outbound SP found: 10.0.0.3/32[0] 192.168.0.0/16[0] proto=any dir=out.
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff970: 192.168.0.0/16[0] 10.0.0.3/32[0] proto=any dir=in
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306618: 192.168.0.0/16[0] 10.0.0.3/32[0] proto=any dir=in
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: pfkey.c:1567:pk_recvacquire(): suitable inbound SP found: 192.168.0.0/16[0] 10.0.0.3/32[0] proto=any dir=in.
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: pfkey.c:1606:pk_recvacquire(): new acquire 10.0.0.3/32[0] 192.168.0.0/16[0] proto=any dir=out
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: proposal.c:826:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)

Re: IPSecuritas not working on PB, but does on ano
by sean McNamara on 2005-07-26 00:22:34 +0200
...log continued...
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: oakley.c:260:oakley_dh_generate(): compute DH's private.
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: plog.c:199:plogdump():
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: oakley.c:262:oakley_dh_generate(): compute DH's public.
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: plog.c:199:plogdump():
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp_agg.c:169:agg_i1send(): authmethod is pre-shared key
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 52, next type 4
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 96, next type 10
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 16, next type 5
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 13, next type 13
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 16, next type 0
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500]
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500]
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500]
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 241 bytes message will be sent to 192.168.1.5[500]
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: plog.c:199:plogdump():
Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000
Jul 26 07:53:57 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 16 not interesting
Jul 26 07:53:57 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 15 not interesting
Jul 26 07:54:01 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 16 not interesting
Jul 26 07:54:02 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 15 not interesting
Jul 26 07:54:15 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500]
Jul 26 07:54:15 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500]
Jul 26 07:54:15 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500]
Jul 26 07:54:15 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 241 bytes message will be sent to 192.168.1.5[500]
Jul 26 07:54:15 dewG4laptop racoon: DEBUG: plog.c:199:plogdump():
Jul 26 07:54:15 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000
Jul 26 07:54:26 dewG4laptop racoon: ERROR: isakmp.c:2120:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xxx->192.168.1.5
Jul 26 07:54:26 dewG4laptop racoon: INFO: isakmp.c:2125:isakmp_chkph1there(): delete phase 2 handler.
Jul 26 07:54:35 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500]
Jul 26 07:54:35 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500]
Jul 26 07:54:35 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto():

Re: IPSecuritas not working on PB, but does on ano
by Sean McNamara on 2005-07-26 00:23:37 +0200
...last bit...
Jul 26 07:54:36 dewG4laptop racoon: DEBUG: plog.c:199:plogdump():
Jul 26 07:54:36 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000
Jul 26 07:54:56 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500]
Jul 26 07:54:56 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500]
Jul 26 07:54:56 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500]
Jul 26 07:54:56 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 241 bytes message will be sent to 192.168.1.5[500]
Jul 26 07:54:56 dewG4laptop racoon: DEBUG: plog.c:199:plogdump():
Jul 26 07:54:56 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000
Jul 26 07:55:16 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500]
Jul 26 07:55:16 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500]
Jul 26 07:55:16 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500]
Jul 26 07:55:16 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 241 bytes message will be sent to 192.168.1.5[500]
Jul 26 07:55:16 dewG4laptop racoon: DEBUG: plog.c:199:plogdump():
Jul 26 07:55:16 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000
Jul 26 07:55:36 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500]
Jul 26 07:55:36 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500]
Jul 26 07:55:36 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500]
Jul 26 07:55:36 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 241 bytes message will be sent to 192.168.1.5[500]
Jul 26 07:55:36 dewG4laptop racoon: DEBUG: plog.c:199:plogdump():
Jul 26 07:55:36 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000
Jul 26 07:55:56 dewG4laptop racoon: ERROR: isakmp.c:1772:isakmp_ph1resend(): phase1 negotiation failed due to time up. 618d997594493356:0000000000000000
delete net 192.168.0.0
Jul 26 07:56:40 dewG4laptop IPSecuritas: Flushing kernel keys
Jul 26 07:56:40 dewG4laptop racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:2, need update interface address list
Jul 26 07:56:40 dewG4laptop racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:2, need update interface address list
Jul 26 07:56:40 dewG4laptop racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:13, need update interface address list
Jul 26 07:56:40 dewG4laptop IPSecuritas: Stopping racoon...
Jul 26 07:56:40 dewG4laptop racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDFLUSH message
Jul 26 07:56:40 dewG4laptop racoon: DEBUG2: plog.c:199:plogdump():
Jul 26 07:56:40 dewG4laptop racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey FLUSH message

Lucent IPSec
by Bob on 2005-07-26 11:49:56 +0200
Hi, I was wondering if anyone has tips for getting IPSecuritas working with the Lucent IPSec implementation. The standard Lucent client works with Windows only and I'd love to get access on my Mac. BTW, it does ask for a username and password. I've read that some IPSec implementations use something called xauth, which I believe allows proprietary authentication, though I don't really understand the ins and outs of how all this works. Can someone please provide me with some advice or point me in a suitable direction for more information? I've been searching Google for weeks trying to find a solution but haven't had any luck so far.
Thanks

Tiger, IPSecuritas, Sonicwall 2040 and NAT Trversl

Tiger, IPSecuritas, Sonicwall 2040 and NAT Trversl by miles on 2005-08-01 19:38:18 +0200

We've been using IPSecuritas for some time, but suddenly it's stopped working for all OS X users in my office. We did recently upgrade the fw to SonicOS 3.1, but all Windows users are still able to VPN, so we're wondering if this is tied to the OS X 10.4.2 update last week. In the client logs we see NO PROPOSAL CHOSEN for phase 2, and in the firewall logs we see that NAT Traversal is failing on the client. Any ideas? Did something change in OS X? Thanks in advance.

Re: Tiger, IPSecuritas, Sonicwall 2040 and NAT Trv by David Chamberlin on 2005-08-16 02:04:06 +0200

I've been trying to set up IPSecuritas to a SonicWall 2040 as well, with the latest 3.1.7.x firmware, and can't get past phase 2. It always gives a NO-PROPOSAL-CHOSEN error. We are trying to connect to our group VPN policy using preshared keys. Strangely, I tested using IPSecuritas (racoon) on both 10.4.2 and 10.3.9 OS X with the same result. Same result if I used the other VPN clients that utilize racoon. So, I don't think it's related to the racoon version, unless you upgraded from a much earlier OS X. Any ideas?

Re: Tiger, IPSecuritas, Sonicwall 2040 and NAT Trv by miles on 2005-08-18 08:23:51 +0200

Hey David, I've come to the conclusion it must be SonicOS. Just renewing our support with SonicWall, so I'll post what I find out. May have to roll back to 2.1.

IPSecuritas and SonicWall Pro 2040

IPSecuritas and SonicWall Pro 2040 by zervakos on 2005-08-02 15:39:17 +0200

Hello, I have been successful in getting IPSecuritas to work with a SonicWall TZW, and now I'm trying to get IPSecuritas to work with a SonicWall Pro 2040. The problem I'm seeing is this in the logs of IPSecuritas:

Aug 2 06:26:41 vpnclient racoon: ERROR: ipsec_doi.c:2993:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN.
Aug 2 06:26:41 vpnclient racoon: ERROR: ipsec_doi.c:2993:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN.
Aug 2 06:26:41 vpnclient racoon: ERROR: isakmp_ident.c:668:ident_i4recv(): invalid ID payload.
Aug 2 06:26:41 vpnclient racoon: ERROR: isakmp_ident.c:668:ident_i4recv(): invalid ID payload.
Aug 2 06:26:52 vpnclient racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP sonicwall_ip->192.168.1.110
Aug 2 06:26:52 vpnclient racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP sonicwall_ip->192.168.1.110
Aug 2 06:26:52 vpnclient racoon: INFO: isakmp.c:2050:isakmp_chkph1there(): delete phase 2 handler.

In the logs of the SonicWall, I see that phase I successfully completes, but I also get this:

Warning Received packet retransmission. Drop duplicate packet public_ip_vpnclient_hides_behind 0.0.0.0 -

Has anyone come across this perhaps?

Re: IPSecuritas and SonicWall Pro 2040 by Mike on 2005-08-11 22:40:16 +0200

Bump on this, but I get a different error message with mine. Here is what mine is saying. Also, the SonicWall is running the latest firmware update, version 3.1.0.6-75s.

SonicWall output:

IKE Responder: IPSec proposal does not match (Phase 2)

IPSecuritas output:

Log output from IPSecuritas 2.1
Aug 11 13:39:35 Michael-Palfreys-Computer-2 IPSecuritas: Parsing configuration
Aug 11 13:39:35 Michael-Palfreys-Computer-2 IPSecuritas: Setting up racoon.conf
Aug 11 13:39:35 Michael-Palfreys-Computer-2 IPSecuritas: Setting up setkey.conf
Aug 11 13:39:35 Michael-Palfreys-Computer-2 IPSecuritas: Setting up psk.txt
Aug 11 13:39:35 Michael-Palfreys-Computer-2 IPSecuritas: Setting up tunnel.conf
Aug 11 13:39:35 Michael-Palfreys-Computer-2 IPSecuritas: Parsing configuration done
Aug 11 13:39:36 Michael-Palfreys-Computer-2 IPSecuritas: Starting racoon...
Aug 11 13:39:36 Michael-Palfreys-Computer-2 IPSecuritas: Racoon is running
Aug 11 13:39:36 Michael-Palfreys-Computer-2 IPSecuritas: Set kernel keys
The result of line 5: File exists.
The result of line 6: File exists.

netgear fvs318 vpn setup

netgear fvs318 vpn setup by mike on 2005-08-03 18:14:35 +0200

I set up a Netgear FVS318 in a branch office that is using DSL to the internet. I am trying to set up VPN connections from the computers in the branch office back to the main office. We are using a Cisco concentrator at the main office and the Cisco VPN client on the PCs in the branch office. I am able to connect one computer back to the main office. When I attempt to connect a second computer, the first computer loses its connection. From what I understand the NG FVS318 is supposed to do NAT'ing (one to many); it says so on the box. Where in the web interface do I configure NAT, and/or do I need to configure separate VPN tunnels for each PC? I only have one IP from my ISP. Thanks, Mike

Re: netgear fvs318 vpn setup by cnadig on 2005-08-04 23:33:02 +0200

Hello Mike, having multiple IPSec clients in a NAT'ed private network talking to the same remote won't work unless you use NAT-T for all clients (the NAT router cannot distinguish incoming IPSec traffic and will just send it on to the last known client, resulting in the behaviour you described). In your situation I'd recommend permanently connecting the two LANs (branch office and main office) by the FVS318 itself, so instead of having an individual tunnel for each PC, there is only one between the FVS318 and the Cisco concentrator, tunneling the traffic for all PCs. Hope this helps, Christoph

Resolved Multiple Addresses

Resolved Multiple Addresses by MikeyG_U2 on 2005-08-03 20:25:53 +0200

I'm in the process of configuring IPSecuritas to access a Checkpoint VPN-1 but have run into many problems. The one that is currently throwing me is that it reports that it's resolving multiple addresses...
Here is my log:

Aug 3 13:02:45 Panther IPSecuritas: Parsing configuration
Aug 3 13:02:45 Panther IPSecuritas: Setting up racoon.conf
Aug 3 13:02:45 Panther IPSecuritas: Setting up setkey.conf
Aug 3 13:02:45 Panther IPSecuritas: Setting up psk.txt
Aug 3 13:02:45 Panther IPSecuritas: Setting up tunnel.conf
Aug 3 13:02:45 Panther IPSecuritas: Parsing configuration done
Aug 3 13:02:46 Panther IPSecuritas: Starting racoon...
Aug 3 13:02:46 Panther IPSecuritas: Racoon is running
Aug 3 13:02:46 Panther IPSecuritas: Set kernel keys
line 3: Unknown error at [192.168.1.0]
line 3: Unknown error at [192.168.69.69]
line 4: Unknown error at [192.168.69.69]
line 4: Unknown error at [192.168.1.0]
Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(204.253.2.254,500): resolved to multiple address, taking the first one
Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(204.253.2.254,500): resolved to multiple address, taking the first one
Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.69.69,0): resolved to multiple address, taking the first one
Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.69.69,0): resolved to multiple address, taking the first one
Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.1.0,0): resolved to multiple address, taking the first one
Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.1.0,0): resolved to multiple address, taking the first one
Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.69.69,500): resolved to multiple address, taking the first one
Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.69.69,500): resolved to multiple address, taking the first one
Aug 3 13:09:42 Panther racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 204.253.2.254->192.168.69.69
Aug 3 13:09:42 Panther racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 204.253.2.254->192.168.69.69
Aug 3 13:10:42 Panther IPSecuritas: Flushing kernel keys

Has anyone seen this issue? I can't figure out what is causing it. Oh, 192.168.69.69 is my internal IP (behind a Linksys router with IPSec passthrough enabled) and 192.168.1.0 is the remote network and netmask I'm connecting to. Thanks for any insight. -Mike

Re: Resolved Multiple Addresses by VPNmac on 2005-08-07 10:12:37 +0200

More issues with Check Point here: http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1117914134

IPSecuritas behind FW to Bintec VPN25 ?

IPSecuritas behind FW to Bintec VPN25 ? by avalon_s_de on 2005-08-14 16:48:08 +0200

Hello all, I am trying to get a working connection to a Funkwerk (aka Bintec) VPN Access 25. The VPN Phase 1 and Phase 2 are established correctly, but I cannot ping any host in the remote network. I set up a Host-Network connection. I use the following setup details:

Phase 1: 3des/MD5
Phase 2: PFS 3des/MD5
Preshared key
remote-auth: address
local-auth: fqdn

I get the VPN up, but reaching the remote hosts doesn't work. Any hints / ideas? The connection with VPN Tracker works correctly... thx, stefan

Re: IPSecuritas behind FW to Bintec VPN25 ? by Florian on 2006-03-29 17:24:45 +0200

Hi Stefan, how did you get your VPN to work? Thanks a lot, florian

Re: IPSecuritas behind FW to Bintec VPN25 ? by Stefan Dietz on 2006-03-30 10:15:37 +0200

Florian, I got the VPN working by setting up the traffic settings correctly ;) There were some entries missing. Send an email when you have further questions. Regards, -stefan

Re: IPSecuritas behind FW to Bintec VPN25 ? by netgoblin on 2006-05-17 11:19:47 +0200

Hey Florian, see this link http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1087200958 for more info about Bintec / IPSecuritas, or write an email. -thorsten

GB OS 3.7 Mac 10.4.2

GB OS 3.7 Mac 10.4.2 by Ryan.Haller on 2005-08-24 19:13:15 +0200

Hello, GB-500 with GB OS 3.7 using a Mac 10.4.2 client and IPSecuritas. Anyone else have this setup? Still in the testing stage, but I cannot seem to get it to work. The check box goes green, I show an authenticated user and active VPN, but I cannot get anywhere on the local network. IPSecuritas seems to be ignoring the getmyaddr response message.... possibly because I put it in during configuration. It is msg #4 and/or #5. If anyone has any insight, please help? -Ryan

IPSecuritas 2.1 mysterious failure

IPSecuritas 2.1 mysterious failure by Olaf Müller-Michaels on 2005-09-12 19:32:06 +0200

Until today IPSecuritas worked great with the Bintec router in our firm. Starting today, I cannot connect to the internal network anymore. Nothing was changed on the company side. I also tried the same settings with VPN Tracker and everything still works fine. However, with IPSecuritas I can connect fine to the router, and it seems to establish a tunnel, but when I try to ping our internal server, it does not work. Maybe I can do a total reinstall of IPSecuritas, but I do not know where all the settings sit; simply deleting IPSecuritas from the Applications folder is not enough. Any other ideas? On request, I can send the debug output. I do not want to change to VPN Tracker, please ... ;D

Re: IPSecuritas 2.1 mysterious failure by Olaf Müller-Michaels on 2005-09-12 22:51:53 +0200

Intermittently it worked again, but very unreliably.
This is what seems to cause the problem; I get this message repeatedly:

Sep 12 22:49:28 Powerbook-OMM racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting

Olaf

Mac Gateway Assistant

Mac Gateway Assistant by mitchellzone on 2005-09-12 19:59:04 +0200

Anyone have any luck setting up a VPN that can be accessed by machines behind a Mac OS X internet gateway, or know how this can be done? The VPN appears to work fine on the gateway machine itself, but I can't get any machines BEHIND the gateway to see the VPN. Sure there's a routing trick that can make this work, but the route table looks okay already, so not sure what's happening there... /mike

IPSecuritas and SonicWALL SOHO3

IPSecuritas and SonicWALL SOHO3 by Louis Gephardt on 2005-09-13 22:10:45 +0200

I'm trying to connect to a SonicWALL SOHO3 device at a remote office, and I keep getting this in the log and it won't connect:

Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet be12e283176fab00:0000000000000000
Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:238:isakmp_handler(): ===
Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:239:isakmp_handler(): 208 bytes message received from 66.159.77.44[500]
Sep 13 16:08:27 Mozart racoon: DEBUG: plog.c:199:plogdump():
Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:539:isakmp_main(): malformed cookie received or the initiator's cookies collide.
Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.0.102[500]
Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.0.102[500]
Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500]
Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 112 bytes message will be sent to 10.0.0.102[500]
Sep 13 16:08:47 Mozart racoon: DEBUG: plog.c:199:plogdump():
Sep 13 16:08:47 Mozart racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet be12e283176fab00:0000000000000000
Sep 13 16:08:47 Mozart racoon: DEBUG: isakmp.c:238:isakmp_handler(): ===
Sep 13 16:08:47 Mozart racoon: DEBUG: isakmp.c:239:isakmp_handler(): 208 bytes message received from xxx.xxx.xxx.xxx[500]
Sep 13 16:08:47 Mozart racoon: DEBUG: plog.c:199:plogdump():
Sep 13 16:08:47 Mozart racoon: DEBUG: isakmp.c:539:isakmp_main(): malformed cookie received or the initiator's cookies collide.
Sep 13 16:09:07 Mozart racoon: ERROR: isakmp.c:1772:isakmp_ph1resend(): phase1 negotiation failed due to time up. be12e283176fab00:0000000000000000

Any ideas? I'm running 10.4.2 on my Mac and the SOHO3 has the latest firmware.

known good sonicwall pro 230 settings

known good sonicwall pro 230 settings by nunya biznas on 2005-09-17 16:58:14 +0200

I just got a SonicWall Pro 230 to work; here are my settings. Omitted items are blank or unchecked.
:General host to network static ip at work first three numbers of work network with a zero on the end (192.168.1.0) 24 blank main and aggressive checked obey 16
:Phase 1 28000 mod768(1) 3des sha1
:phase 2 28800 none des 3des hmac sha1
:id/auth address address preshared secret from sonicwall
:options ipsec doi sit_identity_only initial contact generate policy dhcp pass-through establish ike immediately
:sonicwall groupvpn ike using pre-shared secret group 1 28800 3des & sha1 strg enc and auth (esp 3des hmac sha1) shared secret
:advanced all unchecked group 1 0.0.0.0 lan (after changing items on this menu you must hit update on the main screen for items to take effect)

Re: known good sonicwall pro 230 settings by nunya biznas on 2005-09-17 17:07:05 +0200

Oops, am using Mac OS X 10.4.1.

known good sonicwall tz 170 settings

known good sonicwall tz 170 settings by nunya biznas on 2005-09-17 17:04:28 +0200

I just got a SonicWall TZ 170 to work; here are my settings. Omitted items are blank or unchecked.

:General host to network static ip at work first three numbers of work network with a zero on the end (192.168.1.0) 24 blank main and aggressive checked obey 16
:Phase 1 28000 mod768(1) 3des sha1
:phase 2 28800 none des 3des hmac sha1
:id/auth address address preshared secret from sonicwall
:options ipsec doi sit_identity_only initial contact generate policy dhcp pass-through establish ike immediately
:sonicwall groupvpn ike using pre-shared secret
:proposals group 2 3des sha1 28800 esp des md5 group 1 28800
:advanced forward packets 0.0.0.0 lan
:Client split tunnels

Re: known good sonicwall tz 170 settings by nunya biznas on 2005-09-17 17:06:24 +0200

Oops. Am using Mac OS X 10.4.1.

Re: known good sonicwall tz 170 settings by w_grace on 2006-02-21 19:06:01 +0100

Hello, that's using the default settings on the SonicWall; is it possible to change anything from the default settings and still keep it working? It seems strange that you cannot change it from the default settings.
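A small triage helper for the racoon log excerpts posted in the threads above (the resend phase1 loops, the main mode ID-type error, the malformed cookie message and the resolved to multiple address errors). This is an added example, not code from the forum or from IPSecuritas; the sample log is constructed from those excerpts with placeholder host names and a documentation address for the peer, and the wording of the NO-PROPOSAL-CHOSEN line is assumed.

```shell
#!/bin/sh
# Triage helper for racoon (IPSecuritas) logs. Added example, not part of IPSecuritas.
# Usage: racoon_triage [LOGFILE]   (reads standard input when no file is given)

racoon_triage() {
    # Field layout of a racoon syslog line:
    #   $1-$3 date and time, $4 host, $5 "racoon:", $6 level, $7 file:line:function(), $8.. message
    awk '
        $5 != "racoon:" { next }        # skip IPSecuritas, kernel and route lines
        {
            msg = ""
            for (i = 8; i <= NF; i++) msg = msg (i > 8 ? " " : "") $i
        }
        # Initiator is still retransmitting its first phase 1 message; count per initiator cookie.
        msg ~ /^resend phase1 packet / { split($NF, ck, ":"); resend[ck[1]]++; next }
        msg ~ /^phase1 negotiation failed due to time up/ {
            split($NF, ck, ":")
            n = resend[ck[1]] + 0
            # Responder cookie still all zeros: the peer never answered at all.
            if (ck[2] ~ /^0+$/)
                print "no-peer-response: " n " retransmissions and the responder cookie stayed zero, so no ISAKMP reply ever arrived; check the gateway address and that UDP 500 (4500 with NAT-T) reaches the peer"
            else
                print "phase1-timeout: the peer replied but phase 1 never completed; compare phase 1 proposals (encryption, hash, DH group) and identifiers with the gateway"
            next
        }
        msg ~ /Expecting IP address type in main mode/ && !seen["id"]++ {
            print "id-type-mismatch: the peer sent an FQDN identifier but main mode with a pre-shared key expects an address; align the identifier type on both ends"
        }
        msg ~ /malformed cookie received or the initiator.s cookies collide/ && !seen["ck"]++ {
            print "unmatched-cookies: a reply carried cookies that match no pending phase 1 exchange; clear stale SAs on both ends and retry"
        }
        msg ~ /resolved to multiple address/ && !seen["addr"]++ {
            print "ambiguous-address: an endpoint resolved to several addresses and racoon took the first; check the local, remote and network entries"
        }
        msg ~ /phase2 negotiation failed due to time up waiting for phase1/ && !seen["p2"]++ {
            print "phase2-blocked-by-phase1: phase 2 never started because phase 1 did not complete; fix the phase 1 finding first"
        }
        tolower(msg) ~ /no.proposal.chosen/ && !seen["p2prop"]++ {
            print "no-proposal-chosen: the gateway rejected the proposal; compare encryption, hash/auth, DH or PFS group and lifetime with the gateway policy"
        }
    ' ${1:+"$1"}
}

# Constructed sample, modelled on the excerpts posted in this forum (hosts and the
# peer address 203.0.113.10 are placeholders; the last line's wording is assumed).
racoon_sample_log() {
    cat <<'EOF'
Jul 26 07:53:55 laptop racoon: DEBUG: isakmp_agg.c:169:agg_i1send(): authmethod is pre-shared key
Jul 26 07:53:55 laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000
Jul 26 07:54:15 laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000
Jul 26 07:54:26 laptop racoon: ERROR: isakmp.c:2120:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10->192.168.1.5
Jul 26 07:55:56 laptop racoon: ERROR: isakmp.c:1772:isakmp_ph1resend(): phase1 negotiation failed due to time up. 618d997594493356:0000000000000000
Jul 26 07:56:40 laptop IPSecuritas: Flushing kernel keys
Aug  2 06:26:41 vpnclient racoon: ERROR: ipsec_doi.c:2993:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN.
Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:539:isakmp_main(): malformed cookie received or the initiator's cookies collide.
Aug  3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.69.69,0): resolved to multiple address, taking the first one
Aug  1 19:30:02 officemac racoon: ERROR: isakmp_info.c:1121:isakmp_info_recv_n(): notification message 14:NO-PROPOSAL-CHOSEN, doi=1 proto_id=3
EOF
}

# Demo: one finding per line, in the order the evidence appears in the log.
racoon_sample_log | racoon_triage
```

Run it against the real file with `racoon_triage /path/to/ipsecuritas.log`; the no-peer-response finding is the pattern cnadig describes further down (the remote never answers the request).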
Re: known good sonicwall tz 170 settings by Uptimejeff on 2006-03-08 17:19:30 +0100

No go for me... OS X 10.4.5, SonicWall TZ170 3.1.0.12-86s. I am able to make an IPsec connection to several Linksys devices, but have not had any success connecting to a SonicWall (tried several). On the SonicWall, I tried the defaults of the Group VPN with the settings as described in this thread. It's not possible for me to be sure that all the settings are the same because not all fields are listed. Screen shots might be more accurate (and faster). If anyone has a similar config running, I would be willing to email screen shots of my IPSecuritas and SonicWall setup or receive screenshots of your working configuration. Thanks, Jeff

Re: known good sonicwall tz 170 settings by xrub on 2006-06-04 18:52:20 +0200

Doesn't work for me either with the exact settings. OS X 10.4.6, firmware SonicOS Standard 3.1.0.15-95s on a TZ170W. I spent 3 hours trying to get this to work without success. Then I downloaded VPN Tracker and set it up in 5 minutes. Is it worth the money? Depends how much your time is worth. Personally, I think spending time setting up a VPN connection is a gross waste of time. I'll gladly pay for a good solution.

Re: My working TZ170 settings by northben on 2006-07-29 06:31:15 +0200

I finally have this working except for DNS. I can ping an IP address, but it apparently isn't getting the DNS server (our Domain Controller, not the SonicWall). I opened up the SonicWall config page and copied the settings to IPSecuritas. If anyone has questions, I'd be glad to help with what I can. Email/IM me at ben.northway@gmail.com. If anyone has any suggestions for DNS, I'd be glad to know about it.

Troubles while installing certs

Troubles while installing certs by Dennis on 2005-09-20 18:36:49 +0200

While installing the certs according to dividedsky.net/~equate/vpn/ I am told to do the following:

openssl pkcs12 -in RoadCert.p12 -nodes -nokeys -clcerts -out x509gate.pem

for extracting in PEM format.
openssl pkcs12 -nodes -nocerts -in RoadCert.p12 -out private.pem

for extracting the private key. After that I try to import these files by using the Certificate Manager. First the foreign, but while importing the private key I get this message:

"Failed to import priv.pem. Please make sure the file contains a signed X.509 certifcate in PEM format."

Any hints?

VPN Broken in Mac OS X 10.4.2 ?

VPN Broken in Mac OS X 10.4.2 ? by nunya biznas on 2005-10-06 03:53:56 +0200

For some reason I have a 10.4.1 laptop that works from home with a SonicWall at work, yet my 10.4.2 G5 tower from home does not. Identical settings in IPSecuritas. Anyone know if I should post my log file and try to solve it, or just wait for 10.4.3? Thanks for any insight.

Re: VPN Broken in Mac OS X 10.4.2 ? by jt on 2005-10-09 16:52:50 +0200

Wow, not a single reply. I'd have thought someone would let me know if 10.4.2 is or isn't broken. I have other problems with it as well; it broke some networking features in Virtual PC. ;) Here's my log output from a known good configuration with a SonicWall. Again, I have a 10.4.1 laptop that, with the same configuration, has no problem connecting.

Log output from IPSecuritas 2.1
Oct 9 09:44:23 gtower IPSecuritas: Parsing configuration
Oct 9 09:44:23 gtower IPSecuritas: Setting up racoon.conf
Oct 9 09:44:23 gtower IPSecuritas: Setting up setkey.conf
Oct 9 09:44:23 gtower IPSecuritas: Setting up psk.txt
Oct 9 09:44:23 gtower IPSecuritas: Setting up tunnel.conf
Oct 9 09:44:23 gtower IPSecuritas: Parsing configuration done
Oct 9 09:44:24 gtower IPSecuritas: Starting racoon...
Oct 9 09:44:25 gtower IPSecuritas: Racoon is running
Oct 9 09:44:25 gtower IPSecuritas: Set kernel keys
Oct 9 09:44:25 gtower racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed.
Oct 9 09:44:25 gtower racoon: DEBUG: isakmp.c:1592:isakmp_open(): 10.0.1.4[500] used as isakmp port (fd=8)
Oct 9 09:44:25 gtower racoon: DEBUG: isakmp.c:1610:isakmp_open(): 10.0.1.4[4500] used as nat-t isakmp port (fd=9)
Oct 9 09:44:25 gtower racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message
Oct 9 09:44:25 gtower racoon: DEBUG2: plog.c:199:plogdump():
Oct 9 09:44:25 gtower racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory

Re: VPN Broken in Mac OS X 10.4.2 ? by jt on 2005-10-09 16:54:33 +0200

For completeness, this is my log.

Re: VPN Broken in Mac OS X 10.4.2 ? by jt on 2005-10-09 16:59:31 +0200

For completeness, this is my log off 10.4.2 to a different SonicWall. This configuration also works fine off the 10.4.1 laptop.

Oct 9 09:53:56 gtower IPSecuritas: Parsing configuration
Oct 9 09:53:56 gtower IPSecuritas: Setting up racoon.conf
Oct 9 09:53:56 gtower IPSecuritas: Setting up setkey.conf
Oct 9 09:53:56 gtower IPSecuritas: Setting up psk.txt
Oct 9 09:53:56 gtower IPSecuritas: Setting up tunnel.conf
Oct 9 09:53:56 gtower IPSecuritas: Parsing configuration done
Oct 9 09:53:57 gtower IPSecuritas: Starting racoon...
Oct 9 09:53:57 gtower IPSecuritas: Racoon is running
Oct 9 09:53:57 gtower IPSecuritas: Set kernel keys
add net 172.16.10.0: gateway gif0
Oct 9 09:53:57 gtower racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed.
Oct 9 09:53:57 gtower racoon: DEBUG: isakmp.c:1592:isakmp_open(): 10.0.1.4[500] used as isakmp port (fd=8)
Oct 9 09:53:57 gtower racoon: DEBUG: isakmp.c:1610:isakmp_open(): 10.0.1.4[4500] used as nat-t isakmp port (fd=9)
Oct 9 09:53:57 gtower racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message
Oct 9 09:53:57 gtower racoon: DEBUG2: plog.c:199:plogdump():
Oct 9 09:53:57 gtower racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory
Oct 9 09:53:58 gtower racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:12, need update interface address list
Oct 9 09:53:58 gtower racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting
Oct 9 09:53:58 gtower racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:14, need update interface address list
Oct 9 09:53:58 gtower racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting
Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message
Oct 9 09:53:58 gtower racoon: DEBUG2: plog.c:199:plogdump():
Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:1551:pk_recvacquire(): suitable outbound SP found: 10.0.12.1/32[0] 172.16.10.0/24[0] proto=any dir=out.
Oct 9 09:53:58 gtower racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff970: 172.16.10.0/24[0] 10.0.12.1/32[0] proto=any dir=in
Oct 9 09:53:58 gtower racoon: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306778: 172.16.10.0/24[0] 10.0.12.1/32[0] proto=any dir=in
Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:1567:pk_recvacquire(): suitable inbound SP found: 172.16.10.0/24[0] 10.0.12.1/32[0] proto=any dir=in.
Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:1606:pk_recvacquire(): new acquire 10.0.12.1/32[0] 172.16.10.0/24[0] proto=any dir=out
Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:826:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:860:printsatrns(): (trns_id=DES encklen=0 authtype=1)
Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:860:printsatrns(): (trns_id=DES encklen=0 authtype=2)
Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:860:printsatrns(): (trns_id=3DES encklen=0 authtype=1)
Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:860:printsatrns(): (trns_id=3DES encklen=0 authtype=2)
Oct 9 09:53:58 gtower racoon: DEBUG: remoteconf.c:118:getrmconf():

Re: VPN Broken in Mac OS X 10.4.2 ? by cnadig on 2005-10-10 08:38:34 +0200

Hello, I'm not aware of any problems with 10.4.2. From what I can see in your log, it seems that the remote router/firewall does not send an answer to your side's request. Do you have access to the router's log? Christoph

Re: VPN Broken in Mac OS X 10.4.2 ? by nunya biznas on 2005-10-27 02:44:52 +0200

Got it working on my G5. Turns out all I had to do was completely delete the settings I had been working with out of the IPSecuritas menu and start over. Started working on the first try.

RV042 Setup Needed

RV042 Setup Needed by johnnj on 2005-10-14 19:08:40 +0200

I've got to say this router has driven me nuts! I can't get it to work with any of our Mac OS X users. I just want to set up 3 connections with mobile users, all using Mac OS X (hey, OS X helps cut down on IT work for the mobile users). I have read through most of the postings on this site for Linksys routers, and only a few have stated that they have gotten it to work, but they don't supply sufficient information. Linksys claims that Mac OS X VPN software only works with the Cisco routers.
(Which is BS, because I have to use a Cisco VPN client for their routers.) If anyone could please provide me with some help, links, advice, etc... Thanks, JohnNJ

Re: RV042 Setup Needed by Rand on 2005-12-09 06:45:56 +0100

Has anyone been successful creating a VPN connection to a RV042/RV042? Any help would be appreciated.

Re: RV042 Setup Needed by Heston on 2006-01-05 20:20:18 +0100

Hey, any joy with this?? I'm thinking of getting some RV042/RV082 for an all-Mac environment. Gulp. Thanks

Re: RV042 Setup Needed by macmouse on 2006-03-31 15:15:20 +0200

If anyone has gotten this to work, can you please post the settings? Thank you!

VPN/IPSec to LANCOM Routers

VPN/IPSec to LANCOM Routers by Heiko Amft on 2005-10-17 00:47:58 +0200

Does anyone have success with a VPN-IPSec connection between a Mac (10.4.2) and a LANCOM router with preshared keys, especially LANCOM DSL/I-1611 or the new 1611+? I've been testing for a few days; it seems the IPsec tunnel starts up, but there's no traffic in- or outgoing. Any ideas? Greetings, Heiko

Re: VPN/IPSec to LANCOM Routers by Erik Roderwald on 2006-02-06 09:44:13 +0100

Hi Heiko! First of all, do you have access to a Windows machine? If you have, you should install the Lancom software, which includes the Lancom Monitor. That tool is very helpful for looking up what's going wrong with your VPN connection. Also the assistants are not bad. I just made it for a client. Two things went wrong: First of all, make sure that there is an entry for each VPN connection in Configure (Konfigurieren), PPP connections (PPP-Verbindungen; I hope that I retranslated it correctly; your name sounds German, so I gave you the German items in the brackets). If there isn't an entry, add one which contains only the name of the wanted connection. You may activate IP forwarding and NetBIOS over IP. The rest you leave blank. The other thing which went wrong was the local and remote identifier.
I tried it with a fully qualified user name, which didn't work even though I found it in several online documents to be configured like that. I changed it to domain name and it worked fine. The router I named like router.network.local and the clients like user1.network.local. Well, I also called the Lancom hotline, which is quite expensive but very helpful. They sent me a step by step help file (pdf; German). Unfortunately it is not public, so I cannot give you a URL or send it to you. I'm sorry, you have to call them and ask for it. HTH, Erik

Tiger 10.4.2 and IPSecuritas 2.1 Problems

Tiger 10.4.2 and IPSecuritas 2.1 Problems by Nick Rigby on 2005-10-18 14:03:26 +0200

Hi, I'm having problems with my VPN (IPSecuritas 2.1) and Tiger 10.4.2. I can create a connection with my work network, and can connect to a couple of the servers. However, some servers cause Finder to hang and then stop responding. It appears that it's only the servers with a large amount of folders on them that I can't connect to. Does anyone know of a problem, or the solution? Thanks, Nick

Re: Tiger 10.4.2 and IPSecuritas 2.1 Problems by Nick Rigby on 2005-11-09 12:59:30 +0100

Still having problems, even with the 10.4.3 update. It certainly appears that connecting to servers with a large amount of data (folders) causes Finder to crash.

AEBS setup examples?

AEBS setup examples? by Sig on 2005-10-18 21:12:16 +0200

Can anyone help with a sample config or settings for an AEBS? I'm trying to use IPsec from a Powerbook, through the AEBS firewall (most likely I'll have to open ports, though I have no idea which ones, guessing 24), and out to the Internet. I would assume this would bypass all firewall settings without some customization. A good and bad thing, though not real risky on OS X. Thanks much in advance.

Acquiring IP address from Cisco 3000?

Acquiring IP address from Cisco 3000? by WD40 on 2005-10-19 20:40:05 +0200

I just recently got IPSecuritas to connect to a Cisco 3000 Concentrator VPN.
One area that doesn't seem to be working, though, is that IPSecuritas (racoon?) won't acquire an IP address from the Cisco unit. If I leave "local address" blank, ifconfig shows "gif0" with no address, and the VPN for the most part doesn't work. However, if I manually enter a local address, the ipsec stuff works fine. How can I set up IPSecuritas to request and use an IP address from the remote IPSec device? Thanks!

Early Replacement Of Name Servers

Early Replacement Of Name Servers by goldharv on 2005-10-21 01:23:17 +0200

I love IPSecuritas, but I've run into a problem implementing it. I've defined a default domain name and 2 name servers that are visible only when connected to my VPNs. However, /etc/resolv.conf gets replaced immediately after IPSecuritas starts IPSec. Unfortunately, my ISP changes my IP address occasionally and I have to use a dynamic DNS service. My VPNs are defined to use the fully qualified domain name of my home firewall. The net result is that if my VPN does not come up soon enough, my access to DNS servers is gone. I'm mainly posting this as a warning to others. I spent an hour or two trying to figure out what was going on. It would be great if IPSecuritas waited until the VPN was established before switching resolv.conf, and if it switched it back if the connection drops. To be really snazzy, you should be able to tell if the DNS server is accessible based on the network address of the VPN. For example, if I've entered 192.168.0.1 and 192.168.2.1 as name server addresses and if one of my VPNs connects to 192.168.0.0 and the other connects to 192.168.2.0, it should be obvious which connections have to be up before modifying resolv.conf. Harry

IPSecuritas Auto Start with certificates (10.3.9)

IPSecuritas Auto Start with certificates (10.3.9) by SomeUser on 2005-10-27 22:24:21 +0200

IPSecuritas Auto Start in 10.3.9 is broken if you use certificates...
IPSecuritas stores certificates and config files in /private/tmp when you click "Auto Start". Mac OS X runs /etc/rc.cleanup after boot, which deletes all files in /private/tmp. Solution:

1) Lobotomo could save the config/cert files somewhere more sensible like /etc

2) Edit /etc/rc.cleanup to spare deletion of your config/cert files, e.g. (line 43):

[code]
# Clean out /private/tmp.
if [ -d /private/tmp ]; then
	# blow away any _tmp_ in case it exists as well
	if [ -f /private/_tmp_ ]; then
		chflags -R nouchg /private/_tmp_ && rm -rf /private/_tmp_
	fi
	echo -n " /private/tmp"
+	mkdir -m 1777 /private/_tmp_
+	find /private/tmp/* ! -name ipsecuritas\* -maxdepth 0 -exec mv {} /private/_tmp_ \;
+	find /private/tmp/.[^.]* -maxdepth 0 -exec mv {} /private/_tmp_ \;
-	mv /private/tmp /private/_tmp_
	(chflags -R nouchg /private/_tmp_ && rm -rf /private/_tmp_) &
fi
- mkdir -m 1777 /private/tmp
[/code]

Netgear FVS124G

Netgear FVS124G by David on 2005-11-01 17:47:26 +0100

I can connect to the likes of Netgear FVS318 just fine but this new FVS124G is more complex - anyone else connecting to it?

Re: Netgear FVS124G by Daniel Loewus-Deitch on 2006-01-19 22:25:21 +0100

I also am having no luck connecting to a Netgear FVS124G. If possible, can anyone explain all the settings necessary on both the router and IPSecuritas in order to make this VPN connection work? I am really frustrated and I am hoping to avoid spending an exorbitant amount of money to buy VPN Tracker, just because Netgear is too lazy to support Macs with their own VPN client. If anyone has IP

Re: Netgear FVS124G by danlode on 2006-01-19 22:35:07 +0100

To finish my post above: If anyone has been able to get IPSecuritas to work with the Netgear FVS124G, please post here or contact me at daniel@experiencedynamics.com. Thank you so much!! Regards

Re: Netgear FVS124G by grep on 2006-05-10 03:55:14 +0200

I have recently purchased the FVS124g router to replace my Linksys router with service from verizon.dsl.
Nope, doesn't work, so I took it back to the store and got another one. Nope, it doesn't work either. Then called tech support in India; level one was quite good but couldn't make it work, level 2 was so-so, but couldn't make it work, now level 3 is working on it but with no luck so far. My fix at the moment is to unplug the Netgear and plug the Linksys back in; works almost instantly and works fine. My current opinion of Netgear is probably not very good. Grep

Re: Netgear FVS124G by rogerm on 2007-04-09 19:05:21 +0200

Greetings, I was able to get this to work. As others did, I looked at how VPN Tracker configured itself and adapted from there. Below is the info. (Please note the formatting got a bit messed up.)

Setting up IPSecuritas and FVS124G router.

Configuration of FVS124G VPN. Log into your FVS124G router.

1. Create and name a new IKE policy.
   1. Direction Type: Responder
   2. Exchange Mode: Aggressive
   3. Local. Select Local Gateway. Select Wan1 or Wan2 depending on which port this policy will be active on.
      1. Local Identity Type: FQDN – Fully Qualified Domain Name
      2. Local Identity Data: netgearrouter.local. This can be anything you want and will be used in the client configuration as well.
   4. Remote. Remote Host Configuration Record: None
      1. Remote Identity Type: FQDN – Fully Qualified Domain Name
      2. Remote Identity Data: thevpncleint.com. This can be anything you want and will be used in the client configuration as well.
   5. IKE SA Parameters.
      1. Encryption Algorithm: 3DES
      2. Authentication Algorithm: SHA1
      3. Authentication Method: Select Pre-Shared Key
         1. Enter the pre-shared key.
      4. Diffie-Hellman (DH) Group: Group 2 (1024 Bit)
      5. SA Life Time: 3600
   6. Select Apply to save the configuration.
2. Create a new VPN Policy.
   1. IKE Policy: Select the name of the IKE Policy that you just created.
   2. Remote VPN End Point:
      1. Address Type: IP Address
      2. Address Data: 0.0.0.0
   3. SA Life Time
      1. Seconds: 3600
      2. Kbytes: 0
   4. Check Box: IPSec PFS – no check.
      1. PFS Key group: Ignored as step 4 contains no check.
   5. Traffic Selector
      1. Local IP: Subnet Address (you will need to adjust this section with your IP info)
         1. Start IP Address: 192.168.254.0
         2. Finish IP Address:
         3. Subnet Mask: 255.255.255.0
      2. Remote IP: Single Address
         1. Start IP Address: 192.168.252.100
         2. Finish IP Address:
         3. Subnet Mask:
   3. AH Configuration
      1. Check Box: Enable Authentication – no check
      2. Authentication Algorithm: ignored with no check in section 3.1
   4. ESP Configuration
      1. Check Box: Enable Encryption – Check
         1. Encryption Algorithm: 3DES
      2. Check Box: Enable Authentication – Check
         1. Authentication Algorithm: SHA-1
   5. Select Apply to save the configuration.

Re: Netgear FVS124G by mpilch on 2007-04-15 01:30:08 +0200

rogerm: I tried to mimic your configuration but still without success. Which firmware do you have in your FVS124G? I have 1.1.38. Also it looks like you are not using "VPN wizard" to set your "IKE Policies" and "VPN Policies". So I have a question: How did you set "VPN Client Policy"? I assume this is the one you are using in your walkthrough? There is no way (at least I cannot find it) to add a new "VPN Client Policy". Manually I can add only "VPN Policy". Only using "VPN Wizard" can I add an entry to "VPN Client Policy" and later edit it. I also assumed you are using IPSecuritas v3 in your guide. Thanks, Marek

Re: Netgear FVS124G by mpilch on 2007-04-15 06:27:50 +0200

It works now. ;D Thanks for the great walkthrough. Good work.
Marek

Mac VPN Client using IPSecuritias Case Study is av

Mac VPN Client using IPSecuritias Case Study is av by jmizoguchi on 2005-11-06 20:13:51 +0100

FYI http://www.xtreme-racing-team.com/casestudy.html

Re: Mac VPN Client using IPSecuritias Case Study i by jmizoguchi on 2006-01-29 19:48:25 +0100

New site is vpncasestudy.com

Zyxell Zywall 2 and IPsecuritas

Zyxell Zywall 2 and IPsecuritas by tota on 2005-11-10 16:52:50 +0100

Did someone ever have luck setting up a Zyxell Zywall 2 and IPSecuritas in such a way that both are working together? For your information I give you the actual settings of the Zywall 2 as shown below. Hope someone may be able to give me some advice.

Name: VPN-Test
Key Management: IKE
Negotiation Mode: Main
Local Address Type: Subnet
Starting IP Address: 192.168.2.0
Ending IP Address / Subnet Mask: 255.255.255.0
Remote Address Type: Single Address
Starting IP Address: 0.0.0.0
Ending IP Address / Subnet Mask: 0.0.0.0
DNS Server (for IPSec VPN): 0.0.0.0
Authentication Method
Pre-Shared Key: securekey
Local ID Type: IP
Content: 130.60.32.95
Peer ID Type: IP
Content: 0.0.0.0
My IP Address: 0.0.0.0
Secure Gateway Address: 0.0.0.0
Encapsulation Mode: Tunnel
Encryption Algorithm: DES
Authentication Algorithm: SHA1

Phase 1
Negotiation Mode: Main
Encryption Algorithm: DES
Authentication Algorithm: MD5
SA Life Time (Seconds): 28800
Key Group: DH1

Phase 2
Active Protocol: ESP
Encryption Algorithm: DES
Authentication Algorithm: SHA1
SA Life Time (Seconds): 28800
Encapsulation: Tunnel
Perfect Forward Secrecy (PFS): None

Best regards for anyone's help and advice and tips. Greetings from Switzerland, Thomas Thaler

IPSecuritas & OpenBSD?

IPSecuritas & OpenBSD? by Iggy on 2005-11-14 07:24:00 +0100

I was wondering if anyone has had success getting isakmpd to work well with mobile IPSecuritas clients. If you have, I'd appreciate it if you can let me take a look at your isakmpd.conf and policy files as an example.

Re: IPSecuritas & OpenBSD?
by Iggy on 2005-11-14 07:47:08 +0100

Or even examples from FreeBSD isakmpd.conf/policy would be great.

Re: IPSecuritas & OpenBSD? by rical on 2006-01-14 19:05:46 +0100

for isakmpd on OBSD 3.6 to 3.8:

isakmpd.conf:

[code]
[General]
Listen-on=			82.58.73.130
Policy-file=			/etc/isakmpd/isakmpd.policy
Default-phase-1-lifetime=	1800,360:28800
Default-phase-2-lifetime=	1800,360:28800
Retransmits=			3

[Phase 1]
Default=			company-Nomades

[Phase 2]
Connections=			IPsec-Nomades

[Iniflux-Nomades]
Phase=				1
Transport=			udp
Local-address=			82.58.73.130
Address=			0.0.0.0
Configuration=			Default-main-mode
ID=				company-gw
Authentication=			good-password

[company-gw]
ID-type=			IPV4_ADDR
Address=			82.58.73.130

[IPsec-Nomades]
Phase=				2
ISAKMP-peer=			company-Nomades
Configuration=			Default-quick-mode
Local-ID=			Internal
Remote-ID=			Nomades

[Internal]
ID-type=			IPV4_ADDR_SUBNET
Network=			192.168.1.0
Netmask=			255.255.255.0

[Nomades]
Id-type=			IPV4_ADDR
Address=			0.0.0.0

[Default-main-mode]
DOI=				IPSEC
EXCHANGE_TYPE=			ID_PROT
Transforms=			3DES-SHA

[Default-quick-mode]
DOI=				IPSEC
EXCHANGE_TYPE=			QUICK_MODE
Suites=				QM-ESP-3DES-SHA-SUITE
[/code]

policy:

Re: Can't connect to Netgear FVS338

Re: Can't connect to Netgear FVS338 by Cryobat on 2005-12-21 14:19:11 +0100

I have the exact same problem on the exact same hardware! Did you have any success in this? It seems like the Netgear router doesn't like IPSecuritas to define the remote network or something? The router can't find the SPD for this client... I had the exact same messages in the log on the router from the beginning when trying to configure the Netgear IPSec client for Windows machines, but that was because I used the VPN Wizard instead of doing the "mode config" by hand. Does anyone know how to make IPSecuritas go through this last step?

Re: Can't connect to Netgear FVS338 by Ken Anderson on 2006-01-31 16:15:19 +0100

That makes three of us! Has anyone ever solved this?
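An added example for rical's isakmpd.conf post above (this is constructed for this page; it is neither rical's file nor OpenBSD's isakmpd code). isakmpd.conf is INI-like, and the [Phase 1], [Phase 2], ISAKMP-peer, Configuration, ID, Local-ID and Remote-ID entries all refer to other sections by name; a name that points at no section gives no usable SA and very little in the logs. The checker below parses that layout, reports every dangling reference, and flags Transforms/Suites that still use DES, 3DES or MD5. The sample configuration inside it is constructed with placeholder addresses and, like the posted one, defines the phase 1 peer under one section name while [Phase 1] and ISAKMP-peer refer to it under another.

```python
"""Check an isakmpd.conf for dangling section references and legacy transforms.

Added example for this thread (constructed; not rical's file and not OpenBSD
code). isakmpd.conf is INI-like and several keys name other sections.
"""
import re

# Keys whose values name other sections (comma-separated lists allowed);
# additionally, every value inside [Phase 1] names a peer section.
REFERENCE_KEYS = {"Connections", "Passive-connections", "Configuration", "ID",
                  "ISAKMP-peer", "Local-ID", "Remote-ID"}
# Algorithm tokens to flag: DES and MD5 are broken, 3DES is legacy (64-bit block).
WEAK_TOKENS = {"DES", "3DES", "MD5"}

# Constructed sample laid out like the posted config; the phase 1 peer section
# is named differently from the name [Phase 1] and ISAKMP-peer refer to.
SAMPLE_CONF = """\
[General]
Listen-on= 192.0.2.10
[Phase 1]
Default= roadwarriors
[Phase 2]
Connections= IPsec-roadwarriors
[mobile-roadwarriors]
Phase= 1
Transport= udp
Local-address= 192.0.2.10
Address= 0.0.0.0
Configuration= Default-main-mode
ID= gw-id
Authentication= placeholder-psk
[gw-id]
ID-type= IPV4_ADDR
Address= 192.0.2.10
[IPsec-roadwarriors]
Phase= 2
ISAKMP-peer= roadwarriors
Configuration= Default-quick-mode
Local-ID= Internal
Remote-ID= Mobile
[Internal]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0
[Mobile]
ID-type= IPV4_ADDR
Address= 0.0.0.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE
"""


def parse_isakmpd_conf(text):
    """Return {section: {key: value}}; '#' starts a comment, '=' separates."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError(f"unparseable line: {raw!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def dangling_references(sections):
    """(section, key, name) for each reference to a section that is not defined."""
    missing = []
    for name, body in sections.items():
        for key, value in body.items():
            if name != "Phase 1" and key not in REFERENCE_KEYS:
                continue
            for ref in (r.strip() for r in value.split(",")):
                if ref and ref not in sections:
                    missing.append((name, key, ref))
    return missing


def weak_transforms(sections):
    """(section, key, value) where Transforms/Suites use DES, 3DES or MD5."""
    flagged = []
    for name, body in sections.items():
        for key in ("Transforms", "Suites"):
            value = body.get(key)
            if value and WEAK_TOKENS & set(value.upper().split("-")):
                flagged.append((name, key, value))
    return flagged
```

Running `dangling_references(parse_isakmpd_conf(SAMPLE_CONF))` reports the `Default=` entry in [Phase 1] and the `ISAKMP-peer=` entry in [IPsec-roadwarriors] as pointing at a section that does not exist; renaming the peer section makes both findings disappear, while `weak_transforms` keeps flagging the 3DES transform and suite until they are replaced.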
Re: Can't connect to Netgear FVS338 by Ted Mittelstaedt on 2006-03-01 10:49:19 +0100

Hi All, Yes there is a solution to this. You're all going to hate it but it works. The problem is the Netgear's view of what an IPSec VPN is, is basically a classical LAN2LAN IPSec VPN. The so-called "VPN Client Policies" in the Netgear's VPN Policies that appear to be usable for a single client to VPN in with are actually a nasty hack that was worked out with the old Secure ID IPSec client, and nothing other than this client interoperates with it. You can get a Mac (or other UNIX) system to connect in to the Netgear, but you MUST use the standard VPN Policies, not the VPN Client policies, and you must define it by hand. Also, most importantly, you MUST USE a STATIC IP address. This is due to a bug in the Netgear's firmware: when you define a Fully Qualified Domain Name as a peer, the Netgear DOES NOT do a DNS lookup of that and substitute the remote peer IP address. Instead it just substitutes 0.0.0.0 which makes the VPN code in the Netgear fall back to the borked Secure ID client method. Basically what is going on here is we are defining a static peer on the Netgear side and a static peer on the Mac side and they must be mirror images of each other. So, in summary - you're going to have to pay extra to your DSL provider for a static IP. Also, I do NOT think this will work if the client is BEHIND a NAT router. Here are the setup instructions. This is on Panther (MacOS X 10.3) running the current MacOS patches and version 2.1 of IPSecuritas. The Netgear is running firmware version V1.6.47. Have phun with it! :-)

1) Set up your Mac client with a static IP number. In this case I'll use IP address 75.75.97.32

Log in to the Netgear admin interface and click on IKE Policies on the left, then click Add. Here is the policy:

Policy Name: macattack
Direction Type: Responder
Exchange Mode: Aggressive Mode
Local Identity Type: WAN IP Address
Local Identity Data: leave blank!
Remote Host Configuration Record: None
Remote Identity Type: Remote WAN IP
Remote Identity Data: leave blank for now!
IKE SA
Encryption Algorithm: DES
Authentication Algorithm: MD5
Authentication Method: Preshared Key
Preshared Key: freebsdkicksass
DH Group: Group 1
SA Life Time: 28800
X Authentication: None

Click Apply

Re: Can't connect to Netgear FVS338 by Cryobat on 2006-03-01 12:21:57 +0100

Ouch.... I wish it would work better somehow... how often do you have a static IP when you're out working at another location.... Ohh well, I think setting up a PPTP server behind the firewall and playing with port forwarding might be a better solution for Mac users then. Thanks for your reply tho! That was a really good answer with precise information on how to solve the problem! Thank you!

Re: Can't connect to Netgear FVS338 by Ted Mittelstaedt on 2006-03-04 08:55:03 +0100

Well, actually all you have to do is enable remote access on the Netgear, then when you're at a location, just obtain your IP address from www.whatismyip.com or some such, then access the Netgear's administrative page, change the IP addresses in the VPN policy and isakmp policy, and you're in business. Obviously this is tiresome and certainly not an answer that you would want to give to your regular users! Might be doable for system administrators, though. As for setting up a PPTP server behind the Netgear, another possibility is running a Linux/FreeBSD system in parallel with the Netgear, and running poptop on that. I can confirm MacOSX Panther pptp will successfully connect to that if you use 128bit encryption, since that is what we do. One of our Tiger users claims it only works if encryption is switched off on Tiger. One of these days I'm going to have to test that.

Re: Can't connect to Netgear FVS338 by Nathan Hilderman on 2006-05-06 21:32:10 +0200

I haven't got a FVS338, but I've had success with both an FVL328 and FVX338.
I've noticed between the FVL and FVX family a few differences, but did get both to work. My main problem was with the 'ID/Auth' part in IPSecuritas. I made the local and remote names 'fvx_host.com' on both IPSecuritas and in the local/remote FQDN (Fully Qualified Domain Name) within Netgear's IKE policy. Next hurdle (for me, anyways) was the IP settings - in IPSecuritas the 'Remote Network' uses the slash notation (i.e. /24), while Netgear wants a subnet address. To let it use your whole subnet (e.g. 10.0.0.0/24), you have to set the subnet to 255.255.255.0 (e.g. 10.0.0.0 as start IP, 255.255.255.0 as subnet address). You can use whatever subnet you want - but unless both sides are EXACTLY THE SAME you won't ever get a proper connection. In fact, it seems there are VERY few settings (SA Lifetimes, for example) that don't have to be identical for it to work. Also, in case you haven't figured it out, when you connect take a look at the VPN status to determine where your bad settings are. If you can't establish Phase 1 even, then something in your IKE policy is wrong. If you can't establish Phase 2, the problem is in your VPN Policy. Oh, and I don't know about the FVS family, but on the FVX I also had to make sure my VPN Policy was a 'VPN Policy' as opposed to a 'VPN Client Policy', if that makes a difference. Keep at it, you'll eventually get it to work.

Re: Can't connect to Netgear FVS338 by William Kyngesburye on 2006-05-13 01:42:06 +0200

Well, the FVS338 has been commandeered for a host-to-host VPN off our main internal network (and thru a different ISP) all this time (just a few Windoze computers there), so I haven't had a need to pursue this. Until now. I'm getting ready to put it back on our main network and ISP and decided to try it again. I double-checked settings on the FVS338 and in IPSecuritas. One thing I noticed on my IPSec config was that the remote subnet setting was 192.168.1.1/24.
From Nathan's last post I got the idea to try 192.168.1.0/24. Now it's working - VPN connection made. I'm sure I tried this before. Maybe some OSX update since then affected something. I didn't update the FVS firmware. I'm at home now and don't have my notes, but I'll post a summary later. I haven't been able to test file sharing yet - nothing really on the other end right now - but I could ping the firewall's local IP. The real test will be when I get the FVS on the main internal network, where the server, printers and Macs are. I can say that the FVS338 works with fvs_local.com and fvs_remote.com for the identifiers, just as the FVS docs say. And the VPN policy vs. VPN client policy distinction seems to be automatic, or something odd. I had a client policy and host-host policy generated from the wizard, then deleted the client policy that wasn't working. But when I added a policy, it automatically became a client policy. There can only be one client policy; it's used for the 50 client limit on the FVS338 (100 on the FVL328 and 200 on the FVX538) - and any more policies become the 'VPN Policies' (and then the FVS became a little confused). That didn't make much sense, but the VPN Client Policy works, I didn't need to make it a VPN Policy.

Re: Can't connect to Netgear FVS338 by kb on 2006-06-15 12:02:34 +0200

try with "A remote VPN client" option in VPN Wizard along with NG VPN client installed in your windows, that must solve the problem

Re: Can't connect to Netgear FVS338 by pristine on 2006-06-15 12:35:09 +0200

has anyone tried Extended authentication in FVS338, has anyone tried modeconfig, any inputs for configuring modeconfig in FVS338 would be appreciated.

IPSecuritas & Checkpoint

IPSecuritas & Checkpoint by fiddelm3742 on 2005-11-23 07:12:54 +0100

I'm having some issues with my IPSecuritas/Checkpoint setup. I've got all of the default IPSecuritas settings in as suggested via the forums and the example.
I do not have a key, my corporation having a managed firewall (thank you quest :-/). Anywho, perhaps I'm missing a step. Anywho my logs won't help anyone; I've stopped and started IPsec via IPSecuritas but my log doesn't report anything useful, just:

Log output from IPSecuritas 2.1
Nov 23 00:11:16 iBook IPSecuritas: Parsing configuration
Nov 23 00:11:16 iBook IPSecuritas: Setting up racoon.conf
Nov 23 00:11:16 iBook IPSecuritas: Setting up setkey.conf
Nov 23 00:11:16 iBook IPSecuritas: Setting up psk.txt
Nov 23 00:11:16 iBook IPSecuritas: Setting up tunnel.conf
Nov 23 00:11:16 iBook IPSecuritas: Parsing configuration done
Nov 23 00:11:17 iBook IPSecuritas: Starting racoon...
Nov 23 00:11:17 iBook IPSecuritas: Racoon is running
Nov 23 00:11:17 iBook IPSecuritas: Set kernel keys

No real connection info. Now, with the Windows client I just attempt to connect to something on our network (206.99.156.0/24) and it then prompts me for the User/Pass (which I already have set up in the software). Am I missing something here?

Re: IPSecuritas & Checkpoint by fiddelm3742 on 2005-12-08 20:52:03 +0100

No one knows ehh?

Re: IPSecuritas & Checkpoint by trs80 on 2005-12-15 16:45:14 +0100

You have to use Aggressive Mode under the phase 1 settings, and the rest of the config has to match whatever's in the Checkpoint policy (should be able to get that info from the admins). You also must have a user account in what's called the "Internal DB" (again, the admins will know what that is), in the form of an email address.

Netgear FVS318V3

Netgear FVS318V3 by Tony on 2005-12-06 19:48:20 +0100

I see a lot of people were able to get IPSecuritas to work with the FVS318. This wouldn't by any chance be V3 of the router, would it? I have an FVS318V3 that simply refuses to cooperate with IPSecuritas (my understanding is that V3 is essentially a completely different router than V1 & V2).

Re: Netgear FVS318V3 by jmizoguchi on 2006-01-29 19:47:50 +0100

I think so too. FVS318, FVX538 don't seem to run.
The newer router has IKE and VPN separate and the old V1, 2.4 was a different setup. I go to work on v2.4. That is on my site at vpncasestudy.com. If someone has gotten FVS318v3~ to work please submit your story to submission@vpncasestudy.com

compatible with FORTIGATE

compatible with FORTIGATE by Sepp maier on 2005-12-13 11:54:00 +0100

IPSECURITAS works well with the Fortinet firewalls (IPSEC with fixed or dynamic IP). GREAT APP.

Re: compatible with FORTIGATE by Gary S on 2005-12-14 21:53:41 +0100

I am trying to get that set up myself, but I don't have any experience with Fortigates. I don't think I am setting up the gateway right. Is there any advice you could give me on getting this set up?

Re: compatible with FORTIGATE by Sebastien on 2006-01-02 14:21:33 +0100

Hi, I tried to set up IPSecuritas but I am not able to connect to the VPN gateway F50A. I will provide logs this evening if somebody could help me. Sebastien.

Re: compatible with FORTIGATE by stephan on 2006-01-03 13:34:09 +0100

hi, i'm just trying to connect to our fortigate 400. i can't see anything in its logs, i don't even know if my mac tries to connect to it. are there any logs i could look for errors in on the mac side? haven't found any...

Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:19:01 +0100

I got invalid exchange type 6, any idea?

Log output from IPSecuritas 2.1
Jan 10 08:15:33 sunnyday IPSecuritas: Parsing configuration
Jan 10 08:15:33 sunnyday IPSecuritas: Setting up racoon.conf
Jan 10 08:15:34 sunnyday IPSecuritas: Setting up setkey.conf
Jan 10 08:15:34 sunnyday IPSecuritas: Setting up psk.txt
Jan 10 08:15:34 sunnyday IPSecuritas: Setting up tunnel.conf
Jan 10 08:15:34 sunnyday IPSecuritas: Setting up DNS configuration
Jan 10 08:15:34 sunnyday IPSecuritas: Parsing configuration done
Jan 10 08:15:35 sunnyday IPSecuritas: Starting racoon...
Jan 10 08:15:36 sunnyday IPSecuritas: Racoon is running
Jan 10 08:15:36 sunnyday IPSecuritas: Set kernel keys
Jan 10 08:15:36 sunnyday racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed.\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: isakmp.c:1592:isakmp_open(): 10.70.1.100[500] used as isakmp port (fd=8)\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: isakmp.c:1610:isakmp_open(): 10.70.1.100[4500] used as nat-t isakmp port (fd=9)\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message\n
Jan 10 08:15:36 sunnyday racoon: DEBUG2: plog.c:199:plogdump(): \n02120200 00020000 00000000 00000395\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
add net 192.168.1.0: gateway gif0
Jan 10 08:15:37 sunnyday IPSecuritas: Setting ip-label.com|192.168.0.3
Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:37 sunnyday racoon: DEBUG:
grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:12, need update interface address list\n
Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting\n
Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:14, need update interface address list\n
Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting\n

Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:21:04 +0100

next ...

Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2278:oakley_skeyid_dae(): SKEYID_d computed:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n2f74bea4 1d9d45d0 59b513c1 fa7e59af\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2307:oakley_skeyid_dae(): SKEYID_a computed:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n7f9756d6 71e1a348 d92dca61 ec3c22ce\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2336:oakley_skeyid_dae(): SKEYID_e computed:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n130facfb a8d233e5 9f0f3758 41719485\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2478:oakley_compute_enckey(): final encryption key computed:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n130facfb a8d233e5\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG:
algorithm.c:382:alg_oakley_encdef(): encription(des)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2589:oakley_newiv(): IV computed:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n2d2fb498 79fe1ee8\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: ipsec_doi.c:3238:ipsecdoi_setid1(): use ID type of IPv4_address\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:871:oakley_ph1hash_common(): HASH with:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \nef3561d9 f0900c3e 029593fb 25841dd0 594e3fcd d5fe1b58 efe1df7c 08c9c8fd\n29b35525 9cb6f812 879bae26 ed82f54e c5eb274f 218b23eb 1f2d45ef 0dc9bc14\nd7763a03 4079501e d72bca21 3b3510e0 ff751e4d ccbf2f04 ff67e2ad fceb1f9a\n56585bbe 55a48b2f af8596b7 ad5123b2 11762332 bb616f81 23b97c83 ef2da978\n2023db40 7cb9aace 919d4f1c ce0aa8c6 bdac3f1d 5aa3135c 4e2902c6 66288852\n3ae66d81 de6a179b f52962b0 17a65f1e ba74a423 1e9044e4 f04cb396 8f867c65\naba97d0c c961d04b aa6c9521 fd2e762c 429e876c 03078ebb 6bfb6a60 2373be69\n42f79b97 1464ef99 76a9d436 3c3761fe b01a6cfb b9d5ff4e fc74f5df d0f4a49b\nf79acfe3 3dc85eea 0bea0204 079f0db2 ecde9573 baad6157 f4435c0a cc0fc10f\nbcb0c6ae 998f0c93 f7855faf 89e0dc05 686f787a 98e3a555 76e3baa7 4e40401c\n69a05ea7 bd751de4 2e1fe8cf e1be51d4 f9162b4b 23ec04d2 61f4ab22 1a70da86\n28bbbc8e 041d5253 70af87da 66c5c9b4 da9870a1 80574be5 050ed0a8 d7f067b7\n6f42de18 bdfa477e a83c25fb 8b970626 00000001 00000001 00000028 01010001\n00000020 01010000 800b0001 80
Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:881:oakley_ph1hash_common(): HASH computed:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump():

Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:21:26 +0100

Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n0800000c 011101f4 0a460164 00000014 123027b8 5e8928cd 11cbdddf 36911daa\n00000000 00000008\n
Jan 10 08:15:40 sunnyday racoon: DEBUG:
algorithm.c:382:alg_oakley_encdef(): encription(des)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2883:oakley_do_encrypt(): with key:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n130facfb a8d233e5\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2891:oakley_do_encrypt(): encrypted payload by IV:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n2d2fb498 79fe1ee8\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2898:oakley_do_encrypt(): save IV for next:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \ndd836560 cb31998b\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2915:oakley_do_encrypt(): encrypted.\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.70.1.100[500]\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.70.1.100[500]\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to 62.160.52.119[500]\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 68 bytes message will be sent to 10.70.1.100[500]\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n6f42de18 bdfa477e a83c25fb 8b970626 05100201 00000000 00000044 b748f5c3\n3d61547d d39260d9 9620820e 4f7dfcb3 096ffa0f 887ea505 810acc28 dd836560\ncb31998b\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 6f42de18bdfa477e:a83c25fb8b970626\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:40 sunnyday
racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:238:isakmp_handler(): ===\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:239:isakmp_handler(): 60 bytes message received from 62.160.52.119[500]\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n6f42de18 bdfa477e a83c25fb 8b970626 05100201 00000000 0000003c a016f50c\n60d392c7 245425dd b460723d ddb226d6 9eb4ce3c e5d6dbef 3a509b07\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2709:oakley_do_decrypt(): begin decryption.\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2723:oakley_do_decrypt(): IV was saved for next processing:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump():

Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:23:54 +0100

Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \nb34d0bdb 03fd6f25 f40ce451 8b0125cb\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:871:oakley_ph1hash_common(): HASH with:\n
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \naba97d0c c961d04b aa6c9521 fd2e762c 429e876c 03078ebb 6bfb6a60 2373be69\n42f79b97 1464ef99 76a9d436 3c3761fe b01a6cfb b9d5ff4e fc74f5df d0f4a49b\nf79acfe3 3dc85eea 0bea0204 079f0db2 ecde9573 baad6157 f4435c0a cc0fc10f\nbcb0c6ae 998f0c93 f7855faf 89e0dc05 686f787a 98e3a555 76e3baa7 4e40401c\n69a05ea7 bd751de4 2e1fe8cf e1be51d4 f9162b4b 23ec04d2 61f4ab22 1a70da86\n28bbbc8e 041d5253 70af87da 66c5c9b4 da9870a1 80574be5 050ed0a8 d7f067b7\nef3561d9 f0900c3e 029593fb 25841dd0 594e3fcd d5fe1b58 efe1df7c 08c9c8fd\n29b35525 9cb6f812 879bae26 ed82f54e c5eb274f 218b23eb 1f2d45ef 0dc9bc14\nd7763a03 4079501e d72bca21 3b3510e0 ff751e4d ccbf2f04 ff67e2ad fceb1f9a\n56585bbe 55a48b2f af8596b7 ad5123b2 11762332 bb616f81 23b97c83 ef2da978\n2023db40 7cb9aace 919d4f1c ce0aa8c6 bdac3f1d 5aa3135c 4e2902c6 66288852\n3ae66d81 de6a179b
f52962b0 17a65f1e ba74a423 1e9044e4 f04cb396 8f867c65\na83c25fb 8b970626 6f42de18 bdfa477e 00000001 00000001 00000028 01010001\n00000020 01010000 800b0001 80 Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:881:oakley_ph1hash_common(): HASH computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \nb34d0bdb 03fd6f25 f40ce451 8b0125cb\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:1197:oakley_validate_auth(): HASH for PSK validated.\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp_ident.c:695:ident_i4recv(): peer's ID: Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n01000000 3ea03477\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:838:ph1_main(): ===\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2633:oakley_newiv2(): compute IV for phase2\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2634:oakley_newiv2(): phase1 last IV:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \ne5d6dbef 3a509b07 705fe9e2\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2666:oakley_newiv2(): phase2 IV computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n424f2cb7 f670fab8\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:752:oakley_compute_hash1(): HASH with:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n705fe9e2 0000001c 00000001 01106002 6f42de18 bdfa477e a83c25fb 8b970626\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:762:oakley_compute_hash1(): HASH computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n266ad6a8 f6e45dc4 5fb596ec 7d0e1603\n Jan 10 08:15:40 sunnyday racoon: DEBUG: 
oakley.c:2832:oakley_do_encrypt(): begin encryption.\n Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:24:14 +0100 Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp_inf.c:705:isakmp_info_send_common(): sendto Information notify.\n Jan 10 08:15:40 sunnyday racoon: INFO: isakmp.c:2756:log_ph1established(): ISAKMP-SA established 10.70.1.100[500]-62.160.52.119[500] spi:6f42de18bdfa477e:a83c25fb8b970626\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:885:ph1_main(): ===\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:238:isakmp_handler(): ===\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:239:isakmp_handler(): 68 bytes message received from 62.160.52.119[500]\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n6f42de18 bdfa477e a83c25fb 8b970626 08100601 532c13ae 00000044 fd7cc74d\nd84776b2 a5f0dc47 fd531bdd 431b17ae 96b7eab9 e371d10a 5daa0397 2c6e4af7\n4aa76e10\n Jan 10 08:15:40 sunnyday racoon: ERROR: isakmp.c:767:isakmp_main(): Invalid exchange type 6 from 62.160.52.119[500].\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:41 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:1153:isakmp_ph2begin_i(): ===\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:1154:isakmp_ph2begin_i(): begin QUICK mode.\n Jan 10 08:15:41 sunnyday racoon: INFO: isakmp.c:1158:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 10.70.1.100[0]<=>62.160.52.119[0]\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:2633:oakley_newiv2(): compute IV for phase2\n Jan 10 08:15:41 sunnyday racoon: DEBUG: 
oakley.c:2634:oakley_newiv2(): phase1 last IV:\n Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \ne5d6dbef 3a509b07 766e76a7\n Jan 10 08:15:41 sunnyday racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)\n Jan 10 08:15:41 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:2666:oakley_newiv2(): phase2 IV computed:\n Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \na39303c3 e9f82df6\n Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:795:pk_sendgetspi(): call pfkey_send_getspi\n Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:808:pk_sendgetspi(): pfkey GETSPI sent: ESP/Tunnel 62.160.52.119->10.70.1.100 \n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp_quick.c:129:quick_i1prep(): pfkey getspi sent.\n Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey GETSPI message\n Jan 10 08:15:41 sunnyday racoon: DEBUG2: plog.c:199:plogdump(): \n02010003 000a0000 00000001 00000396 00020001 01d84e96 00000001 00000014\n00030005 ff200000 10020000 3ea03477 00000000 00000000 00030006 ff200000\n10020000 0a460164 00000000 00000000\n Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:879:pk_recvgetspi(): pfkey GETSPI succeeded: ESP/Tunnel 62.160.52.119->10.70.1.100 Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:24:30 +0100 Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n764e1119 daad3630 d773ca44 7d163814 fd735244 bcf3b18a 4c7b78ae 2c3e225d\n1bcdab8f 1a9e3c2f f57e513f fb2add11 073ce657 5bfddfeb f25d0c67 811edbc5\n45848390 3e4b9762 8e1b8ce3 7c639985 3d8cbe40 7089edb4 6fd50f19 47f2256d\n0a39e2d7 ee6ae265 02ea18b7 f057b4e7 18ff5fcc 68f93184 8c95904a 4d93753d\n8361dec0 5365272d 005298e5 7e85860d 3283b3f5 50c31319 7f02ad7d 1a22eab2\na0b073be f6ee8ad1 58420fe6 e1aa6bfb 41c9dbd7 20e0b0f0 382ada9c 6fc3d6a0\n Jan 10 08:15:41 sunnyday racoon: DEBUG: ipsec_doi.c:3374:ipsecdoi_setid2(): use local ID type IPv4_address\n Jan 10 
08:15:41 sunnyday racoon: DEBUG: ipsec_doi.c:3419:ipsecdoi_setid2(): use remote ID type IPv4_subnet\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp_quick.c:206:quick_i1send(): IDci: Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n01000000 0a010364\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp_quick.c:208:quick_i1send(): IDcr: Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n04000000 c0a80100 ffffff00\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 76, next type 10\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 16, next type 4\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 192, next type 5\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 8, next type 5\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 12, next type 0\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:752:oakley_compute_hash1(): HASH with:\n Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n766e76a7 0a000050 00000001 00000001 00000044 01030402 01d84e96 0300001c\n01020000 80010001 80020708 80040001 80050001 80030005 0000001c 02020000\n80010001 80020708 80040001 80050002 80030005 04000014 8cff85b9 59ed4658\nf8bd2bf5 24cba9cb 050000c4 764e1119 daad3630 d773ca44 7d163814 fd735244\nbcf3b18a 4c7b78ae 2c3e225d 1bcdab8f 1a9e3c2f f57e513f fb2add11 073ce657\n5bfddfeb f25d0c67 811edbc5 45848390 3e4b9762 8e1b8ce3 7c639985 3d8cbe40\n7089edb4 6fd50f19 47f2256d 0a39e2d7 ee6ae265 02ea18b7 f057b4e7 18ff5fcc\n68f93184 8c95904a 4d93753d 8361dec0 5365272d 005298e5 7e85860d 3283b3f5\n50c31319 7f02ad7d 1a22eab2 a0b073be f6ee8ad1 58420fe6 e1aa6bfb 41c9dbd7\n20e0b0f0 382ada9c 6fc3d6a0 0500000c 01000000 0a010364 00000010 04000000\nc0a80100 ffffff00\n Jan 10 08:15:41 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): 
hmac(hmac_md5)\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:762:oakley_compute_hash1(): HASH computed:\n Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n9c2c2ffc 9af360c2 8193a055 d306a357\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 16, next type 1\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:2832:oakley_do_encrypt(): begin encryption.\n Jan 10 08:15:41 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:2848:oakley_do_encrypt(): pad length = 8\n Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n01000014 9c2c2ffc 9af360c2 8193a055 d306a357 0a000050 00000001 Known Good Sonicwall TZ130 Settings Known Good Sonicwall TZ130 Settings by nunya biznas on 2005-12-31 17:42:53 +0100 If you have trouble, try removing the connection settings in IPSecuritas, quit the application and start over by creating a New Connection. I do this whenever I hit "Start IPSEC" in IPSecuritas and see "X_SPDDUMP failed: No such file or directory" in the IPSecuritas log or nothing at all in the sonicwall log, (they tend to happen at the same time). I just got a sonicwall tz 170 to work with IPSecuritas on 10.4.3, here are the settings. Omitted items are blank or unchecked. 
------IPSECURITAS-----
:General
host to network / static ip at work
first three numbers of work network plus a zero (192.168.1.0) 24 / ip address of IPSecuritas machine / main / obey / 16
:Phase 1
28000 / mod1024(2) / 3des / sha1
:phase 2
28800 / mod768(1) / des / hmac md5
:id/auth
address / address
preshared secret from sonicwall
:options
ipsec doi / sit_identity_only / initial contact
generate policy / dhcp pass-through / establish ike immediately
------SONICWALL-----
:general
ike using pre-shared secret
groupvpn
your secret here
:proposals
:phase1
group 2 / 3des / sha1 / 28800
:phase2
esp / des / md5 / group 1 / 28800
:advanced
forward packets / 0.0.0.0 / lan
:Client
always / this gateway only / use dhcp
IPSecuritas & Checkpoint VPN-1 Pro R60
IPSecuritas & Checkpoint VPN-1 Pro R60 by perezcr1 on 2006-01-03 19:58:07 +0100
I have managed to connect to the VPN, I can even connect to the VPN web console. But if I try to do a ping or Remote Desktop, the firewall gets the packet but doesn't let it pass. Has anyone been able to work with this configuration? I have OSX 10.4.3 and the latest version of IP Securitas. Any help will be greatly appreciated.
ANN: 10.4.4 Update Broke IPSecuritas 2.1?
ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Lawrence Bean on 2006-01-12 17:33:16 +0100
I have been using IPSecuritas with 5 IPCop firewalls happily for a number of months. Great product. I just this morning installed the 10.4.4 update from Apple. Now when I start IPSecuritas, it says everything is OK and I get green checkmarks, but I get no connectivity. I cannot ping anything on the network. Even more distressing, even with IPSecuritas quit I cannot ping the IPCop firewall at its public address. I can ping the gateway to all 5 buildings, but trying to ping the firewalls results in 100% packet loss.
On another computer right beside this one that does not have IPSecuritas and has never used VPN but is otherwise *exactly* the same, including the 10.4.4 update, I can ping both the gateway and the firewall happily. On this machine, I can ping anywhere else on the network except my five firewall addresses. As it happened to all five firewalls in very physically separated buildings, that pretty much rules out the firewalls being the trouble, and as it works on a computer next to this one, that pretty much rules out the network between here and there, leaving the problem with this machine. My suspicion is that a config file somewhere has blown up, but I'm not sure where to even begin looking. My next step will be an uninstall/reinstall of IPSecuritas. In the meantime, any suggestions of how else to "clean house" would be greatly appreciated.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Flo Wagner on 2006-01-13 11:48:40 +0100
I have the very same problem as Lawrence. After installing the 10.4.4 update I cannot reach any client in the network after establishing an IPSec connection with IPSecuritas 2.1 (the firewall is IPCop, too). Yet, I can ping the firewall when IPSec is stopped. Last entry in the IPCop log is "IPSec SA established". So it may be some kind of routing error?! Any hint would be greatly appreciated. Regards, Flo
Re: 10.4.4 Update Broke IPSecuritas 2.1? by LBean on 2006-01-13 16:13:24 +0100
Update: Complete uninstall of IPSecuritas including pref files followed by reboot set things back to "right" as far as normal, non-VPN functions are concerned. I can now ping the public side of everything and get the firewall web interfaces. Reinstall and reconfiguration of IPSecuritas VPN with certificates to a single firewall gave green checkmarks on both my side and the firewall side. Both logs look correct as a normal establishment of a VPN.
However, no joy being able to ping any device on the remote Green network, even the private side of the firewall, no ability to "lookup" any hardcoded FQDN of a private host in Green, and traceroute to the private side of the firewall times out without yielding any useful information. I am now officially in over my head. Good news: OpenVPN (tunnelblick) is now working where it wasn't before uninstall/reinstall of IPSecuritas.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by cnadig on 2006-01-16 17:32:55 +0100
Hello, I could not find any problems after upgrading to 10.4.4 - but this might be very dependent on the specific configurations used. In order to investigate, could you please give a description of your settings and of your network setup. Also, please supply the output of the following commands while IPSec is running (the green check mark is visible):
sudo setkey -DP
sudo setKey -D
netstat -nr
ifconfig -a
(please replace confidential information like your public IP address with anonymized information). Thanks, Christoph
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Vincent on 2006-01-18 16:04:49 +0100
Hello, I have the same problem since installation of 10.4.4 but the check mark stays red. I deleted the pref file without success. Both setkey commands return nothing. The firewall is CheckPoint/Gateway R60 (NGX) HFA-01. Vincent
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Flo Wagner on 2006-01-18 19:48:01 +0100
Output of the commands is as follows:
[code]$ sudo setkey -DP
0.0.0.0/0[any] 192.168.254.199[any] any
    in ipsec
    esp/tunnel/192.168.254.254-192.168.254.199/require
    spid=1 seq=1 pid=562 refcnt=1
192.168.254.199[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/192.168.254.199-192.168.254.254/require
    spid=2 seq=0 pid=562 refcnt=1[/code]
[code]$ sudo setkey -D
192.168.254.199 192.168.254.254
    esp mode=tunnel spi=1228686566(0x493c44e6) reqid=0(0x00000000)
    E: 3des-cbc [...]
    A: hmac-md5 [...]
    replay=4 flags=0x00000000 state=mature seq=1 pid=566
    created: Jan 18 19:21:34 2006    current: Jan 18 19:23:21 2006
    diff: 107(s)    hard: 28800(s)    soft: 23040(s)
    last: Jan 18 19:23:06 2006    hard: 0(s)    soft: 0(s)
    current: 6832(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 45    hard: 0    soft: 0
    refcnt=2
192.168.254.254 192.168.254.199
    esp mode=tunnel spi=162150579(0x09aa38b3) reqid=0(0x00000000)
    E: 3des-cbc [...]
    A: hmac-md5 [...]
    replay=4 flags=0x00000000 state=mature seq=0 pid=566
    created: Jan 18 19:21:34 2006    current: Jan 18 19:23:21 2006
    diff: 107(s)    hard: 28800(s)    soft: 23040(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    refcnt=1[/code]
[code]$ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.254.254    UGSc        2        5    en1
127                127.0.0.1          UCS         0        0    lo0
127.0.0.1          127.0.0.1          UH         63     6335    lo0
169.254            link#5             UCS         0        0    en1
192.168.254        link#5             UCS         2        0    en1
192.168.254.199    127.0.0.1          UHS         0        0    lo0
192.168.254.254    0:5:5d:a2:de:6     UHLW        5       59    en1   1046[/code]
[code]$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: [...]
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 ****::***:****:****:****%en1 prefixlen 64 scopeid 0x5[/code]
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Olaf Seifert on 2006-01-19 17:11:58 +0100
The same here, since running Mac OS X v.10.4.4. When trying to establish a VPN connection in the usual manner, IPSecuritas 2.1 shows a green checkmark but my Mac can not reach anything behind the IPCop firewall v1.4.10 (ping time-out etc.) ???
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Nick Rutter on 2006-01-19 19:48:11 +0100
I've had the same problem! I was happily using IPsecuritas 2.1 on 10.4.3, on a network using IPsec, and all was well until I updated to 10.4.4.
Now only local things work, and the Windows machines on the network are all still working, so I know that it's me. Other Mac users have suffered the same problem as me. Anybody know how to fix this? Is Apple going to release a fix? Is IPsecuritas going to be updated?
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Chris Haas on 2006-01-19 23:25:21 +0100
On my Mac IPSecuritas is working. On another Mac it's broken. The thing that is different: I did the combo update. On the other Mac it was the delta update. Any exp. with that? Chris
Re: 10.4.4 Update Broke IPSecuritas 2.1? by LBean on 2006-01-20 02:05:49 +0100
>could you please give a description of your settings and of your network setup
I am connecting to an IPCop 1.4.10 firewall from home over cablemodem. Here is the writeup I use to configure IPSecuritas, which has worked fine for months and no changes have been made:
----
In the General tab, set the following:
Mode of Operation: Host to Network
Remote IPSec Device: [firewall IP]
Remote Network: [remote IP/mask]
Local Address: [blank]
Exchange Mode: Main
Proposal Check: Obey
Nonce Size: 16
In the Phase-I tab, set the following:
Lifetime: 28800
DH Group: Mod1536 (5)
Encryption: 3DES
Authentication: SHA1
In the Phase-2 tab, set the following:
Lifetime: 28800
PFS Group: Mod1536 (5)
Encryption: check "3DES" and "AES 128", uncheck all others
Authentication: check "HMAC SHA1", uncheck all others
In the ID/Auth tab, set the following:
FIRST: select "Certificates" at the bottom, change Local: to the name of your private certificate, change Remote from "Check CA" to the name of the building
SECOND: above, set both "Local Identifier" and "Remote Identifier" to "Certificate"
In the Options tab, check everything EXCEPT Passive and Auto-Start
Click OK
When you want to connect, click "Start IPSec". If all was done correctly, after a few moments, the red X should change to a green checkmark.
You can now use your remote computer on the school network just as though you were at school.
----
I do get the green checkmark, and the IPCop also shows a connection successfully made. I'm told my message is too long, so I will post output separately.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by LBean on 2006-01-20 02:06:23 +0100
>please supply the output of the following commands while IPSec is running
>(the green check mark is visible)
>sudo setkey -DP
"*" used to mask real numbers, but all numbers are correct. My local address is assigned dynamically by RoadRunner, so I left it as is.
192.168.*.*/*[any] 24.198.95.95[any] any
    in ipsec
    esp/tunnel/*.*.*.*-24.198.95.95/require
    spid=1 seq=1 pid=284 refcnt=1
24.198.95.95[any] 192.168.*.*/*[any] any
    out ipsec
    esp/tunnel/24.198.95.95-*.*.*.*/require
    spid=2 seq=0 pid=284 refcnt=1
> sudo setKey -D
24.198.95.95 *.*.*.*
    esp mode=tunnel spi=1437978041(0x55b5cdb9) reqid=0(0x00000000)
    E: 3des-cbc 9c637e10 e4be7f47 ef9ddde9 def83280 036657ba 8b29c7a1
    A: hmac-sha1 92d7e0ab d08d7b87 ce0a09f0 5fb22b4e 46988358
    replay=4 flags=0x00000000 state=mature seq=1 pid=288
    created: Jan 19 19:33:17 2006    current: Jan 19 19:55:09 2006
    diff: 1312(s)    hard: 28800(s)    soft: 23040(s)
    last: Jan 19 19:36:44 2006    hard: 0(s)    soft: 0(s)
    current: 4080(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 30    hard: 0    soft: 0
    refcnt=2
*.*.*.* 24.198.95.95
    esp mode=tunnel spi=191312427(0x0b67322b) reqid=0(0x00000000)
    E: 3des-cbc 842f4747 51ce44f1 3aaa2acd 401eb533 8d00d4a6 9c53aaf7
    A: hmac-sha1 ca79cf33 f049c230 be103704 b7f96b4a 56c5d5d0
    replay=4 flags=0x00000000 state=mature seq=0 pid=288
    created: Jan 19 19:33:17 2006    current: Jan 19 19:55:09 2006
    diff: 1312(s)    hard: 28800(s)    soft: 23040(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    refcnt=1
>netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            24.198.80.1        UGSc       15      105    en1
24.198.80/20       link#5             UCS         2        0    en1
24.198.80.1        0:5:74:f2:90:8c    UHLW       15        0    en1   1200
24.198.93.26       0:a:95:72:b:b4     UHLW        1        9    en1
24.198.95.95       127.0.0.1          UHS         0        0    lo0
127                127.0.0.1          UCS         0        0    lo0
127.0.0.1          127.0.0.1          UH         10     1969    lo0
169.254            link#5             UCS         0        0    en1
Re: 10.4.4 Update Broke IPSecuritas 2.1? by busta on 2006-01-20 15:06:29 +0100
Same problem here, just installed IPSecuritas 2.1 under Mac OS X 10.4.4 and it isn't working. I don't seem to get much log output either. Sometimes it logs, and sometimes it doesn't. If I use VPN Tracker it works OK. I'm connecting to a Zywall 70.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by LBean on 2006-01-28 20:42:31 +0100
RE: Chris Haas and 10.4.4 combo. I just installed the 10.4.4 combo update over my current 10.4.4, but no change. Still green checkmarks and both ends log a good connection, but pings are 100% packet loss and traceroute shows nothing. Chris, did you use the 10.4.4 combo to update 10.4.3? Are you connecting to IPCop? If so, could you post your IPSecuritas settings and prefs and IPCop settings so I could compare for differences?
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Trevor Baker on 2006-01-29 21:57:31 +0100
Hi, Like other posters, I have the same problem since updating OS X to 10.4.4 (using the combo updater). Thinking that I had messed up, I re-installed OS X from the original media and used Software Update to bring myself back up to 10.4.4. Nothing has changed on my IPCop box, nor my IPSecuritas configuration. The only change has been updating from 10.4.3 to 10.4.4. I use my VPN to secure my wireless connection (IPCop blue interface) to the LAN and Internet (Host to Anywhere). When the VPN is not started, I can ping the WLAN interface on my access point (10.0.1.3), the Blue interface on my IPCop box (10.0.1.1) and the Green interface (10.0.0.1). When started, I can ping the access point (10.0.1.3), but cannot ping anything else on my network/Internet. Both IPSecuritas and my IPCop box register an open VPN but no traffic can pass.
I have been able to verify the IPCop side with another (wired) workstation. I am including my results from the terminal commands asked for by cnadig.
sudo setkey -DP
10.0.1.1[any] 10.0.1.10[any] any
    in none
    spid=1 seq=7 pid=224 refcnt=1
0.0.0.0/0[67] 10.0.1.10[any] any
    in none
    spid=3 seq=6 pid=224 refcnt=1
0.0.0.0/0[68] 10.0.1.10[any] any
    in none
    spid=5 seq=5 pid=224 refcnt=1
0.0.0.0/0[any] 10.0.1.10[any] any
    in ipsec
    esp/tunnel/10.0.1.1-10.0.1.10/require
    spid=7 seq=4 pid=224 refcnt=1
10.0.1.10[any] 10.0.1.1[any] any
    out none
    spid=2 seq=3 pid=224 refcnt=1
10.0.1.10[67] 0.0.0.0/0[any] any
    out none
    spid=4 seq=2 pid=224 refcnt=1
10.0.1.10[68] 0.0.0.0/0[any] any
    out none
    spid=6 seq=1 pid=224 refcnt=1
10.0.1.10[any] 0.0.0.0/0[any] any
    out ipsec
    esp/tunnel/10.0.1.10-10.0.1.1/require
    spid=8 seq=0 pid=224 refcnt=1
sudo setkey -D
No SAD entries.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Trevor Baker on 2006-01-29 21:59:49 +0100
Sorry, I forgot to close my previous post. Thank you for looking at my post, I hope my information will be helpful in solving our problem. Trevor
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Chris Haas on 2006-02-09 09:17:40 +0100
I noticed that the problem only exists if the IP address of the Mac is an "official" IP address and so the IP address of the Mac is one end of the tunnel. If I establish a tunnel when my Mac is behind a NAT router (and so it has a private IP address) I can get traffic through the tunnel. I tested it with 2 different Macs, all with 10.4.4. Chris
Re: 10.4.4 Update Broke IPSecuritas 2.1 WORKAROUND by LBean on 2006-02-10 14:11:15 +0100
I can verify this! I just set my Airport base station to "share a single IP address using dhcp and nat" and my IPSecuritas worked perfectly. I went back to having my base station as a "dumb hub" only and although I still get the green connection checkmark I cannot connect to nor ping anything on the remote network.
Back to DHCP/NAT on the Airport, and I am pinging, connecting to servers, and using Remote Desktop. Now the BIG QUESTION .... *WHY*??? And what about those poor souls who do not have an Airport base station to carry around in their front pocket? Does anyone from Lobotomo participate in this list? I've sent two emails to their support address simply asking if they were aware of this thread, but never got any reply, not even just a simple "yes" or "no".
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Erik Meitner on 2006-02-13 20:41:09 +0100
We have also run into this problem. Connecting to a Netscreen 5GT worked great for our Macs until we updated them to 10.4.4. The Netscreen reports that the phase-2 negotiations could not complete because there were no acceptable phase-2 proposals. The exact same VPN configuration works fine on non-10.4.4 Macs. The log shows the following after the VPN is brought up:
Feb 13 13:19:41 Horse-with-no-name-3 racoon: ERROR: isakmp_inf.c:847:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 13 13:19:41 Horse-with-no-name-3 racoon: DEBUG: isakmp_inf.c:869:isakmp_info_recv_n(): notification message 14:NOPROPOSAL-CHOSEN, doi=1 proto_id=1 spi=0b57ba623078e122 279132308d30c6b6 (size=16).
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Erik Meitner on 2006-02-13 21:05:03 +0100
And in addition to my post above: The generated racoon and setkey configs do not differ at all between our Macs that work and those that don't (10.4.4).
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Jeremy cooke on 2006-02-14 12:35:46 +0100
I experienced the same problem and searched the web for a solution. I am NON technical and didn't understand half of what was being said. Remote connection for me was critical, so I decided to look for another VPN client solution, connecting to an Exchange server. I downloaded and installed the 30 day demo of VPN Tracker and failed to configure it properly because it's way above my expertise.
BUT guess what, almost immediately my IPSecuritas connection came to life on a hard wire connection and on the built in Airport. Don't know why or how but that's what happened. I guess it's bad news for VPN Tracker sales, but hey, it did it for me.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Erik Meitner on 2006-02-14 16:51:14 +0100
I tried the VPN Tracker demo on the same 10.4.4 box that IPSecuritas does not work on. VPN Tracker worked fine. As I understand it, it does not use the BSD native 'racoon' IKE daemon so it is no surprise that it works. I manually configured racoon and tried to establish a VPN. Phase-2 negotiations still fail. This is a known good configuration. I tried reconfiguring the VPN for various phase-2 authentication and encryption types with no success. Apple broke something. I think we need to just wait for them to fix it.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by mrfett on 2006-02-14 20:21:09 +0100
[quote author=Jeremy cooke link=1137083596/15#19 date=1139916946]I downloaded and installed the 30 day demo of VPN Tracker and failed to configure it properly because it's way above my expertise. BUT guess what, almost immediately my IPSecuritas connection came to life on a hard wire connection and on the built in Airport.[/quote]
Wait, you just installed this app and IPSecuritas started working? I know my issue is a little different than the one discussed here, but I'll give that a shot...
Re: 10.4.4 Update Broke IPSecuritas 2.1? by cnadig on 2006-02-14 22:04:56 +0100
Hello all, thank you very much for your logs and other hints - they helped a lot in tracking down the problem. There were indeed a lot of changes in racoon (the IKE daemon, responsible for the key exchange and some part of kernel configuration for IPSec) between 10.4.3 and 10.4.4. Unfortunately, these changes make it necessary for us to supply a new version of IPSecuritas which includes its own, working version of racoon, which will take one or two more days.
We're very sorry for all inconveniences! The new version will be labeled 2.2 and will be announced through the usual channels (www.versiontracker.com, www.lobotomo.com). Thanks again, Christoph (Lobotomo Software)
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Trevor Baker on 2006-02-15 02:38:28 +0100
Hi, There's an update to Mac OS X (10.4.5) using Software Update. This fixed my issue with IPSecuritas. Thanks, Trevor
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Flo Wagner on 2006-02-15 12:31:45 +0100
Thanks Trevor, installing the 10.4.5 update did it for me, too. And thanks anyway to Christoph for his assistance! Cheers, Flo
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Vincent on 2006-02-17 14:03:27 +0100
I installed Combo 10.4.5 and no change. I rebuilt the preference file. I have "IPSec started" but the red X stays. No green check.
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Erik Meitner on 2006-02-17 19:17:26 +0100
I can verify that the 10.4.5 update did fix the problem.
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by yon on 2006-02-17 20:23:44 +0100
I am using 10.4.5 and I can't get an IP address from IPCop behind the VPN. Any ideas? My setup looks like the normal IPCop/IPSecuritas setup.
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by xdavid on 2006-02-19 09:57:59 +0100
Another confirmation: 10.4.5 fixed it. From the update release notes: "... includes general operating system fixes, as well as specific fixes for the following applications and technologies: ... -VPN connections to Cisco servers when using NAT" Interestingly, I thought this was a misleading note since I only got a problem when I was on a public IP and it worked fine behind a NAT router (Netgear). However, on further analysing where it worked and where it did not, my 'public' IPs were all dynamically assigned by the ISP, whereas the LANs where I was behind a NAT router actually had a static external IP assigned to them.
This suggests to me that there was more of a general routing bug in 10.4.4 than just NAT. This was the specific error in the logs where it broke down and would not complete phase 2 negotiations (although it seemed to get a fair way through them)...
Feb 18 13:27:09 Redpaw racoon: DEBUG: isakmp.c:1831:isakmp_ph2resend(): resend phase2 packet dd03679ef51ce26e:ff15187961a5d0bf:2279bb6f
Feb 18 13:27:09 Redpaw racoon: ERROR: isakmp.c:196:isakmp_handler(): the length of the isakmp header is too big.
Feb 18 13:27:11 Redpaw racoon: ERROR: isakmp.c:183:isakmp_handler(): packet shorter than isakmp header size.
Anyway, all better now with the 10.4.5 update. ;D Thanks Lobotomo for your continued support for IPSecuritas. I hope my small contribution to your tip-jar allows you to continue your great work for the Mac community! -david
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Brian Reed on 2006-03-01 19:11:15 +0100
IPSecuritas 2.1 and Mac OS 10.4.5 is NOT working for us
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Vincent on 2006-03-01 21:33:28 +0100
[quote author=Brian Reed link=1137083596/15#29 date=1141236675]IPSecuritas 2.1 and Mac OS 10.4.5 is NOT working for us[/quote]
I overrode the /usr/sbin/racoon file with the 10.4.3 version and it's OK. I don't know why...
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Trevor Baker on 2006-03-02 01:40:58 +0100
Hi, Just thought I'd drop a quick note. The Apple security update breaks the 10.4.5 "fix" again. VPN is down. According to Apple this update fixes an IPSec issue with regards to remote DoS attacks. The blurb from Apple's site follows. BTW, how's the update for IPSecuritas coming? <grin> I'll gladly be a tester if you like. Also, Vincent, where can one find /usr/sbin/racoon from 10.4.3?
Trevor

----------------------------------Taken from docs.apple.com--------------------------

IPSec
CVE-ID: CVE-2006-0383
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5
Impact: Remote denial of service against VPN connections
Description: Incorrect handling of error conditions for virtual private networks based on IPSec may allow a remote attacker to cause a service interruption. This update addresses the issues by correctly handling the conditions that may cause crashes. Credit to OUSPG from the University of Oulu, NISCC, and CERT-FI for coordinating and reporting this issue.

Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Vincent on 2006-03-02 02:28:52 +0100

Hi Trevor, I tried Update 2006-001 without success. I had installed 10.4 and Combo 10.4.3 on an external disk to obtain racoon. Vincent

Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Flo Wagner on 2006-03-20 14:13:27 +0100

The Security Update did break my setup again, too. But if 10.4.5 worked for you, you can simply extract the racoon executable from the 10.4.5 Combo Update, available here: http://www.apple.com/support/downloads/macosxupdate1045combo.html. Mount the .dmg and choose 'Show package content' from the context menu of the .pkg file. Next unpack 'Archive.pax.gz' from the Content subdir of the package. Then just overwrite /usr/sbin/racoon with the one you just extracted (you must be root to do that). You can always revert to the latest racoon version by simply installing 'Security Update 002' (http://www.apple.com/support/downloads/securityupdate2006002v11macosx1045ppc.html). Regards, Flo

P.S.: Do this at your own risk. I won't take any liability for damage (e.g. your Mac explodes or something ;)). Also be careful when working as root, as one can easily break some vital system files.

Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1?
by Trevor Baker on 2006-04-04 01:38:10 +0200

Hi Gang, The new OS X Tiger update, 10.4.6, again restores IPSecuritas functionality. Just wanted to let everyone know. Any news on the update to 2.2 for IPSecuritas? Thanks, Trevor

Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Vincent on 2006-04-04 11:55:46 +0200

No success for me with 10.4.6 and CheckPoint NGX. Sometimes it works with the 10.4.3 image of /usr/sbin/racoon. Vincent

Local Address with Sonicwall by rtl on 2006-01-19 04:22:30 +0100

Hi, I've been trying to get IPSecuritas 2.1 working with a Sonicwall TZ150. It failed during Phase 2 with the following message... "IKE Responder: No match for proposed remote network address" I was able to resolve the issue by setting a remote address of 192.168.45.0 in the Sonicwall SA and setting my local address in IPSecuritas to 192.168.45.5, but I've never had to enter a local address for the settings I've used for Netscreen firewalls. Are there other Sonicwall/IPSecuritas users who have had this problem and been able to resolve it? I've tried some of the setups listed on the boards that say they work, but have not been able to get anything going until I added the local address setup. Thanks!

How to export a certificate that can go in to CM? by GrandPA on 2006-02-01 23:26:33 +0100

Is there anyone who can tell me how to export a certificate (self-signed) from the Mac to one that's accepted by IPSecuritas?

Unable to Browse Network - BEFSX41 by mrfett on 2006-02-06 21:44:34 +0100

I'm trying to use IPSecuritas to connect to a Linksys BEFSX41 running 1.52.9 firmware. My Mac is running OS X 10.4.4. I can successfully make a connection (I get a green checkmark) but I am unable to see any of the machines on the network. When I try to ping a machine, the message is "no route to host". Can anyone offer some advice? I'm using 3DES and SHA if that makes any difference. Thank you.
Re: Unable to Browse Network - BEFSX41 by mrfett on 2006-02-15 18:45:50 +0100

10.4.5 didn't help me, just FYI.

Re: Unable to Browse Network - BEFSX41 by yves_kayak on 2006-03-05 20:17:29 +0100

Hello, If you get the green light and get a "no route to host" error, I think your remote network config is wrong. Edit your configuration. In the General tab, check the "remote network" field. (If you're not sure, the network admin will provide you this information). Also, check the other field on that line, the number of bits in mask. If your mask is 255.255.255.0, use 24 bits; if your mask is 255.255.0.0 use 16 bits. Hope this helps, Yves

Re: Unable to Browse Network - BEFSX41 by mrfett on 2006-03-24 17:22:58 +0100

Forgot to thank you for the advice. Unfortunately, that config tip didn't help either. I've gone over all the instructions pretty thoroughly, and can't see what the issue could be. But thanks for the help.

Starting IPSec from command line by Peer Sandtner on 2006-02-08 20:57:43 +0100

How can I start/stop IPSec from the command line? It seems that IPSecuritas is not scriptable. But perhaps there are other solutions out there. Thanks, Peer

Connecting to IPCOP IP Address (DHCP) Problem by boblee on 2006-02-16 04:54:00 +0100

I am running OS X 10.4.5, and I am having the same issue with 10.4.4. When connecting to IPCOP VPN I do not seem to get an IP address from IPCOP via DHCP. In fact, I don't seem to have an IP address at my work's internal network at all. Am I supposed to be getting an IP via DHCP from IPCOP? It's set up to give out addresses, and when I plug in my laptop at work I get an address. Once I am connected through the VPN I can connect to pretty much any machine in my work's network, but every connection comes from my home's private IP.
For example, if I ssh to one of our servers at its internal address of 192.168.1.158 and I check to see where I am connected from, it'll show my home's NAT, so it would look something like 10.1.1.101. Any ideas? I'd like to get a private IP from IPCOP via DHCP just like I do when I plug in my laptop at work.

Re: Connecting to IPCOP IP Address (DHCP) Problem by Stephen on 2006-02-17 20:21:17 +0100

Are you supposed to get an IP from the VPN with IPSecuritas? So your system has 2 IPs????

Re: Connecting to IPCOP IP Address (DHCP) Problem by yon on 2006-03-10 23:45:59 +0100

I have the same problem with 10.4.5. Any solution??

IPSecuritas Working with Windows Server RRAS by Jack Valko on 2006-02-16 08:16:06 +0100

Has anyone gotten IPSecuritas to connect to a Windows 2003 Server running RRAS?

Universal Binary by Andreas Ley on 2006-02-20 02:06:30 +0100

Hey there. IPSecuritas rules - thanks for that! I'm a proud owner of an Intel-based iMac, and as such I prefer using native binaries (mostly for speed issues). But, for the record, everything works completely fine under Rosetta, using either 10.4.4 or 10.4.5. As far as I understand, IPSecuritas is a GUI for the built-in "racoon" of MacOS X, so the speed of the actual IPSec connection isn't affected by IPSecuritas being PowerPC only. Since that may change with version 2.2, I was wondering if I could provide any help to make IPSecuritas a universal binary. I can do some compiles and tests, but my coding skills are below average. :) Also, I had a few ideas concerning interface enhancements (with some additional icons, if you'd welcome that). Is it ok to drop you a mail with an example? Thanks for the great work; keep it up!

PS: I tried to register, but I couldn't get the forum script to actually send me a mail in 15 minutes. But maybe it'll get to me later.
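The "green checkmark but no route to host" symptom in the BEFSX41 thread above comes down to whether the remote network and mask-bits entered in the General tab actually cover the hosts you are trying to reach, since racoon only installs a tunnel policy for that selector. The following checker is an added example written for this page (it is not IPSecuritas or Lobotomo code and does not read IPSecuritas's own files): it converts a dotted mask to the bit count yves_kayak describes, rejects a non-contiguous mask, warns when a host address was typed where the network address belongs or when the client's own address falls inside the remote range, and lists which target hosts the selector covers. The sample addresses in the `__main__` section are constructed from values quoted in the IPCop thread.

```python
import ipaddress


def mask_to_bits(mask: str) -> int:
    """Translate a dotted-quad netmask into the "bits" field IPSecuritas asks for:
    255.255.255.0 -> 24, 255.255.0.0 -> 16.  A mask whose one-bits are not
    contiguous (e.g. 255.255.0.255) is an entry error, so it is rejected."""
    value = int(ipaddress.IPv4Address(mask))
    bits = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF:
        raise ValueError(f"not a contiguous netmask: {mask}")
    return bits


def remote_network(address: str, mask_or_bits) -> ipaddress.IPv4Network:
    """Build the phase 2 selector from the General tab values.  The second
    argument may be a bit count ("24" or 24) or a dotted mask ("255.255.255.0")."""
    text = str(mask_or_bits)
    bits = int(text) if text.isdigit() else mask_to_bits(text)
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length out of range: {bits}")
    # strict=False lets a host address such as 192.168.1.5/24 through;
    # check_selector() reports it as a warning instead of failing hard.
    return ipaddress.IPv4Network(f"{address}/{bits}", strict=False)


def check_selector(local_address: str, remote_address: str, remote_mask, hosts):
    """Report which target hosts the configured remote network covers.

    Returns a dict with the normalised network, warnings about the entry
    itself, and the covered / not_covered host lists."""
    net = remote_network(remote_address, remote_mask)
    local = ipaddress.IPv4Address(local_address)
    warnings = []
    if ipaddress.IPv4Address(remote_address) != net.network_address:
        warnings.append(
            f"remote network {remote_address} is a host address; "
            f"the selector that will be installed is {net}")
    if local in net:
        warnings.append(
            f"local address {local} lies inside {net}; overlapping ranges are a "
            f"classic reason a tunnel comes up while hosts stay unreachable")
    covered, not_covered = [], []
    for host in hosts:
        (covered if ipaddress.IPv4Address(host) in net else not_covered).append(host)
    return {"network": str(net), "warnings": warnings,
            "covered": covered, "not_covered": not_covered}


if __name__ == "__main__":
    # Constructed input: home NAT address and the work server quoted in the
    # IPCop thread, plus one host deliberately outside the configured range.
    report = check_selector("10.1.1.101", "192.168.1.0", "255.255.255.0",
                            ["192.168.1.158", "192.168.2.10"])
    print(report["network"])
    for line in report["warnings"]:
        print("warning:", line)
    print("covered:", report["covered"])
    print("not covered (no tunnel policy):", report["not_covered"])
```

Hosts listed under `not_covered` will never match the tunnel policy, so packets to them leave through the normal default route or fail; a wrong bit count (16 typed as 24, say) shows up as the second half of the remote LAN landing in that list.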
Re: Universal Binary by cnadig on 2006-02-21 23:40:37 +0100

Hello Andreas, thank you very much for your feedback - certainly I'd like to receive all of your proposals, please just send me an e-mail to lobotomo@lobotomo.com. I will start to port IPSecuritas 3.0 (which at the moment is in beta testing, soon a public beta will be released) to the new Intel architecture as soon as I can get hold of an Intel machine for a few days. Cheers, Christoph

checkpoint office mode IKE over TCP by Yitz Jacob on 2006-02-21 10:34:21 +0100

I use checkpoint's secureclient (username & password, office mode, and IKE over TCP being the only real configuration settings). Does this translate into something that can be configured in ipsecuritas..? I would really love to use my ibook to do my work rather than my pc.. thanks :) yitz

Sonicwall TZ170 by w_grace on 2006-02-21 13:08:46 +0100

Hello, I am trying to get connected to a Sonicwall TZ170 and I am getting the following;

Feb 21 11:54:42 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.

Verify Identifier is not selected and I have set the Remote Identifier to the IP address of the Sonicwall; both these suggestions I have seen in relation to this error. Any ideas?

Re: Sonicwall TZ170 by w_grace on 2006-02-21 17:42:33 +0100

I get the same thing with VPN Tracker, and they suggest going back to the Default settings on the Sonicwall, but that would kill other clients that are logging in OK. This is the only Mac Client I have and I get the following all the time.

Phase-1 Group 1 3DES MD5 28000
Phase-2 ESP 3DES MD5

Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:31:54 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:32:04 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait.
Feb 21 16:31:54 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:32:04 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait.
Feb 21 16:33:49 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:33:49 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:34:10 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:34:19 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait.
Feb 21 16:34:10 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:34:19 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait.

Any help would be great. Thanks, due

Watchguard Firebox Edge: USER_FQDN ID? by jmaynard on 2006-02-24 04:56:44 +0100

I'm trying to get IPSecuritas running with a Watchguard Firebox Edge X5. I know it can do IPSec, because it's talking with VPN Tracker. Unfortunately, I can't get it to work with IPSecuritas. The problem is that the local identifier needs to be a USER_FQDN string, and I can't see how to set that in IPSecuritas. The underlying racoon config file has it as a valid my_identifier type, but I can't see where IPSecuritas is keeping its racoon.conf so I can see if it'll work at all. Can I get there from here?
Re: Watchguard Firebox Edge: USER_FQDN ID? by DDA on 2006-02-25 04:18:03 +0100

You can indeed get there from here; simply select DN for the Local Identifier in the Id/Auth page and fill it in with username@domain.com (or even just @domain.com) and IPSecuritas will send a USER_FQDN ID.

Re: Watchguard Firebox Edge: USER_FQDN ID? by jmaynard on 2006-02-25 05:19:23 +0100

[quote author=DDA link=1140753404/0#1 date=1140837483]You can indeed get there from here; simply select DN for the Local Identifier in the Id/Auth page and fill it in with username@domain.com (or even just @domain.com) and IPSecuritas will send a USER_FQDN ID. [/quote]

Nice...except for one problem: it needs to be tagged as a USER_FQDN, but it's just a user name with no @ or domain name attached. Is there a way I can force it to USER_FQDN without that?

Re: Watchguard Firebox Edge: USER_FQDN ID? by DDA on 2006-02-25 17:35:28 +0100

I believe if you put an @ in front of it, it will be sent as a USER_FQDN. So if it would normally be "myusername", try "@myusername". From the help:

[i]2. Domain Name (DN): This can either be a fully qualified distinguished name (FQDN, e.g. lobotomo.com) or a user fully qualified distinguished name (USER_FQDN, e.g. user@lobotomo.com). Normally, IPSecuritas determines the type itself (i.e. if there is a @ character in the name it's automatically considered a USER_FQDN. If you want to force IPSecuritas to always send the consider the identification as USER_FQDN, prepend one @ character in front of the FQDN, e.g. @lobotomo.com)[/i]

I don't know if this will send the @ or just force it to say it is a USER_FQDN but give it a try! :-)

Re: Watchguard Firebox Edge: USER_FQDN ID? by jmaynard on 2006-02-25 22:15:18 +0100

[quote author=DDA link=1140753404/0#3 date=1140885328]If you want to force IPSecuritas to always send the consider the identification as USER_FQDN, prepend one @ character in front of the FQDN, e.g. @lobotomo.com)[/quote]

It didn't work.
I tried it with the @ both before and after the user name. I think it's sending the @ while flagging it as a USER_FQDN. The help quoted seems to say that you can send a domain name as USER_FQDN. I need to send the user ID with no domain name or @ attached, as a USER_FQDN.

Netscreen 5XP login issues by Derek on 2006-02-27 16:58:54 +0100

I can connect from home to my Netscreen 5XP at work but I can only see a few Macs as active using Apple Remote Desktop. Most of them are NOT visible. I can't even ping them. Any hints?

Re: Netscreen 5XP login issues by TZ on 2006-03-30 20:40:09 +0200

Review your netscreen policies, there should be something there... ;)

Anyone using IPSecuritas/Mac OS X/Checkpoint VPN-1 by Jack sellers on 2006-02-28 01:53:42 +0100

I was told by someone at Checkpoint that IPSecuritas works connecting a Mac running Panther or Tiger to a network running CheckPoint VPN-1. Is there anyone out there who can help me?

Re: Anyone using IPSecuritas/Mac OS X/Checkpoint V by Rolf Schmerder on 2006-03-05 17:43:11 +0100

Hi Jack! Yes - it can...or should I say ...under certain circumstances? I had a connection running from my iBook with Tiger 10.4.x to our company LAN being protected by CP-VPN-1 NGX. Unfortunately right now, after an update (my iBook to 10.4.5), it doesn't work anymore. But I could give you my config screenshots if you give me your email address. Greets Rolf, Hamburg - Northern Germany

Re: Anyone using IPSecuritas/Mac OS X/Checkpoint V by Paul Donovan on 2006-03-05 18:55:30 +0100

I'm unable to get IPSecuritas 2.1 to connect to a CheckPoint VPN-1 network either. I'm running 10.4.5. I can connect successfully using the demo of VPN Tracker 4.6 but the demo has an extremely annoying 3 minute timeout so I downloaded IPSecuritas. I've only been using VPN since yesterday so I'm new to all this!
If you could give me the settings that used to work I can try those and see if I can get anywhere. I have a Mac mini still running 10.4.4 that I can test on too. Thanks a lot, Paul (paul at donovansbrain dot co dot uk)

10.4.5 giveth, Security 2006-001 taketh away by Lawrence Bean on 2006-03-02 17:12:55 +0100

Saw IPSec listed in this Security Update released today by Apple, so I cloned to a non-critical machine and tested. Same issue as with 10.4.4, but worse. The NAT work-around works, so if your client running IPSecuritas is behind a natted device and running in the 10.x.x.x, 192.x.x.x, or 172.x.x.x ranges it works. In the 10.4.4 trouble with a public address, I could get general internet but could not ping/connect to the private network. Now in 10.4.5 with Security Update 2006-001 applied and "Replace DNS ..." checkmarked, in addition to not being able to ping/connect to the private network, I cannot get general internet services.

Additional info: The client shows a green checkmark, and the IPCop firewall shows an open connection with the client. It appears I can ping public IPs by IP address. It appears I can look up FQDNs and get their IP addresses. I cannot ping the FQDN, though, and it times out with "could not resolve host". I cannot ping the private network by IP address or FQDN, neither on the inside private addresses, nor on the outside public address(es). I cannot get any http, https, ftp, or ssh connections by FQDN. I can get ftp and ssh by IP address. I seem to begin to load a web page by IP address, i.e. I get the name of the page in the browser header, but loading stalls before the page renders and I get a "You are not connected to the Internet" error. If I go to IPSecuritas Preferences and uncheck "Replace DNS ...", this solves all the general internet trouble and web, ftp, ssh are all back to normal, but still no ping to the private network on the inside or the outside addresses.
I'd be happy to provide any further info and run any further tests that the Lobotomo team would like, including alphas and betas. Just ask.

Connection lost with SonicWall PRO 230 by Yves Forget on 2006-03-05 18:04:54 +0100

Hello everyone, I'm using IPSecuritas to connect to a SonicWall PRO 230 firewall/VPN Server. It *does* work, but I lose the VPN connection every 10 minutes or so. I have a Linksys BEFSR41 router on the client side, I don't know if it's part of the problem. When I use VPN Tracker 3 as the VPN Client it works fine. (on the same Mac, connecting to the same server)

Re: Connection lost with SonicWall PRO 230 by Yves Forget on 2006-03-05 18:07:32 +0100

I'm on a PowerMac G5 with Mac OS X 10.4.5. Did anyone experience something similar? Thanks! yves

Re: Connection lost with SonicWall PRO 230 by Tom Komadowski on 2006-06-07 20:00:17 +0200

It's dropping you because of the dead peer detection. Turn that off on the client and on the sonicwall and you will be fine.

Re: Connection lost with SonicWall PRO 230 by yves_kayak on 2006-10-07 04:40:15 +0200

Hi everyone, A couple of months after posting this question, we found the problem! I connect to work using the VPN. Many of my work colleagues have routers too, and local IP addresses set by the router's DHCP are often the same: 192.168.1.100. If someone is connected with that address and someone else comes in with the same (local) IP address, the user that was logged on is kicked out. Those who don't have a router are connecting with their Internet IP address, which is obviously unique, so the problem only happens for people having routers (or a really messy configuration...) In a small business, users can manage to use different local IP addresses (easily set in your router's config). Our VPN server (SonicWall Pro 230) can be set to provide DHCP addresses to users of the VPN, but see my post regarding that one....
Hope this may help, Yves Forget

IPSecuritas to IPSecuritas in a server config? by Matt Warren on 2006-03-08 22:40:47 +0100

This seems like it should be obvious, but I've yet to find docs or info on it. I'd like to set up a host to network VPN with IPSecuritas at both ends. Is this possible? I'm looking to get access to my home network from various public locations. I assume the client is set up as Host to Network. But what's a proper setup for the "server" end of things? And what ports would I forward on the home network's router? I've found all kinds of info on connecting to other devices, but little to none on connecting to IPSecuritas itself.

Intel Mac minor problem by jmaynard on 2006-03-10 15:34:34 +0100

I've got a shiny new MacBook Pro. IPSecuritas runs and VPNs, but there's one minor problem: the status icon next to the connection name is always blank, making it somewhat difficult to tell if the VPN link is actually up. I suspect this is just a matter of building a universal binary. Any idea when that might happen?

Netgear DG834GB <- Connect to ? by sukram33 on 2006-03-10 17:02:09 +0100

Hi, has anyone experience with the Netgear DG834GB? I am trying to connect to this router, but do not succeed ... anyway, I do not really understand what I am doing ... ??? Here is my configuration: In the office: router DG834GB, dyndns host name (dynamic IP address), using NAT with local IP range. At the remote location there is also a router with NAT and I forwarded ESP and UDP port 500 (router is an AVM Fritz box). Has anyone perhaps experiences with a connection between IPSecuritas and the Netgear DG834GB router with both sides using dynamic IP addresses? thanks markus

Re: Netgear DG834GB <- Connect to ? by tghewett on 2006-04-10 13:01:30 +0200

I now have the DG834 router connecting with IPSecuritas. The DG834 VPN service only responds to the IP address on the ADSL port, i.e.
the one usually negotiated with the ISP. If you set the IPSecuritas Remote IPSec Device value to the LAN IP address of the DG834, it won't work.

Recommend a VPN router for home use by eullman on 2006-03-15 01:04:09 +0100

Greetings. My Netgear WGR614 at home has died, and I'm looking to replace it with a router that offers VPN client access from Tiger/IPSecuritas and Win XP (built-in). I don't need Wi-Fi, and I'd like to spend less than $150 if possible. QoS is not required, but would be an added benefit. Anyone care to offer a recommendation? Thanks in advance, Eric

Re: Recommend a VPN router for home use by DDA on 2006-03-17 03:57:05 +0100

Netgear FWG114Pv2 will do 2 IPSec tunnels, WPA2 and has a USB printserver port. I don't know if it will do PPTP (the WinXP VPN stuff) but it works fine with IPSecuritas (PSK so far). Around $100 at NewEgg.

Netscreen to Dlink VPN by Kev on 2006-03-16 06:43:37 +0100

Has anyone managed to get a Dlink VPN router DI804 to talk to a Netscreen using IKE? I am getting a "Received incorrect ID payload: ID type mismatch" from the debug but I can't work out what is going wrong. It looks like the peer id is wrong but I can't find where to set it on the Dlink. There is also nothing on the Netscreen knowledge base about setting up VPNs to third party routers. Any help would be appreciated. Kev. ???

Another user trying to match VPN Tracker settings by Phil Delaney on 2006-03-22 21:07:49 +0100

Hi, I've checked google and these forums, I'm trying to connect using IPSecuritas 2.1 on OSX 10.4.5 through a SonicWall 2040 Pro.
The log says:

Mar 20 23:28:33 pd-pb IPSecuritas: Parsing configuration
Mar 20 23:28:33 pd-pb IPSecuritas: Setting up racoon.conf
Mar 20 23:28:33 pd-pb IPSecuritas: Setting up setkey.conf
Mar 20 23:28:33 pd-pb IPSecuritas: Setting up psk.txt
Mar 20 23:28:33 pd-pb IPSecuritas: Setting up tunnel.conf
Mar 20 23:28:33 pd-pb IPSecuritas: Parsing configuration done
Mar 20 23:28:34 pd-pb IPSecuritas: Starting racoon...
Mar 20 23:28:34 pd-pb IPSecuritas: Racoon is running
Mar 20 23:28:34 pd-pb IPSecuritas: Set kernel keys

but I do not get a tunnel/connection - and there is a red cross on the main window next to my setting name.

SonicWall Log says:

1 03/22/2006 20:03:11.336 Error VPN IKE SA -payload processing error 84.XXX.XXX.XXX, 500 (admin) 82.XXX.XXX.XXX, 500
2 03/22/2006 20:03:11.336 Warning VPN IKE IKE Responder: IKE proposal does not match (Phase 1) 84.XXX.XXX.XXX, 500 (admin) 82.XXX.XXX.XXX, 500
3 03/22/2006 20:03:11.336 Info VPN IKE IKE Responder: Received Main Mode request (Phase 1) 84.XXX.XXX.XXX, 500 (admin) 82.XXX.XXX.XXX, 500
4 03/22/2006 20:02:44.880 Info Authenticated Access WAN zone administrator login allowed 84.XXX.XXX.XXX, 0, X1 (admin) 82.XXX.XXX.XXX, 443, X1

82.XXX.XXX.XXX = public IP on SonicWall (router)
84.XXX.XXX.XXX = public IP on user (router)

If I connect using VPN Tracker and then connect using IPSecuritas I get the green tick!

My IPSecuritas settings are:

Host to Network
Exchange Mode: Main
Proposal Check: Obey, size: 16
Phase 1
Lifetime: 28800
DH Group: Mod768 (1)
Encryption: 3DES
Auth: SHA1
Phase 2
Lifetime: 28800
PFS Group: None (I know it is EPS on the SW)
Encryption: 3DES
Auth: SHA1
ID/Auth
Address for both and a preshared secret

Re: Another user trying to match VPN Tracker setti by Josh Carlson on 2006-07-08 07:08:59 +0200

I more or less have the same problem with the same sonicwall model. Any thoughts?

Re: Another user trying to match VPN Tracker setti by Phil on 2006-07-17 15:38:20 +0200

Nothing.... still.....!!!!
Re: Another user trying to match VPN Tracker setti by northben on 2006-07-31 15:27:19 +0200

You could try using the "debug level" logs or whatever they are called. It might help you see what exactly is wrong. I was able to get my setup working (TZ170) by more or less copying the settings from the Sonicwall configuration page to the IPSecuritas pages. HTH.

Re: Another user trying to match VPN Tracker setti by yves_kayak on 2006-10-07 04:58:00 +0200

Hi, Did you double-check that your IPSecuritas settings match the VPN Server's settings? Make sure there's not a typo in your secret key, and if you copy/pasted it, make sure you don't bring an extra space. I use exchange mode "aggressive" instead of "main" to connect to our SonicWall Pro 230. Also, you can try a couple of things in the "options" tab. Hope this helps, Yves

Anyone using a Cyberguard endpoint? by Demani on 2006-03-23 20:05:26 +0100

I'm trying to find the right setup, but I haven't had any luck so far. I have a SG560 running the 3.1.2 firmware. Running v2.1 on OSX 10.4.5. I believe I have all the settings matched but it's stalling during the Phase one negotiation. Settings I have so far:

Host to Network
Aggressive Exchange mode
Proposal check: Claim
Phase 1 lifetime: 3600
DH Group 2
Encryption: 3DES
Authentication: SHA1
Phase 2 Lifetime: 3600
PFS Group 2
Encryption: 3DES
Authentication: HMAC SHA1

ID has the Local DN option set to the Required Remote Identifier on the Cyberguard ("Outside" in this case). The IPSec/IKE options that are checked are IPSec DOI, SIT_IDENTITY_ONLY, MIP6, Initial Contact, and DHCP Pass-Through. Establish IKE immediately is on. The line in the IPSecuritas log I see when the connection isn't working is: DEBUG: isakmp_ph1resend():resend phase1 packet. I can provide more info if needed.

Re: Anyone using a Cyberguard endpoint?
by rugby on 2006-03-31 18:13:41 +0200

I have the same router, the same firmware and the same problem, although it's with VPN Tracker. I am going to contact Cyberguard and see if they can assist with this. Here's a log of the issue I'm having:

2006-03-31 11:04:07: INFO: isakmp.c:2102:isakmp_post_acquire(): IPSec-SA request for X.X.X.X queued due to waiting for phase1 connection to complete.
2006-03-31 11:04:07: DEBUG: isakmp.c:1807:isakmp_ph1resend(): resend phase1 packet to X.X.X.X[500] (d909f677273dd58c:0000000000000000)
2006-03-31 11:04:10: DEBUG: pfkey.c:1793:pk_recvacquire(): ignore the acquire because phase2 found
2006-03-31 11:04:18: DEBUG: pfkey.c:1793:pk_recvacquire(): ignore the acquire because phase2 found
2006-03-31 11:04:27: DEBUG: isakmp.c:1807:isakmp_ph1resend(): resend phase1 packet to X.X.X.X[500] (d909f677273dd58c:0000000000000000)
2006-03-31 11:04:27: DEBUG: pfkey.c:1793:pk_recvacquire(): ignore the acquire because phase2 found

Adtran IPSEC by Mikel King on 2006-03-30 03:01:38 +0200

Does anyone know if there has been any success with any of the Adtran VPN products? IPSecuritas says that IPSEC is UP but I am unable to pass any traffic to the remote LAN. Any pointers would be helpful... cheers, m

intel by Shaddow on 2006-04-04 21:44:43 +0200

Does this software work on the new intel macs under rosetta or is it universal already?

Linksys WRV54G: can't connect by tiffert on 2006-04-07 01:56:14 +0200

I have never been able to establish a VPN tunnel using IPsecuritas with my Linksys WRV54G router (firmware 2.38.6). It is a VPN endpoint. I am using the same, proven configuration that works for my Linksys BEFVP41. Is this a known issue? Has anyone gotten it to work? I *CAN* establish a tunnel without IPsecuritas, using a curl script from: http://forums.macosxhints.com/showthread.php?t=40920 Any chance of adding support for this router? It is a popular device. OS X 10.4.6 Thanks!
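Several of the threads above (the 10.4.4 update thread, the Sonicwall TZ170 thread and the Cyberguard thread just before this) each paste racoon log lines and then ask which side to blame. The distinguishing signal is the IKE phase at which racoon gives up, and that can be read off the function name and message in each line. The triage script below is an added example written for this page, not IPSecuritas or Lobotomo code: it parses both log shapes seen in the threads (syslog lines with a hostname, and racoon's own dated file log), maps each line to a failure category, and returns a verdict for the batch. The three sample logs are copied from the posts named above; the category names, the verdict order and the hint texts are my own and are not taken from racoon's documentation.

```python
import re
from collections import Counter

# Two line shapes appear in the threads:
#   syslog:   "Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:func(): msg"
#   file log: "2006-03-31 11:04:07: DEBUG: isakmp.c:1807:func(): msg"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?P<level>[A-Z0-9]+): (?P<src>[\w.]+:\d+:\w+\(\)): (?P<msg>.*)$")
FILELOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?P<level>[A-Z0-9]+): "
    r"(?P<src>[\w.]+:\d+:\w+\(\)): (?P<msg>.*)$")

# Ordered: the first rule that matches the "src msg" text wins.
RULES = [
    ("phase1_stall", re.compile(r"isakmp_ph1resend\(\)")),
    ("phase2_stall", re.compile(r"isakmp_ph2resend\(\)")),
    ("peer_rejected_phase2", re.compile(r"unknown notify message, no phase2 handle found")),
    ("sa_timeout", re.compile(r"give up to get IPsec-SA")),
    ("malformed_isakmp", re.compile(
        r"length of the isakmp header is too big|packet shorter than isakmp header size")),
]

# Hint texts are my own summary of what each verdict usually means (assumption, not racoon docs).
VERDICT_HINTS = {
    "malformed_packets": "racoon rejects the peer's ISAKMP packets as malformed; the 10.4.4 "
                         "thread saw exactly this and an OS update, not a proposal change, cleared it",
    "phase2_failing": "phase 1 completed but no IPsec SA was negotiated: compare the phase 2 "
                      "proposal, PFS group and local/remote network selectors with the gateway",
    "phase1_not_completing": "no usable answer to phase 1: check that UDP 500 reaches the gateway "
                             "and that exchange mode, DH group and identifiers match",
    "unknown": "no known racoon failure signature in these lines; raise the log level",
}


def parse_line(line):
    """Return a dict (ts, host, level, src, msg) for a racoon line, or None.
    Mac syslog pastes often end in a literal backslash-n, which is stripped."""
    line = line.strip()
    if line.endswith("\\n"):
        line = line[:-2]
    m = SYSLOG_RE.match(line) or FILELOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry.setdefault("host", None)  # file-log lines carry no hostname
    return entry


def classify(entry):
    text = f"{entry['src']} {entry['msg']}"
    for name, pattern in RULES:
        if pattern.search(text):
            return name
    return "other"


def triage(lines):
    """Count failure categories over a batch of lines and pick one verdict."""
    counts = Counter()
    first_seen = {}
    for raw in lines:
        entry = parse_line(raw)
        if entry is None:
            continue
        category = classify(entry)
        counts[category] += 1
        first_seen.setdefault(category, entry["ts"])
    if counts["malformed_isakmp"]:
        verdict = "malformed_packets"
    elif counts["peer_rejected_phase2"] or counts["sa_timeout"] or counts["phase2_stall"]:
        verdict = "phase2_failing"
    elif counts["phase1_stall"]:
        verdict = "phase1_not_completing"
    else:
        verdict = "unknown"
    return {"counts": dict(counts), "first_seen": first_seen,
            "verdict": verdict, "hint": VERDICT_HINTS[verdict]}


# Sample input copied from the posts in the threads above.
SONICWALL_LOG = """\
Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:31:54 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
Feb 21 16:32:04 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait.
"""
TIGER_1044_LOG = """\
Feb 18 13:27:09 Redpaw racoon: DEBUG: isakmp.c:1831:isakmp_ph2resend(): resend phase2 packet dd03679ef51ce26e:ff15187961a5d0bf:2279bb6f\\n
Feb 18 13:27:09 Redpaw racoon: ERROR: isakmp.c:196:isakmp_handler(): the length of the isakmp header is too big.\\n
Feb 18 13:27:11 Redpaw racoon: ERROR: isakmp.c:183:isakmp_handler(): packet shorter than isakmp header size.\\n
"""
CYBERGUARD_LOG = """\
2006-03-31 11:04:07: INFO: isakmp.c:2102:isakmp_post_acquire(): IPSec-SA request for X.X.X.X queued due to waiting for phase1 connection to complete.
2006-03-31 11:04:07: DEBUG: isakmp.c:1807:isakmp_ph1resend(): resend phase1 packet to X.X.X.X[500] (d909f677273dd58c:0000000000000000)
2006-03-31 11:04:10: DEBUG: pfkey.c:1793:pk_recvacquire(): ignore the acquire because phase2 found
2006-03-31 11:04:27: DEBUG: isakmp.c:1807:isakmp_ph1resend(): resend phase1 packet to X.X.X.X[500] (d909f677273dd58c:0000000000000000)
"""

if __name__ == "__main__":
    for name, log in (("sonicwall", SONICWALL_LOG), ("10.4.4", TIGER_1044_LOG),
                      ("cyberguard", CYBERGUARD_LOG)):
        result = triage(log.splitlines())
        print(f"{name}: {result['verdict']} {result['counts']}\n  {result['hint']}")
```

The verdict only says where the negotiation stops; it does not say why. One caveat worth keeping in mind when reading the 10.4.4 thread: copying an older racoon over /usr/sbin/racoon, as two posters there did, also discards the CVE-2006-0383 fix that Trevor quotes from Apple's advisory, so that step is a diagnostic experiment rather than a fix.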
Re: Linksys WRV54G: no tunnels by Francis Tanzella on 2006-04-16 21:58:46 +0200

Since you're using IPSECuritas, I presume you're using the passthrough. If you're using the hardware tunnel you probably don't need IPSECuritas. I was able to establish a tunnel with IPSECuritas using this router with no real problem. I was connecting to a Checkpoint IPSEC server. I failed using the hardware tunnel because I need to use a certificate, which it doesn't support. So I turned off the hardware VPN, turned off the other 2 passthroughs and only checked the IPSEC passthrough. I used the same configuration that worked without the router and it went through first time. Since I couldn't use the hardware VPN, I "downgraded" to a WRT54G, saved $100, and it works fine.

Re: Linksys WRV54G: no tunnels by tiffert on 2006-04-16 22:40:29 +0200

Just to clarify, I am not trying to establish a VPN between the BEFVP41 and the WRV54G routers. Rather I am trying to use IPSecuritas from a third location to establish tunnels to each of those routers in their capacities as remote VPN endpoints. Put another way, the BEFVP41 and WRV54G are in different parts of the US, and I am in another country altogether with my laptop and IPSecuritas. I can establish a tunnel to the BEFVP41, but cannot to the WRV54G. It gets stuck at Phase 1. Since I am trying to use the WRV54G as a remote VPN endpoint, with IPSecuritas on the local end, I need to have the WRV54G's "hardware VPN" turned on, right? Any further suggestions? Thanks! Glenn

Re: Linksys WRV54G: can't connect by Niels S. Eliasen on 2006-05-08 11:40:37 +0200

Hi, Just wanted to say "me too!" If anyone can get a connection working to the WRV54G, then please! share the info!...

Re: Linksys WRV54G: can't connect by tiffert on 2006-05-14 21:32:37 +0200

I am the original poster to this thread. The following is just anecdotal and circumstantial, but I hope helpful: I have not tried to establish a VPN for about 3 weeks to my WRV54G.
I had previously not been able to use IPSecuritas (Phase 1 failures), only the curl script mentioned in my initial post. However, today my curl script stopped working, and the log revealed Phase 1 failures. Nothing on the remote side has changed, and the only thing I can think of on the local side that has changed is the installation of Apple Security Update 2006-003 (5/11/06). I decided to try IPSecuritas again out of curiosity. Amazingly, IPSecuritas now works with exactly the settings that would not work last month and all of the months before. Perhaps the Security Update changed something that was blocking IPSecuritas? Don't know. But I am happy.

Can't view folder by Keith W on 2006-04-24 16:08:40 +0200

Hi There, I'm having a problem getting access to one of my folders on the remote server. The VPN connects fine and I can get into a number of other folders without a problem but it seems that whenever I try and open this one folder the Finder gets stuck on the spinning wheel and ends up crashing. I have checked my access rights and I should be able to access it without a problem and was able to do so previously. The only thing I could think of is that the folder I am trying to view is too big, it has around 80 sub folders within, so perhaps it has a problem with this? Any thoughts? Thanks, Keith

ISA VPN to Sonicwall problems by CybermonkeyCK on 2006-05-06 00:24:05 +0200

I have an ISA 2004 system trying to site-to-site VPN to a Sonicwall TZ 150 (IPSec). I have been going over all of the logs and session info on ISA and Sonicwall. The Sonicwall says that the VPN tunnel is open and the ISA shows a session of the remote computer. All the routing and firewall rules are in place (on the ISA for sure and the Sonicwall… I think). But I can't RDP, telnet, ping, browse, anything; both directions. I have the same type of VPN with the same rules and everything; the only difference is it's to another ISA.
The ISA system does have multiple external IP’s… could this be a problem? Has anyone ever had this problem? CheckPoint NGX, can't connect (Aggressive mode) CheckPoint NGX, can't connect (Aggressive mode) by bgentry on 2006-05-10 22:54:37 +0200 We just upgraded our Checkpoint firewall from NG (R54) to NGX R60. Checkpoint has removed support for Aggressive mode from Phase I negotiations. This is a known security hole according to my VAR. Apparently there are several publicly available exploits to allow one to hijack IPSEC connections that use aggressive mode. Consequently, IPSecuritas on OSX can no longer connect to our firewall. I have tried using Basic and Main modes, as well as changing the NONCE size to various values, changing options, and verifiying that the Phase I encryption types were proper. According to the logs, Checkpoint seems to not understand the IKE tunnel probe that is being sent with NAT traversal. I'm trying to connect from behind a consumer (Linksys) NAT router like you find at everyone's house. So, I'm not sure where to go. Does the IPSEC support built in to OSX include support for Main or Base ? If so, does IPSecuritas properly implement those modes? Any ideas on how to get this working again? Does anyone have OSX establishing a VPN connection to a CheckPoint NGX firewall? Thank you for any help or insight you can provide. Brian. Re: CheckPoint NGX, can't connect (Aggressive mode by flruiz on 2006-06-30 11:39:32 +0200 Have you got it? I have the same problem Regards vpn certificate connection vpn certificate connection by johnlehardos on 2006-05-11 12:12:33 +0200 Hi, I am trying to connect my macOSx to an Arkoon firewall VPN. We are actually using the vpn connection on winXP hosts through a netscreen client and it work perfectly with my certificate (not a pre-shared key). But now I can't succeed th ipsecuritas working with the certificate. 
my host is now configured with the ip address : 192.168.161.61 the vpn server address is : 213.41.xx.xx the lan i want to connect is : 172.27.0.0 /16 I have converted my p12 certificate to a pem one, using an openssl command (found on the internet). I have successfully imported the two certificates in the certificate manager. I have configured the ipsecuritas client as same as he netscreen windows client was, phase1, phase2 and authentication. But when i try to connect I get the following log debug : [code] May 11 11:08:54 playmobile racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message\n May 11 11:08:54 playmobile racoon: DEBUG2: plog.c:199:plogdump(): \n02060003 00260000 00000033 00000000 00030005 ff200000 10020000 [...] 00000000\n May 11 11:08:54 playmobile racoon: DEBUG: pfkey.c:1567:pk_recvacquire(): suitable outbound SP found: 192.168.161.61/32[0] 172.27.0.0/16[0] proto=any dir=out.\n May 11 11:08:54 playmobile racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff970: 172.27.0.0/16[0] 192.168.161.61/32[0] proto=any dir=in\n May 11 11:08:54 playmobile racoon: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306998: 172.27.0.0/16[0] 192.168.161.61/32[0] proto=any dir=in\n May 11 11:08:54 playmobile racoon: DEBUG: pfkey.c:1583:pk_recvacquire(): suitable inbound SP found: 172.27.0.0/16[0] 192.168.161.61/32[0] proto=any dir=in.\n May 11 11:08:54 playmobile racoon: DEBUG: pfkey.c:1622:pk_recvacquire(): new acquire 192.168.161.61/32[0] 172.27.0.0/16[0] proto=any dir=out\n May 11 11:08:54 playmobile racoon: DEBUG: proposal.c:826:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)\n May 11 11:08:54 playmobile racoon: DEBUG: proposal.c:860:printsatrns(): (trns_id=3DES encklen=0 authtype=2)\n May 11 11:08:54 playmobile racoon: DEBUG: remoteconf.c:118:getrmconf(): configuration found for 213.41.xx.xx.\n May 11 11:08:54 playmobile racoon: INFO: isakmp.c:2028:isakmp_post_acquire(): IPsec-SA request for 213.41.xx.xx 
queued due to no phase1 found.\n May 11 11:08:54 playmobile racoon: DEBUG: isakmp.c:1009:isakmp_ph1begin_i(): ===\n May 11 11:08:54 playmobile racoon: INFO: isakmp.c:1014:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.161.61[500]<=>213.41.xx.xx[500]\n May 11 11:08:54 playmobile racoon: INFO: isakmp.c:1019:isakmp_ph1begin_i(): begin Aggressive mode.\n May 11 11:08:54 playmobile racoon: DEBUG: isakmp.c:2340:isakmp_newcookie(): new cookie:\n5961a56996cec897 \n May 11 11:08:54 playmobile racoon: DEBUG: localconf.c:328:getpathname(): filename: /tmp/ipsecuritas_certs /cert.pem.cert\n Apple Keychain support for certs? Apple Keychain support for certs? by Bill Burns on 2006-05-16 01:06:41 +0200 I was disappointed to see that this program uses its OWN certificate database. Are there any plans to support the mac OS X keychain instead? Or support PKCS#11 security modules? I have smartcard users that can use their certificates with the suite of Apple applications (because their certs and keys show up in the Apple Keychain via the tokend mechanism), and several Mozilla applications (because they have a PKCS#11 module). It seems that with minimal code changes, your application could choose to use either native Keychain support or even a PKCS#11 module. thanks, bill IPSec (setkey+racoon) IPSec (setkey+racoon) by BALEX on 2006-05-29 16:42:45 +0200 IPsec work with SETKEY and RACOON. spdadd x.x.x.x y.y.y.y any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/use; spdadd y.y.y.y x.x.x.x any -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/use; All traffic direct into tunnel How to destroy tunnel, if remote address (B.B.B.B) unreachable? How to Force all traffic thru tunnel How to Force all traffic thru tunnel by clay perreault on 2006-06-08 21:30:59 +0200 Hi. I've set up IPSecuritas on my mac os x and am successfully connecting to a host and bringing a tunnel up. 
I can ping and connect through the tunnel to devices on the internal tunnel subnet, but I want to force ALL traffic from my laptop through the tunnel. with the current config, only traffic destined for the internal network traverses the tunnel and other traffic such as web surfing still goes out my normal gateway. Is there a setting somewhere to FORCE ALL traffic through the tunnel? Re: How to Force all traffic thru tunnel by who me on 2006-06-27 23:47:12 +0200 This is done on the vpn "server" side. Nothing can be done on the client. Normally, a company does NOT want all traffic to go through their vpn. Connected once but no more Connected once but no more by apu on 2006-06-13 17:10:41 +0200 IPSecuritas 2.1, Mac OS X 10.4.6, trying to connect to a Netgear FVS318 with v2.4 firmware. My end of the tunnel is behind a Linksys router/access point right now (same as when it worked) but is mobile; the other end of the tunnel is connected directly to a DSL modem -- the IP address changes occassionally but has a fixed dyndns.org host name (and has not changed since this worked yesterday). I got it to connect (green checkmark) once and was able to successful use the tunnel. But, ever since, IPSecuritas continues to display the red X and I am unable to use the IPsec tunnel that is created. However, on the FVS318, the VPN Status page shows what appears to be a normal, active connection. Re: Connected once but no more by apu on 2006-06-13 17:25:41 +0200 p.s. I have a "verbose" log file from IPSecuritas which I has going to post but its too big and I would have to chop it up into pieces. I can if its of value. But, the only error found in it is [code] racoon: ERROR: pfkey.c:756:pfkey_timeover(): PUB.LIC.IP.VPN give up to get IPsec-SA due to time up to wait. [/code] where PUB.LIC.IP.VPN is the VPN gateway's public IP address. 
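The setkey post and the "force all traffic" question above both come down to what the kernel's Security Policy Database (SPD) selectors cover: only packets whose source/destination match an "ipsec" policy are handed to ESP, everything else follows the normal routing table in the clear. The following Python is an added example, not code from the forum or from IPSecuritas: it parses setkey-style spdadd lines and answers "which policy applies to this packet?" The spdadd lines, the 203.0.113.1 gateway address and the most-specific-prefix-wins rule are constructed for the example; real SPD implementations order entries by insertion order or an explicit priority, so in a real full-tunnel SPD the bypass entry for the gateway must be added ahead of the 0.0.0.0/0 catch-all.

```python
"""Added example (not from the forum thread): a toy Security Policy Database lookup
that shows which traffic a setkey-style policy sends into an ESP tunnel.

The spdadd lines below are constructed for this example. Selector matching is
modelled as most-specific-prefix-wins; real kernels (KAME/BSD, Linux XFRM) order
entries by insertion order or an explicit priority, so in a real SPD a bypass
entry for the gateway itself must come before a catch-all 0.0.0.0/0 policy.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<ulp>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"(?:(?P<plain>none|discard)|ipsec\s+(?P<proto>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?P<endpoints>[^/]*)/(?P<level>require|use|default))\s*;"
)


@dataclass
class Policy:
    src: ipaddress.IPv4Network   # selector: local side for "out", remote side for "in"
    dst: ipaddress.IPv4Network
    ulp: str                     # upper-layer protocol selector ("any", "tcp", ...)
    direction: str               # "in" or "out"
    action: str                  # "none" (bypass), "discard", or "ipsec"
    tunnel_dst: Optional[str]    # outer destination of the ESP packet, if tunnel mode


def parse_spd(text: str) -> List[Policy]:
    """Parse setkey 'spdadd ...;' lines. Host addresses without a prefix become /32."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        if m["plain"]:
            action, tdst = m["plain"], None
        else:
            action = "ipsec"
            # endpoints are "outer_src-outer_dst" for tunnel mode, empty for transport
            tdst = m["endpoints"].split("-")[1] if m["mode"] == "tunnel" else None
        policies.append(Policy(
            ipaddress.ip_network(m["src"], strict=False),
            ipaddress.ip_network(m["dst"], strict=False),
            m["ulp"], m["dir"], action, tdst))
    return policies


def lookup(policies: List[Policy], src: str, dst: str, direction: str,
           ulp: str = "any") -> Optional[Policy]:
    """Return the most specific policy matching the packet, or None (sent in the clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best = None
    for p in policies:
        if p.direction != direction:
            continue
        if p.ulp != "any" and ulp != "any" and p.ulp != ulp:
            continue
        if s in p.src and d in p.dst:
            specificity = p.src.prefixlen + p.dst.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, p)
    return best[1] if best else None


def describe(policy: Optional[Policy]) -> str:
    """One-line verdict a tunnel user cares about: tunnelled, bypassed, dropped or no policy."""
    if policy is None:
        return "clear (no policy: follows the normal routing table)"
    if policy.action == "ipsec":
        return f"esp tunnel to {policy.tunnel_dst}"
    return policy.action


# Constructed split-tunnel SPD: a Mac at 192.168.1.2 reaching a remote LAN 10.0.3.0/24
# through a gateway at 203.0.113.1 (documentation address). Only that LAN is protected.
SPLIT_SPD = parse_spd("""
spdadd 192.168.1.2/32 10.0.3.0/24 any -P out ipsec esp/tunnel/192.168.1.2-203.0.113.1/require;
spdadd 10.0.3.0/24 192.168.1.2/32 any -P in  ipsec esp/tunnel/203.0.113.1-192.168.1.2/require;
""")

# Constructed full-tunnel SPD: 0.0.0.0/0 captures everything, so the IKE/ESP traffic to the
# gateway itself needs a more specific bypass policy or the tunnel can never be built.
FULL_SPD = parse_spd("""
spdadd 192.168.1.2/32 203.0.113.1/32 any -P out none;
spdadd 203.0.113.1/32 192.168.1.2/32 any -P in  none;
spdadd 192.168.1.2/32 0.0.0.0/0 any -P out ipsec esp/tunnel/192.168.1.2-203.0.113.1/require;
spdadd 0.0.0.0/0 192.168.1.2/32 any -P in  ipsec esp/tunnel/203.0.113.1-192.168.1.2/require;
""")

if __name__ == "__main__":
    for spd, name in ((SPLIT_SPD, "split"), (FULL_SPD, "full")):
        for dst in ("10.0.3.7", "191.168.55.20", "203.0.113.1"):
            verdict = describe(lookup(spd, "192.168.1.2", dst, "out"))
            print(f"{name:5} 192.168.1.2 -> {dst:14}: {verdict}")
```

Running it shows the two behaviours discussed in the thread side by side: with the split SPD a destination outside 10.0.3.0/24 gets no policy and leaves through the default gateway unencrypted, while the full SPD tunnels everything except the packets to the gateway itself. A "destroy the tunnel when the peer is unreachable" decision is not something the SPD makes; it is the IKE daemon's job (dead peer detection, or deleting the SAs) and the policy would keep sending traffic to a dead tunnel.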
Re: Connected once but no more by yves_kayak on 2006-10-07 05:08:02 +0200
Did you get it to work while you were connected via a wired Linksys router, and now you're trying with a mobile connection (Linksys wireless router)? If so, check the router's settings. In particular, my Linksys router has a "VPN Passthrough" option that needs to be turned on. Hope this helps, Yves

Can't get it to autostart at boot 10.4.6 by Jason on 2006-06-22 01:03:48 +0200
I have it working great with an IPsec tunnel to my monowall at the office; however, I cannot get it to autostart. I have the option checked in the options menu, but when I reboot, the tunnel is down until I manually start the program. Thoughts anyone? Or, how can I script it to auto start the program and the IPsec tunnel?

Re: Can't get it to autostart at boot 10.4.6 by Jason on 2006-06-22 04:17:50 +0200
Well, I've found that you can't run a GUI program from cron, so I guess I need to figure out how to open the IPsec tunnel and close it all from the command line, so my nightly backup can work without leaving an account logged in.

IPSecuritas -> Linksys RV082 by Rainer Kormann on 2006-06-27 22:13:09 +0200
Hi, anyone ever connected IPSecuritas with a Linksys RV082 VPN Router? I have been trying for days now... Any help would be great!!! Thanks in advance, Rainer.

Re: IPSecuritas -> Linksys RV082 by incognito on 2006-07-19 18:39:52 +0200
I have a Linksys RV016 and can't get it to work either. In my logs, it shows this:
Jul 19 00:29:30 2006 VPN Log Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x53713ffa (perhaps this is a duplicated packet)
Jul 19 00:29:10 2006 VPN Log Cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24==="ip address"[email@email.com]...1.2.10.12[email@email.com]===192.168.1.101/32
Jul 19 00:29:10 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Quick Mode 1st packet
Jul 19 00:29:09 2006 VPN Log Received informational payload, type IPSEC_INITIAL_CONTACT
Jul 19 00:29:09 2006 VPN Log [Tunnel Negotiation Info] Responder Cookies = bbd6 581f d355 338
Jul 19 00:29:09 2006 VPN Log [Tunnel Negotiation Info] Initiator Cookies = c94a 10c2 8f9 8fbc
Jul 19 00:29:09 2006 VPN Log [Tunnel Negotiation Info] Aggressive Mode Phase 1 SA Established
Jul 19 00:29:09 2006 VPN Log Aggressive mode peer ID is ID_USER_FQDN: 'it@it.com'
Jul 19 00:29:09 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 3rd packet
Jul 19 00:29:09 2006 VPN Log [Tunnel Negotiation Info] >>> Responder Send Aggressive Mode 2nd packet
Jul 19 00:29:09 2006 VPN Log Responding to Aggressive Mode from 64.149.107.132
Jul 19 00:29:09 2006 VPN Log Aggressive mode peer ID is ID_USER_FQDN: 'it@it.com'
Jul 19 00:29:09 2006 VPN Log [Tunnel Negotiation Info] <<< Responder Received Aggressive Mode 1st packet
Jul 19 00:29:09 2006 VPN Log Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02_n]
Jul 19 00:29:09 2006 VPN Log Ignoring Vendor ID payload Type = [draft-ietf-ipsec-nat-t-ike-02]
Jul 19 00:29:09 2006 VPN Log Ignoring Vendor ID payload [4df37928e9fc4fd1...]
Jul 19 00:29:09 2006 VPN Log Ignoring Vendor ID payload [4a131c8107035845...]

Re: IPSecuritas -> Linksys RV082 by truckstop on 2006-10-17 05:28:31 +0200
Hmm, my RV042 works without an issue. I assume that you sort of know what you are doing, so I am not going to trace through every step. Here are the relevant settings:

*RV042*
Client to Gateway FQDN: yourmac.local
PHASE1: Group5, AES-256, SHA, 3600s
PFS: enabled.
PHASE2: Group5, AES-256, SHA-1, 3600s

*Your Mac*
PHASE1: 3600s, Group5, AES-256, SHA, Aggressive, Strict, 16
PHASE2: 3600s, Group5, AES-256, SHA-1
Local ID: yourmac.local
Remote ID: address
OPTIONS: IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, Generate Policy, Support Proxy, NAT-T disabled. (All listed = checked; all others = unchecked)

Basically the "Verify Identifier" option seems to break the tunnel when enabled. You can do pretty much whatever else as long as it is off. It is kind of lame that it requires aggressive mode, but what are you gonna do?

Re: IPSecuritas -> Linksys RV082 by cbo on 2006-11-30 17:12:00 +0100
Hi! I would like to know how you can get AES-256 on a Linksys RV042 / 082? If you look at the product spec, there's no support for AES (even 128)... So truckstop, are you sure you are using a Linksys RV042??? Thx, Cbo. PS: I stopped trying to make IPSecuritas work with this product one year ago... now I work with Zyxel products which are more powerful and for professional use.

Re: IPSecuritas -> Linksys RV082 by truckstop on 2006-12-02 08:29:59 +0100
cbo - unless you are sure about something you shouldn't go spouting off. I AM using AES-256 with an RV042. I have a screen capture but I am too lazy to set up a Flickr account just to prove a point. Maybe tomorrow I'll get to it. You're right in the fact that it's not in the spec sheet. However the device supports AES-128, AES-192, and AES-256. They must have been added to the firmware after the specs were released. They are definitely options in 1.3.7.10. Personally I use SonicWALL devices anywhere I need a "pro" device. And let's face it, with download speeds in my area now up to 25Mbps it is getting to the point where you need a "pro" device at home just to handle your connection.
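Most of the failures in this thread ("No Proposal Chosen", aggressive versus main mode, lifetimes that differ between the two ends) are IKEv1 proposal mismatches, and the settings listed above are one matched pair. The Python below is an added example, not code from the forum or from IPSecuritas: it models how an initiator's proposal list is matched against what a responder accepts, and applies the lifetime rules racoon documents for its proposal_check setting (obey, strict, claim, exact), which is what the "Strict" in the Mac settings above selects. The transform sets are constructed to match the RV042/Mac settings quoted above and a 3DES-only gateway like the FVS318 configurations posted later in this thread; they are not exported from any device.

```python
"""Added example (not from the forum thread): a model of IKEv1 phase 1 / phase 2
proposal selection, including the lifetime rules racoon documents for its
proposal_check setting (obey, strict, claim, exact). The transform sets below are
constructed from the RV042 / Mac settings quoted above and from a 3DES-only gateway;
they are not exported from any device.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Transform:
    enc: str           # "aes256", "aes128", "3des"
    integ: str         # "sha1", "md5"
    dh: int            # MODP group number: 2 = 1024 bit, 5 = 1536 bit (PFS group in phase 2)
    lifetime: int      # seconds
    auth: str = "psk"  # phase 1 only: "psk", "rsasig", "xauth_psk"


def check_lifetime(mine: int, peers: int, level: str) -> Tuple[bool, int]:
    """Lifetime comparison per racoon's proposal_check; returns (accepted, agreed lifetime)."""
    if level == "obey":                 # take whatever the peer proposed
        return True, peers
    if level == "exact":                # must match to the second
        return mine == peers, mine
    if level == "strict":               # peer may be shorter, never longer
        return peers <= mine, min(mine, peers)
    if level == "claim":                # never reject on lifetime; use the shorter value
        return True, min(mine, peers)   # (racoon sends RESPONDER-LIFETIME when it shortens)
    raise ValueError(f"unknown proposal_check level {level!r}")


def negotiate(mine: List[Transform], peers: List[Transform],
              level: str = "obey") -> Tuple[Optional[Transform], List[str]]:
    """Pick the first of our proposals (in our order) that the peer also offers.

    Returns (agreed transform, diagnostics). A None transform is what the peer reports
    as NO-PROPOSAL-CHOSEN; the diagnostics say which attribute killed each candidate.
    """
    reasons: List[str] = []
    for m in mine:
        for p in peers:
            differing = [f for f in ("enc", "integ", "dh", "auth")
                         if getattr(m, f) != getattr(p, f)]
            if differing:
                reasons.append(f"{m.enc}/{m.integ}/group{m.dh} vs "
                               f"{p.enc}/{p.integ}/group{p.dh}: {', '.join(differing)} differ")
                continue
            ok, life = check_lifetime(m.lifetime, p.lifetime, level)
            if not ok:
                reasons.append(f"{m.enc}/{m.integ}/group{m.dh}: lifetime {m.lifetime}s vs "
                               f"{p.lifetime}s rejected by proposal_check={level}")
                continue
            return Transform(m.enc, m.integ, m.dh, life, m.auth), reasons
    return None, reasons


# Constructed proposal sets, written to match the settings quoted in the thread.
RV042_PHASE1 = [Transform("aes256", "sha1", 5, 3600)]     # Group5, AES-256, SHA, 3600s
MAC_PHASE1 = [Transform("aes256", "sha1", 5, 3600)]       # same, proposal check "Strict"
FVS318_PHASE1 = [Transform("3des", "sha1", 2, 28800)]     # 3DES, MODP1024, 28800s
MAC_FALLBACK = [Transform("aes256", "sha1", 5, 3600),     # prefer AES, fall back to 3DES
                Transform("3des", "sha1", 2, 3600)]

if __name__ == "__main__":
    for label, mine, peer, lvl in (
        ("Mac -> RV042, strict", MAC_PHASE1, RV042_PHASE1, "strict"),
        ("Mac -> FVS318, strict", MAC_PHASE1, FVS318_PHASE1, "strict"),
        ("Mac fallback -> FVS318, strict", MAC_FALLBACK, FVS318_PHASE1, "strict"),
        ("Mac fallback -> FVS318, obey", MAC_FALLBACK, FVS318_PHASE1, "obey"),
    ):
        chosen, why = negotiate(mine, peer, lvl)
        print(label, "=>", chosen or "NO-PROPOSAL-CHOSEN")
        for line in why:
            print("   ", line)
```

The third case is the one that bites people who copy a gateway's 28800 s lifetime but leave the Mac at 3600 s with "Strict": every attribute matches, yet the peer's longer lifetime is refused and the gateway logs NO-PROPOSAL-CHOSEN. "Obey" accepts the peer's 28800 s; "Claim" keeps the tunnel but shortens it to 3600 s.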
[quote author=cbo link=1151439189/0#3 date=1164903120]Hi! I would like to know how you can get AES-256 on a Linksys RV042 / 082? If you look at the product spec, there's no support for AES (even 128)... So truckstop, are you sure you are using a Linksys RV042??? Thx, Cbo. PS: I stopped trying to make IPSecuritas work with this product one year ago... now I work with Zyxel products which are more powerful and for professional use.[/quote]

Always on IPSecuritas by iamchris on 2006-06-29 21:10:51 +0200
On OSX 10.4.2 I can't get IPSecuritas to autoload on boot. If I could get it to autoload, I'd like it to autoconnect, and then to reconnect if it gets disconnected, and if it can't reconnect, continue to retry at short intervals until it succeeds. How can I get IPSecuritas to work that way?

Couldn't find the pskey by Ian on 2006-06-29 22:26:08 +0200
oakley.c:2146:oakley_skeyid(): couldn't find the pskey for x.x.x.x.
I have set up a Host -> Network profile in IPSecuritas, but whenever I try to connect I find the error message above in the log file. I entered a preshared key into the IPSecuritas GUI, but this makes it sound like racoon can't find it? Any help would be greatly appreciated.

Netgear FVS318 connects, no traffic. Routing? by dfaulkner on 2006-07-04 19:22:51 +0200
Hi all, I've browsed/searched here briefly and can't find the answer I need. So, here goes: I used Aaron Adams' tutorial to set up IPSecuritas with my Netgear FVS318 (firmware version 2.4). When I click "Start IPSEC," everything appears to start fine and a ping turns the red X into a green check, but the ping doesn't return. A traceroute reveals that my traffic is still going out to the Internet, apparently through unencrypted channels:
$ traceroute 191.168.55.20
traceroute to 191.168.55.20 (191.168.55.20), 64 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  5.650 ms  1.102 ms  1.102 ms
 2  ip72-204-64-1.fv.ks.cox.net (72.204.64.1)  11.034 ms  10.766 ms  11.747 ms
 3  wsip-70-182-122-97.ks.ks.cox.net (70.182.122.97)  11.410 ms  10.611 ms  35.684 ms
 4  wsip-70-182-120-53.ks.ks.cox.net (70.182.120.53)  10.435 ms  13.787 ms  12.128 ms
 5  wsip-70-182-120-49.ks.ks.cox.net (70.182.120.49)  13.693 ms  25.273 ms  10.975 ms
So, I run ifconfig, and see the following for gif0:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 10.1.1.1 --> 127.0.0.1
        inet 10.1.1.1 --> 192.168.55.0 netmask 0xffffff00
From netstat -nr, I get:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.1.1        UGSc       38     2435    en1
192.168.43.0       10.1.1.1           UH          0        1   gif0
192.168.43         gif0               USc         1      202   gif0
Looks to me like a routing/gateway problem, but I'm not sure what to do to fix this. Any thoughts?

IPSecuritas 3.0 Public Beta released by Forum Admin on 2006-07-05 23:51:28 +0200
We're proud to announce the first public beta release of IPSecuritas 3.0. Please go to http://www.lobotomo.com/products/IPSecuritas/beta.html for more information. The IPSecuritas Team.

Re: IPSecuritas 3.0 Public Beta released by Roberto Carlos Navas on 2006-07-07 08:55:30 +0200
Hello: I'm testing the new Public Beta and it looks very promising. However I found a problem trying to connect to my corporate network when I'm behind a NAT router. The error I get is:
Jul 07, 00:50:05 Info APP IKE daemon started
Jul 07, 00:50:05 Info APP IPSec started
Jul 07, 00:50:05 Debug APP State change from IDLE to RUNNING after event START
Jul 07, 00:50:06 Info IKE Foreground mode.
Jul 07, 00:50:06 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 07, 00:50:06 Info IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005 (http://www.openssl.org/)
Jul 07, 00:50:06 Info IKE Resize address pool from 0 to 255
Jul 07, 00:50:06 Debug IKE parse successed.
Jul 07, 00:50:06 Debug IKE my interface: 127.0.0.1 (lo0)
Jul 07, 00:50:06 Debug IKE my interface: ::1 (lo0)
Jul 07, 00:50:06 Debug IKE my interface: fe80::1%lo0 (lo0)
Jul 07, 00:50:06 Debug IKE my interface: fe80::211:24ff:fe84:7f3e%en0 (en0)
Jul 07, 00:50:06 Debug IKE my interface: 192.168.1.100 (en0)
Jul 07, 00:50:06 Debug IKE configuring default isakmp port.
Jul 07, 00:50:06 Debug IKE 5 addrs are configured successfully
Jul 07, 00:50:06 Info IKE 192.168.1.100[500] used as isakmp port (fd=6)
Jul 07, 00:50:06 Info IKE fe80::211:24ff:fe84:7f3e%en0[500] used as isakmp port (fd=7)
Jul 07, 00:50:06 Info IKE fe80::1%lo0[500] used as isakmp port (fd=8)
Jul 07, 00:50:06 Info IKE ::1[500] used as isakmp port (fd=9)
Jul 07, 00:50:06 Info IKE 127.0.0.1[500] used as isakmp port (fd=10)
Jul 07, 00:50:06 Debug IKE get pfkey X_SPDDUMP message
Jul 07, 00:50:06 Debug IKE
Jul 07, 00:50:06 Debug IKE 02120200 00020000 00000000 000036fc
Jul 07, 00:50:06 Debug IKE pfkey X_SPDDUMP failed: No such file or directory
I managed to narrow down when this happens: my remote network is 192.168.0.0/16 and my local address is 192.168.1.100... if I try to connect to a different remote network (let's say 172.25.0.0/16) the VPN will be established. But if my local address overlaps the remote network, then this error happens and NO VPN setup is ever attempted. This same scenario works fine with IPSecuritas 2.1. I'm running MacOS X 10.4.7 on a PowerBook G4. Regards,

Re: IPSecuritas 3.0 Public Beta released by Philip on 2006-07-07 13:46:23 +0200
I get the following errors when trying to make a connection. Am I doing something wrong or is this a bug?
Jul 07, 13:42:07 Error IKE /Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf:58: ";" algorithm mismatched
Jul 07, 13:42:07 Error IKE fatal parse failure (1 errors)
Jul 07, 13:42:07 Error IKE racoon_vpn1: failed to parse configuration file.
Jul 07, 13:42:07 Error IKE Foreground mode.
Regards, Philip

Re: IPSecuritas 3.0 Public Beta released by Mini on 2006-07-10 16:12:55 +0200
Same error as above... Please help.

Re: IPSecuritas 3.0 Public Beta released by Roberto Carlos Navas on 2006-07-10 23:36:54 +0200
Hello, I noticed that the problem reported above:
Jul 07, 13:42:07 Error IKE /Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf:58: ";" algorithm mismatched
Jul 07, 13:42:07 Error IKE fatal parse failure (1 errors)
happens when you create a new connection using the wizard... if you re-create that connection manually, without using the wizard, then it works. Still... I have no workaround for the problem when using a local IP address that overlaps the remote network. Regards,

Re: IPSecuritas 3.0 Public Beta released by cnadig on 2006-07-11 16:36:21 +0200
Hello, I can confirm a bug in the wizard templates causing the error described above. I will release a new beta version with updated wizard templates soon (some more testing required this time I guess :-). Many thanks to the numerous contributions helping to find this bug! Christoph, Lobotomo Software

Re: IPSecuritas 3.0 Public Beta released by cnadig on 2006-07-12 10:06:29 +0200
Hello, version 3.0b6 is available for download (see top posting for link). IMPORTANT: connections created with the Wizard in earlier versions won't work in 3.0b6 and need to be deleted! Please recreate them in 3.0b6. Christoph, Lobotomo Software

Re: IPSecuritas 3.0 Public Beta released by iamchris on 2006-07-21 20:19:33 +0200
I've tried unsuccessfully to connect correctly to a Symantec Gateway Security (SGS) appliance... I spent several hours on the phone with a Level 2 tech trying to get it working properly. He offered to put an IPSecuritas developer in touch with an SGS developer to aid in getting the program working properly. Any takers?

Re: IPSecuritas 3.0 Public Beta released by cnadig on 2006-07-24 15:49:52 +0200
Hello Chris, could you please send me the contact details of the person that made you the offer to lobotomo@lobotomo.com - I will then get in touch with him/her. Thanks a lot, Christoph

Re: IPSecuritas 3.0 Public Beta released by pchernoff on 2006-07-25 16:32:37 +0200
After upgrading our SonicWall 2040 (enhanced OS) our VPN stopped working (IPSecuritas 2.1), so I decided to try out IPSecuritas 3.0b6 and it worked great once I figured out the settings. We have installed IPSecuritas 3.0b6 on other Macs; I exported my settings and imported them onto other Macs. The results have been mixed. I am using Mac OS X 10.4.7. Another user also uses 10.4.7. Unfortunately he never gets the green checkmark (he gets a yellow x) and was unable to mount a server volume across the VPN. He sent me his log and it looks like he is connecting to our VPN server. He also sent me screenshots of his IPSecuritas setup and it looks OK. Here are the contents of his log:
IPSecuritas 3.0b6 build 534, Tue Jul 11 22:00:26 CEST 2006, nadig
Darwin 8.4.0 Darwin Kernel Version 8.4.0: Tue Jan 3 18:22:10 PST 2006; root:xnu-792.6.56.obj~1/RELEASE_PPC Power Macintosh
Jul 24, 18:58:21 Info APP IKE daemon started
Jul 24, 18:58:21 Info APP IPSec started
Jul 24, 18:58:21 Info IKE Foreground mode.
Jul 24, 18:58:21 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 24, 18:58:21 Info IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005 (http://www.openssl.org/)
Jul 24, 18:58:21 Info IKE Resize address pool from 0 to 255
Jul 24, 18:58:21 Info IKE 10.0.0.4[4500] used as isakmp port (fd=6)
Jul 24, 18:58:21 Info IKE 10.0.0.4[500] used as isakmp port (fd=7)
Jul 24, 18:58:23 Info IKE IPsec-SA request for 216.194.197.194 queued due to no phase1 found.
Jul 24, 18:58:23 Info IKE initiate new phase 1 negotiation: 10.0.0.4[500]<=>216.194.197.194[500]
Jul 24, 18:58:23 Info IKE begin Aggressive mode.
Jul 24, 18:58:23 Info IKE received Vendor ID: RFC 3947
Jul 24, 18:58:23 Info IKE received Vendor ID: DPD
Jul 24, 18:58:23 Warning IKE No ID match.
Jul 24, 18:58:23 Info IKE Selected NAT-T version: RFC 3947
Jul 24, 18:58:23 Info IKE Hashing 10.0.0.4[500] with algo #2
Jul 24, 18:58:23 Info IKE NAT-D payload #-1 doesn't match
Jul 24, 18:58:23 Info IKE Hashing 216.194.197.194[500] with algo #2
Jul 24, 18:58:23 Info IKE NAT-D payload #0 verified
Jul 24, 18:58:23 Info IKE NAT detected: ME
Jul 24, 18:58:23 Info IKE KA list add: 10.0.0.4[4500]->216.194.197.194[4500]
Jul 24, 18:58:23 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Jul 24, 18:58:23 Info IKE Adding remote and local NAT-D payloads.
Jul 24, 18:58:23 Info IKE Hashing 216.194.197.194[4500] with algo #2
Jul 24, 18:58:23 Info IKE Hashing 10.0.0.4[4500] with algo #2
Jul 24, 18:58:23 Info IKE ISAKMP-SA established 10.0.0.4[4500]-216.194.197.194[4500] spi:668d5adfd265129f:fe2028ac928b6eda
Jul 24, 18:58:24 Info IKE initiate new phase 2 negotiation: 10.0.0.4[4500]<=>216.194.197.194[4500]
Jul 24, 18:58:24 Info IKE NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Jul 24, 18:58:24 Info IKE Adjusting my encmode UDP-Tunnel->Tunnel
Jul 24, 18:58:24 Info IKE Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jul 24, 18:58:24 Info IKE IPsec-SA established: ESP/Tunnel 216.194.197.194[4500]->10.0.0.4[4500] spi=134320294(0x80190a6)
Jul 24, 18:58:24 Info IKE IPsec-SA established: ESP/Tunnel 10.0.0.4[4500]->216.194.197.194[4500] spi=960951546(0x3946f4fa)

Re: IPSecuritas 3.0 Public Beta released by AaronA1975 on 2006-10-27 18:17:57 +0200
I am completely unable to get split DNS to work in 3.0b14. Are there any troubleshooting steps I can try or is there any way to help you fix this problem?

Re: IPSecuritas 3.0 Public Beta released by kramericafsu on 2006-11-09 05:11:48 +0100
Has there been any headway with configuring the Symantec Gateway 320? I have hit a road block!

Zyxel P-334WT and IPSecuritas 3.0b5 by Thomas Thaler on 2006-07-10 23:47:23 +0200
Has anyone successfully set up IPSecuritas and a Zyxel P-334WT firewall to set up an IPSec tunnel? It's hard to find out what on one side corresponds to the same function on the other side. If needed, I can provide snapshots of the Zyxel settings. Best regards and thanks for anyone's help. Greetings from Switzerland, Thomas Thaler

Where is HMAC 3.0b6 by LittleDan on 2006-07-12 16:41:28 +0200
I have installed 3.0b6 and it keeps failing on Phase 2 with "No Proposal is Chosen". I thought maybe it had something to do with HMAC not being under authentication in the Phase 2 config options. Anyone have any suggestions? Mac OS X 10.4.7 w/ SonicWall PRO 200 using XAUTH. Note: XAUTH is passing on the router log.

Re: Where is HMAC 3.0b6 by LittleDan on 2006-07-12 18:44:48 +0200
Made a good connection, now what? Forgive my ignorance, this is my first Mac since the IIe days; I have since been a Windows guy.
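The logs posted in this thread all tell the same story in different shapes: IPSecuritas 3.x lines ("Jul 24, 18:58:23 Info IKE ..."), racoon lines via syslog ("... racoon: INFO: file.c:123:func(): ..."), and a handful of messages that mark where a negotiation stopped (a parse failure in racoon.conf, no ISAKMP-SA, phase 2 retried until "give up to get IPsec-SA due to time up to wait", or two ESP SAs established and then a traffic problem that is not IKE's fault at all). The Python below is an added example, not part of the forum or of IPSecuritas: it parses both log shapes, counts the landmark messages, and reports the stage reached plus the next thing to compare. The signature table and the two sample logs are constructed for the example, modelled on messages quoted in this thread, with documentation addresses in place of the posters' real ones.

```python
"""Added example (not from the forum thread): a triage script for IPSecuritas / racoon
logs that reports how far an IKE negotiation got and which attribute to look at next.
The signature table and the sample logs below are constructed for this example,
modelled on messages that appear in this thread; addresses are documentation ranges.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Two log shapes occur in the thread: IPSecuritas 3.x ("Jul 24, 18:58:23 Info IKE <msg>")
# and racoon via syslog ("May 11 11:08:54 host racoon: INFO: file.c:12:func(): <msg>").
IPSECURITAS_RE = re.compile(
    r"^\w{3} \d{2}, \d\d:\d\d:\d\d\s+(?P<level>\w+)\s+(?P<src>APP|IKE)\s+(?P<msg>.+)$")
RACOON_RE = re.compile(
    r"racoon: (?P<level>[A-Z0-9]+): (?:\S+:\d+:\w+\(\): )?(?P<msg>.+)$")


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (LEVEL, message) for a recognised line, None for anything else."""
    for rx in (IPSECURITAS_RE, RACOON_RE):
        m = rx.search(line.strip())
        if m:
            # pasted racoon logs often carry a literal "\n" at the end of the message
            return m["level"].upper(), re.sub(r"\\n$", "", m["msg"]).strip()
    return None


# (event name, regex) in the order the events occur in a successful negotiation.
SIGNATURES = [(name, re.compile(rx, re.I)) for name, rx in (
    ("config_error",   r"failed to parse configuration file|algorithm mismatched|X_SPDDUMP failed"),
    ("phase1_start",   r"initiate new phase 1 negotiation"),
    ("aggressive",     r"begin Aggressive mode"),
    ("main_mode",      r"begin Identity Protection mode"),
    ("nat_detected",   r"NAT detected"),
    ("psk_lookup",     r"couldn't find the (proper )?pskey"),
    ("id_mismatch",    r"No ID match"),
    ("phase1_done",    r"ISAKMP-SA established"),
    ("phase2_start",   r"initiate new phase 2 negotiation"),
    ("no_proposal",    r"NO-PROPOSAL-CHOSEN|no proposal (is )?chosen"),
    ("phase2_timeout", r"give up to get IPsec-SA due to time up to wait"),
    ("bad_header",     r"length in the isakmp header is too big"),
    ("phase2_done",    r"IPsec-SA established"),
)]


def triage(lines: List[str]) -> Dict[str, object]:
    """Count known events, then name the stage reached and the most likely next check."""
    events: Counter = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        for name, rx in SIGNATURES:
            if rx.search(parsed[1]):
                events[name] += 1

    hints: List[str] = []
    if events["config_error"]:
        stage = "config"
        hints.append("racoon never started: fix racoon.conf / the connection definition first")
    elif events["phase2_done"] >= 2:
        stage = "established"          # one ESP SA per direction
        hints.append("both ESP SAs are up; if traffic still fails, check SPD selectors and routing, not IKE")
    elif events["phase1_done"] or events["phase2_timeout"]:
        stage = "phase2"
        if events["phase2_timeout"]:
            hints.append("peer never completed quick mode: compare phase 2 networks/selectors on both ends")
        if events["no_proposal"]:
            hints.append("phase 2 proposal rejected: compare ESP encryption, HMAC and PFS group")
    elif events["phase1_start"] or events["no_proposal"]:
        stage = "phase1"
        if events["psk_lookup"] or events["id_mismatch"]:
            hints.append("identifier/PSK lookup failed: check Local/Remote Identifier types and the key")
        else:
            hints.append("no ISAKMP-SA: compare exchange mode (main vs aggressive) and phase 1 algorithms")
    else:
        stage = "none"
    if events["nat_detected"]:
        hints.append("NAT-T in use (UDP 4500): the path must pass UDP-encapsulated ESP")
    if events["bad_header"]:
        hints.append("'isakmp header too big' once traffic flows: toggle NAT-T (disable, or force it)")
    return {"stage": stage, "events": dict(events), "hints": hints}


# Constructed sample: a negotiation that completes behind a NAT device.
SAMPLE_OK = """
Jul 24, 18:58:21 Info APP IKE daemon started
Jul 24, 18:58:23 Info IKE initiate new phase 1 negotiation: 10.0.0.4[500]<=>203.0.113.5[500]
Jul 24, 18:58:23 Info IKE begin Aggressive mode.
Jul 24, 18:58:23 Warning IKE No ID match.
Jul 24, 18:58:23 Info IKE NAT detected: ME
Jul 24, 18:58:23 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Jul 24, 18:58:23 Info IKE ISAKMP-SA established 10.0.0.4[4500]-203.0.113.5[4500] spi:668d5adfd265129f:fe2028ac928b6eda
Jul 24, 18:58:24 Info IKE initiate new phase 2 negotiation: 10.0.0.4[4500]<=>203.0.113.5[4500]
Jul 24, 18:58:24 Info IKE IPsec-SA established: ESP/Tunnel 203.0.113.5[4500]->10.0.0.4[4500] spi=134320294(0x80190a6)
Jul 24, 18:58:24 Info IKE IPsec-SA established: ESP/Tunnel 10.0.0.4[4500]->203.0.113.5[4500] spi=960951546(0x3946f4fa)
""".strip().splitlines()

# Constructed sample: phase 1 completes, quick mode is retried and times out.
SAMPLE_STUCK = """
Jul 25, 14:31:51 Info IKE initiate new phase 1 negotiation: 192.168.22.21[500]<=>203.0.113.9[500]
Jul 25, 14:31:51 Info IKE begin Aggressive mode.
Jul 25, 14:31:54 Info IKE ISAKMP-SA established 192.168.22.21[500]-203.0.113.9[500] spi:3238789ff58aba9f:9b586d8ffd398608
Jul 25, 14:31:55 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>203.0.113.9[500]
Jul 25, 14:32:07 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>203.0.113.9[500]
Jul 25, 14:32:25 Error IKE 203.0.113.9 give up to get IPsec-SA due to time up to wait.
""".strip().splitlines()
```

Feed it a pasted IPSecuritas log (for example `triage(open("ipsecuritas.log").read().splitlines())`) and read the stage before the hints: a log that reaches "established" but still has no traffic, like the yellow-x case above, points at policy selectors, NAT-T framing or routing rather than at the IKE settings.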
Log errors when trying to connect to home by CdtDelta on 2006-07-14 18:35:28 +0200
Hey all, I've been using IPSecuritas for a while with my Smoothwall firewall. It worked fine with version 2.x, but I'm having some issues with 3.0b5 (and I just tried it with b6 as well). I'm not sure if it's a configuration issue on my part or not. I've gotten it to where it shows I'm connected to my home network. And I can see on my firewall that the connection has been established. However, if I try to ping any machines on my local network, I notice this error pop up: "the length in the isakmp header is too big" for each ping packet I send out. Now it is possible that the network I'm on right now is part of the problem, because this worked a couple of days ago no problem at a hotel I was at. However I was back at the same hotel last night and I had the issue I have now. I can get connected, but not access anything on my home network. So I'm looking for suggestions on where to look (I'm not entirely sure if all my settings are correct). Thanks ahead of time....

Re: Log errors when trying to connect to home by cnadig on 2006-07-14 21:45:40 +0200
Hello, this looks like a problem with NAT-T - is it enabled in your configuration? (If it is, please try disabling it; if it isn't, please try enabling or even forcing it [Options tab].) Hope this helps, Christoph

IPsecuritas, Parallels and Internet Sharing by msolsona on 2006-07-16 01:13:29 +0200
I am having problems connecting to my company intranet using IPSecuritas from the Parallels virtual machine (XP). Has anybody had this working? IPSecuritas 3.0b6 installed and running in 10.4.7 (Intel). AirPort connection to the world. Internet sharing from AirPort to the Parallels interface (en2). Parallels is connecting properly to the Internet (yahoo, google, etc) but it cannot reach the intranet. Has anybody got it to work? Doing tcpdump on en1 (AirPort, external interface) of the MacBook, I do see UDP-encap packets going out and coming back from the GW. But they are not reaching the virtual machine. marc

Netgear FVS318v3 by jscooper on 2006-07-22 20:46:05 +0200
Hi folks, I've seen a bunch of postings about this, but no solutions. Does anyone have the settings to get a working tunnel from a remote machine (roaming user/dynamic IP) to a FVS318v3? Thanks! Jeff
PS - Cool app, got it working with a couple of different VPNs (just not the Netgear so far).

Re: Netgear FVS318v3 by jscooper on 2006-07-26 04:22:30 +0200
Update: I was able to get it working, but I had it in a test environment: I made a subnet for the router and had its "WAN" be the main router of my LAN (a D-Link wireless). I was able to establish a VPN (green arrow and ping) to the Netgear from a laptop wirelessly connected to the D-Link. I thought I was set until I put the Netgear to use as a real router/gateway (WAN->LAN). It's working fine as a gateway; traffic can get out. But, when I try to establish a VPN to it from a different location (using the exact same settings), it gets hung up on Phase 2. Below is the client log (actual WAN IP replaced by x.x.x.x). It keeps trying to "initiate new phase 2 negotiation":
Jul 25, 14:31:50 Info APP IKE daemon started
Jul 25, 14:31:50 Info APP IPSec started
Jul 25, 14:31:50 Info IKE Foreground mode.
Jul 25, 14:31:50 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 25, 14:31:50 Info IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005 (http://www.openssl.org/)
Jul 25, 14:31:50 Info IKE Resize address pool from 0 to 255
Jul 25, 14:31:50 Info IKE 192.168.22.21[4500] used as isakmp port (fd=6)
Jul 25, 14:31:50 Info IKE 192.168.22.21[500] used as isakmp port (fd=7)
Jul 25, 14:31:51 Info IKE IPsec-SA request for x.x.x.x queued due to no phase1 found.
Jul 25, 14:31:51 Info IKE initiate new phase 1 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:31:51 Info IKE begin Aggressive mode.
Jul 25, 14:31:54 Info IKE ISAKMP-SA established 192.168.22.21[500]-x.x.x.x[500] spi:3238789ff58aba9f:9b586d8ffd398608
Jul 25, 14:31:55 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:07 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:19 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:25 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait.
Jul 25, 14:32:37 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:37 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait.
Jul 25, 14:32:49 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:49 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait.
Jul 25, 14:33:01 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:33:07 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait.
Jul 25, 14:33:19 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:33:19 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait.
Jul 25, 14:33:31 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:33:31 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait.

Re: Netgear FVS318v12 by bradisa on 2006-07-31 09:04:16 +0200
Got it working with the following settings. Please note that I do not need to browse the Mac clients; I only needed them to access a server behind the FVS318. I have not attempted to access the Macs, so you'll have to test it out:

[b][u]ON THE FVS318[/u][/b]
Local IPSec Identifier: 10.0.3.1 {local IP address of FVS318}
Remote IPSec Identifier: 192.168.1.2 {local IP address of Mac}
Tunnel can be accessed from: any local address
Tunnel can access: a subnet of remote addresses
Remote LAN start IP Address: 192.168.1.2 {local IP address of Mac}
Remote LAN IP Subnetmask: 255.255.255.0 {subnet of Mac}
Remote WAN IP or FQDN: xxxxx.dyndns.info {for dynamic IP of Mac; using Dynamic DNS Host service}
Secure Association: Main Mode
Perfect Forward Secrecy: Enabled
Encryption Protocol: 3DES
PreShared Key: AnyKeyY0uCh00se
Key Life: 28800 Seconds
IKE Life Time: 28800 Seconds
Netbios: Enabled

[b][u]On the Mac using IPSecuritas[/u][/b]
[b][i]General[/i][/b]
Remote IPSec Device: XXXXXXXX.com {FQDN or Dynamic Host Service}
Local Side: Endpoint Mode: Network; Network Address: 192.168.1.1 {local IP address of router for Mac}
Remote Side: Endpoint Mode: Network; Network Address: 10.0.3.0
[b][i]Phase 1[/i][/b]
Lifetime: 2880 Seconds
DH Group: 1024(2)
Encryption: 3DES
Authentication: SHA1
Exchange Mode: Main
Proposal Check: Obey
Nonce Size: 16
[b][i]Phase 2[/i][/b]
Lifetime: 28800 Seconds
PFS Group: 1024(2)
Encryption: {Check box for 3DES ONLY}
Authentication: {Check box for SHA1 ONLY}
[b][i]ID[/i][/b]
Local Identifier: Address
Remote Identifier: Address
Authentication Method: Preshared Key
Preshared Key: AnyKeyY0uCh00se {of course must match entry on FVS318}
[b][i]Options[/i][/b]
Check boxes for: IPSec DOI, SIT_IDENTITY_ONLY, Verify Identifier, Initial Contact

If anyone viewing this sees any serious flaws in this configuration, please post.

Re: Netgear FVS318v3 by bradisa on 2006-07-31 17:48:14 +0200
FYI, here are the log files:
[b][i]IPSecuritas:[/i][/b]
IPSecuritas 3.0b6 build 534, Tue Jul 11 22:00:26 CEST 2006, nadig
Darwin 8.4.0 Darwin Kernel Version 8.4.0: Tue Jan 3 18:22:10 PST 2006; root:xnu-792.6.56.obj~1/RELEASE_PPC Power Macintosh
Jul 31, 08:09:04 Info APP IKE daemon started
Jul 31, 08:09:04 Info APP IPSec started
Jul 31, 08:09:04 Error IKE Foreground mode.
Jul 31, 08:09:04 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 31, 08:09:04 Info IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005 (http://www.openssl.org/)
Jul 31, 08:09:04 Info IKE Resize address pool from 0 to 255
Jul 31, 08:09:04 Info IKE 192.168.1.2[4500] used as isakmp port (fd=6)
Jul 31, 08:09:04 Info IKE 192.168.1.2[500] used as isakmp port (fd=7)
Jul 31, 08:09:05 Info IKE IPsec-SA request for x.x.x.x queued due to no phase1 found.
Jul 31, 08:09:05 Info IKE initiate new phase 1 negotiation: 192.168.1.2[500]<=>x.x.x.x[500]
Jul 31, 08:09:05 Info IKE begin Identity Protection mode.
Jul 31, 08:09:08 Info IKE ISAKMP-SA established 192.168.1.2[500]-x.x.x.x[500] spi:xxxxx:xxxxxx
Jul 31, 08:09:09 Info IKE initiate new phase 2 negotiation: 192.168.1.2[500]<=>x.x.x.x[500]
Jul 31, 08:09:12 Info IKE IPsec-SA established: ESP/Tunnel x.x.x.x[0]->192.168.1.2[0] spi=xxxxx
Jul 31, 08:09:12 Info IKE IPsec-SA established: ESP/Tunnel 192.168.1.2[0]->x.x.x.x[0] spi=xxxxxx
[b][i]Netgear FVS318:[/i][/b]
Mon, 07/31/2006 07:08:51 - xxxxx IPsec:Receive Packet address:0x1807194 from x.x.x.x
Mon, 07/31/2006 07:08:51 - xxxx IPsec:main_inI1_outR1()
Mon, 07/31/2006 07:08:51 - xxxxx IKE: Peer Initialized IKE Main Mode
Mon, 07/31/2006 07:08:51 - xxxxx IKE:[Mac] RX << MM_I1 : x.x.x.x
Mon, 07/31/2006 07:08:51 - xxxxx IPsec:New State index:5, sno:32
Mon, 07/31/2006 07:08:51 - xxxxx IPsec:responding to Main Mode
Mon, 07/31/2006 07:08:51 - xxxxx IPsec: Oakley Transform 1 accepted
Mon, 07/31/2006 07:08:51 - xxxxx IKE: OAKLEY_PRESHARED_KEY/OAKLEY_3DES_CBC/MODP1024
Mon, 07/31/2006 07:08:51 - xxxxx IKE:[Mac] TX >> MM_R1 : x.x.x.x
Mon, 07/31/2006 07:08:51 - xxxxx IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #32
Mon, 07/31/2006 07:08:51 - xxxxx IPsec:Receive Packet address:0x1807194 from x.x.x.x
Mon, 07/31/2006 07:08:51 - xxx IPsec:main_inI2_outR2()
Mon, 07/31/2006 07:08:51 - xxxxx IKE:[Mac] RX << MM_I2 : x.x.x.x
Mon, 07/31/2006 07:08:51 - xxxxx IKE:[Mac] TX >> MM_R2 : x.x.x.x
Mon, 07/31/2006 07:08:51 - xxxx IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #32
Mon, 07/31/2006 07:08:53 - xxxxx IPsec:Receive Packet address:0x1807194 from x.x.x.x
Mon, 07/31/2006 07:08:53 - xxxxx IPsec:main_inI3_outR3()
Mon, 07/31/2006 07:08:53 - xxxxx IKE:[Mac] RX << MM_I3 : x.x.x.x
Mon, 07/31/2006 07:08:53 - xxxxx IPsec: Decoded Peer's ID is ID_IPV4_ADDR:192.168.1.2 and 192.168.1.2 in st
Mon, 07/31/2006 07:08:53 - xxxxx IKE:[Mac] TX >> MM_R3 : x.x.x.x
Mon, 07/31/2006 07:08:53 - xxxxx IPsec:inserting event EVENT_SA_EXPIRE, timeout in 28980 seconds for #37

Re: Netgear FVS318v3 by truckstop on 2006-10-17 05:33:42 +0200
Whenever I enable a tunnel to an FVS318v3 like this it breaks the internet connectivity on the FVS318v3 side. Looks like more than a DNS thing because pings disappear; however, traffic does go through the tunnel.

DHCP with SonicWall by yves_kayak on 2006-10-07 04:48:10 +0200
Hello everyone, I've been using IPSecuritas for a while to connect to the office's SonicWall Pro 230 VPN server. Our sysadmin changed the VPN server's config to assign DHCP addresses to the VPN clients. After that change, I can't connect anymore. In the IPSecuritas log, there's an error message "NO-PROPOSAL-CHOSEN" at phase 2. Is that feature supported by IPSecuritas? It seems to be a new feature in version 4 of VPN Tracker. They call that "DHCP over IPSec". Thanks, Yves

Re: DHCP with SonicWall by Manuel on 2007-03-15 16:07:39 +0100
Same problem/question here: is DHCP over IPSec supported by IPSecuritas? I am using 3.0RC and I'm only able to get it working if I enable "Virtual adapter settings: DHCP Lease or manual configuration" on our Sonic Pro 3060 Enhanced.
Since I'm the sysadmin it doesn't really matter (to me), but it would be nice if IPSecuritas could support DHCP somehow, also to avoid IP conflicts for users who use NAT'ed IP addresses.

Re: DHCP with SonicWall by jgrange on 2007-03-22 02:12:37 +0100
Okie, I've been trying to get version 3 to work with my 3060 Pro, but have been unsuccessful. I keep getting invalid ID messages. Can someone share with me how to properly set this up, as it seems I must be missing something fairly simple if several people seem to have this working! Any help or ideas would be very much appreciated!

XAuth not working?
XAuth not working? by gdanko on 2006-10-09 16:44:22 +0200
Hi all, I was helping to test 3.0b1 several months ago and I could get the username/password prompt for my SonicWall 5060. The only thing not working was the DHCP. I am now trying 3.0b14 and I am no longer prompted for username and password. I use both a Cisco 3020 and a SonicWall 5060 and TZ170. Does someone have a configuration example I can use for either of these? The Cisco 3020 uses Group Authentication. Can IPSecuritas accommodate this? Thanks in advance!
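The racoon (ipsec-tools) messages quoted in the logs above follow a fixed pattern, and the useful question when reading one is which IKE phase got stuck: phase 1 never completing (reachability, exchange mode, pre-shared key), phase 1 completing but phase 2 timing out repeatedly (the Jul 25 log at the top, typically a phase 2 proposal or network-definition mismatch), a NO-PROPOSAL-CHOSEN rejection, or a client/gateway disagreement about XAuth or identifiers. The script below is an added example, not code from IPSecuritas, Lobotomo or anyone in this thread: it parses lines in the IPSecuritas log format shown above, counts the racoon message fragments quoted in the posts, and returns a one-line diagnosis. The sample logs are constructed from lines quoted in the thread; the mapping from messages to causes is the editor's reading, not the project's.

```python
"""Triage an IPSecuritas (racoon) connection log by IKE phase.

Added example, not code from IPSecuritas or from this thread. The message
substrings are the ones racoon prints and that are quoted in the posts
above; the sample logs are constructed from those quoted lines.
"""
import re
from dataclasses import dataclass, field
from typing import Dict

# Matches the IPSecuritas log format, e.g.
# "Jul 25, 14:32:25 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2}, \d{2}:\d{2}:\d{2}) "
    r"(?P<level>Info|Warning|Error) (?P<src>[A-Z]+) (?P<msg>.*)$"
)

# racoon message fragments -> what they tell us about the negotiation
SIGNATURES = {
    "phase1_started":  "initiate new phase 1 negotiation",
    "isakmp_sa":       "ISAKMP-SA established",
    "phase2_started":  "initiate new phase 2 negotiation",
    "ipsec_sa":        "IPsec-SA established",
    "phase2_timeout":  "give up to get IPsec-SA due to time up to wait",
    "phase1_timeout":  "time up waiting for phase1",
    "no_proposal":     "NO-PROPOSAL-CHOSEN",
    "no_id_match":     "No ID match",
    "xauth_incapable": "peer did not declare itself as Xauth capable",
}


@dataclass
class Summary:
    counts: Dict[str, int] = field(default_factory=lambda: dict.fromkeys(SIGNATURES, 0))
    unparsed: int = 0

    def diagnosis(self) -> str:
        """Most specific explanation first; the first matching rule wins."""
        c = self.counts
        if c["ipsec_sa"] >= 2:
            return "tunnel up: ISAKMP-SA and both IPsec-SA directions established"
        if c["ipsec_sa"] == 1:
            return "partial: only one IPsec-SA direction established"
        if c["xauth_incapable"]:
            return "XAuth mismatch: client is configured for XAuth but the gateway did not advertise it"
        if c["no_id_match"]:
            return "identity mismatch: local/remote identifier settings do not match the gateway"
        if c["no_proposal"]:
            return "proposal rejected (NO-PROPOSAL-CHOSEN): compare encryption/auth/DH/PFS for the phase named"
        if c["isakmp_sa"] and c["phase2_timeout"]:
            return "phase 1 OK, phase 2 never completes: check phase 2 proposal and remote network settings"
        if c["phase1_timeout"] or (c["phase1_started"] and not c["isakmp_sa"]):
            return "phase 1 failed: check reachability (UDP 500/4500), exchange mode and pre-shared key"
        return "no IKE negotiation recognised in this log"


def triage(log_text: str) -> Summary:
    s = Summary()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:            # version banner, kernel string, etc.
            s.unparsed += 1
            continue
        for key, fragment in SIGNATURES.items():
            if fragment in m.group("msg"):
                s.counts[key] += 1
    return s


# Constructed sample logs, assembled from lines quoted in the thread.
LOG_PHASE2_STUCK = """
Jul 25, 14:31:51 Info IKE initiate new phase 1 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:31:54 Info IKE ISAKMP-SA established 192.168.22.21[500]-x.x.x.x[500] spi:3238789ff58aba9f:9b586d8ffd398608
Jul 25, 14:31:55 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:07 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:25 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait.
Jul 25, 14:32:37 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]<=>x.x.x.x[500]
Jul 25, 14:32:37 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait.
"""
LOG_XAUTH = """
IPSecuritas 3.0b14 build 1019, Wed Oct 4 15:19:10 CEST 2006, nadig
Oct 09, 10:22:24 Info APP IKE daemon started
Oct 09, 10:22:26 Error IKE Xauth mode config request but peer did not declare itself as Xauth capable
Oct 09, 10:22:46 Warning IKE No ID match.
Oct 09, 10:22:56 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [REMOTE][500]->172.16.129.16[500]
"""
LOG_UP = """
Jul 31, 08:09:08 Info IKE ISAKMP-SA established 192.168.1.2[500]-x.x.x.x[500] spi:xxxxx:xxxxxx
Jul 31, 08:09:09 Info IKE initiate new phase 2 negotiation: 192.168.1.2[500]<=>x.x.x.x[500]
Jul 31, 08:09:12 Info IKE IPsec-SA established: ESP/Tunnel x.x.x.x[0]->192.168.1.2[0] spi=xxxxx
Jul 31, 08:09:12 Info IKE IPsec-SA established: ESP/Tunnel 192.168.1.2[0]->x.x.x.x[0] spi=xxxxxx
"""

if __name__ == "__main__":
    for name, text in [("phase2", LOG_PHASE2_STUCK), ("xauth", LOG_XAUTH), ("up", LOG_UP)]:
        print(name, "->", triage(text).diagnosis())
```

Paste a log copied from the IPSecuritas log window into one of the string constants (or read it from a file) and call `triage()`; the rule order matters, since an XAuth or identifier error explains the later phase 2 timeouts that follow it in the same log.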
Cannot connect to SonicWALL TZ170
Cannot connect to SonicWALL TZ170 by gdanko on 2006-10-09 19:32:03 +0200
==On the SonicWALL==
:General
Authentication Method: IKE using Preshared Secret
Name: WAN GroupVPN
Share Secret: xxxxx
-Proposals
Phase 1
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time (seconds): 28800
Phase 2
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Enable PFS: Disabled
Life Time (seconds): 28800
:Advanced
Enable Windows Networking Broadcast: Checked
Enable Multicast: Unchecked
Default Gateway: 0.0.0.0
Require Authentication of VPN Clients via XAUTH: Checked
User Group for XAUTH users: Trusted Users
:Client
Cache XAUTH User Name and Password on Client: Single Session
Virtual Adapter Settings: DHCP Lease
Allow Connections to: Split Tunnels
Set Default Route as this Gateway: Unchecked
Require Global Security Client for this Connection: Unchecked
Use Default Key for Simple Client Provisioning: Unchecked

==In IPSecuritas==
:General
Remote IPSec Device: xxxxx
Local Endpoint Mode Host:
Remote Endpoint Mode Network: 172.16.10.0/24
:Phase 1
Lifetime: 28800 seconds
DH Group: 1024(2)
Encryption: 3DES
Authentication: SHA-1
Exchange Mode: Main, Aggressive
Proposal Check: Obey
Nonce Size: 16
:Phase 2
Lifetime: 28800 seconds
PFS Group: None
Encryption: 3DES
Authentication: HMAC-SHA-1
:ID
Local Identifier: Address
Remote Identifier: Address
Authentication Method: XAuth PSK
Preshared Key: xxxxx

Re: Cannot connect to SonicWALL TZ170 by gdanko on 2006-10-09 19:33:39 +0200
==SonicWALL Log==
10/09/2006 10:26:06.704 - Info - VPN IKE IKE Responder: Received Main Mode request (Phase 1) - [NAT'D IP], 139 (admin) [SONICWALL], 500
10/09/2006 10:26:07.352 - Info - VPN IKE NAT Discovery : Peer IPSec Security Gateway behind a NAT/NAPT Device 0.0.0.0 0.0.0.0
10/09/2006 10:26:07.880 - Info - VPN IKE IKE Responder: Main Mode complete (Phase 1) - [NAT'D IP], 43746 (admin) [SONICWALL], 4500 VPN Policy: WAN GroupVPN;3DES; SHA1; DH Group 2; lifetime=28800 secs
10/09/2006 10:26:27.720 - Warning - VPN IKE - Received packet retransmission. Drop duplicate packet [NAT'D IP], 43746 (admin) [SONICWALL], 4500 VPN Policy: WAN GroupVPN
10/09/2006 10:26:27.736 - Warning - VPN IKE - Failed payload validation - [NAT'D IP], 43746 (admin) [SONICWALL], 4500 VPN Policy: WAN GroupVPN
10/09/2006 10:26:47.736 - Warning - VPN IKE - Received packet retransmission. Drop duplicate packet [NAT'D IP], 43746 (admin) [SONICWALL], 4500 VPN Policy: WAN GroupVPN
10/09/2006 10:27:07.752 - Warning - VPN IKE - Received packet retransmission. Drop duplicate packet [NAT'D IP], 43746 (admin) [SONICWALL], 4500 VPN Policy: WAN GroupVPN
10/09/2006 10:27:27.800 - Warning - VPN IKE - Received packet retransmission. Drop duplicate packet [NAT'D IP], 43746 (admin) [SONICWALL], 4500 VPN Policy: WAN GroupVPN

==Connection Log from IPSecuritas==
IPSecuritas 3.0b14 build 1019, Wed Oct 4 15:19:10 CEST 2006, nadig
Darwin 8.8.1 Darwin Kernel Version 8.8.1: Mon Sep 25 19:42:00 PDT 2006; root:xnu-792.13.8.obj~1/RELEASE_I386 i386
Oct 09, 10:22:24 Info APP IKE daemon started
Oct 09, 10:22:24 Info APP IPSec started
Oct 09, 10:22:24 Error IKE Foreground mode.
Oct 09, 10:22:24 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Oct 09, 10:22:24 Info IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005 (http://www.openssl.org/)
Oct 09, 10:22:24 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Oct 09, 10:22:24 Info IKE Resize address pool from 0 to 255
Oct 09, 10:22:26 Error IKE Xauth mode config request but peer did not declare itself as Xauth capable
Oct 09, 10:22:26 Error IKE Xauth mode config request but peer did not declare itself as Xauth capable
Oct 09, 10:22:26 Error IKE Xauth mode config request but peer did not declare itself as Xauth capable
Oct 09, 10:22:26 Error IKE ISAKMP mode config exchange with immature phase 1
Oct 09, 10:22:46 Warning IKE No ID match.
Oct 09, 10:22:46 Error IKE No SIG was passed, hybrid auth is enabled, but peer is no Xauth compliant
Oct 09, 10:22:46 Error IKE none message must be encrypted
Oct 09, 10:22:56 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [REMOTE][500]->172.16.129.16[500]
Oct 09, 10:23:08 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [REMOTE][4500]->172.16.129.16[4500]
Oct 09, 10:23:17 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [REMOTE][4500]->172.16.129.16[4500]
Oct 09, 10:23:27 Error IKE Xauth mode config request but peer did not declare itself as Xauth capable
Oct 09, 10:23:27 Error IKE Xauth mode config request but peer did not

Re: Cannot connect to SonicWALL TZ170 by sibble-comp on 2007-06-12 00:54:04 +0200
Success!!! After about 4 or 5 days playing with this, and several hours on the phone with Sonicwall support, I can successfully connect to a TZ170 running SonicOS Enhanced 3.1.0.14-49e. The box is using the GroupVPN for the PC users using GVC in automated mode (end users type in IP address, username and password in GVC to connect) with Xauth enabled. Also using DHCP relay so clients get an address from the internal DHCP server, NOT the Sonicwall box itself. I am using IPSecuritas 3.0 build 1693. After several hours on the phone with Sonicwall support today and the tech finally saying he was out of ideas to try, I went back to basics and removed/reverted all the changes we had made during testing.
Sonicwall is set up thusly:

Security Policy TAB
IPsec Keying Mode: IKE using preshared secret
Name: Wan GroupVPN
Shared Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxx
Proposals TAB
IKE (phase 1) Proposal
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800
IPSEC (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Enable PFS is checked
DH Group: Group 2
Life Time: 28800
Advanced TAB
Enable Windows Networking Broadcast is checked
Require Authentication of VPN Clients via XAUTH is checked
User Group for XAUTH users: Trusted Users (clients authenticate against a RADIUS server on a Windows 2003 AD machine)
Client TAB
Cache XAUTH Username and Password on Client: Single Session
Virtual Adapter Settings: DHCP Lease or Manual Configuration
Use Default Key for Simple Client Provisioning.

If an item is not listed above or below, it's because it wasn't enabled or used for this configuration.

Setup on IPSecuritas
General TAB
Remote IPsec device: WAN IP of Sonicwall
Local Side Endpoint mode: host (IP address field blank)
Remote Side Endpoint Mode: Network, address set to the LAN behind the Sonicwall
Phase 1 TAB
Lifetime: 28800 seconds
DH Group: 1024 (2)

Re: Cannot connect to SonicWALL TZ170 by TimothyFerrell on 2007-06-12 05:31:25 +0200
I was very hopeful after reading how you got your connection to come up, but very disappointed to find your instructions don't quite work for me. I adopted all your settings, and the VPN comes up, but disconnects after about 2 minutes. The log shows scrolling errors starting with "No ID match", "attribute has been modified", "inappropriate sadb acquire message passed.", "attribute has been modified", "libipsec failed pfkey check (Invalid SA type)", "unknown information element received". If anyone knows what settings and on which side I should be looking at tinkering with, any suggestions would be appreciated. The client side is IP Securitas 3.0. The Sonicwall hardware in my case is a Pro 2040 on Standard 2.1.0.1 firmware. Windows computers are not having any trouble connecting with the SonicWall client. Hoping not to have to buy VPN Tracker to get this up.

Re: Cannot connect to SonicWALL TZ170 by sibble-comp on 2007-06-12 07:39:30 +0200
Hmm, there is some info in another thread about that unknown info message, involving turning up the logging level in IPSecuritas to debug to find out what the unknown info actually is. Also, from what I understand, there's a fair bit of difference between Standard and Enhanced firmware and also between 2.xx and 3.xx. IIRC, when they went to 3.xx was when they dropped support for Safenet based VPN clients, but don't quote me on that ;-)

Re: Cannot connect to SonicWALL TZ170 by TimothyFerrell on 2007-06-12 17:31:01 +0200
Thank you for your prompt reply. I will try to figure out where to go to increase the logging level and get back with my results.

Re: Cannot connect to SonicWALL by kduane on 2009-01-27 08:13:14 +0100
This worked for me on a Sonicwall 3060 with Enhanced OS and IPSecuritas 3.1 (build 1860). Just a few diffs:

== on sonicwall ==
Proposals TAB
IPSEC (Phase 2) Proposal
Enable PFS is unchecked
Advanced TAB
Enable Windows Networking Broadcast is unchecked
Client TAB
Virtual Adapter Settings: none

== in ipsecuritas ==
DNS TAB
Enable Domain Specific DNS servers is unchecked
Domains: blank
Name Server Addresses: blank
OPTIONS TAB
The following are (checked) enabled:
IPSEC DOI
SIT_IDENTITY_ONLY
Initial Contact
Support Proxy
Request Certificate
Send Certificate
Unique SAs
IKE Fragmentation
DISABLE NAT-T

Thanks for all your work... I know there has to be a lot of people out there looking for the same info... Screw VPN Tracker

[quote author=sibble-comp link=1160415123/0#2 date=1181602444]Success!!! After about 4 or 5 days playing with this, several hours on the phone with Sonicwall support, I can successfully connect to a TZ170 running SonicOS Enhanced 3.1.0.14-49e. Box is using the GroupVPN for the pc users using GVC in automated mode (end users type in ip address, username and password in GVC to connect) with Xauth enabled. Also using DHCP relay so clients get an address from the internal dhcp server, NOT the sonicwall box itself. I am using IPSecuritas 3.0 build 1693 After several hours on the phone with Sonicwall support today and the tech finally saying he was out of ideas to try, I went back to basics, removed/reverted all the changes we had been made during testing. Sonicwall is setup thusly Security Policy TAB IPsec Keying Mode: Ike using preshared secret Name: Wan GroupVPN Shared Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxx[/quote]

FVG318 examples?
FVG318 examples? by machelp on 2006-10-16 21:22:51 +0200
Has anyone had any success using IPSecuritas to connect to a Netgear FVG318? I'd love to see some examples. Thanks!

Beta 14 certificate bug.
Beta 14 certificate bug. by truckstop on 2006-10-17 01:25:47 +0200
I am pretty sure that there is an error in the IPSecuritas Beta 14 where the generated racoon.conf file uses the same certificate identifier for both the system cert and the peer cert. For example, this is what I have found in my racoon.conf:

certificate_type x509 "5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.cert" "5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.priv";
peers_certfile x509 "5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.cert";

So if you can't get Beta 14 to work with IPCOP, that is why.

Re: Beta 14 certificate bug. by bmc303 on 2006-10-19 22:13:37 +0200
I tried to find the entry in my racoon.conf. But it doesn't seem that IPSecuritas changed anything. When I for example search for my IPCop's IP address or its hostname, nothing is matched. Do you have any idea what the reason for this could be? Goodbye!

Re: Beta 14 certificate bug. by bmc303 on 2006-10-19 22:44:01 +0200
Aaah! I finally found the menu entry to see the log and the configuration file. I can confirm what the original poster stated.
certificate_type x509 ...
peers_certfile x509 ...
both rely on the same cert. I'm back to version 2.2. Works nice! :-)

Re: Beta 14 certificate bug. by houser on 2006-10-21 10:39:28 +0200
Hello, I posted a question regarding use of a Netscreen firewall and IPsecuritas 3.0b14 and it seems I have found the same issue as you guys. 2.2 works perfectly AFAIK... and our log indicates the very same bug as you have reported. FWIW. all the best Janne A.

DNS in IPSecuritas vs VPN Tracker
DNS in IPSecuritas vs VPN Tracker by witchdoctor on 2006-10-19 21:58:32 +0200
I'd like to do a straight replacement of VPN Tracker with IPSecuritas 3.0b14 on my network for the Mac folk. Problem is, DNS lookups don't seem to work. The search domain is ournetwork.local, and I've specified the local DNS server address. VPN Tracker works fine, but IPSecuritas doesn't resolve the names at all. Tried dig / traceroute and it simply doesn't resolve the hostname under IPSecuritas' tunnel. Any ideas?

Netscreen 5GT
Netscreen 5GT by houser on 2006-10-20 13:37:50 +0200
Hello, Thanx for a great freeware VPN client! I am trying to set up IPSecuritas with a firewall from Juniper Networks, namely a 5GT. Any documentation / hints on how to set this up? I have it working with version 2.2 and would ideally just need a config for IPsecuritas 3 that works with the existing setup. It seems there is a bug or at least a change in 3 from 2.2 that stops the connection in the middle of it. I have copied the settings from 2.2 to 3 and get this error:
Oct 21, 10:42:57 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xx[500]->10.0.1.2[500]
Grateful for any feedback or hints. TIA and regards, janne a.

Re: Netscreen 5GT by Umeboshi on 2006-10-21 11:27:01 +0200
I had a very good experience with the 3b-6 beta that was available just before Lobotomo took their time out. I had to tweak the 2.1 config a little to get it to work (the parameters and settings are not identical) but it worked really well. After Lobotomo's return and the release of 3b-14 I was quick to try it again (since 3b-6 had expired) but to this point, with the same config that worked with 3b-6, it hasn't worked yet. My environment is basically the same as yours: Netscreen 5GT. I can get the current 2.2 version to work with no problems but not the 3b-14 version. I am getting a PSK not found error in the logs so it seems that my problem may be a little different. I continue to work on this as time permits and will post again if I come across anything that may be useful, but ask you (and everyone else with this same type of problem) to post whatever you find as well. Thanks

Re: Netscreen 5GT by houser on 2006-10-21 18:47:10 +0200
Thanx for your reply. Sure, I will try some trix too. I get various errors but no success. What would be the point of using 3 over 2 anyway at this point? It does not offer anything important new, AFAIK? Ah well, best Janne A.

Re: Netscreen 5GT by Umeboshi on 2006-10-22 10:35:13 +0200
The things I saw in 3b-6 that I really liked were:
1. The auto connection feature. Currently 2.2 tells you that the system has gone into sleep mode and the connection has been shut down. 3b-6 just reconnected when the network came back up as long as it was flamed-on. Security wise possibly a little dangerous but a nice feature. I believe there is also an on/off for this setting as well.
2. The XAuth support. Although the XAuth support didn't work as anticipated - I had hoped for a popup window for username and password entry (similar to the functionality of the Netscreen Windows client) - it did work, which allowed a little more generic settings between Mac and Windows on the Netscreen 5GT itself.
So if I can get the current 3b-14 beta to work I am sure to use it. Thanks

Re: Netscreen 5GT by houser on 2006-10-22 20:06:34 +0200
Alright, thanx. I liked the menu item that allows on/off without opening the app. Let me know if you get it to work, and I will do the same. best Janne A.
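The Beta 14 symptom reported by truckstop, bmc303 and houser above (the generated racoon.conf names the same file in `certificate_type` and `peers_certfile`) is easy to check mechanically, and the same pass can catch `verify_cert off`, which silently disables validation of the gateway's certificate. The script below is an added example, not code from IPSecuritas, Lobotomo or this thread: it splits a racoon.conf into its `remote` blocks (tracking brace depth so nested `proposal { }` blocks stay with their remote) and reports, per peer, a peers_certfile that is the client's own certificate or a disabled certificate check. The UUID file names are the ones truckstop quoted; the peer addresses (192.0.2.x documentation range), the gateway certificate file name and the rest of the sample configuration are constructed for the example.

```python
"""Check racoon.conf remote blocks for the Beta 14 certificate mix-up.

Added example, not code from IPSecuritas/Lobotomo or from this thread. It
assumes the racoon.conf syntax quoted above (certificate_type x509 "cert"
"key"; peers_certfile x509 "cert";) and that each `remote <peer> {` opens
on one line. The sample configuration is constructed; the UUID file names
are the ones truckstop quoted.
"""
import re
from typing import Dict, List, Optional

REMOTE_START = re.compile(r"^remote\s+(?P<peer>\S+)\s*\{")
OWN_CERT = re.compile(r'certificate_type\s+x509\s+"(?P<cert>[^"]+)"\s+"(?P<key>[^"]+)"\s*;')
PEER_CERT = re.compile(r'peers_certfile\s+x509\s+"(?P<cert>[^"]+)"\s*;')
VERIFY_OFF = re.compile(r"\bverify_cert\s+off\s*;")


def remote_blocks(conf: str) -> Dict[str, str]:
    """Return {peer: body} for every top-level remote block, tracking brace
    depth so nested proposal { ... } blocks stay inside their remote."""
    blocks: Dict[str, str] = {}
    peer: Optional[str] = None
    body: List[str] = []
    depth = 0
    for line in conf.splitlines():
        code = line.split("#", 1)[0]          # strip racoon.conf comments
        if peer is None:
            m = REMOTE_START.match(code.strip())
            if m:
                peer, body = m.group("peer"), []
                depth = code.count("{") - code.count("}")
            continue
        depth += code.count("{") - code.count("}")
        if depth <= 0:                         # closing brace of the remote
            blocks[peer] = "\n".join(body)
            peer = None
        else:
            body.append(code)
    return blocks


def check_remote(body: str) -> List[str]:
    """Problems with the x509 settings of one remote block (empty = fine)."""
    own, peer = OWN_CERT.search(body), PEER_CERT.search(body)
    if own is None and peer is None:
        return []                              # PSK remote: nothing to check
    if own is None or peer is None:
        return ["incomplete x509 setup: need both certificate_type and peers_certfile"]
    problems = []
    if own.group("cert") == peer.group("cert"):
        problems.append("peers_certfile is the client's own certificate file "
                        f"({peer.group('cert')}); the gateway cert can never match it")
    if VERIFY_OFF.search(body):
        problems.append("verify_cert off: the gateway's certificate is not validated")
    return problems


def check_conf(conf: str) -> Dict[str, List[str]]:
    return {p: check_remote(b) for p, b in remote_blocks(conf).items()}


# Constructed sample: 192.0.2.1 shows the Beta 14 bug plus verify_cert off,
# 192.0.2.2 is the corrected form, 192.0.2.3 uses a pre-shared key.
SAMPLE_CONF = """
remote 192.0.2.1 {
    exchange_mode main;
    certificate_type x509 "5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.cert" "5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.priv";
    peers_certfile x509 "5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.cert";
    verify_cert off;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

remote 192.0.2.2 {
    exchange_mode main;
    certificate_type x509 "5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.cert" "5e0963d3-ffe1-4c46-a389-6f6ac4136ad0.priv";
    peers_certfile x509 "gateway-placeholder.cert";   # the gateway's own cert, exported separately
    verify_cert on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}

remote 192.0.2.3 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
"""

if __name__ == "__main__":
    for peer, problems in check_conf(SAMPLE_CONF).items():
        print(peer, "->", problems or ["ok"])
```

Run it against the racoon.conf IPSecuritas writes (the path is shown in the "Reading configuration from" log line quoted earlier in this thread) to confirm whether an installed build still has the mix-up before spending time on gateway-side settings.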
Fortinet, FortiGate100
Fortinet, FortiGate100 by Bones on 2006-10-20 14:36:42 +0200
Hi, Anyone got good settings for FortiGate100? I have no problems getting the VPN running in VPN Tracker. I have set all the settings like in Tracker but still no go... Here is the log...
Oct 20, 19:12:47 Info APP IKE daemon started
Oct 20, 19:12:47 Info APP IPSec started
Oct 20, 19:12:47 Error IKE Foreground mode.
Oct 20, 19:12:47 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Oct 20, 19:12:47 Info IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005 (http://www.openssl.org/)
Oct 20, 19:12:47 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Oct 20, 19:12:47 Info IKE Resize address pool from 0 to 255
Oct 20, 19:13:00 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Oct 20, 19:13:00 Error IKE Xauth mode config request but peer did not declare itself as Xauth capable
Oct 20, 19:13:00 Warning IKE Ignored short attribute XAUTH_USER_NAME
Oct 20, 19:13:00 Warning IKE Ignored short attribute XAUTH_USER_PASSWORD
Oct 20, 19:13:16 Info APP IPSec stopping
Oct 20, 19:13:17 Info APP IKE daemon terminated
Anyone :-) /b

NetgearFVS124G<-->LinksysBEFSX41
NetgearFVS124G<-->LinksysBEFSX41 by SteveC on 2006-10-26 08:03:45 +0200
Using beta 3. No matter what I do I get the dreaded "time out from phase 1" error. What is the basic issue here? Same with v2 of IPSecuritas AND VPNTracker4. TWRoadRunner is the ISP for both. Is this a blocked port issue? Help! Steve

Connecting to Sonicwall
Connecting to Sonicwall by surfer on 2006-11-05 02:15:25 +0100
Hi Guys, I am having a battle getting ipsecuritas 3.0b14 to talk to a Sonicwall TZ170. After debugging, the log makes it seem like ipsecuritas doesn't recognise Sonicwall as supporting Xauth authentication. I was wondering if anyone's got Xauth working with Sonicwall? I mean both software and hardware support it so it should work. I will keep trying to get this working. I read the post where one of the guys got a username and password prompt while authenticating using ipsecuritas 3.0b1, but that disappeared in 3.0b14. If I have any luck I will post my findings. Regards, .

Re: Connecting to Sonicwall by deanpence on 2006-11-27 19:49:32 +0100
Any luck on this? This is what I'm getting:
No ID match.
couldn't find the proper pskey, try to get one by the peer's address.
fatal NO-PROPOSAL-CHOSEN notify message, phase1 should be deleted.
I'm on a Powerbook G4 connecting to a SonicWall TZ 170 with XAuth and PSK.

Re: Connecting to Sonicwall by yves_kayak on 2006-11-28 05:24:41 +0100
Hello, I'm using a PowerMac G5 with OS X 10.4.8 and IPSecuritas 3.0b14 and connecting to a SonicWall Pro 230. I get the message "couldn't find the proper pskey, try to get one by the peer's address." as part of a "normal" (working) connection process. (It's the last message I get in the log on a successful connection.) I used to have the "fatal NO-PROPOSAL-CHOSEN notify message, phase1 should be deleted." message too. After a while I was able to get our sysadmin to set the SonicWall's DHCP optional, and now it works. I don't remember exactly, but in the Sonic's config, it was the last tab on the right (client config or something), and then the last thing at the bottom of the page (client address via DHCP). Choices are "none", "DHCP", or "both". At the beginning it was set to "NONE", and the clients were using their local IP addresses (obtained from their ISP), but people with routers were disconnected because of IP conflicts (with addresses obtained from the router's DHCP). Then the sysadmin changed the setting to DHCP. It solved the routers' IP conflicts for people on Windows, but IPSecuritas was unable to connect. (BTW, VPN Tracker 4.0 supports the DHCP setting.) Changing the setting to "both" allows IPSecuritas to connect, but Mac users using routers must be careful to configure their routers to avoid IP conflicts: do not use 10.0.1.100, since most people do... By the way, be patient. After setting the DHCP to "both" on the server, it often takes IPSecuritas 10 or 15 seconds before you get the green light. I believe it was much faster before we used DHCP on the SonicWall's server. I'm connecting with XAuth and PSK too. Hope this helps, Yves

what's new in IPSecuritas 2.2 ?
what's new in IPSecuritas 2.2 ? by favincen on 2006-11-06 15:13:57 +0100
Hi, IPSecuritas 2.2 is available for download, but both the web page and the readme file need to be updated as both still refer to version 2.1. Could you give some details about what's new in version 2.2? thanks and regards

show version
show version by niko on 2006-11-06 22:48:00 +0100
Hello Everyone, Am trying to find out if a netscreen 5gt that we want to set up in our office in Brasil has the "export version" of the software but I can't - the command show version doesn't work. Any idea? Thanks Niko

Sonicwall Config
Sonicwall Config by darken9999 on 2006-11-10 12:43:56 +0100
Wow, this message board software is falling apart. Images don't work, profiles can't be adjusted. Anyway, here's my config to connect to a Sonicwall 2040 using the 3.0 beta. I figure it should be good for most current Sonicwall stuff. It's not comprehensive, since I've been using VPNTracker for a while, but it should at least get you in the ballpark. I use XAUTH and DHCP for my config. Start a new config. I'm only showing the things you have to change. I don't use DNS on the VPN, so I'm leaving it alone.

--- On the Sonicwall ---
Use the VPN wizard to get things started, using the defaults.
- In the general VPN settings, change the unique firewall identifier to the Sonicwall's public IP.
- In the advanced VPN policy for the groupvpn, require XAUTH (trusted users).
- In the client settings for the groupvpn, change virtual adapter settings to DHCP Lease or Manual Configuration.

--- In IPSecuritas ---
--- General
- Remote Device: <Sonicwall IP>
- Remote side network address: <Remote VPN network>
--- Phase 1
- DH Group: 1024 (2)
- Encryption: 3DES
- Authentication: SHA-1
- Exchange Mode: Aggressive
- Proposal Check: Claim
--- Phase 2
- PFS Group: None
- Encryption: Only DES & 3DES
- Authentication: Only MD5 & SHA-1
--- ID
- Authentication Method: XAuth PSK
- Preshared Key: <from the Sonicwall>
- Username/Password: <the user/pass you created on the Sonicwall with VPN privileges>

Connect to Remote Client
Connect to Remote Client by surfincajun on 2006-11-15 20:11:52 +0100
Hello, I have no idea how to set this up to work correctly. I have tried setting it up and all I get on the last line is: Resize address pool from 0 to 255. Settings I need are as follows (from remote firewall):
shared secret: XXXXXX (This I have no problems with)
IKE negotiation every 1440 seconds
Phase 1: 3DES, SHA1, DH group 2
Phase 2: AES-256, MD5, DH group 2
Our networks inside the tunnel: 10.70/16 10.50/16 192.168.14.0/24
IP address of our firewall: xx.xx.xx.xxx (Full IP Address of Firewall WAN)
If anyone can point me in the right direction or let me know what additional settings I need to complete the tunnel I would greatly appreciate it.

Beta version will expire soon
Beta version will expire soon by yves_kayak on 2006-11-28 05:00:58 +0100
Hello everybody, I installed IPSecuritas 3.0 beta 14 on October 11. When I start the application, I get a popup: "This is a beta version of IPSecuritas, which will expire in 6 days. Please download a more recent version from our web page." I went to the web site, and it seems that Beta 14 is currently the most recent version. Did someone get this message a couple of days ago? What happened after the delay expired? Is someone aware of a new version available within a couple of days? Can I reinstall beta 14 and use it until a new version comes out? Thanks, Yves Forget

Re: Beta version will expire soon by Forum Admin on 2006-11-28 09:22:15 +0100
Hello, we will make the release candidate available in the coming couple of days. The release candidate will not expire anymore and will be replaced by the final version hopefully soon. Cheers, Christoph

Actiontec GT701-WG
Actiontec GT701-WG by Cam on 2006-12-01 21:32:38 +0100
Does anyone have any experience using IPSecuritas through an Actiontec GT701-WG to get into a Netscreen 5GT? We have a remote user who cannot get VPN to work and I'm not having much luck connecting to her modem remotely to attempt troubleshooting.

IPSecuritas 3.0 Release Candidate
IPSecuritas 3.0 Release Candidate by Forum Admin on 2006-12-02 17:40:59 +0100
We're proud to announce the release candidate of IPSecuritas 3.0. Please go to http://www.lobotomo.com/products/IPSecuritas/beta.html for more information. The IPSecuritas Team.

Re: IPSecuritas 3.0 Release Candidate by robotguy on 2007-02-08 14:43:20 +0100
Thanks for the release candidate! I am able to get this working with my firewall and love the changes. You mention in your feature list that XAUTH will be included but there are some forum posts that go both ways on this. Is it yet-to-be-included or is it there and I can't find it? I would expect a username/password field somewhere in the ID section or perhaps a popup requesting these when logging in. For now, I am not using XAUTH and things work, but I will need to change this in the long run to please our system administrator. Any news on this?

Re: IPSecuritas 3.0 Release Candidate by houser on 2007-02-09 16:44:33 +0100
Hello, This version seems to work great for us, thanx for making a nice bit of code! Just a quick question: Everything seems to work perfectly...
..but if I set log level to "warning" I get this when I log on:
[code]
IPSecuritas 3.0rc build 1040, Fri Dec 1 21:00:13 CET 2006, nadig
Darwin 8.8.3 Darwin Kernel Version 8.8.3: Wed Oct 18 21:57:10 PDT 2006; root:xnu-792.15.4.obj~4/RELEASE_I386 i386
Feb 09, 16:37:00 Warning IKE Foreground mode.
Feb 09, 16:37:07 Warning IKE ignore RESPONDER-LIFETIME notification.
Feb 09, 16:37:07 Warning IKE attribute has been modified.
[/code]
All seems to work as expected. Is my VPN still safe? Is there any setting I should tweak? thanx for your time! best Janne A.

Re: IPSecuritas 3.0 Release Candidate by cnadig on 2007-02-09 18:02:05 +0100
Hi Janne, don't worry - the notification is sent by the remote side to indicate that the time your side proposes for phase is longer than what the remote side allows. You might see some connection interruption after the remote time has been reached. Security is not affected. To get rid of the warning, just lower the lifetime value in phase 2 to a value that the remote side accepts. Hope this helps, Christoph

Re: IPSecuritas 3.0 Release Candidate by houser on 2007-02-11 12:04:24 +0100
Thanx very much for that, I will give it a whirl... I assume you mean the "lifetime" setting in phase 2? It is now 28800 secs.. and I can't find the appropriate setting on the remote side (Juniper, NETSCREEN 5GT) to correspond to. I can't get these things in the log to go away, so I guess I can ignore that then for now...... Thanx so much for listening! best Janne A.
[code]
IPSecuritas 3.0rc build 1040, Fri Dec 1 21:00:13 CET 2006, nadig
Darwin 8.8.3 Darwin Kernel Version 8.8.3: Wed Oct 18 21:57:10 PDT 2006; root:xnu-792.15.4.obj~4/RELEASE_I386 i386
Feb 11, 11:58:19 Error IKE Foreground mode.
Feb 11, 11:58:24 Warning IKE attribute has been modified.
[/code]

Re: IPSecuritas 3.0 Release Candidate by budy on 2007-02-22 15:39:36 +0100
Hi Christoph, I am running 3.0rc on my MBP connecting to our VPN-1 NGX R62. As in Beta 14 of 3.0, it seems that I cannot get the DNS to work at all. I have set up our main domain jvm.de in the DNS section and have also set up our internal DNS servers, but I am not able to look up any internal host. I know that this was a bug in beta 14 and I hoped that it would have been resolved in this version. Thanks, Budy

Re: IPSecuritas 3.0 Release Candidate by budy on 2007-02-22 15:55:45 +0100
Hi, I have to jump in here again. It seems that the problem is more related to lookupd on my Mac OS X installation. As I have just noticed, IPSecuritas places its <domain>.ipsecuritas file in /etc/resolvers but lookupd just seems to ignore it. Even after restarting lookupd I still cannot look up any hosts from that domain. Any ideas, anyone? Thanks, Budy

Re: IPSecuritas 3.0 Release Candidate by budy on 2007-02-22 17:21:27 +0100
Now, that's fun. It turns out that the only application that does not make use of /etc/resolver/... seems to be the terminal. And to be honest, that was the one I tried first. All other apps connect to our internal server just fine. Cheers, Budy

Re: IPSecuritas 3.0 Release Candidate by glamm on 2007-03-22 20:02:51 +0100
[quote author=robotguy link=1165077659/0#1 date=1170942200]Thanks for the release candidate! I am able to get this working with my firewall and love the changes. You mention in your feature list that XAUTH will be included but there are some forum posts that go both ways on this. Is it yet-to-be-included or is it there and I can't find it. I would expect a username/password field somewhere in the ID section or perhaps a popup requesting these when logging in. Any news on this?[/quote]
I would love to have XAUTH + Certificate authentication as supported by Secure Computing's Sidewinder product. Any news on if this is possible or expected?

Re: IPSecuritas 3.0 Release Candidate by omega_red on 2007-03-26 00:08:46 +0200
Feature Request: Select profiles from menu and widget.
I'm using the profiles to connect to various companies; if I don't use the profiles I will connect to all the companies each time I start IPSec. Or is there a way to connect to only one connection if they are in the same profile? If this feature is included and the XAuth problem with the ZyWALL 5 is solved (see my topic on the forum: [url]http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1173957250[/url]), this is the absolute best IPsec software for the Mac!

One issue with RC3 by coreyva on 2007-05-11 03:30:50 +0200

Exporting then importing a protected connection requires a password before connection start even if unchecked.

Re: IPSecuritas 3.0 Release Candidate by Forum Admin on 2007-05-12 11:25:36 +0200

Hi,

Thank you very much for the bug report - I fixed it. In the meantime, uncheck both 'Admin Password' and 'Query Password' and you shouldn't be asked for a password.

Cheers,
Christoph

XAuth bug in the 3.0RC build 1040 by signal15 on 2006-12-06 19:56:41 +0100

When connecting to a Netscreen, I get the following error on the Netscreen:

[code]
Rejected an IKE packet on untrust from y.y.y.y:2399 to x.x.x.x:4500 with cookies e808852d932c2964 and b20e19b73074190d because a Phase 2 packet arrived while XAuth was still pending.
[/code]

Have others had this problem? It appears that it's not sending the password.

[SOLVED] VPN to multiple networks by mtoivo on 2006-12-20 14:45:03 +0100

Hi all.

I'm trying to get IPSecuritas to route two remote networks (10.0.0.0/24 and 10.0.1.0/24) via the same connection. I've set them up in 'Connections' as remote side endpoint mode (networks), but after the connection is established, only the upper network in the list gets routed. I tried increasing the netmask to 23 (to cover addresses from 10.0.0.1 to 10.0.1.254) with no luck. Funny enough, I couldn't get it to work with VPN Tracker either. The firewall (SonicWALL TZ170) isn't the problem, I'm sure of that, because it routes similar networks constantly. And if I'm fast enough, I'm able to ping the other network too while the connection is being established, but after that it doesn't respond anymore. Is there any way of debugging the Mac OS X IPsec layer in a way that I could see routes and stuff?

Thanks!
Mikko Toivola

Re: [SOLVED] VPN to multiple networks by mtoivo on 2006-12-20 15:55:24 +0100

Ah, I forgot to set 'Unique SAs' in the Options tab. I must have disabled that while trying to make it establish the connection at first. I'm kind of a newbie to these VPN thingies, didn't even know what that meant.

IP range ... by thegnorf on 2006-12-20 16:18:42 +0100

Hello!

Perhaps someone can help me with this trouble: I used to play with IPSec 2 for a while, and I'm now testing the 3rd version (3.0)... I found that I can't have a "local side host IP" in the same range as my "Remote Side Network IP". This configuration used to work with IPsec v.2, but now only pops up a "collision between local and remote network" warning. Did someone have the same difficulties? Is it a bug or will this never work again? Of course, I could change all my IP ranges but.... it wouldn't be fun ;-)

Thank you!

Re: IP range ... by brlandy on 2006-12-26 23:12:05 +0100

I had the same problem; I'm using OpenBSD as my remote gateway. In the end I reconfigured the OpenBSD side using the newer, easier ipsec.conf file. At that point it properly routed to my client address even if I specified a client address outside of the remote network's range. This ended up working a lot better than my old setup, which required something like arpd on the gateway to route properly. So, I decided the warning was reasonable and a better setup was needed to avoid it.

3.0rc: XAuth and mode cfg working? by frankly on 2006-12-27 11:47:58 +0100

Hi,

Is xauth and mode_cfg supposed to work?
I cannot establish a connection using it :( (works with VPN Tracker, if mode cfg is switched on)

Thanks
Frank

Re: 3.0rc: XAuth and mode cfg working? by helium on 2007-01-20 22:09:58 +0100

I ran the version of racoon that ships with IPSecuritas manually and had it dump the parsed config file, and rather than parse the xauth config directive correctly, racoon thinks it should use gss. Try it yourself with racoon -C on the config file IPSecuritas generates - you can grab it by starting a connection and making a copy of the racoon.conf and psk.txt that end up in /Library/Application Support/Lobotomo/IPSecuritas while a connection is running.

UPDATE: I grabbed the latest CVS of ipsec-tools, compiled them myself, and found it followed the same behavior. In algorithms.[ch], there's a static struct defined that contains mappings for the config tokens to functions that implement each algorithm, and for reasons I've not yet uncovered the wrong one is being selected when any of the hybrid_* or xauth_* directives are given.

racoon crash (with 3.0rc) by frankly on 2007-01-03 06:57:40 +0100

Hi,

Still trying to use xauth together with mode_cfg. racoon crashes during connection:

** racoon.crash.log:

Date/Time: 2007-01-03 06:34:42.826 +0100
OS Version: 10.4.8 (Build 8L127)
Report Version: 4

Command: racoon
Path: /Library/StartupItems/IPSecuritasDaemon/racoon
Parent: IPSecuritasDaemon [215]

Version: ??? (???)

PID: 5739
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000001

Thread 0 Crashed:
0 racoon 0x0002c3f0 getsockmyaddr + 76
1 racoon 0x00006120 isakmp_send + 260
2 racoon 0x00006454 isakmp_ph2resend + 152
3 racoon 0x00037240 schedular + 132
4 racoon 0x00002998 session + 520
5 racoon 0x00002468 main + 648
6 racoon 0x00001bfc _start + 392
7 dyld 0x8fe01048 _dyld_start + 60

Binary Images Description:
0x1000 - 0x69fff racoon /Library/StartupItems/IPSecuritasDaemon/racoon
0x8fe00000 - 0x8fe51fff dyld 45.3 /usr/lib/dyld
0x90000000 - 0x901bcfff libSystem.B.dylib /usr/lib/libSystem.B.dylib
0x90214000 - 0x90219fff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib
0x91a0c000 - 0x91ad3fff libcrypto.0.9.7.dylib /usr/lib/libcrypto.0.9.7.dylib
0x94f68000 - 0x94f85fff libresolv.9.dylib /usr/lib/libresolv.9.dylib

** from the IPSecuritas log:

IPSecuritas 3.0rc build 1040, Fri Dec 1 21:00:13 CET 2006, nadig
Darwin 8.8.3 Darwin Kernel Version 8.8.3: Wed Oct 18 21:57:10 PDT 2006; root:xnu-792.15.4.obj~4/RELEASE_I386 i386
Jan 03, 06:34:19 Info APP IKE daemon started
Jan 03, 06:34:19 Info APP IPSec started
Jan 03, 06:34:19 Debug APP State change from IDLE to RUNNING after event START
Jan 03, 06:34:19 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jan 03, 06:34:19 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jan 03, 06:34:19 Error IKE Foreground mode.
Jan 03, 06:34:19 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)

two simultaneous connections? by zoomin on 2007-01-03 20:15:00 +0100

Hello,

I am using IPSecuritas v2.2 with an Intel MacBook, OSX 10.4.8. It works really well with Fortigate-60 VPN firewalls from Fortinet, but I can only establish one tunnel at a time. Is this by design or what am I missing? I can connect to either one just fine but once connected, the other tunnel will not connect.
They are Host to Network tunnels and the remote networks ARE different (192.168.24.0/24 and 192.168.31.0/24).

Thanks very much.

Re: two simultaneous connections? by mtoivo on 2007-01-09 10:24:04 +0100

Stumbled on this same problem too, see my topic a bit lower here :). The resolution was to set the "Unique SAs" option for the connection. I'm using the 3.0rc version, but I think that's the reason. After that I managed to set up two individual tunnels or configure a connection with host to networks mode. Remote endpoint is a SonicWALL TZ170.

Re: two simultaneous connections? by zoomin on 2007-01-15 17:49:03 +0100

[quote author=mtoivo link=1167851700/0#1 date=1168334644]Stumbled on this same problem too, see my topic a bit lower here :). The resolution was to set the "Unique SAs" option for the connection. I'm using the 3.0rc version, but I think that's the reason. After that I managed to set up two individual tunnels or configure a connection with host to networks mode. Remote endpoint is a SonicWALL TZ170.[/quote]

Thanks for the intel, but I think my situation is different, in that I am not trying to set up a route to two subnets via a single IPsec connection; I am trying to establish two or more IPSEC connections to different subnets (and different endpoints) at the same time. I.e. I am trying to get my IPSEC tunnel to a branch office in Burnaby to be up at the same time as my IPSEC tunnel to Vancouver, etc.

IPSecuritas 3.0rc and Lookupd by nickl on 2007-01-04 07:32:03 +0100

This is a Mac OS X 10.4.8 system on a MacBook Pro with IPSecuritas 3.0rc. Has anyone had trouble with IPSecuritas killing the resolver and authentication services? This appears to be a reproducible issue after having restarted a VPN session multiple times. Lookupd will crash; manually restarting it doesn't help. Any attempts at user authentication with sudo or programs requesting admin access will fail. This can be really annoying when waking the computer from sleep and it won't accept your password. A full reboot appears to be the only solution.

Re: IPSecuritas 3.0rc and Lookupd by mtoivo on 2007-01-09 10:19:03 +0100

I have exactly the same issues with the 3.0rc too, talkin' about an annoying feature. Didn't manage to trace it back to lookupd, although I saw it crashing in the reports. I figured it had to be IPSecuritas' fault, since after installing it this started happening. I removed some other old services (like Xgrid and such) which also seemed to be crashing. Now the only solution is to kill all VPNs before putting the computer to sleep.

I came to this forum because I can't get the /etc/resolver thing to work at all. IPSecuritas sets it up correctly (a file named domain.tld, which contains a correct nameserver statement) and queries to the server work with dig, no problem. Restarting lookupd or -flushcache doesn't help.

Re: IPSecuritas 3.0rc and Lookupd by graabein on 2007-01-16 00:45:53 +0100

Exact same problem, exact same versions of Mac OS X and IPSecuritas (10.4.8 and 3.0rc). This problem has been driving me nuts and has caused me to have real data loss. Needless to say I'd like to see it fixed... (not least because IPSecuritas is a brilliant little utility). I've been running with DNS resolver enabled for all my connections (and it works for me, BTW), so I thought I'd try to disable that feature first and see if that helps. Anyone else who's seen this IPSecuritas/lookupd problem had any luck with just disabling the DNS resolver functionality of IPSecuritas?

Gunnar

Re: IPSecuritas 3.0rc and Lookupd by Forum Admin on 2007-01-16 22:58:13 +0100

Hello,

Thank you very much for your feedback! I can confirm this behaviour and a bug fix is currently in testing. I will release another 3.0 Release Candidate fixing this and a few other issues shortly.

Christoph

Re: IPSecuritas 3.0rc and Lookupd by mtoivo on 2007-01-19 09:17:34 +0100

Glad to know this is a known bug now. My /etc/resolver issues were not a problem after all. The 'host' command just didn't look there; ping, web browser etc. worked fine. I just might turn off the DNS resolver thing until a fix comes out; I have statically set the /etc/resolver file so there's no need for IPSecuritas to set it.

3.0rc Host -> Anywhere Setup by nickl on 2007-01-04 07:56:17 +0100

I've been having trouble getting packets to route over the VPN with a host to anywhere configuration. The gif0 interface doesn't appear to have been brought up and no routes are configured to send packets through the tunnel. Should I be able to get this working? If I change the IPSecuritas settings to use a fixed IP address (10.1.0.x) to our 10.20/16 network, packets will be tunneled as expected. Other than this change in the connection's general tab, the IPSecuritas settings are identical. I'm attaching two sets of setkey/netstat data below.

Host -> Anywhere Info

$ sudo setkey -DP
0.0.0.0[any] 172.16.1.7[any] any
    in ipsec
    esp/tunnel/xxx.xxx.xxx.xxx-172.16.1.7/require
    spid=2 seq=3 pid=1182 refcnt=1
0.0.0.0[500] 172.16.1.7[500] any
    in none
    spid=4 seq=2 pid=1182 refcnt=1
172.16.1.7[any] 0.0.0.0[any] any
    out ipsec
    esp/tunnel/172.16.1.7-xxx.xxx.xxx.xxx/require
    spid=1 seq=1 pid=1182 refcnt=1
172.16.1.7[500] 0.0.0.0[500] any
    out none
    spid=3 seq=0 pid=1182 refcnt=1

$ sudo setkey -D
172.16.1.7 xxx.xxx.xxx.xxx
    esp mode=tunnel spi=1423428023(0x54d7c9b7) reqid=0(0x00000000)
    E: rijndael-cbc 5bd78fe6 d2a9caa6 8de03783 37d4a984
    A: hmac-sha1 693c10b7 0e2045d9 fe5b9aa5 eee29d7d 946f218a
    replay=4 flags=0x00000000 state=mature seq=1 pid=1449
    created: Jan 3 20:07:27 2007    current: Jan 3 20:09:47 2007
    diff: 140(s)    hard: 28800(s)    soft: 23040(s)
    last: Jan 3 20:09:44 2007    hard: 0(s)    soft: 0(s)
    current: 2128(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 14    hard: 0    soft: 0
    refcnt=2
xxx.xxx.xxx.xxx 172.16.1.7
    esp mode=tunnel spi=18373546(0x01185baa) reqid=0(0x00000000)
    E: rijndael-cbc eb32ead6 62d69f39 b5c218f6 b344ad21
    A: hmac-sha1 9c65fb38 c8ceed5b 4a5d71de 11fda7a2 6eaa729d
    replay=4 flags=0x00000000 state=mature seq=0 pid=1449
    created: Jan 3 20:07:27 2007    current: Jan 3 20:09:47 2007
    diff: 140(s)    hard: 28800(s)    soft: 23040(s)
    last:    hard: 0(s)    soft: 0(s)
    current: 0(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 0    hard: 0    soft: 0
    refcnt=1

$ netstat -rn
Routing tables

Re: 3.0rc Host -> Anywhere Setup by nickl on 2007-01-04 07:57:14 +0100

IP Address -> Subnet Info

$ sudo setkey -DP
10.20.0.0/16[any] 10.1.0.2[any] any
    in ipsec
    esp/tunnel/xxx.xxx.xxx.xxx-172.16.1.7/require
    spid=2 seq=1 pid=13466 refcnt=1
10.1.0.2[any] 10.20.0.0/16[any] any
    out ipsec
    esp/tunnel/172.16.1.7-xxx.xxx.xxx.xxx/require
    spid=1 seq=0 pid=13466 refcnt=1

$ sudo setkey -D
172.16.1.7 xxx.xxx.xxx.xxx
    esp mode=tunnel spi=1690473783(0x64c29537) reqid=0(0x00000000)
    E: rijndael-cbc 883a30eb f9cb44f4 8f27afb2 73065665
    A: hmac-sha1 559fa16e 9815adde 2575519d 26b411b5 e6519408
    replay=4 flags=0x00000000 state=mature seq=1 pid=13518
    created: Jan 3 21:52:38 2007    current: Jan 3 21:53:39 2007
    diff: 61(s)    hard: 28800(s)    soft: 23040(s)
    last: Jan 3 21:53:39 2007    hard: 0(s)    soft: 0(s)
    current: 103144(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 813    hard: 0    soft: 0
    refcnt=2
xxx.xxx.xxx.xxx 172.16.1.7
    esp mode=tunnel spi=12559986(0x00bfa672) reqid=0(0x00000000)
    E: rijndael-cbc d0f55e15 697e60e1 20ee4d91 41053bdb
    A: hmac-sha1 6faff285 34ae44f3 06565f6e 5c5d3db7 c5bffcb0
    replay=4 flags=0x00000000 state=mature seq=0 pid=13518
    created: Jan 3 21:52:38 2007    current: Jan 3 21:53:39 2007
    diff: 61(s)    hard: 28800(s)    soft: 23040(s)
    last: Jan 3 21:53:39 2007    hard: 0(s)    soft: 0(s)
    current: 896592(bytes)    hard: 0(bytes)    soft: 0(bytes)
    allocated: 781    hard: 0    soft: 0
    refcnt=1

$ netstat -rn
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            172.16.1.1         UGSc       19        9    en1
10.20.0.0          10.1.0.2           UH          1        9   gif0
10.20/16           gif0               USc         2        0   gif0
127                127.0.0.1          UCS         0        0    lo0
127.0.0.1          127.0.0.1          UH         20     6430    lo0
169.254            link#5             UCS         0        0    en1
172.16.1/24        link#5             UCS         1        0    en1
172.16.1.1         0:3:93:e4:86:12    UHLW       19      147    en1   1031
172.16.1.7         127.0.0.1          UHS         0        2    lo0

Internet6:
Destination                    Gateway            Flags  Netif Expire
::1                            ::1                UH     lo0
fe80::%lo0/64                  fe80::1%lo0        Uc     lo0
fe80::1%lo0                    link#1             UHL    lo0
fe80::%en1/64                  link#5             UC     en1
fe80::216:cbff:fe05:cff%en1    0:16:cb:5:c:ff     UHL    lo0
ff01::/32                      ::1                U      lo0

Re: 3.0rc Host -> Anywhere Setup by Keen on 2007-02-07 16:55:25 +0100

Hi! It's a bug in the SPD entries: "any" must be set like 0.0.0.0/0[any], but we see only a host configuration: 0.0.0.0[any]. setkey uses the default mask /32 instead of /0. Developers, read the documentation attentively!

PS: Sorry for my English.

Re: 3.0rc Host -> Anywhere Setup by cnadig on 2007-02-07 17:59:17 +0100

Thanks for the hint - fixed it and it will be part of the release.

Thanks,
Christoph

Re: 3.0rc Host -> Anywhere Setup by smpte on 2007-02-19 16:52:59 +0100

So for those of us trying to do a -> anywhere connection, for now, what do we do prior to the release? Default route in the -> network setup?

Cannot connect to WatchGuard Firebox X550e by trehune on 2007-01-05 23:04:44 +0100

Hi,

I'm trying out the IPSecuritas 3.0rc but I can't get it to work with a WatchGuard Firebox X550 running Fireware 8.3. I have worked a lot with VPN but I can't really get this up and running.

My private IP: 192.168.1.103
My firewall's IP: 222.250.45.240
X550e public IP: 213.85.37.3

The firewall I'm behind is a WatchGuard Edge X5 Wireless, which supports IPSec passthrough.
Firebox log:

01-05 22:29:22 iked Searching ID: user domain - myData [MUVPN-Test] peerId [MUVPN-Test]
01-05 22:29:22 Process INFO_EXCHANGE : EncryptBit set before SA created new_msg=" Process INFO_EXCHANGE : EncryptBit set before SA created"
01-05 22:29:22 CreateIsakmpSA : get rasUserGroupId=2 new_msg=" CreateIsakmpSA : get rasUserGroupId=2 "
01-05 22:29:22 iked Phase 1 started by peer with policy [MUVPN-Test_mu] from 222.250.45.240:500 aggressive mode
01-05 22:29:22 iked Sending second message with policy [MUVPNTest_mu] to 222.250.45.240:500 aggressive mode
01-05 22:29:22 Process INFO_EXCHANGE : EncryptBit set before SA created new_msg=" Process INFO_EXCHANGE : EncryptBit set before SA created"
01-05 22:29:22 iked Cannot process the inform message from 222.250.45.240:500 cookies i=f38b8b37 c924f37c r=a81072e4 f2a7f6eb
01-05 22:29:28 Deny 222.250.45.240 213.85.37.3 icmp-Dest_Unreach code(3) 0-External Firebox icmp error with data src_ip=213.85.37.3 dst_ip=192.168.1.103 pr=ike/udp src_port=500 dst_port=500 src_intf='0-External' dst_intf='0-External' can not match any flow, drop this packet 56 50 (internal policy) src_user="testuser1@Firebox-DB"
01-05 22:29:34 iked Cannot process the inform message from 222.250.45.240:500 cookies i=f38b8b37 c924f37c r=a81072e4 f2a7f6eb
01-05 22:29:34 iked Drop negotiation due to peer 222.250.45.240:500 phase one retry timeout

IPSecuritas log:

IPSecuritas 3.0rc build 1040, Fri Dec 1 21:00:13 CET 2006, nadig
Darwin 8.8.3 Darwin Kernel Version 8.8.3: Wed Oct 18 21:57:10 PDT 2006; root:xnu-792.15.4.obj~4/RELEASE_I386 i386
Jan 05, 22:29:20 Info APP IKE daemon started
Jan 05, 22:29:20 Info APP IPSec started
Jan 05, 22:29:20 Error IKE Foreground mode.
Jan 05, 22:29:20 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jan 05, 22:29:20 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jan 05, 22:29:20 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jan 05, 22:29:20 Info IKE Resize address pool from 0 to 255
Jan 05, 22:29:21 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Jan 05, 22:29:21 Error IKE No SIG was passed, hybrid auth is enabled, but peer is no Xauth compliant
Jan 05, 22:29:24 Info IKE couldn't find the proper pskey, try to get one

Re: Cannot connect to WatchGuard Firebox X550e by cman on 2008-11-19 06:04:39 +0100

Did you ever solve this problem? I am having the same with a WatchGuard X700.

Linksys WRV54G by jrr316 on 2007-01-08 18:26:46 +0100

I am trying to connect to a Linksys WRV54G from a Mac running OSX 10.4.8 using IPSecuritas. I am a little stuck. I can get the Linksys utility to connect from my Windows install, but on the Mac it gets stuck on authentication. Anyone get this working that would share screen shots of router configuration and IPSecuritas? jrr316@mac.com

Thanks!
-Justin

Re: Linksys WRV54G by gogojohn on 2007-04-24 19:40:58 +0200

I'm working on this as well. I have both a WRV54G and a WRV200 which I need to connect to. Since 3.0rc has support for the WRV200, that's what I'm focusing on first. I doubt that the WRV54G will be much different to get working afterward. Once I have some success, I'll share what I find with you.

Re: Linksys WRV54G by gogojohn on 2007-04-24 23:01:06 +0200

After spending about a day trying to figure out how to establish a connection to the WRV54G, I tried out VPN Tracker. It worked. So this confirms that it [i]is[/i] possible to connect to the unit with my PowerBook. I'll keep trying to get IPSecuritas 3.0rc to work.
But in the meantime, I'll use the VPN Tracker solution, so that at least I can get on with my business. If/when I do come across a solution, I will share it. For the sake of providing any useful details on the problems that I've been experiencing though, here's the rundown:

[list]
[*] cannot get past phase 1 of negotiating the connection
[*] using pre-shared key, but this isn't working
[*] have attempted in various ways to use the username and password that can be created to provide individual accounts for QuickVPN (this is the same set that I know works fine with my PC using QuickVPN), to no avail
[*] upon inspection the only difference between the settings for the two tools is that VPN Tracker allows PFS (Perfect Forward Secrecy) to be enabled and disabled
[*] apart from that, all the other configuration details appear to be the same
[*] during testing, I've been using a dial-up connection as I haven't had access to a nearby open AP, or from another location (does IPSecuritas have issues with PPP connections?)
[*] the profile in VPN Tracker that worked was for the Linksys BEFVP41
[/list]

And finally: I haven't yet had a chance to work with the WRV200. The one that I use is at a remote location and appears to need a reboot... so I'll try it later and provide success/failure details. Perhaps it will also help to shed some light upon the WRV54G situation?

Where is the config saved? by praenti on 2007-01-10 23:58:28 +0100

Hi,

Anybody here who can tell me where the configuration is saved? Needed a new hard disk in my iBook and want to migrate the old config from the old hard disk to the new one. But I haven't found the configuration file and am hoping you can tell me where it is.

Cheers,
Mike

P.S.: The forum has some problems accessing graphics and the profile, so I cannot change my password. Please correct that.

Re: Where is the config saved? by mtoivo on 2007-01-11 01:28:56 +0100

Hi.

I think the configs are in /Library/Application Support/Lobotomo Software/IPSecuritas. There seems to be a file 'configuration.data', which I thought might be the configuration file, but can't say since it's binary. Strange way to save such configuration as system wide; in the user's Library there's nothing.

Re: Where is the config saved? by praenti on 2007-01-11 09:26:29 +0100

Thank you for the quick response. Sorry that I cannot give you any more information on whether this answer is correct, because the expected head crash of my old hard drive happened yesterday... :-(. (Hard drive changed because of a bearing damage of the spin motor, which can result in a head crash.) But an additional note: my VPN connection is running again now ;-).

Cheers,
Mike

3.0rc connecting to a Cisco PIX? by helium on 2007-01-18 23:42:42 +0100

Anyone had any luck connecting to a PIX with 3.0rc? I can't seem to get past phase 1 negotiation. On the PIX side, I'm using vpngroups for username/password authentication. On the IPSecuritas side, I've selected Hybrid and entered the username/password there. My phase 1 settings on the client match those on the PIX, and yet for the life of me I can't manage to make a connection. I've looked through the racoon.conf and psk.txt file IPSecuritas temporarily generates at runtime, and both look reasonable enough. I've tried enabling/disabling MODE_CFG, situation identity only, DOI, unique SAs and initial contact, but perhaps I'm missing the right combination. All suggestions/feedback welcome. Thanks.

Re: 3.0rc connecting to a Cisco PIX? by helium on 2007-01-19 16:27:36 +0100

[quote author=helium link=1169160162/0#0 date=1169160162]Anyone had any luck connecting to a PIX with 3.0rc? I can't seem to get past phase 1 negotiation. On the PIX side, I'm using vpngroups for username/password authentication. On the IPSecuritas side, I've selected Hybrid and entered the username/password there.
My phase 1 settings on the client match those on the PIX, and yet for the life of me I can't manage to make a connection. I've looked through the racoon.conf and psk.txt file IPSecuritas temporarily generates at runtime, and both look reasonable enough. I've tried enabling/disabling MODE_CFG, situation identity only, DOI, unique SAs and initial contact, but perhaps I'm missing the right combination. All suggestions/feedback welcome. Thanks.[/quote]

I manually figured out the issue. To connect, you need to use pre_shared_key as the algorithm, and the local identifier needs to be in the form of 'my_identifier keyid tag "remote_username"'. Any chance the interface for 3.0 could be updated to allow KeyID as one of the selections, and then have the above config syntax output when it's selected? Obviously, the "remote_username" would be whatever is entered into the text field when KeyID is selected. Thanks.

IPSec mobile clients and split horizon by lonnie on 2007-01-27 20:34:51 +0100

Hi,

Client: Mac OS 10.4, IPSecuritas 3.0rc
Server: m0n0wall 1.22, Soekris net4801, WAN, LAN, DMZ

I had a common problem with others here, using IPSec mobile clients and the resulting split horizon, i.e. only traffic to your local network is sent over the tunnel, all other traffic is sent direct, unencrypted. The particular problem for me was my public POP3 and SMTP servers. One solution would be to run some sort of local proxy for these services, but I prefer that solution as a last resort.

I have solved this problem, and all comments are welcome.

In my IPSec client (IPSecuritas 3.0 on Mac OS 10.4) I define my local endpoint as "Host" and remote endpoint as "Networks" (plural). I need to specify a local address for the "Host" (so the routing works), so I use an unused address in the DMZ. (Would a static route be a better thing to do?)

The Networks are:

10.10.10.0/24 # local LAN
216.x.y.z/32  # public POP3 server
68.a.b.c/32   # public SMTP server

The final 'trick' in the 'Options' tab is to check "Unique SAs". This forces m0n0wall to make policies for each of these networks.

In this scenario, remote traffic to the private LAN and public POP3 and SMTP servers is included in the IPSec tunnels.

Hope this helps others.

Lonnie

IPSecuritas 3.0rc Menu by lonnie on 2007-01-27 20:57:27 +0100

First, I want to express how wonderful IPSecuritas 3 is, definitely worth a PayPal donation.

May I make a suggestion (feature request) for the new menu bar menu. Since I use both PPTP and IPSec, it would be nice, for the sake of consistency, that they worked similarly.

My suggestion...

VPN: Idle / Connected / Authenticating (item disabled)
-----------------
Connect / Disconnect / Cancel
-----------------
IPSec (item disabled)
  o Home VPN
  o Office VPN
-----------------
Profile (item disabled)
  Other (active profile checked)
  Work
-----------------
Open IPSecuritas...
-----------------

Key points:
1) Change profiles via menu. Show active profile.
2) Open IPSecuritas application via menu.
3) Act similar to PPTP menu.

Any other ideas?

Lonnie

Netgear FVS338 by superglu on 2007-01-30 01:05:32 +0100

Has anyone got the FVS338 to work with IPSecuritas? I know it supports FVS328, but how about 338? Thanks!

3.0rc "Connection Surveillance" Defaults by lonnie on 2007-01-31 04:40:02 +0100

IPSecuritas -> Preferences -> "Connection Surveillance" [Ping Interval: and Ping Timeout:]

Does anyone else think the defaults for 'Ping Interval' and 'Ping Timeout' are reversed? My suggestion is:

Ping Interval: 30 sec.
Ping Timeout: 3 sec.

If not, please tell me the error of my thinking.

Lonnie

Connection to Cisco VPN Concentrator 3000 by nacho319 on 2007-02-01 13:20:24 +0100

I'm trying to connect to a Cisco VPN Concentrator and I can't get past Phase 1. I've done network traces comparing what my Mac does to attempt to connect versus what my Windows machine running the Cisco client does to connect. Right now, I think the problem is that I can't get the Mac to use an ID type of KEY_ID, type 11. The options are Address, FQDN, User FQDN, and Certificate. So I think that would be my stumbling block at this point. Is there a way to make IPSecuritas use that identity type? Right now, the Cisco won't even send a reply packet to me with the offer I send it.

Thanks,
Chris

Re: Connection to Cisco VPN Concentrator 3000 by nacho319 on 2007-02-01 13:28:31 +0100

OK, so the Cisco didn't really care about that at all. It just wanted me to change my ID from Hybrid to Xauth-PSK. Stupid machine, I thought Xauth-PSK isn't secure, and Hybrid is better......

lost packets connecting to SonicWall by Dave on 2007-02-05 04:37:05 +0100

I've been having a consistent problem with 3.0RC when connecting to work's SonicWall (TZ150, I think); the problem shows up as lost packets. The connection is to a network using Xauth-PSK and while I get the "green light" and can ping fine, I can't view internal websites if they contain a lot of data; simple sites load fine. For example, I'll get a redirect response or an authentication needed response fine but the full page won't load; it just sits there waiting. It feels very similar to a problem I've seen before, namely fragmented packets being dropped. So a small packet containing just a 30x redirect will get through but the full website packets will all be fragmented and dropped. In the past (beta 6), simply setting my MTU would fix it and all would be fine.
But now, setting that doesn't seem to help at all; the page still stalls (and eventually times out, sometimes). So my question is, does IPSecuritas do automatic MTU adjustment? If not, is there some way I can trace this to determine who, if anyone, is dropping the packets? The logs don't really show anything interesting.

P.S. Thanks for fixing the icons and other aspects of the site. I can't register with my preferred username because it is in that 1/2 registered state where it was trying to send me the email but couldn't.

Re: lost packets connecting to SonicWall by Manuel on 2007-03-15 16:10:40 +0100

That's interesting, I was having the same problem connecting to our Pro 3060 - it looked like an MTU size problem. What's even more interesting is that the problem only showed up when I was opening a tunnel to multiple networks, *and* when the networks were from both the LAN and the DMZ. Opening a tunnel to the LAN or the DMZ only didn't trigger the problem. Then I uninstalled everything and started from scratch, and it doesn't do it anymore. I have no idea what I did to fix it, but now it works... sorry I can't help, it's just to tell you that the problem does exist, and that it can be fixed - somehow.

Re: lost packets connecting to SonicWall by Dave on 2007-03-17 22:26:37 +0100

[quote author=Manuel link=1170646625/0#1 date=1173971440]Then I uninstalled everything and started from scratch, and it doesn't do it anymore.[/quote]

I also installed VPN Tracker but was having the same issue, so I uninstalled IPSecuritas completely, including logging out. When I reinstalled, I had to drop the MTU to 1400 but it would connect! I tried it yesterday with the MTU at 1500 and it [i]still[/i] connects. Yay! :D The only issue I have now is that an https connection still stalls but that isn't that big a deal since I can get to that (internal) site in other ways. The final test will be rebooting and seeing if things still work. But I think they will so thanks! :-)

Re: lost packets connecting to SonicWall by Dave on 2007-03-27 23:26:12 +0200

Update: I rebooted and it [i]didn't[/i] work; it stalled in the "usual" place. However, setting the MTU down to 1400 allowed it to connect and then setting it back to 1500 didn't change its ability to connect. So, for some reason, the MTU has to be jiggled but it only appears to be required once per login/reboot.

IPSecuritas / Firewall / Apple Remote Desktop by mangobuzz on 2007-02-08 06:11:01 +0100

Hello,

Can anyone verify that IPSecuritas 3.0rc disables the firewall settings in System Prefs -> Sharing -> Firewall? Every time I start the VPN, if I click on the Firewall tab in the Sharing prefs I get a notice that "Other Firewall software is running...." As soon as I disable the VPN tunnel, my firewall settings go back to normal (you will need to close System Prefs and re-open the Sharing prefs). Can anyone verify whether this is normal or not?

Can someone also verify if Apple Remote Desktop 3.1 works correctly with IPSecuritas 3.0rc? Currently I am unable to use the upgrade client software feature and I'm unable to copy files to the remote computer, however everything else seems to work. I have a feeling that the firewall problem might be causing Apple Remote Desktop to not work fully.

Any suggestions?

Thanks

Re: IPSecuritas / Firewall / Apple Remote Desktop by cnadig on 2007-02-09 20:49:20 +0100

Hello,

IPSecuritas does not disable your firewall or any of the settings. It adds rules for NAT-T to work (in a nutshell: Mac OS X does not provide proper NAT-T support and therefore IPSecuritas handles the NAT-T traffic. By adding these rules NAT-T relevant traffic is routed through IPSecuritas). The firewall prefpane does not allow editing while other applications have set their own rules - that's why you get this (a bit misleading) error message when you try.
You can list the active firewall rules with the following command (in a Terminal window):

ipfw list

I might move the NAT-T code to a kernel extension one day, making the additional rules obsolete. If you prefer IPSecuritas not to make any of these additional rules, disable NAT-T on all tunnels. Hope this helps, Christoph

Re: IPSecuritas / Firewall / Apple Remote Desktop by houser on 2007-02-11 17:00:16 +0100

I can confirm that ARDT is working just fine here with Firewall switched on in OS X. Latest OS X and latest IPSecuritas RC. I have noticed that these ports seem more "sensitive" to partially incorrect settings, for lack of a better word, than others like 80 etc... For example, I had my mobile 3G connection set with an outdated APN and everything was working apart from ARDT. Support updated my APN and now that works too, without changing anything in IPSecuritas. FWIW, YMMV. best Janne A.

Linksys BEFSX41 Connection

Linksys BEFSX41 Connection by jim_julian on 2007-02-12 01:45:20 +0100

Has anyone been able to establish a VPN with IPSecuritas 2 or 3 and the subject VPN Endpoint router? I haven't :'( With RC 3 I get Phase 1 timeout ...

IPSecuritas 3.0rc build 1040, Fri Dec 1 21:00:13 CET 2006, nadig
Darwin 8.8.3 Darwin Kernel Version 8.8.3: Wed Oct 18 21:57:10 PDT 2006; root:xnu-792.15.4.obj~4/RELEASE_I386 i386
Feb 11, 16:21:17 <ISProperAPP IKE daemon started
Feb 11, 16:21:17 <ISProperAPP IPSec started
Feb 11, 16:21:17 <ISProperIKE Foreground mode.
Feb 11, 16:21:17 <ISProperIKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Feb 11, 16:21:17 <ISProperIKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Feb 11, 16:21:17 <ISProperIKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Feb 11, 16:21:17 <ISProperIKE Resize address pool from 0 to 255
Feb 11, 16:22:00 <ISProperIKE phase2 negotiation failed due to time up waiting for phase1.
ESP xx.xxx.xxx.xxx[500]->10.0.1.3[500]
Feb 11, 16:22:02 <ISProperIKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->10.0.1.3[500]
Feb 11, 16:22:28 <ISProperAPP IPSec stopping
Feb 11, 16:22:29 <ISProperAPP IKE daemon terminated

Re: Linksys BEFSX41 Connection by BertMac on 2007-02-21 14:06:34 +0100

I'm trying the same thing with no luck. Everything matches on both sides, so I'm not sure where the breakdown is. The little box says it is "up"; however, the red x never goes away, telling me it didn't actually make a connection. I suppose this wouldn't be so hard if I had access to the VPN router to look at its logs from where I am at. :-/ Any direction appreciated!

Re: Linksys BEFSX41 Connection by jim_julian on 2007-02-21 15:36:08 +0100

It's hard to believe that Linksys doesn't really provide any support to help with problems such as this ... sigh.

Re: Linksys BEFSX41 Connection by BertMac on 2007-02-23 02:07:09 +0100

I just posted on the Linksys forum... we'll see how it goes. I'll be sure to update this [i]when[/i] I finally figure this out. :-?

Re: Linksys BEFSX41 Connection by mrfett on 2007-02-23 13:38:32 +0100

This has been frustrating me as well. Interesting thing: when I connect from my neighbor's connection (next door, same cable provider) I can get in to my network fine. From anywhere else, though (Panera, campus network), I get the timeout messages. Dunno what to think. Seems odd that it works in the first instance.

Re: Linksys BEFSX41 Connection by mrfett on 2007-02-23 14:32:47 +0100

I'm thinking my issue might have to do with setting the proper NAT traversal settings. If anyone knows anything about this topic, please enlighten :)

Re: Linksys BEFSX41 Connection by mrfett on 2007-02-24 20:56:13 +0100

If anyone can comment on whether or not it's possible to run an IPsec tunnel from a cable modem network (BEFSX41) to a laptop connected to a public wifi network, please respond.
I'm unsure if I'm wasting my time trying to troubleshoot this or not. I tried all the NAT-T settings and none did the trick. Still got the error message posted up top.

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-01 00:49:40 +0100

No one has answers about this issue, huh? Still a mystery to me. Could it be that things are timing out? Should the timeout be made longer? Seems unnecessary to me... it seems odd more ppl aren't running into this.

Re: Linksys BEFSX41 Connection by Dave on 2007-03-01 01:34:39 +0100

One thing I would suggest is to crank up the debug level so you can perhaps pinpoint why the phase 1 timeout is occurring. Do you have access to the router at the other end to see if there is any info in its logs that might help?

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-01 03:41:09 +0100

Ahh, good idea. I'll try that tomorrow when I'm on another network. Thanks!

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-01 17:44:00 +0100

OK, so now I have big log files to share.
Hopefully they'll shed some light on this:

From the Linksys BEFSX41:

2007-03-01 11:37:17 IKE[6] Tx >> MM_R1 : 129.2.175.20 SA
2007-03-01 11:37:17 IKE[6] ISAKMP SA CKI=[15519997 de5465d8] CKR=[a58c90c7 9d7cae7a]
2007-03-01 11:37:17 IKE[6] ISAKMP SA DES / MD5 / PreShared / MODP_768 / 28800 sec (*28800 sec)
2007-03-01 11:37:38 IKE[6] Rx << MM_I1 : 129.2.175.20 SA, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID, VID
2007-03-01 11:37:38 IKE[6] Tx >> MM_R1 : 129.2.175.20 SA
2007-03-01 11:37:38 IKE[6] ISAKMP SA CKI=[15519997 de5465d8] CKR=[50eecdd2 65f6de12]
2007-03-01 11:37:38 IKE[6] ISAKMP SA DES / MD5 / PreShared / MODP_768 / 28800 sec (*28800 sec)

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-01 17:48:07 +0100

From IPSecuritas:

Mar 01, 11:35:10 Debug IKE msg 5 not interesting
Mar 01, 11:35:11 Debug IKE msg 5 not interesting
Mar 01, 11:35:11 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:12 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:13 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:14 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:15 Debug IKE 320 bytes from 10.105.5.212[500] to 68.50.31.23[500]
Mar 01, 11:35:15 Debug IKE sockname 10.105.5.212[500]
Mar 01, 11:35:15 Debug IKE send packet from 10.105.5.212[500]
Mar 01, 11:35:15 Debug IKE send packet to 68.50.31.23[500]
Mar 01, 11:35:15 Debug IKE 1 times of 320 bytes message will be sent to 68.50.31.23[500]
Mar 01, 11:35:15 Debug IKE
Mar 01, 11:35:15 Debug IKE c805d786 20d54aeb 00000000 00000000 01100200 00000000 00000140 0d000034
Mar 01, 11:35:15 Debug IKE 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
Mar 01, 11:35:15 Debug IKE 80010001 80030001 80020001 80040001 0d000014 4a131c81 07035845 5c5728f2
Mar 01, 11:35:15 Debug IKE 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 439b59f8
Mar 01, 11:35:15 Debug IKE ba676c4c 7737ae22 eab8f582 0d000014
4d1e0e13 6deafa34 c4f3ea9f 02ec7285
Mar 01, 11:35:15 Debug IKE 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65
Mar 01, 11:35:15 Debug IKE 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 0d000014
Mar 01, 11:35:15 Debug IKE cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5
Mar 01, 11:35:15 Debug IKE ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 4485152d
Mar 01, 11:35:15 Debug IKE 18b6bbcd 0be8a846 9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Mar 01, 11:35:15 Debug IKE resend phase1 packet c805d78620d54aeb:0000000000000000
Mar 01, 11:35:15 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:16 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:16 Debug IKE get pfkey ACQUIRE message
Mar 01, 11:35:16 Debug IKE

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-01 17:49:02 +0100

Mar 01, 11:35:16 Debug IKE 02060003 00260000 00000055 00000000 00030005 ff200000 10020000 0a6905d4
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00030006 ff200000 10020000 44321f17 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00020012 00020200 00000049 00000000 001c000d 20000000 00030000 00000000
Mar 01, 11:35:16 Debug IKE 01000800 00000000 00000001 00000001 00000000 00000000 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00015180 00000000 00007080 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00040000 00000000 010001c0 00000000 00000001 00000001 00000000 00000000
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00000000 00000000 00015180 00000000 00007080
Mar 01, 11:35:16 Debug IKE 00000000 00000000 000c0000 00000000 01000100 00000000 00000001 00000001
Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00015180
Mar 01, 11:35:16 Debug IKE 00000000 00007080 00000000 00000000
Mar 01, 11:35:16 Debug IKE suitable outbound SP found: 10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out.
Mar 01, 11:35:16 Debug IKE sub:0xbffff560: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in
Mar 01, 11:35:16 Debug IKE db :0x308b48: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in
Mar 01, 11:35:16 Debug IKE suitable inbound SP found: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in.
Mar 01, 11:35:16 Debug IKE new acquire 10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out
Mar 01, 11:35:16 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
Mar 01, 11:35:16 Debug IKE (trns_id=DES encklen=0 authtype=hmac-md5)
Mar 01, 11:35:16 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-md5)
Mar 01, 11:35:16 Debug IKE (trns_id=AES encklen=256 authtype=hmac-md5)
Mar 01, 11:35:16 Debug IKE (trns_id=AES encklen=192 authtype=hmac-md5)
Mar 01, 11:35:16 Debug IKE (trns_id=AES encklen=128 authtype=hmac-md5)
Mar 01, 11:35:16 Debug IKE in post_acquire
Mar 01, 11:35:16 Debug IKE configuration found for 68.50.31.23.
Mar 01, 11:35:16 Info IKE request for establishing IPsec-SA was queued due to no phase1 found.
Mar 01, 11:35:17 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:18 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:19 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:20 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:21 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:22 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:23 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:24 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-01 17:50:35 +0100

There's more, but I think it just starts repeating. Hopefully someone finds this insightful. Thanks for any help you guys can give!
Re: Linksys BEFSX41 Connection by Dave on 2007-03-02 16:42:33 +0100

Unfortunately, the ping lines make the log file HUGE; I really wish there was a way to turn them off (and the fact it is pinging even when the check box isn't checked is worrisome). But if you can strip those out, you might be able to see what is going on. All the "queued" bit means is that Phase 1 isn't done, which appears to be the entire problem. Are you using MAIN mode? And is the laptop behind any kind of NAT router? I've only been able to connect with Aggressive mode since I'm not using certificates and I'm behind a NAT router.

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-02 20:08:48 +0100

I am using main mode, and I am behind a router. My whole issue is that I can connect from my neighbor's wireless network next door, but when I go to my campus or to a cafe, I cannot connect. In both instances I'm behind a firewall, but something about the public places prevents a connection. I can go try aggressive mode. Do I put both the router and the client in aggressive mode? Thank you for your help. I've edited the log file and I'll post that now.
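Dave's advice above (strip the ping lines, then look at why Phase 1 never completes) carried out in code. This is an added example, not code from IPSecuritas or from anyone in this thread: it takes a constructed excerpt of the log mrfett posted, removes the ping noise, rebuilds the 320-byte packet from its hex dump and decodes the ISAKMP header and the SA payload. The two vendor-ID names it recognises are the well-known RFC 3947 and RFC 3706 values; the other vendor IDs are reported as unknown rather than guessed.

```python
"""Sift the racoon debug log posted above: drop the ping noise, rebuild the
outgoing Phase 1 packet from its hex dump and decode what it proposes."""
import re
import struct

# Constructed excerpt of the log lines posted in this thread: ping noise, the
# announcement and hex dump of the 320-byte packet, its retransmit, the timeout.
LOG = """\
Mar 01, 11:35:13 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:14 Debug APP Send ping packet to 192.168.1.0/24 of connection DB94
Mar 01, 11:35:15 Debug IKE 320 bytes from 10.105.5.212[500] to 68.50.31.23[500]
Mar 01, 11:35:15 Debug IKE c805d786 20d54aeb 00000000 00000000 01100200 00000000 00000140 0d000034
Mar 01, 11:35:15 Debug IKE 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
Mar 01, 11:35:15 Debug IKE 80010001 80030001 80020001 80040001 0d000014 4a131c81 07035845 5c5728f2
Mar 01, 11:35:15 Debug IKE 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 439b59f8
Mar 01, 11:35:15 Debug IKE ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f 02ec7285
Mar 01, 11:35:15 Debug IKE 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65
Mar 01, 11:35:15 Debug IKE 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 0d000014
Mar 01, 11:35:15 Debug IKE cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5
Mar 01, 11:35:15 Debug IKE ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 4485152d
Mar 01, 11:35:15 Debug IKE 18b6bbcd 0be8a846 9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Mar 01, 11:35:15 Debug IKE resend phase1 packet c805d78620d54aeb:0000000000000000
Mar 01, 11:35:16 Info IKE request for establishing IPsec-SA was queued due to no phase1 found.
Mar 01, 11:35:38 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 68.50.31.23[500]->10.105.5.212[500]
"""

HEX_ROW = re.compile(r"Debug IKE((?: [0-9a-f]{8})+)\s*$")
ANNOUNCE = re.compile(r"(\d+) bytes from \S+ to \S+")
EXCHANGE = {2: "Identity Protection (Main Mode)", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
ENC, HASH = {1: "DES", 5: "3DES", 7: "AES"}, {1: "MD5", 2: "SHA"}
AUTH, GROUP = {1: "PreShared", 3: "RSA_SIG"}, {1: "MODP_768", 2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048"}
KNOWN_VIDS = {  # well-known vendor ID values (RFC 3947 NAT-T, RFC 3706 DPD)
    "4a131c81070358455c5728f20e95452f": "RFC 3947 NAT-T",
    "afcad71368a1f1c96b8696fc77570100": "Dead Peer Detection v1.0",
}

def strip_ping_noise(log):
    """Drop the 'Send ping packet' lines that bloat the file."""
    return [ln for ln in log.splitlines() if "Send ping packet" not in ln]

def extract_packet(log):
    """Rebuild the first packet announced as 'N bytes from A to B' from the hex rows after it."""
    want, words = None, []
    for ln in log.splitlines():
        if want is None:
            m = ANNOUNCE.search(ln)
            want = int(m.group(1)) if m else None
            continue
        m = HEX_ROW.search(ln)
        if m:
            words += m.group(1).split()
            if 4 * len(words) >= want:
                break
    return bytes.fromhex("".join(words))[:want] if want else b""

def parse_header(pkt):
    """ISAKMP header (RFC 2408): cookies, next payload, version, exchange type, flags, msg id, length."""
    names = ("icookie", "rcookie", "next", "version", "exchange", "flags", "msgid", "length")
    return dict(zip(names, struct.unpack("!8s8sBBBBII", pkt[:28])))

def walk_payloads(pkt, first_type):
    """Follow the payload chain; each generic header is next(1) reserved(1) length(2)."""
    out, off, ptype = [], 28, first_type
    while ptype != 0 and off + 4 <= len(pkt):
        nxt, _, plen = struct.unpack("!BBH", pkt[off:off + 4])
        out.append((ptype, pkt[off + 4:off + plen]))
        ptype, off = nxt, off + plen
    return out

def parse_sa_attributes(sa):
    """Phase 1 SA body: DOI(4) situation(4), proposal header(8), SPI, transform header(8), attributes."""
    t = 16 + sa[14]                                  # sa[14] is the proposal's SPI size (0 for ISAKMP)
    attrs, off, end = {}, t + 8, t + struct.unpack("!H", sa[t + 2:t + 4])[0]
    while off < end:
        af_type, = struct.unpack("!H", sa[off:off + 2])
        if af_type & 0x8000:                         # TV form: 2-byte value
            val, = struct.unpack("!H", sa[off + 2:off + 4]); off += 4
        else:                                        # TLV form: 2-byte length, then value
            alen, = struct.unpack("!H", sa[off + 2:off + 4])
            val = int.from_bytes(sa[off + 4:off + 4 + alen], "big"); off += 4 + alen
        attrs[af_type & 0x7FFF] = val                # 1 enc, 2 hash, 3 auth, 4 group, 11 life type, 12 life
    return attrs

def describe_proposal(attrs):
    """Render the transform the way the BEFSX41 log prints its own."""
    return "%s / %s / %s / %s / %d sec" % (ENC.get(attrs.get(1), "?"), HASH.get(attrs.get(2), "?"),
                                         AUTH.get(attrs.get(3), "?"), GROUP.get(attrs.get(4), "?"), attrs.get(12, 0))

def analyse(log):
    lines, pkt = strip_ping_noise(log), extract_packet(log)
    hdr = parse_header(pkt)
    payloads = walk_payloads(pkt, hdr["next"])
    sa = next(body for ptype, body in payloads if ptype == 1)       # type 1 = SA
    vids = [body.hex() for ptype, body in payloads if ptype == 13]  # type 13 = Vendor ID
    return {"ping_lines_removed": len(log.splitlines()) - len(lines),
            "exchange": EXCHANGE.get(hdr["exchange"], "unknown"),
            "initiator_cookie": hdr["icookie"].hex(),
            "responder_cookie_set": any(hdr["rcookie"]),
            "length_matches_dump": hdr["length"] == len(pkt),
            "proposal": describe_proposal(parse_sa_attributes(sa)),
            "vendor_ids": [KNOWN_VIDS.get(v, "unknown " + v) for v in vids],
            "phase1_retransmits": sum("resend phase1 packet" in ln for ln in lines),
            "phase1_timeouts": sum("time up waiting for phase1" in ln for ln in lines)}
```

On the excerpt, `analyse(LOG)` reports a Main Mode message 1 (exchange type 2) whose responder cookie is still all zeros, carrying one transform that decodes to "DES / MD5 / PreShared / MODP_768 / 28800 sec" and twelve vendor-ID payloads, the first being RFC 3947 NAT-T. That is the same proposal and the same "SA, VID x12" that the BEFSX41 log shows it receiving and answering with MM_R1, so the client keeps retransmitting an acceptable packet and the router's reply is what never arrives.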
Re: Linksys BEFSX41 Connection by mrfett on 2007-03-02 20:09:15 +0100 Mar 01, 11:35:10 Debug IKE msg 5 not interesting Mar 01, 11:35:11 Debug IKE msg 5 not interesting Mar 01, 11:35:15 Debug IKE 320 bytes from 10.105.5.212[500] to 68.50.31.23[500] Mar 01, 11:35:15 Debug IKE sockname 10.105.5.212[500] Mar 01, 11:35:15 Debug IKE send packet from 10.105.5.212[500] Mar 01, 11:35:15 Debug IKE send packet to 68.50.31.23[500] Mar 01, 11:35:15 Debug IKE 1 times of 320 bytes message will be sent to 68.50.31.23[500] Mar 01, 11:35:15 Debug IKE Mar 01, 11:35:15 Debug IKE c805d786 20d54aeb 00000000 00000000 01100200 00000000 00000140 0d000034 Mar 01, 11:35:15 Debug IKE 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 Mar 01, 11:35:15 Debug IKE 80010001 80030001 80020001 80040001 0d000014 4a131c81 07035845 5c5728f2 Mar 01, 11:35:15 Debug IKE 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 439b59f8 Mar 01, 11:35:15 Debug IKE ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f 02ec7285 Mar 01, 11:35:15 Debug IKE 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65 Mar 01, 11:35:15 Debug IKE 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 0d000014 Mar 01, 11:35:15 Debug IKE cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 Mar 01, 11:35:15 Debug IKE ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 4485152d Mar 01, 11:35:15 Debug IKE 18b6bbcd 0be8a846 9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100 Mar 01, 11:35:15 Debug IKE resend phase1 packet c805d78620d54aeb:0000000000000000 Mar 01, 11:35:16 Debug IKE get pfkey ACQUIRE message Mar 01, 11:35:16 Debug IKE Mar 01, 11:35:16 Debug IKE 02060003 00260000 00000055 00000000 00030005 ff200000 10020000 0a6905d4 Mar 01, 11:35:16 Debug IKE 00000000 00000000 00030006 ff200000 10020000 44321f17 00000000 00000000 Mar 01, 11:35:16 Debug IKE 00020012 00020200 00000049 00000000 001c000d 20000000 00030000 00000000 Mar 01, 
11:35:16 Debug IKE 01000800 00000000 00000001 00000001 00000000 00000000 00000000 00000000 Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00015180 00000000 00007080 00000000 00000000 Mar 01, 11:35:16 Debug IKE 00040000 00000000 010001c0 00000000 00000001 00000001 00000000 00000000 Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00000000 00000000 00015180 00000000 00007080 Mar 01, 11:35:16 Debug IKE 00000000 00000000 000c0000 00000000 01000100 00000000 00000001 00000001 Mar 01, 11:35:16 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00015180 Mar 01, 11:35:16 Debug IKE 00000000 00007080 00000000 00000000 Mar 01, 11:35:16 Debug IKE suitable outbound SP found: 10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out. Mar 01, 11:35:16 Debug IKE sub:0xbffff560: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in Mar 01, 11:35:16 Debug IKE db :0x308b48: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in Mar 01, 11:35:16 Debug IKE suitable inbound SP found: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in. 
Re: Linksys BEFSX41 Connection by mrfett on 2007-03-02 20:09:57 +0100 Mar 01, 11:35:28 Debug IKE 02060003 00260000 00000055 00000000 00030005 ff200000 10020000 0a6905d4 Mar 01, 11:35:28 Debug IKE 00000000 00000000 00030006 ff200000 10020000 44321f17 00000000 00000000 Mar 01, 11:35:28 Debug IKE 00020012 00020200 00000049 00000000 001c000d 20000000 00030000 00000000 Mar 01, 11:35:28 Debug IKE 01000800 00000000 00000001 00000001 00000000 00000000 00000000 00000000 Mar 01, 11:35:28 Debug IKE 00000000 00000000 00000000 00015180 00000000 00007080 00000000 00000000 Mar 01, 11:35:28 Debug IKE 00040000 00000000 010001c0 00000000 00000001 00000001 00000000 00000000 Mar 01, 11:35:28 Debug IKE 00000000 00000000 00000000 00000000 00000000 00015180 00000000 00007080 Mar 01, 11:35:28 Debug IKE 00000000 00000000 000c0000 00000000 01000100 00000000 00000001 00000001 Mar 01, 11:35:28 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00015180 Mar 01, 11:35:28 Debug IKE 00000000 00007080 00000000 00000000 Mar 01, 11:35:28 Debug IKE suitable outbound SP found: 10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out. Mar 01, 11:35:28 Debug IKE sub:0xbffff560: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in Mar 01, 11:35:28 Debug IKE db :0x308b48: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in Mar 01, 11:35:28 Debug IKE suitable inbound SP found: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in. 
Mar 01, 11:35:28 Debug IKE new acquire 10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out Mar 01, 11:35:28 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) Mar 01, 11:35:28 Debug IKE (trns_id=DES encklen=0 authtype=hmac-md5) Mar 01, 11:35:28 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-md5) Mar 01, 11:35:28 Debug IKE (trns_id=AES encklen=256 authtype=hmac-md5) Mar 01, 11:35:28 Debug IKE (trns_id=AES encklen=192 authtype=hmac-md5) Mar 01, 11:35:28 Debug IKE (trns_id=AES encklen=128 authtype=hmac-md5) Mar 01, 11:35:28 Debug IKE in post_acquire Mar 01, 11:35:28 Debug IKE configuration found for 68.50.31.23. Mar 01, 11:35:28 Info IKE request for establishing IPsec-SA was queued due to no phase1 found. Mar 01, 11:35:34 Debug IKE msg 5 not interesting Mar 01, 11:35:35 Debug IKE msg 5 not interesting Mar 01, 11:35:35 Debug IKE 320 bytes from 10.105.5.212[500] to 68.50.31.23[500] Mar 01, 11:35:35 Debug IKE sockname 10.105.5.212[500] Mar 01, 11:35:35 Debug IKE send packet from 10.105.5.212[500] Mar 01, 11:35:35 Debug IKE send packet to 68.50.31.23[500] Mar 01, 11:35:35 Debug IKE 1 times of 320 bytes message will be sent to 68.50.31.23[500] Mar 01, 11:35:35 Debug IKE Mar 01, 11:35:35 Debug IKE c805d786 20d54aeb 00000000 00000000 01100200 00000000 00000140 0d000034 Mar 01, 11:35:35 Debug IKE 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 Mar 01, 11:35:35 Debug IKE 80010001 80030001 80020001 80040001 0d000014 4a131c81 07035845 5c5728f2 Re: Linksys BEFSX41 Connection by mrfett on 2007-03-02 20:10:31 +0100 Mar 01, 11:35:37 Debug IKE suitable outbound SP found: 10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out. 
Mar 01, 11:35:37 Debug IKE sub:0xbffff560: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in Mar 01, 11:35:37 Debug IKE db :0x308b48: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in Mar 01, 11:35:37 Debug IKE suitable inbound SP found: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in. Mar 01, 11:35:37 Debug IKE new acquire 10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out Mar 01, 11:35:37 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) Mar 01, 11:35:37 Debug IKE (trns_id=DES encklen=0 authtype=hmac-md5) Mar 01, 11:35:37 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-md5) Mar 01, 11:35:37 Debug IKE (trns_id=AES encklen=256 authtype=hmac-md5) Mar 01, 11:35:37 Debug IKE (trns_id=AES encklen=192 authtype=hmac-md5) Mar 01, 11:35:37 Debug IKE (trns_id=AES encklen=128 authtype=hmac-md5) Mar 01, 11:35:37 Debug IKE in post_acquire Mar 01, 11:35:37 Debug IKE configuration found for 68.50.31.23. Mar 01, 11:35:37 Info IKE request for establishing IPsec-SA was queued due to no phase1 found. Mar 01, 11:35:38 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 68.50.31.23[500]->10.105.5.212[500] Mar 01, 11:35:38 Info IKE delete phase 2 handler. Mar 01, 11:35:41 Debug IKE msg 5 not interesting Mar 01, 11:35:41 Debug IKE msg 5 not interesting Mar 01, 11:35:48 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 68.50.31.23[500]->10.105.5.212[500] Mar 01, 11:35:48 Info IKE delete phase 2 handler. 
Mar 01, 11:35:49 Debug IKE get pfkey ACQUIRE message Mar 01, 11:35:49 Debug IKE Mar 01, 11:35:49 Debug IKE 02060003 00260000 00000056 00000000 00030005 ff200000 10020000 0a6905d4 Mar 01, 11:35:49 Debug IKE 00000000 00000000 00030006 ff200000 10020000 44321f17 00000000 00000000 Mar 01, 11:35:49 Debug IKE 00020012 00020200 00000049 00000000 001c000d 20000000 00030000 00000000 Mar 01, 11:35:49 Debug IKE 01000800 00000000 00000001 00000001 00000000 00000000 00000000 00000000 Mar 01, 11:35:49 Debug IKE 00000000 00000000 00000000 00015180 00000000 00007080 00000000 00000000 Mar 01, 11:35:49 Debug IKE 00040000 00000000 010001c0 00000000 00000001 00000001 00000000 00000000 Mar 01, 11:35:49 Debug IKE 00000000 00000000 00000000 00000000 00000000 00015180 00000000 00007080 Mar 01, 11:35:49 Debug IKE 00000000 00000000 000c0000 00000000 01000100 00000000 00000001 00000001 Mar 01, 11:35:49 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00015180 Mar 01, 11:35:49 Debug IKE 00000000 00007080 00000000 00000000 Mar 01, 11:35:49 Debug IKE suitable outbound SP found: 10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out. 
Mar 01, 11:35:49 Debug IKE sub:0xbffff560: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in Mar 01, 11:35:49 Debug IKE db :0x308b48: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in Re: Linksys BEFSX41 Connection by mrfett on 2007-03-02 20:11:11 +0100 Mar 01, 11:35:55 Debug IKE c805d786 20d54aeb 00000000 00000000 01100200 00000000 00000140 0d000034 Mar 01, 11:35:55 Debug IKE 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 Mar 01, 11:35:55 Debug IKE 80010001 80030001 80020001 80040001 0d000014 4a131c81 07035845 5c5728f2 Mar 01, 11:35:55 Debug IKE 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 439b59f8 Mar 01, 11:35:55 Debug IKE ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f 02ec7285 Mar 01, 11:35:55 Debug IKE 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65 Mar 01, 11:35:55 Debug IKE 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 0d000014 Mar 01, 11:35:55 Debug IKE cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 Mar 01, 11:35:55 Debug IKE ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 4485152d Mar 01, 11:35:55 Debug IKE 18b6bbcd 0be8a846 9579ddcc 00000014 afcad713 68a1f1c9 6b8696fc 77570100 Mar 01, 11:35:55 Debug IKE resend phase1 packet c805d78620d54aeb:0000000000000000 Mar 01, 11:35:57 Debug IKE msg 5 not interesting Mar 01, 11:35:58 Debug IKE get pfkey ACQUIRE message Mar 01, 11:35:58 Debug IKE Mar 01, 11:35:58 Debug IKE 02060003 00260000 00000057 00000000 00030005 ff200000 10020000 0a6905d4 Mar 01, 11:35:58 Debug IKE 00000000 00000000 00030006 ff200000 10020000 44321f17 00000000 00000000 Mar 01, 11:35:58 Debug IKE 00020012 00020200 00000049 00000000 001c000d 20000000 00030000 00000000 Mar 01, 11:35:58 Debug IKE 01000800 00000000 00000001 00000001 00000000 00000000 00000000 00000000 Mar 01, 11:35:58 Debug IKE 00000000 00000000 00000000 00015180 00000000 00007080 00000000 00000000 Mar 01, 11:35:58 Debug IKE 00040000 
00000000 010001c0 00000000 00000001 00000001 00000000 00000000
Mar 01, 11:35:58 Debug IKE 00000000 00000000 00000000 00000000 00000000 00015180 00000000 00007080
Mar 01, 11:35:58 Debug IKE 00000000 00000000 000c0000 00000000 01000100 00000000 00000001 00000001
Mar 01, 11:35:58 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00015180
Mar 01, 11:35:58 Debug IKE 00000000 00007080 00000000 00000000
Mar 01, 11:35:58 Debug IKE suitable outbound SP found: 10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out.
Mar 01, 11:35:58 Debug IKE sub:0xbffff560: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in
Mar 01, 11:35:58 Debug IKE db :0x308b48: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in
Mar 01, 11:35:58 Debug IKE suitable inbound SP found: 192.168.1.0/24[0] 10.105.5.212/32[0] proto=any dir=in.
Mar 01, 11:35:58 Debug IKE new acquire 10.105.5.212/32[0] 192.168.1.0/24[0] proto=any dir=out
Mar 01, 11:35:58 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
Mar 01, 11:35:58 Debug IKE (trns_id=DES encklen=0 authtype=hmac-md5)
Mar 01, 11:35:58 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-md5)
Mar 01, 11:35:58 Debug IKE (trns_id=AES encklen=256

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-02 20:14:41 +0100

I think posting more would be repeating what's already there.

Re: Linksys BEFSX41 Connection by Dave on 2007-03-03 00:01:54 +0100

[quote author=mrfett link=1171241120/15#15 date=1172862528]I am using main mode, and I am behind a router. My whole issue is that I can connect from my neighbor's wireless network next door, but when I go to my campus or to a cafe, I cannot connect. In both instances I'm behind a firewall, but something about the public places prevents a connection.[/quote]

Note that your neighbor's router probably has VPN-passthru enabled; most home routers do this automatically. The cafe/campus router might not, and that will definitely prevent you from connecting.
Or the cafe/campus might have a limit on the number of passthru connections it can support and, again, you might be over that limit. For your campus, I'd suggest talking to the network admins and seeing if they can tell you any info about VPN passthru or how to create a VPN connection outbound. I'd also suggest trying NAT-T Enable, but you said you already did that, right?

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-03 00:29:59 +0100

Yeah, I did try that. Hmm. So you think most public wifi spots block VPN traffic? Has that been your experience? It just seems strange other people aren't complaining about this. I'm tempted to get another brand of router to try. Well, I appreciate your time. I'll report back if I do get another router to work so people know not to use this one in this situation.

Re: Linksys BEFSX41 Connection by Forum Admin on 2007-03-04 14:28:44 +0100

Hi, I don't think a different router will work better. Judging from the logs, your router receives the initial packet and sends a reply, which just never arrives, most probably because it's filtered in the local firewall/router. If possible, ask the local sysadmin about the handling of incoming UDP packets on port 500. VPN or IPSec passthru only comes into play once the connection is established and doesn't work with more than one VPN client in the local network; therefore I recommend using NAT-T whenever possible (NAT-T encapsulates the VPN traffic in UDP packets, circumventing the need for VPN passthru). My experience with public hotspots differs: VPN with NAT-T works in almost all cases. So far I have only had trouble in hotspots that were part of a larger network (and at some point in the network, there was a proper firewall). Hope this helps, Christoph

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-04 17:06:01 +0100

Thanks so much for the explanation, Christoph. That does help explain what's happening. I'll try out a few more locations and see if it'll work any better.
The campus network is part of a much larger one (I'm at the University of Maryland in College Park, and there's wifi spread all over the campus). One question: when I use NAT-T, does it matter if I use Enable, Force, or Checkpoint?

Re: Linksys BEFSX41 Connection by Forum Admin on 2007-03-04 23:27:44 +0100

Hi, when set to Enable, the two peers try to find out if NAT-T is necessary and supported (i.e. if one of the two peers is in a NATed network and the remote peer supports NAT-T) - Force enforces NAT-T, regardless of whether it is really necessary (this is usually the better choice if you know the router supports NAT-T). Checkpoint only makes sense if the remote peer is a Checkpoint (VPN-1 for example) router. Cheers, Christoph

Re: Linksys BEFSX41 Connection by mrfett on 2007-03-05 19:07:29 +0100

Well, all I have to say is YOU GUYS ROCK! Indeed, the campus network I was connecting to did block VPN access. The solution was to use a newer "secure" network the university set up recently. Once I configured my system to use the correct network, I was able to connect with IPSecuritas with no issues. If you hadn't nudged me to look into this, I never would've found this out. Thanks so much. I still have to figure out the local Panera (whose coffee I'm addicted to), but this is a huge first step. Many, many thanks.

IPSecuritas 3.0rc doesn't work with Airport Update

IPSecuritas 3.0rc doesn't work with Airport Update by bigboy on 2007-02-13 01:26:13 +0100

I have been using 3.0RC successfully until I did a system update to patch an Airport vulnerability. Now 3.0RC doesn't work. It can log into my VPN server (Zywall 2), but then as soon as I start exchanging data, the connection freezes up and ends up taking down the Finder (darn single-threaded Finder). I have a MBP (Core Duo) 15" with 2GB of memory running Mac OS X 10.4.8 + all the updates.
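Christoph's two points in the Linksys thread above (NAT-T wraps the VPN traffic in UDP, and Enable lets the peers discover whether that is needed while Force always does it), as an added example that is not IPSecuritas code and does not describe its implementation. It follows RFC 3947, where each peer sends NAT-D hashes of the addresses it believes it is using and the receiver recomputes them over what it actually saw on the wire, and RFC 3948, where IKE and ESP then share UDP/4500 and a four-zero-byte marker tells them apart. The addresses come from the logs in the thread; MD5 is assumed as the Phase 1 hash (as in the proposal posted earlier); the responder cookie is a constructed placeholder; the Checkpoint setting is not modelled.

```python
"""NAT detection (RFC 3947 NAT-D) and UDP encapsulation (RFC 3948) behind the
Enable/Force settings, replayed with the addresses from the thread."""
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefix that marks IKE on UDP/4500

def nat_d(icky, rcky, ip, port, hash_name="md5"):
    """NAT-D payload value: HASH(CKY-I | CKY-R | IP | Port), computed with the
    hash negotiated in Phase 1 (assumed MD5 here, as in the proposal above)."""
    data = icky + rcky + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def nat_between(icky, rcky, received, seen_ip, seen_port, hash_name="md5"):
    """The receiver hashes the source address and port it actually observed;
    a mismatch with what the sender hashed means a NAT rewrote one of them."""
    return nat_d(icky, rcky, seen_ip, seen_port, hash_name) != received

def choose_port(mode, peer_supports_natt, nat_detected):
    """Enable: move to UDP/4500 only if the peer supports NAT-T and a NAT was
    found. Force: use NAT-T whether or not the detection says it is needed."""
    if mode == "force":
        return 4500
    if mode == "enable":
        return 4500 if peer_supports_natt and nat_detected else 500
    raise ValueError("unknown NAT-T mode: %r" % mode)

def encapsulate(kind, payload):
    """Build the body of a UDP/4500 datagram for an IKE message or an ESP packet."""
    if kind == "ike":
        return NON_ESP_MARKER + payload
    if kind == "esp":
        if payload[:4] == NON_ESP_MARKER:
            raise ValueError("ESP SPI 0 is reserved; it would be mistaken for the IKE marker")
        return payload                  # ESP rides as-is; its non-zero SPI is the discriminator
    raise ValueError("unknown kind: %r" % kind)

def demux(datagram):
    """Receiver side of RFC 3948: zero marker means IKE, anything else is ESP."""
    if datagram.startswith(NON_ESP_MARKER):
        return "ike", datagram[4:]
    return "esp", datagram

def scenario(mode, client_ip, ip_seen_by_router):
    """The Mac hashes the address it has; the router hashes the source it saw."""
    icky = bytes.fromhex("c805d78620d54aeb")   # initiator cookie from the log in the thread
    rcky = bytes.fromhex("0011223344556677")   # constructed placeholder (the real one never arrived)
    sent = nat_d(icky, rcky, client_ip, 500)
    nat = nat_between(icky, rcky, sent, ip_seen_by_router, 500)
    return {"nat_detected": nat, "port": choose_port(mode, True, nat)}

if __name__ == "__main__":
    # 10.105.5.212 is what the Mac logged; 129.2.175.20 is what the BEFSX41 logged.
    print("enable, behind NAT:", scenario("enable", "10.105.5.212", "129.2.175.20"))
    print("enable, no NAT:   ", scenario("enable", "68.50.31.23", "68.50.31.23"))
    print("force, no NAT:    ", scenario("force", "68.50.31.23", "68.50.31.23"))
```

With Enable, the mismatch between 10.105.5.212 (what the Mac hashed) and 129.2.175.20 (what the router saw) is what moves the exchange to UDP/4500; with Force the move happens even when both hashes agree. Since the port is part of the hash, a NAT that only rewrites the source port is detected too.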
Re: IPSecuritas 3.0rc doesn't work with Airport Up by budy on 2007-02-22 15:34:42 +0100

Hi, I have just downloaded and installed 3.0rc on my MBP running all updates and I have no issue at all connecting to our CP VPN-1 via Airport. Anything in the logs? Cheers, Budy

Cannot connect to IPCop

Cannot connect to IPCop by worcester4x4 on 2007-02-14 09:54:52 +0100

Hi all. A client wants a roadwarrior connection from his Macbook (OSX10.4.?) to his office LAN. Firewall is IPCop 1.4.10 (similarish to Smoothwall if that helps anyone) and the authorisation method is host and user certificates. I have only recently started dabbling with Macs so am a bit of a novice. The certificates generated OK on the IPCop box, were parsed OK via terminal on the MB and imported OK into IPSecuritas. IPSecuritas runs and IPSec is shown as "up" but the damned red cross won't go away so there's obviously no connection. Also whilst IPSecuritas is running the client reports that he cannot access websites from the MB. Can someone tell me where the IPSecuritas logfiles are located? And what to look for in them once I find them? Any other hints? Many thanks for your help. Pete

Re: Cannot connect to IPCop by worcester4x4 on 2007-02-23 23:19:03 +0100

Update. The VPN is now fine and the roadwarrior can see the email OK. However we still can't access the document server because I can't see any way of putting an IP address into Finder. Does anyone know how, or alternatively can IPSecuritas preferences be set up to convert a share name into an IP address? Pete

Re: Cannot connect to IPCop by Dave on 2007-02-23 23:46:04 +0100

I connect to Windows shares all the time using the "Connect to Server" menu item under the Go menu in the Finder. I enter the address like this for the share "myShare" on machine 192.168.0.232:

smb://192.168.0.232/myShare

You can also tell IPSecuritas to use an alternate DNS server for things inside the tunnel.
There have been some reports that this has problems, but it might do what you need.

Problem connecting to Juniper Netscreen

Problem connecting to Juniper Netscreen by antg on 2007-02-18 01:09:35 +0100

Hi there, I have set up a VPN connection between IPSecuritas and a Netscreen 25; sometimes the connection works really well, and other times it seems to stall a lot, and I have to disconnect and reconnect the tunnel. When this happens I see the message "msg 'x' not interesting" in the Log, and most of the time the msg number is 5. Just wondering if anybody knows where to start looking to try and fix this, and whether it's likely a problem with the NetScreen or with my config of IPSecuritas. When this happens, I can still ping the WAN interface of the NetScreen, so I don't think it's related to my internet connection. Cheers, Ant.

Re: Problem connecting to Juniper Netscreen by houser on 2007-02-19 07:52:36 +0100

We had a VPN tunnel set up for VPN Tracker. Setting the latest IPSecuritas to exactly the same settings works and is a good starting point. You can probably download manuals for that at the VPN Tracker site. Hope this helps jtm

Re: Problem connecting to Juniper Netscreen by Rob_Z on 2007-03-21 20:59:31 +0100

[quote author=antg link=1171757375/0#0 date=1171757375]Hi there, I have set up a VPN connection between IPSecuritas and a Netscreen 25; sometimes the connection works really well, and other times it seems to stall a lot, and I have to disconnect and reconnect the tunnel.[/quote]

Hello, Can you share your Netscreen configuration? TIA -Rob

Connect to Symantec VPN 200R

Connect to Symantec VPN 200R by JCSF on 2007-02-22 13:14:21 +0100

I'm connecting to a network through a Symantec Firewall VPN 200R using the client software in Windows, and I want to connect from a Mac, but the setup of the client is different than the IPSecuritas/Mac VPN. How can I configure it? Thanks.

Watchguard Firebox Success !!!

Watchguard Firebox Success !!!
by hb9wad on 2007-02-24 14:47:42 +0100
With help of an article from the Watchguard support site https://www.watchguard.com/support/advancedfaqs/mac_vpntrackerfb7x.asp#mac5f I have managed to connect my Apple iMac 24" Mac OS X 10.4.8 with IPsecuritas 3.0rc Build 1040 behind a Zyxel Prestige 652-R13 ADSL Router/Firewall (ZyNOS F/W Version: V3.40(FW.7) | 6/18/2003, DSL FW Version: Alcatel, Version 4.9.10) with NAT and dynamic external IP address to our Watchguard Firebox X700 WFS 7.41 with NAT and fixed public external IP address.

On the Firebox configure 'Network -> Branch Office VPN -> Manual IPSec...'. Create a new gateway with parameters:
Key Negotiation Type: isakmp (dynamic)
Remote ID Type: User Name
Gateway IP Address: <empty>
Gateway Identifier: me@company.com
Shared Key: mypassword
Phase 1 Settings:
Local ID Type: IP Address
Authentication: SHA1-HMAC
Encryption: DES-CBC
Diffie-Hellman Group: 1
Enable Perfect Forward Secrecy: OFF
Enable Aggressive Mode: ON
Negotiation Timeout: 0 kB ; 8 hours

Create a new tunnel and assign the gateway created before:
Phase 2 Settings:
Type: ESP (Encapsulated Security Payload)
Authentication: SHA1-HMAC
Encryption: 3DES-CBC
Force key expiration: ON every 0 kB every 24 hours

Create a new IPSec Routing Policy:
Local: Network: company network>
Remote: Host: <IP Subnet / SubnetBits of <free IP Addr out of unused

Netgear FVG318

Netgear FVG318 by colinresys on 2007-02-25 18:52:39 +0100
Has anyone had any luck with the Netgear FVG318? If so, could you please share your config?
Colin

problems connecting to rv042

problems connecting to rv042 by mstoops on 2007-02-26 06:49:48 +0100
I'm having a connection issue with IPSecuritas 3.0rc (Mac OS X 10.4.8) to a Linksys rv042. I've successfully VPN'd over a dial-up account (thanks to these forums); the issue is I cannot connect over a DSL connection from behind a router using NAT.
The main error I'm getting in the rv042 log file is this:
Cannot respond to IPsec SA request because no connection is known for 10.0.1.0/24===111.222.333.444...555.666.777.888[@dusty.local]===192.168.0.2/32
(Obviously the central IP addresses are bogus to hide my network.) I've tried enabling NAT-T with no effect. Here are my IPSecuritas settings:
-----------------------------------
General:
Remote IPSec Address: <rv041 address>
Local Side: Endpoint Mode: Network, IP Address: <empty>
Remote Side: Endpoint Mode: Network, Network Address 10.0.1.0/24
Phase 1:
Lifetime: 3600s
DH Group: (5)
Encryption: AES 256
Auth: SHA-1
Exch Mode: Aggressive
Proposal Check: Strict
Nonce Size: 16
Phase 2:
Lifetime: 3600s
PFS Group: (5)
Encryption: AES 256
Auth: SHA-1
ID:
Local ID: FQDN dusty.local
Remote ID: Address
Auth Method: PSK
Options (checked):
IPSec DOI
SIT_IDENTITY_ONLY
Initial Contact
Generate Policy
Support Proxy
Req Cert
Send Cert
-------------------------------
All the settings on the rv042 seem to be properly set (they work when I VPN over dialup), so I don't think the issue lies there. Any help would be greatly appreciated. I'm not an expert at this stuff so I'm

Working -- a new question by mstoops on 2007-03-05 04:12:57 +0100
Ok, so I've gotten this working, although the solution is not perfect. I found that when I put the public IP address (public side of NAT router) into IPSecuritas' "Local Side IP Address," everything connects perfectly. It's round-about because I have to input the public IP every time I want to set up a VPN, which is a little frustrating when I'm moving around to different locations. New Question: can anyone tell me how I can make this work without having to find and enter the public IP every time? (I find it using a Dashboard widget called Network Stat: http://www.widgetschmie.de/widgets/NetworkStat/)

Re: problems connecting to rv042 by mstoops on 2007-03-06 22:36:57 +0100
This is fun, I seem to be having a great running dialog with myself on this.
Anyway, I seem to have figured the latest issue out -- no more need to put in the local public IP address. This seems to require two (actually, 3) things:
0. Make sure you have the latest firmware update, currently 1.3.8.2. Not sure if this is necessary but I don't remember the following config option.
1. On the rv042, within the VPN Tunnel configuration, click on the "Advanced +" button at the bottom and check the "NAT Traversal" checkbox.
2. In your IPSecuritas connection configuration, make sure that Options --> NAT-T is Disabled.
Worked like a charm, connected from a local café without having to modify IPSecuritas' configuration. Now, I want to make this work using an Exchange Mode of Main, since it's supposed to be more secure than Aggressive. Anyone? Yeah, I thought so ;D Learning as I go. Hope this helps someone.

v3.0 RC Menu Item

v3.0 RC Menu Item by psfolliesmis on 2007-02-26 22:42:28 +0100
I have installed the 3.0 RC on a couple of machines, and it seems that the menu item will not stay on the menu bar after a logout. When I log back in, the menubar item will be gone, and if I open IPSec and go to preferences, the Show Status in Menubar is still checked. I have to check and uncheck to get it to reappear, then it is gone the next time I restart. Is this just me?

Client Virtual IP address

Client Virtual IP address by colinresys on 2007-02-28 11:37:54 +0100
It seems that to connect to most ProSafe Netgear routers IPSecuritas has to be configured with a virtual IP address that won't be hidden by any intervening NAT device. I can't find instructions for this, using either IPSecuritas or the command line. Has anyone any idea of how to do it?
Re: Client Virtual IP address by senzex on 2007-04-20 19:16:35 +0200
In IPSecuritas enter anything you want in the field: GENERAL TAB -> Local Side - Endpoint mode (HOST): (192.168.0.6 or 10.10.2.3 or whatever). In the Netgear (FVS124G for me) in the VPN POLICIES -> traffic selector -> remote IP -> choose single address and fill in the IP (192.168.0.6 or 10.10.2.3 or whatever). By the way, avoid same subnets: I mean if at your location you are on 192.168.[b]X[/b].[b]z[/b], just choose anything but the [b]X[/b]. So if you have a local IP 192.168.[b]0[/b].1 then choose 192.168.[b]1[/b].1 for example. That's all. Hope it helps.

Need L2TP Support

Need L2TP Support by omnibyte on 2007-03-01 17:07:46 +0100
I have a Sonicwall Pro 3040 running, with L2TP VPN Server Setup... The Windows Clients can establish the VPN connection without any problems with their built-in VPN client... I know, the built-in VPN Client of the latest OS-X will just work with the OS X Server... Is there a way to get L2TP working on OS X with a SonicWall L2TP Server?!?! If someone can help me out, I would give support on the Sonicwall side to test this stuff!!!!
Cheers Thomas from Switzerland

Re: Need L2TP Support by cwolf on 2007-03-22 03:32:19 +0100
Funny, I have the exact opposite issue connecting to my Sonicwall L2TP Server. L2TP works perfectly on my 10.4.9 clients using the built-in client. Windows boxes cannot connect.

Re: Need L2TP Support by cwolf on 2007-03-22 03:35:48 +0100
you said:
: I know, the built-in VPN Client of the latest OS-X will just work with the OS X Server...
Umm, this couldn't be further from the truth. The built-in client on the Mac works with almost any PPTP or L2TP solution out there. It works way better than the built-in Windows client, and is always consistent. I say almost because I haven't tested all of them, but I have yet to have a VPN (L2TP/PPTP using built-in, IPSec using IPSecuritas) that I can't connect to.
ZyXEL ZyWALL 5

ZyXEL ZyWALL 5 by omega_red on 2007-03-15 12:14:10 +0100
Does anyone know how to configure the ZyWALL? I've tried it with VPN Tracker and it works great! (For 3 mins, then the demo version expires the connection.) I've copied all settings from VPN Tracker and connected IPsecuritas but I keep getting the following errors:
[list]
[*]Warning: ignore INTIAL-CONTACT notification, becouse it is only accepted after phase1
[*]Error: No SIG was passed, hybrid auth is enabled but peer is not Xauth compliant
[*]Error: phase2 negotiation failed due to time up waiting for phase1. ESP (remote vpn server internet-ip)[500]->(local internet-ip)[500]
[/list]
Can anyone help? thxx!!

Re: ZyXEL ZyWALL 5 by prahn on 2007-03-16 07:50:52 +0100
Hi! It definitely sounds like IPSecuritas wants to connect with Xauth authentication, but the ZyWall doesn't like it. I searched for "Hybrid Auth" and "Xauth" in the IPSecuritas config, but didn't find anything. I also have problems with my ZyWall 2 and do not find a solution. See here: [url]http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1173990319[/url] Maybe buying VPN Tracker is easier... but I want a menu item like IPSecuritas provides!!
Greets, prahn

Re: ZyXEL ZyWALL 5 by Forum Admin on 2007-03-17 01:36:06 +0100
Hi, the following settings will work with Zyxel's ZyWall series:
General:
Exchange Mode: Main
Proposal Check: Obey
Nonce Size: 16
Phase 1:
Life time: 8 hours (or less)
DH Group: Mod768
Encryption: DES
Authentication: MD5
Phase 2:
Life time: 8 hours (or less)
PFS Group: Mod768
Encryption: 3DES
Authentication: SHA-1
Identification:
Local Identification: FQDN (enter a name)
Remote Identification: Address
Authentication: Preshared Key (enter a password)
Options:
IPSec DOI: Enabled
SIT_IDENTITY_ONLY: Enabled
Verify Identifier: Disabled
Initial Contact: Enabled
Passive: Disabled
MODE_CFG: Disabled
NAT-T: Enabled
Generate Policy: Disabled
Support Proxy: Disabled
Request Certificate: Enabled
Verify Certificate: Disabled
Send Certificate: Enabled
Unique SA: Disabled

On the ZyWall, use the following settings:
Gateway Policy:
NAT Traversal: Enabled
My ZyWALL Address: 0.0.0.0
Remote Gateway Address: 0.0.0.0
Enabled Preshared Key (enter the same password as in IPSecuritas)
Local ID Type: IP (enter 0.0.0.0)
Peer ID Type: DNS (enter the same name as in IPSecuritas)
Negotiation Mode: Main
Encryption Algorithm: DES
Authentication Algorithm: MD5
SA Life Time: 28800
Key Group: DH1
Enabled Multiple Proposals: Disabled
Network Policy:
Active: Enabled
Name: anything
Protocol: 0

Re: ZyXEL ZyWALL 5 by Dave on 2007-03-17 22:29:50 +0100
[quote author=prahn link=1173957250/0#1 date=1174027852]I searched for "Hybrid Auth" and "Xauth" in the IPSecuritas config, but diddn't find anything.[/quote]
XAuth is in the release candidate for 3.0 (RC1) and can be found on the ID tab as one of the choices in the Authentication Method dropdown. Both Xauth PSK and Hybrid are there along with PSK and Certificate.
Re: ZyXEL ZyWALL 5 by omega_red on 2007-03-22 17:25:49 +0100
[quote author=Forum Admin link=1173957250/0#2 date=1174091766]Hi, the following settings will work with Zyxel's ZyWall series:
General:
Exchange Mode: Main
Proposal Check: Obey
Nonce Size: 16
Phase 1:
Life time: 8 hours (or less)
DH Group: Mod768
Encryption: DES
Authentication: MD5
Phase 2:
Life time: 8 hours (or less)
PFS Group: Mod768
Encryption: 3DES
Authentication: SHA-1
Identification:
Local Identification: FQDN (enter a name)
Remote Identification: Address
Authentication: Preshared Key (enter a password)
Options:
IPSec DOI: Enabled
SIT_IDENTITY_ONLY: Enabled
Verify Identifier: Disabled
Initial Contact: Enabled
Passive: Disabled
MODE_CFG: Disabled
NAT-T: Enabled
Generate Policy: Disabled
Support Proxy: Disabled
Request Certificate: Enabled
Verify Certificate: Disabled
Send Certificate: Enabled
Unique SA: Disabled

On the ZyWall, use the following settings:
Gateway Policy:
NAT Traversal: Enabled
My ZyWALL Address: 0.0.0.0
Remote Gateway Address: 0.0.0.0
Enabled Preshared Key (enter the same password as in IPSecuritas)
Local ID Type: IP (enter 0.0.0.0)
Peer ID Type: DNS (enter the same name as in IPSecuritas)
Negotiation Mode: Main
Encryption Algorithm: DES
Authentication Algorithm: MD5
SA Life Time: 28800
Key Group: DH1
Enabled Multiple Proposals: Disabled
Network Policy:
Active: Enabled
Name: anything
Protocol: 0[/quote]

Re: ZyXEL ZyWALL 5 by omega_red on 2007-03-22 18:25:29 +0100
It works! But I had to turn off the xauth.
My settings: IPSecuritas 2.2
[img]http://www.vanheest.nl/pf/1.tiff[/img]
10.0.0.20 is a fake address of course ;D
[img]http://www.vanheest.nl/pf/2.tiff[/img]
[img]http://www.vanheest.nl/pf/3.tiff[/img]
[img]http://www.vanheest.nl/pf/4.tiff[/img]
[img]http://www.vanheest.nl/pf/5.tiff[/img]

Re: ZyXEL ZyWALL 5 by omega_red on 2007-03-22 19:08:50 +0100
I've managed to get it working on both 2.2 and 3.0rc, but I still had to disable xauth in both versions, so that was the cause of the errors described in my first post. I hope it will be able to use xauth when the final version arrives. Thanks for the great app!

Re: ZyXEL ZyWALL 5 by nob on 2007-05-27 22:25:12 +0200
I didn't get it to work. I am behind a Zywall 5 on the net, trying to connect to the destination Zywall. Used the settings you guys got to work.
May 27, 22:21:20 Error IKE Foreground mode.
May 27, 22:21:21 Error IKE inappropriate sadb acquire message passed.
May 27, 22:21:22 Warning IKE ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
May 27, 22:21:22 Error IKE mismatched ID was returned.
May 27, 22:21:22 Error IKE failed to pre-process packet.
May 27, 22:21:22 Error IKE phase2 negotiation failed.
May 27, 22:21:26 Error IKE failed to pre-process packet.
May 27, 22:21:33 Error IKE inappropriate sadb acquire message passed.
May 27, 22:21:34 Error IKE failed to pre-process packet.
May 27, 22:21:43 Error IKE inappropriate sadb acquire message passed.
May 27, 22:21:50 Error IKE failed to pre-process packet.
May 27, 22:21:53 Error IKE 217.173.146.167 give up to get IPsec-SA due to time up to wait.
I tried different settings; mostly I get the mismatched ID.
Zywall log says:
7 2007-05-27 21:21:19 Receive IPSec packet, but no corresponding tunnel exists 87.175.225.55 217.173.146.167 IPSEC
8 2007-05-27 21:21:13 IKE Packet Retransmit 217.173.146.167 87.175.225.55 IKE

Re: ZyXEL ZyWALL 5 by bernard on 2007-07-01 00:37:19 +0200
After lots of trial-and-error, I managed to establish a VPN between my MacBook Pro/IPsecuritas and remote Zywall 5. Very cool :). However, there is one problem: while the VPN tunnel is established, the Zywall log shows:
[code]Receive IPSec packet, but no corresponding tunnel exists[/code]
exactly every 20 seconds, even when I don't do anything with this tunnel. These are the only errors in the Zywall log. Here is the IPSecuritas log:
[code]
IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386
Jun 30, 18:29:32 Info APP IKE daemon started
Jun 30, 18:29:32 Info APP IPSec started
Jun 30, 18:29:32 Error IKE Foreground mode.
Jun 30, 18:29:32 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jun 30, 18:29:32 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jun 30, 18:29:32 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jun 30, 18:29:32 Info IKE Resize address pool from 0 to 255
Jun 30, 18:29:33 Info APP Initiated connection bernard-wpb
Jun 30, 18:29:33 Error IKE inappropriate sadb acquire message passed.
Jun 30, 18:29:33 Warning IKE ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Jun 30, 18:29:35 Warning IKE attribute has been modified.
Jun 30, 18:32:47 Info APP IPSec stopping
Jun 30, 18:32:48 Info APP IKE daemon terminated
[/code]
Any idea? I did not enable connection check (of course).
Thanks, Bernard

Re: ZyXEL ZyWALL 5 by nob on 2007-12-09 16:06:42 +0100
bump. Is there a possibility to get my errors why connecting via WLAN?
Re: ZyXEL ZyWALL 5 by rmarinheira on 2008-04-23 12:40:37 +0200
Hi! I get this error on Zywall 5:
2008-04-23 10:39:06 vs. My Remote [0.0.0.0]-[0.0.0.0]
2008-04-23 10:39:06 Recv ID: SINGLE, [192.168.1.38]-[192.168.1.38]
2008-04-23 10:39:06 [ID] : Rule [] Verifying Remote ID failed:
2008-04-23 10:39:03 Receive IPSec packet, but no corresponding tunnel exists (Repeated: 18)
2008-04-23 10:39:00 IKE Negotiation is in process
What should be wrong? Regards

Re: ZyXEL ZyWALL 5 by inky on 2008-11-07 15:04:43 +0100
I get this same error on my P-662HW-D1 (not sure if this is a Zywall 5 device?). The ID settings available on the Zyxel are only IP, DNS and Email. Does anybody know what I need to use in IPSecuritas to align with any of the above? Ta.

IPSecuritas to Sonicwall doesn't delete IPSec SA

IPSecuritas to Sonicwall doesn't delete IPSec SA by Manuel on 2007-03-15 17:54:01 +0100
I'm having a problem with connecting IPSecuritas 3.0RC to a Sonicwall Pro 3060 with Enhanced firmware 3.2.0.3. I'm connecting to the Sonic's "WAN GroupVPN" policy using XAUTH and a pre-shared secret. The connection works very well. The problem only shows up when disconnecting (stopping) the tunnel: according to the firewall log, IPSecuritas apparently only sends an "IKE SA delete request", without sending an "IPSec SA delete request" first (OTOH, Sonic's Global VPN client does). The result is that the tunnel remains active indefinitely on the Sonicwall. If I now try connecting again, it will somehow connect, but the connection won't work, until I manually trigger a "renegotiate connection" on the Sonicwall and try again. Is there a way to tell IPSecuritas to send that "IPSec SA delete request" as well? Maybe some checkbox in the "options" tab that I missed?
Thanks -Manuel

RC1 and ZyWall P2

RC1 and ZyWall P2 by prahn on 2007-03-15 21:25:19 +0100
The new IPSecuritas looks very nice, especially the menu item! Thanks for the good work!
When trying to connect to our new Zywall 2 Plus I get the following errors:
Mar 15, 21:19:28 Error IKE Foreground mode.
Mar 15, 21:19:29 Warning IKE remote address mismatched. db=2.3.4.5[500], act=2.3.4.5[58137]
Mar 15, 21:19:30 Warning IKE remote address mismatched. db=2.3.4.5[500], act=2.3.4.5[58137]
Mar 15, 21:19:30 Error IKE ignore information because ISAKMP-SAhas not been established yet.
Mar 15, 21:19:30 Warning IKE remote address mismatched. db=2.3.4.5[500], act=2.3.4.5[58137]
Mar 15, 21:19:30 Error IKE ignore information because ISAKMP-SAhas not been established yet.
Mar 15, 21:20:00 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 2.3.4.5[500]->2.3.4.5[500]
I replaced our public IP with "2.3.4.5". What's wrong here? I tried so many varieties! Connecting with the VPN Tracker Demo works!?! Pls help! Thx.

Re: RC1 and ZyWall P2 by Forum Admin on 2007-03-17 01:36:27 +0100
Hi, the following settings will work with Zyxel's ZyWall series:
General:
Exchange Mode: Main
Proposal Check: Obey
Nonce Size: 16
Phase 1:
Life time: 8 hours (or less)
DH Group: Mod768
Encryption: DES
Authentication: MD5
Phase 2:
Life time: 8 hours (or less)
PFS Group: Mod768
Encryption: 3DES
Authentication: SHA-1
Identification:
Local Identification: FQDN (enter a name)
Remote Identification: Address
Authentication: Preshared Key (enter a password)
Options:
IPSec DOI: Enabled
SIT_IDENTITY_ONLY: Enabled
Verify Identifier: Disabled
Initial Contact: Enabled
Passive: Disabled
MODE_CFG: Disabled
NAT-T: Enabled
Generate Policy: Disabled
Support Proxy: Disabled
Request Certificate: Enabled
Verify Certificate: Disabled
Send Certificate: Enabled
Unique SA: Disabled

On the ZyWall, use the following settings:
Gateway Policy:
NAT Traversal: Enabled
My ZyWALL Address: 0.0.0.0
Remote Gateway Address: 0.0.0.0
Enabled Preshared Key (enter the same password as in IPSecuritas)
Local ID Type: IP (enter 0.0.0.0)
Peer ID Type: DNS (enter the same name as in IPSecuritas)
Negotiation Mode: Main
Encryption Algorithm: DES
Authentication Algorithm: MD5
SA Life Time: 28800
Key Group: DH1
Enabled Multiple Proposals: Disabled
Network Policy:
Active: Enabled
Name: anything
Protocol: 0

Re: RC1 and ZyWall P2 by prahn on 2007-03-17 08:29:50 +0100
Hi! Thanks a lot for your detailed answer. But this did not help... :-[ No specific error, but also no connection! Here is the actual log:
Mar 17, 08:27:32 Info APP IPSec started
Mar 17, 08:27:32 Error IKE Foreground mode.
Mar 17, 08:27:32 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Mar 17, 08:27:32 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Mar 17, 08:27:32 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Mar 17, 08:27:32 Info IKE Resize address pool from 0 to 255
Mar 17, 08:27:38 Info IKE the packet is retransmitted by 2.3.4.5[43397].
Mar 17, 08:27:38 Error IKE ignore information because ISAKMP-SAhas not been established yet.
Mar 17, 08:27:38 Error IKE ignore information because ISAKMP-SAhas not been established yet.
:'( :'( :'( :'(

Re: RC1 and ZyWall P2 by Forum Admin on 2007-03-17 20:11:06 +0100
Hello, please set the log level to Debug (in IPSecuritas' preferences). Could you also provide a log from the ZyWall?
Thanks, Christoph

Re: RC1 and ZyWall P2 by prahn on 2007-03-17 20:38:33 +0100
Hi! Thanks for your help, I will e-mail the log files to you.

Re: RC1 and ZyWall P2 by omega_red on 2007-03-23 22:58:45 +0100
Consider reading my topic about the Zywall 5, perhaps it helps. Xauth does not work in combination with the Zywall in my case.

Netgear FVS114 and IPSecuritas

Netgear FVS114 and IPSecuritas by ckofer on 2007-03-22 18:59:16 +0100
Does anyone here have these working together? I tried the search feature on the forum but found nothing (not even on the term netgear). Thanks in advance.
Chris in NH (USA)

Re: Netgear FVS114 and IPSecuritas by uocooper on 2007-10-26 06:46:40 +0200
I have it working with firmware V1.1_01. I originally had problems getting IPSecuritas to work because I had also installed VPN Tracker. Once I completely uninstalled VPN Tracker it worked great.

Connecting to a Linksys WRVS4400N?

Connecting to a Linksys WRVS4400N? by croatoan on 2007-03-24 15:55:06 +0100
Uhm, where to begin? I am using the QuickVPN setup on the router and all I get is the yellow dot on IPSecuritas. Any ideas?

Re: Connecting to a Linksys WRVS4400N? by DistortedLoop on 2007-04-15 09:02:47 +0200
[quote author=croatoan link=1174748106/0#0 date=1174748106]Uhm, where to begin? I am using the QuickVPN setup on the router and all I get is the yellow dot on IPSecuritas. Any ideas?[/quote]
You cannot use QuickVPN settings. I just finally got my WRVS4400N working with a MacBookPro by using ipsecuritas. The short version is: on the VPN tab, select IPSEC, and then create a new tunnel entry with a unique name. Local security group is your LAN IP series (i.e., WRVS4400N defaults to 192.168.1.0 and 255.255.255.0). Assuming you're dialing in from various locations, set Remote Security group and gateway to "any." Key management is Auto, Encryption 3DES, Authentication SHA1, PFS enable, enter your preshared key, key lifetime 28800 secs. Save the configuration, hit okay through the warning about using "any" not working with QuickVPN. Click Advanced Settings tab. Operation mode = main. Local and Remote identity use the IP address circles on both. Phase 1 encryption = 3DES and SHA1 with 1024-bit and 3600 sec. Phase 2 = 3DES and SHA1, PFS enable, 768-bit, key life 28800. Save settings.
In IPSECURITAS version 3 set up as follows:
General Tab - enter IP address of the WRVS4400N's internet presence.
Local side is Host, leave IP address blank. Remote side is Network and input the 192.168.10, CIDR=24. Phase 1 tab should match what's on the advanced settings of the router listed above; you can leave proposal check on claim and nonce size as 16. Phase 2 tab match to the router as well. ID tab = Address in both the identifiers; Authentication is your Preshared Key and password. Options tab you shouldn't need to touch, but you can enable NAT-T and add a keep-alive ping if you want.
That's good enough to get me a green light on the connection on the Mac, and an "up" status in the VPN's web interface. I'm able to ping known IP addresses on the internal network, but no joy in seeing network shares. I'll post about that in another thread.

Re: Connecting to a Linksys WRVS4400N? by croatoan on 2007-04-15 13:50:39 +0200
Thank you! I ditched the Linksys WRVS4400N after calling them when two MacBooks in our office were losing connectivity while the PCs were not. They only replied "Well, I don't really know much about Macs" without trying to transfer me to someone who did. I bought an Apple Express and it works great. I am going to use a G4 running IPSecuritas. Your tips on the settings help a lot!

Re: Connecting to a Linksys WRVS4400N? by DistortedLoop on 2007-04-15 17:01:50 +0200
[quote author=croatoan link=1174748106/0#2 date=1176637839]Thank you! I ditched the Linsys WRVS4400N after calling them when two MacBooks in our office were losing connectivity while the PCs were not. They only repled "Well, I don't really know much about Macs" and without trying to transfer me to someone who did.[/quote]
You're welcome; wish I'd been more timely in figuring this out for both our sakes. They didn't offer to transfer you to someone who knows anything about Macs because no one at Linksys knows, or even cares about Macs.
I've noticed that with the router set to mixed g/n speeds, both our Mac and PC laptops drop connections, or slow down to 1mbps connections, which is very frustrating. We switched them to our old Linksys WRT54g routers set up as Access Points (using DD-WRT firmware) and they get rock solid connections again. In N-only mode, the WRVS4400n doesn't seem to have the problem.
To be fair to Linksys, from my web searches looking for an alternative to the WRVS4400n, I don't think any brand does care about Macs for Draft-N class devices. I could not find a single device to get N-speed service on my MacBookPro - I had to resort to stealing the Airport Extreme 802.11n board out of my MacPro desktop and taking apart my laptop to replace the older model with that one (works great, but that's another story).
There's certainly a lack of interest in the Mac community for this WRVS4400n device - and given some of the hassles of setting this thing up, not sure many will bother with it. The built in VPN (ipsec) and gigabit make it, in theory, a sweet 802.11n class device - much better than Apple's Airport Extreme Base Station AEBS which lacks gigabit ethernet and only does passthrough on the VPN. I was tempted to take mine back, but I think I've had it longer than the return period, and with things starting to gel, I'm starting to be satisfied with it.
[quote]I bought an Apple Express and it works great. I am going to use a G4 running IPSecuritas. Your tips on the settings help a lot![/quote]
Did you buy the Express or the new Airport Extreme Base Station (AEBS)? The Express is the little $99 thing about the size of a deck of cards.
I have the new AEBS in our mix; this device only supports VPN passthrough, and there appear to be issues with that as seen on this Apple Support Thread: http://discussions.apple.com/thread.jspa?messageID=4046689
Depending on what you'll be using to actually host the VPN service, you could probably just use OS X's built-in client rather than needing ipsecuritas.

Re: Connecting to a Linksys WRVS4400N? by croatoan on 2007-04-17 01:28:15 +0200
Yeah, I got the AEBS in place of the WRVS4400n. I like the AEBS a lot more than the WRVS4400n. The set up interface is so much better. I knew about the gigabit ethernet but I have a gigabit switch that they run through so that was not a big deal. It is a 4 person real estate office. I was a Customer Support Engineer for Cisco Systems back in 1996-99. We used to care about all our customers. Also Cisco was actually an all Apple outfit back then but in 2000 they went to the dark side. If we did not know something we used to walk around to find someone who did. I was hoping since they bought Linksys they would have acquired some of that attitude. I guess not.

Re: Connecting to a Linksys WRVS4400N? by DistortedLoop on 2007-04-18 15:45:47 +0200
So, was your purpose in trying the 4400N to get 802.11n, or to get a hardware VPN solution? If 802.11, the AEBS sure works better with Macs in terms of connection speed and data throughput, but if you were after VPN, AEBS is only passthrough, so how are you protecting your LAN from the WAN side?
p.s. - on a side note, I think Yahoo mail is killing email notifications from this forum as spam - they're not even making it into my junk folder. Can someone post the email address they come from so I can add it to my address book? Or does that feature not work here?

Re: Connecting to a Linksys WRVS4400N? by croatoan on 2007-04-18 15:59:02 +0200
>So, was your purpose in trying the 4400N to get 802.11n, or to get a hardware VPN solution.
I wanted it all! I was hoping it would be a complete solution.
The 4400N said nothing about Macs not being able to connect. You would think that a VPN was a VPN. :-? I remember the day when an RFC was an RFC. As far as protection, I have not set up VPN or anything yet. The AEBS has a decent firewall.

Re: Connecting to a Linksys WRVS4400N? by DistortedLoop on 2007-04-18 23:12:25 +0200
Yeah, we all want it all. ;-) In retrospect, now that I've gotten VPN to work with the Mac and the 4400N, I have no regrets, and it seems easy now. IPsec has a bit of a reputation as being "voodoo" or "black magic" to set up. The problem with our Macs is that the Mac only supports L2 or PPTP VPN out of the operating system, hence the need for the third party stuff. That's a Mac issue, not the WRVS4400N's problem. Part of the allure of Linksys products was the QuickVPN solution which is supposed to make it an idiot-proof connection; and in Linksys's defense I'll say that the box does say Windows under system requirements. Like I said, once I figured out that the trick was just getting something like IPSecuritas or VPNTracker on the same page as Linksys, it's a no-brainer now. Hindsight is 20/20, though. I have to go to the Linksys forums and correct some posts I made stating that IPsecuritas wouldn't work with the 4400N. It might not have worked with the old version; I am using the newer one. I have both the AEBS and 4400N in the mix. Both have issues, but both are very good at what they do in terms of the things they do right.

Re: Connecting to a Linksys WRVS4400N? by mdaitzman on 2007-04-25 06:31:43 +0200
Thank you thank you thank you thank you thank you . . . . . . I've been banging my head against this for a few weeks . . . . I'd just about given up when I saw your post and - hurray!!!! It worked. Thanks again!

Re: Connecting to a Linksys WRVS4400N? by mdaitzman on 2007-04-25 16:16:51 +0200
Hmm - worked last night from home (VPN and my PC on a switch both running PPPoE.)
When I got to the office, on a different internet connection (both Verizon FIOS), and tried to connect I received the following:
IPSecuritas 3.0rc build 1040, Fri Dec 1 21:00:13 CET 2006, nadig
Darwin 8.8.3 Darwin Kernel Version 8.8.3: Wed Oct 18 21:57:10 PDT 2006; root:xnu-792.15.4.obj~4/RELEASE_I386 i386
Apr 25, 09:55:58 Error IKE Foreground mode.
Apr 25, 09:56:09 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Apr 25, 09:56:28 Error IKE fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Apr 25, 09:56:33 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 71.248.163.15[500]->192.168.10.168[500]
Apr 25, 09:56:38 Error IKE 71.248.163.15 give up to get IPsec-SA due to time up to wait.
Apr 25, 09:56:39 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Apr 25, 09:57:00 Error IKE fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Apr 25, 09:57:09 Error IKE 71.248.163.15 give up to get IPsec-SA due to time up to wait.
Apr 25, 09:57:09 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Apr 25, 09:57:38 Error IKE Foreground mode.
Apr 25, 09:57:41 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Apr 25, 09:58:01 Error IKE fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Apr 25, 10:01:27 Error IKE Foreground mode.
Apr 25, 10:01:30 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Apr 25, 10:11:33 Error IKE Foreground mode.
Apr 25, 10:11:35 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Apr 25, 10:11:53 Error IKE Foreground mode.
Apr 25, 10:11:57 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Apr 25, 10:12:17 Error IKE fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Apr 25, 10:12:27 Error IKE 71.248.163.15 give up to get IPsec-SA due to time up to wait.
Any ideas on how to fix? Thanks!

Re: Connecting to a Linksys WRVS4400N? by mdaitzman on 2007-05-07 22:39:41 +0200
I thought this was due to an issue with the Actiontec router; it turns out that it doesn't work from anyplace except plugged into the same switch as my WRVS4400N - so, any ideas what causes those kinds of errors? (Note, I will try with the newer RC to see if it helps and update.)

Re: Connecting to a Linksys WRVS4400N? by corbywan on 2007-06-22 05:40:03 +0200
OK, I'm going crazy. I'm new to the world of VPN but I had a CCNA and CCDA back in the day, so I'm not totally clueless. I've been trying to use the instructions above to get into my WRVS4400N with no luck. Setup is exactly as described. Looking through the logs, here is what I've found. I fought for a few hours with some messages I don't have anymore that were to the effect that my local IP subnet was the same as the remote IP subnet. Here at my house I have a Linksys WRT54 set up to use 192.168.1.0 for IPs. That's the same thing that is set up at the office. That must be a bad thing, because after I changed my network here at home to a 10net range I at least started to get a yellow light. Are there any other givens I need to know about, or should this not have been a problem? I think I'm failing in phase 1. I tried VPNTracker and its log was helpful to figure that out. Here is the log from IPSecuritas:
[code]
Jun 21, 20:26:08 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jun 21, 20:26:08 Info IKE Resize address pool from 0 to 255
Jun 21, 20:26:08 Info APP Initiated connection huh
Jun 21, 20:26:08 Error IKE inappropriate sadb acquire message passed.
Jun 21, 20:26:09 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Jun 21, 20:26:14 Error IKE fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Jun 21, 20:26:15 Info APP Initiated connection huh
Jun 21, 20:26:19 Error IKE fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Jun 21, 20:26:22 Info APP Initiated connection huh
Jun 21, 20:26:24 Error IKE OFFICE.IP.ADDRESS.HERE give up to get IPsec-SA due to time up to wait.
Jun 21, 20:26:29 Info APP Initiated connection huh
Jun 21, 20:26:29 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted.
Jun 21, 20:26:34 Error IKE fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Jun 21, 20:26:36 Info APP Initiated connection huh
Jun 21, 20:26:36 Error IKE inappropriate sadb acquire message passed.
Jun 21, 20:26:39 Error IKE fatal INVALID-MESSAGE-ID notify messsage, phase1 should be deleted.
Jun 21, 20:26:41 Warning APP Connection huh timed out
Jun 21, 20:26:41 Warning APP Giving up
Jun 21, 20:26:41 Error IKE unknown Informational exchange received.
Jun 21, 20:26:44 Error IKE OFFICE.IP.ADDRESS.HERE give up to get IPsec-SA due to time up to wait.
Jun 21, 20:27:24 Info APP IPSec stopping
Jun 21, 20:27:25 Info APP IKE daemon terminated
[/code]
Can someone please help? Does this give anyone a clue? I recommended the purchase of this box because I saw that people got it working with this app on Macs. The office is an all-Mac outfit, so if I can't get this to work we are going to have to figure something else out. Thanks in advance.

Re: Connecting to a Linksys WRVS4400N? by Forum Admin on 2007-06-22 10:58:54 +0200
Hello, the INVALID-ID-INFORMATION notification you're getting means that either the local or the remote endpoint address is not what the router expects. Most probably the 10.x.x.x range you're using is not what the router accepts - have a look at the router for the remote network range, choose an address from that range and enter it into the local endpoint address field in IPSecuritas to override the real local address, which is taken if you leave the field blank.
The reason you got the red dot before you changed your local LAN address was a collision between the local endpoint address and the remote endpoint network (both had the same range). If you want to do this, you have to enable the 'Local IP in remote Network' option for this connection (please note that it very much depends on the router whether this is supported at all).
Hope this helps, Christoph

Re: Connecting to a Linksys WRVS4400N? by corbywan on 2007-06-22 23:56:28 +0200
Thanks for the info. Still no joy. I set my home network back to 192.168.1.0/24. Here's the deal.
Office Network: Behind the router it's a 192.168.1.0/24 network.
Home Network: Behind the router it's a 192.168.1.0/24 network.
At home I have assigned my laptop 192.168.1.50, an address I know that no other machine on either network is using. I'm still getting basically the same log as above with all the INVALID-MESSAGE-ID stuff. Is the problem I'm having an IP addressing problem? I think all the security stuff is working fine.

Re: Connecting to a Linksys WRVS4400N? by corbywan on 2007-06-23 16:48:30 +0200
I was doing some more testing with VPNTracker and it looks like I'm failing phase 2. Interestingly enough, it won't even try to connect if my local subnet is the same as the remote subnet. I have to change it to anything other than whatever the remote subnet is and it makes an effort. Also, this is an aside to anyone using the WRVS4400N. If you are using Safari to manage your router, you need to turn "Block pop-up windows" off or you won't be able to access the Advanced Settings options. The Log pop-up works fine, every other pop-up works fine, but just that one won't. Hope that helps someone, because it killed me for a few hours.

Re: Connecting to a Linksys WRVS4400N? by Dave on 2007-06-24 01:24:34 +0200
[quote author=corbywan link=1174748106/0#14 date=1182610110]Interestingly enough, it won't even try to connect if my local subnet is the same as the remote subnet.
I have to change it to anything other than whatever the remote subnet is and it makes an effort.[/quote]
The local and remote subnets [b]must[/b] be different or it will never work; that is a requirement for any VPN client that I know of. I'd suggest turning up the logging level with IP Securitas (in the Preferences...) and then see if you can figure out why it is failing Phase 1.

Re: Connecting to a Linksys WRVS4400N? by corbywan on 2007-06-24 01:55:57 +0200
See, that's what I thought too, until someone told me to turn on the option for local IP on remote network, but the effects were still the same. And it seems to be passing Phase 1 and choking on Phase 2. Here is a link to the log file for the curious (link because it's too long to paste here). I have replaced the IP of the Linksys for obvious reasons.
[url]http://www.stephensfam.net/ph2fails.txt[/url]

Re: Connecting to a Linksys WRVS4400N? by corbywan on 2007-06-24 06:14:47 +0200
Is there anything I need to do with my home router other than set it to VPN passthrough? I'm not trying to bridge my home network to the office, just one computer.

Re: Connecting to a Linksys WRVS4400N? by Dave on 2007-06-25 17:03:07 +0200
[quote author=corbywan link=1174748106/15#17 date=1182658487]Is there anything I need to do with my home router other than set it to VPN passthrough? I'm not trying to bridge my home network to the office, just one computer.[/quote]
Did you enable NAT for this connection? If you are behind a home router (and given the IP address you're using, it looks like you're doing NAT), this has to be enabled for IP Securitas to work. From your log:
[i]phase2 negotiation failed due to time up waiting for phase1. ESP 71.59.168.142[500]->192.168.2.101[500][/i]
Phase 1 failed, and given the connection ports, it looks like you aren't doing NAT-T; when I enable this, it connects through port 4500 instead. So try enabling NAT on the Options page, I believe, and see if that helps.

Re: Connecting to a Linksys WRVS4400N? by corbywan on 2007-06-25 20:30:05 +0200
Thanks for the suggestion. NAT-T is set to enable, and I set the Exchange Mode to Aggressive as well. I'm still seeing port 500 in the log. I even tried NAT-T on force and no such luck.

Re: Connecting to a Linksys WRVS4400N? by corbywan on 2007-06-28 15:16:20 +0200
Christopher from Lobotomo was a HUGE help for me. Really took the time to personally help me. He found that you could not have the Remote Security Group set to Any, that it had to be set to your specific IP (your private one behind your local LAN). If you set that, and then also enter that same IP in the General tab under Host, you could connect. You can then create a tunnel for the various IPs that will be able to connect in. I tried setting mine to Subnet so I wouldn't have to worry about specific IPs, but that didn't seem to work either. It's curious that the same router can work for some people with one set of settings and not for others. Anyway, that's what did it for me. Cheers to Christopher!

Re: Connecting to a Linksys WRVS4400N? by corbywan on 2007-07-04 18:00:42 +0200
OK. This is getting a little irritating. I can get a green light every time I connect, but I'm only really connected 25% of my attempts. I can have a green light but the Status of my 4400 shows the tunnel as Down. I cannot ping the internal IP of the 4400 nor any IP on the network. Any ideas? Here is a sample from the log after a green connection. This basically repeats.
[code]
Jul 04, 08:59:06 Debug IKE ===
Jul 04, 08:59:06 Debug IKE 284 bytes message received from 71.59.168.142[4500] to 192.168.2.101[4500]
Jul 04, 08:59:06 Debug IKE 715c2b68 b5221021 a571a22a adb72c05 08102001 b73b8825 0000011c 00cdca15
Jul 04, 08:59:06 Debug IKE 5da4aea8 2dea5cbb 30630e5a 7da5a09b 8b49e65f 01420c81 129e7c9c 35c02772
Jul 04, 08:59:06 Debug IKE 71cf88d8 e3ff16cc 3e9c2f79 def46aef c9d1a904 2ad32eab 66bda644 9174d6b7
Jul 04, 08:59:06 Debug IKE 72428a62 4ce56262 db6be7fb 9630b0bb 41d918b0 d3205e5a 86522942 88c7f078
Jul 04, 08:59:06 Debug IKE 3cdfa8fe 1e1cca63 64c384e7 fae3a92e f76b0709 b18ae995 c2a4d7c6 bc797cb3
Jul 04, 08:59:06 Debug IKE 4fbfa4a6 5a90df19 7ec4d1fd 7d788f63 62d89fe1 206b3d09 e951d992 3ff25821
Jul 04, 08:59:06 Debug IKE 1f1cd1e5 6fdd8aca 4482beda 60eca6f2 971eeefd a89f8053 a2c799cc 1c234d3a
Jul 04, 08:59:06 Debug IKE 5f4f5630 1504ad97 9d8607cb 18ddea60 5f66bf50 336ff580 09bc244a 6f68cfdd
Jul 04, 08:59:06 Debug IKE 073470cc 6cea7b0d b541d062 83a2367c 5a90a295 c20c0adc dbf0d3c8
Jul 04, 08:59:06 Debug IKE configuration found for 71.59.168.142.
Jul 04, 08:59:06 Debug IKE new cookie:
Jul 04, 08:59:06 Debug IKE 4010463c6e3d15a1
Jul 04, 08:59:06 Debug IKE Marking ports as changed
Jul 04, 08:59:06 Debug IKE Adding NON-ESP marker
Jul 04, 08:59:06 Debug IKE 44 bytes from 192.168.2.101[4500] to 71.59.168.142[4500]
Jul 04, 08:59:06 Debug IKE sockname 192.168.2.101[4500]
Jul 04, 08:59:06 Debug IKE send packet from 192.168.2.101[4500]
Jul 04, 08:59:06 Debug IKE send packet to 71.59.168.142[4500]
Jul 04, 08:59:06 Debug IKE 1 times of 44 bytes message will be sent to 71.59.168.142[4500]
Jul 04, 08:59:06 Debug IKE 00000000 715c2b68 b5221021 4010463c 6e3d15a1 0b100500 ade98364 00000028
Jul 04, 08:59:06 Debug IKE 0000000c 00000001 01000004
Jul 04, 08:59:06 Debug IKE sendto Information notify.
Jul 04, 08:59:06 Error IKE can't start the quick mode, there is no ISAKMP-SA, 715c2b68b5221021:a571a22aadb72c05:b73b8825
Jul 04, 08:59:15 Debug IKE ===
[/code]

Linksys RVS4000

Linksys RVS4000 by Kender on 2007-03-27 03:45:47 +0200
Has anyone had any success connecting to a Linksys RVS4000 VPN router? Every time I try to connect I get the following log entries:
[code]
Mar 26, 16:36:11 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Mar 26, 16:36:11 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Mar 26, 16:36:11 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Mar 26, 16:36:11 Info IKE Resize address pool from 0 to 255
Mar 26, 16:38:16 Info APP IPSec stopping
Mar 26, 16:38:17 Info APP IKE daemon terminated
Mar 26, 16:38:17 Info APP IKE daemon started
Mar 26, 16:38:17 Info APP IPSec started
Mar 26, 16:38:17 Info IKE Foreground mode.
Mar 26, 16:38:17 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Mar 26, 16:38:17 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Mar 26, 16:38:17 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Mar 26, 16:38:17 Info IKE Resize address pool from 0 to 255
Mar 26, 16:38:49 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 1.1.1.1[500]->2.1.1.2[500]
Mar 26, 16:39:01 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 1.1.1.1[500]->2.1.1.2[500]
[/code]
And then it repeats. Any ideas? This happens from home (behind an Airport Extreme) and "barenaked" to the Internet.

Re: Linksys RVS4000 by Dave on 2007-03-27 05:39:09 +0200
All that says is that the phase 1 negotiations failed; I'd suggest increasing the log level in the Preferences to capture more info. While the log will get rather large, you should be able to get a better idea why the phase 1 failed.
Re: Linksys RVS4000 by mrchew on 2007-04-23 16:53:12 +0200
Has anyone been able to get the Linksys RVS4000 working with IPSecuritas? If yes, can you please post detailed configuration details. Thanks

Re: Linksys RVS4000 by Kender on 2007-06-02 15:37:34 +0200
Well, I finally got around to this - here is the full debug log of the issue.
[code]
IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386
Jun 02, 09:30:25 Info IKE Resize address pool from 0 to 255
Jun 02, 09:30:25 Debug IKE lifetime = 3600
Jun 02, 09:30:25 Debug IKE lifebyte = 0
Jun 02, 09:30:25 Debug IKE encklen=0
Jun 02, 09:30:25 Debug IKE p:1 t:1
Jun 02, 09:30:25 Debug IKE 3DES-CBC(5)
Jun 02, 09:30:25 Debug IKE MD5(1)
Jun 02, 09:30:25 Debug IKE 768-bit MODP group(1)
Jun 02, 09:30:25 Debug IKE pre-shared key(1)
Jun 02, 09:30:25 Debug IKE compression algorithm can not be checked because sadb message doesn't support it.
...
Jun 02, 09:30:25 Info APP Initiated connection Remax-GV
Jun 02, 09:30:25 Debug IKE get pfkey ACQUIRE message
...
Jun 02, 09:30:25 Error IKE inappropriate sadb acquire message passed.
Jun 02, 09:30:25 Debug IKE get pfkey ACQUIRE message
Jun 02, 09:30:25 Debug IKE 02060003 14000000 27000000 9f4b0000 03000500 ff200000 10020000 0a00012a
Jun 02, 09:30:25 Debug IKE 00000000 00000000 03000600 ff200000 10020000 42b853a2 00000000 00000000
Jun 02, 09:30:25 Debug IKE 0a000d00 20000000 000c0000 00000000 00010001 00000000 01000000 01000000
Jun 02, 09:30:25 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000
Jun 02, 09:30:25 Debug IKE 80700000 00000000 00000000 00000000 02001200 02000200 07000000 00000000
Jun 02, 09:30:25 Debug IKE suitable outbound SP found: 10.0.1.42/32[0] 192.168.10.0/24[0] proto=any dir=out.
Jun 02, 09:30:25 Debug IKE sub:0xbffff55c: 192.168.10.0/24[0] 10.0.1.42/32[0] proto=any dir=in
Jun 02, 09:30:25 Debug IKE db :0x308b78: 192.168.10.0/24[0] 10.0.1.42/32[0] proto=any dir=in
Jun 02, 09:30:25 Debug IKE suitable inbound SP found: 192.168.10.0/24[0] 10.0.1.42/32[0] proto=any dir=in.
Jun 02, 09:30:25 Debug IKE new acquire 10.0.1.42/32[0] 192.168.10.0/24[0] proto=any dir=out
Jun 02, 09:30:25 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
Jun 02, 09:30:25 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-sha)
Jun 02, 09:30:25 Debug IKE in post_acquire
Jun 02, 09:30:25 Debug IKE configuration found for xx.xxx.xx.162.
Jun 02, 09:30:25 Info IKE IPsec-SA request for xx.xxx.xx.162 queued due to no phase1 found.
Jun 02, 09:30:25 Debug IKE ===
Jun 02, 09:30:25 Info IKE initiate new phase 1 negotiation: 10.0.1.42[500]<=>xx.xxx.xx.162[500]
Jun 02, 09:30:25 Info IKE begin Base mode.
Jun 02, 09:30:25 Debug IKE new cookie:
Jun 02, 09:30:25 Debug IKE 88c9d13eecd614ad
[/code]

Re: Linksys RVS4000 by Dave on 2007-06-03 03:53:03 +0200
One thing that is kind of odd is that it is doing BASE mode negotiation. Most VPN endpoints do either Main (for certificates, I think) or Aggressive (required if you're behind a NAT router, I believe). Try using Main, Aggressive or just Aggressive and see what you get.

Re: Linksys RVS4000 by cheese2 on 2007-06-06 01:00:14 +0200
I am pretty much in the same boat - can't connect to my brand new RVS4000 for love nor money. My log looks just exactly like Kender's (except for the IPs, of course...). One question I do have - in the previous firmware for the 4000 you could specify the remote security gateway as Any, but in the most recent version you must specify either an IP or an IP + domain name. You can specify the remote group as Any. By my understanding this means that it won't work with a roaming endpoint (i.e. my MacBook running IPSecuritas), or am I confused?
(Probably.) Even when I do put my IP address in, it still won't connect...

Re: Linksys RVS4000 by corbywan on 2007-06-25 08:52:14 +0200
I've posted in another thread on this and I know people are looking into it. I have a WRVS4400N and am having the same issue. My log looks pretty much identical.

Re: Linksys RVS4000 by corbywan on 2007-06-28 15:15:35 +0200
Christopher from Lobotomo was a HUGE help for me. Really took the time to personally help me. He found that you could not have the Remote Security Group set to Any, that it had to be set to your specific IP (your private one behind your local LAN). If you set that, and then also enter that same IP in the General tab under Host, you could connect. You can then create a tunnel for the various IPs that will be able to connect in. I tried setting mine to Subnet so I wouldn't have to worry about specific IPs, but that didn't seem to work either. It's curious that the same router can work for some people with one set of settings and not for others. Anyway, that's what did it for me. Cheers to Christopher!

Re: Linksys RVS4000 by jklinephd on 2007-07-04 08:23:09 +0200
Can you outline the settings both for the router and the settings for the computer connecting to the server? I cannot get this to work. Thanks, Jeff

Re: Linksys RVS4000 by cnadig on 2007-07-04 09:31:57 +0200
Hi, basically, follow the setup description for the Linksys WRV200 (http://www.lobotomo.com/products/IPSecuritas/howto/Linksys%20WRV200%20HOWTO.pdf), but don't set the Remote Secure Group (page 3) to Any but to any other address instead (preferably a private address from RFC 1918 like 10.x.x.x - it should not be part of the LAN behind the router). Enter the same address as the virtual IP address in IPSecuritas (page 6). If multiple users need simultaneous access, you need a separate tunnel for each (identical settings except for the remote secure group address; the preshared secret must be the same for all tunnels!).
Hope this helps, Christoph

Re: Linksys RVS4000 by davewu on 2007-08-01 12:44:14 +0200
Hello, I have the same problem, but Christoph's suggestions did not work for me. Can someone please post a working setup. Thanks, David

Re: Linksys RVS4000 by rnoser on 2007-11-27 08:47:22 +0100
I would truly appreciate any info anyone can give regarding getting the RVS4000 to work with IPSecuritas. It feels like I've been beating my head against a wall trying to get it to work. It's probably something real easy, but it feels like I've had every setting/option in every possible configuration. Thanks in advance!

Re: Linksys RVS4000 by roborino on 2007-11-28 12:34:27 +0100
I am in the same boat. I have tried just about anything and would really appreciate some help. The notes above have been tried without success. Any assistance would be much appreciated. I have tried to follow the how-to guide on the WRV200 to no avail. Thanks!

Re: Linksys RVS4000 by roborino on 2008-02-28 15:27:26 +0100
Really hard to believe that no one has a working version of this with the RVS4000. Is there a better solution? Desperately need a VPN solution that works within a Mac environment. Thanks in advance!!!

Re: Linksys RVS4000 by marcus178 on 2008-06-30 11:46:41 +0200
Has anyone found a way to connect to the RVS4000? Tried all sorts and just can't get it to work.

Problem with connection

Problem with connection by epoc1000 on 2007-03-31 13:08:23 +0200
Hi, I have a problem when I try to connect to our Sonicwall. I have these error logs. I configured everything similar to VPN-Tracker, where it worked perfectly. Can anyone tell me where I can track for errors or what I can do:
Mar 31, 13:00:48 Debug IKE suitable outbound SP found: 192.168.2.10/32[0] 192.168.1.0/24[0] proto=any dir=out.
Mar 31, 13:00:48 Debug IKE sub:0xbffff560: 192.168.1.0/24[0] 192.168.2.10/32[0] proto=any dir=in
Mar 31, 13:00:48 Debug IKE db :0x308958: 192.168.1.0/24[0] 192.168.2.10/32[0] proto=any dir=in
Mar 31, 13:00:48 Debug IKE suitable inbound SP found: 192.168.1.0/24[0] 192.168.2.10/32[0] proto=any dir=in.
Mar 31, 13:00:48 Debug IKE new acquire 192.168.2.10/32[0] 192.168.1.0/24[0] proto=any dir=out
Mar 31, 13:00:48 Error IKE failed to get sainfo.
Every time it ends with "failed to get sainfo". Bye

Re: Problem with connection by Dave on 2007-04-01 03:36:22 +0200
The first thing I always suggest is to turn up the debugging level in the Preferences; it might make it easier to see what is going on before things fail. I'm guessing that sainfo is "Security Association Info" but I don't know any more than that. Given that both of these addresses are "fake," might you need to turn on NAT-T?

Anyone have success w/ xAuth yet?

Anyone have success w/ xAuth yet? by leopard on 2007-04-13 02:59:39 +0200
Has anyone had success getting xAuth to work against any appliance? :-?

Re: Anyone have success w/ xAuth yet? by Dave on 2007-04-13 04:17:39 +0200
I've got xAuth working against a SonicWall TZ170 (I think that is the model). I have to drop the MTU down to 1400 manually to get the connection not to fragment and drop packets, but once it is working, I can bring it back up to 1500. But the xAuth part works flawlessly.

Re: Anyone have success w/ xAuth yet? by leopard on 2007-04-13 16:00:58 +0200
I have a FortiGate 100A that I can get VPN access to. But the second I implement xAuth my phase 1 negotiation fails. FortiGate support cannot deduce what is failing. The IPSecuritas log shows the following:
Apr 09, 10:38:46 Info IKE Resize address pool from 0 to 255
Apr 09, 10:38:47 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Apr 09, 10:38:47 Warning IKE Ignored short attribute XAUTH_USER_NAME
Apr 09, 10:38:47 Warning IKE Ignored short attribute XAUTH_USER_PASSWORD
Anyone have any input?? Thanks.

Re: Anyone have success w/ xAuth yet? by pingu on 2007-04-30 18:24:39 +0200
We've got it working with a Sonicwall 3060; finicky, but it works eventually. No luck getting the Sonicwall to look up XAuth user info from OpenDirectory though. Anybody had luck with this? Dan

Re: Anyone have success w/ xAuth yet? by lleung on 2007-05-23 08:26:37 +0200
Just to add my $.02 into the pot.. I have 4 FortiGates: 300A, 100A, 60ADSL and 60M (they're all linked via IPsec tunnels). Like everyone else, everything works on all 4 of them except xauth. If it means anything, I also have VPN Tracker. VPN Tracker handles it fine in aggressive mode + xauth using PAP. If anyone at Lobotomo is interested, I can set up a test connection for you to experiment on.

Re: Anyone have success w/ xAuth yet? by cnadig on 2007-05-25 14:39:36 +0200
Hello, the problem could be solved thanks to the great support from Lynda (lleung) in providing a test account. The fix will be included in the final 3.0 release, to be released this coming Sunday, and will work on other types of firewalls too, if any of the following log lines appeared when using XAUTH:
Ignored short attribute XAUTH_USER_NAME
Ignored short attribute XAUTH_USER_PASSWORD
Cheers, Christoph

Using 3.0 to connect to Windows in transport mode

Using 3.0 to connect to Windows in transport mode by Athanyel on 2007-04-13 21:44:24 +0200
I am aiming to establish IP Security in transport mode to a Windows 2003 server for just the standard SMB/CIFS ports (UDP 137 and 138, TCP 139 and 445). I have built a Windows server that requires IPSec on these four ports and uses certificates for authentication. All of my Windows machines (both on my domain and off of my domain) are working just fine. I hope to use 3.0 as the primary IPSec UI for our Macintosh customers.
The ability to easily import both the configuration and PKCS#12 certificates in 3.0 would greatly simplify the deployment of IPSec to my user community. With 2.2, I am able to establish an IPSec connection to my Windows server with certificate-based authentication. I can then connect to the locked-down ports with IPSecuritas. Once the connection is established, 2.2 is encrypting ALL traffic to the server. I haven't found a way (if there is one) to only encrypt traffic on the four ports. With 3.0, I am able to connect (I get the little green ball) and the Windows server declares that main mode and quick mode were successfully negotiated and that a security association is in place. Once established, I cannot actually connect to the secured ports on my server. I am testing the IPSec connection to the server by pinging the server and attempting to connect to both a port that I do not protect (WebDAV over SSL on port 443) and a port I do protect (SMB/CIFS on port 139). When 2.2 is connected, the pings do not go through and I cannot connect to port 443, but I can connect to 139. As soon as I stop IPSec on 2.2, the pings go through, I can connect to the WebDAV share and I lose my connection to port 139. With 3.0, I can ping the server and connect to port 443 but cannot connect to port 139, regardless of what 3.0 declares the state of the IPSec connection to be. My primary concern is making 3.0 work in a similar fashion to 2.2. I'm not really worried about the client blindly attempting to encrypt all traffic to my server. I just need to make sure that I am actually encrypting the data that I need to have encrypted. Does anyone know of anything I can modify/test? I am establishing my connection as follows:
GENERAL
Remote IPSec device is set to the DNS name of the server I am attempting to connect to. Both the Local and Remote Side are set to Host with Transport Mode checked.
PHASE 1
Lifetime: 8 hours
DH Group: 1024 (2)
Encryption: 3DES
Authentication: SHA-1
Exchange Mode: Main
Proposal Check: Obey
Nonce Size: 16
PHASE 2
Lifetime: 8 hours
PFS Group: 1024 (2)
Encryption: 3DES
Authentication: HMAC SHA-1

Re: Using 3.0 to connect to Windows in transport m by Dave on 2007-04-13 23:53:57 +0200
I'll recommend setting the MTU on the Mac down to 1400 and see if things work then. I've had to do this once a connection is established to get packets not to fragment and get dropped. Oddly enough, once packets are flowing, I can boost the MTU back up to 1500 and it still works! :) But try that and see if it lets you connect.

Re: Using 3.0 to connect to Windows in transport m by Athanyel on 2007-04-14 00:24:06 +0200
I followed the instructions in http://docs.info.apple.com/article.html?artnum=303192 and set the MTU to 1400. I then shut down the 3.0 daemon (Command+Option+Q) and restarted IPSecuritas 3.0. I repeated my tests as outlined in the original post. No joy. :-[

Re: Using 3.0 to connect to Windows in transport m by Dave on 2007-04-14 04:22:57 +0200
That's not what I did. I changed the MTU to 1400 [i]while[/i] the connection was active; that seemed to "wake it up." Short of that, you can try pinging the Windows box using the "Do not Fragment" bit and an increasingly higher ping packet size until it fragments, and see what happens. I can't say if this will fix anything, only that it worked for me.

Re: Using 3.0 to connect to Windows in transport m by Athanyel on 2007-04-16 17:13:59 +0200
Argh! No luck there either! I toggled the MTU all over the map (every hundred from 500 to 1500) and nothing at all. Next up, I bombarded it from the Windows server... nothing (from tiny packets to packets bigger than the client's MTU). It's like the policy on the IPSecuritas side is "don't encrypt anything". It's negotiating... and then not encrypting! Do you know of a way to view the active policy? In Windows, it's really straightforward. Thanks!
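Dave's "set the MTU to 1400" advice (here and in the xAuth thread above) comes down to ESP overhead: a 1500-byte packet plus the ESP headers, padding, ICV and, with NAT-T, the UDP header no longer fits a 1500-byte link, so the outer packet fragments. As an added example, not from any post and not IPSecuritas code, here is that arithmetic for the Phase 2 proposal the posts use (3DES-CBC with HMAC-SHA1), in tunnel mode with and without NAT-T and in transport mode; the constant names are mine, and IPv4 headers without options are assumed.

```python
"""ESP overhead and the largest packet that fits a link MTU.

Added example, not from IPSecuritas or from any post.  Sizes follow RFC 4303
(ESP header and trailer), RFC 2451 (3DES-CBC: 8-byte IV, 8-byte block),
RFC 2404 (HMAC-SHA1-96: 12-byte ICV) and RFC 3948 (UDP encapsulation for
NAT-T), matching the Phase 2 proposals used in this thread.  IPv4 headers
without options are assumed.
"""
INNER_IP = 20      # IPv4 header of the packet being protected (no options)
OUTER_IP = 20      # new outer IPv4 header added in tunnel mode
UDP_NATT = 8       # UDP header when NAT-T is negotiated (port 4500)
ESP_HDR = 8        # SPI + sequence number
IV_3DES = 8        # CBC IV, one cipher block
ESP_TRAILER = 2    # pad length + next header
ICV_SHA1_96 = 12   # truncated HMAC-SHA1 authenticator
BLOCK = 8          # 3DES block size; plaintext + trailer is padded to it


def esp_padding(protected_len):
    """Padding so that protected data + trailer is a multiple of the block size."""
    return (BLOCK - (protected_len + ESP_TRAILER) % BLOCK) % BLOCK


def encapsulated_size(inner_len, nat_t=True, tunnel=True):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes.

    Tunnel mode encrypts the whole inner packet and prepends a new IP header;
    transport mode keeps the inner IP header in the clear and protects only
    what follows it."""
    protected = inner_len if tunnel else inner_len - INNER_IP
    clear_ip = OUTER_IP if tunnel else INNER_IP
    return (clear_ip + (UDP_NATT if nat_t else 0) + ESP_HDR + IV_3DES
            + protected + esp_padding(protected) + ESP_TRAILER + ICV_SHA1_96)


def max_inner_packet(link_mtu, nat_t=True, tunnel=True):
    """Largest inner packet whose encapsulation still fits link_mtu, i.e. the
    interface MTU to set on the client so the outer packet is never fragmented."""
    inner = link_mtu
    while encapsulated_size(inner, nat_t, tunnel) > link_mtu:
        inner -= 1
    return inner


def max_df_ping_payload(link_mtu, nat_t=True, tunnel=True):
    """Largest ICMP echo data size that crosses the tunnel with DF set (inner IP
    header and 8-byte ICMP header removed): what a DF ping sweep like the one
    Dave describes would find, computed rather than measured."""
    return max_inner_packet(link_mtu, nat_t, tunnel) - INNER_IP - 8


if __name__ == "__main__":
    for mtu in (1500, 1400):
        print(f"inner {mtu}: {encapsulated_size(mtu)} bytes on the wire with NAT-T")
    print("client MTU that fits 1500 with NAT-T:", max_inner_packet(1500))
    print("largest DF ping payload:", max_df_ping_payload(1500))
```

A 1400-byte inner packet encapsulates to well under 1500 bytes, which is why Dave's setting works; the exact ceiling for this cipher suite is a little higher, and `max_df_ping_payload` gives the data size at which a DF ping (`ping -f -l <size>` on Windows, `ping -D -s <size>` on macOS) should stop getting through.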
Re: Using 3.0 to connect to Windows in transport m by Athanyel on 2007-04-17 21:11:22 +0200
I got it! If you're using 3.0rc in Transport mode, you need to first clear the "Transport Mode" checkbox on the General page for your connection. Specify the IP address of the machine you want to connect to in the "IP Address" field of the "Remote Side" area of the General page. Then check the "Transport Mode" option again. In 2.2, setting the Mode of Operation to "Host To Host (Transport)" appears to use the Remote IPSec Device to determine the IP address that data will be encrypted to. In my mind, 3.0 should be operating the same way as 2.2 (i.e. when 3.0 is in Transport mode, the policy should be defined by the "Remote IPSec Device" and not by the "IP Address" field in the "Remote Side" area of the "General" page). I'll be sending this along to the support@lobotomo.com address as well.

Re: Using 3.0 to connect to Windows in transport m by Forum Admin on 2007-04-20 12:56:13 +0200
Hi, this is indeed a bug, thank you very much! I have fixed this and will have to release a final release candidate soon. Cheers, Christoph

Re: Using 3.0 to connect to Windows in transport m by Athanyel on 2007-05-30 23:38:02 +0200
Alright, I've now gone back and tried this with the final release... and it stopped working! My configuration has not changed since what I listed here. I've got two Macs set up. Both are clean installs of 10.4 and updated to 10.4.9. One has 3.0rc installed and the other 3.0 final. In the 3.0rc build, I was able to establish the connection after:
[list]
[*]Clearing the "Transport Mode" checkbox on the General page for your connection
[*]Setting the IP address of the machine I want to connect to in the "IP Address" field of the "Remote Side" area of the General page.
[*]Checking the "Transport Mode" option again.
[/list]
In 3.0 final, I click "Start" and the main window shows "IPSec active", then very quickly "IPSec inactive".
The debug log shows that the ISAKMP-SA is established between the two hosts. Immediately after, it declares "begin QUICK mode" and then reads "IKE daemon terminated" after "compute DH's private" and "compute DH's public". HELP!

Unable to see network shared drives

Unable to see network shared drives by DistortedLoop on 2007-04-15 09:10:33 +0200
I did a bit of searching and can't find if this has been asked before - forgive me if it's an asked-and-answered question. I've managed to get my MacBook Pro to connect into my LAN using IPSecuritas v3rc. The router is a Linksys WRVS4400N. The router shows a valid IPsec tunnel in place, and I am able to ping all valid addresses on the internal network, and I can access those devices (a network attached storage device and several routers/access points) that have web interfaces by typing their IP address into Safari. The problem is I can't see any of my network drives, or other Mac machines, in Finder's Network. Should I be able to? The whole purpose of VPN into the network is to have access to shared files while on the road. Any ideas what I am doing wrong? Should Bonjour work? I've read it doesn't through a VPN. I do have "windows sharing" turned on in OS X System Preferences, and the network attached drive plugs straight into the router's ethernet ports.
UPDATE: If I look real close at Finder, just as my VPN connection finishes negotiations, I see the network shares flash momentarily in Finder, and then disappear. I'm also able to get dir listings of SMB/CIFS shares by using the smbclient command in Terminal, though the "get" command seems to fail for actually transferring a file. Any ideas?

Re: Unable to see network shared drives by DistortedLoop on 2007-04-15 20:23:53 +0200
Okay!
Figured out a workaround for this "problem" (if indeed it is a problem and not a design feature) all on my own: Once the VPN tunnel is established, I can go to the Finder menu bar, select Go, Connect To Server (Command-K), then type in the IP address of the shared drive I am looking for. The normal connect menu from Finder then pops up and allows you to select which particular share you're looking to connect to. I've loaded every drive on the network this way, except for one - the USB drive that's shared on my Airport Extreme Base Station. This one may take some more time to figure out.

profiles and mode_cfg

profiles and mode_cfg by coreyva on 2007-04-17 08:09:56 +0200
Using 3.0rc, I created a few profiles for various connections. The problem is I am unable to change the profile from the pulldown. Selecting it does nothing. Anyone else seen this? My bigger issue is with mode_cfg. I need to be able to specify an ippool on my firewall (NetScreen 25), but once I do, and enable mode_cfg, I can no longer connect. I am able to with VPN Tracker, using that configuration. Aside from those two issues, it works great for me.

Re: profiles and mode_cfg by coreyva on 2007-04-17 18:09:36 +0200
Actually, the pulldown does work, but it will only activate at the very bottom edge of the pulldown. Still not getting mode_cfg to function. XAUTH works nicely though.

IPSECURITAS working everywhere but not on MACPRO

IPSECURITAS working everywhere but not on MACPRO by senzex on 2007-04-20 19:05:47 +0200
Hello there, I've set up some NETGEAR FVS124G, and I'm able to connect to them with no pb from almost anywhere. My problem is that I'm working 4 days a week at an office at which I'm happy to drive a MacPro. I've entered the exact same settings on the MacPro and it is a NO GO. Nothing, nada. The red pill status stays [b]RED[/b]; it does not even get [b]orange[/b] (meaning something is going on).
Just to be sure, I log on to the web interface to check the VPN STATUS window, but nothing happens, everything stays IDLE. I just don't understand. I've installed Boot Camp and was, until not long ago, only working on W$ ;( (not MY choice). From now on I'm using Parallels with much joy, so I'm back at my favorite OS. I thought first that somehow Parallels was the culprit, but with or without it nothing happens. Another thing is that we are behind 2 IPCop boxes (v3!! I know it's just so old... as IPCop is now at v10 or v11... but I can't make them change this for now) -> so I was wondering if IPCop may be the one(s) that tricks me. Again, I don't know. At home or other offices, as soon as I'm connected it's just OK in a bunch of seconds and I can see any of the computers on the remote networks (via Apple Remote Desktop and/or Finder). And here just nothing happens. So if anyone has any idea, I'll be glad to read it ;) Because right now I have to launch Apple Remote Desktop on the Mac Pro, then remote connect to my "home" server, then from there start IPSECURITAS and launch Remote Desktop, and from there I can see what I want. But it's just not very simple nor handy (it works but... you know, I just want to get it from here, the office I'm talking about). Office1->remotedesktop->Server->IPSEC+remotedesktop->Target Office(s) pfff many connections. Hope I was clear enough and pardon my bad English. IPSecuritas 3 is just what I wanted and saved me some AppleScript coding to switch settings ;), it just rocks....

IPSecuritas works /w Check Point VPN-1 NGX (R65)
by dantro on 2007-04-24 14:03:43 +0200
Hi, after struggling with the software a bit I finally got IPSecuritas 3.0 rc working with our Check Point VPN-1 NGX (R65) firewall. Respect to the Lobotomo dev team. Now we are not limited anymore to Check Point's aged SecureClient R65 for OS X. It always slowed down our hosts once installed.
Best regards, Danny Trommer CCSA/CCSE/CCSE+

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by skyb on 2007-05-21 13:36:56 +0200
Hi Danny, currently I have problems connecting with our Checkpoint, too. It would be great if you could tell me how it worked for you. Christoph

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by Mr.Bove on 2007-10-22 19:28:09 +0200
[quote author=dantro link=1177416223/0#0 date=1177416223]Hi, after struggling with the software a bit I finally got IPSecuritas 3.0 rc working with our Check Point VPN-1 NGX (R65) firewall. Respect to the Lobotomo dev team. Now we are not limited anymore to Check Point's aged SecureClient R65 for OSX. It always slowed down our hosts once installed. Best regards, Danny Trommer CCSA/CCSE/CCSE+[/quote]
I'm new to the Mac world; I would really like to know how to configure the IPSecuritas client to work with Checkpoint VPN-1 NGX. Without revealing too much info, can you send me what you did?

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by pstouffer on 2007-11-02 22:06:02 +0100
Trying to get IPSecuritas to talk to Checkpoint VPN-1. Has anyone gotten this to work, and if so, what settings needed to be changed from the wizard settings? Pete

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by asnow_hk on 2007-11-17 06:22:55 +0100
I am also trying to get this to work, but have not been able to. In my CheckPoint setup I have the following:
Authentication: Scheme: SecurID
User name: <my username>
"Use Key FOB hard token"
Profile: Advanced: "Office Mode"
Once connected I have the following in the Status: Office Mode IP: 10.88.8.xxx (can I assume that the network is 10.88.8.0/24?). So essentially I use my username, password and tokencode to log in. I've not noticed any tokencode prompt in IPSecuritas. Is there one!? Is it possible for someone to help me please? I'd like to know how to translate this seemingly simple setup into an IPSecuritas connection.
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by mangus on 2007-11-18 18:13:59 +0100
I have had both success and failures trying to connect to our Checkpoint VPN-1 firewall using the wizard setup. Once I achieved success connecting I thought my troubles were over, but unfortunately this was not to be the case. Since the initial success I later had problems connecting with the same settings. Not knowing much about the technical aspects of VPN, I decided to save a debug log for the failed attempts and then compare them to a successful attempt. I just now managed to get a connection again, and here are my findings comparing the two log files. Please note that just before achieving success again I had been connected to the firewall through the Checkpoint client inside of VMware Fusion. This may or may not be the key to success. I have still to verify this, when I'm back to failing. Anyhow... Here's what I can see when I compare the log files: Just above the log row that reads "Initiated connection Checkpoint" I get a "msg 5 not interesting" in the successful attempt. Not so in the failed attempt. Later, after negotiations on encryption, hash and authentication seem to be finished, the log states "Adding NON-ESP marker" and then the client sends 88 bytes of data. In the successful attempt the firewall responds with a 1652-byte-long message, while in the failed attempt only 76 bytes are received. After this, things seem to go really bad in the failed attempt, spawning messages like "Short payload" and "mode config 6 from xxx.xxx.xxx.xxx[4500], but we have no ISAKMP-SA." As I said, I don't know anything about anything VPN, but maybe this could help somehow... (Update: Since finishing this post I was back to failing, so I launched VMware and connected with the Checkpoint client to see if this would help IPSecuritas, but it didn't. So VMware doesn't seem to have anything to do with success/failure rates.)
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by mmulin on 2007-12-11 12:45:45 +0100
Hey guys, at least for the ones who get partial success, could you please publish your IPSecuritas settings? I am not trying to be smart here, but, first, others might be able to help better, and for the ones, like me, who have no success at all, it might bring them onto the right path. Thanks

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by bugfish on 2007-12-13 00:35:19 +0100
Well, I upgraded to Leopard, which killed SecureClient. After some fiddling, I got IPSecuritas working with our Checkpoint setup at work, and since people are asking, here are all the settings I'm using. Of course some of these are probably specific to my place of employment. I used the wizard and chose Checkpoint VPN-1, but I made a few changes. Here are the settings from each tab. I HOPE THIS HELPS SOMEONE!
General:
  Remote IPSec Device: (our VPN IP at work)
  Local Side: Endpoint Mode: Host
  Remote Side: Endpoint Mode: Anywhere
Phase 1:
  Lifetime: 10 minutes
  DH Group: 1024 (2)
  Encryption: 3DES
  Authentication: SHA-1
  Exchange Mode: Main
  Proposal Check: Obey
  Nonce Size: 16
Phase 2:
  Lifetime: 10 minutes
  PFS Group: 768 (1)
  Encryption: DES, 3DES, AES 256, AES 192, AES 128 (the rest are unchecked)
  Authentication: HMAC MD5, HMAC SHA-1 (the rest are unchecked)
ID:
  Local Identifier: User FQDN (filled in with my user name at work)
  Remote Identifier: User FQDN (filled in with my user name at work)
  Authentication Method: XAuth RSA
  Username: (filled in with my user name at work)
  Password: (filled in with my current password at work)
DNS: (all blank)
Options: IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, Request Certificate, Send Certificate, Unique SAs, IKE Fragmentation
NAT-T: Force
Action after connection timeout: Retry immediately

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by mmulin on 2007-12-13 08:11:26 +0100
Thanks, that actually helped me too. I have one problem though.
My routes are not locally updated as would happen with SecureClient. I need to specify all 120 networks under the "remote networks" settings manually. Now, I wonder, if I use the same configuration and choose the "Anywhere" option it doesn't connect at all. Any thoughts there?

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by travelguy2500 on 2007-12-29 23:51:16 +0100
I followed all of bugfish's suggestions and it connects just fine (thanks!!) but I can't browse any web pages. I'm new to Mac (my first Mac - have always been a PC person) and was wondering if anybody has any assistance on how to get web pages to view.

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by bugfish on 2007-12-30 01:10:33 +0100
The inability to get to web pages with my setup is probably because I left the DNS settings all blank. I left mine blank because I don't need them for what I connect to work for (it's all IP address based). But if you know the DNS IP addresses at work and plug those in, you'll probably get the web back.

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by travelguy2500 on 2007-12-30 03:50:13 +0100
Thanks for the prompt reply. Tried adding in my local DNS server IP addresses but still no luck. I'm getting the green light to show a connection, but something isn't allowing me to get to any internet addresses. I tried to ping the DNS server but that's coming back failed. Any ideas?

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by macman365 on 2008-01-18 08:16:26 +0100
Based on the settings posted by bugfish (thanks!), I can now connect to my work VPN. I did specify "Anywhere" for the remote side endpoint and that does allow me to see every network on my office LAN. However, I need to access my local network at the same time (for printing), but if I set the local side endpoint mode to "Network" rather than "Host" the connection isn't even attempted.
Below is the full "Debug" log when I try to connect:
IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Jan 18, 07:12:09 Info APP IPSec authenticating
Jan 18, 07:12:09 Info APP IKE daemon started
Jan 18, 07:12:09 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER
Jan 18, 07:12:09 Info APP IPSec started
Jan 18, 07:12:09 Warning IKE Foreground mode.
Jan 18, 07:12:09 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jan 18, 07:12:09 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jan 18, 07:12:09 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jan 18, 07:12:09 Info IKE Resize address pool from 0 to 255
Jan 18, 07:12:09 Debug IKE parse successed.
Jan 18, 07:12:09 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management.
Jan 18, 07:12:09 Debug IKE my interface: fe80::1%lo0 (lo0)
Jan 18, 07:12:09 Debug IKE my interface: 127.0.0.1 (lo0)
Jan 18, 07:12:09 Debug IKE my interface: ::1 (lo0)
Jan 18, 07:12:09 Debug IKE my interface: 172.16.1.14 (en1)
Jan 18, 07:12:09 Debug IKE my interface: fe80::21c:42ff:fe00:0%en2 (en2)
Jan 18, 07:12:09 Debug IKE my interface: 10.37.129.2 (en2)
Jan 18, 07:12:09 Debug IKE my interface: fe80::21c:42ff:fe00:1%en3 (en3)
Jan 18, 07:12:09 Debug IKE my interface: 10.211.55.2 (en3)
Jan 18, 07:12:09 Debug IKE configuring default isakmp port.
Jan 18, 07:12:09 Debug IKE 8 addrs are configured successfully
Jan 18, 07:12:09 Info IKE 10.211.55.2[500] used as isakmp port (fd=6)
Jan 18, 07:12:09 Info IKE fe80::21c:42ff:fe00:1%en3[500] used as isakmp port (fd=7)
Jan 18, 07:12:09 Info IKE 10.37.129.2[500] used as isakmp port (fd=8)
Jan 18, 07:12:09 Info IKE fe80::21c:42ff:fe00:0%en2[500] used as isakmp port (fd=9)
Jan 18, 07:12:09 Info IKE 172.16.1.14[500] used as isakmp port (fd=10)
Jan 18, 07:12:09 Info IKE ::1[500] used as isakmp port (fd=11)
Jan 18, 07:12:09 Info IKE 127.0.0.1[500] used as isakmp port (fd=12)
Jan 18, 07:12:09 Info IKE fe80::1%lo0[500] used as isakmp port (fd=13)
Jan 18, 07:12:09 Debug IKE get pfkey X_SPDDUMP message
Jan 18, 07:12:09 Debug IKE 02120200 02000000 00000000 b50c0000
Jan 18, 07:12:09 Debug IKE pfkey X_SPDDUMP failed: No such file or directory
The last line of the log appears to be the real clue. What file or directory is it looking for?

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by brantwinter on 2008-01-20 14:05:27 +0100
I am having the same issue. My VPN (IPSecuritas -> DrayTek 2800) was working fine yesterday, but today keeps failing with error: pfkey X_SPDDUMP failed: No such file or directory. Funny thing is, I have another profile in IPSecuritas set up that goes off to a different VPN endpoint that continues to work fine. I have used Frameseer to look at the outgoing traffic on both setups; the one that works does a DNS lookup first, the failing VPN configuration sends NO traffic out the interface at all. Just out of interest, my psk.txt file in /Library/Application Support/Lobotomo Software/IPSecuritas/ is empty... Obviously psk.txt gets overwritten each time the VPN config loads. When I use the VPN config for my working VPN I have entries in the psk.txt file. In my non-working VPN setup, the psk.txt remains empty. WTF????? As I said previously, this same VPN config worked fine yesterday....
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by macman365 on 2008-01-22 16:45:12 +0100
I've found this thread on another forum: http://ubuntuforums.org/showthread.php?t=441078 Does this help anyone more knowledgeable than me...?

Re: IPSecuritas works /w Check Point VPN-1 NGX (R6
by gajos on 2008-01-29 22:50:39 +0100
Hi, my first time here. I need to connect to CheckPoint Safe@Office, but using the Checkpoint VPN client under Tiger was really problematic (if the connection was successful then I had a connection only to the LAN, without Internet); now I have Leopard and Checkpoint won't install. IPSecuritas 3.1 still doesn't connect. I tried to configure the connection as [b]bugfish[/b] suggested previously but still nothing. Here is the log:
Jan 29, 20:50:56 Info APP IPSec authenticating
Jan 29, 20:50:56 Info APP IKE daemon started
Jan 29, 20:50:56 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER
Jan 29, 20:50:56 Info APP IPSec started
Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jan 29, 20:50:56 Error IKE Foreground mode.
Jan 29, 20:50:56 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jan 29, 20:50:56 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jan 29, 20:50:56 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jan 29, 20:50:56 Info IKE Resize address pool from 0 to 255
Jan 29, 20:50:56 Debug IKE lifetime = 600
Jan 29, 20:50:56 Debug IKE lifebyte = 0
Jan 29, 20:50:56 Debug IKE encklen=0
Jan 29, 20:50:56 Debug IKE p:1 t:1
Jan 29, 20:50:56 Debug IKE 3DES-CBC(5)
Jan 29, 20:50:56 Debug IKE SHA(2)
Jan 29, 20:50:56 Debug IKE 1024-bit MODP group(2)
Jan 29, 20:50:56 Debug IKE Hybrid RSA client(64221)
Jan 29, 20:50:56 Debug IKE compression algorithm can not be checked because sadb message doesn't support it.
Jan 29, 20:50:56 Debug IKE parse successed.
Jan 29, 20:50:56 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management.
Jan 29, 20:50:56 Info IKE 192.168.1.2[4500] used as isakmp port (fd=6)
Jan 29, 20:50:56 Info IKE 192.168.1.2[500] used as isakmp port (fd=7)
Jan 29, 20:50:56 Debug IKE get pfkey X_SPDDUMP message
Jan 29, 20:50:56 Debug IKE 02120000 0f000200 05000000 720f0000 03000500 ff000000 10020000 00000000
Jan 29, 20:50:56 Debug IKE 00000000 00000000 03000600 ff200000 10020000 c0a80102 00000000 00000000
Jan 29, 20:50:56 Debug IKE 07001200 02000100 20000000 00000000 28003200 02035800 10020000 59ab6892
Jan 29, 20:50:56 Debug IKE 00000000 00000000 10020000 c0a80102

Problem with Fortinet Fortigate 50A
by mspr on 2007-04-27 13:16:54 +0200
Hello, I hope that you can help me...
I have a problem with IPSecuritas 3.0 Release Candidate and my Fortinet Fortigate 50A. I tried to configure a VPN with a preshared key and XAuth, but every time I receive a notify message "fatal NO-PROPOSAL-CHOSEN, phase1 should be deleted" and I cannot start my VPN. I tried to disable the XAuth procedure and the VPN seems to work fine (only preshared key authentication). These are my VPN parameters:
[b]IPSecuritas Preferences[/b] [URL=http://img63.imageshack.us/my.php?image=07uu0.jpg][IMG]http://img63.imageshack.us/img63/3673/07uu0.th.jpg[/IMG][/URL]
[b]Connections General[/b] [URL=http://img101.imageshack.us/my.php?image=01lr6.jpg][IMG]http://img101.imageshack.us/img101/7812/01lr6.th.jpg[/IMG][/URL]
[b]Connections Phase 1[/b] [URL=http://img230.imageshack.us/my.php?image=02xl5.jpg][IMG]http://img230.imageshack.us/img230/3806/02xl5.th.jpg[/IMG][/URL]
[b]Connections Phase 2[/b] [URL=http://img170.imageshack.us/my.php?image=03id8.jpg][IMG]http://img170.imageshack.us/img170/4381/03id8.th.jpg[/IMG][/URL]
[b]Connections ID[/b] [URL=http://img230.imageshack.us/my.php?image=04sp3.jpg][IMG]http://img230.imageshack.us/img230/157/04sp3.th.jpg[/IMG][/URL]
I tried to insert Username/Password directly in this panel but I received the same error message. If possible I would like IPSecuritas to ask me for the Username/Password on VPN login.
[b]Connections DNS[/b] [URL=http://img145.imageshack.us/my.php?image=05qs1.jpg][IMG]http://img145.imageshack.us/img145/7426/05qs1.th.jpg[/IMG][/URL]
[b]Connections Options[/b] [URL=http://img291.imageshack.us/my.php?image=06ho1.jpg][IMG]http://img291.imageshack.us/img291/8168/06ho1.th.jpg[/IMG][/URL]
[b]This is the log:[/b]
IPSecuritas 3.0rc build 1040
Info APP IKE daemon started
Info APP IPSec started
Error IKE Foreground mode.
Info IKE @(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net)
Info IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005 (http://www.openssl.org/)
Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Info IKE Resize address pool from 0 to 255
Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP My server IP XXX.XXX.XXX.XXX[500]-> My computer IP 192.168.XXX.XXX[500]

Re: Problem with Fortinet Fortigate 50A
by Forum Admin on 2007-04-27 15:53:06 +0200
Hi, have you tried 'Hybrid' instead of XAUTH PSK? Christoph

Re: Problem with Fortinet Fortigate 50A
by mspr on 2007-04-27 16:01:35 +0200
[quote author=Forum Admin link=1177672614/0#1 date=1177681986]Hi, have you tried 'Hybrid' instead of XAUTH PSK? Christoph[/quote]
Hi, yes, I tried to set "Hybrid" instead of XAuth but it doesn't work.

Re: Problem with Fortinet Fortigate 50A
by Forum Admin on 2007-04-27 18:10:49 +0200
Hi again, could you please provide logs with log level set to 'Verbose'? Thanks a lot, Christoph

Re: Problem with Fortinet Fortigate 50A
by mspr on 2007-05-03 11:27:52 +0200
[quote author=Forum Admin link=1177672614/0#3 date=1177690249]Hi again, could you please provide logs with log level set to 'Verbose'? Thanks a lot, Christoph[/quote]
Hi Christoph, I sent you the logs (XAuth and Hybrid) by email. Thank you

VPN Case Study.com has solution for VPN Client
by jmizoguchi on 2007-05-03 18:59:04 +0200
I have two new documents using FVS124G:
IPSecuritas 3 (Mac OS X) using Prosafe VPN/Firewall Router FVS124G
VPN Tracker 4 (Mac OS X) using Prosafe VPN/Firewall Router FVS124G
http://vpncasestudy.com/casestudy/others/casestudy.html
www.vpncasestudy.com
If these documents help you,
please e-mail me at info@vpncasestudy.com for your testimonials.

Dynamic dns as host
by omega_red on 2007-05-04 13:01:09 +0200
When I set my dynamic DNS hostname in the Remote IPSec Device field I cannot connect to my ZyWALL 5 UTM, but when I enter my remote IP (which changes every day) it works. I'm using the beta client. Thanks!

ping to remote site impossible
by Joe on 2007-05-05 14:38:11 +0200
I have installed IPSecuritas 3.0rc3 for the first time on my MacBook Pro (OS X 10.4.9). First of all: very nice and helpful tool!! I established a connection to my remote site without problems, the light shows 'green' and the router log tells me: ...connection established.... My problem: I am not able to ping any host at the remote site? Trying it with the exact same settings in a Windows box (Parallels session with Win XP on the same MacBook) is working without any problems! How can I manage this on the Mac OS side?

Re: ping to remote site impossible
by Joe on 2007-05-05 16:17:35 +0200
Follow-up (is this the correct English expression? Sorry for my bad English): if I take a look at my interface settings and routing tables I'm really wondering that there are no settings at all for the established VPN connection?! After that, I tried this:
# ifconfig gif0 172.16.0.10 192.168.23.0 netmask 255.255.255.0
# route add 192.168.23.0 172.16.0.10
# ping 192.168.23.200
PING 192.168.23.200 (192.168.23.200): 56 data bytes
64 bytes from 192.168.23.200: icmp_seq=0 ttl=126 time=57.507 ms
64 bytes from 192.168.23.200: icmp_seq=1 ttl=126 time=56.945 ms
...
So, now it works. My question is now: do I have to do it by hand with IPSecuritas after establishing a connection, or are there any automatisms which I can use for that?
Endpoint mode: anywhere still not work in 3.0rc3
by Keen on 2007-05-05 21:34:06 +0200
Last log messages:
May 05, 23:20:22 Debug IKE get pfkey X_SPDDUMP message
May 05, 23:20:22 Debug IKE 02120200 00020000 00000000 00003790
May 05, 23:20:22 Debug IKE pfkey X_SPDDUMP failed: No such file or directory

Re: Endpoint mode: anywhere still not work in 3.0r
by nickl on 2007-05-11 04:31:51 +0200
I got it to work with my configuration by enabling the "Local IP in Remote Network" option.

Re: Endpoint mode: anywhere still not work in 3.0r
by Forum Admin on 2007-05-12 11:26:25 +0200
Hello, thank you very much for this answer - I removed the necessity to enable this option for host to anywhere mode. Christoph

Phase 2 trouble
by ad_agent on 2007-05-16 03:01:27 +0200
When I initiate a connection, Phase 1 seems to complete but Phase 2 fails. Below is a relevant portion of the IPSecuritas log. Host is an iBook G4 running Mac OS X 10.4.8. Testing is over Earthlink dialup as representative of service offered in many hotels. Network router is Netgear FVX538. Version of IPSecuritas is 3.0rc3. I would post my host and network settings gladly, but am not doing so now since I hope to get preliminary analysis of the problem just posting log excerpts.
LOG EXCERPTS (certain IP addresses redacted)
May 15, 20:09:19 Debug IKE begin QUICK mode.
May 15, 20:09:19 Info IKE initiate new phase 2 negotiation: 4.249.6.45[500]<=>x.x.x.x[500]
May 15, 20:09:19 Debug IKE compute IV for phase2
May 15, 20:09:19 Debug IKE phase1 last IV:
May 15, 20:09:19 Debug IKE 5be42a2e 67590499 e50b77d1
May 15, 20:09:19 Debug IKE hash(sha1)
May 15, 20:09:19 Debug IKE encryption(3des)
May 15, 20:09:19 Debug IKE phase2 IV computed:
May 15, 20:09:19 Debug IKE d1077c37 bd8058ce
May 15, 20:09:19 Debug IKE call pfkey_send_getspi
May 15, 20:09:19 Debug IKE pfkey GETSPI sent: ESP/Tunnel x.x.x.x[0]->4.249.6.45[0]
May 15, 20:09:19 Debug IKE pfkey getspi sent.
May 15, 20:09:19 Debug IKE get pfkey ACQUIRE message
............
May 15, 20:09:19 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00015180
May 15, 20:09:19 Debug IKE 00000000 00007080 00000000 00000000 00020012 00020200 0000000d 00000000
May 15, 20:09:19 Debug IKE ignore the acquire because ph2 found
May 15, 20:09:19 Debug IKE get pfkey GETSPI message
May 15, 20:09:19 Debug IKE 02010003 000a0000 00000012 00000134 00020001 0b9edf00 40060000 7f000001
May 15, 20:09:19 Debug IKE 00030005 ff200000 10020000 44a34441 00000000 00000000 00030006 ff200000
May 15, 20:09:19 Debug IKE 10020000 04f9062d 00000000 00000000
May 15, 20:09:19 Debug IKE pfkey GETSPI succeeded: ESP/Tunnel 68.163.68.65[0]->4.249.6.45[0] spi=194961152(0xb9edf00)
May 15, 20:09:19 Debug IKE use local ID type IPv4_address
May 15, 20:09:19 Debug IKE use remote ID type IPv4_subnet
May 15, 20:09:19 Debug IKE IDci:
May 15, 20:09:19 Debug IKE 01000000 c0a83202
May 15, 20:09:19 Debug IKE IDcr:
May 15, 20:09:19 Debug IKE 04000000 c0a80100 ffffff00
May 15, 20:09:19 Debug IKE add payload of len 284, next type 10
May 15, 20:09:19 Debug IKE add payload of len 16, next type 5
May 15, 20:09:19 Debug IKE add payload of len 8, next type 5
May 15, 20:09:19 Debug IKE add payload of len 12, next type 0
May 15, 20:09:19 Debug IKE HASH with:
............
May 15, 20:09:19 Debug IKE hmac(hmac_sha1)
May 15, 20:09:19 Debug IKE HASH computed:
May 15, 20:09:19 Debug IKE add payload of len 20, next type 1
May 15, 20:09:19 Debug IKE begin encryption.
May 15, 20:09:19 Debug IKE encryption(3des)
May 15, 20:09:19 Debug IKE pad length = 8
...............
May 15, 20:09:19 Debug IKE 39bb3b63 ee17ccbd a4bcf648 0500000c 01000000 c0a83202 00000010 04000000
May 15, 20:09:19 Debug IKE c0a80100 ffffff00 104609a6 2903de07

NetScreen SSG5
by glancyguy on 2007-05-18 23:24:09 +0200
Hello, I downloaded the latest stable version of IPSecuritas today from the main site.
I am trying to configure it for a NetScreen SSG5. This is a managed firewall/VPN device that I do not have access to. We have a Windows client and corresponding policy file. Using the Windows file, I believe I have reverse engineered the settings. I also downloaded "VPN Tracker" and configured it. It worked out of the box with our NetScreen. I copied the settings from VPN Tracker into the IPSecuritas config screen. The only setting that did not map is the ID. The NetScreen uses an email address for local ID and the VPN Tracker software makes that specification. IPSecuritas only allows for a DN. I am not sure if this makes a difference. I used the email address in the DN field of the IPSecuritas software. I enabled verbose logging and tried to connect to the NetScreen. I am getting hung in Phase 1 and timing out. I have attached the log file to this message. I am hoping that someone can pull something out of the debug to help. I would much rather use this product than VPN Tracker.
Here are interesting errors from the log:
May 18 16:07:56 darren-hochs-computer racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory
May 18 16:07:56 darren-hochs-computer racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey REGISTER message
May 18 16:07:56 darren-hochs-computer racoon: DEBUG: pfkey.c:234:pfkey_handler(): not supported command REGISTER
May 18 16:07:56 darren-hochs-computer racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting
May 18 16:07:56 darren-hochs-computer racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting
May 18 16:07:56 darren-hochs-computer racoon: INFO: isakmp.c:2047:isakmp_post_acquire(): IPsec-SA request for 216.128.24.73 queued due to no phase1 found.
May 18 16:07:56 darren-hochs-computer racoon: DEBUG: isakmp.c:1803:isakmp_ph1resend(): resend phase1 packet 75d194a46e9b155f:0000000000000000
May 18 16:07:58 darren-hochs-computer racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 16 not interesting
May 18 16:07:58 darren-hochs-computer racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 15 not interesting
May 18 16:08:16 darren-hochs-computer racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.105[50]
May 18 16:08:27 darren-hochs-computer racoon: ERROR: isakmp.c:2139:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 216.128.24.73->192.168.1.105
May 18 16:08:27 darren-hochs-computer racoon: INFO:

Re: NetScreen SSG5
by Dave on 2007-05-19 17:17:26 +0200
I'm not sure if it will help, but in the ID section of IPSecuritas you can select FQDN, which is basically an email address. Note that I'm using the RC3 version of 3.0; if you have 2.2, it might be called something else.
Fortigate 300A to obtain DHCP on using IPSecuritas
by lleung on 2007-05-23 12:53:45 +0200
Has anyone had problems with IPSecuritas getting a DHCP address from a Fortigate 300A (Firmware 3.00, Build0477,070126)? I seem to have no problems getting the Windows (Parallels VM) IPsec client (FortiClient) to connect and request an address from its DHCP server. But no luck doing that natively. I can however get around this by defining a static address for the connection. But of course, that's messy when there are multiple users..

Re: Fortigate 300A to obtain DHCP on using IPSecur
by varruss on 2007-07-21 23:02:01 +0200
I figured this one out yesterday. :) You need a rule on the FG Inside--Your subnet--outside--all--DHCP---Encrypt. Leave the rule after your inside-outside-any rule. If you have any Fortigate questions don't hesitate to ask.

Zyxel ZyWALL 35
by steffen on 2007-05-24 17:39:56 +0200
Hi all, it took some time to make IPSecuritas work with our ZyWALL 35. So I've decided to let you know a working configuration for both.
- ZyWALL 35 firmware: V4.01(WZ.3) | 12/04/2006
- IPSecuritas 3.0rc
- Mac OS X 10.4
The configuration works for dynamic client IP addresses. You'll find the screenshots of the ZyWALL's web configuration utility and the IPSecuritas VPN client here: [url]http://www.semture.de/images/stories/external/ipsecutitas-screenshots.zip[/url]

Re: Zyxel ZyWALL 35
by nob on 2007-05-27 18:20:55 +0200
This looks good, but did not work for me. I get an error, tried different other settings. But I can't get it to work....
Error in IPSecuritas: inappropriate sadb acquire message passed
Error in ZyWALL log: Recv:[HASH][NOTFY:ERR_ID_INFO]
IPSecuritas 3.0rc3, ZyWALL 5W, Firmware Version V4.01(XD.2). NAT in VPN rule is off.

Re: Zyxel ZyWALL 35
by steffen on 2007-05-27 22:14:07 +0200
Hi nob, the error indicates that you are using a different ID in IPSecuritas and the ZyWALL.
First check the FQDN entries (or whatever you chose for identification/ID). Secondly, even if you choose FQDN, the address ranges must match too. So compare the "Remote side" entry for "Network Address" of IPSecuritas with the "Local Network" settings in the ZyWALL setup. Maybe you've translated the subnet mask to a wrong CIDR; if so, have a look at [url]http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing[/url] for computing it. Hope it helps, Steffen

Re: Zyxel ZyWALL 35
by steffen on 2007-05-27 22:19:10 +0200
Hi all, I've noticed that if your Mac OS client is behind a firewall too, you have to switch NAT-T to "Disabled" in IPSecuritas. You can (should?) leave NAT-Traversal in the ZyWALL enabled.

Support Apple Keychain
by dbertolo on 2007-05-25 09:04:25 +0200
Hi, I am currently evaluating IPsec clients for Mac OS X. I came across IPSecuritas, which I find is doing great and is probably my favorite. But unfortunately, one requirement is not met. Our new client should support the Apple Keychain to store the user certificates. Would be nice if this feature were implemented in the near future. Regards, Daniel Bertolo

Lost internet at VPN network...
by aklschnapps on 2007-05-25 20:17:41 +0200
I've run into an odd situation.
- MacBook Pro on external wifi network.
- SonicWALL Pro 2040 acting as firewall/dhcp/vpn for internal network.
I can connect to my SonicWALL 2040 with VPN Tracker without any problems. It took me a while to tweak the settings and get IPSecuritas to connect to the VPN. However, when it succeeds all of the computers on the internal network (connected to the SonicWALL) lose their internet connection! As soon as I disconnect IPSecuritas from the VPN the internet connection resumes. Any thoughts? Anything I should do to test further? I've looked in the SonicWALL logs but can't see anything odd after I've connected with IPSecuritas.
Unfortunately I can't leave it connected for long periods to test, as it cuts off the entire office from the internet. Any help would be much appreciated! Here's my configuration in IPSecuritas:
Host to Network
Aggressive, Claim 16
Phase 1, Mod1024, 3DES, SHA1
Phase 2, None, 3DES, HMAC SHA1
Checked Options: IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, MIP6, DHCP Pass-Through, Establish IKE immediately

IPSecuritas and racoon

IPSecuritas and racoon by lithium on 2007-05-30 13:46:23 +0200
Is there a reason for IPSecuritas to install and use another version of racoon?
[code]-r-xr-xr-x 1 root wheel 877932 Jan 3 08:38 /usr/sbin/racoon
-rwxr-xr-x 1 root wheel 1232888 May 27 18:43 /Library/StartupItems/IPSecuritasDaemon/racoon[/code]

Re: IPSecuritas and racoon by cnadig on 2007-05-30 16:33:34 +0200
Hi, yes, the version of racoon included with MacOS doesn't support XAUTH and only offers limited, outdated NAT-T support, as well as a few more things that are available with the racoon version that comes with IPSecuritas.
Cheers, Christoph

Re: IPSecuritas and racoon by Athanyel on 2007-05-31 00:13:08 +0200
Does the version of racoon that ships with IPSecuritas support GSSAPI/Kerberos? This would be ideal for large IPsec deployments.

Re: IPSecuritas and racoon by cnadig on 2007-05-31 09:41:35 +0200
No, while there is support for it in the code, it is disabled. According to the documentation, it is very experimental and will most probably only work with very few firewalls.
Christoph

Re: IPSecuritas and racoon by Athanyel on 2007-06-01 03:43:49 +0200
Well, for IPsec implementations in Transport mode (vs. Tunnel mode for VPNs and firewalls), Kerberos would be a huge benefit for large deployments. I'd love to see it long term. Thanks for all the great work on this!

Re: IPSecuritas and racoon by .guru on 2008-02-29 22:29:16 +0100
As racoon and the ipsec-tools are open source projects it would be great to see your modifications to the code.
Is it possible to publish your MacOS X compatible version of racoon as sources?
.guru

Sonicwall & X-AUTH

Sonicwall & X-AUTH by mpgough on 2007-05-30 18:13:09 +0200
Hi, I have installed v3 today but am unable to connect to either of my two sites. Both Sonicwall TZ-170's which I can connect to fine using VPN Tracker but not IPSecuritas. I have tried configuring both connections using the wizard and also copying the config from VPN Tracker to IPSecuritas, also reducing my MTU to 1400, but no joy. I have attached the error I'm getting but my suspicion is it's something to do with the handling of XAUTH??
[code]IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386
May 30, 17:12:51 Info APP IKE daemon started
May 30, 17:12:51 Info APP IPSec started
May 30, 17:12:51 Error IKE Foreground mode.
May 30, 17:12:51 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
May 30, 17:12:51 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
May 30, 17:12:51 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
May 30, 17:12:51 Info IKE Resize address pool from 0 to 255
May 30, 17:12:52 Info APP Initiated connection KP Couriers
May 30, 17:12:52 Error IKE inappropriate sadb acquire message passed.
May 30, 17:12:52 Warning IKE No ID match.
May 30, 17:12:52 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
May 30, 17:12:53 Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
May 30, 17:12:53 Error IKE Message: 'v No proposal is chosen'.
May 30, 17:12:54 Info APP IPSec stopping
May 30, 17:12:55 Info APP IKE daemon terminated[/code]

Re: Sonicwall & X-AUTH by TimothyFerrell on 2007-06-12 17:30:03 +0200
Make sure your phase 1 is set to aggressive mode. If that doesn't do anything for you, I'd try matching the settings from the post "Cannot connect to Sonicwall TZ170." I am getting the same error about no ID match even with copying his settings. Good luck.

losing settings...

losing settings... by lithium on 2007-06-03 21:41:34 +0200
Every time I make some changes to a connection in IPSecuritas 3.0 (e.g. change phase 1 information) it seems that my configuration is lost. I don't mean that my settings in the different menus are lost, but whenever I start an IPSEC connection I get an error mentioning a missing key file. I understand the warning in the log because /Library/Application Support/Lobotomo/IPsecuritas/psk.txt is empty and Library/Application Support/Lobotomo/IPsecuritas/racoon.conf is missing some vital information about just about everything (there is something mentioning padding... and that is it). The only solution I found is killing the IPSecuritas daemon and removing everything from Library/Application Support/Lobotomo/IPsecuritas. After restarting IPSecuritas and setting up a new connection everything works fine... until I have the need to change some settings. Any ideas about this problem?

Quick mode to Windows Server 2003 fails!

Quick mode to Windows Server 2003 fails! by Athanyel on 2007-06-06 00:09:38 +0200
Please see the topic "Using 3.0 to connect to Windows in transport mode" ([url]http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas;action=display;num=1176493464[/url]) for a brief description of what I'm trying to do. The above worked in 3.0rc and 3.0rc3. In 3.0 Final, it's broken. The client completes the main mode, begins quick mode and immediately fails. Here's an excerpt from the connection log:
[code]Jun 05, 09:57:43 Info IKE ISAKMP-SA established x.x.x.x[500]-y.y.y.y[500] spi:04a82d40810af54e:142c9e35ad31af0b
Jun 05, 09:57:43 Debug IKE ===
Jun 05, 09:57:44 Debug IKE ===
Jun 05, 09:57:44 Debug IKE begin QUICK mode.
Jun 05, 09:57:44 Info IKE initiate new phase 2 negotiation: x.x.x.x[500]<=>y.y.y.y[500]
Jun 05, 09:57:44 Debug IKE compute IV for phase2
Jun 05, 09:57:44 Debug IKE phase1 last IV:
Jun 05, 09:57:44 Debug IKE 5699e40c ca453648 e41a1ab6
Jun 05, 09:57:44 Debug IKE hash(sha1)
Jun 05, 09:57:44 Debug IKE encryption(3des)
Jun 05, 09:57:44 Debug IKE phase2 IV computed:
Jun 05, 09:57:44 Debug IKE 54bdd941 4c341df1
Jun 05, 09:57:44 Debug IKE call pfkey_send_getspi
Jun 05, 09:57:44 Debug IKE pfkey GETSPI sent: ESP/Transport y.y.y.y[0]->x.x.x.x[0]
Jun 05, 09:57:44 Debug IKE pfkey getspi sent.
Jun 05, 09:57:44 Debug IKE get pfkey GETSPI message
Jun 05, 09:57:44 Debug IKE 02010003 0a000000 01000000 07010000 02000100 0ae31793 00000000 00000000
Jun 05, 09:57:44 Debug IKE 03000500 ff200000 10020000 ac107c90 00000000 00000000 03000600 ff200000
Jun 05, 09:57:44 Debug IKE 10020000 803e5e12 00000000 00000000
Jun 05, 09:57:44 Debug IKE pfkey GETSPI succeeded: ESP/Transport y.y.y.y[0]->x.x.x.x[0] spi=182654867(0xae31793)
Jun 05, 09:57:44 Debug IKE hmac(modp1024)
Jun 05, 09:57:44 Debug IKE hmac(modp1024)
Jun 05, 09:57:44 Debug IKE hmac(modp1024)
Jun 05, 09:57:44 Debug IKE compute DH's private.
Jun 05, 09:57:44 Debug IKE 4928d074 54d4d6e4 b2aa3856 9cc570c2 ca8aad46 3bbe69c1 80913006 43a81766
Jun 05, 09:57:44 Debug IKE b8d6c017 1d924020 cc701d58 8070c3eb 0d226a5c d422672a a8486b61 7f96ce81
Jun 05, 09:57:44 Debug IKE ac1e2050 06205d44 23ca1723 fc7926b2 5d9be4bf 15b8e4a2 f270e305 3684b9ee
Jun 05, 09:57:44 Debug IKE 6e677469 c7df9a57 611a6837 b24e51e5 e4358ee1 5a8deac4 8dab7505 ca1822f9
Jun 05, 09:57:44 Debug IKE compute DH's public.
Jun 05, 09:57:44 Debug IKE c3a4f9dc ffd616ca 650fcd03 1c7c1ad7 66cb5e88 b8694dc1 bb1ee61a bf521f56
Jun 05, 09:57:44 Debug IKE 418313d7 2073a766 f12b36ca 31274310 be9301ef 141564fc 565bdc95 76c95823
Jun 05, 09:57:44 Debug IKE c12ba88e 34ca7282 cb64b967 e0f231c5 053abf72 a547040a 8407d74c 9a5e7040
Jun 05, 09:57:44 Debug IKE efb70f61 bf2a9fc5 08ab2e1d 475687be 748c114d 3ea47a16 55827b84 2dc19c7c
Jun 05, 09:57:45 Info APP IKE daemon terminated
Jun 05, 09:57:45 Debug APP State change from RUNNING to IDLE after event RACOON TERMINATED
Jun 05, 09:57:45 Debug APP Received SADB message type X_SPDDELETE[/code]

Re: Quick mode to Windows Server 2003 fails! by Athanyel on 2007-06-07 01:18:39 +0200
After a bit more digging, it appears that Racoon is crashing. I'm running on a MacBook Pro with an Intel Core Duo. I'm going to try downloading the application again... but I'm not sure what else I can do to try to fix this.
[code]Host Name: alexs-computer
Date/Time: 2007-06-06 18:13:26.620 -0500
OS Version: 10.4.9 (Build 8P2137)
Report Version: 4

Command: racoon
Path: /Library/StartupItems/IPSecuritasDaemon/racoon
Parent: IPSecuritasDaemon [110]

Version: ??? (???)

PID: 255
Thread: 0

Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000004

Thread 0 Crashed:
0 racoon 0x00064f05 0x1000 + 409349
1 racoon 0x0003f739 0x1000 + 255801
2 racoon 0x00033d11 0x1000 + 208145
3 racoon 0x00018551 0x1000 + 95569
4 racoon 0x0000900f 0x1000 + 32783
5 racoon 0x000257a2 0x1000 + 149410
6 racoon 0x00023e37 0x1000 + 142903
7 racoon 0x00002de8 0x1000 + 7656
8 racoon 0x00002618 0x1000 + 5656
9 racoon 0x000021ee 0x1000 + 4590
10 racoon 0x00002115 0x1000 + 4373

Thread 0 crashed with X86 Thread State (32-bit):
eax: 0x00000004 ebx: 0x0003f703 ecx: 0x00000080 edx: 0x00309114
edi: 0x00000004 esi: 0x00000001 ebp: 0xbffff568 esp: 0xbffff530
ss: 0x0000001f efl: 0x00010206 eip: 0x00064f05 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037

Binary Images Description:
0x1000 - 0x86fff racoon /Library/StartupItems/IPSecuritasDaemon/racoon
0x8fe00000 - 0x8fe4afff dyld 46.12 /usr/lib/dyld
0x90000000 - 0x90170fff libSystem.B.dylib /usr/lib/libSystem.B.dylib
0x901c0000 - 0x901c2fff libmathCommon.A.dylib /usr/lib/system/libmathCommon.A.dylib
0x90bd0000 - 0x90bd7fff libgcc_s.1.dylib /usr/lib/libgcc_s.1.dylib
0x9193a000 - 0x919ecfff libcrypto.0.9.7.dylib /usr/lib/libcrypto.0.9.7.dylib
0x949d0000 - 0x949edfff libresolv.9.dylib /usr/lib/libresolv.9.dylib[/code]

Re: Quick mode to Windows Server 2003 fails! by Forum Admin on 2007-06-07 09:51:29 +0200
Hello Athanyel, this seems to be a bug in racoon - I will contact you by mail for further investigation on this.
Thanks, Christoph

Attempting to connect to Netscreen 5gt

Attempting to connect to Netscreen 5gt by lysistbp on 2007-06-07 17:38:20 +0200
Hey guys, I'm a Windows user that recently made the switch a month ago. I'm also an IT guy who knows little about VPNs unfortunately when it comes to troubleshooting (I use Netscreens with their software. It's pretty basic). Below is a log of when I try to connect to one of my clients.
Can somebody explain what this is saying and tell me what changes should be made? The "red dot" next to the connection name states "network collision". Thanks in advance.
[code]IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386
Jun 07, 11:33:10 Debug APP State change from IDLE to AUTHENTICATING after event START
Jun 07, 11:33:10 Info APP IKE daemon started
Jun 07, 11:33:10 Info APP IPSec started
Jun 07, 11:33:10 Debug APP State change from AUTHENTICATING to RUNNING after event AUTHENTICATED
Jun 07, 11:33:10 Info IKE Foreground mode.
Jun 07, 11:33:10 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jun 07, 11:33:10 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jun 07, 11:33:10 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jun 07, 11:33:10 Info IKE Resize address pool from 0 to 255
Jun 07, 11:33:10 Debug IKE parse successed.
Jun 07, 11:33:10 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management.
Jun 07, 11:33:10 Debug IKE my interface: ::1 (lo0)
Jun 07, 11:33:10 Debug IKE my interface: fe80::1%lo0 (lo0)
Jun 07, 11:33:10 Debug IKE my interface: 127.0.0.1 (lo0)
Jun 07, 11:33:10 Debug IKE my interface: fe80::217:f2ff:feec:7f3c%en1 (en1)
Jun 07, 11:33:10 Debug IKE my interface: 10.10.1.109 (en1)
Jun 07, 11:33:10 Debug IKE my interface: fe80::201:23ff:fe45:6789%en2 (en2)
Jun 07, 11:33:10 Debug IKE my interface: 192.168.1.10 (en2)
Jun 07, 11:33:10 Debug IKE my interface: fe80::210:32ff:fe54:7698%en3 (en3)
Jun 07, 11:33:10 Debug IKE my interface: 10.211.55.2 (en3)
Jun 07, 11:33:10 Debug IKE configuring default isakmp port.
Jun 07, 11:33:10 Debug IKE 9 addrs are configured successfully
Jun 07, 11:33:10 Info IKE 10.211.55.2[500] used as isakmp port (fd=7)
Jun 07, 11:33:10 Info IKE fe80::210:32ff:fe54:7698%en3[500] used as isakmp port (fd=8)
Jun 07, 11:33:10 Info IKE 192.168.1.10[500] used as isakmp port (fd=9)
Jun 07, 11:33:10 Info IKE fe80::201:23ff:fe45:6789%en2[500] used as isakmp port (fd=10)
Jun 07, 11:33:10 Info IKE 10.10.1.109[500] used as isakmp port (fd=11)
Jun 07, 11:33:10 Info IKE fe80::217:f2ff:feec:7f3c%en1[500] used as isakmp port (fd=12)
Jun 07, 11:33:10 Info IKE 127.0.0.1[500] used as isakmp port (fd=13)
Jun 07, 11:33:10 Info IKE fe80::1%lo0[500] used as isakmp port (fd=14)
Jun 07, 11:33:10 Info IKE ::1[500] used as isakmp port (fd=15)
Jun 07, 11:33:10 Debug IKE get pfkey X_SPDDUMP message[/code]

Re: Attempting to connect to Netscreen 5gt by lysistbp on 2007-06-07 17:54:03 +0200
Alright sweet . . . I got it working (green light) but I cannot ping or rdp into anything. Below is a copy of the ping. The forum is yelling at me if I try to paste my log . . . Any ideas guys?
[code]steve-taylors-computer:~ Steve$ ping 192.168.0.2
PING 192.168.0.2 (192.168.0.2): 56 data bytes
36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 3889 0 0000 3d 01 78ff 10.10.1.109 192.168.0.2
36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 388b 0 0000 3d 01 78fd 10.10.1.109 192.168.0.2
36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 388c 0 0000 3d 01 78fc 10.10.1.109 192.168.0.2
36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 388f 0 0000 3d 01 78f9 10.10.1.109 192.168.0.2
36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 3891 0 0000 3d 01 78f7 10.10.1.109 192.168.0.2
36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 3893 0 0000 3d 01 78f5 10.10.1.109 192.168.0.2
36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 3894 0 0000 3d 01 78f4 10.10.1.109 192.168.0.2
36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 3896 0 0000 3d 01 78f2 10.10.1.109 192.168.0.2
36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
 4 5 00 5400 3897 0 0000 3d 01 78f1 10.10.1.109 192.168.0.2
^Z
[4]+ Stopped ping 192.168.0.2[/code]

Re: Attempting to connect to Netscreen 5gt by cnadig on 2007-06-07 22:11:32 +0200
Hello, the log probably won't show anything since the tunnel can be
established properly. May I ask you to post the output of the following commands while IPSec is active?
[code]ifconfig -a
netstat -nr[/code]
The ICMP error is sent by 8.14.177.53 - what is this (the remote firewall or your ISP)?
Cheers, Christoph

Troubled while accessing Cisco PIX Firewalls

Troubled while accessing Cisco PIX Firewalls by p0ddie on 2007-06-15 10:25:35 +0200
Hi there, I have two Cisco Pix Firewalls (a 501 and a 515E) I would like to connect to. The Cisco Client works smoothly (of course), but I have trouble getting them to connect with IPSecuritas. I'll try to be as detailed as possible about my efforts to connect to the Pix 501. I am quite new to Cisco VPN stuff and spoiled by less complex PPTP connections with OS X / Windows' integrated clients... so please excuse my n00by descriptions... I set up a profile and connection and this is what I get in the log:
[code]IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386
Jun 15, 09:53:43 Info APP IKE daemon started
Jun 15, 09:53:43 Info APP IPSec started
Jun 15, 09:53:43 Error IKE Foreground mode.
Jun 15, 09:53:43 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jun 15, 09:53:43 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jun 15, 09:53:43 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jun 15, 09:53:43 Info IKE Resize address pool from 0 to 255
Jun 15, 09:53:43 Info APP Initiated connection Pix 501
Jun 15, 09:53:50 Info APP Initiated connection Pix 501
Jun 15, 09:53:50 Error IKE inappropriate sadb acquire message passed.
Jun 15, 09:53:57 Info APP Initiated connection Pix 501
Jun 15, 09:53:59 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500]
Jun 15, 09:54:04 Info APP Initiated connection Pix 501
Jun 15, 09:54:06 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500]
Jun 15, 09:54:11 Info APP Initiated connection Pix 501
Jun 15, 09:54:11 Error IKE inappropriate sadb acquire message passed.
Jun 15, 09:54:13 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500]
Jun 15, 09:54:14 Error IKE phase1 negotiation failed due to time up. 9cbf694fbedd0fa8:1234ed12347e918e
Jun 15, 09:54:16 Warning APP Connection Pix 501 timed out
Jun 15, 09:54:16 Warning APP Giving up
Jun 15, 09:54:20 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500]
Jun 15, 09:54:27 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500]
Jun 15, 09:54:49 Info APP IPSec stopping
Jun 15, 09:54:50 Info APP IKE daemon terminated[/code]
**************
The Pix is on a leased line with fixed IP and connects smoothly with Cisco VPN clients. We use a pre-shared key (PSK) for authentication. Apparently the Phase 1 negotiation fails. This is quite weird since I checked with my Cisco expert to have the correct settings he applied to the Pix for Phase 1: Lifetime 1800 sec

Re: Troubled while accessing Cisco PIX Firewalls by cnadig on 2007-06-17 23:19:42 +0200
Hello, I received a Cisco PIX 501 a few days ago and just managed to find a working configuration today (Main mode + preshared key, no XAUTH yet). I will make a short description available within the next few days.
Cheers, Christoph

Re: Troubled while accessing Cisco PIX Firewalls by Forum Admin on 2007-07-02 11:17:00 +0200
Hello, an updated wizard template is available for download at http://www.lobotomo.com/products/IPSecuritas/howtoUpdates.html. It includes templates and setup instructions for all PIX models.
Cheers, Christoph

Re: Troubled while accessing Cisco PIX Firewalls by ajscam on 2007-08-02 22:37:48 +0200
Hello Christoph, I tried the new wizards against my PIX 515E. Unfortunately, on my PIX, the IPSec rules are already established, and I can't use your recommendations in the HOWTO. In short, I have the following differences:
IPSec Rules for Remote Side Host/Network: 192.168.30.192/27.
Tunnel Policy for Transform Set: ESP-3DES-MD5
IKE Policies for Hash: md5
IKE Policies for D-H Group: 2
I think I have modified IPSecuritas Phase 1 settings to match the IKE Policies above, but I'm not sure what I need to do to IPSecuritas for the IPSec Rules & Tunnel Policy above. In the log, I see the following errors:
<snip>
Error IKE inappropriate sadb acquire message passed.
<snip>
Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->10.191.1888.160[500]
To me, it looks like the PIX doesn't like the sadb acquire message.... But beyond that I have no idea... Thanks for your help.

Re: Troubled while accessing Cisco PIX Firewalls by cnadig on 2007-08-03 12:35:18 +0200
Hello, you need to increase the log level to Debug in order to see the relevant stuff. You may send me the log to lobotomo@lobotomo.com if you need assistance.
Cheers, Christoph

IPSecuritas 3.0 & Certificates

IPSecuritas 3.0 & Certificates by deanjaz on 2007-06-18 19:40:54 +0200
Hello, I have upgraded to IPSecuritas 3.0 from the previous version (2.2?) and imported the connection profile. But the connection fails to authenticate properly using certificates. I've verified the connection setup, and everything is properly set up. There just seems to be some kind of issue with client/server certificate exchange. This same profile worked fine with 2.2 of IPsecuritas, and the settings also work fine in VPN Tracker Demo. I think there might be something funky with the certificate manager and how it is dealing with Certificate/Key pairs?
If you need any further information please let me know.

Re: IPSecuritas 3.0 & Certificates by deanjaz on 2007-06-19 02:28:41 +0200
Hi, in case anyone was wondering :P The problem I was having turned out to be ModeConfig. It seemed to be interfering with the authentication of the client ID somehow. Manually specifying the IP address for the client works just fine. I would be interested in helping to debug this problem if it would be of interest or use to anyone.
hx

Re: IPSecuritas 3.0 & Certificates by Forum Admin on 2007-06-19 16:22:45 +0200
Hello deanjaz, thank you very much for your feedback and your assistance offer. If possible, please send us exported logs to lobotomo@lobotomo.com once with MODE_CFG [i]enabled[/i] and once with MODE_CFG [i]disabled[/i], both with the log level set to [i]Verbose[/i].
Thanks a lot, Christoph

Re: IPSecuritas 3.0 & Certificates by deanjaz on 2007-06-19 20:07:25 +0200
Will do! :)

Ipsecuritas v3.0 and smoothwall

Ipsecuritas v3.0 and smoothwall by richardk on 2007-06-19 18:55:05 +0200
Hi, has anybody had any success connecting v3 to a smoothwall corp server? My version 2 setup works great but version three cannot connect.
Thanks, Richard Kingsley

Re: Ipsecuritas v3.0 and smoothwall by barneygrice on 2007-06-27 12:56:32 +0200
Same problems here; v2 worked great but v3 does not. I have tried quite a few permutations of the connection "Options" to no avail. The SmoothWall logs do not even show a connection attempt - it's as if IPSecuritas 3.0 is not even trying to connect?! I'm still looking into this; I'll post back with any updates. In the mean time, please post here if you've had any luck.
Thanks, Barney Grice.

Re: Ipsecuritas v3.0 and smoothwall by richardk on 2007-06-27 18:21:32 +0200
Really had no luck. Bit ashamed to say that I am a certified smoothwall reseller and had absolutely no luck at all. Going to have another try getting it working tonight on a new smoothwall installation using preshared keys instead of certificate based connection to see if it works that way. I am also going to try connecting v3 to an ipcop vpn to see if that helps. BTW, I have tried using smoothwall advanced firewall 2 as well as smoothwall corporate server 5 (not the free versions).
Thanks, Richard

Re: Ipsecuritas v3.0 and smoothwall by barneygrice on 2007-06-27 18:30:16 +0200
Sorry, should have stated that I'm trying using CF4, for the record. Still no luck, but I haven't given up - I'll look at it again when I have time.
Barney.

Re: Ipsecuritas v3.0 and smoothwall by Forum Admin on 2007-06-27 22:29:02 +0200
Hi, could you please send me an IPSecuritas log with log level set to Verbose to lobotomo@lobotomo.com (from IPSecuritas 3.0 and 2.2, if possible)?
Thanks a lot, Christoph

Re: Ipsecuritas v3.0 and smoothwall by Forum Admin on 2007-06-28 20:09:29 +0200
Hello, IPSecuritas checks the received identifier more strictly than IPSecuritas 2.2 did. If it received a different remote identifier from what is configured, an error will be logged (invalid ID payload). Try deselecting the option 'Verify Identifier' or check the configuration of the firewall to see what identification is sent.
Hope this helps, Christoph

Re: Ipsecuritas v3.0 and smoothwall by richardk on 2007-06-28 21:07:39 +0200
Thank you very much for your help Christoph. I changed the remote identifier to fqdn and the connection worked first time. I shall some time this weekend take some screen grabs of my settings and create a mini howto for ipsecuritas 3 and smoothwall.
Best Regards, Richard

Re: Ipsecuritas v3.0 and smoothwall by barneygrice on 2007-09-01 08:43:13 +0200
Hi all, I actually got some grabs from Smoothwall that helped me get this working this week. I'll post my own grabs online when I have a chance, but after importing my old IPSecuritas settings I think the "Local IP in Remote Network" was the checkbox that made the difference......
Barney.

Sonicwall: 'No proposal chose' error on 2nd netw..

Sonicwall: 'No proposal chose' error on 2nd netw.. by Banacek on 2007-06-20 01:10:26 +0200
Hello, you'll have to forgive me because I am new to all of this VPN business :) We're using a Sonicwall Pro 2040 and I can successfully connect to the VPN and ping machines on 10.0.10.x. Now, we also have a network at 10.0.20.x that we would like to have access to, but every time I try I get the following:
[code]Jun 19, 15:52:09 Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 19, 15:52:09 Error IKE Message: '2 No proposal is chosen'.
Jun 19, 15:52:24 Error IKE xxx.xxx.xxx.xxx give up to get IPsec-SA due to time up to wait.[/code]
Does anyone have any ideas as to why this is happening? Thanks!

[m]: Fan Control on macbook

[m]: Fan Control on macbook by on 2007-06-20 07:03:33 +0200
[moved] [link=http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?num=1182315813/0]Others[/link] [move by] Forum Admin.

IPSecuritas 2.2 and video iChat?

IPSecuritas 2.2 and video iChat? by villaged on 2007-06-20 20:08:04 +0200
So, I am trying to have two users running iChat and IPS2.2 video chat with each other. After a bunch of investigating, we can see what is happening. iChat is looking for all of the network devices on the machine, and IPS hasn't registered a device, and hence never gets its VPN IP address. It just grabs the public address, which then fails to initiate the video chat, since these computers can not see each other outside of the VPN. Is there a way to create a device with IPS so that its IP gets snagged? Any ideas? Thanks.
IPSecuritas and Linksys WRV54G

IPSecuritas and Linksys WRV54G by lcortex on 2007-06-21 22:24:51 +0200
I recently purchased a Linksys WRV54G VPN router and I'm trying to set up my VPN connection via IPSecuritas v. 3. I'm having the following problems in my log and cannot get it to work. Can anyone suggest what to try to fix it? Thanks!
[code]IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386
Jun 21, 13:03:42 Info APP IKE daemon started
Jun 21, 13:03:42 Info APP IPSec started
Jun 21, 13:03:42 Error IKE Foreground mode.
Jun 21, 13:03:42 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jun 21, 13:03:42 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jun 21, 13:03:42 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jun 21, 13:03:42 Info IKE Resize address pool from 0 to 255
Jun 21, 13:03:42 Info APP Initiated connection NCT
Jun 21, 13:03:49 Info APP Initiated connection NCT
Jun 21, 13:03:56 Info APP Initiated connection NCT
Jun 21, 13:03:56 Error IKE inappropriate sadb acquire message passed.
Jun 21, 13:03:58 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.234.198.167[500]->10.51.21.30[500]
Jun 21, 13:04:03 Info APP Initiated connection NCT
Jun 21, 13:04:05 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.234.198.167[500]->10.51.21.30[500]
Jun 21, 13:04:10 Info APP Initiated connection NCT
Jun 21, 13:04:12 Error IKE phase1 negotiation failed due to time up. 78f8c8ae9fb0c975:0000000000000000
Jun 21, 13:04:12 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.234.198.167[500]->10.51.21.30[500]
Jun 21, 13:04:15 Warning APP Connection NCT timed out
Jun 21, 13:04:15 Warning APP Giving up
Jun 21, 13:04:19 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.234.198.167[500]->10.51.21.30[500]
Jun 21, 13:04:26 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.234.198.167[500]->10.51.21.30[500]
Jun 21, 13:04:27 Info APP IPSec stopping
Jun 21, 13:04:28 Info APP IKE daemon terminated[/code]
Any help will be greatly appreciated! Thanks!
--Ross

Re: IPSecuritas and Linksys WRV54G by tiffert on 2007-07-05 08:17:10 +0200
If you have found a solution or a configuration that works with the WRV54G, please let me know. Thanks!!

Re: IPSecuritas and Linksys WRV54G by tiffert on 2008-02-05 20:45:11 +0100
I have managed to set up a reliable VPN to my Linksys WRV54G (hardware rev .02, firmware 2.39.2) using IPSecuritas 3.1 and MacOS X 10.5.1. The WRV54G has rotten firmware. Sometimes saved changes to the VPN or DYNDNS settings do not actually take effect, even though the changes display in the browser window. After pointlessly trying every authentication and encryption combination under the sun for phases 1 and 2, I just deleted my existing tunnel and set one up from scratch. Suddenly, the settings stuck and the VPN connection worked. I am using 3DES, SHA-1, 3600 sec., 1024, Main. In IPSecuritas, my configuration has the following options checked: IPSec DOI, SIT_IDENTITY_ONLY, Verify Identifier, IKE Fragmentation. I hope this helps.

Re: IPSecuritas and Linksys WRV54G by tiffert on 2008-02-06 06:37:51 +0100
I spoke a moment too soon when I declared victory. The VPN is in fact stable once connected. But when I returned home and tried to connect, I discovered that I cannot negotiate Phase 1 from behind my router. I had heard that the WRV54G has problems traversing a NAT router and this seems to confirm it. But, to repeat, if my local client is not behind a NAT router, the VPN works well.
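The logs pasted in the Sonicwall X-AUTH, Netscreen, PIX, Sonicwall "No proposal chosen" and Linksys WRV54G posts above all share one line format and a small set of recurring racoon messages, and several posters ask what those messages mean. The following script is an added example, not IPSecuritas code and not anything the posters or Lobotomo published: it parses that log format and maps each recurring IKE Warning/Error to the check the replies in these threads suggest. The hint texts in RULES are this example's own summary of those replies (an assumption that they generalize beyond the gateways discussed here), the function names are this example's, and the sample log is constructed from the message text of the Linksys post with placeholder addresses.

```python
"""Classify IPSecuritas/racoon connection-log errors (added example)."""
import re
from collections import OrderedDict

# One log entry as pasted above, e.g.
# "Jun 21, 13:03:56 Error IKE inappropriate sadb acquire message passed."
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}), (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>Debug|Info|Warning|Error) (?P<src>APP|IKE) (?P<msg>.*)$"
)

# (substring of the racoon message, short code, what the replies above say to check).
# Order is significance: the first code present is reported as the primary finding.
# Hints are this example's summary of the forum replies, not racoon documentation.
RULES = [
    ("fatal NO-PROPOSAL-CHOSEN notify", "no_proposal",
     "Gateway rejected every Phase 1 proposal: compare exchange mode (Main/Aggressive), "
     "encryption, hash, DH group and lifetime with the gateway's IKE policy."),
    ("phase1 negotiation failed due to time up", "phase1_timeout",
     "No usable Phase 1 reply: check that UDP 500 reaches the gateway and whether the "
     "client sits behind a NAT router (compare the WRV54G report above)."),
    ("No ID match", "id_mismatch",
     "Local/remote identifiers differ from what the gateway expects; compare the ID "
     "type (FQDN, address) and value on both sides."),
    ("invalid ID payload", "id_payload",
     "Received remote identifier is not the configured one; deselect 'Verify "
     "Identifier' or fix the identifier the gateway sends."),
    ("couldn't find the proper pskey", "psk_by_id",
     "No pre-shared key matched the peer identifier; racoon fell back to the address."),
    ("phase2 negotiation failed due to time up waiting for phase1", "phase2_waiting",
     "Phase 2 timed out because Phase 1 never completed; fix the Phase 1 finding first."),
    ("inappropriate sadb acquire message passed", "sadb_acquire",
     "racoon rejected a kernel SADB ACQUIRE; in the logs above it accompanies the "
     "Phase 1 failure rather than standing alone."),
]


def parse_line(line):
    """Return (level, source, message) or None when the line is not a log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("level"), m.group("src"), m.group("msg")


def diagnose(log_text):
    """Return an ordered dict code -> {'count', 'hint', 'first'} in order of first hit.

    Only Warning/Error entries from the IKE daemon are examined; APP status lines
    ('IKE daemon started', 'Giving up') and the informational 'Foreground mode.'
    entry produce no finding.
    """
    findings = OrderedDict()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        level, src, msg = parsed
        if src != "IKE" or level not in ("Warning", "Error"):
            continue
        for needle, code, hint in RULES:
            if needle in msg:
                entry = findings.setdefault(code, {"count": 0, "hint": hint, "first": msg})
                entry["count"] += 1
                break
    return findings


def primary_finding(log_text):
    """The most significant code (RULES order) present in the log, or None."""
    found = diagnose(log_text)
    for _, code, _ in RULES:
        if code in found:
            return code
    return None


# Constructed sample: message text follows the Linksys WRV54G post above,
# with placeholder addresses (RFC 5737 ranges) instead of the poster's.
SAMPLE_LOG = """\
IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Jun 21, 13:03:42 Info APP IKE daemon started
Jun 21, 13:03:42 Error IKE Foreground mode.
Jun 21, 13:03:42 Info APP Initiated connection NCT
Jun 21, 13:03:56 Error IKE inappropriate sadb acquire message passed.
Jun 21, 13:03:58 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10[500]->192.0.2.30[500]
Jun 21, 13:04:05 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.10[500]->192.0.2.30[500]
Jun 21, 13:04:12 Error IKE phase1 negotiation failed due to time up. 78f8c8ae9fb0c975:0000000000000000
Jun 21, 13:04:15 Warning APP Connection NCT timed out
Jun 21, 13:04:15 Warning APP Giving up
"""

if __name__ == "__main__":
    for code, f in diagnose(SAMPLE_LOG).items():
        print(f"{code:16} x{f['count']}: {f['hint']}")
    print("primary:", primary_finding(SAMPLE_LOG))
```

Run it over an exported IPSecuritas log to get the first thing to check; as cnadig notes in the PIX thread, the log level then has to go to Debug to see why the Phase 1 exchange stalls.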
fails with Leopard

fails with Leopard by theagent on 2007-07-09 19:28:55 +0200
Is there an alpha or beta build that works? Can someone send me a pointer?

Re: fails with Leopard by dublezero on 2007-07-17 05:41:16 +0200
bump

Re: fails with Leopard by cnadig on 2007-07-17 09:47:04 +0200
Working on it... a Beta will be released this week.
Cheers, Christoph

Re: fails with Leopard by dublezero on 2007-07-17 13:37:35 +0200
Excellent. You guys do an excellent job on this software. Thanks.

Re: fails with Leopard by theagent on 2007-07-17 16:12:51 +0200
Thanks a ton... really appreciate the effort. Hopefully it's not that big of a fix and you can get it done quick. thanks again

Re: fails with Leopard by theagent on 2007-07-19 23:36:56 +0200
Any idea how much longer for the beta that runs on Leopard? I'm dead in the water...

Re: fails with Leopard by cnadig on 2007-07-22 21:22:36 +0200
Hello, I just published a Leopard compatible version. Please download it from this link: http://www.lobotomo.com/products/downloads/IPSecuritas%20Leopard.dmg
Cheers, Christoph

Re: fails with Leopard by theagent on 2007-07-23 00:20:34 +0200
Thanks... works like a charm to my SonicWall 2040 PRO

Re: fails with Leopard by theagent on 2007-07-31 22:04:01 +0200
I have found an issue with host --> networks. I am unable to get to my other subnets. Three separate networks via permanent VPNs. I can get into my main but not the other 3.
192.168.55.0/24 main
192.168.54.0/24
192.168.56.0/24
192.168.57.0/24

Re: fails with Leopard by Forum Admin on 2007-08-01 00:11:00 +0200
Hello, have you tried enabling the 'Unique SA' option?
Cheers, Christoph

Re: fails with Leopard by theagent on 2007-08-20 22:04:27 +0200
SA doesn't change a thing.... all other networks are inaccessible. What info do you want from me to assist in debugging this?

Re: fails with Leopard by dublezero on 2007-09-20 22:03:16 +0200
Looks like the beta just expired. Can we get an updated one?
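steffen's ZyWALL reply earlier on this page says the "Remote side / Network Address" entry in IPSecuritas must describe exactly the network the gateway's "Local Network" setting describes, and that a netmask translated into the wrong CIDR prefix is one way to break that match; theagent's post just above lists four /24 networks of which only the main one is reachable. The helpers below are an added example (not from IPSecuritas, the posters or Lobotomo) that uses Python's standard ipaddress module to convert between netmask and prefix notation, flag a mismatch between the two sides of a tunnel, and list which of a set of wanted networks no configured remote-network entry covers. Function names and the 192.168.1.x sample values are this example's own; the four 192.168.54-57.0/24 networks come from theagent's post.

```python
"""Network-entry consistency checks for an IPsec tunnel definition (added example)."""
import ipaddress


def mask_to_prefix(mask):
    """'255.255.255.224' -> 27. Raises ValueError for a non-contiguous mask."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def prefix_to_mask(prefix):
    """27 -> '255.255.255.224'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def normalize(network):
    """Accept 'addr/prefix', 'addr/mask' or an ('addr', 'mask') pair; return IPv4Network.

    Strict parsing is deliberate: an address with host bits set (192.168.1.5/24)
    is rejected, because the client and the gateway would then be describing
    different things and the IDs exchanged in Phase 2 would not match.
    """
    if isinstance(network, tuple):
        network = "/".join(network)
    return ipaddress.IPv4Network(network)  # ValueError if host bits are set


def compare_sides(client_remote, gateway_local):
    """Return (ok, reason). Both sides must describe the identical network."""
    try:
        c = normalize(client_remote)
    except ValueError as e:
        return False, f"IPSecuritas entry invalid: {e}"
    try:
        g = normalize(gateway_local)
    except ValueError as e:
        return False, f"gateway entry invalid: {e}"
    if c == g:
        return True, f"both sides describe {c}"
    if c.subnet_of(g) or g.subnet_of(c):
        # Same base address, different mask: the CIDR translation steffen mentions.
        return False, f"overlap but not identical: client {c} vs gateway {g} (prefix mismatch)"
    return False, f"different networks: client {c} vs gateway {g}"


def unreachable_networks(configured_remotes, wanted):
    """Which wanted networks are covered by no configured remote-network entry?

    A first check for the multi-subnet situation in theagent's post: a network
    that no remote entry covers cannot be reached whatever the SA options are.
    """
    remotes = [normalize(r) for r in configured_remotes]
    return [str(normalize(w)) for w in wanted
            if not any(normalize(w).subnet_of(r) for r in remotes)]


if __name__ == "__main__":
    # Constructed sample values; the gateway side is given as the web UI shows it.
    print(compare_sides("192.168.1.0/24", ("192.168.1.0", "255.255.255.0")))
    print(compare_sides("192.168.1.0/25", ("192.168.1.0", "255.255.255.0")))
    print(unreachable_networks(
        ["192.168.55.0/24"],
        ["192.168.55.0/24", "192.168.54.0/24", "192.168.56.0/24", "192.168.57.0/24"]))
```

The second compare_sides call models the mistake steffen describes: a 255.255.255.0 mask entered as /25 overlaps the gateway's network but does not equal it, so the tunnel's selectors disagree even though every other setting matches.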
Re: fails with Leopard by Forum Admin on 2007-09-20 22:48:59 +0200
Hello, 3.0b2 is available for download.
Christoph

Re: fails with Leopard by dublezero on 2007-09-20 22:59:47 +0200
Link?

Re: fails with Leopard by Forum Admin on 2007-09-21 06:27:06 +0200
http://www.lobotomo.com/products/downloads/IPSecuritas%20Leopard.dmg

Re: fails with Leopard by dublezero on 2007-09-21 15:37:27 +0200
Thanks! I had tried that link earlier but I probably jumped the gun and got it before you updated it.

Host to Anywhere with IPCOP connection problem by oortmanp on 2007-07-11 01:18:52 +0200
Hi all, I managed to get ipsecuritas to work with ipcop. But only when I'm using a specified range like 192.168.1.0/24. When I try to connect with the endpoint mode "anywhere" setting, I don't get a connection. (I'm using version 3, build 1693.) Both setups have also been tested in Windows with TheGreenBow VPN, where both setups work fine. The debug of ipsecuritas wasn't much help for me either.
[code]IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386
Jul 11, 01:01:55 Debug APP State change from IDLE to AUTHENTICATING after event START
Jul 11, 01:01:55 Info APP IKE daemon started
Jul 11, 01:01:55 Info APP IPSec started
Jul 11, 01:01:55 Debug APP State change from AUTHENTICATING to RUNNING after event AUTHENTICATED
Jul 11, 01:01:55 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jul 11, 01:01:55 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jul 11, 01:01:55 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jul 11, 01:01:55 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Jul 11, 01:01:55 Debug IKE Foreground mode.
Jul 11, 01:01:55 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 11, 01:01:55 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jul 11, 01:01:55 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jul 11, 01:01:55 Info IKE Resize address pool from 0 to 255
Jul 11, 01:01:55 Debug IKE lifetime = 28800
Jul 11, 01:01:55 Debug IKE lifebyte = 0
Jul 11, 01:01:55 Debug IKE encklen=0
Jul 11, 01:01:55 Debug IKE p:1 t:1
Jul 11, 01:01:55 Debug IKE 3DES-CBC(5)
...
Jul 11, 01:01:56 Info IKE ISAKMP-SA established 10.71.14.222[500]-217.120.247.4[500] spi:8ff28b05d6afb4eb:de62ecd58bb1e726
Jul 11, 01:01:56 Debug IKE ===
Jul 11, 01:01:56 Debug IKE ===
Jul 11, 01:01:56 Debug IKE begin QUICK mode.
Jul 11, 01:01:56 Info IKE initiate new phase 2 negotiation: 10.71.14.222[500]<=>217.120.247.4[500]
Jul 11, 01:01:56 Debug IKE compute IV for phase2
Jul 11, 01:01:56 Debug IKE phase1 last IV:
Jul 11, 01:01:56 Debug IKE c7c53315 1367dacb 81e4df67
Jul 11, 01:01:56 Debug IKE hash(sha1)
Jul 11, 01:01:56 Debug IKE encryption(3des)
Jul 11, 01:01:56 Debug IKE phase2 IV computed:[/code]

Re: Host to Anywhere with IPCOP connection problem by richardk on 2007-07-20 00:48:33 +0200
Hi, any chance of sharing what connection settings you are using with IPCOP and ipsecuritas? Not sure what to enter in the authentication form on ipsecuritas when using a cert based roadwarrior connection.
Thanks, Richard Kingsley

Re: Host to Anywhere with IPCOP connection problem by oortmanp on 2007-08-19 15:25:46 +0200
@richardk with boardsearch "ipcop" you would have found: http://www.taupehat.com/vpn/
Good luck setting up your certificate vpn.
oortmanp

Frustrated with VPN on my new WRVS4400N by Christian on 2007-07-15 03:08:13 +0200
I had VPN working on my WRT54G running DD-WRT, but I bricked it, so I decided to buy a router with built-in VPN.
I've read through the other messages regarding the WRVS4400N and still cannot get my iBook to log in to my home network. I've posted my debug log file here: [url]http://www.pariahware.com/vpnlog.txt[/url]
Any help would be appreciated as I've spent way too much time butting my head against this door. :( Thank you very much.

Re: Frustrated with VPN on my new WRVS4400N by Christian on 2007-07-15 19:18:11 +0200
I turned on VPN logging for my router. Here is what the router has logged: [url]http://www.pariahware.com/routervpn.txt[/url]

Re: Frustrated with VPN on my new WRVS4400N by cnadig on 2007-07-16 10:55:57 +0200
Hello Christian, you need to set the Remote Security Group to a specific address, e.g. 10.1.1.1. Setting it to Any will, for some reason only Linksys knows, not work. You then need to enter the same address in IPSecuritas for the local endpoint (Host Mode).
Hope this helps, Christoph

Re: Frustrated with VPN on my new WRVS4400N by Christian on 2007-07-16 18:34:47 +0200
Thank you for the tip, but that still didn't work. I've updated my two log files, one from the router and the other from the app.
[url]http://www.pariahware.com/vpnlog.txt[/url]
[url]http://www.pariahware.com/routervpn.txt[/url]
To update, my router settings are:
IPsec VPN Tunnel: Enabled
Tunnel named: HomeVPN
Local Sec. Group Type: Subnet
IP Address: 192.168.2.x
Subnet: 255.255.255.0
Remote Sec. Group Type: IP Addr.
IP Address: 10.1.1.1
Remote Sec Gateway Type: Any
Key Exchange Method: Auto.
(IKE)
Encryption: 3DES
Auth: SHA1
PFS: Enable
PSK: xxx
Key Life: 28800
NetBIOS: false
Phase1:
Op Mode: Main
Local ID: Name, HomeVPN
Remote ID: Remote IP
Encryption: 3DES
Auth: SHA1
Group: 1024
Key Life Time: 3600
Phase2:
Enc: 3DES
Auth: SHA1
PFS: Enable
Group: 768
Key Life: 28800
IPSecuritas Settings:
General Tab:
Remote IPSec Device: DDNS address
IPv6: Disabled
Local Side: Endpoint Mode: Host, IP: 10.1.1.1
Remote Side: Endpoint Mode: Host, IP: Router's internal gateway address
Transport Mode: Disabled
Phase1:
Lifetime: 3600
DH Group: 1024
Encrypt: 3DES
Auth: SHA-1
Exchange Mode: Main

Re: Frustrated with VPN on my new WRVS4400N by Forum Admin on 2007-07-16 21:49:38 +0200
Hello Christian, two more things you need to change: in your router settings, change the local identification to address too (required for main mode), and in IPSecuritas, change the remote endpoint mode to Network (instead of host) and set the address to 192.168.2.0/24.
Cheers, Christoph

Re: Frustrated with VPN on my new WRVS4400N by Christian on 2007-07-16 23:04:57 +0200
Thank you very much! I now have a green light and am on my LAN. ;D The one remaining issue is that my web surfing (and I'm assuming e-mail) is not going through my router, but rather the router where I currently have my iBook off-site. Can you please tell me how to remedy this last piece of the puzzle? Thanks again!

problem with Netgear FVX538 by cenotaph on 2007-07-17 14:22:15 +0200
Hi, I am totally excited about IPSecuritas as it seems like a really great piece of software, and free too! However, I am having trouble trying to connect to a Netgear FVX538. The wizard had instructions for the FVS328 and also listed the FVX538, but the settings are somewhat more advanced, and I can't get past phase 1 of connecting. I can post debug logs, but first of all, are there any more specific instructions for configuring the FVX538? Thanks!
Re: problem with Netgear FVX538 by cnadig on 2007-07-17 17:34:06 +0200
Hello, have you had a look at the HOWTO yet? (in IPSecuritas->Windows->HowTo List) Or direct link: http://www.lobotomo.com/products/IPSecuritas/howto/Netgear%20FVS114%20FVS328%20HOWTO.pdf
Cheers, Christoph

Re: problem with Netgear FVX538 by cenotaph on 2007-07-18 17:52:05 +0200
Yep - the HOWTO is great for the FVS328, but I have the FVX538 which is a bit different, so I'm not sure if I'm setting it up right. I can send logs to someone (I don't want to post them here for security reasons) if anyone is up for helping.

Re: problem with Netgear FVX538 by ade76 on 2007-07-23 19:02:22 +0200
Version 2 firmware is different on the FVX538, hence it not looking the same. I've had ipsecuritas 2 working fine until recently; version 3 is giving a few errors with connection failures. I'll post up some logs later on. Last time I did it I just followed the wizard in the HOWTO and it worked fine.

Sonicwall Pro2040 config with IPSecuritas by coot on 2007-07-18 13:00:11 +0200
Hi all, I spent lots of wasted hours a few weeks ago trying to get IPSecuritas to work with our Sonicwall Pro 2040 firewall. I was unsuccessful! >:( Before I start to look at this again, has anybody successfully connected to a Sonicwall Pro 2040, and would you be so kind as to let me know the configurations both at the ipsecuritas side and the sonicwall side? Here's hoping.
Regards.. Karl

Re: Sonicwall Pro2040 config with IPSecuritas by JoeG on 2007-08-29 01:52:26 +0200
Same problem here, Karl. It seems I am able to connect just fine with VPN Tracker but the settings don't quite translate directly. I will tell you that I suspect that IPSecuritas does not support DHCP; you must get your admin to assign a static IP and use that in your local connection... I think. I would like to get this program working to avoid the high cost of VPN Tracker.
Re: Sonicwall Pro2040 config with IPSecuritas by matthewyoung on 2007-08-30 02:17:10 +0200
Have a similar problem with our SonicWall 4100 - does not have DHCP, therefore I am still struggling to get things to work - also struggling to get the hosts set up correctly, as I can connect to our firewall but cannot go further.

Re: Sonicwall config with IPSecuritas by netnoah on 2007-09-15 15:38:52 +0200
Hey Folks. I don't know if this helps y'all, but after 3 hours of trying to get IPSecuritas to connect to my VPN (SonicWall) I have (partial) success! Since I am not in the IT dept (just trying to replicate my VPN Tracker setup on my company laptop to my home desktop using a shared key), I've had to guess that the SonicWall is configured as per Equinux's specs (phase 1: 3DES & SHA1; Phase 2: Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1)). Frankly, this is a lot of Greek to me, but I can tell you that the following settings connect with the same functionality as VPN Tracker. (This is the result of the export wizard template menu command.) The only thing that isn't working now is connecting to multiple subnets simultaneously... which didn't work with VPN Tracker either.
phase1.localEndpointMode: ISEndpointModeHost
phase1.remoteEndpointMode: ISEndpointModeNetworks
phase1.exchangeMode: ISExchangeModeAggressiveMain
phase1.proposalCheck: ISProposalCheckObey
phase1.nonceSize: 16
phase1.lifetimeValue: 28800
phase1.lifetimeUnit: ISLifetimeSeconds
phase1.dhGroup: ISDHGroupMod768
phase1.encryption: ISEncryption3DES
phase1.authentication: ISAuthenticationSHA1
phase2.lifetimeValue: 1800
phase2.lifetimeUnit: ISLifetimeSeconds
phase2.pfsGroup: ISPFSGroupNone
phase2.encryptions: ISEncryption3DES
phase2.authentications: ISAuthenticationHmacSHA1
localIdentification.mode: ISIdentificationName
remoteIdentification.mode: ISIdentificationName
authentication.mode: ISAuthenticationPresharedKey
options.ipsecDoi: 0
options.identityOnly: 0
options.verifyIdentifier: 0
options.initialContact: 0
options.generatePolicy: 0
options.supportProxy: 0
options.verifyCertificate: 0
options.sendCertificate: 0
options.sendCertificateRequest: 0
options.modeCfg: 0
options.uniqueSa: 0
options.ikeFragmentation: 0
options.nattMode: ISNATTDisable
options.dhcpPassThrough: 0

Re: Sonicwall Pro2040 config with IPSecuritas by coot on 2007-09-17 11:34:35 +0200
I got this working.
Here is my setup:
==On the SonicWALL==
:General
Authentication Method: IKE using Preshared Secret
Name: WAN GroupVPN
Shared Secret: xxxxx
-Proposals
Phase 1
DH Group: Group 2
Encryption: 3DES
Authentication: MD5
Life Time (seconds): 9600
Phase 2
Protocol: ESP
Encryption: 3DES
Authentication: MD5
Enable PFS: Disabled
Life Time (seconds): 28800
:Advanced
Enable Windows Networking Broadcast: Unchecked
Apply NAT and Firewall Rules: Unchecked
Forward Packets to remote VPNs: unchecked
Default Gateway: 0.0.0.0
Terminated at: LAN/DMZ (I require DMZ access)
Require Authentication of VPN Clients via XAUTH: Checked
:Client
Cache XAUTH User Name and Password on Client: Single Session
Virtual Adapter Settings: DHCP Lease or Manual
Allow Connections to: Split Tunnels
Set Default Route as this Gateway: Unchecked
Require Global Security Client for this Connection: Unchecked
Use Default Key for Simple Client Provisioning: Checked
==In IPSecuritas==
:General
Remote IPSec Device: xxxxx
Local Endpoint Mode: Host
Remote Endpoint Mode: Network, 10.5.1.1/16
Phase 1
Lifetime: 9600 seconds
DH Group: 1024(2)
Encryption: 3DES
Authentication: MD5
Exchange Mode: Main, Aggressive
Proposal Check: Claim
Nonce Size: 16
Phase 2
Lifetime: 28800 seconds
PFS Group: None
Encryption: DES, 3DES
Authentication: HMAC-SHA-1, MD5
:ID
Local Identifier: Address

Re: Sonicwall Pro2040 config with IPSecuritas by deepstructure on 2007-09-19 19:46:10 +0200
hey coot, i've used your exact same settings and can't get them to work! i keep immediately getting:
error: IKE: foreground mode
error: IKE: inappropriate sadb acquire message passed
error: IKE: delete phase1 handle
anyone else able to make these settings work? my pc still connects fine with the settings coot used for the server, but no dice for my macbookpro with ipsecuritas.
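What coot's two settings lists describe is the core of IKE negotiation: each side offers a set of acceptable transforms per phase, and the connection only comes up if the sets intersect (phase 2 is not even attempted until phase 1 has a match, which is why the logs elsewhere in these threads say phase 2 is "waiting for phase1"). The following Python is an added example, not IPSecuritas or SonicWALL code: it models both sides from the settings posted above, with algorithm and DH/PFS group names normalized by hand to one vocabulary (SonicWALL "Group 2" and IPSecuritas "1024(2)" both become "modp1024", "MD5" on the ESP side becomes "hmac-md5"), and adds a constructed variant of the IPSecuritas profile with PFS switched on to show how a single phase-2 mismatch leaves no common proposal. Lifetimes and the Obey/Claim proposal-check setting are deliberately left out of the model.

```python
"""Phase 1 / phase 2 proposal matching for an IPsec client/gateway pair.

Added example, not IPSecuritas or SonicWALL code. The proposal sets are
transcribed from the SonicWALL Pro 2040 / IPSecuritas settings posted in the
thread (names normalized by hand); the PFS-enabled variant is constructed.
"""
from dataclasses import dataclass
from itertools import product
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One concrete transform set a peer is willing to accept."""
    encryption: str
    auth: str
    group: Optional[str]  # DH group in phase 1, PFS group in phase 2 (None = PFS off)


@dataclass
class Peer:
    name: str
    phase1: FrozenSet[Proposal]
    phase2: FrozenSet[Proposal]


def expand(encryptions, auths, groups) -> FrozenSet[Proposal]:
    """Cartesian product of the lists a client UI lets you tick at once
    (IPSecuritas accepts several phase-2 encryption/auth algorithms together)."""
    return frozenset(Proposal(e, a, g) for e, a, g in product(encryptions, auths, groups))


def common(a: FrozenSet[Proposal], b: FrozenSet[Proposal]) -> List[Proposal]:
    """Transforms both peers offer; IKE can only succeed if this is non-empty."""
    return sorted(a & b, key=lambda p: (p.encryption, p.auth, str(p.group)))


def negotiate(client: Peer, gateway: Peer) -> Tuple[Optional[Proposal], Optional[Proposal], List[str]]:
    """Return (phase-1 choice, phase-2 choice, problems). Phase 2 is only
    examined once phase 1 has a match, as in the real exchange."""
    problems: List[str] = []
    p1 = common(client.phase1, gateway.phase1)
    if not p1:
        problems.append("phase 1: no common encryption/auth/DH-group proposal")
        return None, None, problems
    p2 = common(client.phase2, gateway.phase2)
    if not p2:
        problems.append("phase 2: IPSec proposal does not match (check PFS group and ESP transforms)")
        return p1[0], None, problems
    return p1[0], p2[0], problems


# SonicWALL Pro 2040 GroupVPN as posted by coot: Group 2 / 3DES / MD5, ESP 3DES/MD5, PFS disabled.
SONICWALL = Peer(
    "SonicWALL Pro 2040",
    phase1=expand(["3des"], ["md5"], ["modp1024"]),
    phase2=expand(["3des"], ["hmac-md5"], [None]),
)
# IPSecuritas profile from the same post: several phase-2 algorithms ticked, PFS None.
IPSECURITAS = Peer(
    "IPSecuritas",
    phase1=expand(["3des"], ["md5"], ["modp1024"]),
    phase2=expand(["des", "3des"], ["hmac-sha1", "hmac-md5"], [None]),
)
# Constructed variant (hypothetical): identical, but PFS group 2 enabled in phase 2.
IPSECURITAS_PFS = Peer(
    "IPSecuritas (PFS on)",
    phase1=IPSECURITAS.phase1,
    phase2=expand(["des", "3des"], ["hmac-sha1", "hmac-md5"], ["modp1024"]),
)

if __name__ == "__main__":
    for client in (IPSECURITAS, IPSECURITAS_PFS):
        p1, p2, problems = negotiate(client, SONICWALL)
        print(f"{client.name}: phase1={p1} phase2={p2} problems={problems}")
```

The design point is that the client side may offer a superset (DES and 3DES, SHA-1 and MD5) and still match, because the gateway picks any proposal it also accepts; what breaks the match is a parameter the gateway has no counterpart for, such as a PFS group when PFS is disabled on the gateway.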
Re: Sonicwall Pro2040 config with IPSecuritas by coot on 2007-09-20 10:48:28 +0200
If you're using a Sonicwall that isn't a Pro 2040 running standard firmware then I'd guess there must be slight differences in the models. I can't really help any further as I was in the same boat as you; I just tried messing with the settings. Sorry! [smiley=sad.gif]
PS: My PCs also worked fine with no problems.

Re: Sonicwall Pro2040 config with IPSecuritas by 16thnotes on 2007-10-05 12:47:49 +0200
I too get the same errors in my application log when trying to connect to ZyWALL hardware. (Alas, VPN Tracker works fine.) See this thread... [url]http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?num=1191350831[/url]

Re: Sonicwall Pro2040 config with IPSecuritas by providence on 2007-10-10 16:56:42 +0200
What is Network Address Endpoint Mode or Network Mask (CIDR)? Is this something that I have to set up on my SonicWall? Is there any way to get an update to the SonicWall instructions to take advantage of the latest firmware update?

Problems importing certs for requests generated by pacronce on 2007-07-21 23:45:06 +0200
Hi all, we've been using VPN Tracker for years with certificate authentication via our own CA. I'm exploring using IPSecuritas as an alternative, but I'm running into problems with certificates. The problem is there doesn't seem to be a way to import a certificate that corresponds to a certificate request generated in IPSecuritas. It looks like all I can do is import a certificate with a private key. But since I generated the request using IPSecuritas, and there isn't an option to export its corresponding private key, I don't see how to make this work. I would have thought that the workflow for processing requests would be something like this:
1. Generate the request with IPSecuritas. Under the hood a key pair is also created.
2. Send the request to the CA admin.
3.
The CA admin generates the associated certificate and sends it back.
4. Import the certificate in IPSecuritas. The program should match the certificate imported to the keypair/request generated and enable that certificate for use in a connection.
The above is what happens with VPN Tracker. Note that the certificates we're generating are in PEM format, in case that matters. But I can't get the above to work with IPSecuritas. The only cert import option that remotely matches my situation is "PEM/DER encoded foreign certificate". But when I use that, the resulting certificate is not available for selection in the connection. The other options fail to import at all. If I bypass IPSecuritas for certificate request generation and instead import a complete encrypted PKCS#12 file with a private key, then the resulting certificate does work. But I don't like the idea of providing all of our VPN clients with a key pair and cert, because it opens up security issues like the strength of the password, transport and secure disposal of the PKCS#12 file, etc. Note that I have not tried converting the PEM certificate to a PKCS#12 file without a private key. Maybe that would work, but it seems like an unnecessary step. Why not just allow import of a PEM certificate that matches a request? Thanks in advance for any help you can provide.
Best regards, -Allen Cronce

Re: Problems importing certs for requests generate by cnadig on 2007-07-22 20:44:23 +0200
Hello Allen, you're right, this is a misconception in IPSecuritas, which certainly needs to be fixed. I will get in touch with you once it's done.
Thanks a lot, Christoph

Re: Problems importing certs for requests generate by pacronce on 2007-08-22 20:56:27 +0200
[quote author=cnadig link=1185054306/0#1 date=1185129863]you're right, this is a misconception in IPSecuritas, which certainly needs to be fixed. I will get in touch with you once it's done.[/quote]
Thanks for getting back to me.
Have you been able to make any progress on the fix? Thanks in advance!
Best regards, -Allen Cronce

Re: Problems importing certs for requests generate by cnadig on 2007-08-29 17:57:33 +0200
Hello Allen, yes, this is fixed. Please let me know if you need a pre-release. Otherwise it will be available with 3.1 in a couple of weeks.
Cheers, Christoph

Re: Problems importing certs for requests generate by pacronce on 2007-08-30 17:24:21 +0200
[quote author=cnadig link=1185054306/0#3 date=1188403053]yes, this is fixed. Please let me know if you need a pre-release. Otherwise it will be available with 3.1 in a couple of weeks.[/quote]
Great! Thanks Christoph! I'd be happy to beta test the pre-release, if you'd like to make it available. Maybe you could PM me with the download URL?
Thanks in advance, -Allen Cronce

Re: Problems importing certs for requests generate by pacronce on 2007-09-18 01:57:35 +0200
Hi Christoph,
[quote author=cnadig link=1185054306/0#3 date=1188403053]yes, this is fixed. Please let me know if you need a pre-release. Otherwise it will be available with 3.1 in a couple of weeks.[/quote]
I'm just checking in again to see if I can help test the pre-release. Thanks in advance.
Best regards, -Allen Cronce

Re: Problems importing certs for requests generate by pacronce on 2008-01-05 19:10:13 +0100
Looks like this feature works, mostly. I tested it when 3.1 came out in October and was able to generate requests, then import the corresponding certificate. It's been successful for other users of ours also. Thanks for implementing this feature. But I had problems when I tried to use the feature today to renew several certificates. What I did was generate 3 requests, then created the corresponding 3 certificates, then imported the certificates into IPSecuritas. I got a message each time indicating that the request was found and that the private key was associated with the imported certificate. But none of the new certificates worked.
I looked at the log on our server side and found digital signature errors. It occurred to me that maybe if there is more than one request, IPSecuritas gets confused at import time and associates the wrong private key with the certificate. So as an experiment, I deleted all of my requests and certs. Then I generated the 3 certificates one at a time. After each import, I deleted the corresponding request. When I did it this way, all of the certificates were valid and I was able to connect. Would it be possible for you to take a look at the import code to see if there's a bug with associating a certificate with a private key when there is more than one request?

Re: Problems importing certs for requests generate by pacronce on 2008-01-25 17:58:48 +0100
I hate to be a pest, but this is really becoming a problem. So far every user of ours that needs multiple certificates has run into the bug. The workaround of deleting all requests before processing a new one seems to work. But it's counterintuitive and our users don't seem to be able to follow instructions (big surprise). It would be *really* great if this bug could be fixed. Otherwise the support headaches will force me to seek some alternative solution.
Thanks in advance, -Allen Cronce

IPSecuritas NOT compatible with Mac OS X 10.5 Beta by galphanet on 2007-07-22 19:12:04 +0200
Hello, I've tested your excellent software on Mac OS X 10.5 Beta (Build 9A466) and IPSecuritas starts but keeps jumping on the dock and says that it can't connect to the daemon, and after that quits unexpectedly! But IPSecuritasDaemon is really running... I think it'll be easy to adapt it for 10.5... I can help you if you want to test it! (Sorry for my bad English... say if I make mistakes.)

Re: IPSecuritas NOT compatible with Mac OS X 10.5 by cnadig on 2007-07-22 21:21:49 +0200
Hello, I just published a Leopard compatible version.
Please download it from this link: http://www.lobotomo.com/products/downloads/IPSecuritas%20Leopard.dmg
Cheers, Christoph

Re: IPSecuritas NOT compatible with Mac OS X 10.5 by galphanet on 2007-07-22 21:25:20 +0200
Hello, thank you very much for this! 8-)

FortiGate 800 configuration problem by dg on 2007-07-23 22:27:26 +0200
Hi, my wife's workplace now uses FortiGate 800. Their support site explicitly recommends Mac users to use IPsecuritas. However, their IT guy claims that they use "two methods" authentication in Phase 1. In IPsecuritas, you only have a popup menu with a single method choice. Therefore he claims that IPsecuritas cannot be made to work on their VPN. Is this guy just giving me some B.S.? Any help appreciated, thanks. I have a FortiGate client profile. In theory, it should be possible to gather the configuration options out of that profile, but it is not that easy. Could somebody here do that? Thanks.

Re: FortiGate 800 configuration problem by varruss on 2007-07-24 06:20:50 +0200
I have 5 Fortigate firewalls working fine with IPSecuritas. They all use XAuth and preshared secret. (In IPSecuritas under ID - Authentication Method.) Have him confirm what he means by 2 methods authentication.

Re: FortiGate 800 configuration problem by dg on 2007-07-24 16:43:52 +0200
Well, this guy claims that in the Phase 1 authentication method, you need to select multiple methods (same as you can do in the Phase 2 setup, where you can check more than one method).

IPCOP and ipsecuritas by richardk on 2007-07-23 23:45:36 +0200
Hi, has anybody successfully used ipsecuritas to connect to ipcop? If so, please post details of what to enter on the ID and option screen on ipsecuritas. Have been trying for about 2 days with no luck whatsoever.
Thanks, Richard

Re: IPCOP and ipsecuritas by cnadig on 2007-07-24 09:14:01 +0200
Hello, please have a look at http://www.taupehat.com/vpn/ Although it describes the setup for the older version 2.x, it should be easy enough to use it to configure 3.0 (the settings should be the same). The Wizard plugin for IPCop could help, too.
Hope this helps, Christoph

Trying to connect to Fortinet FGT-60 by zoomin on 2007-07-26 15:36:10 +0200
Hello, I am trying to connect to a Fortinet Fortigate 60 at work. I have read Fortinet's instructions here: http://kc.forticare.com/default.asp?SID=&Lang=1&id=2012 but they seem a bit contradictory. At the top, it says "Authentication Method - Preshared Key (Note that the Pre-shard key must be empty)" and then at the bottom it says to "Select Id/Auth and enter the Pressured Secret (preshared key)." I am trying to set it up in Host to Network mode. Thanks for any tips.

Re: Trying to connect to Fortinet FGT-60 by cnadig on 2007-07-26 16:27:44 +0200
Hello, although I don't have a Fortinet available here, I can't imagine that the preshared key may be empty. I rather expect it to be identical with the one entered in IPSecuritas. Please note XAUTH now also works with IPSecuritas and Fortinet (the instructions refer to the older version 2.x) - once you have it running with a preshared key, you may try with XAUTH PSK (same preshared key, but per-user passwords).
Cheers, Christoph

Re: Trying to connect to Fortinet FGT-60 by zoomin on 2007-07-26 19:23:32 +0200
I have upgraded to Ipsecuritas 3.0 but I am still unable to establish a dial-up connection. I do have some successful connections set up to different networks behind the same hardware (FGT-60) using the static IP method, but I am hoping to downgrade my service here and will no longer have a static IP, so that is why I am attempting to set this up with dial-up / roaming settings.
I am unsure what to put in the ID section so I left the defaults, but I am pretty sure that without a static IP I cannot use the IP address as local identifier:
local identifier: address
remote identifier: address
authentication method: preshared key
and put in my preshared key from the Fortinet.

Does "Mutual Authentication" work with cisco 3000? by cwalter on 2007-07-27 17:35:44 +0200
Dear All, I am trying to attach to a Cisco 3000. It is running in Cisco's version of Hybrid Auth, which they call "mutual authentication". It uses a certificate for remote identification in the 1st phase and also uses xauth and a pre-shared key. I can't get it to work, and I can't figure out from the web page or the forums if it is really supported. Can anyone tell me? About the closest setup I can find is:
local id: key-id (set to group name)
remote-id: certificate
Auth method: Xauth RSA
user name: (set to xauth name)
password: (set to xauth password)
I have imported our root certificate into the certificate manager but there is an "!" mark next to the connection name which, if I hover over it, says: "remote identifier set to certificate but no XAUTH server certificate chosen." However I can't find an option anywhere to "choose a certificate". Does anyone have any ideas, or is this configuration not supported at all? BTW, thanks for the work! I am using ipsecuritas to attach to another system not using hybrid-auth and it is great!
-Chris

Problem Connecting With SonicWall TZ-170 by jmarsan on 2007-07-30 17:23:29 +0200
I'm trying to set up IPSecuritas 3.0 to connect to a SonicWall TZ-170.
Right now when I try to connect, the indicator remains red and all I see is the following in the debug log:
IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386
Jul 28, 16:49:22 Debug APP State change from IDLE to AUTHENTICATING after event START
Jul 28, 16:49:22 Info APP IKE daemon started
Jul 28, 16:49:22 Info APP IPSec started
Jul 28, 16:49:22 Debug APP State change from AUTHENTICATING to RUNNING after event AUTHENTICATED
Jul 28, 16:49:22 Info IKE Foreground mode.
Jul 28, 16:49:22 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 28, 16:49:22 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jul 28, 16:49:22 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jul 28, 16:49:22 Info IKE Resize address pool from 0 to 255
Jul 28, 16:49:22 Debug IKE parse successed.
Jul 28, 16:49:22 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management.
Jul 28, 16:49:22 Debug IKE my interface: ::1 (lo0)
Jul 28, 16:49:22 Debug IKE my interface: 127.0.0.1 (lo0)
Jul 28, 16:49:22 Debug IKE my interface: fe80::21b:63ff:fe04:da0b%en1 (en1)
Jul 28, 16:49:22 Debug IKE my interface: 2002:d018:3087::21b:63ff:fe04:da0b (en1)
Jul 28, 16:49:22 Debug IKE my interface: 192.168.1.94 (en1)
Jul 28, 16:49:22 Debug IKE configuring default isakmp port.
Jul 28, 16:49:22 Debug IKE 5 addrs are configured successfully
Jul 28, 16:49:22 Info IKE 192.168.1.94[500] used as isakmp port (fd=7)
Jul 28, 16:49:22 Info IKE 2002:d018:3087::21b:63ff:fe04:da0b[500] used as isakmp port (fd=8)
Jul 28, 16:49:22 Info IKE fe80::21b:63ff:fe04:da0b%en1[500] used as isakmp port (fd=9)
Jul 28, 16:49:22 Info IKE 127.0.0.1[500] used as isakmp port (fd=10)
Jul 28, 16:49:22 Info IKE ::1[500] used as isakmp port (fd=11)
Jul 28, 16:49:22 Debug IKE get pfkey X_SPDDUMP message
Jul 28, 16:49:22 Debug IKE 02120200 02000000 00000000 03050000
Jul 28, 16:49:22 Debug IKE pfkey X_SPDDUMP failed: No such file or directory
Do you have any hints or suggestions as to either how to debug this or what I'm missing in the setup?

Re: Problem Connecting With SonicWall TZ-170 by jmarsan on 2007-08-20 17:20:28 +0200
I got past this problem - my remote network uses (used) the same IP range as the network I was trying to connect to - this apparently causes problems for IPSecuritas. Now I'm on to the next issue... the connection attempt gets much further along but now my TZ-170 is reporting:
08/18/2007 21:19:29.192 IKE Responder: IPSec proposal does not match (Phase 2) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.x.xxx.xxx/32 -> xxx.xxx.x.x/16
08/18/2007 21:19:29.192 IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route xxx.xx.xx.xxx xxx.xxx.xxx.xxx xxx.xxx.x.x/16

Re: Problem Connecting With SonicWall TZ-170 by BHunsaker on 2007-09-26 03:37:40 +0200
I got the "X_SPDDUMP failed" message when the value for "Remote IPSec Device" under the General tab is a DNS string that won't translate. For example, I used "me.dyndns.com" instead of "me.dyndns.[b]org[/b]".

Problem connecting to Exchange server via IMAP by RobertF on 2007-07-30 17:47:54 +0200
I'm trying to connect to our Exchange server from home. It has IMAP turned on and I can access it using Mail.app from work with no difficulty.
However, when I try to access it from home using the VPN, I get a message saying it can't access the server. I am able to access internal network shares via the VPN, so it's not a simple connectivity problem. I can access my mail account via Web mail without difficulty. The mail server is on a 192.168 address, while the servers I'm able to access are on 10.0 addresses. However, the IP address I'm being assigned is in the 192.168 range and I can ping 192.168.1.1. Any troubleshooting ideas?

Netgear DG834 by robinb on 2007-08-10 12:19:55 +0200
Hi All, noob question which hopefully hasn't been answered (I have searched the forum). Has anyone had any success connecting Securitas on OS X to a Netgear DG834? I have used the Netgear Wizard and the Securitas Wizard using (what I think) is going to be the nearest NG device on the list (124G), and the connection fails on phase 1. Error is:
Aug 10, 11:04:50 Info APP Initiated connection XXX
Aug 10, 11:04:50 Error IKE inappropriate sadb acquire message passed.
Aug 10, 11:04:52 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 213.2.210.66[500]->10.20.30.39[500]
Aug 10, 11:04:57 Info APP Initiated connection XXX
Aug 10, 11:04:59 Error IKE phase1 negotiation failed due to time up. 37646a8215af9cf4:0000000000000000
I am assuming that it is due to the device I chose, but the 834 is not listed. I did try a couple of others but no joy. Can anyone point me in the right direction please? TIA

VPN and Gateway by Christian on 2007-08-14 22:34:26 +0200
So, it has been about a month and I'm in need of my VPN again. As I mentioned back then, I can now connect to the VPN, but my home router is not my gateway for web traffic. How do I set up my Mac so that when I'm connected to my VPN, my home router is my gateway for all network traffic? Thank you!

Split DNS? by phssec on 2007-08-22 11:13:34 +0200
Hello. Has anyone got the Split DNS working with IPSecuritas 3.0?
My problem is that it seems to work [i]only[/i] when there is also a public name. Example:

a.example.fi has local address 10.0.0.1
b.example.fi has local address 10.0.0.2 [i]and[/i] public address 80.74.149.177

When I activate IPSecuritas' Split DNS feature for example.fi I can connect to b.example.fi but not to a.example.fi. With netstat I can check that the b.example.fi connection really goes to 10.0.0.2, so it is using IPSec. The host command cannot find any address for a.example.fi and only the public address for b.example.fi.

VPN Tracker seems to be able to handle split DNS properly.

Remote Network Settings
by matthewyoung on 2007-08-23 18:51:51 +0200

We have IP addresses of 172.x.0.0 and I am trying to set this up so I can connect through to our SonicWall and into our network. I have it so I can connect to the SonicWall, as I can log in to the firewall management site, but the network settings I have listed are not the same as if I use SonicWall's own VPN software on my Windows machine (they don't make one for Macs) - on there I see the network as being 0.0.0.0 255.255.255.255 - how do I get that as the remote endpoint setting?

Also... using the firewall software my computer gets a DHCP IP address from the firewall and I cannot see a setting for this in IPSecuritas. I can give myself a manual setting (Local Endpoint) but one on the firewall I cannot ping or connect to anything else on the network, whether on 172.16.x.x (which is the firewall's internal) or another 17 address we have.

Any suggestions????

Linksys WRV200
by rdfisher on 2007-09-05 06:03:03 +0200

I'm trying to establish a workstation to network VPN connection with a Linksys WRV200 router. Through searching these forums I found reference to an outdated guide (http://www.lobotomo.com/products/IPSecuritas/howto/Linksys%20WRV200%20HOWTO.pdf) but I haven't been successful at making a connection using these directions.
Has anyone had success at connecting to this router, specifically running (current) firmware 1.0.32.2? I will certainly post logs etc. if troubleshooting is necessary, but figured I'd first start by looking for any known good configurations.

Thanks for the help.

rf

Re: Linksys WRV200
by dandor on 2007-09-07 07:02:15 +0200

Hi, I've just been trying to get the same things working. I think I managed to work around the outdated HowTo--- not too much changed, luckily. After putting in all the details, I've got a connection, according to "sudo setkey -D" and "ifconfig". However, the link doesn't work! Pinging the router returns silence.

In the next day or two I'll return to this forum either 1) to ask how to get it working, or 2) to explain how I sorted it out.

D.

Re: Linksys WRV200
by dandor on 2007-09-07 18:17:36 +0200

Hi, using the HowTo as a guide, I got it working. Need the configuration details? I can try to post a series of screenshots. Would that be helpful?

[b]UPDATE:[/b]
[url=http://www.flickr.com/photos/xandxor/1342694152/][img]http://farm2.static.flickr.com/1055/1342694152_906f7897b5_b.jpg[/img][/url]

I suspect the WRV200 settings are more useful. Next update.

Re: Linksys WRV200
by dandor on 2007-09-07 18:58:54 +0200

WRV settings: (Note that the "Advanced Settings" should have the "Allow All" radio button checked, but that is in fact the default.)

[url=http://www.flickr.com/photos/xandxor/1341846071/][img]http://farm2.static.flickr.com/1317/1341846071_77e7df7bdf_o.jpg[/img][/url]

Re: Linksys WRV200
by rdfisher on 2007-09-20 07:02:38 +0200

That worked! I tried your solution a few weeks ago and it didn't work at that time. I don't know what I did differently this time around, but I'm connected right now. Excellent help with the screenshots! Thanks for the help.

IPSecuritas connecting to OS X Server 10.4
by alex_schenkman on 2007-09-05 10:12:01 +0200

Hi:

Is it possible to connect to an OS X Server 10.4 with IPSecuritas?
I know that I can use the OS X built-in client, but I wonder if I can offer my users a single interface for connecting to all our resources.

Thanks in advance!

IPSecuritas & Netgear DGFV338
by ridgedale on 2007-09-16 07:34:06 +0200

I wonder if anyone might be able to help. I'm trying to VPN into a Netgear DGFV338 and am having no success. Would someone be able to tell me where I am going wrong? I've provided a log of an attempted connection below:

[code]
Sep 16, 06:06:52 Info APP IKE daemon started
Sep 16, 06:06:53 Info APP IPSec started
Sep 16, 06:06:53 Error IKE Foreground mode.
Sep 16, 06:06:53 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Sep 16, 06:06:53 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Sep 16, 06:06:53 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Sep 16, 06:06:53 Info IKE Resize address pool from 0 to 255
Sep 16, 06:06:53 Info APP Initiated connection <connectionName>
Sep 16, 06:06:53 Error IKE inappropriate sadb acquire message passed.
Sep 16, 06:06:54 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Sep 16, 06:07:00 Info APP Initiated connection <connectionName>
Sep 16, 06:07:07 Info APP Initiated connection <connectionName>
Sep 16, 06:07:09 Error IKE <routerIP> give up to get IPsec-SA due to time up to wait.
Sep 16, 06:07:14 Info APP Initiated connection <connectionName>
Sep 16, 06:07:14 Error IKE inappropriate sadb acquire message passed.
Sep 16, 06:07:21 Info APP Initiated connection <connectionName>
Sep 16, 06:07:26 Warning APP Connection <connectionName> timed out
Sep 16, 06:07:26 Warning APP Giving up
Sep 16, 06:07:29 Error IKE <routerIP> give up to get IPsec-SA due to time up to wait.
Sep 16, 06:08:29 Info APP IPSec stopping
Sep 16, 06:08:30 Info APP IKE daemon terminated
[/code]

Thanks in advance.
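Most of the logs pasted in this thread are racoon output in the same "Mon DD, HH:MM:SS Level Source message" format, and the same handful of messages keep coming back. What follows is an added example, not IPSecuritas code and not from any poster: a small Python triage script that parses that format and maps the recurring racoon messages to the causes the replies in this thread point at. The embedded sample log is constructed from message texts quoted in the thread; its timestamps, the connection name "office" and the 203.0.113.10 peer address are made up.

```python
"""Triage helper for IPSecuritas (racoon) connection logs.

Added example for this thread, not code from IPSecuritas or Lobotomo Software.
It parses the "Mon DD, HH:MM:SS Level Source message" lines IPSecuritas writes
and maps the racoon messages that recur in this thread to the causes the
thread's replies point at, so a pasted log can be read at a glance.
"""
import re
from collections import Counter

# Constructed sample: message texts are the ones quoted in this thread,
# the timestamps, connection name and peer address are made up.
SAMPLE_LOG = """\
Sep 16, 06:06:53 Info APP Initiated connection office
Sep 16, 06:06:53 Error IKE inappropriate sadb acquire message passed.
Sep 16, 06:06:54 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Sep 16, 06:06:55 Warning IKE trns_id mismatched: my:DES peer:3DES
Sep 16, 06:07:09 Error IKE 203.0.113.10 give up to get IPsec-SA due to time up to wait.
Sep 16, 06:07:26 Warning APP Connection office timed out
Sep 16, 06:07:26 Warning APP Giving up
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2}, \d{2}:\d{2}:\d{2}) "
    r"(?P<level>Debug|Info|Warning|Error) (?P<src>APP|IKE) (?P<msg>.*)$"
)

# (substring of the racoon message, diagnosis). First match wins. The
# diagnoses are the causes this thread's replies identified, not an
# exhaustive racoon reference.
RULES = [
    ("pfkey X_SPDDUMP failed",
     "policy setup failed: remote device name does not resolve, "
     "or local and remote networks overlap"),
    ("trns_id mismatched",
     "phase 1 encryption proposal differs from the peer's"),
    ("phase1 negotiation failed due to time up",
     "no usable IKE reply from the peer: wrong peer address, UDP 500 "
     "blocked, or NAT in the path (try NAT-T)"),
    ("phase2 negotiation failed due to time up waiting for phase1",
     "consequence of the phase 1 failure above; fix phase 1 first"),
    ("give up to get IPsec-SA due to time up",
     "peer never completed the exchange: check PSK, identifiers and "
     "the phase 1 proposal"),
    ("failed to get sainfo",
     "phase 2 mismatch: remote/local network selectors or phase 2 proposal"),
    ("couldn't find the proper pskey",
     "PSK not found for the peer's identifier; racoon retries by address"),
    ("inappropriate sadb acquire message passed",
     "appears in nearly every log in this thread; not diagnostic on its own"),
]


def parse_line(line):
    """Split one IPSecuritas log line into its fields; None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def diagnose(message):
    """Return the diagnosis for a racoon message, or None if it is unremarkable."""
    for needle, verdict in RULES:
        if needle in message:
            return verdict
    return None


def triage(log_text):
    """List (timestamp, level, message, diagnosis) for every line that matched a rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # banner lines such as "IPSecuritas 3.0 build 1693 ..." are skipped
        verdict = diagnose(rec["msg"])
        if verdict:
            findings.append((rec["ts"], rec["level"], rec["msg"], verdict))
    return findings


def summarize(log_text):
    """Count how often each diagnosis occurs, so repeated retries collapse to one entry."""
    return Counter(verdict for _, _, _, verdict in triage(log_text))


if __name__ == "__main__":
    for ts, level, msg, verdict in triage(SAMPLE_LOG):
        print(f"{ts} {level:7} {msg}\n    -> {verdict}")
    print(summarize(SAMPLE_LOG))
```

Feed a pasted log to summarize() and the retries that repeat every few seconds in logs like the one above collapse to one count per diagnosis. The rules are plain substring matches on the racoon message text, so a new message is one more tuple in RULES.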
Re: IPSecuritas & Netgear DGFV338
by cnadig on 2007-09-17 07:12:22 +0200

Hello, could you please set the log level to Debug (in IPSecuritas' preferences) and post such a log again (please make sure to remove your public address and other confidential information from the output)?

Thanks, Christoph

Re: IPSecuritas & Netgear DGFV338
by ridgedale on 2007-09-18 21:03:27 +0200

Christoph,

Thanks for your reply. I've managed to sort the issue out - everything's working fine now. I'll remember to heed your comments when posting in future.

Thanks again

Dene

Re: IPSecuritas & Netgear DGFV338
by AKirchner on 2007-09-21 12:49:00 +0200

Hey, I have the same hard- and software but I can't fix it. That's my log. The support hotline from Netgear is incompetent, I think.

[code]
IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386
Sep 21, 12:34:09 Info APP IPSec stopping
Sep 21, 12:34:10 Info APP IKE daemon terminated
Sep 21, 12:34:10 Info APP IKE daemon started
Sep 21, 12:34:11 Info APP IPSec started
Sep 21, 12:34:11 Info IKE Foreground mode.
Sep 21, 12:34:11 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Sep 21, 12:34:11 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Sep 21, 12:34:11 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Sep 21, 12:34:11 Info IKE Resize address pool from 0 to 255
Sep 21, 12:34:11 Info APP Initiated connection Rudi Renner Bellinghausen
Sep 21, 12:34:11 Error IKE inappropriate sadb acquire message passed.
Sep 21, 12:34:18 Info APP Initiated connection Rudi Renner Bellinghausen
Sep 21, 12:34:25 Info APP Initiated connection Rudi Renner Bellinghausen
Sep 21, 12:34:27 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->192.168.2.20[500]
Sep 21, 12:34:32 Info APP Initiated connection Rudi Renner Bellinghausen
Sep 21, 12:34:34 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->192.168.2.20[500]
Sep 21, 12:34:39 Info APP Initiated connection Rudi Renner Bellinghausen
Sep 21, 12:34:39 Error IKE inappropriate sadb acquire message passed.
Sep 21, 12:34:41 Error IKE phase1 negotiation failed due to time up. fd391904457e4be8:0000000000000000
Sep 21, 12:34:41 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->192.168.2.20[500]
Sep 21, 12:34:44 Warning APP Connection Rudi Renner Bellinghausen timed out
Sep 21, 12:34:44 Warning APP Giving up
Sep 21, 12:34:48 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->192.168.2.20[500]
Sep 21, 12:34:55 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->192.168.2.20[500]
Sep 21, 12:35:50 Info APP IPSec stopping
Sep 21, 12:35:51 Info APP IKE daemon terminated
Sep 21, 12:35:53 Info APP IKE daemon started
Sep 21, 12:35:53 Info APP IPSec started
Sep 21, 12:35:53 Error IKE Foreground mode.
Sep 21, 12:35:53 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Sep 21, 12:35:53 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Sep 21, 12:35:53 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Sep 21, 12:35:53 Info IKE Resize address pool from 0 to 255
Sep 21, 12:35:53 Info APP Initiated connection Rudi Renner Bellinghausen
[/code]

Re: IPSecuritas & Netgear DGFV338
by gmandil on 2008-11-12 20:58:18 +0100

ridgedale, could you please explain to us what you have done to make it work?

Thanks in advance

Guillaume

IPSecuritas - problem accessing the DMZ
by coot on 2007-09-17 11:25:47 +0200

Hi all,

We have a problem accessing our DMZ from home using the IPSecuritas VPN Client. We are connecting to a SonicWall Pro 2040. I have two remote endpoints. One is the DMZ and one is the LAN. I can connect successfully to all LAN computers. I cannot connect to any computers in the DMZ.

I have tested the SonicWall VPN Client on a Windows PC and can access both the LAN and DMZ computers.

Does anyone have an idea of what could be causing this problem? If you need any extra info about this then just let me know.

Regards..

Karl

Re: IPSecuritas - problem accessing the DMZ
by coot on 2007-09-17 17:40:29 +0200

I'm really stumped on this. I think there may be a problem accessing the second network. In the scenario above, I had the DMZ listed as the second network in the Remote Endpoint "Networks" section. I changed it around so that the DMZ network is listed first and the LAN network second. Now I can connect to the DMZ but not the LAN. :-/

Any ideas?

Problems connecting to Sonicwall TZ-170
by adacey on 2007-09-19 13:53:21 +0200

I had this working fine under 2.1 but with 3.0 I can't connect. I imported my connection from 2.1, but when I connect the log shows "Id expected IP address in main mode but received FQDN" (sorry, posting from work so I don't have the exact message). I have identifiers set to address for both sides of the connection; I've checked the Sonicwall's configuration and can't find what it's using for identifiers. The closest option I found was the firewall's unique firewall identifier, which I did try inputting for its identifier (as a FQDN) but that also didn't work.

Any suggestions?
Fios Actiontec M1424-WR
by headbaker on 2007-09-22 04:23:00 +0200

I have been using IPSecuritas on my MacBook Pro from home over a Linksys WRK54G router while with Comcast to a Sonicwall 4060. I just switched to Verizon FIOS with an Actiontec M1424-WR router and have had no luck. I am using the same LAN IP on this new router as the old one. I can connect from the Mac when booting into Vista and running Sonicwall's GlobalVPN client.

Has anyone else experienced any difficulties switching over to FIOS or the Actiontec router?

Re: Fios Actiontec M1424-WR
by headbaker on 2007-09-23 00:42:07 +0200

Well, with persistence I was able to get it working. The only configuration change was to disable NAT-T. It is working fine now.

Addressing questions
by Roger408 on 2007-09-28 19:51:01 +0200

I'm setting up IPSecuritas for the first time, using a Netgear FVS114 there and a Mac mini here. I can get a connection established, but have trouble reaching anything at the end with the router (there).

Addressing on the LAN there is 192.168.0.0/24. At present my Mac is on my home LAN (here) and is 10.43.x.x. Attempting to ping anything on 192.168.0.x fails, since I assume it is trying to ping on my home LAN. I'm not clear on how to direct traffic through the IPsec link to the 192.168... LAN. Can anyone clarify this for me?

Here is the log for this session. The last three lines are repeated many times...

[code]
Sep 28, 09:35:41 Info APP IKE daemon started
Sep 28, 09:35:41 Info APP IPSec started
Sep 28, 09:35:41 Error IKE Foreground mode.
Sep 28, 09:35:41 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Sep 28, 09:35:41 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Sep 28, 09:35:41 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Sep 28, 09:35:41 Info IKE Resize address pool from 0 to 255
Sep 28, 09:35:42 Info APP Initiated connection SVCF
Sep 28, 09:35:42 Error IKE inappropriate sadb acquire message passed.
Sep 28, 09:35:45 Warning IKE trns_id mismatched: my:DES peer:3DES
Sep 28, 09:35:49 Info IKE the packet is retransmitted by 76.210.165.xx[500].   $ xx inserted by me.
Sep 28, 09:35:54 Info IKE the packet is retransmitted by 76.210.165.xx[500].
Sep 28, 09:35:59 Info IKE the packet is retransmitted by 76.210.165.xx[500].
Sep 28, 09:36:44 Error IKE failed to get sainfo.
Sep 28, 09:36:44 Error IKE failed to get sainfo.
Sep 28, 09:36:44 Error IKE failed to pre-process packet.
Sep 28, 09:36:48 Error IKE failed to get sainfo.
[/code]

Re: Addressing questions
by Forum Admin on 2007-10-01 17:36:52 +0200

Hello, when a connection is established, traffic to the remote network is directed automatically through the established tunnel, i.e. there is no need for an extra route entry. If you can't get traffic to or from the remote network although the connection is established (green dot), I see two possible problems:

1. NAT problem: your local router might not support VPN-passthrough, or there are other IPSec tunnels active from the local network. Try enabling NAT-T.
2. The remote firewall is not the default route for the machine you try to reach; the 10.x.x.x network is routed differently or not at all. I'd try to specify a different "virtual" local IP (enter the address into the local endpoint address field), say from the 172.24.x.x range.

If this doesn't help, try to find out if the traffic you send is reaching the other end at all, i.e. sniff the local network for traffic destined to the machine you're trying to reach, to see which direction doesn't work.

Hope this helps, Christoph

Connection speed issue
by wilfredoz on 2007-10-01 14:35:12 +0200

Hello,

Thank you for this great piece of software. I use it occasionally with my MacBook GPRS connection to a m0n0wall IPsec router to log in to a couple of servers at work via ssh and to a remote desktop machine.

Now I've got one problem. When I use a GPRS (slow) connection everything goes well; when I connect with ssh I can control the remote servers perfectly. But when I use a high-speed cable or ADSL connection, the ssh session locks up when I try to use some commands like "ls". The same happens with remote desktop on Mac OS X: the remote screen appears completely on a GPRS connection, but when I use a high-speed connection the remote screen doesn't even appear.

Is this a known problem and what can I do about it?

Thanks!

Re: Connection speed issue
by Forum Admin on 2007-10-01 17:26:53 +0200

Hello, this looks like an issue with the MTU. IPSec encapsulates the original user data into an ESP packet, probably making the resulting packet larger than allowed. Please try to decrease the MTU on the m0n0walls' WAN interface by 8 (no NAT-T) or 28 (NAT-T enabled).

Hope this helps, Christoph

Re: Connection speed issue
by wilfredoz on 2007-10-03 22:14:38 +0200

[quote author=Forum Admin link=1191242112/0#1 date=1191252413]Hello, this looks like an issue with the MTU. IPSec encapsulates the original user data into an ESP packet, probably making the resulting packet larger than allowed. Please try to decrease the MTU on the m0n0walls' WAN interface by 8 (no NAT-T) or 28 (NAT-T enabled). Hope this helps, Christoph[/quote]

Thanks for your reply. I tried to decrease the MTU size but it did not solve the problem. I think if it were the other way around, it could be an MTU issue..
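The admin's reply above attributes the stall to ESP encapsulation making packets larger than the link allows. As an added illustration (my own code, not m0n0wall's or IPSecuritas'), the Python below models where those extra bytes go for ESP in tunnel mode over IPv4. It assumes CBC ciphers and a 96-bit HMAC integrity check value, matching the 3DES/AES-128 and HMAC-MD5/HMAC-SHA-1 settings that posters in this thread quote, and reports both the overhead added to a full-size packet and the largest inner packet that still fits a given link MTU. It goes beyond the reply's rule of thumb by counting the IV, the block padding and the ICV as well as the fixed headers.

```python
"""Where the bytes go when a packet is ESP-encapsulated (tunnel mode, IPv4).

Added example for the MTU discussion in this thread; not IPSecuritas or
m0n0wall code. It models RFC 4303 ESP in tunnel mode with CBC ciphers and a
96-bit HMAC ICV (HMAC-SHA1-96 / HMAC-MD5-96), the combination the settings
quoted in this thread use, plus the UDP header NAT-T adds (RFC 3948).
"""

IPV4_HDR = 20      # outer tunnel header
UDP_HDR = 8        # UDP encapsulation added by NAT-T
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header
ICV_LEN = 12       # HMAC-SHA1-96 / HMAC-MD5-96 integrity check value

# CBC ciphers: (IV length, block size) in bytes
CIPHERS = {
    "3des": (8, 8),
    "aes128": (16, 16),
    "aes256": (16, 16),
}


def esp_packet_size(inner_len, cipher="aes128", nat_t=False):
    """Size on the wire of an ESP tunnel-mode packet carrying inner_len bytes."""
    iv_len, block = CIPHERS[cipher]
    # The encrypted part (inner packet + padding + 2-byte trailer) is padded
    # up to a whole number of cipher blocks.
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = IPV4_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + ICV_LEN
    if nat_t:
        size += UDP_HDR
    return size


def esp_overhead(inner_len, cipher="aes128", nat_t=False):
    """Bytes added to an inner packet of inner_len bytes by encapsulation."""
    return esp_packet_size(inner_len, cipher, nat_t) - inner_len


def max_inner_packet(link_mtu=1500, cipher="aes128", nat_t=False):
    """Largest inner (pre-encapsulation) packet that fits link_mtu unfragmented."""
    # The wire size grows with inner_len, so walk down from the link MTU
    # until the encapsulated packet fits.
    n = link_mtu
    while n > 0 and esp_packet_size(n, cipher, nat_t) > link_mtu:
        n -= 1
    return n


def will_fragment(inner_len, link_mtu=1500, cipher="aes128", nat_t=False):
    """True when a packet of inner_len bytes exceeds the link MTU after encapsulation."""
    return esp_packet_size(inner_len, cipher, nat_t) > link_mtu


if __name__ == "__main__":
    for cipher in CIPHERS:
        for nat_t in (False, True):
            print(f"{cipher:7} NAT-T={str(nat_t):5} "
                  f"overhead on a 1500-byte packet: {esp_overhead(1500, cipher, nat_t):3} bytes, "
                  f"largest inner packet on a 1500-byte link: {max_inner_packet(1500, cipher, nat_t)}")
```

With AES-128 and NAT-T, a 1500-byte inner packet becomes 1568 bytes on the wire and the largest inner packet that fits a 1500-byte link is 1422 bytes. Interactive ssh keystrokes never reach that size, while the output of a command like "ls" fills full-size segments, which matches the symptom described above. The model says nothing about what the path does with the oversize packet (fragment it or silently drop it); a ping with the don't-fragment bit set is the usual way to find that out.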
Re: Connection speed issue
by Dave on 2007-10-31 16:17:11 +0100

[quote author=wilfredoz link=1191242112/0#2 date=1191442478]Thanks for your reply, I tried to decrease the MTU size but it did not solve the problem. I think when It was the other way around, it could be a MTU issue..[/quote]

When I connect to the SonicWall at work, I have to set the Mac's MTU down to around 1400, do a couple of pings with no-fragment set, and then set it back up to 1500. After doing all this, things will work. If I don't, the first fragmented packet stalls the connection.

Is there some way to do this automagically when the connection starts?

MacBook Pro can't find VPN server.
by gmoon on 2007-10-01 18:35:54 +0200

My office set up a VPN mostly to be used by me when I'm out of the office. I was given the .ipsc file to import, and I'm able to get connected in IPSecuritas (it shows green), but when I try to connect to the server from the Finder it says it's looking up the server, but then says it can't find it.

A coworker has essentially the same Mac as me. I copied his .ipsc file and he is able to connect but I am not (from the same remote location). I have also tried from home on my other 2 Macs; each shows green, but can't find the server. We went through all of our network and sharing settings to see if anything was different and it all appears the same.

Is there a setting I may need to change on my Mac? When I'm at home I'm using an Airport Extreme and I have to set NAT-T to enable and check "Local IP in Remote Network", but even from the cafe up the street where we tried it, his works and mine won't!

Any thoughts?? Thanks.

Re: MacBook Pro can't find VPN server.
by Forum Admin on 2007-10-01 21:04:11 +0200

Hello, this seems odd... Have you tried to just ping a remote machine?
Could you please run the following commands in a Terminal window on both your and your colleague's machine, possibly from the same remote location (one command per line):

[code]
ifconfig -a
netstat -nr
sudo setkey -DP
sudo setkey -D
[/code]

(The second last command will ask you to enter your administrator password.) Could you please e-mail me the output to lobotomo@lobotomo.com?

Thanks, Christoph

Zywall 5 and XAUTH
by wf10 on 2007-10-02 20:47:10 +0200

Hi everyone

I use Zywall 5, Firmware Version 4.x and IPSecuritas Version 3. I want to manage the access using Extended Authentication and PSK. I can't establish a connection to my gateway. With PSK only, it runs fine. Even with VPN Tracker, it runs also.

Any hint? Thanks a lot!

Dave

Re: Zywall 5 and XAUTH
by 16thnotes on 2007-10-05 12:24:39 +0200

I too would like to do Xauth with the ZyWALL 35 and 70 models with the 4.X firmware, but simply get the following errors in the IP Securitas application connection log:

[color=#990000]Oct 05, 19:07:53 Error IKE Xauth mode config request but peer did not declare itself as Xauth capable
Oct 05, 19:07:53 Error IKE Hash verification failed
Oct 05, 19:07:53 Error IKE unknown Informational exchange received.[/color]

Re: Zywall 5 and XAUTH
by 16thnotes on 2007-10-05 12:41:14 +0200

I discovered that there was the option under the ID tab for Xauth PSK. I did not see that the first time; however, I still get the following errors in the IP Securitas application log:

[color=#990000]Oct 05, 19:36:53 Error IKE inappropriate sadb acquire message passed.
Oct 05, 19:36:54 Warning IKE ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Oct 05, 19:36:54 Error IKE No SIG was passed, hybrid auth is enabled, but peer is no Xauth compliant
Oct 05, 19:36:54 Warning IKE Short payload[/color]

IPSecuritas and XAUTH
by sohonet on 2007-10-03 13:19:19 +0200

Hi, I am currently testing the final release of IPSecuritas and I can't get xauth to work.
The VPN connection is successful but I expected a pop-up window to come up so that the users can authenticate to the remote Netscreen in my case.

Any ideas anyone?

Re: IPSecuritas and XAUTH
by 16thnotes on 2007-10-05 12:42:25 +0200

I'm unable to get it working with my ZyWALL 35 hardware as well. Did you try using the new option under the ID tab for Xauth PSK?

Draytek Vigor and "host to anywhere"
by wanabe_cool on 2007-10-03 15:23:51 +0200

Hi,

Anyone had any experience with connecting to a Draytek Vigor router with IPSecuritas? I've set up a "host to network" which works fine, but not when trying to route all traffic through the VPN (host to anywhere). The connection seems to just die when trying to connect. Below are a selection of details which I hope might help someone to understand what is happening:

My system log shows:

[code]
Oct 3 14:12:57 CG-MBP crashdump[704]: racoon crashed
Oct 3 14:12:57 CG-MBP crashdump[704]: crash report written to: /Library/Logs/CrashReporter/racoon.crash.log
[/code]

The crash log shows this:

[code]
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000004
[/code]

I have the following settings:

Version = 3.0rc3 (build 1693)
General -> Remote Side -> Endpoint mode = Anywhere + DHCP Pass-Through enabled
Phase 1 and Phase 2 should be OK as it works with the same config when connecting "host to network"
ID -> Local Identifier = Address
ID -> Remote Identifier = Address
ID -> Authentication Method = Preshared Key

Options Selected:
IPSec DOI
SIT_IDENTITY_ONLY
Verify Identity
Local IP in Remote Network
Unique SAs
IKE Fragmentation
NAT-T = Enable (my client is behind a NAT firewall)

The connection appears to get through phase 1 and possibly phase 2 until this happens:

[code]
Oct 03, 14:12:57 Info APP IKE daemon terminated
Oct 03, 14:12:57 Debug APP State change from RUNNING to IDLE after event RACOON TERMINATED
Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting
Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting
Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting
Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting
Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting
Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting
Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting
Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE -
[/code]

IPSecuritas 3 and AVM Fritz Box
by yap on 2007-10-09 16:56:50 +0200

Hello,

I have an AVM Fritz!Box with the current firmware "Labor-Version 29.04.34-7728" installed. With version 2.2 of IPSecuritas I can use VPN perfectly. But it doesn't work with the new version of IPSecuritas. I had imported my settings from version 2.2 to version 3 but I only get these log entries:

[code]
IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig
Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386
Oct 09, 16:33:22 Info APP Network configuration change detected
Oct 09, 16:33:37 Info APP IKE daemon started
Oct 09, 16:33:38 Info APP IPSec started
Oct 09, 16:33:38 Error IKE Foreground mode.
Oct 09, 16:33:38 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Oct 09, 16:33:38 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Oct 09, 16:33:38 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Oct 09, 16:33:38 Info IKE Resize address pool from 0 to 255
Oct 09, 16:34:53 Info APP IPSec stopping
Oct 09, 16:34:54 Info APP IKE daemon terminated
Oct 09, 16:35:15 Info APP Network configuration change detected
Oct 09, 16:35:46 Info APP Network configuration change detected
[/code]

I don't know what's wrong. Can anyone help me?
These are my settings:

[quote]
General:
Remote IPSec Device: myadress.dyndns.org
Local Side, Endpoint Mode: Host
IP Address (optional): 192.168.178.201
Remote Side, Endpoint Mode: Network
Network Address: 192.168.178.0
Network Mask (CIDR): 24

Phase 1:
28800 Seconds
1024 (2)
3DES
SHA-1
Aggressive
Claim
16

Phase 2:
Lifetime: 28800 Seconds
PFS Group: 1024 (2)
Encryption: AES 128
Authentication: HMAC MD5, HMAC SHA-1

ID:
User FQDN me@something.com
Address
Preshared Key
[/quote]

Re: IPSecuritas 3 and AVM Fritz Box
by Forum Admin on 2007-10-09 19:19:47 +0200

Hello, could you possibly send me the log output of both versions 2.2 and 3.0 with log level set to debug to lobotomo@lobotomo.com?

Thank you very much, Christoph

Re: IPSecuritas 3 and AVM Fritz Box
by yap on 2007-10-14 12:45:25 +0200

Hi, thank you, but now it works. Just a few days ago AVM, the producer of the Fritz!Box, wrote a howto to connect with IPSecuritas to the AVM Fritz Box. Here is the link to the HOWTO:

http://www.avm.de/de/Service/Service-Portale/Service-Portal/VPN_Interoperabilitaet/box_zu_securitas.php?portal=VPN

thanks

Re: IPSecuritas 3 and AVM Fritz Box
by Forum Admin on 2007-10-16 15:15:21 +0200

Thank you very much for the link. IPSecuritas 3.1 now contains a wizard template and a HOWTO for the FRITZ!Box.

Christoph

IPSecuritas and FVS318v3
by fallous on 2007-10-18 04:53:25 +0200

OK, I've got a FVS318v3 sitting as the edge router for a local network that uses the 192.168.16.x local block for internal servers. I'm trying to connect with a remote client that's sitting in a 192.168.1.x NAT'd network. I went through the IPSecuritas doc for setting this net up, and when I try and connect the connect indicator turns green, but I can't ping anything or connect to anything. In addition a connect seems to fubar the FVS so that you can't web connect to the management page without power cycling the router, which sucks.
I do have a second router on the net that handles traffic to other sites that are in the 192.168.x.x block and I'm wondering if I'm running into a problem there.

Re: IPSecuritas and FVS318v3
by jdsmcroy on 2007-11-08 23:29:35 +0100

I would be interested to know if you found a solution to this problem. I am experiencing the exact same issue.

Re: IPSecuritas and FVS318v3
by bstender on 2007-11-29 01:53:06 +0100

try setting the client ip to 10.0.0.1

IPSecuritas connecting to Netscreen NS25 XauthPSK
by bence8810 on 2007-10-18 16:18:18 +0200

Hi

I am trying to connect to a Netscreen Firewall, NS5, and I am using IPSecuritas. I am brand new to Mac, so I may be missing a lot of things.

Firstly, the Netscreen requires Xauth - PSK authentication, a Pre Shared key first, then a user supplied password, as we have multiple users on the Netscreen. I tried my best to set up IPSecuritas, but I obviously was not good enough. I have also set up a Client for Windows with the same PSK and Xauth login, and it works like a charm.

I am including logs from the Netscreen when connecting successfully from Windows, and the error when connecting from IPSecuritas. Both connections are made from the same Wireless Router, so there is no difference between the two scenarios, except the OS and VPN client, and of course, the settings.

Successful connection with Netscreen Remote Connect on Windows:

[code]
2007-10-17 22:21:23 info IKE<MY WIFI LAN STATIC IP> Phase 2 msg ID <f90990ca>: Completed negotiations with SPI <78a068ee>, tunnel ID <32770>, and lifetime <3600> seconds/<0> KB.
2007-10-17 22:21:23 info IKE<MY WIFI LAN STATIC IP> Phase 2 msg-id <f90990ca>: Completed for user <USER@DOMAIN.XXX>.
2007-10-17 22:21:23 info IKE<MY WIFI LAN STATIC IP> Phase 2 msg ID <f90990ca>: Responded to the peer's first message from user <USER@DOMAIN.XXX>.
2007-10-17 22:21:21 info IKE<MY WIFI LAN STATIC IP>: XAuth login was passed for gateway <NETSCREEN-GW-NAME>, username <Xauth Username>, retry: 0.
2007-10-17 22:21:16 info IKE<MY WIFI LAN STATIC IP>: Received initial contact notification and removed Phase 1 SAs.
2007-10-17 22:21:16 info IKE<MY WIFI LAN STATIC IP> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2007-10-17 22:21:16 info IKE<MY WIFI LAN STATIC IP> Phase 1: Completed for user <USER@DOMAIN.XXX>.
2007-10-17 22:21:16 info IKE<MY WIFI LAN STATIC IP>: Received initial contact notification and removed Phase 2 SAs.
2007-10-17 22:21:16 info IKE<MY WIFI LAN STATIC IP>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
[/code]

And the unsuccessful one from Mac OS X and IPSecuritas:

[code]
2007-10-17 23:23:38 info Rejected an IKE packet on untrust from MY WIFI LAN STATIC IP:500 to NETSCREEN IP:500 with cookies 8d838541ab3c6dda and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.
[/code]

I would appreciate any help with this,

Thanks

Ben

Re: IPSecuritas connecting to Netscreen NS25 Xauth
by Forum Admin on 2007-10-18 18:40:53 +0200

Hello Ben, which version of IPSecuritas did you use? Only 3.1 (or any beta of 3.1) is able to talk to Juniper's XAuth implementation. If you were using 3.1, could you send me a log output from IPSecuritas (with log level set to Debug) to lobotomo@lobotomo.com?

Thanks, Christoph

Re: IPSecuritas connecting to Netscreen NS25 Xauth
by bence8810 on 2007-10-18 22:19:23 +0200

Hi Christoph,

I am happy to announce that I found a couple of mistakes, and after fixing those, I am now able to connect, and stay connected. I must say, although I haven't used it that much altogether, it seems rather stable.

Thanks for all the effort, it's a unique tool, and it finally FINALLY allows me to not have a Windows box at home.
I want to send you a bottle of champagne :) Cheers Ben Re: IPSecuritas connecting to Netscreen NS25 Xauth by gr33d on 2007-10-31 18:26:19 +0100 What did you finally come up with? I'm having a similar problem creating a simple policy-based VPN between my Juniper SSG5 and a Cisco PIX 501. IKE<cisco static ip>: Received initial contact notification and removed Phase 1 SAs IKE<cisco static ip>: Received initial contact notification and removed Phase 2 SAs IKE<cisco static ip>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>. IKE<cisco static ip>: Phase 2: Initiated negotiations. IKE<cisco static ip>: Phase 1: Completed Main mode negotiations with a <28800>-second lifetime. I wasn't even getting negotiations yesterday, but these started today when I'm test pinging to bring the VPN up. Thanks in advance Re: IPSecuritas connecting to Netscreen NS25 Xauth by bence8810 on 2007-11-01 08:58:42 +0100 Hi Actually I had the PSK wrong :( I know this is such an amature mistake, but that is what I had. From your logs though, you are showing a successfull or at least very near to successful connection. Those are the exact same logs I was getting when connecting successfuly from the windows PC. I guess you can fine tune some timings, delays, and timeouts, etc. Cheers Ben IP Securitas Startup IP Securitas Startup by Tacitus on 2007-10-19 21:15:00 +0200 I run as user rather than admin. Every time I start IPSecuritas it asks for an Admin name & password. I think it does this because it is not connected to the Daemon. Is there anyway the connection can be made automaticaly or the Daemon run as a startup item? Would there be a security risk with this? I notice there are two IPSecuritas processes running already, ID 1407 and 769. They are using 0% cpu but around 8.5Mb memory. Re: IP Securitas Startup by Tacitus on 2007-10-25 08:55:53 +0200 Any help out there? Please... 
:-)

no LAN IP when connected to RV042

no LAN IP when connected to RV042 by foilpan on 2007-10-22 15:48:54 +0200
i finally got a working connection between a client's linksys RV042 (firmware 1.3.8.2) and ipsecuritas 3.1, but i don't get an IP in the LAN when connected. the linksys config is basically the defaults for a client-to-gateway setup, and the ipsecuritas config mirrors this. i've tried enabling NAT-T on both sides and NETBIOS and keepalive on the linksys. with these options enabled or disabled, i'm able to connect but can't ping or otherwise access anything on the client's LAN.

any ideas?

Re: no LAN IP when connected to RV042 by sortofdumb on 2007-10-24 14:08:50 +0200
Hello,

Have you had any luck getting this to work? I've got an RV042 as well and I'm curious to know if I can use IPSecuritas with it.

Thanks!

Re: no LAN IP when connected to RV042 by foilpan on 2007-10-30 13:40:23 +0100
[quote author=sortofdumb link=1193060934/0#1 date=1193227730]Hello, Have you had any luck getting this to work? I've got an RV042 as well and I'm curious to know if I can use IPSecuritas with it. Thanks![/quote]

no, i haven't gotten it to work, but i haven't tested much in the past week. i'll post back with an update as soon as i have one.

Re: no LAN IP when connected to RV042 by foilpan on 2007-11-13 22:04:26 +0100
has anyone gotten this to work? i'm still unsuccessful getting ipsecuritas to connect properly. many thanks for any tips.

mode_cfg not getting IP address from remote host

mode_cfg not getting IP address from remote host by farlander on 2007-10-27 00:04:04 +0200
I'm using a Juniper NetScreen SSG520 (similar to NetScreen-50 in all regards, when it comes to VPN), set up to use XAuth and Mode_Config, with "Host to Everywhere" set up.
I can log in just fine, and I can ping the remote gateway; however, I'm not getting an IP address from the remote host, and when I log into the Juniper web GUI I can see that it shows that I'm logging in from a public IP address, not from the internal IP I'm supposed to get from Mode_Config. Basically, there's no new interface created, and no aliases assigned to any of the existing ones on my Mac. When I use VPN Tracker, it creates a new point-to-point interface with an IP address from the 172.x.x.x subnet (the subnet I use for dial-up VPN connections).

Any ideas? Is this a bug in IPSecuritas or am I missing something?

m0n0wall to m0n0wall connection

m0n0wall to m0n0wall connection by wilfredoz on 2007-10-31 13:58:00 +0100
Hello,

A few weeks ago I posted a message with the subject "connection speed issue", and I discovered that the problem is that I cannot get the connection right like this (I CAN connect, but network sessions like ssh and vnc hang immediately):

computer (ipsecuritas)---->m0n0wall(ipsec)---->INTERNET---->m0n0wall(ipsec)---->computer (reversed also fails)

But this configuration works fine:

computer (ipsecuritas)----> any brand router---->INTERNET---->m0n0wall(ipsec)---->computer
computer (ipsecuritas)----> GPRS/3G via phone---->INTERNET---->m0n0wall(ipsec)---->computer

Both m0n0walls are a Soekris 4501 board with m0n0wall ver. 1.21, NATed and some basic firewall rules.

Has anyone had the same problem and come up with a solution?

Help much appreciated, thanks!

Netgear FVS124G connection problem

Netgear FVS124G connection problem by robinb on 2007-10-31 14:56:37 +0100
Hi All

I have seen this error msg posted on here, but the user then just said "sorted, thanks" without saying what they did!

I have a Netgear FVS124G and 3.1 IPSecuritas. I have followed to the letter the installation guide provided but had no success, always with the same error.
I have deleted all settings and tried again, but always the same. Here is the IPS log:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Oct 31, 13:54:51 Info APP IPSec authenticating
Oct 31, 13:54:51 Info APP IKE daemon started
Oct 31, 13:54:51 Info APP IPSec started
Oct 31, 13:54:51 Info APP Initiated connection JIA
Oct 31, 13:54:51 Error IKE Foreground mode.
Oct 31, 13:54:51 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Oct 31, 13:54:51 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Oct 31, 13:54:51 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Oct 31, 13:54:51 Info IKE Resize address pool from 0 to 255
Oct 31, 13:54:58 Info APP Initiated connection JIA
Oct 31, 13:55:05 Info APP Initiated connection JIA
Oct 31, 13:55:12 Info APP Initiated connection JIA
Oct 31, 13:55:12 Error IKE inappropriate sadb acquire message passed.
Oct 31, 13:55:17 Error IKE 87.194.169.58 give up to get IPsec-SA due to time up to wait.
Oct 31, 13:55:19 Info APP Initiated connection JIA
Oct 31, 13:55:24 Warning APP Connection JIA timed out
Oct 31, 13:55:24 Warning APP Giving up
Oct 31, 13:55:29 Info APP IPSec stopping
Oct 31, 13:55:30 Info APP IKE daemon terminated
Oct 31, 13:55:30 Info APP IPSec stopped

Anyone know what I need to do, please? I am sure it will be easy.

TIA
Robin Bateman

ipsecuritas -> FGT-60

ipsecuritas -> FGT-60 by zoomin on 2007-10-31 17:04:38 +0100
I am using Ipsecuritas 3.0 build 1693 to connect to a dozen different FGT-60s in our network. The FGT-60s are all on the same firmware: Fortigate-60 3.00,build0247,060417

The settings are exactly the same on both ends for ALL connections, save, of course, the things that must be different (networking bits).
All tunnels are established as far as Ipsecuritas is concerned; however, on just some of the FGT-60s, traffic travels from my Mac to the FGT-60 but not back again. In these cases, the FGT-60 shows *many* IPSEC connections being made in the Monitor screen:

erik_161 123.123.123.123:4500 192.168.33.220
erik_152 123.123.123.123:4500 192.168.33.220
erik_143 123.123.123.123:4500 192.168.33.220
erik_134 123.123.123.123:4500 192.168.33.220
erik_180 123.123.123.123:4500 192.168.33.220
erik_171 123.123.123.123:4500 192.168.33.220
erik_162 123.123.123.123:4500 192.168.33.220
erik_153 123.123.123.123:4500 192.168.33.220
erik_144 123.123.123.123:4500 192.168.33.220
erik_135 123.123.123.123:4500 192.168.33.220
erik_181 123.123.123.123:4500 192.168.33.220
erik_172 123.123.123.123:4500 192.168.33.220
erik_163 123.123.123.123:4500 192.168.33.220
erik_154 123.123.123.123:4500 192.168.33.220
erik_145 123.123.123.123:4500 192.168.33.220
my.name@my.domain 926 192.168.71.*
my.name@my.domain 596 192.168.71.*
my.name@my.domain 291 192.168.71.*
my.name@my.domain 2 192.168.71.*
my.name@my.domain 1552 192.168.71.*
my.name@my.domain 1264 192.168.71.*
my.name@my.domain 958 192.168.71.*
my.name@my.domain 628 192.168.71.*
my.name@my.domain 328 192.168.71.*
my.name@my.domain 35 192.168.71.*
my.name@my.domain 1583 192.168.71.*
my.name@my.domain 1296 192.168.71.*
my.name@my.domain 995 192.168.71.*
my.name@my.domain 692 192.168.71.*
my.name@my.domain 366 192.168.71.*

Any direction appreciated.

NOTE: The few tunnels that will now not pass traffic in both directions used to work, and there have been no changes to the configuration of either endpoint.

The ipsecuritas logs have a few errors in them in regards to the failing tunnels:

Error IKE inappropriate sadb acquire message passed.
Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 123.123.123.123[4500]->192.168.33.220[4500]

issue with leopard?

issue with leopard?
by spectre on 2007-10-31 18:12:53 +0100
So I got Leopard on my Macbook and had version 2.2 of IpSecuritas, and for some reason when I connected to my Netscreen VPN it would connect fine but I wouldn't have any access to the remote network. Upgraded IPSecuritas to 3.1 and imported the old connection and it worked without a hitch. Just thought I would post this in case people were having issues with the old version.

What does "inappropriate sadb acquire message" ?

What does "inappropriate sadb acquire message" ? by palouis on 2007-11-02 07:14:38 +0100
Can someone at least tell me what this cryptic response means? I have spent days trying to get IPsecuritas working with my NetGear DG834. Put me out of my misery please.

paul

Re: What does "inappropriate sadb acquire message" by robinb on 2007-11-08 21:31:27 +0100
I too have posted about this but had no reply, but just to let you know, you are not alone in having the problem.

Re: What does "inappropriate sadb acquire message" by palouis on 2007-11-09 04:37:55 +0100
Oh well, looks like VPN Tracker for me - no support is no good to me. Thanks anyway.

Re: What does "inappropriate sadb acquire message" by Forum Admin on 2007-11-09 11:58:21 +0100
Hello,

the sadb message is sent by the kernel to the IKE daemon racoon whenever a new tunnel needs to be established or when an established tunnel is about to expire. Some of these messages are not used and therefore ignored by racoon, leading to this log entry. I will remove or rename this log entry, since it seems to cause confusion.

Cheers,
Christoph

Connection becomes available - NETSCREEN 5GT

Connection becomes available - NETSCREEN 5GT by houser on 2007-11-05 13:16:54 +0100
Dear all,

Using IP Securitas 3.1 under OSX 10.5. Works fine... but the connection becomes unavailable after a while... I am connecting to a Juniper NETSCREEN 5GT and after a while, I can not connect. Restart fixes it every time..

Any idea of where to tweak a setting?

best
Janne A.
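Christoph's note in the "inappropriate sadb acquire message" thread above describes what the message is: the kernel sends a PF_KEY SADB_ACQUIRE to racoon whenever an SPD policy needs an SA that does not exist yet (or is about to expire), and racoon ignores the ones it has no use for. The Cisco PIX 501 thread further down on this page shows one such message as racoon dumps it ("get pfkey ACQUIRE message" followed by eight hex words). The decoder below is an added example written for this page; it is not code from the forum, from IPSecuritas or from racoon. It parses the RFC 2367 base header and address extensions of that dump, copes with the fact that racoon's dump was cut off after one row, and can also construct a complete ACQUIRE (SRC and DST address extensions only; a real kernel message also carries a PROPOSAL extension) so a full message can be compared with the truncated one. PF_KEY headers are in host byte order; the log came from an i386 Mac, so little-endian is assumed.

```python
"""Decode a PF_KEY v2 (RFC 2367) SADB_ACQUIRE message as racoon dumps it.

Added example; not code from the forum, from IPSecuritas or from racoon.
SAMPLE_ACQUIRE is the 32 bytes racoon printed after "get pfkey ACQUIRE
message" in the Cisco PIX 501 thread (spaces removed). Host byte order is
assumed little-endian (i386 Mac).
"""
import struct

SADB_MSG_TYPE = {1: "GETSPI", 2: "UPDATE", 3: "ADD", 4: "DELETE", 5: "GET", 6: "ACQUIRE",
                 7: "REGISTER", 8: "EXPIRE", 9: "FLUSH", 10: "DUMP"}
SADB_SATYPE = {0: "UNSPEC", 2: "AH", 3: "ESP"}
SADB_EXT = {1: "SA", 2: "LIFETIME_CURRENT", 3: "LIFETIME_HARD", 4: "LIFETIME_SOFT",
            5: "ADDRESS_SRC", 6: "ADDRESS_DST", 7: "ADDRESS_PROXY", 13: "PROPOSAL"}
AF_INET = 2

# Constructed from the dump quoted in the PIX thread (eight 32-bit words).
SAMPLE_ACQUIRE = bytes.fromhex("02060003" "14000000" "45000000" "73410000"
                               "03000500" "ff200000" "10020000" "c0a80208")


def _address(data, off):
    """struct sadb_address (8 bytes) followed by a sockaddr; tolerates a cut-off dump."""
    proto, prefixlen = struct.unpack_from("<BB", data, off + 4)
    out = {"proto": "any" if proto == 255 else proto, "prefixlen": prefixlen}
    sa = off + 8
    if sa + 8 <= len(data) and data[sa + 1] == AF_INET:        # sin_len, sin_family
        out["port"] = struct.unpack_from(">H", data, sa + 2)[0]  # sin_port is network order
        out["address"] = ".".join(str(b) for b in data[sa + 4:sa + 8])
    return out


def parse_sadb_msg(data):
    """Parse struct sadb_msg plus whatever extensions the buffer actually contains."""
    if len(data) < 16:
        raise ValueError("shorter than struct sadb_msg")
    version, mtype, errno, satype, mlen, _, seq, pid = struct.unpack_from("<BBBBHHII", data, 0)
    if version != 2:
        raise ValueError(f"unexpected PF_KEY version {version}")
    msg = {"type": SADB_MSG_TYPE.get(mtype, f"type{mtype}"), "errno": errno,
           "satype": SADB_SATYPE.get(satype, f"satype{satype}"),
           "total_len": mlen * 8,                 # sadb_msg_len counts 64-bit units
           "seq": seq, "pid": pid, "extensions": [],
           "truncated": len(data) < mlen * 8}    # racoon's dump stops after one row
    off = 16
    while off + 4 <= len(data):
        elen, etype = struct.unpack_from("<HH", data, off)
        ext = {"type": SADB_EXT.get(etype, f"ext{etype}"), "len": elen * 8}
        if etype in (5, 6, 7):
            ext.update(_address(data, off))
        msg["extensions"].append(ext)
        off += elen * 8
    return msg


def _address_ext(etype, ip):
    """Build one 24-byte sadb_address + sockaddr_in extension (for constructed samples)."""
    sockaddr = struct.pack("<BB", 16, AF_INET) + struct.pack(">H", 0) \
        + bytes(int(o) for o in ip.split(".")) + bytes(8)
    return struct.pack("<HHBBH", 3, etype, 255, 32, 0) + sockaddr


def build_acquire(src_ip, dst_ip, seq=1, pid=0):
    """A complete ESP ACQUIRE with SRC and DST address extensions (constructed, no PROPOSAL)."""
    exts = _address_ext(5, src_ip) + _address_ext(6, dst_ip)
    header = struct.pack("<BBBBHHII", 2, 6, 0, 3, (16 + len(exts)) // 8, 0, seq, pid)
    return header + exts


def acquire_summary(data):
    """One-line description of an ACQUIRE, handy when reading racoon debug logs."""
    m = parse_sadb_msg(data)
    addrs = {e["type"]: e.get("address", "?") for e in m["extensions"] if e["type"].startswith("ADDRESS")}
    tail = " (dump truncated)" if m["truncated"] else ""
    return (f"{m['type']} {m['satype']} {addrs.get('ADDRESS_SRC', '?')} -> "
            f"{addrs.get('ADDRESS_DST', '?')} seq={m['seq']}{tail}")
```

On the bytes from the PIX thread, `acquire_summary(SAMPLE_ACQUIRE)` reports an ESP ACQUIRE whose source address is 192.168.2.8 (the Mac's own address in that log) and flags that only 32 of the 160 bytes the header announces were dumped, which is why the destination is unknown. The sequence number (69) is what the kernel expects racoon to echo back when it installs the resulting SA.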
Re: Connection becomes available - NETSCREEN 5GT by Forum Admin on 2007-11-05 14:15:42 +0100
Hello Janne,

by restart you mean restarting IPSec or rebooting the computer?

Christoph

Re: Connection becomes available - NETSCREEN 5GT by houser on 2007-11-05 14:16:47 +0100
Thanx for the reply,

Sorry to be unclear, I meant rebooting the computer, as restarting IPSec does not help.

TIA and regards
Janne A.

[quote author=Forum Admin link=1194265014/0#1 date=1194268542]Hello Janne, by restart you mean restarting IPSec or rebooting the computer? Christoph[/quote]

Re: Connection becomes available - NETSCREEN 5GT by Forum Admin on 2007-11-08 09:54:48 +0100
Hello Janne,

could you please check the following? Once the connection becomes unavailable and a restart of IPSec won't re-establish it, could you run the command 'sudo ipfw list' and see if there is more than one entry?

Thanks a lot,
Christoph

Re: Connection becomes available - NETSCREEN 5GT by houser on 2007-11-08 11:40:14 +0100
I get this line when I type that:

"65535 allow ip from any to any"

sorry, not fluent in Unix...

best
Janne A.

[quote author=Forum Admin link=1194265014/0#3 date=1194512088]Hello Janne, could you please check the following? Once the connection becomes unavailable and a restart of IPSec won't re-establish it, could you run the command 'sudo ipfw list' and see if there is more than one entry? Thanks a lot, Christoph[/quote]

IPsecuritas 3.1 and Firebox X700

IPsecuritas 3.1 and Firebox X700 by chimera on 2007-11-06 22:07:43 +0100
Hi there,

I'm trying hard to set up a VPN connection to a Firebox X700. It works great with VPN-Tracker, so I duplicated the settings from VPN-Tracker.
I get the following messages in the logfile:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Nov 06, 22:03:54 Info APP IPSec authenticating
Nov 06, 22:03:54 Error APP Tunnel creation failed with errno 39
Nov 06, 22:03:54 Error APP Activation of connection test01 failed
Nov 06, 22:03:54 Info APP IKE daemon started
Nov 06, 22:03:54 Info APP IPSec started
Nov 06, 22:03:54 Info IKE Foreground mode.
Nov 06, 22:03:54 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Nov 06, 22:03:54 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Nov 06, 22:03:54 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Nov 06, 22:03:54 Info IKE Resize address pool from 0 to 255
Nov 06, 22:03:59 Info APP IPSec stopping
Nov 06, 22:04:00 Info APP IKE daemon terminated
Nov 06, 22:04:00 Info APP IPSec stopped

I did not follow the configuration instructions on Lobotomo's website, because it took a long time to get the tunnel to work with VPN-Tracker and I don't see a reason why the settings shouldn't work with IPsecuritas.

Can anybody help? Thanks!

Need Help Debugging Connection with Cisco PIX 501

Need Help Debugging Connection with Cisco PIX 501 by yodarunamok on 2007-11-07 16:52:54 +0100
Hello All,

I'm working on setting up a connection to a Cisco PIX 501, and though I've looked at the log, I'm not sure what it's telling me. Basically, I try to connect, but the attempt eventually times out. When I look at the log, I see apparently the same process repeated over and over...

[code]
Nov 05, 09:41:02 Info IKE initiate new phase 1 negotiation: 192.168.2.8[500]<=>71.216.36.206[500]
Nov 05, 09:41:02 Info IKE begin Identity Protection mode.
Nov 05, 09:41:02 Debug IKE new cookie:
Nov 05, 09:41:02 Debug IKE 444600aba4c7d84b
Nov 05, 09:41:02 Debug IKE add payload of len 52, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 20, next type 13
Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 0
Nov 05, 09:41:02 Debug IKE 348 bytes from 192.168.2.8[500] to 71.216.36.206[500]
Nov 05, 09:41:02 Debug IKE sockname 192.168.2.8[500]
Nov 05, 09:41:02 Debug IKE send packet from 192.168.2.8[500]
Nov 05, 09:41:02 Debug IKE send packet to 71.216.36.206[500]
Nov 05, 09:41:02 Debug IKE 1 times of 348 bytes message will be sent to 71.216.36.206[500]
Nov 05, 09:41:02 Debug IKE 444600ab a4c7d84b 00000000 00000000 01100200 00000000 0000015c 0d000038
Nov 05, 09:41:02 Debug IKE 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
Nov 05, 09:41:02 Debug IKE 00015180 80010005 80030001 80020002 80040001 0d000014 4a131c81 07035845
Nov 05, 09:41:02 Debug IKE 5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
Nov 05, 09:41:02 Debug IKE 439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
Nov 05, 09:41:02 Debug IKE 02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
Nov 05, 09:41:02 Debug IKE ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
Nov 05, 09:41:02 Debug IKE 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
Nov 05, 09:41:02 Debug IKE 086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014
Nov 05, 09:41:02 Debug IKE 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f
Nov 05, 09:41:02 Debug IKE 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Nov 05, 09:41:02 Debug IKE resend phase1 packet 444600aba4c7d84b:0000000000000000
Nov 05, 09:41:09 Info APP Initiated connection Nifty West
Nov 05, 09:41:09 Debug IKE get pfkey ACQUIRE message
Nov 05, 09:41:09 Debug IKE 02060003 14000000 45000000 73410000 03000500 ff200000 10020000 c0a80208
[/code]

Problems With Securitas and VPN-1 Edge X ADSL

Problems With Securitas and VPN-1 Edge X ADSL by yakuzah on 2007-11-07 21:03:25 +0100
I have just discovered this software on Macupdate and am testing it at the moment. If it works for me I would be happy to donate via Paypal, but I am experiencing some weird problems, and was wondering if anyone could help?

I am using a Checkpoint VPN-1 Edge X (Safe@office) device on a UK ADSL Broadband service and have enabled VPN on the router to allow remote access to my home network. I initially tried the "Checkpoint VPN-1" Profile using the supplied wizard, but could never get past Phase One authentication. So I thought I would try Safe@Office, and to my surprise I got a green light in the IPSecuritas Status window.

The problem is, even though I can connect, I can not ping anything through the established tunnel? If I use a windoze machine using Checkpoint Secure Client I get connected fine and can ping through the tunnel to devices on the other side, but I can not ping when using the tunnel and IPSecuritas.

Can anyone possibly advise or help? If I type netstat -rn on the command line, the right IP addresses appear to be there, just can't get connected.
I am running Leopard 10.5

Thanks
G ;)

Re: Problems With Securitas and VPN-1 Edge X ADSL by yakuzah on 2007-11-12 16:58:57 +0100
Well, no one has replied, so I guess this software does not work for me? I am looking at the routes on the Mac when a VPN is established with Securitas and then comparing them with Checkpoint under Windows, and the allocated IP address and default gateway that Securitas thinks is correct is all wrong!! I can not seem to correct the route entries either, so I am stuck with a working tunnel with no IP connectivity...

Oh well, guess I will have to wait for Xmas 2020 for Checkpoint to release their client... :(

Openswan Connection fails

Openswan Connection fails by gerritche on 2007-11-08 11:58:25 +0100
Hello there,

I'm trying unsuccessfully to connect with Version 3.x to a FreeSWAN/openSWAN Gateway. Version 2.1 works beautifully, and importing the details into 3.x succeeds, but the connection fails. IPSecuritas claims a collision of local host and remote network addresses and refuses to start a connection. The firewall admin doesn't find any connection attempts in his logs.

In "Firewalladdress" I enter the address of the IPSec Gateway. In "Local IP for Host" I enter the address I got from the administrator of the VPN Gateway. In "Remote Network" I set 10.0.0.0/8. IPSecuritas seems to be unhappy with these settings, though they work fine in the older version.

Any ideas?

Best regards :)
Gerrit

Re: Openswan Connection fails by Forum Admin on 2007-11-08 13:01:52 +0100
Hello Gerrit,

enabling the option 'Local IP in remote network' should resolve this issue.

Hope this helps,
Christoph

Tunnelling from DrayTek Vigor to Sonicwall Pro

Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-09 19:12:48 +0100
Hi,

I've got IPSecuritas set up on my MacBook to connect to one of my clients' VPNs, which is hosted on a Sonicwall Pro 2040. I generally have no problems accessing the 2040.
However, I often encounter intermittent problems when my MacBook is behind a DrayTek Vigor 2910 router. What seems to happen is the VPN tunnel, for some reason, cannot be re-established at some point; then I have to actually stop the VPN in IPSecuritas, wait at least 15 minutes, then try connecting again. Sometimes it works, sometimes it doesn't. Rebooting the DrayTek seems to do the trick, but this is obviously not an ideal solution since that affects everyone in our office. We are running the latest DrayTek firmware for this model (3.1.0.1).

I realize this sounds like an issue with the DrayTek router, but has anyone else encountered this problem before? I haven't found any configuration options in the DrayTek web interface that might be causing these problems...

Thanks in advance!

Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-09 23:44:23 +0100
I was able to reproduce this condition just now. Here is a snippet of the debug log if it helps:

Nov 09, 17:36:17 Info IKE initiate new phase 1 negotiation: 192.168.1.112[500]<=>xxx.xxx.xxx.xxx[500]
Nov 09, 17:36:17 Info IKE begin Aggressive mode.
Nov 09, 17:36:17 Debug IKE new cookie:
Nov 09, 17:36:17 Debug IKE 33b733c8f62a4ebe
Nov 09, 17:36:17 Debug IKE use ID type of IPv4_address
Nov 09, 17:36:17 Debug IKE compute DH's private.
Nov 09, 17:36:17 Debug IKE 4b4e15df b841bd78 d8b4ea02 f8612e55 906bafe6 3e56b3ba afcb2090 f2a5db7d
Nov 09, 17:36:17 Debug IKE ac6a2312 bde6c528 9ca12ee2 b3a29284 6f16b16d 165807f2 c7daee43 ad5ff4d5
Nov 09, 17:36:17 Debug IKE 7d52a343 df805b3b 733de06a f4352bef 0e7c71a0 2d8fdfa2 f02ae55a 97ecb912
Nov 09, 17:36:17 Debug IKE 748c3244 fba8af07 b8092555 5f355a16 5f64d545 efc078eb ff50e35a d5498311
Nov 09, 17:36:17 Debug IKE compute DH's public.
Nov 09, 17:36:17 Debug IKE 2ddd8cc6 8a74e8bd 706967d9 190e8b8b 2304340f a60bfc7f 13921143 d3b2cc0b
Nov 09, 17:36:17 Debug IKE 5c8c298c c8a3de89 75808fc7 2a334099 26d3bbbb 5916caf0 db95c838 4be219b8
Nov 09, 17:36:17 Debug IKE 9abc94c1 1cd42aee 19394d40 f7cd1fa3 ec374bb3 0cb35396 8e5838b0 455c4d2c
Nov 09, 17:36:17 Debug IKE de2068b0 b1907a53 c4e3db8f c7811f77 ba7801a5 0490bb63 965a7a1c 0ff974f6
Nov 09, 17:36:17 Debug IKE authmethod is pre-shared key
Nov 09, 17:36:17 Debug IKE add payload of len 48, next type 4
Nov 09, 17:36:17 Debug IKE add payload of len 128, next type 10
Nov 09, 17:36:17 Debug IKE add payload of len 16, next type 5
Nov 09, 17:36:17 Debug IKE add payload of len 8, next type 13
Nov 09, 17:36:17 Debug IKE add payload of len 16, next type 0
Nov 09, 17:36:17 Debug IKE 264 bytes from 192.168.1.112[500] to xxx.xxx.xxx.xxx[500]
Nov 09, 17:36:17 Debug IKE sockname 192.168.1.112[500]
Nov 09, 17:36:17 Debug IKE send packet from 192.168.1.112[500]
Nov 09, 17:36:17 Debug IKE send packet to xxx.xxx.xxx.xxx[500]
Nov 09, 17:36:17 Debug IKE 1 times of 264 bytes message will be sent to xxx.xxx.xxx.xxx[500]
Nov 09, 17:36:17 Debug IKE 33b733c8 f62a4ebe 00000000 00000000 01100400 00000000 00000108 04000034
Nov 09, 17:36:17 Debug IKE 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
Nov 09, 17:36:17 Debug IKE 80010005 80030001 80020002 80040002 0a000084 2ddd8cc6 8a74e8bd 706967d9
Nov 09, 17:36:17 Debug IKE 190e8b8b 2304340f a60bfc7f 13921143 d3b2cc0b 5c8c298c c8a3de89 75808fc7
Nov 09, 17:36:17 Debug IKE 2a334099 26d3bbbb 5916caf0 db95c838 4be219b8 9abc94c1 1cd42aee 19394d40
Nov 09, 17:36:17 Debug IKE f7cd1fa3 ec374bb3 0cb35396 8e5838b0 455c4d2c de2068b0 b1907a53 c4e3db8f
Nov 09, 17:36:17 Debug IKE c7811f77 ba7801a5 0490bb63 965a7a1c 0ff974f6 05000014 ec6a0571 16d9677d
Nov 09, 17:36:17 Debug IKE f1e0ee58 300bb493 0d00000c 011101f4 c0a80170 00000014 afcad713 68a1f1c9
Nov 09, 17:36:17 Debug IKE 6b8696fc 77570100
Nov 09, 17:36:17 Debug IKE resend phase1 packet 33b733c8f62a4ebe:0000000000000000
...
Nov 09, 17:36:31 Info APP Initiated connection HTC

Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-15 16:59:34 +0100
FWIW, ever since I assigned a static (internal) IP address for my MacBook to the DrayTek router a couple of days ago, I've not seen a recurrence of this problem. *crosses fingers* If this is the solution, then I hope it helps someone out!

Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-19 16:21:00 +0100
Just a followup: I thought this "solution" was working, but it is no longer. :'( Nobody can offer any clues?

Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-23 09:03:36 +0100
Well, in case this helps anyone, downgrading the firmware from 3.1.2 to 3.0.7 appears to have at least temporarily solved my VPN issues. In fact, since upgrading to the 3.1.2 version that was released a couple of days ago, I had been completely unable to use my VPN. IPSecuritas would show a green light as if everything was okay, but no traffic was going through the VPN. However, in the last few hours since I've downgraded the firmware, all seems okay so far...

Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by racoon on 2007-11-23 10:57:02 +0100
Where can you download the archived version from?

Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-23 18:31:04 +0100
[quote author=racoon link=1194631968/0#5 date=1195811822]Where can you download the archived version from?[/quote]

Click the "more edition" link in the bottom left corner of the "Firmware of Vigor 2910..." box [url]http://www.draytek.com/support/download/Vigor2910.php#Firmware[/url]. It'll take you to their FTP site where they store previous versions of the firmware.
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by wailaki on 2007-11-27 21:21:50 +0100
Derek,

I work for SonicWALL and we have a customer needing expert help with ipsecuritas connecting to a similar SonicWALL Pro Model. What version of SonicOS are you running (version # and Standard vs. Enhanced)?

Thanks in advance.

Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-28 17:54:38 +0100
[quote author=wailaki link=1194631968/0#7 date=1196194910]Derek, I work for SonicWALL and we have a customer needing expert help with ipsecuritas connecting to a similar SonicWALL Pro Model. What version of SonicOS are you running (version # and Standard vs. Enhanced)? Thanks in advance.[/quote]

Hi,

We are running SonicOS Enhanced 3.2.3.0-6e.

FYI, since downgrading our Draytek's firmware as previously mentioned, I have had no further connection issues to our Sonicwall.

FYI #2: I never had any issues connecting to our Sonicwall through my Linksys router at home.

Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by wailaki on 2007-11-28 18:19:29 +0100
Thanks Derek. I'll search upthread, but I believe you had this working with NAT-Traversal enabled on the ipsecuritas side?

Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-28 18:30:57 +0100
[quote author=wailaki link=1194631968/0#9 date=1196270369]Thanks Derek. I'll search upthread, but I believe you had this working with NAT-Traversal enabled on the ipsecuritas side?[/quote]

NAT-Traversal never made a difference either way. When it was working (including now), it was working with or without NAT-T enabled. When it wasn't working, enabling NAT-T didn't make a difference..

Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by wailaki on 2007-11-28 18:41:35 +0100
Thanks Derek. PM me with your account on www.mysonicwall.com and I'll give you a gift for your efforts.
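Two of the debug logs on this page (yodarunamok's Cisco PIX 501 post and DerekF's post in this DrayTek thread) contain the first Phase 1 packet racoon sent, dumped as eight 32-bit words per line right after the "N bytes message will be sent" line. Those bytes are the plain ISAKMP wire format, and reading them is often quicker than guessing from the surrounding messages: the header's exchange-type byte (0x02 Identity Protection, 0x04 Aggressive) and length (0x15c = 348, 0x108 = 264) match the text lines, the SA payload carries the proposal racoon was configured with, each 0d000014 block is a vendor ID, and in aggressive mode the ID payload carries the initiator's identity in the clear. The decoder below is an added example written for this page, not code from the forum, from IPSecuritas or from racoon; the two packets are the ones quoted above, re-joined from racoon's row format. The vendor ID table lists only the three IDs I am certain of (RFC 3947 NAT-T, DPD and the FRAGMENTATION ID racoon sends when ike_frag is on); every other VID is reported as unknown rather than guessed. Two things a defender should take from the dumps: a first Phase 1 message is never encrypted, so everything decoded here is visible to anyone on the path, and racoon's Debug level also prints the DH private value ("compute DH's private"), so a debug log from a live session is sensitive and should be shared as Christoph asks, to the maintainer, not posted whole.

```python
"""Decode the IKEv1 (ISAKMP) Phase 1 packets that racoon prints as hex in its debug log.

Added example; not code from the forum posts, IPSecuritas or racoon. MAIN_MODE is the
348-byte packet from the Cisco PIX 501 thread, AGGRESSIVE the 264-byte packet from
DerekF's DrayTek post, each re-joined from racoon's eight-words-per-line dump.
"""
import struct

EXCHANGE = {2: "Identity Protection (main mode)", 4: "Aggressive", 5: "Informational", 32: "Quick mode"}
PAYLOAD = {1: "SA", 4: "KE", 5: "ID", 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
           11: "N", 12: "D", 13: "VID", 20: "NAT-D", 21: "NAT-OA"}
# Phase 1 attributes per RFC 2409 appendix A; XAuth/Hybrid values per draft-ietf-ipsec-isakmp-xauth-06.
ATTR = {1: "encryption", 2: "hash", 3: "auth_method", 4: "dh_group", 11: "life_type", 12: "life_duration"}
NAMES = {"encryption": {1: "DES", 5: "3DES", 7: "AES"}, "hash": {1: "MD5", 2: "SHA1"},
         "auth_method": {1: "pre-shared key", 3: "RSA signatures", 64221: "Hybrid RSA (initiator)",
                         65001: "XAuth PSK (initiator)", 65005: "XAuth RSA (initiator)"},
         "dh_group": {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"},
         "life_type": {1: "seconds", 2: "kilobytes"}}
VENDOR = {"4a131c81070358455c5728f20e95452f": "RFC 3947 NAT-T",   # only IDs I am sure of;
          "afcad71368a1f1c96b8696fc77570100": "DPD",              # everything else is "unknown"
          "4048b7d56ebce88525e7de7f00d6c2d3": "IKE fragmentation"}

MAIN_MODE = bytes.fromhex("""444600ab a4c7d84b 00000000 00000000 01100200 00000000 0000015c 0d000038
00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004
00015180 80010005 80030001 80020002 80040001 0d000014 4a131c81 07035845
5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014
439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f
02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e
ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56
0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e
086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014
4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f
00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100""")
AGGRESSIVE = bytes.fromhex("""33b733c8 f62a4ebe 00000000 00000000 01100400 00000000 00000108 04000034
00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080
80010005 80030001 80020002 80040002 0a000084 2ddd8cc6 8a74e8bd 706967d9
190e8b8b 2304340f a60bfc7f 13921143 d3b2cc0b 5c8c298c c8a3de89 75808fc7
2a334099 26d3bbbb 5916caf0 db95c838 4be219b8 9abc94c1 1cd42aee 19394d40
f7cd1fa3 ec374bb3 0cb35396 8e5838b0 455c4d2c de2068b0 b1907a53 c4e3db8f
c7811f77 ba7801a5 0490bb63 965a7a1c 0ff974f6 05000014 ec6a0571 16d9677d
f1e0ee58 300bb493 0d00000c 011101f4 c0a80170 00000014 afcad713 68a1f1c9
6b8696fc 77570100""")


def _attributes(buf):
    """ISAKMP data attributes: TV (high bit set, 2-byte value) or TLV (value length follows)."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        af_type, val = struct.unpack_from(">HH", buf, off)
        name = ATTR.get(af_type & 0x7FFF, f"attr{af_type & 0x7FFF}")
        if af_type & 0x8000:
            attrs[name], off = val, off + 4
        else:
            attrs[name], off = int.from_bytes(buf[off + 4:off + 4 + val], "big"), off + 4 + val
    return {k: NAMES[k].get(v, f"{k} {v}") if k in NAMES else v for k, v in attrs.items()}


def _sa(body):
    """SA payload body: DOI, situation, then proposals, each a chain of transforms."""
    proposals, off = [], 8
    while off + 8 <= len(body):
        _, _, plen, pnum, proto, spi_size, ntrans = struct.unpack_from(">BBHBBBB", body, off)
        transforms, toff = [], off + 8 + spi_size
        for _ in range(ntrans):
            tlen = struct.unpack_from(">H", body, toff + 2)[0]
            transforms.append(_attributes(body[toff + 8:toff + tlen]))
            toff += tlen
        proposals.append({"number": pnum, "protocol": proto, "transforms": transforms})
        off += plen
    return proposals


def parse_isakmp(pkt):
    """Walk the ISAKMP header and payload chain; raises if the lengths do not add up."""
    icookie, rcookie, nxt, ver, xchg, _flags, _msgid, length = struct.unpack_from(">8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError(f"header says {length} bytes, buffer has {len(pkt)}")
    payloads, off = [], 28
    while nxt != 0:
        nnxt, _, plen = struct.unpack_from(">BBH", pkt, off)
        body = pkt[off + 4:off + plen]
        entry = {"type": PAYLOAD.get(nxt, f"type{nxt}"), "len": plen}
        if nxt == 1:
            entry["proposals"] = _sa(body)
        elif nxt == 4:
            entry["dh_public_bits"] = len(body) * 8
        elif nxt == 5:  # ID payload: id type, protocol, port, identity data (cleartext)
            id_type, proto, port = struct.unpack_from(">BBH", body, 0)
            ident = ".".join(map(str, body[4:8])) if id_type == 1 else body[4:].decode("latin-1")
            entry.update(id_type=id_type, protocol=proto, port=port, id=ident)
        elif nxt == 13:
            entry["vendor"], entry["vid"] = VENDOR.get(body[:16].hex(), "unknown"), body.hex()
        payloads.append(entry)
        off, nxt = off + plen, nnxt
    if off != length:
        raise ValueError("payload chain does not end at the packet length")
    return {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(), "length": length,
            "version": f"{ver >> 4}.{ver & 0xF}", "exchange": EXCHANGE.get(xchg, f"type{xchg}"),
            "payloads": payloads}


def cleartext_identity(parsed):
    """Identity the first packet reveals: set in aggressive mode, None in main mode."""
    return next((p["id"] for p in parsed["payloads"] if p["type"] == "ID"), None)
```

Decoding MAIN_MODE gives one proposal (3DES, SHA1, pre-shared key, modp768, 86400-second lifetime) followed by thirteen vendor IDs, three of which the table recognises; the 0d000018 block is the fragmentation ID with racoon's 80000000 capability word appended. AGGRESSIVE decodes to SA, KE (a 1024-bit modp1024 public value), NONCE, ID and one VID, and the ID payload is the initiator's own address 192.168.1.112 with protocol 17 and port 500, which is exactly what "use ID type of IPv4_address" announced a few lines earlier. The auth_method table also names the XAuth and Hybrid values, so the same decoder shows whether a peer proposed certificate-based XAuth (65005) or hybrid mode (64221), the distinction Daniel's racoon.conf thread below turns on.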
Not connecting in Leopard

Not connecting in Leopard by syber on 2007-11-12 02:51:47 +0100
I did a clean install of Leopard and used Export/Import to copy my configuration from Tiger, and now it seems that Ipsecuritas no longer connects to my VPN. It says that the connection times out. However, it seems to time out long before the set timeout (in seconds). Phase 1 is supposed to time out in 360 seconds.

Log

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Nov 11, 20:48:38 Info APP Smart Environment Detection enabled
Nov 11, 20:48:39 Info APP IKE daemon started
Nov 11, 20:48:39 Info APP IPSec starting
Nov 11, 20:48:39 Info APP Smart Environment Detection: Start
Nov 11, 20:48:39 Error IKE Foreground mode.
Nov 11, 20:48:39 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Nov 11, 20:48:39 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Nov 11, 20:48:39 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Nov 11, 20:48:39 Info IKE Resize address pool from 0 to 255
Nov 11, 20:48:39 Info APP Initiated connection Office
Nov 11, 20:48:39 Error IKE inappropriate sadb acquire message passed.
Nov 11, 20:48:46 Info APP Initiated connection Office
Nov 11, 20:48:53 Info APP Initiated connection Office
Nov 11, 20:49:00 Info APP Initiated connection Office
Nov 11, 20:49:00 Error IKE inappropriate sadb acquire message passed.
Nov 11, 20:49:07 Info APP Initiated connection Office
Nov 11, 20:49:09 Error IKE phase1 negotiation failed due to time up. 7ce6c32f663c8b06:0000000000000000
Nov 11, 20:49:10 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500]
Nov 11, 20:49:14 Info APP Initiated connection Office
Nov 11, 20:49:17 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500]
Nov 11, 20:49:21 Info APP Initiated connection Office
Nov 11, 20:49:21 Error IKE inappropriate sadb acquire message passed.
Nov 11, 20:49:24 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500]
Nov 11, 20:49:28 Info APP Initiated connection Office
Nov 11, 20:49:31 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500]
Nov 11, 20:49:35 Info APP Initiated connection Office
Nov 11, 20:49:38 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500]
Nov 11, 20:49:42 Warning APP Connection Office timed out
Nov 11, 20:49:42 Warning APP Giving up
Nov 11, 20:49:45 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500]
Nov 11, 20:49:52 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500]
Nov 11, 20:49:59 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500]
Nov 11, 20:50:06 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500]

Re: Not connecting in Leopard by syber on 2007-11-12 18:56:13 +0100
I've confirmed that this issue only exists when connecting via WLAN. Connecting via WLAN on my macbook works fine but not on my macbook pro.

Re: Not connecting in Leopard by planetzeos on 2007-12-12 18:10:52 +0100
We've duplicated the same issue. Same cert on Tiger and Leopard. Same configuration on fresh installs of Tiger and Leopard.

Tiger connects using wifi. Leopard does not connect using wifi -- it times out on phase1 from the log.

Checkpoint VPN-1 with Certificates on macbook pro's

Re: Not connecting in Leopard by cottard on 2008-01-31 15:35:07 +0100
I've also run across this issue: Leopard and Wifi.
Currently forced to run Windows XP in Parallels and connect with Checkpoint SecureClient - as I share a connection with my neighbours via Wifi. I'm really looking forward to using IPSecuritas (free, vendor-agnostic) to connect to my work VPN!

Re: Not connecting in Leopard by jrsharp on 2008-08-08 18:25:51 +0200
Can anyone comment on the current status of this issue?

XAuth + RSA mutual authentication

XAuth + RSA mutual authentication by Daniel on 2007-11-14 21:57:30 +0100
Hey guys,

I'm trying to set up IPSecuritas 3.1 to connect to our corporate Netscreen SSG140 firewall. Mutual authentication with RSA certificates works like a charm. However, when I try to add XAuth I run into an issue. It seems like IPSecuritas doesn't support XAuth with RSA mutual authentication? Unfortunately, hybrid mode is not supported by Netscreen, and I really like the thought of using certificates (we already have our own company-wide PKI).

On the ID page I've got the following selected:
- Local ID: certificate
- Remote ID: certificate
- Authentication method: XAuth RSA

The GUI seems to accept this selection, even though I'm unable to select my local and peer certificate. The debug log shows:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Nov 14, 21:54:59 Debug APP State change from IDLE to AUTHENTICATING after event START
Nov 14, 21:54:59 Info APP IPSec authenticating
Nov 14, 21:54:59 Info APP IKE daemon started
Nov 14, 21:54:59 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER
Nov 14, 21:54:59 Info APP IPSec started
Nov 14, 21:54:59 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Nov 14, 21:54:59 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Nov 14, 21:54:59 Info IKE Foreground mode.
Nov 14, 21:55:00 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Nov 14, 21:55:00 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Nov 14, 21:55:00 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Nov 14, 21:55:00 Info IKE Resize address pool from 0 to 255
Nov 14, 21:55:00 Error IKE /Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf:55: "}" ASN1 ID not specified and no CERT defined!
Nov 14, 21:55:00 Error IKE
Nov 14, 21:55:00 Error IKE fatal parse failure (1 errors)
Nov 14, 21:55:00 Error IKE racoon: failed to parse configuration file.
Nov 14, 21:55:00 Info APP IKE daemon terminated
Nov 14, 21:55:00 Debug APP State change from RUNNING to IDLE after event RECONFIGURE
Nov 14, 21:55:00 Info APP IPSec terminated
Nov 14, 21:55:00 Debug APP Received SADB message type X_SPDDELETE - not interesting
Nov 14, 21:55:00 Debug APP Received SADB message type X_SPDDELETE - not interesting
Nov 14, 21:55:00 Debug APP Received SADB message type X_SPDFLUSH - not interesting
Nov 14, 21:55:00 Debug APP Received SADB message type FLUSH
Nov 14, 21:55:00 Debug APP SA change detected

Re: XAuth + RSA mutual authentication by Daniel on 2007-11-15 22:19:06 +0100
I did some more diggin' on this and it seems the generated config is indeed for XAuth + RSA hybrid authentication. Part of the /Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf file:

# Connection "test"
remote X.X.X.X {
    verify_cert on;
    verify_identifier on;
    initial_contact on;
    passive off;
    support_proxy off;
    generate_policy off;
    verify_cert on;
    send_cert on;
    send_cr on;
    mode_cfg off;
    ike_frag off;
    doi ipsec_doi;
    situation identity_only;
    nat_traversal on;
    exchange_mode main;
    proposal_check obey;
    nonce_size 16;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    xauth_login "daniel";
    proposal {
        lifetime time 28800 seconds;
        encryption_algorithm aes 128;
        hash_algorithm sha1;
        authentication_method hybrid_rsa_client;   <=== the GUI needs to change this to xauth_rsa_client
        dh_group modp1024;
    }
}

It does seem that the version of racoon IPSecuritas uses already supports XAuth + RSA mutual authentication:

bash-3.2# strings /Applications/IPSecuritas.app/Contents/Resources/racoon | grep xauth_rsa
xauth_rsa_server
xauth_rsa_client

Sooo, any chance you guys can add this option to the GUI? Shouldn't be too hard to add, no? :) Thanks.

Re: XAuth + RSA mutual authentication by Daniel on 2007-11-15 22:20:01 +0100
And of course the GUI needs to add the "certificate_type" parameter to the above config :)

Re: XAuth + RSA mutual authentication by Forum Admin on 2007-11-16 10:35:50 +0100
Hi Daniel, thank you very much for your investigation. I will have a look at racoon and what's possible. Cheers, Christoph

Re: XAuth + RSA mutual authentication by Forum Admin on 2007-11-16 21:20:22 +0100
Hello Daniel, done - do you want to test it? Cheers, Christoph

Re: XAuth + RSA mutual authentication by Daniel on 2007-11-19 22:23:06 +0100
Hell yeah! If you drop me an email where I can download it, I'd be more than happy to give it a shot! :)

Re: XAuth + RSA mutual authentication by markguz on 2007-11-26 11:48:41 +0100
Hi there, we're also using XAuth-RSA with Netscreen ISG2000s. I wonder if it would be possible to have access to this test version you mention here to test against our setup, as we are very keen to start using this software. Kind regards, Mark Guz, RIPE NCC, http://www.ripe.net

Re: XAuth + RSA mutual authentication by Forum Admin on 2007-11-26 22:54:28 +0100
Hello, a preview version of 3.1.1 is available from http://www.lobotomo.com/products/downloads/IPSecuritas311p1.dmg. Please report any problems (and successes too, please) to lobotomo@lobotomo.com. Cheers, Christoph

Re: XAuth + RSA mutual authentication by markguz on 2007-11-29 14:36:29 +0100
Hi there, this preview version is a step closer to working with our setup.
However, closer inspection of our VPN Tracker configuration shows that we are using Certificates + XAuth. At present there doesn't seem to be an option for this within IPSecuritas, or the racoon version underneath it. Is this a hard change or an easy change to implement? Thanks for your support so far, guys. Cheers, Mark Guz, RIPE NCC, http://www.ripe.net

FVS318 setup by kamikaze2112 on 2007-11-20 16:42:53 +0100
I purchased an FVS318 V1 (running the 2.4 firmware) to use on my home network so I can securely access my files and use VNC, but I can't seem to get it working with IPSecuritas. This is way more complicated than I was expecting. Here's all the info that I think is relevant: I'm using DSL with a dynamic IP; however, I am using a DDNS service and it's set up and working properly. DDNS hostname is kiddt.homeip.net. My LAN is 10.1.35.0. The computer that I will be using to connect to the VPN is behind a NAT router and all the VPN protocols are allowed for pass-through. I'm not sure what other info is necessary, but whatever is needed to get this working I'll try my best to provide. Thanks in advance.

Re: FVS318 setup by bstender on 2007-11-29 01:46:57 +0100
Wish I had an answer for you, because it would be because I had successfully solved the identical problem. Well, same box and same software; after that it is a very large set of variables. Waaaaaay too complicated for 2007, it seems to me. Last time I faced this (2 yrs ago) I ended up buying VPN Tracker and I was up and running in no time. I would do that now, but VPN Tracker isn't ready for Leopard yet, so I'm trying again to make it work. Sigh. I used to enjoy these challenges, but I'm getting too old to watch my life drain away for this! But it is really cool that this product exists and gives me a fighting chance. An amazing amount of effort and a nice looking piece of software. Is this thing all volunteer? -newbie bill

MODE_CFG not working?
by gswallow on 2007-11-20 17:49:56 +0100
Hi, I just got started with IPSecuritas today, in response to my Checkpoint not working in Leopard. Everything seems to go peachy with IPSecuritas, save for "Office Mode"/MODE_CFG. My Checkpoint firewall reports that I've authenticated using my certificate (!! -- nice job!), then reports that I've gone successfully through IKE quick mode, and hands off SAs. According to my firewall, I'm in. However, I try to initiate TCP connections and I see rejects with source = IP address of my laptop (not the Office Mode address). Also, the connection beacon for my connection goes green, but the logs window reports that Phase 2 failed due to a Phase 1 timeout. I've tried this using DHCP for my wireless setup, and using a static IP address as I've seen some people suggest. I also looked at the files in /Library/Application Support/Lobotomo... but they appear to be volatile, disappearing when I start / stop IPSec connections. Any ideas? I'd be more than willing to test / report issues.

Re: MODE_CFG not working? by Daniel on 2007-11-20 19:01:45 +0100
Once connected, open up Terminal and type 'ifconfig gif0'. This should be your 'virtual' tunnel interface with the IP address you received through mode_cfg.

Re: MODE_CFG not working? by gswallow on 2007-11-20 22:48:33 +0100
dhcp-88:~ gswallow$ ifconfig gif0
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

That's it. I get plenty of these with tcpdump:

16:49:01.013330 IP 172.16.42.88 > vpn.xxx.com: ESP(spi=0x734cd09f,seq=0x41), length 124
16:49:01.128750 IP 172.16.42.88 > vpn.xxx.com: ESP(spi=0x734cd09f,seq=0x42), length 124

I also get plenty of rejects on my firewall from connection attempts from my original address. The tunnel's coming up, but gif0 isn't being assigned an IP address?

Re: MODE_CFG not working? by racoon on 2007-11-22 10:11:48 +0100
Has anyone resolved this issue, as I'm getting the same problems. No IP being assigned to the adapter!! gif0

Re: MODE_CFG not working?
by phila on 2007-11-24 23:05:57 +0100
Same problem here. 10.5.1 and a Checkpoint firewall on the other side.

Re: MODE_CFG not working? by gswallow on 2007-11-26 15:49:12 +0100
Hey again, I'm on the verge of downgrading OS X back to 10.4.x since I can't do critical things out of the office, like manage my servers. Any chance someone is looking at this issue, first? Thanks.

Re: MODE_CFG not working? by Forum Admin on 2007-11-26 17:20:56 +0100
Hello, could you please send me an IPSecuritas log with the log level set to Debug to lobotomo@lobotomo.com? It seems that MODE_CFG is never run or fails. Cheers, Christoph

Repair Permissions deleted config? by starlir on 2007-11-21 07:55:41 +0100
Been using V3 for a number of months and recently upgraded to Leopard with no problems. Yesterday decided to do a Repair Permissions for the first time; afterwards my IPSecuritas config had completely disappeared, including my certificate in certificate manager. I was able to reimport the config from V2.x. I cannot be certain that Repair Permissions has caused this problem, but the coincidence is suspicious and I don't see what else could have deleted the config.

D-Link DFL-1600 by Gunverth on 2007-11-29 12:08:45 +0100
Hi all! I've been trying IPSecuritas on a DFL-1600 for a couple of days now. No success! VPN Tracker works fine with the included DFL-800 preset. Anybody out there with fresh ideas what to try next in the IPSecuritas config? XAUTH is mandatory. Unfortunately I'm not in the position to manage the firewall itself. Just using it.

Openswan with transport mode by rmoore on 2007-12-01 00:21:16 +0100
I am connecting to a Linux server running Openswan in transport mode. Upgrading the client from Tiger to Leopard broke that connection, which led me to try IPSecuritas.
At first, this didn't work either; I would always get the red status indicator for the connection, even though I set it for a transport connection and matched settings, parameter for parameter, with the host computer. I found that switching the connection from a host-to-host transport connection to a host-to-anywhere connection caused the status indicator to go yellow, indicating partial progress towards a connection, but still no dice. I noticed that the psk.txt file generated by IPSecuritas was empty, even though I specified a preshared key. Finally, after playing with every other option, I switched back to a host-to-host connection. Strangely, the check box to select a transport mode connection was gone. However, equally strangely, the connection was working! So now I'm happy, but does anybody know what happened there?

One other comment. When I boot up and log in, the IPSecuritas button is in the menu bar, but I have to manually start the connection. Is there any way to make it start automatically?

Re: Openswan with transport mode by rmoore on 2007-12-10 17:59:16 +0100
I should report that the problem of not having the connection automatically established on login seems to have gone away on its own. However, after getting IPSecuritas working on our Leopard machine, I decided to try it on our other MacBook, which is still running Tiger. By setting it up field for field to match the Leopard configuration, I couldn't get a connection to my Openswan server no matter how many times I tried. Then I exported the configuration from the Leopard MacBook and imported it on the Tiger MacBook, and now both are working. It's troubling that I was only able to get this configuration working on Tiger by importing from Leopard, and that I was only able to get it working on Leopard by sheer luck. On the plus side, both systems seem to be stable now.
Next I will try comparing the outputs from "setkey -P -D" resulting from a manual configuration and from the imported configuration, and if I see any interesting differences I will post those here.

RV042 - any successful connections? by pbrommer@gmail.com on 2007-12-04 18:35:57 +0100
Has anyone been able to successfully connect to the Linksys RV042? I just made the switch to Apple, and was used to the luxury of the Linksys QuickVPN client. Does anyone have *detailed* instructions for configuring both sides to make this work? Firmware 1.3.8.2. I found a couple of other posts via Google, but had no success after following instructions, including this post - http://www.linksysinfo.org/forums/showthread.php?t=49879. I'm probably missing a couple of extra details I should know about, but don't, unfortunately. Thanks so much for any help. Paul

WG Fireware Pro with IPSecuritas and SecurID (RSA) by gorstein on 2007-12-11 12:29:33 +0100
Trying to get this combination to work, but still no success. Here is a doc on how to set it up: http://www.lobotomo.com/products/IPSecuritas/howto/WatchGuard%20Firebox%20HOWTO.pdf

But if I set it up like that I cannot use XAuth (at least not in any way I can figure out). OK, then I try to set it up the "normal way", like the way you set up a VPN client in this box, and now I have a problem with authentication of the client (see below; IPs are changed):

2007-12-11 10:54:31 iked WARNING: Rejected phase 1 aggressive mode from 100.5.33.196 to 100.5.33.212 (no matching policy) cookies i=eab20266 65142077 r=00000000 00000000
2007-12-11 10:54:31 iked Searching ID: user domain - myData [vpn] peerId [vpn_mu]
2007-12-11 10:54:31 iked Searching ID: user domain - myData [vpn_mu] peerId [vpn_mu]
2007-12-11 10:54:31 iked ike_match_proxy_id: peer ID type (0) not supported 5
2007-12-11 10:54:31 iked CreateIsakmpSA : get rasUserGroupId=3

Look at: "peer ID type (0) not supported 5".
And: "The MUVPN on Fireware expects the client software to use Full qualified Username as the ID of the Client, the remote ID (Firebox) is IP Address." So how do I tell IPSecuritas to use "Full qualified Username as the ID"; is it possible? Any answer welcome. Best regards, Goran

Problem with IPSecuritas "Full qualified Username" by gorstein on 2007-12-13 08:47:35 +0100
Trying again with another topic :-) Guess my old thread was misleading: WG Fireware Pro with IPSecuritas and SecurID (RSA), 11. Dec 2007 at 12:29.

Trying to get this combination to work, but still no success. Here is a doc on how to set it up: http://www.lobotomo.com/products/IPSecuritas/howto/WatchGuard%20Firebox%20HOWTO.pdf

But if I set it up like that I cannot use XAuth (at least not in any way I can figure out). OK, then I try to set it up the "normal way", like the way you set up a VPN client in this box, and now I have a problem with authentication of the client (see below; IPs are changed):

2007-12-11 10:54:31 iked WARNING: Rejected phase 1 aggressive mode from 100.5.33.196 to 100.5.33.212 (no matching policy) cookies i=eab20266 65142077 r=00000000 00000000
2007-12-11 10:54:31 iked Searching ID: user domain - myData [vpn] peerId [vpn_mu]
2007-12-11 10:54:31 iked Searching ID: user domain - myData [vpn_mu] peerId [vpn_mu]
2007-12-11 10:54:31 iked ike_match_proxy_id: peer ID type (0) not supported 5
2007-12-11 10:54:31 iked CreateIsakmpSA : get rasUserGroupId=3

Look at: "peer ID type (0) not supported 5". And: "The MUVPN on Fireware expects the client software to use Full qualified Username as the ID of the Client, the remote ID (Firebox) is IP Address." So how do I tell IPSecuritas to use "Full qualified Username as the ID"; is it possible?
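The Firebox log above rejects the client on the type of identity it sent, and the WatchGuard text asks for a "fully qualified username" (user@domain), which in IKEv1 terms is the ID_USER_FQDN identifier type of RFC 2407; in racoon that is `my_identifier user_fqdn "user@domain";` rather than the address or asn1dn identifiers seen elsewhere in this forum. The following is an added example, not code from the thread, from IPSecuritas or from WatchGuard: it encodes and decodes the IKEv1 Identification payload (generic header from RFC 2408 section 3.8, IPsec DOI fields and type numbers from RFC 2407 section 4.6.2) and then applies the kind of responder-side policy check that produces a "peer ID type not supported" style rejection. The identities used (goran@example.com, 100.5.33.196, 10.1.35.0/24) are constructed for the demonstration.

```python
"""IKEv1 Identification payload: encode, decode and policy-check.

Added example; not code from the thread, from IPSecuritas or from WatchGuard.
It shows what a client's "Local Identifier" choice becomes on the wire, which
is what a gateway is talking about when it logs a complaint about the peer's
ID type. Layout: RFC 2408 s3.8 generic payload header, then the IPsec DOI
fixed fields and ID types of RFC 2407 s4.6.2. All multi-byte fields are
big-endian. The sample identities below are constructed.
"""
import ipaddress
import struct

# IPsec DOI identification types (RFC 2407 section 4.6.2.1)
ID_IPV4_ADDR = 1          # racoon: my_identifier address
ID_FQDN = 2               # racoon: my_identifier fqdn "host.example.com"
ID_USER_FQDN = 3          # racoon: my_identifier user_fqdn "user@example.com"
ID_IPV4_ADDR_SUBNET = 4   # phase 2 proxy ID for a whole network
ID_DER_ASN1_DN = 9        # racoon: my_identifier asn1dn (certificate subject)
ID_KEY_ID = 11            # racoon: my_identifier keyid

ID_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            4: "ID_IPV4_ADDR_SUBNET", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}

HEADER_LEN = 8  # 4-byte generic header + ID type, protocol ID, port


def encode_id_payload(id_type, data, next_payload=0, proto=0, port=0):
    """Build one Identification payload.

    data: a str for FQDN / USER_FQDN, an IPv4 address string for IPV4_ADDR,
    "a.b.c.d/prefix" for IPV4_ADDR_SUBNET, raw bytes for ASN1_DN / KEY_ID.
    proto/port 0/0 means "any", which is what a phase 1 identity normally uses.
    """
    if id_type in (ID_FQDN, ID_USER_FQDN):
        body = data.encode("ascii")
    elif id_type == ID_IPV4_ADDR:
        body = ipaddress.IPv4Address(data).packed
    elif id_type == ID_IPV4_ADDR_SUBNET:
        net = ipaddress.IPv4Network(data, strict=False)
        body = net.network_address.packed + net.netmask.packed
    elif id_type in (ID_DER_ASN1_DN, ID_KEY_ID):
        body = bytes(data)
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    generic = struct.pack("!BBH", next_payload, 0, HEADER_LEN + len(body))
    doi = struct.pack("!BBH", id_type, proto, port)
    return generic + doi + body


def decode_id_payload(raw):
    """Parse one Identification payload into a dict; raise ValueError if malformed."""
    if len(raw) < HEADER_LEN:
        raise ValueError("payload shorter than its fixed header")
    next_payload, _reserved, length = struct.unpack("!BBH", raw[:4])
    id_type, proto, port = struct.unpack("!BBH", raw[4:8])
    if length < HEADER_LEN or length > len(raw):
        raise ValueError("payload length %d does not fit the data" % length)
    body = raw[HEADER_LEN:length]
    if id_type in (ID_FQDN, ID_USER_FQDN):
        ident = body.decode("ascii")
    elif id_type == ID_IPV4_ADDR:
        if len(body) != 4:
            raise ValueError("IPv4 identity must be 4 bytes")
        ident = str(ipaddress.IPv4Address(body))
    elif id_type == ID_IPV4_ADDR_SUBNET:
        if len(body) != 8:
            raise ValueError("IPv4 subnet identity must be 8 bytes")
        ident = "%s/%s" % (ipaddress.IPv4Address(body[:4]),
                           ipaddress.IPv4Address(body[4:]))
    else:
        ident = body.hex()   # DNs and key IDs are kept opaque here
    return {"type": id_type, "name": ID_NAMES.get(id_type, "unknown(%d)" % id_type),
            "proto": proto, "port": port, "id": ident, "next_payload": next_payload}


def is_well_formed(raw):
    """True if decode_id_payload accepts the bytes."""
    try:
        decode_id_payload(raw)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def check_peer_id(raw, accepted_types):
    """Responder-side policy check: accept only the ID types the policy expects.

    Returns (accepted, reason). A gateway configured for user identities will
    refuse an address-typed ID even when the address itself is the right one.
    """
    info = decode_id_payload(raw)
    if info["type"] in accepted_types:
        return True, "%s %s" % (info["name"], info["id"])
    return False, "peer ID type %d (%s) not in policy %s" % (
        info["type"], info["name"], sorted(accepted_types))


if __name__ == "__main__":
    # Constructed identities: what "Address" vs "User FQDN" look like on the wire.
    addr_id = encode_id_payload(ID_IPV4_ADDR, "100.5.33.196")
    user_id = encode_id_payload(ID_USER_FQDN, "goran@example.com")
    for p in (addr_id, user_id):
        print(p.hex(), check_peer_id(p, {ID_USER_FQDN}))
```

Running the block prints both payloads in hex; the address-typed one is refused by a policy that only accepts ID_USER_FQDN, the user@domain one is accepted. The decoder also rejects a payload whose length field exceeds the bytes actually received, which is the check a responder needs before it trusts the ID type byte at all.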
IPSecuritas + Linksys RVS4000 by abalamut on 2007-12-13 14:30:25 +0100
Hello everybody, yesterday I bought a Linksys RVS4000 and found that I can't easily set up a VPN connection between the Linksys RVS4000 and my Macintosh (10.5.1). I asked at the Linksys forum, but they told me that I should ask here. So, can anybody help me with how to set up the VPN connection? I have tried but cannot.

IPCOMP with IPSecuritas by rodknocker on 2007-12-14 11:43:21 +0100
Hello! I can't find an option to turn IPCOMP on :( Where is this option (in the GUI)? Greetings, David

Leopard and/or SonicWall by matthewyoung on 2007-12-16 17:30:48 +0100
I had a load of problems setting up IPSecuritas to work with our SonicWall 4100 Pro at work, but eventually it did work perfectly. Since upgrading my MacBook to Leopard, though, I have not been able to connect... or at the most I can connect and ping the SonicWall but nothing else on the remote network. I have not changed the config file, and I tried a complete removal and reinstall of IPSecuritas, but it doesn't make a difference. Has anyone else had this problem with Leopard and/or a SonicWall?
As far as I can tell, everything I have entered that can match the settings on the SonicWall does match... here are my settings:

Remote IPSec Device: SonicWall IP
Local Endpoint: Host (left blank as DHCP on SonicWall)
Remote Endpoint: Networks (have added all internal network ranges)
Phase 1
  Lifetime: 28800
  DH Group: 1024 (2)
  Encryption: 3DES
  Authentication: SHA-1
  Exchange Mode: Aggressive, Main
  Proposal Check: Claim
  Nonce Size: 16
Phase 2
  Lifetime: 28800
  PFS Group: 1024 (2)
  Encryption: 3DES
  Authentication: HMAC SHA-1
ID
  Local Identifier: Address
  Remote Identifier: FQDN (with number from SonicWall)
  Authentication Method: XAuth PSK (with preshared key and username/password entered)
DNS
  Internal (remote) domains and DNS servers entered
Options
  IPSec DOI
  SIT_IDENTITY_ONLY
  Initial Contact
  Local IP in Remote Network
  Generate Policy
  Request Certificate
  Send Certificate
  Unique SAs

WG Firebox with XAUTH by mellander on 2007-12-30 21:41:23 +0100
I've done some extensive testing to get IPSecuritas to work with the WatchGuard Firebox using external authentication to a RADIUS server (XAUTH). If I specify the local tunnel IP statically in the client, it works. But there is no XAUTH happening. (Seems like sort of a bug in the Firebox which allows me to establish a tunnel anyway, but it can be discussed, since firewall rules defined on user group of Filter-IDs returned by the RADIUS server don't work anyway... Perhaps IKE/IPSec/XAUTH is designed this way, that a tunnel actually can be defined even before the XAUTH is accepted.) If I try and set it up as a local client (user account local in the Firebox) instead, it works. But that is more or less the same thing as defining it in a L2L tunnel, as described by your guide. But that's only handy for a handful of clients or so. If XAUTH would work, it would bring a lot of advantages, if REM_CFG works that is...
I've done a detailed comparison with WatchGuard's own OEM VPN client (they recently changed from SafeNet to NCP). I don't know why the XAUTH is not initiated properly, but I'm hoping that you find something out from the logs and packet traces that I've sent. There are both logs from the Firebox, the VPN client(s) and packet captures at the client. Thanks in advance.

Connection problems with SonicWall PRO1060 by shadowman on 2008-01-05 17:13:54 +0100
Hello, I'm trying to connect with Mac OS X Leopard to a network with a SonicWall PRO1060. I followed the wizard to set up my connection in IPSecuritas and read through the template manual of the SonicWall PRO, delivered with the application. I cannot connect. This is what I'm seeing in my IPSecuritas logging:

Error for phase1
Info IKE phase2 negotiation failed due to time up waiting IKE delete phase 2 handler.

And this is what I'm seeing in my SonicWall logs:

IKE Responder: IKE proposal does not match (Phase 1)

Does anyone know a method so that I can connect and don't see these errors anymore? If more information is needed, just ask me and I will post it in this topic. Thanks for the help in advance. Guido

Manually removing IPSecuritas by antonij on 2008-01-06 03:05:10 +0100
Hi, the uninstaller that comes with the program fails to uninstall it from my machine. Any advice on removing it manually? Antoni J.

Re: Manually removing IPSecuritas by Forum Admin on 2008-01-07 00:12:28 +0100
Hello Antoni, sorry that the uninstaller is not working.
To manually remove all components of IPSecuritas, you will need to remove the following directories and folders:
/Library/StartupItems/IPsecuritasDaemon
/Library/Application Support/Lobotomo Software/IPSecuritas
~/Library/Preferences/com.lobotomo.IPSecuritas.plist (in your home folder)
~/Library/Widgets/IPSecuritas.wdgt
The application itself.

To stop the menu bar item, press and hold the Alt key while opening the menu. A Quit item will appear as the last entry in the menu. Hope this helps, Christoph

Checkpoint VPN-1 with SecurID by kridan on 2008-01-10 05:45:27 +0100
I've searched the forums, newsgroups, and manuals and can't seem to find anyone using Checkpoint with SecurID. With our setup at work, I use a username, a PIN, and then the current SecurID token. I know I'm close though, since I'm getting a bad un/pw message from the remote site. Here is the log:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Jan 09, 23:21:11 Info APP IPSec authenticating
Jan 09, 23:21:11 Info APP IKE daemon started
Jan 09, 23:21:11 Info APP IPSec started
Jan 09, 23:21:11 Warning IKE Foreground mode.
Jan 09, 23:21:11 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jan 09, 23:21:11 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jan 09, 23:21:11 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jan 09, 23:21:11 Info IKE Resize address pool from 0 to 255
Jan 09, 23:21:11 Info APP Initiated connection Cognos
Jan 09, 23:21:11 Error IKE inappropriate sadb acquire message passed.
Jan 09, 23:21:12 Warning IKE ignore 2nd CERT payload.
Jan 09, 23:21:12 Warning IKE No ID match.
Jan 09, 23:21:12 Warning IKE Ignored attribute XAUTH_CHALLENGE_VPN1
Jan 09, 23:21:13 Warning IKE Ignored attribute XAUTH_CHALLENGE_VPN1
Jan 09, 23:21:15 Error IKE Xauth authentication failed
Jan 09, 23:21:15 Info IKE XAUTH Message: 'Access denied - wrong user name or password (msg_obj :format (1.0) :id (VPN_CUMULATE_PROMPT) :def_msg ("Access denied - wrong user name or password ") :arguments ( :0 ( :type (msg_obj) :val (msg_obj :format (1.0) :id (CPSC_SECURID_USER_DENIED) :def_msg ("Access denied - wrong user name or password ") :arguments () ) :def_text ("Access denied - wrong user name or password ") ) ) ) '.
Jan 09, 23:21:15 Warning IKE Ignored attribute XAUTH_MESSAGE_VPN1
Jan 09, 23:21:17 Info APP IKE daemon terminated
Jan 09, 23:21:17 Info APP IPSec terminated

So am I wrong in thinking that this means (since it knows the pw is wrong) that it must at least be communicating with the remote site? This doesn't surprise me though, since it never prompts me for the token, so how could it possibly authenticate properly? In the Authentication Method drop down I've selected XAuth RSA... is this right? If so, why am I not getting prompted for the token? Any help is VERY MUCH appreciated. Dwayne

Re: Checkpoint VPN-1 with SecurID by mellander on 2008-01-10 20:51:10 +0100
"XAUTH_CHALLENGE_VPN1" makes me think that CheckPoint have made their own modifications to the protocol. The problem with XAUTH seems to be that there is no "official" RFC for it. At least not listed on the RFC pages at IETF. I found this among many: http://tools.ietf.org/html/draft-ietf-ipsecisakmp-xauth-06 where "XAUTH_CHALLENGE" is listed. But the suffix VPN1 smells like CheckPoint proprietary all the way...

Re: Checkpoint VPN-1 with SecurID by kridan on 2008-01-14 04:57:14 +0100
Anyone else here successfully using Checkpoint with SecurID?
DK

Re: Checkpoint VPN-1 with SecurID by siromega on 2008-01-15 13:34:15 +0100
I followed the instructions in this post, http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?num=1177416223/7#7, and I was able to successfully connect. However, once I connected I wasn't able to get anywhere in the corporate network, and my ability to access the internet stopped working completely until I disconnected. The only other addition I have is the password field in the ID tab: I put my PIN and the SecurID token value and I was able to successfully authenticate.

private dns not working by pong on 2008-01-12 17:31:55 +0100
I don't know if it's Leopard related, but I can't get the private DNS to work. System is 10.5.1, IPSecuritas is 3.1, firewall is a FortiGate 60. The VPN connection works; I can also connect to all servers inside the VPN, but only via IP address. The DNS is set for the internal domain private.lan, but even if I set the private domain to * the private names don't resolve. But I can ping and connect to the internal DNS. It seems that it isn't involved in name resolving.

Translation needed by Forum Admin on 2008-01-14 12:41:51 +0100
Hello, we are looking for people who could translate a few sentences from English into their native language for a few extensions of IPSecuritas. We need translations to the following languages: French, Italian, Spanish, Portuguese, Dutch, Norwegian and Japanese. If you are interested in supporting IPSecuritas in this way, please e-mail me at lobotomo@lobotomo.com. Christoph, Lobotomo Software

Cannot import PKCS#12 Certs by franziskaner on 2008-01-17 12:31:19 +0100
Hi there, I'm trying to connect my MacBook over IPSec with a Linux based firewall/VPN gateway. I have generated certificates on the Linux appliance and exported them to the Mac.
When I try to import them in IPSecuritas, I get an error message that it is either not a PKCS#12 cert or the passphrase is incorrect. I have tested the same certificate with my NCP IPSec client on a WinXP machine; it works fine there. IPSecuritas V3.1 Build 1860 on a MacBook Intel, running Leopard 10.5.1. VPN has worked fine with preshared-key authentication, but I would prefer to use certs. Anyone any idea?

Re: Cannot import PKCS#12 Certs by e-baba on 2008-04-02 14:29:47 +0200
Hello everyone, I've got the same problem importing signed certs (PKCS#12) made with OpenSSL on WinXP. I am running IPSecuritas 3.1 build 1860 using OS X Leopard. The same certs have been working on previous releases of IPSecuritas and OS X. Are there any restrictions using PKCS#12 certs? Or is it a known bug which is getting fixed in future releases? Regards, Jürgen

Re: Cannot import PKCS#12 Certs by cnadig on 2008-04-10 15:53:11 +0200
Hello, there are no known restrictions, so this is probably a bug. Is it possible to send an example of such a certificate to lobotomo@lobotomo.com (a test certificate, not a production one, of course)? Cheers, Christoph

Re: Cannot import PKCS#12 Certs by franziskaner on 2008-04-10 18:01:15 +0200
Hello Christoph, the certificate is on the way to you. Regards, Hartmut

Re: Cannot import PKCS#12 Certs by benjconrad on 2008-04-25 12:25:46 +0200
I don't know if this applies, but certainly p12 files from Smoothwall cannot be imported directly from the firewall into IPSecuritas. I have no idea why not! This is taken from the Smoothwall website:

Notes on IPSecuritas configuration. To configure IPSecuritas, the CA can be exported from the Smoothwall in a PEM format and imported into IPSecuritas using the certificate manager.
The client certificate needs to be exported in a PKCS12 format, but before importing into IPSecuritas first convert it into certificate public key and private key components by typing the following commands in an OS X terminal:

openssl pkcs12 -in cert.p12 -nokeys -clcerts -out cert.pem

cert.pem will contain the public key part.

openssl pkcs12 -in cert.p12 -nodes -nocerts -out key.pem

key.pem will contain the private key part. Substitute cert.p12 with the name of the PKCS12 certificate exported. The certificate public and private key can then be imported using the certificate manager. Note that both public and private keys will be asked for in succession when selecting the import 'personal certificate with private key' option.

I hope this helps. Obviously you need to cd in Terminal to the folder that contains the VPN certs.

Re: Cannot import PKCS#12 Certs by artemide on 2008-04-25 15:48:08 +0200
I read this on the SW site, but I have imported the P12 keys directly into IPSecuritas... but it only works once in a while... I have no idea why... I have one key that imported immediately, one key that took like 3 tries... and now I have another one that will not import at all... the interesting thing is, my connections fail with some cert errors... I wonder... I am going to split the P12 up and try again...

Re: Cannot import PKCS#12 Certs by artemide on 2008-04-25 16:21:16 +0200
I tried with a new test cert and split out the key, set it all back up... and I still have the same issues with my connections... so that doesn't help. I keep getting "unable to get certificate CRL(3)" and "libipsec failed pfkey check (invalid sa type)".

Re: Cannot import PKCS#12 Certs by benjconrad on 2008-04-25 18:11:09 +0200
I imagine you have done all this correctly - but when you get the P12 file split into two .pem files, one the cert and one the key, you then need to import them into the Certificate Manager, choosing .pem with key.
You select the cert.pem first, and then the key.pem - I don't think you need to provide the password, but you do need it to split the p12 file. Then obviously you need to select the correct certificate in the actual connection setup. At least, that is how I did it.

Re: Cannot import PKCS#12 Certs by artemide on 2008-04-25 21:59:26 +0200
[quote author=benjconrad]I imagine you have done all this correctly - but when you get the P12 file split into two .pem files, one the cert and one the key, you then need to import them into the Certificate Manager, choosing .pem with key. You select the cert.pem first, and then the key.pem - I don't think you need to provide the password, but you do need it to split the p12 file. Then obviously you need to select the correct certificate in the actual connection setup. At least, that is how I did it.[/quote]
Yup, did all that... the connection goes green... but it never actually comes up... I can't ping across the network... and the logs complain about invalid SA.

Re: Cannot import PKCS#12 Certs by artemide on 2008-04-25 22:57:24 +0200
The certs need to have subjectAltName (ID) set in order for them to import correctly. It is a Mac thing, not an IPSecuritas thing.

Re: Cannot import PKCS#12 Certs by artemide on 2008-04-25 23:07:28 +0200
lol... well... the ID does need to be there... but the importing is still hit or miss.

IPSecuritas with a Juniper Netscreen SSG20 F-wall. by rosshuts on 2008-01-17 13:25:13 +0100
Good afternoon! I was wondering if anyone could help with a Netscreen firewall query. I am in the process of setting up VPN dialup for a Mac user using the IPSecuritas software. We use a Netscreen SSG20 firewall and it's not listed in the supported models. Looking at the setup guide, it mentions Netscreen SSG models in general, and therefore I was hoping that it would still work?
The Netscreens tend to use the same sort of firmware or ScreenOS files, and I was really hoping that it would work. Does anyone know if this will be OK or not? There is also the Equinux VPN Tracker, although it's not free, but it works with Netscreens; however, again, they don't list the SSGs in the list. Any help in this matter would be greatly appreciated. Regards, Ross.

Re: IPSecuritas with a Juniper Netscreen SSG20 F-w by Daniel on 2008-01-25 21:53:42 +0100
IPSecuritas works like a charm with ScreenOS, including the SSG series.

Re: IPSecuritas with a Juniper Netscreen SSG20 F-w by Forum Admin on 2008-01-28 01:05:27 +0100
Hello, I use IPSecuritas with a Juniper SSG140 with XAuth. The firmware of all Juniper models is identical or similar; there should be no problem using it with an SSG20. Please email me at lobotomo@lobotomo.com if you need more information. Cheers, Christoph

Stop IPSecuritas daemon from launching at startup. by techess on 2008-01-17 20:02:41 +0100
I have IPSecuritas 3.1 installed on a Leopard MacBook Pro. So far it works great, but I don't want the daemon to automatically start at reboot. It interferes with other software I need to run. I tried removing /Library/StartupItems/IPSecuritasDaemon, but at reboot the daemon still starts. I still have to open IPSecuritas and manually choose the quit and terminate daemon. Then the other software I need will run. The only thing that removing /Library/StartupItems/IPSecuritasDaemon seems to do is to stop the menu bar item for IPSecuritas from launching. Anyone have a way of stopping the daemon from starting other than uninstalling?

Re: Stop IPSecuritas daemon from launching at star by Forum Admin on 2008-01-28 01:08:58 +0100
Hello, the daemon is an essential part of IPSecuritas and needs to run in order to establish a connection. It is installed and started every time you start IPSecuritas and are asked for the administrator's password.
Maybe you could tell me with what other software it interferes so that I could do something about this? Thanks a lot, Christoph

Re: Stop IPSecuritas daemon from launching at star by techess on 2008-01-28 17:06:57 +0100
One of the pieces is the Mac OS X built-in VPN. The other software that doesn't work is a custom Citrix client needed for secure accounting/student info transactions. Everything works fine if I open IPSecuritas, quit the daemon and then launch the software. Then if I need to connect to the Checkpoint firewall I can start it up again and this works really well. I was hoping that there would be an easy way of not having the service start on boot, and then manually launching it when I needed it. Thanks!

Re: Stop IPSecuritas daemon from launching at star by hkirschk on 2008-04-22 09:22:52 +0200
Just wanted to state that I would also be interested in having a global preference which defines if the IPSecuritas daemon should be automatically started at system startup. It interferes with the Apani Contivity client; I also have to switch off the IPSecuritas daemon and restart the Apani Contivity client. Heiko

Re: Stop IPSecuritas daemon from launching at star by .guru on 2008-04-22 10:57:13 +0200
By the way, what exactly is the daemon for? I thought IPSecuritas relies on the racoon IKE service only? .guru

Re: Stop IPSecuritas daemon from launching at star by Forum Admin on 2008-04-23 20:35:44 +0200
Hello, the daemon fulfills a number of purposes:
1. Control of the IPSec kernel configuration and control of racoon and its configuration file
2. Autostart, for when no GUI is running
3. Detection of environment changes (network, user etc.)
4. NAT-T implementation, since Apple's implementation is old and broken.
Hope this answers your question, Christoph

Re: Stop IPSecuritas daemon from launching at star by hkirschk on 2008-04-29 14:38:32 +0200
[quote author=hkirschk link=1200596561/0#3 date=1208848972]Just wanted to state that I would also be interested in having a global preference which defines if the IPSecuritas daemon should be automatically started at system startup. It interferes with the Apani Contivity client; I also have to switch off the IPSecuritas daemon and restart the Apani Contivity client. Heiko[/quote]
Sorry for the noise, some further investigation showed that the IPSecuritas daemon itself does not interfere with the Apani Contivity client. Unless there is no VPN connection initiated by IPSecuritas, there are no problems, and IMHO it does not make sense trying to have both an active IPSecuritas client and an active Apani Contivity client. Heiko

Weird - this was working - pfkey X_SPDDUMP failed
Weird - this was working - pfkey X_SPDDUMP failed by brantwinter on 2008-01-20 14:33:46 +0100
My VPN (IPSecuritas -> Draytek 2800) was working fine yesterday, but today keeps failing with error:
pfkey X_SPDDUMP failed: No such file or directory
Funny thing is, I have another profile in IPSecuritas set up that goes off to a different VPN endpoint that continues to work fine. I have used Frameseer to look at the outgoing traffic on both setups; the one that works does a DNS lookup first, the failing VPN configuration sends NO traffic out the interface at all. Just out of interest, my psk.txt file in /Library/Application Support/Lobotomo Software/IPSecuritas/ is empty... Obviously psk.txt gets overwritten each time the VPN config loads. When I use the VPN config for my working VPN I have entries in the psk.txt file. In my non-working VPN setup, the psk.txt remains empty. WTF????? As I said previously, this exact same VPN config worked fine yesterday....
Re: Weird - this was working - pfkey X_SPDDUMP fai by cnadig on 2008-01-22 00:27:31 +0100
Hello, the empty psk.txt is an indication that the connection isn't even started, therefore you don't see any network activity either. This is usually the case if the connection definition is incomplete or when there are conflicts in the definition. Can you see a red dot next to the connection in the main window after you started the non-working connection? If so, please hover the mouse over the red icon and wait for the tooltip to appear. If it says 'Connection definition incomplete', please open the connection manager and hover the mouse over the grey exclamation mark symbol next to the connection to see what's wrong. I hope this helps, Christoph

Re: Weird - this was working - pfkey X_SPDDUMP fai by brantwinter on 2008-01-24 13:01:57 +0100
This did not help unfortunately. The red dot appears as soon as the VPN is dialed, but it has no tooltip when hovered over, and hence no grey dot in the connection manager screen.

Re: Weird - this was working - pfkey X_SPDDUMP fai by brantwinter on 2008-01-26 00:29:56 +0100
Update: I can also confirm that an uninstall / re-install does nothing to help the situation.... This is quite frustrating! Is there anyone that can give me a hand??

Re: Weird - this was working - pfkey X_SPDDUMP fai by brantwinter on 2008-01-27 12:57:41 +0100
Can anyone help out here?? I have moved 2000 km from home and need to be able to VPN to my mother to assist with some probs she is having. As I said in the first post - this was working fine. It just stopped working.

Re: Weird - this was working - pfkey X_SPDDUMP fai by brantwinter on 2008-01-28 11:07:43 +0100
This gets even better!!!!!! I just uninstalled IPSecuritas 3.1 - I used the uninstaller which actually reported failing...... but anyway I re-installed IPSECURITAS VERSION 2.2 and put in all the same settings for my broken VPN and walla!!!! It connected and I can access the network on the other end.
So I have now confirmed that only this one tunnel is broken in v3.1 and the whole thing works on v2.2, and I have also installed a demo copy of VPNTracker which works as well. I cannot for the life of me work out why this would / could be the case...... I did some other investigation and found that the racoon.conf file is not being written properly/fully on the broken VPN. I copied the file under both the working and broken configurations and they look totally different. I don't know how to troubleshoot any further however. I would love to have 3.1 working but at present v2.2 is my only option!

Re: Weird - this was working - pfkey X_SPDDUMP fai by cnadig on 2008-01-28 12:47:37 +0100
Hello, this is indeed interesting. Could you send me the two racoon.conf files and the connection log with log level set to debug (from the working and the non-working configuration) to lobotomo@lobotomo.com? Please replace any confidential information like the public IP and please do not send the psk.txt file! Thank you a lot, Christoph

Re: Weird - this was working - pfkey X_SPDDUMP fai by brantwinter on 2008-01-28 14:22:36 +0100
Sent.....

Re: Weird - this was working - pfkey X_SPDDUMP fai by brantwinter on 2008-01-30 14:28:16 +0100
Hi Christoph - any luck with the logs I sent through on this issue?? Thanks in advance.

Re: Weird - this was working - pfkey X_SPDDUMP fai by brantwinter on 2008-02-02 08:43:19 +0100
I can now confirm that this issue has something to do with the "Remote Side" config item in the VPN setup. If I change this option to "Endpoint mode - Anywhere" I get past the pfkey error. The VPN still does not connect, but I do get a racoon.conf file created and a psk.txt file populated. When I change the config back to "Endpoint mode - Network" (or any other option) I get the pfkey issue again. Like always, any help is appreciated.

Re: Weird - this was working - pfkey X_SPDDUMP fai by Forum Admin on 2008-02-03 20:09:33 +0100
Hello Brant, thank you very much for the log file.
In your case, no connection is started, most probably because of a configuration fault or a network conflict. Do the local network and remote network overlap, or did you enter a local IP address that is part of the remote network by any chance? If so, please enable the 'Local IP in Remote Network' option in the Options section of your connection. This would also explain your success connecting with the remote mode set to Anywhere, as you describe in another post. Please note that such network overlaps should be avoided since there might be undesired side effects. Hope this helps, Christoph

Re: Weird - this was working - pfkey X_SPDDUMP fai by brantwinter on 2008-02-05 12:09:13 +0100
Hi there Christoph - I can't help but think that there is a bug causing this behavior. The output of ifconfig is as such:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
	ether 00:1b:63:a1:88:b2
	media: autoselect status: inactive
	supported media: autoselect 10baseT/UTP <half-duplex> 10baseT/UTP <full-duplex> 10baseT/UTP <full-duplex,hw-loopback> 10baseT/UTP <full-duplex,flow-control> 100baseTX <half-duplex> 100baseTX <full-duplex> 100baseTX <full-duplex,hw-loopback> 100baseTX <full-duplex,flow-control> 1000baseT <full-duplex> 1000baseT <full-duplex,hw-loopback> 1000baseT <full-duplex,flow-control> none
fw0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 4078
	lladdr 00:1d:4f:ff:fe:5f:4c:74
	media: autoselect <full-duplex> status: inactive
	supported media: autoselect <full-duplex>
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether 00:1c:b3:bc:9a:11
	media: autoselect (<unknown type>) status: inactive
	supported media: autoselect
en2: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
	ether 00:1c:42:00:00:00
	media: autoselect status: inactive
	supported media: autoselect
en3: flags=8822<BROADCAST,SMART,SIMPLEX,MULTICAST> mtu 1500
	ether 00:1c:42:00:00:01
	media: autoselect status: inactive
	supported media: autoselect
gif1: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	inet 10.164.45.63 --> 10.6.6.6 netmask 0xff000000
When I set the 'Remote Endpoint' to anything BUT 10.0.10.0/24 it works. As soon as I enter a subnet that begins with 10.x.x.x it fails. The above network for the ppp0 adapter is a class A subnet. The only thing I can think of is that somehow IPSecuritas is ignoring the fact that I am setting the Remote Endpoint to 10.0.10.0/24 and assuming the 10. subnet is a class A?????? If I set the Remote endpoint to something random, say, 11.0.11.0/24 it creates the racoon.conf / psk.txt files and dials up. It is ONLY the 10.x.x.x network thing that is causing all the problems. Does this help in troubleshooting??

Re: Weird - this was working - pfkey X_SPDDUMP fai by Forum Admin on 2008-02-13 22:56:15 +0100
Hello Brant, the problem is indeed that the two networks 10.0.0.0/24 and 10.0.10.0/24 overlap. This is not recommended (and probably also against the specification) for various reasons (one being that other computers will not be reachable anymore, another that there might be an address conflict between the local address and a machine in the remote network with the same address). However, I will add an option to disable these collision checks or simply ignore the remote address for PPP interfaces, since several people asked for it.
For now, the easiest (and cleanest anyway) solution is to change her local network range to a different private range; please have a look at RFC 1918, section 3 (<http://www.faqs.org/rfcs/rfc1918.html>). Cheers, Christoph

Re: Weird - this was working - pfkey X_SPDDUMP fai by brantwinter on 2008-02-14 08:36:00 +0100
Not sure if I wrote the last post incorrectly or if it has been interpreted wrong, but the two 10.x.x.x addresses ARE on DIFFERENT subnets. The ISP address is a /8 address and the remote VPN subnet is a /24. What I am postulating is that IPSecuritas is interpreting the remote VPN subnet as a /8 (Class A) subnet by virtue of the 10.x.x.x subnet (if you are going by RFC 1918 part 3 - Private address space). It is true that 10.x.x.x subnets SHOULD be numbered as Class A subnets, but they can be applied in a Class C address space. I am not sure I am making sense....

Re: Weird - this was working - pfkey X_SPDDUMP fai by Forum Admin on 2008-02-15 21:53:32 +0100
Hello Brant, sorry, I was quoting the addresses incorrectly. The remote network of your ppp0 interface is 10.0.0.0/8, which includes the smaller remote network 10.0.10.0/24 you're trying to access. IPSecuritas does these checks to avoid undetermined (or at least unexpected) behaviour, but I will add an option to bypass these checks for the brave among you. Cheers, Christoph

Re: Weird - this was working - pfkey X_SPDDUMP fai by brantwinter on 2008-02-18 11:39:41 +0100
Thanks for that Christoph - I will wait for an update.

IPSecuritas vs. Netvanta 7100
IPSecuritas vs. Netvanta 7100 by NotThatLuke on 2008-01-20 20:24:31 +0100
Hi, I'm trying to use IPSecuritas 3.1 build 1860 to connect to my company's firewall, an Adtran Netvanta 7100, and it's no joy every time. I don't even seem to be getting past Phase 1.
I'm pretty sure I have all the settings correct except for the Phase 2 Authentication (set to Null) and the Options (DOI, Initial Contact, Local IP, Support Proxy, Unique SAs, IKE Frag are selected, NAT-T enabled) - not sure what those should be so I've been using trial and error. Here's a log example:
Info APP IPSec authenticating
Info APP IKE daemon started
Info APP IPSec started
Info IKE Foreground mode.
Info IKE @(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net)
Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Info IKE Resize address pool from 0 to 255
Info APP Initiated connection Work
Error IKE inappropriate sadb acquire message passed.
Error IKE delete phase1 handle.
Info APP Initiated connection Work
Info APP Initiated connection Work
Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP (IP Obscured by me)[500]->10.0.1.198[500]
Info APP Initiated connection Work
Error IKE inappropriate sadb acquire message passed.
Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP (IP Obscured by me)[500]->10.0.1.198[500]
Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP (IP Obscured by me)[500]->10.0.1.198[500]
Info APP Initiated connection Work
Error IKE phase1 negotiation failed due to time up. 20d32e7094980c58:0000000000000000
Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP (IP Obscured by me)[500]->10.0.1.198[500]
Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP (IP Obscured by me)[500]->10.0.1.198[500]
Warning APP Connection Work timed out
Warning APP Suspending for 30 seconds
Info APP IPSec stopping
Info APP IKE daemon terminated
Info APP IPSec stopped
Anyone ever try this with a Netvanta? Any ideas? Any help is very welcome. Thanks!
Luke

Cannot connect to AFP server
Cannot connect to AFP server by TedA on 2008-01-23 14:36:21 +0100
I have IPSecuritas connected to a Netgear FVS318, and I'm able to connect to the VPN, but I'm unable to connect to an AFP server on the VPN network. I can ping the machine and I can control the machine using Apple Remote Desktop, but I can't connect via AFP. When I go to "Go To Server.." all I get is "Connecting to afp://192.168.0.201" until it eventually times out. I have connected to this AFP server in the past when it was on the same network as the VPN. Computers on the internal network can still connect to the AFP server and computers on a separate VPN (via another Netgear FVS318) can connect to the AFP server.

Re: Cannot connect to AFP server by TedA on 2008-01-24 21:03:56 +0100
I fixed the problem; the firewall was filtering any non-192.168.0.0 addresses.

Re: Cannot connect to AFP server by esailor on 2008-04-11 15:21:35 +0200
Did you turn on the AppleTalk flag in the network preferences?

Re: Cannot connect to AFP server by mann on 2008-04-23 06:08:02 +0200
How do you know if the router is filtering addresses? I am having the same problem; only in certain places does AFP work over the VPN.

IPSecuritas and Checkpoint FW-1 - timeout
IPSecuritas and Checkpoint FW-1 - timeout by StefanVollmar on 2008-01-23 23:50:29 +0100
Hello, I am new to this forum and have just started using IPSecuritas 3.1 Build 1860 on Mac OS X Leopard. Connecting to systems through a Checkpoint FW-1 firewall works fine. However, during ssh connections the terminal freezes if there was not any traffic for a number of minutes. Pressing a key sometimes continues the session (with a delay of several seconds after the key was pressed); more often than not I need to create a new connection. Is there a way to keep a connection open even if there is no traffic for a considerable amount of time, maybe by setting up "keep alive" messages (or equivalent)?
Many thanks in advance, Stefan

Re: IPSecuritas and Checkpoint FW-1 - timeout by cnadig on 2008-01-25 10:14:04 +0100
Hello Stefan, please enable the connection check in the options tab and enter an IP address that replies to ping requests. Hope this helps, Christoph

Re: IPSecuritas and Checkpoint FW-1 - timeout by StefanVollmar on 2008-01-25 11:50:22 +0100
Dear Christoph, as far as I can see, this solved my problem beautifully. Thanks, Stefan

only remote DNS works when connected
only remote DNS works when connected by prahn on 2008-01-24 22:02:55 +0100
Hi! When I connect to my VPN the resolution of the local DNS does not work anymore. Remote DNS works perfectly, but nothing local. If I switch the DNS off in the IPSecuritas profile, local DNS works. Even when the VPN is down. Do I need to set a local search domain in the Network control panel?

Leopard IPsecuritas 3.1 not working with Leopard
Leopard IPsecuritas 3.1 not working with Leopard by Rommel on 2008-01-26 20:51:03 +0100
We had IPSecuritas 2.1 on OS X.4 behind a Netopia R910 working well. Upgraded to IPSecuritas 2.1 on OS X.5 – would not work. Upgraded to IPSecuritas 3.1 on OS X.5 – would not work. Had imported the settings from IPSecuritas 2.1. This is the log file.
IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Jan 25, 13:49:52 Info APP IPSec restarting
Jan 25, 13:49:53 Info APP IKE daemon terminated
Jan 25, 13:49:53 Info APP IPSec restarting
Jan 25, 13:49:53 Info APP IKE daemon started
Jan 25, 13:49:53 Info APP IPSec started
Jan 25, 13:49:53 Error IKE Foreground mode.
Jan 25, 13:49:53 Info IKE @(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net)
Jan 25, 13:49:53 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jan 25, 13:49:53 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jan 25, 13:49:53 Info IKE Resize address pool from 0 to 255
Jan 25, 13:49:54 Info APP Initiated connection Kodak DirectView
Jan 25, 13:49:54 Error IKE inappropriate sadb acquire message passed.
Jan 25, 13:50:01 Info APP Initiated connection Kodak DirectView
Jan 25, 13:50:08 Info APP Initiated connection Kodak DirectView
Jan 25, 13:50:10 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 216.197.193.153[500]->192.168.123.103[500]
Jan 25, 13:50:15 Info APP Initiated connection Kodak DirectView
Jan 25, 13:50:15 Error IKE inappropriate sadb acquire message passed.
Jan 25, 13:50:17 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 216.197.193.153[500]->192.168.123.103[500]
Jan 25, 13:50:22 Info APP Initiated connection Kodak DirectView
Jan 25, 13:50:24 Error IKE phase1 negotiation failed due to time up. c746ba12283e6bfd:0000000000000000
Jan 25, 13:50:24 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 216.197.193.153[500]->192.168.123.103[500]
Jan 25, 13:50:27 Warning APP Connection Kodak DirectView timed out
Jan 25, 13:50:27 Warning APP Giving up
Jan 25, 13:50:31 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 216.197.193.153[500]->192.168.123.103[500]
Jan 25, 13:50:38 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 216.197.193.153[500]->192.168.123.103[500]
Any ideas?

Re: Leopard IPsecuritas 3.1 not working with Leopa by ask on 2008-02-02 01:29:18 +0100
I have almost the same history / problem. I had IPsecuritas working fine pre-OSX 10.5 and pre IPSecuritas 3.1 with my Juniper NS25, NS5XP, etc...
but since the upgrade to OSX 10.5.x and the migration to the new IPSecuritas, I can't get anything to connect. I have tried the wizards and instructional PDFs... no luck. Anyone have any ideas?

Re: Leopard IPsecuritas 3.1 not working with Leopa by Rommel on 2008-02-02 18:37:55 +0100
Changed Exchange Mode from Aggressive to Main, Aggressive. This did not get transferred properly in the importation. Works just fine now. :)

Re: Leopard IPsecuritas 3.1 not working with Leopa by ask on 2008-02-08 21:51:02 +0100
Tried that... still not working for me.

IPSecuritas Stopped Working After Leopard Upgrade
IPSecuritas Stopped Working After Leopard Upgrade by ask on 2008-01-29 02:50:09 +0100
I have been using IPSecuritas with my Juniper firewalls for a couple of years now. I recently upgraded my OS to Leopard and my existing VPN would not connect. I tried upgrading to the latest IPSecuritas and importing my existing VPN configs... but still no luck. I have tried recreating my VPNs with the wizards on my firewall and in IPSecuritas according to the Juniper Netscreen HOWTO.pdf... no luck. Has anyone had any luck getting IPSecuritas on Leopard to connect to any Juniper/Netscreen firewalls? Thanks! Spencer

Re: IPSecuritas Stopped Working After Leopard Upgr by brantwinter on 2008-01-29 12:06:25 +0100
I don't know if I am having the same issues, but totally uninstall IPSecuritas 3.1 and install the older 2.2 version. When I did this mine worked. If this does work please let Christoph know and he will probably ask for some logs etc.

Re: IPSecuritas Stopped Working After Leopard Upgr by mribiz on 2008-01-30 15:44:45 +0100
I can't seem to get 3.1 to work on Leopard as well. Where can I get the old version?

Re: IPSecuritas Stopped Working After Leopard Upgr by ask on 2008-02-03 01:16:01 +0100
I tried using IPSecuritas v2.2 again... still no luck.

Re: IPSecuritas Stopped Working After Leopard Upgr by brantwinter on 2008-02-03 06:03:00 +0100
I fixed my issues under Leopard by setting the Endpoint Mode to Anywhere rather than Network. Still not good, but at least I can get a tunnel up now.

Re: IPSecuritas Stopped Working After Leopard Upgr by ask on 2008-02-08 21:52:01 +0100
That did not fix the issue for me. Anyone else?

Re: IPSecuritas Stopped Working After Leopard Upgr by 2fs2ns on 2008-03-07 21:08:01 +0100
Same issue: installed IPSecuritas on 5 MacBooks running a pre-Leopard OS, all work just fine. The one Leopard machine we have, it doesn't work. I've tried all the above suggestions with no luck.

Re: IPSecuritas Stopped Working After Leopard Upgr by Cucumber on 2008-03-17 04:20:59 +0100
I just discovered IPSecuritas hoping that it would allow me to connect to a client's NetScreen 5GT. I went through the wizards and while it said it connected, pings or anything else would just hang (and finally time out). I tried all the above suggestions, and resorted to randomly changing the options (one at a time). Disabling NAT-T was the winner for me :) I'm using IPSecuritas 3.1 on 10.5.2

Re: IPSecuritas Stopped Working After Leopard Upgr by 2fs2ns on 2008-03-19 17:32:49 +0100
Just got it to work, checked the "Local IP in Remote Network" check box in Options... :-/

3.1 Does not work, 2.2 does
3.1 Does not work, 2.2 does by rghiglianovich on 2008-01-29 19:58:11 +0100
Hi, I have IPSecuritas 2.2 connecting to an IPCop box and it works quite well (using preshared key), OS X 10.4.11 on my site. Now I have downloaded 3.1, copied the configuration parameters and so on... The new version does not work. Why? Is there something to do? Thanks, Ric

Re: 3.1 Does not work, 2.2 does by brantwinter on 2008-01-31 12:36:58 +0100
Set your log to Debug in 3.2 and post the output here (please remove destination IP address) - I am having similar issues as well. I have sent logs and configs to the author but haven't heard back as yet.
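The collision check Christoph describes in the "pfkey X_SPDDUMP" thread above (the ppp0 interface's 10.0.0.0/8 containing the remote 10.0.10.0/24, and a local IP inside the remote network as in gould's and 2fs2ns's posts) reproduced as an added Python example. This is not IPSecuritas code; the interface list is constructed from Brant's ifconfig output, and the helper names are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    """One ifconfig entry that carries an IPv4 address."""
    name: str
    address: str
    netmask: str  # hex, exactly as macOS ifconfig prints it (e.g. 0xff000000)


# Constructed from the ifconfig output posted in the thread: the ppp0 link to
# the ISP carries 10.164.45.63 with netmask 0xff000000, i.e. all of 10.0.0.0/8.
SAMPLE_INTERFACES = [
    Interface("lo0", "127.0.0.1", "0xff000000"),
    Interface("ppp0", "10.164.45.63", "0xff000000"),
]

RFC1918_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def interface_network(iface: Interface) -> ipaddress.IPv4Network:
    """Network reachable directly through an interface, derived from its
    address and hex netmask. ppp0 above becomes 10.0.0.0/8, not a /32: that is
    why a /24 inside 10.x.x.x collides even though the user typed /24."""
    mask = ipaddress.IPv4Address(int(iface.netmask, 16))
    return ipaddress.ip_network(f"{iface.address}/{mask}", strict=False)


def collision_reasons(interfaces, remote_network, local_ip=None,
                      local_ip_in_remote_ok=False):
    """Reasons a connection would be flagged as not runnable: an interface
    network overlapping the remote network, or the chosen local IP lying inside
    the remote network while the 'Local IP in Remote Network' option is off.
    An empty list means no collision."""
    remote = ipaddress.ip_network(remote_network, strict=False)
    reasons = []
    for iface in interfaces:
        if iface.name.startswith("lo"):
            continue  # loopback never takes part in the tunnel
        net = interface_network(iface)
        if net.overlaps(remote):
            reasons.append(f"{iface.name} ({net}) overlaps remote network {remote}")
    if local_ip is not None and not local_ip_in_remote_ok:
        if ipaddress.ip_address(local_ip) in remote:
            reasons.append(f"local IP {local_ip} lies inside remote network {remote} "
                           "(enable 'Local IP in Remote Network' or pick another)")
    return reasons


def rfc1918_alternatives(remote_network, interfaces):
    """For each RFC 1918 block, the first subnet of the same prefix length that
    does not overlap any interface network: the renumbering fix recommended in
    the thread. Blocks with no collision-free subnet contribute nothing."""
    remote = ipaddress.ip_network(remote_network, strict=False)
    nets = [interface_network(i) for i in interfaces if not i.name.startswith("lo")]
    alternatives = []
    for block in RFC1918_BLOCKS:
        block_net = ipaddress.ip_network(block)
        if remote.prefixlen < block_net.prefixlen:
            continue  # requested network is larger than the whole block
        for candidate in block_net.subnets(new_prefix=remote.prefixlen):
            if not any(n.overlaps(candidate) for n in nets):
                alternatives.append(str(candidate))
                break
    return alternatives


if __name__ == "__main__":
    for remote in ("10.0.10.0/24", "11.0.11.0/24"):
        print(remote, "->", collision_reasons(SAMPLE_INTERFACES, remote) or "ok")
    print("alternatives:", rfc1918_alternatives("10.0.10.0/24", SAMPLE_INTERFACES))
```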
Trouble Exporting
Trouble Exporting by BladesAway on 2008-02-01 02:36:45 +0100
I have no idea what I am doing wrong.... I have built up a connection that is working perfectly. I need to export it to use on another machine. When I go to Edit Connections and then select Export, I enter a file name to export to and then click on Export. I then get prompted with "Missing Import Password. Please enter an Import password." Even if I put something in the Import Password field I get the error. Any ideas of what I might be doing wrong? Thanks, Scott

Re: Trouble Exporting by Forum Admin on 2008-02-01 09:52:44 +0100
Hello Scott, this is probably due to the Leopard related bug (see http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?num=1195575910). Please press TAB one more time after you entered a password and the export should just work fine. Hope this helps, Christoph

Re: Trouble Exporting by BladesAway on 2008-02-01 12:11:43 +0100
That was it. Thank you. That was driving me crazy! Being new to Mac OS and being a veteran of PC for over 20 years I couldn't help but wonder if it was me! Thanks again.

can connect to ipsec vpn, other subnet unreachable
can connect to ipsec vpn, other subnet unreachable by blst on 2008-02-05 06:09:25 +0100
I have a tunnel between a Fortigate firewall and a D-Link firewall which works fine. I have a VPN connection remotely to the Fortigate, but cannot reach resources on the other subnet. Has anyone solved this problem before? Can't seem to figure out if it's firewall issues or client issues. Thanks!

Where is the Wizard?
Where is the Wizard? by jscooper on 2008-02-06 12:53:39 +0100
OK, it's early, so I must just be bleary-eyed. But I just downloaded this app and cannot find this "wizard" icon anywhere. Not on the menu, not in the app. Where is it? Thanks, Jeff

Re: Where is the Wizard? by jscooper on 2008-02-07 03:50:12 +0100
Nevermind, I found it.
Looks like when you choose Open IPSecuritas from the menu bar, it opens version 2.1, but when you click the application icon, you get v3.1. Is this a bug or did I miss some setting somewhere? Thanks, Jeff
ps - used this app a couple of years ago and loved it. The site vanished for a while -- I'm very happy to see it back! :)

Netgear G834GT
Netgear G834GT by andy on 2008-02-07 22:00:44 +0100
Been having difficulty getting into my remote network remotely. Do I need to make alterations on the pass-through on the router?

Re: Netgear G834GT by Tanster on 2008-02-19 01:27:26 +0100
Pass through to *WHAT*? IPSecuritas is acting as the client side. You must have a server side. If your router doesn't have a VPN server built in (and the Netgear G834GT doesn't, from the specs I see on the Netgear website), then what are you connecting to behind it? Do you have a VPN server sitting there? Otherwise, you're barking up the wrong tree.

Re: Netgear G834GT by andy on 2008-02-19 09:51:27 +0100
Yes, was a bit cryptic. But you have helped on the other post. First job - get a new VPN-server-capable router locally. Thanks

not creating racoon.conf completely
not creating racoon.conf completely by coreyva on 2008-02-08 21:22:42 +0100
I'm having issues with IPSecuritas 3.1 on a 10.5.1 Intel system. The log stops at Resize address pool. Looking at the created racoon.conf, it is incomplete. It contains no connection setting. I've tried removing and reinstalling IPSecuritas, creating new profiles and connections, and creating a new user. No change. Below are the contents of the created racoon.conf.
# Racoon configuration created by IPSecuritas
log notify;
path pre_shared_key "/Library/Application Support/Lobotomo Software/IPSecuritas/psk.txt";
path certificate "/Library/Application Support/Lobotomo Software/IPSecuritas/certs";
padding {
	maximum_length 20;
	randomize on;
	strict_check off;
	exclusive_tail on;
}
timer {
	counter 5;
	interval 5 seconds;
	persend 1;
	phase1 15 seconds;
	phase2 15 seconds;
}
listen {
	adminsock "/Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock";
}
Anyone else seen this happen?

Re: not creating racoon.conf completely by brantwinter on 2008-02-09 08:29:29 +0100
Yes - I have been battling with exactly the same issue, but have had no real response or fix for the issue from these boards. I got around mine by changing the 'Endpoint Mode' to 'Anywhere'. In my case I was routing to a 10.x.x.x subnet, although I was using a Class C subnet mask (/24). I think IPSecuritas was applying the standard Class A subnet mask to this subnet. This is the only explanation I can come up with, as my Telstra NextG internet connection always gives me a 10.x.x.x/8 IP address. As I said, nobody has replied to my issues so I am only speculating. Try changing the endpoint mode and get back to me.

Re: not creating racoon.conf completely by coreyva on 2008-02-11 17:36:50 +0100
I'll give that a try, but what's strange is it's only one system having that issue. My laptop works fine. Both are Intel systems, for what it's worth.

Re: not creating racoon.conf completely by Forum Admin on 2008-02-13 22:50:07 +0100
Hello, hovering the mouse over the red indicator in the main window should give you a short indication of what's wrong. In your case, the connection is considered 'not runnable' for some reason, hence the empty racoon.conf file. Hope this helps, Christoph

Re: not creating racoon.conf completely by brantwinter on 2008-02-14 08:55:10 +0100
When I was having issues (Intel MBP 10.5.1) hovering over the red dot did nothing.
I never got any help text...

Re: not creating racoon.conf completely by coreyva on 2008-02-22 20:35:54 +0100
[quote author=Forum Admin link=1202502162/0#3 date=1202939407]Hello, hovering the mouse over the red indicator in the main window should give you a short indication of what's wrong. In your case, the connection is considered 'not runnable' for some reason, hence the empty racoon.conf file. Hope this helps, Christoph[/quote]
Thanks, but no go. Hovering over the dot produces nothing. I am using a working exported policy. Double checked all of the settings, and they are identical on the system that works and the one that doesn't. In fact, I cannot get it to make a connection to any of my VPNs. One difference between the two systems is that the working one was an upgrade to Leopard, and the non-working one was a fresh install. Not sure if that is contributing to the issue or not. The fact that it is only one system I'm seeing an issue with makes me believe it's something with that system rather than IPSecuritas, but I've not found it.

Connection successful, but can't reach network
Connection successful, but can't reach network by gould on 2008-02-09 20:23:23 +0100
I can establish a connection to the remote Lancom 1722 VPN gateway (green status dot), but besides the gateway I can't ping any computer in the remote network. This is my configuration: Host 192.168.223.232 to network 192.168.223.0/24. I can only ping 192.168.223.0 and 192.168.223.254, no other server in the same network. I suppose no data comes back from the remote side. First I thought the router on the local part, where my Mac is, blocks the packets, but when I use my Linux PC everything is fine - without changing the router configuration. Ergo: Linux with Shrew VPN Manager works, IPSecuritas (VPN Tracker neither) on Mac does not. Leopard firewall is off. I really have no idea what's wrong with my Mac configuration. Is there a routing problem? Any suggestions what I can do?
By the way: MODE_cfg never works, while I get an IP from the gateway on my Linux PC. Really weird.

Re: Connection successful, but can't reach network by Forum Admin on 2008-02-13 22:53:35 +0100
Hello, please try to change the local (virtual) IP to an address that's outside the remote network (interpreting the IPSec standard strictly, this is not allowed, although some routers allow it). Hope this helps, Christoph

Re: Connection successful, but can't reach network by gould on 2008-02-13 23:18:40 +0100
An IP address outside the remote network is not allowed. Furthermore, I was told that I shouldn't give an IP myself, because IKE config mode is configured. Due to the fact that MODE_CFG in IPSecuritas doesn't work for me, the Lancom gateway has no MAC address of the local interface and can't reach my local machine. My system administrator advised me to use a client that supports IKE config. Are there any known problems with the MODE_CFG option in IPSecuritas?

Re: Connection successful, but can't reach network by gould on 2008-02-15 15:37:54 +0100
In the meantime I'm pretty sure: the config mode is the problem. Is there a way to prove whether MODE_CFG in IPSecuritas works correctly? I think there must be something wrong with this option.

Re: Connection successful, but can't reach network by Tanster on 2008-02-19 01:54:43 +0100
Just curious, but is "Local IP in Remote Network" checked under the "Options" tab?

Re: Connection successful, but can't reach network by gould on 2008-02-21 14:33:36 +0100
Yes, it's checked. Otherwise I'd get a collision error.

What do you reckon?

What do you reckon? by andy on 2008-02-10 17:40:24 +0100
I run a newspaper and want my journalists to roam and link to the network. A friend recommended Lobo's software, saying it was very easy to set up. So I took a MacBook Pro with Mac OS X 10.5.1. The local work router is a Netgear DG834GT fronting a Mac and PC network that we want to get into. The remote router is a Netgear DG834G.
I have been told that we cannot configure the firewall on the DG834GT (no IKE etc etc), while the DG834G has VPN policies available. VPN Tracker's network environment checker shows both routers to be functional for IPSec and NAT. Should I buy a new office router? What would you recommend?

Re: What do you reckon? by Tanster on 2008-02-19 01:44:17 +0100
Insufficient data to work with. Could you give us more info about your intended network topology (i.e., what and where do you want to connect to what: connect the dots for us a bit more than you have thus far)? The Netgear DG834GT doesn't have a VPN server (according to the Netgear website) while the Netgear DG834G does (5 endpoints, again according to the Netgear website). But it's on the remote end. Which doesn't make sense. And where does IPSecuritas fit into the whole shebang you've described above? Note that "VPN traversal" does *NOT* mean VPN-server capable--it just means that it allows VPN packets to get through to a separate VPN server sitting somewhere on the back end on the local side. Normally, if you don't have a separate VPN server sitting on the back end, you'd have a VPN server-capable router at the local end (i.e., use the Netgear DG834G and toss the Netgear DG834GT) with all the roaming, remote laptops having IPSecuritas installed on them and connecting to the local end (i.e., the Netgear DG834G) from the outside via broadband or similar. And that's just the 30,000 foot view with really broad strokes of the paintbrush. I don't know if this is all you want or you have something else in mind. Hope it helps.

Re: What do you reckon? by andy on 2008-02-19 09:40:53 +0100
Yup, sorry :-/ I'm a novice but we can't afford a techie. I will firstly get a VPN server router fitted locally. Then I'll get IPSecuritas loaded onto the remote laptops. Basically, I need them to run 'anywhere to local network'. But you have confirmed what I wasn't sure about, that the local router is not capable. Thanks for that.
Andy

IP collision between local and remote networks

IP collision between local and remote networks by blst on 2008-02-13 17:15:29 +0100
I have set up an IPsec tunnel to a Fortigate 60B with three users and only one seems to work. Everything works fine for me (Leopard), but on the user's machine (Tiger) she started getting this message. My network at home is 10.0.1.0 and hers at home is 192.168.7.0 and the remote network is 192.168.0.0. I have a feeling it is probably not related to the client software but I am not really sure. Does anyone have any idea why this is happening? Thanks so much, Jason

Re: IP collision between local and remote networks by Forum Admin on 2008-02-13 22:48:11 +0100
Hello Jason, the problem is indeed that the two networks 192.168.7.0 and 192.168.0.0 overlap. This is not recommended (and probably also against the specification) for various reasons (one being that other computers will not be reachable anymore, another that there might be an address conflict between the local address and a machine in the remote network with the same address). However, I will add an option to disable these collision checks, since several people asked for it. For now, the easiest (and cleanest anyway) solution is to change her local network range to a different private range; please have a look at RFC 1918, section 3 (<http://www.faqs.org/rfcs/rfc1918.html>). Hope this helps, Christoph

Re: IP collision between local and remote networks by blst on 2008-02-13 23:29:08 +0100
Christoph, turns out that "local IP in remote network" became unchecked. Is there an explanation of what this setting means somewhere in the docs? Thanks so much for the quick reply. --Jason

Re: IP collision between local and remote networks by Tanster on 2008-02-18 21:28:15 +0100
[quote author=Forum Admin link=1202919329/0#1 date=1202939291]the problem is indeed that the two networks 192.168.7.0 and 192.168.0.0 overlap.
[/quote]
I was just reading through this thread and noticed that the original poster didn't provide subnet mask or CIDR info. I'm curious as to what clued you in to the two networks overlapping. Is there any other info that's not showing up here?

Re: IP collision between local and remote networks by blst on 2008-02-18 21:42:18 +0100
My original post:
IP collision between local and remote networks, 13. Feb 2008 at 17:15
Quote
I have set up an IPsec tunnel to a Fortigate 60B with three users and only one seems to work. Everything works fine for me (Leopard), but on the user's machine (Tiger) she started getting this message. My network at home is 10.0.1.0 and hers at home is 192.168.7.0 and the remote network is 192.168.0.0. I have a feeling it is probably not related to the client software but I am not really sure. Does anyone have any idea why this is happening? Thanks so much, Jason

Re: IP collision between local and remote networks by Tanster on 2008-02-19 01:02:56 +0100
It kinda looks exactly the same to me. There's still no subnet mask (e.g., 255.255.255.0) or CIDR (e.g. /24) info. Now, if your subnet mask was, say, 255.255.0.0 (i.e., CIDR of /16) or 255.0.0.0 (i.e., CIDR of /8), then I can see where 192.168.0.0 and 192.168.7.0 would overlap. But if your subnet mask was 255.255.255.0 (i.e., CIDR of /24), which is what most class C subnets would use, then 192.168.0.0 and 192.168.7.0 would not overlap. Since you didn't provide this info, there's no way to tell as far as I could see just from network addresses alone. That's why I was wondering if there was something I wasn't seeing here.

Re: IP collision between local and remote networks by blst on 2008-02-19 04:50:30 +0100
Sorry, I see what you mean now. Actually, this didn't seem to be the problem after all. What ended up being wrong is that the "local IP in remote network" option was not checked. Once I changed this, it was all fine. This doesn't make sense to me though.
Is the local address the one you define in the host endpoint, or is it your local address outside the VPN? Thanks for any light you could shed on this. We used to have a less sophisticated firewall and the Mac VPN connections were sufficient and had far fewer options. --Jason

Sonicwall tz170w and non-standard VPN Profile

Sonicwall tz170w and non-standard VPN Profile by russ990 on 2008-02-16 17:03:40 +0100
I have a tz170w running enhanced OS. The default GroupVPN policy has been configured to be used as our default L2TP server for Windows clients. I am trying to get IPSecuritas to connect to a different VPN Profile, but I can't figure out how to specify the VPN Profile to use. When I connect to the Sonicwall, the logs indicate that it is always trying to connect to the WAN GroupVPN. Is there a way to specify to IPSecuritas to tell it to use a different profile? I have attempted to configure the IPSecuritas side with the same parameters as our default GroupVPN, but that doesn't seem to want to connect.

Re: Sonicwall tz170w and non-standard VPN Profile by JimPBarber on 2008-06-07 01:25:58 +0200
On the ID tab set the Local Identifier to Key ID and enter the VPN Group ID. If you were connecting to the default group ID it would be GroupVPN. Just enter the name of the new VPN you created.

Recommend me a VPN server

Recommend me a VPN server by andy on 2008-02-19 11:23:56 +0100
Can you recommend a VPN server with firewall that IPSecuritas likes and is featured in the preloads? Thanks, Andy

Re: Recommend me a VPN server by Forum Admin on 2008-02-21 21:12:50 +0100
Hello Andy, I can recommend the following models; all of them can be set up very easily, work very reliably in my test environment and support NAT-T (which is important if you want to connect from public W-LAN or mobile phone networks):
- Zyxel ZyWall (e.g.
P1 or ZyWall 5)
- Linksys WRV200
- Juniper Netscreen 5x or SSG models
- m0n0Wall (http://www.m0n0.ch), for example on this platform (http://www.pcengines.ch/alix.htm) - very flexible and powerful, needs some tinkering, though
There is quite a range in price and features (besides VPN capability); best choose what you need. Please feel free to get in touch with me again if you need further information. Hope this helps, Christoph

Re: Recommend me a VPN server by andy on 2008-02-22 08:51:38 +0100
Thanks Christoph. I will be looking at several today. I might run some spec by you if I may. Cheers, Andy

Re: Recommend me a VPN server by Forum Admin on 2008-02-22 19:58:22 +0100
Sure, anytime. Cheers, Christoph

Connection Green, but not working - Leopard

Connection Green, but not working - Leopard by neil456 on 2008-02-23 00:02:23 +0100
Mac OS X 10.5.2. Can not ping or otherwise use the connection. Nothing seems to work. Have tried all of the things mentioned in the forum for Leopard. Reused the wizard to create a new connection. If it helps, I am out of the country, but can IM and audio conference without the VPN to the home network. It was also working prior to the upgrade to Leopard and has worked from the same hotel outside the country prior to Leopard for sure. It also worked using my WAN cellular card prior to leaving the country with Leopard. My WAN card does not work internationally so I am trying to use the same config with wired ethernet. How do I troubleshoot the problem? Log:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Feb 22, 16:55:42 Info APP IPSec authenticating
Feb 22, 16:55:43 Info APP IKE daemon started
Feb 22, 16:55:43 Info APP IPSec started
Feb 22, 16:55:43 Error IKE Foreground mode.
Feb 22, 16:55:43 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Feb 22, 16:55:43 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Feb 22, 16:55:43 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Feb 22, 16:55:43 Info IKE Resize address pool from 0 to 255
Feb 22, 16:55:43 Info APP Initiated connection Bloomingdale AT&T Card
Feb 22, 16:55:43 Error IKE inappropriate sadb acquire message passed.
Feb 22, 16:55:47 Warning IKE No ID match.
Feb 22, 16:55:47 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Feb 22, 16:55:50 Info APP Initiated connection Bloomingdale AT&T Card
Feb 22, 16:55:51 Info IKE the packet is retransmitted by 76.223.254.88[500].
Feb 22, 16:55:57 Info IKE the packet is retransmitted by 76.223.254.88[500].
Feb 22, 16:55:57 Info IKE the packet is retransmitted by 76.223.254.88[500].
Feb 22, 16:56:02 Error IKE libipsec failed pfkey check (Invalid SA type)
Feb 22, 16:56:02 Info IKE the packet is retransmitted by 76.223.254.88[500].
Feb 22, 16:56:02 Info IKE the packet is retransmitted by 76.223.254.88[500].
Feb 22, 16:56:08 Info IKE the packet is retransmitted by 76.223.254.88[500].
Feb 22, 16:56:08 Info IKE the packet is retransmitted by 76.223.254.88[500].

Re: Connection Green, but not working - Leopard by neil456 on 2008-02-24 15:19:42 +0100
OK, touch down in Miami and everything works. I am going back in 3 weeks and need to have this working. How do I troubleshoot this? Could be one of several possibilities?
1. Network is being filtered and some part of the VPN does not work. The hotel network provider indicates they allow VPNs and have not had any problems.
2. The method of securing internet access keeps the VPN from working. You know the problem, browser comes up and you have to put in a code to get access to the hotel network.
3. Leopard is unreliable.
Any ideas?
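A triage pass over logs like the one above, as an added example that is not part of the original thread and not IPSecuritas code: it parses the "Mon DD, HH:MM:SS Level Source message" lines IPSecuritas writes and flags the three failure patterns visible in the failing logs on this page. Repeated retransmissions with no "ISAKMP-SA established" line is the "no answer from the remote side" case Christoph describes in the SonicWall thread further down; "No ID match" followed by the pre-shared-key fallback points at the ID tab; and a timeout or "Giving up" means phase 1 never completed. The NEIL_LOG and MEGAMILES_LOG samples are lines copied from the posts on this page, the OK_LOG sample (with made-up SPI values) is constructed, and the message strings are the ipsec-tools racoon wording as it appears in those logs.

```python
import re
from collections import Counter

# Shape of the IPSecuritas log lines on this page, e.g. "Feb 22, 16:55:47 Warning IKE No ID match."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{2}:\d{2}:\d{2}) "
    r"(?P<level>Info|Warning|Error|Debug) (?P<src>APP|IKE) (?P<msg>.*)$"
)
# racoon's retransmission notice names the peer and port it re-sent to after getting no reply.
RETX_RE = re.compile(r"the packet is retransmitted by (?P<peer>[\d.]+)\[(?P<port>\d+)\]")

# Lines copied from neil456's log above (hotel network; status green but the tunnel is unusable).
NEIL_LOG = """\
Feb 22, 16:55:43 Info APP Initiated connection Bloomingdale AT&T Card
Feb 22, 16:55:43 Error IKE inappropriate sadb acquire message passed.
Feb 22, 16:55:47 Warning IKE No ID match.
Feb 22, 16:55:47 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Feb 22, 16:55:51 Info IKE the packet is retransmitted by 76.223.254.88[500].
Feb 22, 16:55:57 Info IKE the packet is retransmitted by 76.223.254.88[500].
Feb 22, 16:56:02 Error IKE libipsec failed pfkey check (Invalid SA type)
Feb 22, 16:56:08 Info IKE the packet is retransmitted by 76.223.254.88[500].
"""
# Lines copied from megamiles's SonicWall log further down (info level; phase 1 never answered).
MEGAMILES_LOG = """\
Mar 06, 22:13:34 Info APP Initiated connection XXXXX VPN
Mar 06, 22:13:34 Error IKE inappropriate sadb acquire message passed.
Mar 06, 22:13:39 Warning APP Connection XXXXX VPN timed out
Mar 06, 22:13:39 Warning APP Giving up
"""
# Constructed sample of a phase 1 that completes; the SPI values are made up.
OK_LOG = """\
Apr 06, 16:20:17 Info IKE initiate new phase 1 negotiation: 192.168.0.202[500]<=>192.168.0.220[500]
Apr 06, 16:20:17 Info IKE begin Aggressive mode.
Apr 06, 16:20:17 Info IKE the packet is retransmitted by 192.168.0.220[500].
Apr 06, 16:20:18 Info IKE ISAKMP-SA established 192.168.0.202[500]-192.168.0.220[500] spi:0a1b2c3d4e5f6071:1f2e3d4c5b6a7988
"""


def parse(lines):
    """Return {ts, level, src, msg} per log event; banners and hex dumps that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def retransmit_counts(lines):
    """Number of times racoon re-sent to each peer:port without a reply in between."""
    counts = Counter()
    for ev in parse(lines):
        m = RETX_RE.search(ev["msg"])
        if m:
            counts[f"{m['peer']}:{m['port']}"] += 1
    return dict(counts)


def triage(lines):
    """Map finding name -> explanation for the failure patterns seen in the logs on this page."""
    msgs = [ev["msg"] for ev in parse(lines)]
    findings = {}
    established = any(m.startswith("ISAKMP-SA established") for m in msgs)
    retx = retransmit_counts(lines)
    if retx and not established:
        peer, n = max(retx.items(), key=lambda kv: kv[1])
        findings["peer_unresponsive"] = (
            f"{n} retransmission(s) to {peer} and no ISAKMP-SA established: nothing came back from "
            "the gateway on this path (UDP 500/4500 blocked, NAT without NAT-T, or a network that "
            "only works once the client has a public address, as in the hotel case above)"
        )
    if any(m.startswith("No ID match") for m in msgs) or any("couldn't find the proper pskey" in m for m in msgs):
        findings["psk_identity_mismatch"] = (
            "racoon found no pre-shared key for the configured identifier and fell back to looking "
            "one up by peer address: check the ID tab (identifier type and value) against the gateway"
        )
    if any("time up waiting for phase1" in m or m.endswith("timed out") or m.lower().startswith("giving up") for m in msgs):
        findings["phase1_timeout"] = "phase 1 never completed before the timer expired; any other finding says why"
    # "inappropriate sadb acquire message passed." appears in every failing log posted on this page,
    # so it is deliberately not a finding on its own.
    return findings


if __name__ == "__main__":
    for name, log in (("neil456", NEIL_LOG), ("megamiles", MEGAMILES_LOG), ("constructed ok", OK_LOG)):
        print(name, retransmit_counts(log.splitlines()), triage(log.splitlines()) or "no findings")
```

Paste the text of the IPSecuritas log window into a file and feed its lines to triage(); the debug-level logs further down parse the same way, the hex dump lines simply do not match and are ignored.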
Re: Connection Green, but not working - Leopard by neil456 on 2008-03-21 14:11:35 +0100
Solved :) Need to get a public IP from the ISP. Now it works. Why couldn't IPSecuritas tell me it needed a public IP address? Neil

Connecting to Nortel Contivity (DreamHost)

Connecting to Nortel Contivity (DreamHost) by tuatara on 2008-02-23 02:19:45 +0100
DreamHost offers a VPN for customers. They're using Nortel Contivity. There are a few mentions of this VPN type in the forums here, but they mainly seem to be unresolved issues. Has anyone successfully connected to this VPN? Nortel Contivity doesn't appear in IPSecuritas' setup wizard, so I'm trying to configure it manually, using the rather brief info at the DreamHost wiki, http://wiki.dreamhost.com/KB_/_Account_Control_Panel_/_VPN_Users. The main info they give is that it uses IPSec, ESP (Encapsulated Security Payload) and AH (Authentication Header), encryption is 3DES, key length is 168 bits (56 bits per DES cipher). (Is that key length related to the DH Group option in IPSecuritas?) I've tried a few different permutations with no luck so far. Most recently, I tried it with the General tab set with IPSec Device ant.cloudconnector.com, a dimmed-out local Endpoint Mode, a remote Endpoint Mode set to Anywhere and DHCP Pass-Through enabled. The Phase 1 tab has Lifetime of 1800 seconds, DH Group as 1024 (2), Encryption as 3DES, Authentication as SHA-1 (I've also tried MD5), and the rest left at their defaults (Main, Obey, and Nonce Size of 16). I never seem to get past Phase 1. This is from the connection log, with some hex data stripped (just in case my password is in there). I'm not familiar with VPN setup so I may have missed something obvious. Hopefully there's some data here that's useful. Thanks for any help! Matt

Feb 23, 14:01:11 Info APP Initiated connection DreamHost VPN
Feb 23, 14:01:11 Debug IKE get pfkey ACQUIRE message
(Stripped hex data ...)
Feb 23, 14:01:11 Debug IKE suitable outbound SP found: 192.168.0.2/32[0] 0.0.0.0/0[0] proto=any dir=out.
Feb 23, 14:01:11 Debug IKE sub:0xbffff35c: 0.0.0.0/0[0] 192.168.0.2/32[0] proto=any dir=in
Feb 23, 14:01:11 Debug IKE db :0x108bf8: 0.0.0.0/0[0] 192.168.0.2/32[0] proto=any dir=in
Feb 23, 14:01:11 Debug IKE suitable inbound SP found: 0.0.0.0/0[0] 192.168.0.2/32[0] proto=any dir=in.
Feb 23, 14:01:11 Debug IKE new acquire 192.168.0.2/32[0] 0.0.0.0/0[0] proto=any dir=out
Feb 23, 14:01:11 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=22:21)
Feb 23, 14:01:11 Debug IKE (trns_id=DES encklen=0 authtype=hmac-md5)
Feb 23, 14:01:11 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-md5)
Feb 23, 14:01:11 Debug IKE (trns_id=AES encklen=256 authtype=hmac-md5)
Feb 23, 14:01:11 Debug IKE (trns_id=AES encklen=192 authtype=hmac-md5)
Feb 23, 14:01:11 Debug IKE (trns_id=AES encklen=128 authtype=hmac-md5)
Feb 23, 14:01:11 Debug IKE in post_acquire
Feb 23, 14:01:11 Debug IKE configuration found for 66.33.195.193.
Feb 23, 14:01:11 Info IKE request for establishing IPsec-SA was queued due to no phase1 found.

Re: Connecting to Nortel Contivity (DreamHost) by tuatara on 2008-03-06 08:44:09 +0100
Any other info I can give? Is it reasonable to think IPSecuritas might work with the Contivity system?

iPhone support?

iPhone support? by unhitched on 2008-02-26 01:39:34 +0100
Hey guys, will IPSecuritas ever work on an iPhone or iPod touch? Cheers

Re: iPhone support? by cnadig on 2008-02-26 18:39:44 +0100
Hello, this depends on the capabilities and availability of Apple's iPhone SDK. There are definitely intentions to port IPSecuritas to the iPhone. Cheers, Christoph

Re: iPhone support? by unhitched on 2008-02-26 23:46:58 +0100
Hey, thanks for the quick reply. I am a little confused over how the IPSecuritas product is... 'written'.
Does it use the 'builtin' OS X client, which appears to me to be only L2TP/PPTP, or have you guys written some funky pure-IPsec feature-set to interact with or work over the top of OS X? The reason I ask is I have a few Apple engineers I may be able to help depending on the answers. Cheers

Re: iPhone support? by cnadig on 2008-02-29 19:24:13 +0100
Hello, IPSecuritas comes with its own version of racoon, the IKE daemon, and does not use Apple's standard version of racoon (with 3.0, that is). The version supplied with IPSecuritas is based on the ipsec-tools rather than the KAME project and has a few extensions for NAT-T, ModeCfg support for certain firewall vendors as well as Checkpoint specific extensions. The rest of IPSecuritas is written in Objective-C using Cocoa. Any help for porting this to the iPhone is highly appreciated, of course. Cheers, Christoph

Netgear FVG318

Netgear FVG318 by Tanster on 2008-02-28 00:07:44 +0100
Does anybody out there have a Netgear FVG318 that can help me? I'm getting this issue where a setting of 0.0.0.0 or "Any" for the remote IP in the VPN policy (for traveling users whose IPs cannot be determined until activation time) results in everybody in the LAN losing connectivity to the Internet and each other. But all of them can ping the remote user using IPSecuritas 3.1. According to all the articles I've read in the Netgear KB, the remote IP setting of "Any" is correct. But it doesn't quite work in reality. The problem smacks to me of a routing issue but I can't figure out how to rectify it on the FVG318 side, since this problem occurs even if I just activate the VPN Policy but without any VPN tunnels active. Basically, I think I somehow need to specify that all packets intended for the remote user go through the VPN but everything else goes through the FVG318's LAN port (and thereby is either resent through the local LAN or out through the WAN port). But no other router such as ZyWALL or SonicWall has ever required me to do this manually.
Does the FVG318 require special static routes set up manually?

Sonicwall 3060 Enhanced

Sonicwall 3060 Enhanced by TeckboyNY on 2008-02-29 02:20:03 +0100
Anyone get it to work with a 3060 Enhanced model? Just curious.

Re: Sonicwall 3060 Enhanced by megamiles on 2008-03-07 23:00:21 +0100
Hello TeckboyNY, suffering with the same problem on our SonicWall Pro box. Have started a new post, but the solution, if found, will certainly assist you in connecting. Regards

Re: Sonicwall 3060 Enhanced by el_doctor on 2008-03-18 14:46:20 +0100
I'm working with a 2040 Pro Enhanced. If I follow the setup wizard with SonicWall model and Sonic Pro selection, it doesn't work. I tried with the TZ170 pre-configuration setup wizard and it works!!!

Re: Sonicwall 3060 Enhanced by andyfram on 2008-03-21 19:24:04 +0100
I'm also using the 3060Pro Enhanced and can't get it to work. I have the following in the logs if this means anything to anyone:
ERROR IKE inappropriate sadb acquire message passed.
ERROR IKE delete phase1 handle.
ERROR IKE delete phase1 handle.
Initiated Connection delete phase1 handle
Initiated Connection delete phase1 handle
ERROR IKE phase2 negotiation failed due to time up waiting for phase1.
It repeats that a few times and then says:
Warning APP giving up.

Re: Sonicwall 3060 Enhanced by JimPBarber on 2008-06-07 00:44:03 +0200
You can get it working but you have to drop XAUTH.... It is broken between SonicWall and IPSecuritas and causes a hang in phase 2 negotiation. Just turn off XAUTH. I am a CSSA and it took me a couple of days to work it all out. Here are the settings.
SonicWall WAN GroupVPN:

General Tab:
Authentication Method: IKE using Preshared Secret
Name: WAN GroupVPN
Shared Secret: <your shared secret>

Proposals Tab:
IKE (Phase 1) Proposal
DH Group: Group 2
Encryption: 3DES
Authentication: Sha1
Lifetime: 28800
IPsec (Phase 2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: Sha1
Enable Perfect Forward Secrecy [unchecked]
Life Time (seconds): 28800

Advanced Settings Tab: (Optional)
[x] Enable Windows Networking (NetBIOS) Broadcast
[x] Enable Multicast
Management via this SA: [ ] HTTP [ ] HTTPS [ ] SSH
Default Gateway: 0.0.0.0
Client Authentication
[ ] Require Authentication of VPN Clients via XAUTH
User Group for XAUTH users: Greyed out
Allow Unauthenticated VPN Client Access: <network of your choice>

Client Tab:
User Name and Password Caching
Cache XAUTH User Name and Password on Client: How you want it. <mine

Re: Sonicwall 3060 Enhanced by jessica on 2008-09-17 03:53:11 +0200
I was able to get this to work with XAuth.
Here's my setup:
SonicWALL Pro3060, OS Enhanced 4.0.0.2-51e
DHCP on, WAN GroupVPN with default settings (shown in detail in VPN Tracker's guide, http://www.equinux.com/cms_components/media/vpnt/VPNT_Interop_Howtos/1065/SonicOS_Enhanced-5-EN.pdf)
IPSecuritas 3.1, running on OS 10.5.4, settings as follows:
Remote IPSec Device: SonicWALL's external address
Local Endpoint Mode: Host, blank
Remote Endpoint Mode: Network, 10.1.10.0, 24 (of course yours will be different)
Phase 1: 28800 sec, 1024(2), 3DES, SHA-1, Aggressive, Claim, 16
Phase 2: 28800 sec, none, checked: DES, 3DES, HMAC MD5, HMAC SHA-1
ID: Address, Address, XAuth PSK, with my info entered
Options checked: IPSec, SIT, Initial Cont, Request Cert, Send Cert, Unique SAs, IKE Frag; NAT-T Enabled
I got it working without XAuth first, then crossed my fingers and re-enabled it, and it worked. Hopefully it will work for others as well. Saves me $120 for VPN Tracker!

AT&T Global Network Client

AT&T Global Network Client by drgonzo2k2 on 2008-03-04 05:38:20 +0100
Greetings, my company makes us use AT&T Global Network Client on PCs to connect remotely to their VPN. They offer absolutely no Mac support, and those of us with Mac laptops are left out in the cold. I was wondering if anyone had used this software as a replacement for the AT&T software, and if so how did you set it up to work properly? Any help would be appreciated.

Work with IPSecuritas from the command line

Work with IPSecuritas from the command line by sologroupmc on 2008-03-04 23:28:49 +0100
Is it possible to work with IPS from the command line? We do a lot of remote terminal work and it would be nice to be able to initiate/sever a connection using terminal. We could also then use bash scripting to automate tasks. Thanks!
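Tanster's point in the "IP collision" thread further up is that whether 192.168.0.0 and 192.168.7.0 collide depends entirely on the mask, brantwinter's guess in the first thread is that a 10.x.x.x address was being given the classful /8 instead of his /24, and gould's "Local IP in Remote Network" situation is a /32 host address inside the remote /24. The following Python is an added example, not part of any post above and not IPSecuritas code, that makes those three checks explicit with the standard ipaddress module: it normalises a local endpoint (host or network) and a remote network, reports whether and how they overlap, says which RFC 1918 block each sits in (the ranges Christoph points to), and computes the classful default prefix so the /8 pitfall can be reproduced. The function names check_selectors, classful_default_prefix, rfc1918_block and suggest_private_range are mine, and the sample addresses are the ones quoted in the threads.

```python
import ipaddress

# RFC 1918 section 3 private ranges, the blocks Christoph refers to in the IP collision thread.
RFC1918 = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classful_default_prefix(addr):
    """Prefix length a classful (pre-CIDR) reading of an IPv4 address implies: A=/8, B=/16, C=/24."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError(f"{addr} is not an IPv4 address")
    first_octet = int(ip) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    raise ValueError(f"{addr} is not a class A, B or C address")


def as_network(spec):
    """'192.168.7.0/24' stays as is; a bare host becomes a /32; host bits under the mask are
    cleared, so '192.168.7.5/24' becomes 192.168.7.0/24."""
    return ipaddress.ip_network(spec, strict=False)


def rfc1918_block(net):
    """The RFC 1918 block containing net, or None for a public (or otherwise non-1918) range."""
    for block in RFC1918:
        if net.subnet_of(block):
            return block
    return None


def check_selectors(local, remote):
    """Classify the local endpoint against the remote network the way a collision check would."""
    l, r = as_network(local), as_network(remote)
    if not l.overlaps(r):
        kind = "none"
    elif l.prefixlen == 32 and l.subnet_of(r):
        kind = "local_host_in_remote"   # gould's case: one host address inside the remote /24
    else:
        kind = "networks_overlap"       # one range contains (part of) the other
    return {
        "local": str(l),
        "remote": str(r),
        "overlap": kind != "none",
        "kind": kind,
        "local_rfc1918": str(rfc1918_block(l)),
        "remote_rfc1918": str(rfc1918_block(r)),
    }


def suggest_private_range(remote):
    """First RFC 1918 block that does not overlap the remote network, for re-addressing a home LAN."""
    r = as_network(remote)
    for block in RFC1918:
        if not block.overlaps(r):
            return str(block)
    return None


if __name__ == "__main__":
    cases = [
        ("192.168.7.0/24", "192.168.0.0/24"),       # Tanster: /24 on both sides, no overlap
        ("192.168.7.0/24", "192.168.0.0/16"),       # Tanster: remote read as /16, overlap
        ("192.168.223.232", "192.168.223.0/24"),    # gould: host inside the remote network
        ("10.5.6.7/%d" % classful_default_prefix("10.5.6.7"), "10.20.0.0/24"),  # brantwinter's /8
        ("10.5.6.7/24", "10.20.0.0/24"),            # the same host with the intended /24
    ]
    for local, remote in cases:
        print(check_selectors(local, remote))
    print("re-address to:", suggest_private_range("192.168.0.0/24"))
```

For the numbers in the thread this gives "none" for 192.168.7.0/24 against 192.168.0.0/24, "networks_overlap" for the same pair once the remote side is read as /16, and "local_host_in_remote" for gould's 192.168.223.232 against 192.168.223.0/24, which is the situation the "Local IP in Remote Network" option exists for. Feeding a 10.x.x.x address with its classful default instead of /24 turns a non-overlapping pair into an overlapping one, which is the behaviour brantwinter suspected.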
Re: Work with IPSecuritas from the command line by Forum Admin on 2008-03-04 23:35:46 +0100
Hello, we were actually thinking about a command line version, but would appreciate any input on the requirements of such a tool (how would you want to use it etc.). Thank you very much, Christoph

Re: Work with IPSecuritas from the command line by sologroupmc on 2008-03-05 00:12:35 +0100
A CLI version would be fantastic. I'll post some usage/feature requests here; let me know if you would like me to post them elsewhere (issue tracker, etc.). We use IPS for some of our client installations of software, establishing a VPN to our servers for Subversion and file xfer access. So for us, a typical use would be to create the SA, export to a file, deploy to the client workstation and configure IPS. It would be good if this was a CLI procedure, but not critical. It would be nice to create a package installer and deploy with ARD, or using SSH, but again, not critical. The crucial part for us is deployment and updates to software. We would like to ssh to the client machine (or have a script perform) a VPN connection to our servers. Then we could perform via CLI the svn updates, etc. When done, we could tear down the tunnel and close ssh. So in this case, the CLI version would only have to create and tear down the tunnel. Some feedback on the connection would be good. But really, just the basics to start out. It would be much better for us to not have to use ARD/Timbuktu each time we need to connect. Thanks Christoph for a truly wonderful piece of software.

SonicWall connections

SonicWall connections by megamiles on 2008-03-06 23:28:57 +0100
Hello all, I am trying to make a connection to a SonicWall Pro firewall (could be any SonicWall Pro model, 2040, 3060 etc.) using Lobotomo 3.1 on Mac 10.5.2 (Intel). Have followed configurations, have correct VPN parameters etc., but it fails Phase 1. Transcript of log follows if anyone can help......
IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Mar 06, 20:45:18 Info APP Smart Environment Detection enabled
Mar 06, 20:45:18 Info APP Smart Environment Detection: No environment found, reconfiguration
Mar 06, 22:13:06 Info APP IPSec authenticating
Mar 06, 22:13:06 Info APP IKE daemon started
Mar 06, 22:13:06 Info APP IPSec started
Mar 06, 22:13:06 Info APP Initiated connection XXXXX VPN
Mar 06, 22:13:06 Error IKE Foreground mode.
Mar 06, 22:13:06 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Mar 06, 22:13:06 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Mar 06, 22:13:06 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Mar 06, 22:13:06 Info IKE Resize address pool from 0 to 255
Mar 06, 22:13:13 Info APP Initiated connection XXXXX VPN
Mar 06, 22:13:20 Info APP Initiated connection XXXXX VPN
Mar 06, 22:13:27 Info APP Initiated connection XXXXX VPN
Mar 06, 22:13:34 Info APP Initiated connection XXXXX VPN
Mar 06, 22:13:34 Error IKE inappropriate sadb acquire message passed.
Mar 06, 22:13:39 Warning APP Connection XXXXX VPN timed out
Mar 06, 22:13:39 Warning APP Giving up
Mar 06, 22:14:47 Info APP IPSec stopping
Mar 06, 22:14:48 Info APP IKE daemon terminated
Mar 06, 22:14:48 Info APP IPSec stopped

Have tried with VPN Tracker 5 in demo mode, and made a connection immediately and could browse the remote network, use the beta Microsoft RDP client to link to a Windows Terminal Server. Looked at the VPN Tracker log, and could see a lot of stuff going on; I can post this if this would help find a solution. Clearly, I would like to use the Lobotomo IPSecuritas. Thanks

Re: SonicWall connections by cnadig on 2008-03-07 10:13:08 +0100
Hello, setting the log level to debug (in IPSecuritas' preferences) will reveal more information.
From what I see in this log, there does not seem to be an answer from the remote side, but the detailed log will give more information on which part of the negotiation fails. Cheers, Christoph

Re: SonicWall connections by megamiles on 2008-03-07 22:57:15 +0100
Hello Christoph, many thanks for the quick post. A little bit of info, which may be obvious: the remote network and my home network are NAT'ed. The remote network firewall is a SonicWall Pro 2040 (Enhanced software) which has a public IP, which has been replaced with xxx.xxx.xxx.xxx, but is reachable by the software. As advised, VPN Tracker 5 works straight off the bat, with the same Phase 1 / Phase 2 settings and basic IP info. Also my Windows XP system (using the SonicWall Global VPN Client) connects no problem. Debug log is too long to attach, and exceeds the 5500 character limit... please advise how to attach this. Can offer to send via e-mail as a PDF. Many thanks

Re: SonicWall connections by diwa on 2008-04-06 16:28:10 +0200
Hi, since I am facing the same error, I am posting in this thread instead of creating a new one. I have a SonicWall Pro 230, to which I was able to connect using my MacBook Pro running OS 10.4 and an older version of IPSecuritas. After upgrading to Leopard (now 10.5.2), I was installing IPSecuritas 3.1 (Build 1860), but I fail to connect to my SonicWall. As megamiles describes, I am able to connect using VPN Tracker 5 with the same settings as for IPSecuritas...
Here's my debug-level log:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Apr 06, 16:20:16 Debug APP State change from IDLE to AUTHENTICATING after event START
Apr 06, 16:20:16 Info APP IPSec authenticating
Apr 06, 16:20:16 Info APP IKE daemon started
Apr 06, 16:20:16 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER
Apr 06, 16:20:16 Info APP IPSec started
Apr 06, 16:20:16 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Apr 06, 16:20:16 Debug APP Received SADB message type X_SPDUPDATE - not interesting
Apr 06, 16:20:16 Info IKE Foreground mode.
Apr 06, 16:20:16 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Apr 06, 16:20:16 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Apr 06, 16:20:16 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Apr 06, 16:20:16 Info IKE Resize address pool from 0 to 255
Apr 06, 16:20:16 Debug IKE lifetime = 28800
Apr 06, 16:20:16 Debug IKE lifebyte = 0
Apr 06, 16:20:16 Debug IKE encklen=0
Apr 06, 16:20:16 Debug IKE p:1 t:1
Apr 06, 16:20:16 Debug IKE 3DES-CBC(5)
Apr 06, 16:20:16 Debug IKE SHA(2)
Apr 06, 16:20:16 Debug IKE 1024-bit MODP group(2)
Apr 06, 16:20:16 Debug IKE pre-shared key(1)
Apr 06, 16:20:16 Debug IKE hmac(modp1024)
Apr 06, 16:20:16 Debug IKE compression algorithm can not be checked because sadb message doesn't support it.
Apr 06, 16:20:16 Debug IKE parse successed.
Apr 06, 16:20:16 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management.
Apr 06, 16:20:16 Info IKE 192.168.0.202[4500] used as isakmp port (fd=6)
Apr 06, 16:20:16 Info IKE 192.168.0.202[500] used as isakmp port (fd=7)
Apr 06, 16:20:16 Debug IKE get pfkey X_SPDDUMP message
Apr 06, 16:20:16 Debug IKE 02120000 0f000200 01000000 bb050000 03000500 ff180000 10020000 c0a80200
Apr 06, 16:20:16 Debug IKE 00000000 00000000 03000600 ff200000 10020000 c0a800ca 00000000 00000000

Re: SonicWall connections by diwa on 2008-04-06 16:28:52 +0200
Apr 06, 16:20:17 Debug IKE suitable outbound SP found: 192.168.0.202/32[0] 192.168.2.0/24[0] proto=any dir=out.
Apr 06, 16:20:17 Debug IKE sub:0xbffff67c: 192.168.2.0/24[0] 192.168.0.202/32[0] proto=any dir=in
Apr 06, 16:20:17 Debug IKE db :0x108c28: 192.168.2.0/24[0] 192.168.0.202/32[0] proto=any dir=in
Apr 06, 16:20:17 Debug IKE suitable inbound SP found: 192.168.2.0/24[0] 192.168.0.202/32[0] proto=any dir=in.
Apr 06, 16:20:17 Debug IKE new acquire 192.168.0.202/32[0] 192.168.2.0/24[0] proto=any dir=out
Apr 06, 16:20:17 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
Apr 06, 16:20:17 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-sha)
Apr 06, 16:20:17 Debug IKE in post_acquire
Apr 06, 16:20:17 Debug IKE configuration found for 192.168.0.220.
Apr 06, 16:20:17 Info IKE IPsec-SA request for 192.168.0.220 queued due to no phase1 found.
Apr 06, 16:20:17 Debug IKE ===
Apr 06, 16:20:17 Info IKE initiate new phase 1 negotiation: 192.168.0.202[500]<=>192.168.0.220[500]
Apr 06, 16:20:17 Info IKE begin Aggressive mode.
Apr 06, 16:20:17 Debug IKE new cookie:
Apr 06, 16:20:17 Debug IKE 152f943f37bb765a
Apr 06, 16:20:17 Debug IKE use ID type of IPv4_address
Apr 06, 16:20:17 Debug IKE compute DH's private.
Apr 06, 16:20:17 Debug IKE 4cbdf7e5 6b3d95a2 7f74fb3b 4d59c9dc 546fbe97 846eb042 bfe382d0 bdd5067c
Apr 06, 16:20:17 Debug IKE f81af96f dfd5a1a3 f58077f7 988fe2fd 8ff2aa78 50e0337a 24f6b86f 2b798d08
Apr 06, 16:20:17 Debug IKE abddfc0a cb1b4eb6 37f49011 c10b8a79 be73ec5a 1c915b15 77b50d3c b6559693
Apr 06, 16:20:17 Debug IKE 188dff70 6348f6d0 74acd4bb 5492305f 334abeb5 5c801a01 19ea9fb0 eddd6fde
Apr 06, 16:20:17 Debug IKE compute DH's public.
Apr 06, 16:20:17 Debug IKE 0e2ce8b4 e7bd1302 a9be84f8 16c827b9 ab07327e e30199a7 efe2cd3c 345b2676
Apr 06, 16:20:17 Debug IKE cf97d6a5 73fcad2c 842e35b7 e9b27f77 03631fbd 112137f8 fd260e80 8a6c8c31
Apr 06, 16:20:17 Debug IKE 53b391fd 63179c33 0605f5a9 6f04b37e aa375613 bf953f87 a1ba5ba7 9d5f956a
Apr 06, 16:20:17 Debug IKE a0bee2e3 0be905dd a9d801fb 3b3b45b8 419ac03e c6ed1d3f 5129fda7 d1ddc34d
Apr 06, 16:20:17 Debug IKE authmethod is pre-shared key
Apr 06, 16:20:17 Debug IKE add payload of len 48, next type 4
Apr 06, 16:20:17 Debug IKE add payload of len 128, next type 10
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 5
Apr 06, 16:20:17 Debug IKE add payload of len 8, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 13
Apr 06, 16:20:17 Debug IKE add payload of len 16, next type 0
Apr 06, 16:20:17 Debug IKE 484 bytes from 192.168.0.202[500] to

Re: SonicWall connections by diwa on 2008-04-06 16:30:09 +0200

Apr 06, 16:20:17 Debug IKE 02060003 26000000 7a000000 00000000 03000500 ff200000 10020000 c0a800ca
Apr 06, 16:20:17 Debug IKE 00000000 00000000 03000600 ff200000 10020000 c0a800dc 00000000 00000000
Apr 06, 16:20:17 Debug IKE 02001200 02000200 9b000000 00000000 1c000d00 20000000 00030000 00000000
Apr 06, 16:20:17 Debug IKE 00010008 00000000 01000000 01000000 00000000 00000000 00000000 00000000
Apr 06, 16:20:17 Debug IKE 00000000 00000000 80510100 00000000 80700000 00000000 00000000 00000000
Apr 06, 16:20:17 Debug IKE 00040000 00000000 0001c001 00000000 01000000 01000000 00000000 00000000
Apr 06, 16:20:17 Debug IKE 00000000 00000000 00000000 00000000 80510100 00000000 80700000 00000000
Apr 06, 16:20:17 Debug IKE 00000000 00000000 000c0000 00000000 00010001 00000000 01000000 01000000
Apr 06, 16:20:17 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000
Apr 06, 16:20:17 Debug IKE 80700000 00000000 00000000 00000000
Apr 06, 16:20:17 Debug IKE ignore the acquire because ph2 found
Apr 06, 16:20:17 Debug IKE ===
Apr 06, 16:20:17 Debug IKE 360 bytes message received from 192.168.0.220[500] to 192.168.0.202[500]
Apr 06, 16:20:17 Debug IKE 152f943f 37bb765a 82a0c6e5 960b3c7c 01100400 00000000 00000168 04000034
Apr 06, 16:20:17 Debug IKE 00000001 00000001 00000028 01010001 00000020 01010000 80010005 80020002
Apr 06, 16:20:17 Debug IKE 80040002 80030001 800b0001 800c7080 0d000084 0f0d72dc 606be9c1 ec45b697
Apr 06, 16:20:17 Debug IKE 2aa873b0 a4ee9911 13047e1a aa28344a c39d2792 51e4618c ec69b354 6af345f1
Apr 06, 16:20:17 Debug IKE 652b12ac f72b550b 1fc9f0c3 c888a710 14dbc636 5eebe9a7 ca885aad b0d0fbf3
Apr 06, 16:20:17 Debug IKE 933552e8 ec9cdbfe 6ec80536 548f9b3b c5917c67 167a2680 73555427 37b5f211
Apr 06, 16:20:17 Debug IKE 92e08bc1 f8f11379 a74be7ba 6e7ccc17 8d3dc51d 82000014 4485152d 18b6bbcd
Apr 06, 16:20:17 Debug IKE 0be8a846 9579ddcc 82000018 fe2f1c61 46808848 594cf99a a084781f 31831a0a
Apr 06, 16:20:17 Debug IKE 0a000018 ec6f0e75 925e5b1e 682c239f 435d5834 032c003d 05000018 ad2b0f4d
Apr 06, 16:20:17 Debug IKE 3cc39629 0196fcaf 0f1711c2 5280ae2f 0d000014 03000000 30303430 31303138
Apr 06, 16:20:17 Debug IKE 36333631 0800000c 404bf439 522ca3f6 00000018 c348eaf2 8063e979 e5df3b17
Apr 06, 16:20:17 Debug IKE 3d890a8b 2f492be1
Apr 06, 16:20:17 Debug IKE begin.
Apr 06, 16:20:17 Debug IKE seen nptype=1(sa)
Apr 06, 16:20:17 Debug IKE seen nptype=4(ke)
Apr 06, 16:20:17 Debug IKE seen nptype=13(vid)
Apr 06, 16:20:17 Debug IKE seen nptype=130(nat-d)
Apr 06, 16:20:17 Debug IKE seen nptype=130(nat-d)
Apr 06, 16:20:17 Debug IKE seen nptype=10(nonce)
Apr 06, 16:20:17 Debug IKE seen nptype=5(id)
Apr 06, 16:20:17 Debug IKE seen nptype=13(vid)
Apr 06, 16:20:17 Debug IKE seen nptype=8(hash)
Apr 06, 16:20:17 Debug IKE succeed.
Apr 06, 16:20:17 Info IKE received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Apr 06, 16:20:17 Debug IKE received unknown Vendor ID
Apr 06, 16:20:17 Debug IKE 404bf439 522ca3f6

Re: SonicWall connections by diwa on 2008-04-06 16:31:17 +0200

Apr 06, 16:20:17 Debug IKE hashtype = SHA:SHA
Apr 06, 16:20:17 Debug IKE authmethod = pre-shared key:pre-shared key
Apr 06, 16:20:17 Debug IKE dh_group = 1024-bit MODP group:1024-bit MODP group
Apr 06, 16:20:17 Debug IKE an acceptable proposal found.
Apr 06, 16:20:17 Debug IKE hmac(modp1024)
Apr 06, 16:20:17 Debug IKE agreed on pre-shared key auth.
Apr 06, 16:20:17 Info IKE Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-00
Apr 06, 16:20:17 Info IKE Hashing 192.168.0.202[500] with algo #2
Apr 06, 16:20:17 Debug IKE hash(sha1)
Apr 06, 16:20:17 Info IKE NAT-D payload #-1 verified
Apr 06, 16:20:17 Info IKE Hashing 192.168.0.220[500] with algo #2
Apr 06, 16:20:17 Debug IKE hash(sha1)
Apr 06, 16:20:17 Info IKE NAT-D payload #0 verified
Apr 06, 16:20:17 Info IKE NAT not detected
Apr 06, 16:20:17 Debug IKE compute DH's shared.
Apr 06, 16:20:17 Debug IKE bab5179f 23f21b7d 0a451794 63586729 19364cdf 824ec5c4 bd6bc3c9 37ff151c
Apr 06, 16:20:17 Debug IKE db6ca3ec d525de68 71ca6cbf d738e5db 8ccb7028 951eefcb 44e56113 ecc0aed7
Apr 06, 16:20:17 Debug IKE 57c4ecf1 e3a43504 921734ec 8ef93f5b d8f127b0 f8016084 ed2c3a7a 80b119f5
Apr 06, 16:20:17 Debug IKE 30d6ad5c 71a4c038 5caad69d c487b164 c8b84613 f07398a0 4442ad9e fa242f92
Apr 06, 16:20:17 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Apr 06, 16:20:17 Debug IKE the psk found.
Apr 06, 16:20:17 Debug IKE psk: 2008-04-06 16:20:17: DEBUG2:
Apr 06, 16:20:17 Debug IKE 4c656e6e 61726439 39
Apr 06, 16:20:17 Debug IKE nonce 1: 2008-04-06 16:20:17: DEBUG:
Apr 06, 16:20:17 Debug IKE ce256712 97667fd8 9deaf391 8e9903e2
Apr 06, 16:20:17 Debug IKE nonce 2: 2008-04-06 16:20:17: DEBUG:
Apr 06, 16:20:17 Debug IKE ad2b0f4d 3cc39629 0196fcaf 0f1711c2 5280ae2f
Apr 06, 16:20:17 Debug IKE hmac(hmac_sha1)
Apr 06, 16:20:17 Debug IKE SKEYID computed:
Apr 06, 16:20:17 Debug IKE af696726 5a8b7477 7168bc1a f926fd04 cd546421
Apr 06, 16:20:17 Debug IKE hmac(hmac_sha1)
Apr 06, 16:20:17 Debug IKE SKEYID_d computed:
Apr 06, 16:20:17 Debug IKE 60d88d5f addadb88 29f703ed c950571f 61db2d67
Apr 06, 16:20:17 Debug IKE hmac(hmac_sha1)
Apr 06, 16:20:17 Debug IKE SKEYID_a computed:
Apr 06, 16:20:17 Debug IKE ffd3212f 9167c672 2666decb 2115b219 f4bfe04c
Apr 06, 16:20:17 Debug IKE hmac(hmac_sha1)
Apr 06, 16:20:17 Debug IKE SKEYID_e computed:
Apr 06, 16:20:17 Debug IKE 4c17b236 dbd6f454 92233793 f54a27aa 91dcbf1d
Apr 06, 16:20:17 Debug IKE encryption(3des)
Apr 06, 16:20:17 Debug IKE hash(sha1)
Apr 06, 16:20:17 Debug IKE len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
Apr 06, 16:20:17 Debug IKE hmac(hmac_sha1)
Apr 06, 16:20:17 Debug IKE compute intermediate encryption key K1
Apr 06, 16:20:17 Debug IKE 00
Apr 06, 16:20:17 Debug IKE 71689e10 67bbc8f4 f659fab4 42669621 9626574c
Apr 06, 16:20:17 Debug IKE hmac(hmac_sha1)

Re: SonicWall connections by diwa on 2008-04-06 16:32:04 +0200

Apr 06, 16:20:17 Debug IKE HASH (init) computed:
Apr 06, 16:20:17 Debug IKE c348eaf2 8063e979 e5df3b17 3d890a8b 2f492be1
Apr 06, 16:20:17 Debug IKE HASH for PSK validated.
Apr 06, 16:20:17 Debug IKE ===
Apr 06, 16:20:17 Debug IKE generate HASH_I
Apr 06, 16:20:17 Debug IKE HASH with:
Apr 06, 16:20:17 Debug IKE 0e2ce8b4 e7bd1302 a9be84f8 16c827b9 ab07327e e30199a7 efe2cd3c 345b2676
Apr 06, 16:20:17 Debug IKE cf97d6a5 73fcad2c 842e35b7 e9b27f77 03631fbd 112137f8 fd260e80 8a6c8c31
Apr 06, 16:20:17 Debug IKE 53b391fd 63179c33 0605f5a9 6f04b37e aa375613 bf953f87 a1ba5ba7 9d5f956a
Apr 06, 16:20:17 Debug IKE a0bee2e3 0be905dd a9d801fb 3b3b45b8 419ac03e c6ed1d3f 5129fda7 d1ddc34d
Apr 06, 16:20:17 Debug IKE 0f0d72dc 606be9c1 ec45b697 2aa873b0 a4ee9911 13047e1a aa28344a c39d2792
Apr 06, 16:20:17 Debug IKE 51e4618c ec69b354 6af345f1 652b12ac f72b550b 1fc9f0c3 c888a710 14dbc636
Apr 06, 16:20:17 Debug IKE 5eebe9a7 ca885aad b0d0fbf3 933552e8 ec9cdbfe 6ec80536 548f9b3b c5917c67
Apr 06, 16:20:17 Debug IKE 167a2680 73555427 37b5f211 92e08bc1 f8f11379 a74be7ba 6e7ccc17 8d3dc51d
Apr 06, 16:20:17 Debug IKE 152f943f 37bb765a 82a0c6e5 960b3c7c 00000001 00000001 00000028 01010001
Apr 06, 16:20:17 Debug IKE 00000020 01010000 800b0001 800c7080 80010005 80030001 80020002 80040002
Apr 06, 16:20:17 Debug IKE 011101f4 c0a800ca
Apr 06, 16:20:17 Debug IKE hmac(hmac_sha1)
Apr 06, 16:20:17 Debug IKE HASH (init) computed:
Apr 06, 16:20:17 Debug IKE f3a7b6cf 36279e72 6dec6ac3 7fa23fac f00ec507
Apr 06, 16:20:17 Info IKE Adding remote and local NAT-D payloads.
Apr 06, 16:20:17 Info IKE Hashing 192.168.0.220[500] with algo #2
Apr 06, 16:20:17 Debug IKE hash(sha1)
Apr 06, 16:20:17 Info IKE Hashing 192.168.0.202[500] with algo #2
Apr 06, 16:20:17 Debug IKE hash(sha1)
Apr 06, 16:20:17 Debug IKE add payload of len 20, next type 130
Apr 06, 16:20:17 Debug IKE add payload of len 20, next type 130
Apr 06, 16:20:17 Debug IKE add payload of len 20, next type 0
Apr 06, 16:20:17 Debug IKE 100 bytes from 192.168.0.202[500] to 192.168.0.220[500]
Apr 06, 16:20:17 Debug IKE sockname 192.168.0.202[500]
Apr 06, 16:20:17 Debug IKE send packet from 192.168.0.202[500]
Apr 06, 16:20:17 Debug IKE send packet to 192.168.0.220[500]
Apr 06, 16:20:17 Debug IKE 1 times of 100 bytes message will be sent to 192.168.0.220[500]
Apr 06, 16:20:17 Debug IKE 152f943f 37bb765a 82a0c6e5 960b3c7c 08100400 00000000 00000064 82000018
Apr 06, 16:20:17 Debug IKE f3a7b6cf 36279e72 6dec6ac3 7fa23fac f00ec507 82000018 ec6f0e75 925e5b1e
Apr 06, 16:20:17 Debug IKE 682c239f 435d5834 032c003d 00000018 fe2f1c61 46808848 594cf99a a084781f
Apr 06, 16:20:17 Debug IKE 31831a0a
Apr 06, 16:20:17 Debug IKE compute IV for phase2
Apr 06, 16:20:17 Debug IKE phase1 last IV:
Apr 06, 16:20:17 Debug IKE e45ad0b6 44d229a5 bcdf2e11
Apr 06, 16:20:17 Debug IKE hash(sha1)
Apr 06, 16:20:17 Debug IKE encryption(3des)
Apr 06, 16:20:17 Debug IKE phase2 IV computed:
Apr 06, 16:20:17 Debug IKE c6fc9684 98910dcf

Re: SonicWall connections by megamiles on 2008-04-06 16:47:07 +0200

Hello Diwa,

Thanks for the contribution. I have in fact sent a copy of my full debug log to the Lobotomo support e-mail, as I faced a post log limit. Clearly I could have spanned a few reply posts as you did ;)

It would be good to know if OS X 10.5.2 can be made to work with SonicWall Pro devices, as this could point to problems with the OS. Other posts seem to imply 10.4.x was OK, and only Leopard users have problems.
As stated, VPN Tracker 5 does work, but uses its own XAUTH extended authentication routine, so this is where I suspect the problems are for Lobotomo. The only problem now is that my evaluation phase on VPN Tracker has finished, so I'm back to connecting via a Windows box :(

Some relief may be at hand, if your SonicWall Pro is connected to a SonicWall SSL Appliance. Firmware version 2.5 (released 22 October 07) allows Mac OS X to also use NetExtender.

It would seem the problem can be solved, as VPN Tracker does work. If the developers need a SonicWall Pro box to try and connect to, let me know and I will see what can be done.

Many thanks,
megamiles

Re: SonicWall connections by diwa on 2008-04-06 17:10:54 +0200

[quote author=megamiles link=1204842537/0#8 date=1207493227]As stated, VPN Tracker 5 does work, but uses its own XAUTH extended authentication routine, so this is where I suspect the problems are for Lobotomo.[/quote]

I unmarked the "Use Extended Authentication" box...

[quote author=megamiles link=1204842537/0#8 date=1207493227]Some relief may be at hand, if your SonicWall Pro is connected to a SonicWall SSL Appliance.[/quote]

My SonicWall is connected to a Netgear DG834GB WLAN DSL router. But it doesn't matter. VPN using IPSecuritas is not working if I try to connect from the Internet, nor if I connect the WAN port of the SonicWall to my LAN...

Ciao
Dirk

Re: SonicWall connections by megamiles on 2008-04-06 17:36:30 +0200

Hello Diwa,

Just comparing my VPN Tracker 5 logs when connecting to the company SonicWall Pro does show that there is an extended authentication phase occurring, so I concluded it is necessary to check this option.

The SonicWall SSL Appliance is another 19" rack unit that sits with the SonicWall Pro firewall and hands off the SSL activity to the SSL Appliance box. It's not an attractive solution, and I just don't know why the basic SonicWall Pros can't be updated (firmware and some $$$) to run IPSec or SSL. It just seems to me the SSL Appliance is a way of getting more $$$.

Anyway, this does not resolve the Lobotomo connection issues via IPSec to a SonicWall Pro. It would be good to know if anyone has been successful using OS X 10.5.x (10.5.2 ideally).

Many thanks,
megamiles

Re: SonicWall connections by cshander on 2008-04-08 05:20:09 +0200

I am using a SonicWall Pro 2040 with v3.1.5.0-2s firmware and IPSecuritas 3.1 on Mac OS 10.5.2 successfully. I found it very difficult to get the right combination of settings for this to work, but have it working, so I took screenshots of all the related SonicWall pages and the IPSecuritas config. If you want, you can download the screenshots here: http://idisk.mac.com/cshander/Public/VPN%20Screenshots.zip

I hope this helps.

Re: SonicWall connections by diwa on 2008-04-08 08:29:37 +0200

[quote author=cshander link=1204842537/0#11 date=1207624809]If you want, you can download the screenshots here: http://idisk.mac.com/cshander/Public/VPN%20Screenshots.zip I hope this helps.[/quote]

I am asked to enter a username and password for the zip on mac.com...

Thanks
Dirk

Re: SonicWall connections by megamiles on 2008-04-08 15:16:57 +0200

Hello cshander,

Also having the same trouble as Diwa, needing user & password to access... It would be good to understand just what settings you had used.

Many thanks,
megamiles

Re: SonicWall connections by diwa on 2008-04-15 09:33:07 +0200

Sorry for moving this up, without anything new from my side... cshander, could you please provide us the password for your iDisk? Or is there anything I can do to help solve this problem?

Thanks
Dirk

Re: SonicWall connections by megamiles on 2008-04-15 17:58:22 +0200

Hello cshander,

Just adding to Dirk's / diwa's request to have a look at your config settings. Your iDisk is locked, so neither of us can access it. Please, if you can shed light on the tric
ks you used to connect to a SonicWall box, it would be very much appreciated. I am sure that both Dirk and I are in the same boat, along with many other SonicWall Pro users!

Many thanks,
megamiles

Re: SonicWall connections by gofuse on 2008-04-15 20:07:45 +0200

Just adding to this issue. I'm also having similar connection problems connecting to a SonicWall 3060 on OS 10.5.2. Works fine with VPN Tracker 5. Would be great if we can view the screenshots and recommend a solution.

Re: SonicWall connections by diwa on 2008-04-16 22:20:54 +0200

Hi and good evening ;-)

I was able to establish a connection to my SonicWALL Pro 320... I changed the "Entfernter Endpunkt" (Remote Endpoint) Mode in the "General" tab from "Network" to "Host" and put in an IP address from the remote network... The tunnel is also coming up if I set the Mode to "Networks" and put in the "real" network, here 192.168.0.0/24, and a non-existing one like 192.168.1.0/24... If I remove the non-existing one, the tunnel does not come up...

Ciao
dirk

Re: SonicWall connections by diwa on 2008-04-17 13:00:28 +0200

I could start crying... :'( Yesterday it worked, but today it doesn't... Needless to say, I didn't change anything.

Ciao
Dirk

Re: SonicWall connections by cshander on 2008-05-14 23:51:31 +0200

Thanks to a user emailing me and letting me know I had a password on the screenshots, I went and removed the password. I am sorry to those who tried to download the file; I thought I had set the file as public AND I thought I had set my preferences to notify me when replies were posted to this thread...

Here is the link again: http://idisk.mac.com/cshander/Public/VPN%20Screenshots.zip

One note of caution. My company just installed the latest firmware update for our SonicWall Pro 2040, going from v3 to v4, and now these settings do not work. I have been unable to get a connection with the v4 firmware, and tried varying settings with no luck "yet"...
Re: SonicWall connections by diwa on 2008-05-15 19:08:57 +0200

[quote author=cshander link=1204842537/15#19 date=1210801891]Here is the link again: http://idisk.mac.com/cshander/Public/VPN%20Screenshots.zip[/quote]

Now it worked. Thanks.

These settings look a little bit different than mine (because of a different SonicWall), but basically I do have the same settings in encryption/authentication etc.

While playing around a little bit, I found that my Parallels installation causes some problems. I have the Parallels NAT adapter active and set to DHCP. This adapter will keep the IP address, and if this has been one from the same subnet as my internal one, IPSecuritas cannot establish a tunnel... I have to deactivate the adapter manually to get the tunnel established.

Ciao
dirk

Netgear DG834v2 setup

Netgear DG834v2 setup by bergert on 2008-03-09 13:26:24 +0100

Hello,

Finally, I managed to get a connection to my 834. But the connection only remains up for a few minutes (60 seconds?) and then stops working. As soon as I restart IPSecuritas it comes back, but only for a minute or so. I check using PING and TRACEROUTE.

NOTE to other Netgear users:
- don't try to use SHA-1; it does not work, use MD5
- using FQDN user strings did not work for me; this is why I am using IPs now

Can anybody offer suggestions?

Thanks,
Tom

1) My setup:
MacMini on public IP (IPSecuritas) <-- Internet --> DG834v2 (ADSL2+, dyndns IP)

2) DG834 configuration:
Remote IP: single address, MacMini
Local subnet: 192.168.1.0
IKE: Initiator and Responder
Mode: Main Mode
DH Group: 2 (1024)
Local ID: WAN IP
Remote IP: IP Address
Encryption: DES
Authentication: MD5
SA Lifetime: 28800
PFS: Enabled

3) Logs:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Mar 09, 05:01:48 Info IKE @(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net)
Mar 09, 05:01:48 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Mar 09, 05:01:48 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Mar 09, 05:01:48 Info IKE Resize address pool from 0 to 255
Mar 09, 05:01:55 Info APP Initiated connection Netgear
Mar 09, 05:01:56 Error IKE not support transform-id=9 in ESP.
Mar 09, 05:01:56 Error IKE not support transform-id=9 in ESP.
Mar 09, 05:01:56 Error IKE not support transform-id=9 in ESP.
Mar 09, 05:02:01 Error IKE failed to get sainfo.
Mar 09, 05:02:01 Error IKE failed to get sainfo.
Mar 09, 05:02:01 Error IKE failed to pre-process packet.
Mar 09, 05:02:11 Error IKE failed to get sainfo.
Mar 09, 05:02:11 Error IKE failed to get sainfo.
Mar 09, 05:02:11 Error IKE failed to pre-process packet.
Mar 09, 05:02:31 Error IKE failed to get sainfo.
Mar 09, 05:02:31 Error IKE failed to get sainfo.
Mar 09, 05:02:31 Error IKE failed to pre-process packet.

Log from Netgear DG834:
Sun, 2008-03-09 12:01:29 - [USA] initiating Main Mode

Feature Request: Setting the MTU on start

Feature Request: Setting the MTU on start by next2you on 2008-03-13 11:02:34 +0100

Hi,

my VPN will only work reliably when I set the MTU on my AirPort (en1) to 1400 (instead of 1500). I have to do a

sudo ifconfig en1 mtu 1400

every time before starting up the VPN. I haven't found an easy way to make this stick at the OS X level besides the Terminal or writing my own startup script. Would there be a way to incorporate this into IPSecuritas? Or am I the rare case with an MTU performance problem?

Christian

P.S.: As a consequence, I suspect my mobile account freezes after the sudo if the VPN is up and "unreliable" and the computer is already bound to the OS X Server (10.5, OpenDirectory).

IPSecuritas reports 'Not Connected to daemon'

IPSecuritas reports 'Not Connected to daemon' by rooney1111 on 2008-03-13 22:43:03 +0100

I am running OS 10.5.2 with the latest version of IPSec. It works perfectly to 2 separate sites for a day or two, then breaks. Now when I launch it, it reports "Not connected to daemon" and all I can do is Force Quit. If I uninstall and re-install/set up, it works again for a couple of days, then breaks again. Is there a command line to re-connect it to the daemon or re-start the daemon? Any other ideas appreciated. When it works it's just great!

Linksys WRVS4400N firmware 1.1.03 woes

Linksys WRVS4400N firmware 1.1.03 woes by jfippin on 2008-03-14 02:11:39 +0100

Thanks to the wizard, I had been able to set up a VPN tunnel successfully between my MacBook Pro and the Linksys. That is, until I updated the firmware on the Linksys to the current version 1.1.03. Now, I can't get past Phase 1 for love nor money. I completely reset the Linksys to factory defaults after the firmware upgrade, and then manually set up the tunnel, but no joy. I've spent far too many hours on this already, tweaking everything I can think of.

Anybody had success with this new firmware? I could revert to 1.0.16, but there are a couple of new non-VPN capabilities in the new release that I'd like to hang on to. For the time being, Hamachi is getting me through, but I'd really like to have my Linksys tunnel back!

Thanks in advance for any insight.
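The MTU post above (next2you, "Feature Request: Setting the MTU on start") lowers en1 to 1400 without saying why 1500 fails. The reason is tunnel-mode ESP overhead: every inner packet gains an outer IP header, an ESP header, a CBC IV, padding, a trailer and an ICV, plus a UDP header when NAT-T is in use, so a full-size 1500-byte packet no longer fits a 1500-byte path and has to be fragmented or, with DF set, dropped. The following is an added Python example, not code from IPSecuritas or from any poster; it assumes IPv4, a CBC cipher and a 96-bit HMAC as negotiated in the logs in this thread (3DES-CBC with HMAC-SHA1), no IP options, and a 1500-byte path MTU.

```python
"""Tunnel-mode ESP overhead and the largest inner packet that still fits the path MTU.
Added example; not code from IPSecuritas or the forum post.  Assumes IPv4, a CBC
cipher, a 96-bit truncated HMAC and no IP options."""

OUTER_IPV4 = 20      # outer IPv4 header added by tunnel mode
UDP_NATT = 8         # UDP header when ESP is carried on port 4500 (NAT-T, RFC 3948)
ESP_HEADER = 8       # SPI + sequence number (RFC 2406)
ESP_TRAILER = 2      # pad length + next header
ICV_96 = 12          # truncated HMAC-MD5-96 / HMAC-SHA1-96 integrity check value


def esp_tunnel_size(inner_len, block=8, icv=ICV_96, natt=True):
    """Bytes on the wire for an inner IP packet of inner_len bytes in tunnel-mode ESP
    with a CBC cipher whose block size is `block` (8 for DES/3DES, 16 for AES)."""
    # RFC 2406: payload + padding + trailer must be a multiple of the cipher block size.
    pad = (-(inner_len + ESP_TRAILER)) % block
    iv = block                             # the CBC IV is one cipher block
    udp = UDP_NATT if natt else 0
    return OUTER_IPV4 + udp + ESP_HEADER + iv + inner_len + pad + ESP_TRAILER + icv


def max_inner_mtu(path_mtu=1500, block=8, icv=ICV_96, natt=True):
    """Largest inner packet whose encapsulation fits path_mtu without fragmentation."""
    for inner in range(path_mtu, 0, -1):
        if esp_tunnel_size(inner, block, icv, natt) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for any ESP packet")


def tcp_mss(inner_mtu):
    """TCP MSS to clamp to for that inner MTU (IPv4 + TCP headers, no options)."""
    return inner_mtu - 40


if __name__ == "__main__":
    full = esp_tunnel_size(1500)
    print(f"a 1500-byte inner packet becomes {full} bytes on the wire (3DES, NAT-T): "
          f"{full - 1500} bytes over a 1500-byte path, so it fragments or is dropped")
    for cipher, block in (("3DES", 8), ("AES-CBC", 16)):
        for natt in (False, True):
            mtu = max_inner_mtu(1500, block, natt=natt)
            print(f"{cipher:8s} NAT-T={natt!s:5s} inner MTU {mtu}  TCP MSS {tcp_mss(mtu)}")
```

Run as a script it shows that a full-size packet grows to 1560 bytes with 3DES and NAT-T, and that an inner MTU of 1438 (1446 without NAT-T, 1422 for AES-CBC) is the largest that never fragments; 1400 works for the same reason, just with more waste. Clamping TCP MSS on the gateway to the inner MTU minus 40 has the same effect for TCP traffic without touching the interface MTU.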
Problems connecting to Draytek 2800

Problems connecting to Draytek 2800 by macfanguy on 2008-03-17 22:10:11 +0100

Okay, 5 hours into it, I'm getting a bit frustrated...

I have set up several Drayteks in combination with IPS, specifically 2 2900's and 3 2510's. I recently installed 2 2800's, and guess what... I cannot get VPN to work! For the first time in 4 years...

The 2800's are updated with the latest firmware (2.8). I have of course set up the Drayteks the way I have always done so, and the same goes for IPS. As this didn't work, I re-read the instructions for setup, even though these are for an older FW version. Used the Wizard instead of manually entering the settings, just in case I missed something, but no go. Downloaded VPN Tracker (Sorry! ;-) ) just to test, and used their wizard: exactly the same problem. Their error tells me that it at least gets past Phase 1, which I can confirm, as IPS's log gives no time-out waiting for Phase 1.

Having traced it to phase 2, I changed all settings, turning things on and off. Having read some posts here, I tried changing the Endpoint Mode, and turning NAT on and off... No luck. I'm lost!

As I am not on site, I have no way of using Draytek's Syslog tools to check the Draytek end of the VPN setup; not even sure if it will show anything worthwhile. Of course, I have log output, should anybody be interested. I just don't understand enough of IPSec's process to figure out where it goes wrong.

Any help is greatly appreciated!

Re: Problems connecting to Draytek 2800 by macfanguy on 2008-04-17 12:15:11 +0200

Doesn't anybody have ANY clue... :o I'm almost desperate here, and Draytek support is, well, Draytek support. :'(

Sonicwall TZ170

Sonicwall TZ170 by mcclint on 2008-03-24 14:39:40 +0100

I'm trying to get IPSecuritas to work with a Sonicwall TZ170. I've gone through the router's VPN setup line by line and every setting is identical to how I have the IPSecuritas connection file set up, but every time I try to establish a connection I get "No Proposal Chosen". I've tried using the IPSecuritas connection wizard for the TZ170 but that doesn't work either.

As a test I used the demo version of VPN Tracker and it actually works! So I compared the settings in VPN Tracker to how I have IPSecuritas set up and once again, they are identical. Is there some magic, hidden button I need to click in IPSecuritas to make it work with this router? I have no problems getting it to work with a ZyWall 35.

Re: Sonicwall TZ170 by next2you on 2008-04-02 15:03:12 +0200

Just to assure you, IPSecuritas plus TZ170 works fine for me. I've configured the Group VPN with IKE using Preshared Secret; the proposal is group 2, 3DES, SHA1, lifetime 28800 seconds. IPsec Phase 2 is ESP, 3DES and SHA1, perfect forward secrecy is not enabled and the lifetime is 28800. In the advanced section only "Forward packets to remote VPNs" is checked. I'm also using client authentication using XAuth, but that is probably a few steps later.

Christian

Re: Sonicwall TZ170 by bertg on 2008-04-14 17:50:10 +0200

Hi,

I tried and tried, and in the log of the TZ170 I keep getting this:

6 UTC 04/14/2008 15:11:10.048 IKE Responder: IPSec proposal does not match (Phase 2)

Please see this flash movie for what I did: [URL=http://www.hotshare.net/flash/49209-4764030799.html]IPSecuritas.swf (1.00 MB)[/URL] (right click on the video and uncheck "Play" to pause...)

DHCP is NOT enabled in the TZ170. As you see in the PNG screenshot below, locally the TZ170 sits on IP address 10.0.0.2:

[img]http://i26.tinypic.com/332m8ae.png[/img]

What am I doing wrong?

I thank you in advance,
Bert

Re: Sonicwall TZ170 by cnadig on 2008-04-15 08:58:51 +0200

Hello Bert,

in the logs you sent me I can see that phase 1 is completed successfully, but phase 2 fails with no proposal chosen (meaning the settings on both sides for phase 2 don't match). Please change the remote network to 10.0.0.0/24 instead of 10.0.0.2/25 and disable PFS in phase 2 in IPSecuritas (or enable it on the firewall and set it to group 1).

Hope this helps,
Christoph

Re: Sonicwall TZ170 by rpc_rodgers on 2008-05-23 01:52:37 +0200

Several colleagues and I have been working with IPSecuritas 3.1 (Build 1860) under Mac OS X 10.5.2, going against a SonicWall TZ 170 SP. We have succeeded in connecting, but never with XAUTH enabled. We were particularly helped by the 12 June 2007 posting of sibble-comp. I want to contact him and Lobotomo support, but this forum apparently requires at least one posting to allow personal messages to be sent to other members, which prompts this posting. If anyone has pointers to very precise setup instructions for this configuration, or is willing to engage us via email or over the phone, we'd be grateful to hear from you! Good luck to all...

Re: Sonicwall TZ170 by sibble-comp on 2008-05-25 00:34:16 +0200

What's the question you have, rpc_rodgers? Ironic that I just happened to be checking this forum a day later.

Racoon with NAT-T?!

Racoon with NAT-T?! by .guru on 2008-03-25 07:42:59 +0100

I am really trying hard to compile racoon by hand from the sources. I am close to a breakthrough, but I still have problems with NAT-T support... it does not let me set --enable-natt while compiling? How do you handle this?

Help With WatchGuard Firebox...

Help With WatchGuard Firebox... by mikemiller on 2008-03-27 17:53:55 +0100

Hi guys,

I'm a bit new to OSX and to IPSec in general, so please bear with me being dumb and slow. We're a design/development house in the UK and currently have a mix of OSX and Windows boxes.
We bought a new MacBook as the support laptop with the plan being to run Bootcamped Windows and OSX on it. I've used MUVPN in the windows partition to connect to our [b]WatchGuard Firebox Edge X15[/b] using the wgx file that is produced via the Firebox configuration. This works fine. I then stumbled upon IPSecuritas and tried to get this working in the OSX partition. I downloaded the Help PDF and noticed that there is a desktop configuration program being used and not the web interface I am lumped with. I've tried to work through the instructions via the web interface, however it is quite different and I got nowhere, if anyone could offer any help it would be greatly appreciated. Mike. Re: Help With WatchGuard Firebox... by itsm-support on 2008-04-03 14:55:34 +0200 I use MUVPN for Windows, too. I configured IPSecuritas like it was described in the Help PDF. If you change the Mode to "Aggressive" the connection will work. But after 9 minutes the VPN connection disconnect and you must connect again. Maybe anybody can help me with this problem. Here the Log-File: Mar 29, 15:48:33 Info APP IPSec authenticating Mar 29, 15:48:33 Info APP IKE daemon started Mar 29, 15:48:33 Info APP IPSec started Mar 29, 15:48:33 Error IKE Foreground mode. Mar 29, 15:48:33 Info IKE @(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net) Mar 29, 15:48:33 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Mar 29, 15:48:33 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Mar 29, 15:48:33 Info IKE Resize address pool from 0 to 255 Mar 29, 15:48:33 Info APP Initiated connection Sogeti Mar 29, 15:48:33 Error IKE inappropriate sadb acquire message passed. Mar 29, 15:48:33 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Mar 29, 15:51:32 Error IKE unhandled notify message 32768, no phase2 handle found. 
Mar 29, 15:54:31 Error IKE unhandled notify message 32768, no phase2 handle found. Mar 29, 15:57:31 Error IKE unhandled notify message 32768, no phase2 handle found. Re: Help With WatchGuard Firebox... by itsm-support on 2008-04-09 12:22:23 +0200 I activate the debug modus and I can see there is something else: Apr 08, 20:36:39 Debug IKE 68 bytes message received from xxx.xxx.xxx.xxx[4500] to 192.168.178.11[4500] Apr 08, 20:36:39 Debug IKE 83859376 97274c48 97a06b3f 69fbb063 08100501 5eb31459 00000044 59f7af51 Apr 08, 20:36:39 Debug IKE 22633302 54ff1026 ce420ca5 299bd048 9c5ee278 d0466696 aa0ed8ff 6d2316fd Apr 08, 20:36:39 Debug IKE d22166ea Apr 08, 20:36:39 Debug IKE receive Information. Apr 08, 20:36:39 Debug IKE compute IV for phase2 Apr 08, 20:36:39 Debug IKE phase1 last IV: Apr 08, 20:36:39 Debug IKE 14465d4d fc06e38c 5eb31459 Apr 08, 20:36:39 Debug IKE hash(sha1) Apr 08, 20:36:39 Debug IKE encryption(des) Apr 08, 20:36:39 Debug IKE phase2 IV computed: Apr 08, 20:36:39 Debug IKE 9b3e8f1b 56a79fb0 Apr 08, 20:36:39 Debug IKE begin decryption. Apr 08, 20:36:39 Debug IKE encryption(des) Apr 08, 20:36:39 Debug IKE IV was saved for next processing: Apr 08, 20:36:39 Debug IKE 6d2316fd d22166ea Apr 08, 20:36:39 Debug IKE encryption(des) Apr 08, 20:36:39 Debug IKE with key: Apr 08, 20:36:39 Debug IKE 898b0884 a7c0c219 Apr 08, 20:36:39 Debug IKE decrypted payload by IV: Apr 08, 20:36:39 Debug IKE 9b3e8f1b 56a79fb0 Apr 08, 20:36:39 Debug IKE decrypted payload, but not trimed. Apr 08, 20:36:39 Debug IKE 0b000018 c0e4c815 102335ab 338e0b64 2aefba42 06bf0b24 0000000c 00000001 Apr 08, 20:36:39 Debug IKE 01008000 00000000 Apr 08, 20:36:39 Debug IKE padding len=1 Apr 08, 20:36:39 Debug IKE skip to trim padding. Apr 08, 20:36:39 Debug IKE decrypted. 
Apr 08, 20:36:39 Debug IKE 83859376 97274c48 97a06b3f 69fbb063 08100501 5eb31459 00000044 0b000018 Apr 08, 20:36:39 Debug IKE c0e4c815 102335ab 338e0b64 2aefba42 06bf0b24 0000000c 00000001 01008000 Apr 08, 20:36:39 Debug IKE 00000000 Apr 08, 20:36:39 Debug IKE IV freed Apr 08, 20:36:39 Debug IKE HASH with: Apr 08, 20:36:39 Debug IKE 5eb31459 0000000c 00000001 01008000 Apr 08, 20:36:39 Debug IKE hmac(hmac_sha1) Apr 08, 20:36:39 Debug IKE HASH computed: Apr 08, 20:36:39 Debug IKE c0e4c815 102335ab 338e0b64 2aefba42 06bf0b24 Apr 08, 20:36:39 Debug IKE hash validated. Apr 08, 20:36:39 Debug IKE begin. Apr 08, 20:36:39 Debug IKE seen nptype=8(hash) Apr 08, 20:36:39 Debug IKE seen nptype=11(notify) Apr 08, 20:36:39 Debug IKE succeed. Apr 08, 20:36:39 Error IKE unhandled notify message 32768, no phase2 handle found. After 3 times all 3 minutes Apr 08, 20:48:43 Debug Apr 08, 20:48:43 Debug Apr 08, 20:48:44 Debug Apr 08, 20:48:44 Debug Apr 08, 20:48:46 Debug Apr 08, 20:48:46 Debug Apr 08, 20:48:46 Debug Apr 08, 20:48:46 Debug (maybe Entourage checks for emails) i get this: IKE msg 5 not interesting IKE msg 5 not interesting IKE msg 5 not interesting IKE msg 5 not interesting IKE msg 5 not interesting IKE msg 5 not interesting IKE msg 5 not interesting IKE msg 5 not interesting IPSecuritas 3.1 with Fortigate 3.0 IPSecuritas 3.1 with Fortigate 3.0 by edcor123 on 2008-04-01 15:57:11 +0200 Hi all, Did some succeed to connect IPSEcuritas 3.1 to a Fortigate V3.0 IOS release ? I need to connect a couple of users with dynamic IP Adress The Fortigate has a public IP address but I can make it work (even after several tests) I tried to activate Xauth and IPSEC DHCP with no success .... Is someone able to send me back some config ? Thanks Re: IPSecuritas 3.1 with Fortigate 3.0 by edcor123 on 2008-04-01 16:01:04 +0200 ... 
... for a better description:
The Fortigate is configured in NAT mode
LAN IP address: 192.168.3.1 /24
IP WAN address: 195.115.112.56 /29
Do I need to activate Xauth in the Fortigate?
Do I need to configure Xauth-PSK on IPSecuritas?
Do I need to force NAT-T since users are behind ADSL routers?
Thanks for any tip.

Re: IPSecuritas 3.1 with Fortigate 3.0
by lleung on 2008-05-02 04:56:19 +0200

[quote author=edcor123 link=1207058231/0#1 date=1207058464]... for a better description:
The Fortigate is configured in NAT mode
LAN IP address: 192.168.3.1 /24
IP WAN address: 195.115.112.56 /29
Do I need to activate Xauth in the Fortigate?
Do I need to configure Xauth-PSK on IPSecuritas?
Do I need to force NAT-T since users are behind ADSL routers?
Thanks for any tip.[/quote]

No, No, Yes.
Also something to note: evidently firmware 3.0 MR5 and MR6 broke xauth compatibility with IPSecuritas.

Linksys WRVS4400N - No connection
by ravensolutions on 2008-04-02 04:09:09 +0200

Hi - running 10.5.2, and I have tried everything I can to get a working VPN connection. IPSecuritas is my last straw... What's odd is that I was able to connect using the Linksys QuickVPN on the same Mac running Windows Vista under VMWare, so I know that this should work. I chose the Linksys WRVS4400N from the wizard and added what I believed to be the correct settings. Here's the regular log:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Apr 01, 20:01:16 Info APP IPSec authenticating
Apr 01, 20:01:16 Info APP IKE daemon started
Apr 01, 20:01:16 Info APP IPSec started
Apr 01, 20:01:16 Error IKE Foreground mode.
Apr 01, 20:01:16 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Apr 01, 20:01:16 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Apr 01, 20:01:16 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Apr 01, 20:01:16 Info IKE Resize address pool from 0 to 255
Apr 01, 20:01:16 Info APP Initiated connection MAHVPN
Apr 01, 20:01:16 Error IKE inappropriate sadb acquire message passed.
Apr 01, 20:01:23 Info APP Initiated connection MAHVPN
Apr 01, 20:01:30 Info APP Initiated connection MAHVPN
Apr 01, 20:01:32 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 66.224.240.74[500]->192.168.0.3[500]
Apr 01, 20:01:37 Info APP Initiated connection MAHVPN
Apr 01, 20:01:37 Error IKE inappropriate sadb acquire message passed.
Apr 01, 20:01:39 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 66.224.240.74[500]->192.168.0.3[500]
Apr 01, 20:01:44 Info APP Initiated connection MAHVPN
Apr 01, 20:01:46 Error IKE phase1 negotiation failed due to time up. 68b4db46769c3ccf:0000000000000000
Apr 01, 20:01:46 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 66.224.240.74[500]->192.168.0.3[500]
Apr 01, 20:01:49 Warning APP Connection MAHVPN timed out
Apr 01, 20:01:49 Warning APP Giving up
Apr 01, 20:01:53 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 66.224.240.74[500]->192.168.0.3[500]
Apr 01, 20:02:00 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 66.224.240.74[500]->192.168.0.3[500]
Apr 01, 20:02:04 Info APP IPSec stopping
Apr 01, 20:02:05 Info APP IKE daemon terminated
Apr 01, 20:02:05 Info APP IPSec stopped

I'd send the debug log if I had enough space. ANY help would be appreciated.
Steve

Trying to get set up
by andy on 2008-04-04 14:22:02 +0200

MacBook Pro / Core 2 Duo / Leopard 10.5.2
Local (me) → wireless → my local gateway (Netgear DG834G) → work remote (Netgear DGFV338) → subnet 192.168.0.0/24
The remote gateway has an auto policy set up for a local VPN client.
When I try to log in I get:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Apr 04, 13:12:08 Info APP IPSec authenticating
Apr 04, 13:12:08 Info APP IKE daemon started
Apr 04, 13:12:08 Info APP IPSec started
Apr 04, 13:12:08 Error IKE Foreground mode.
Apr 04, 13:12:08 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Apr 04, 13:12:08 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Apr 04, 13:12:08 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Apr 04, 13:12:08 Info IKE Resize address pool from 0 to 255
Apr 04, 13:12:08 Info APP Initiated connection CHHomer
Apr 04, 13:12:08 Error IKE inappropriate sadb acquire message passed.
Apr 04, 13:12:15 Info APP Initiated connection CHHomer
Apr 04, 13:12:22 Info APP Initiated connection CHHomer
Apr 04, 13:12:29 Info APP Initiated connection CHHomer
Apr 04, 13:12:29 Error IKE inappropriate sadb acquire message passed.
Apr 04, 13:12:36 Info APP Initiated connection CHHomer
Apr 04, 13:12:41 Warning APP Connection CHHomer timed out
Apr 04, 13:12:41 Warning APP Giving up

Am I close, or don't I know what I'm doing? :o
Anyone's wisdom would be gratefully received.
Cheers
Andy

Limit in number of connections
by fabien.magagnosc on 2008-04-08 19:00:35 +0200

Actually, I'm using IPSecuritas (thanks a lot for this beautiful software) to connect to my company VPN ... but the fact is that we have a lot of VPNs ... and actually, after 5 connections within one profile, the latest connection is always not configured in racoon.conf, and not started (it stays red in the menubar item list).
Is there any limitation in terms of concurrent VPNs running? If not, how can I force IPSecuritas to open more connections as needed?
Thanks a lot,
Fabien.

cant connect
by Flare on 2008-04-08 19:17:30 +0200

Hello, I have a strange problem. BTW, I'm new to Mac. I have 2x the same MacBook Pro, same model etc. I installed IPSecuritas on one of them and it works fine; I can connect to my branch office firewall. On the other MacBook Pro I've got a problem. I installed and configured it the same way. I took a look at the log and this is all I see, nothing more. The light is red and nothing happens. What's wrong here? I took a look at the task manager and I see that no IPSecuritas daemon is running. Very strange. Can someone help me?

Apr 04, 13:12:08 Info APP IPSec authenticating
Apr 04, 13:12:08 Info APP IKE daemon started
Apr 04, 13:12:08 Info APP IPSec started
Apr 04, 13:12:08 Error IKE Foreground mode.
Apr 04, 13:12:08 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Apr 04, 13:12:08 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Apr 04, 13:12:08 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Apr 04, 13:12:08 Info IKE Resize address pool from 0 to 255

greets
rene

Re: cant connect
by Flare on 2008-04-11 07:49:22 +0200

Hello, I found the problem: there was a vmnet8 interface configured with the same address as the destination network. Now it works.
greets
rene

Re: cant connect
by noidea on 2008-07-23 04:47:20 +0200

Hello Rene,
Can you explain how you resolved this issue in a bit more detail? I am totally new to this and I am having the same problem but I don't know how to fix it.

Jul 22, 22:40:50 Info APP IPSec authenticating
Jul 22, 22:40:50 Info APP IKE daemon started
Jul 22, 22:40:50 Info APP IPSec started
Jul 22, 22:40:50 Info IKE Foreground mode.
Jul 22, 22:40:50 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 22, 22:40:50 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jul 22, 22:40:50 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jul 22, 22:40:50 Info IKE Resize address pool from 0 to 255

XAUTH + RSA Status?
by yongel on 2008-04-11 21:16:31 +0200

Hello, as I am currently investigating IPSecuritas to serve as my default Mac OS VPN client, I'm very interested in what the implementation status of XAUTH + RSA is. I found an older thread where you offered a 3.1.1 prerelease that should be able to handle this scenario correctly. So I downloaded that version and tried to configure it. Sadly the required combination of settings is not allowed. When I select "Local Authentication Certificate" & "XAUTH + RSA" & my imported certificate I always get a yellow exclamation mark indicating that my config does not provide a certificate. Switching back to RSA only, everything is error free again. Can you tell me what is going wrong here and if I can expect a corrected version?
Thanks in advance and best regards.
Markus

Tunnel Established but cannot Ping or use ARD
by rooney1111 on 2008-04-15 15:32:12 +0200

I am using 10.5.2 and IPSecuritas 3.1. It's just stopped working - I get a green connection but cannot ping the remote network nor use ARD. A colleague has no problem with a similar configuration.

Re: Tunnel Established but cannot Ping or use ARD
by artemide on 2008-04-17 23:58:05 +0200

I am having the same issue. OS X 10.5.2, IPSecuritas 3.1, the tunnel is active on both sides, but I can not ping. The other end is Smoothwall Advanced Firewall 2008.
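The WatchGuard Firebox debug dump a few posts up ("68 bytes message received ... unhandled notify message 32768") can be read by hand once the ISAKMP layout is known. The following Python is an added example written for this page, not code from IPSecuritas or racoon: it takes the hex words racoon printed (the message as received, and the 40 bytes listed after "decrypted payload, but not trimed."), parses the fixed header, walks the payload chain and reproduces the exact bytes racoon listed under "HASH with:". Field names and the private-use range follow RFC 2408 and RFC 2409; nothing else is assumed.

```python
"""Decode the ISAKMP informational message from the WatchGuard debug log above.

Added example, not code from IPSecuritas or racoon. The hex words are copied
from the racoon debug output in that post; field names follow RFC 2408/2409.
"""
import struct

# 68-byte message as received (28-byte header + 40 encrypted bytes).
RECEIVED_HEX = (
    "83859376 97274c48 97a06b3f 69fbb063 08100501 5eb31459 00000044 59f7af51 "
    "22633302 54ff1026 ce420ca5 299bd048 9c5ee278 d0466696 aa0ed8ff 6d2316fd "
    "d22166ea"
)
# The 40 bytes racoon printed after "decrypted payload, but not trimed."
DECRYPTED_HEX = (
    "0b000018 c0e4c815 102335ab 338e0b64 2aefba42 06bf0b24 0000000c 00000001 "
    "01008000 00000000"
)

EXCHANGE_TYPES = {2: "identity protection", 4: "aggressive", 5: "informational", 32: "quick mode"}
PAYLOAD_TYPES = {8: "hash", 11: "notify", 12: "delete"}
FLAG_ENCRYPTION = 0x01
# RFC 2408 section 3.14.1: notify message types 32768-40959 are "private use".
PRIVATE_NOTIFY = range(32768, 40960)


def hexwords(text):
    return bytes.fromhex(text.replace(" ", ""))


def parse_header(msg):
    """Fixed 28-byte ISAKMP header (RFC 2408 section 3.1); checks the length field."""
    if len(msg) < 28:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, np, ver, etype, flags, msgid, length = struct.unpack("!8s8sBBBBII", msg[:28])
    if length != len(msg):
        raise ValueError(f"length field {length} does not match {len(msg)} bytes on the wire")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": np,
        "version": (ver >> 4, ver & 0xF),
        "exchange_type": etype,
        "exchange_name": EXCHANGE_TYPES.get(etype, "other"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msgid,
        "length": length,
    }


def parse_payloads(first_type, body):
    """Walk the generic payload chain (next type, reserved, length per payload).

    Returns the parsed payloads and the offset where the chain ends; anything
    after that offset is cipher padding, which racoon left in place above."""
    payloads, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(body):
            raise ValueError("truncated payload header")
        next_type, _reserved, plen = struct.unpack("!BBH", body[off:off + 4])
        if plen < 4 or off + plen > len(body):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        data = body[off + 4:off + plen]
        entry = {"type": ptype, "name": PAYLOAD_TYPES.get(ptype, "other"), "data": data.hex()}
        if ptype == 11:  # notify: DOI, protocol id, SPI size, notify type, SPI
            doi, proto, spi_size, ntype = struct.unpack("!IBBH", data[:8])
            entry.update(doi=doi, protocol_id=proto, spi=data[8:8 + spi_size].hex(),
                         notify_type=ntype, private_use=ntype in PRIVATE_NOTIFY)
        payloads.append(entry)
        ptype, off = next_type, off + plen
    return payloads, off


def decode(received_hex=RECEIVED_HEX, decrypted_hex=DECRYPTED_HEX):
    """Header from the wire bytes, payload chain from the decrypted body."""
    msg, body = hexwords(received_hex), hexwords(decrypted_hex)
    hdr = parse_header(msg)
    if hdr["encrypted"] and len(body) != len(msg) - 28:
        raise ValueError("decrypted body length does not match the header")
    payloads, _end = parse_payloads(hdr["next_payload"], body)
    return hdr, payloads


def hash_coverage(hdr, decrypted_hex=DECRYPTED_HEX):
    """Bytes the HASH payload authenticates in an informational exchange:
    M-ID | N/D (RFC 2409 section 5.7), i.e. everything after the hash payload."""
    body = hexwords(decrypted_hex)
    _next, _reserved, hash_len = struct.unpack("!BBH", body[:4])
    _payloads, end = parse_payloads(hdr["next_payload"], body)
    return struct.pack("!I", hdr["message_id"]) + body[hash_len:end]


if __name__ == "__main__":
    header, payloads = decode()
    print(header["exchange_name"], "message id %08x" % header["message_id"])
    for p in payloads:
        print(p)
    print("HASH input:", hash_coverage(header).hex())
```

Running it shows an encrypted informational exchange (type 5) with message ID 5eb31459, a hash payload followed by one notify payload with DOI 1, protocol ISAKMP and notify type 32768. That value sits in the private-use range of RFC 2408, so racoon has no handler for it and logs it as unhandled; the hash validated, so it is a status message from the authenticated peer rather than a corrupted packet. What the Firebox means by 32768 is not stated on this page.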
Re: Tunnel Established but cannot Ping or use ARD
by rooney1111 on 2008-04-18 11:28:37 +0200

My remote unit is a ZyXEL ZyWALL - it all works fine from my Mac but not my colleague's, but as far as we can tell the setup is identical. He has deleted and reinstalled IPSec - still no ping.

Re: Tunnel Established but cannot Ping or use ARD
by artemide on 2008-04-18 15:06:44 +0200

I have a support contract with Smoothwall, so I opened a case with them. I think the problem is with IPSecuritas, but they are pretty good at tracking down issues. I'll let you know what they find.

Re: Tunnel Established but cannot Ping or use ARD
by thorlock on 2008-04-24 12:43:23 +0200

@artemide: could the Smoothwall team help you solve this issue? I'm in a similar situation and it's driving me nuts... Anyone else have any ideas? Thanks a bunch.

Re: Tunnel Established but cannot Ping or use ARD
by artemide on 2008-04-24 17:34:01 +0200

Not yet, they sent me some screen shots they had from someone that did get it working and it was somewhat of a help. It seems like even though both sides think the tunnel is up, it is really not. The IPSecuritas side sees an invalid ID. But I can't figure out what the problem is because the tunnel does come up. I just sent the Smoothwall team some screen shots and some log files. I am hoping to hear back from them soon. This is very frustrating. On a different note, I sent an email to IPSecuritas and have received no response as of yet. I am even trying the trial version of VPN Tracker .. and that crashes ... joy

Re: Tunnel Established but cannot Ping or use ARD
by rooney1111 on 2008-04-24 22:29:38 +0200

Don't know if this helps, but I have been out of the office on clients' sites the past couple of days and wasn't even able to 'go green' with IPSecuritas. Now I'm back in my office everything is OK again, so could the issue be with the local firewall?

Re: Tunnel Established but cannot Ping or use ARD
by thorlock on 2008-04-25 09:24:02 +0200

@artemide: Alright, any possibility that you could post those screenshots provided by the Smoothwall team? Thanks.
@rooney1111: yeah, I think it might be an issue with some local firewall in some specific cases, but I doubt it is a firewall issue when the connection goes green and everything seems to be up and running according to the logs!

Re: Tunnel Established but cannot Ping or use ARD
by benjconrad on 2008-04-25 12:21:45 +0200

Specifically with Smoothwall, you should check the Zone Bridging options. You need to allow bi-directional traffic from IPSEC to Green. If you do not, then you get the exact problem you are describing - tunnel is up, but no traffic can pass.

Re: Tunnel Established but cannot Ping or use ARD
by artemide on 2008-04-25 14:59:20 +0200

[quote author=benjconrad link=1208266332/0#8 date=1209118905]Specifically with Smoothwall, you should check the Zone Bridging options. You need to allow bi-directional traffic from IPSEC to Green. If you do not, then you get the exact problem you describing tunnel is up, but no traffic can pass.[/quote]

Yes, I know, thank you though. I have about a dozen other connections, IPsec subnets and L2TP road warriors, all working; the problem is on the IPSecuritas side and with my keys. It seems to be having problems verifying the keys. I will post everything I have.
edit: I have a zip file to post of screen shots and log files .. but .. and this is going to sound stupid but .. can I post it here? Or do I need to throw it on my web server and give a link?

Re: Tunnel Established but cannot Ping or use ARD
by artemide on 2008-04-25 23:17:03 +0200

It seems that the keys need to have the ID value set in them, and the ID has to be the address of the server (either IP or FQDN), which then also needs to be the ID of the endpoints as well. I am trying with 2 new keys, both with IDs set, and I am specifying them on both sides, so I imported both keys on the OS X side. The tunnel comes up, with much fewer warnings on the SW side. I also get different errors now on the Mac side:
inappropriate sadb acquire message passed.
unknown informational exchange received

VPN-1: connect ok, problem: office mode/mode_cfg
by marcz on 2008-04-17 13:07:16 +0200

Hi, I am trying to connect to a corporate network (Checkpoint VPN-1). I exported the profile from the Windows machine. It looks like this:

[code]
(HTTPS_COMPANY
  :attributes (
    :description ("blabla")
    :read_only (true)
  )
  :options (
    :force_udp_encapsulation (false)
    :support_ip_assignment (true)
    :support_tcp_ike (false)
    :sr_route_through_gw (true)
    :support_tcpt (true)
    :ps_ha_scheme (no_ha)
  )
  :site (company_blabla)
  :gateways (
    : (somecompany.somenetwork-fwblabla
      :name (somecompany.somenetwork-fwblabla)
      :ipaddr (111.111.111.111)
      :active (true)
    )
  )
  :policy_servers (
    : (somecompany.somenetwork-fwblabla
      :name (somecompany.somenetwork-fwblabla)
      :ipaddr (111.111.111.111)
      :active (true)
    )
  )
)
[/code]

I configured IPSecuritas like this:
General: Firewall IP: 111.111.111.111; Local mode: dropdown is greyed out ("MODE-CFG is enabled. local ip is retrieved from firewall"); Remote Endpoint: "Everywhere"
Phase 1: 10 min, 1024 (2), 3DES, SHA-1, Main, Obey, 16
Phase 2: 10 minutes, 768 (1), Enc: DES, 3DES, AES 256, AES 192, AES 128; Auth: HMAC MD5, HMAC SHA-1
ID:

Re: VPN-1: connect ok, problem: office mode/mode_cfg
by marcz on 2008-04-19 16:50:21 +0200

No one able to help? I already had a look at the commercial software VPN Tracker, too, but unfortunately VPN Tracker supports no mode_cfg/office mode with Checkpoint VPN either.

Re: VPN-1: connect ok, problem: office mode/mode_cfg
by marcz on 2008-04-24 20:59:59 +0200

bump

One hour timeout
by Frank_Renner on 2008-04-21 10:08:24 +0200

Hi, I have a problem with connecting to a client site. Everything works fine, but after exactly one hour the connection does not work anymore. Although I strongly assume that this is a problem with some timeout in the firewall at the client site, I want to know if it is possible that the problem may be caused on my side. I have Mac OS X 10.5.2, IPSecuritas 3.1 and no firewall enabled on my Mac. Did anyone else experience this behaviour?
Thank you,
Frank Renner

Re: One hour timeout
by Cucumber on 2008-04-23 03:59:25 +0200

Howdy, I have the same problem (same version of OS X and IPS). IPS thinks it is still connected (green dot), but all communication abruptly stops after an hour. I'm connecting to a NetScreen 5GT. The same thing happens if I use IPS 2.2.
\\//_

Re: One hour timeout
by Frank_Renner on 2008-04-25 11:23:33 +0200

What can we do? Accept fate?

Re: One hour timeout
by benjconrad on 2008-04-25 12:19:12 +0200

I had this problem before, connecting IPSecuritas on Tiger to a Smoothwall firewall. On that firewall, where you set up the IPSEC road warriors, there is a "Key Life" setting, which by default was 60 minutes. The key is presumably supposed to be reissued in some way, but I couldn't work out what was wrong, so in the end I just increased the key life setting to 360 - 6 hours being more than enough for the users. Not sure how much this information helps, but there should be a setting on the firewall you are connecting to, rather than on IPSecuritas.

Re: One hour timeout
by kamikaze2112 on 2008-05-08 20:59:18 +0200

I am having the exact same issue. After an hour, everything drops but the tunnel says it's still up. I am running Leopard 10.5.2, IPSecuritas 3.1, and a Linksys RV042 with the latest firmware. I have a pretty good feeling that it's the Phase 2 key that's not being renewed properly. I've bumped the phase 2 key life to 28800 seconds (8 hours) to see if it helps. Hopefully we can get a fix for this issue.
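Several logs on this page (the Linksys WRVS4400N and Netgear ones above, the Fortigate-100 one further down) show the same handful of racoon messages, and reading them is the first thing Christoph does in his replies. The script below is an added example for this page, not part of IPSecuritas: it parses the log format those posts show, counts the failure signatures and names the stage that failed. The sample lines are copied from the Linksys and Fortigate-100 posts; the diagnosis labels and the reading behind them are this example's own.

```python
"""Triage an IPSecuritas/racoon log into a one-line diagnosis.

Added example, not part of IPSecuritas. The sample lines are copied from the
Linksys WRVS4400N and Fortigate-100 posts on this page; the line format
("Mon DD, HH:MM:SS Level Source message") is what those posts show.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{2}, \d{2}:\d{2}:\d{2}) "
                     r"(?P<level>Info|Warning|Error|Debug) (?P<src>APP|IKE) (?P<msg>.*)$")
ESP_RE = re.compile(r"ESP (?P<peer>[\d.]+)\[(?P<peer_port>\d+)\]->(?P<local>[\d.]+)\[(?P<local_port>\d+)\]")

# Linksys WRVS4400N post (version banner lines omitted; they carry no timestamp).
LINKSYS_LOG = """\
Apr 01, 20:01:16 Info APP IPSec authenticating
Apr 01, 20:01:16 Info APP IKE daemon started
Apr 01, 20:01:16 Info APP IPSec started
Apr 01, 20:01:16 Error IKE Foreground mode.
Apr 01, 20:01:16 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Apr 01, 20:01:16 Info IKE Resize address pool from 0 to 255
Apr 01, 20:01:16 Info APP Initiated connection MAHVPN
Apr 01, 20:01:16 Error IKE inappropriate sadb acquire message passed.
Apr 01, 20:01:23 Info APP Initiated connection MAHVPN
Apr 01, 20:01:30 Info APP Initiated connection MAHVPN
Apr 01, 20:01:32 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 66.224.240.74[500]->192.168.0.3[500]
Apr 01, 20:01:37 Info APP Initiated connection MAHVPN
Apr 01, 20:01:37 Error IKE inappropriate sadb acquire message passed.
Apr 01, 20:01:39 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 66.224.240.74[500]->192.168.0.3[500]
Apr 01, 20:01:44 Info APP Initiated connection MAHVPN
Apr 01, 20:01:46 Error IKE phase1 negotiation failed due to time up. 68b4db46769c3ccf:0000000000000000
Apr 01, 20:01:46 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 66.224.240.74[500]->192.168.0.3[500]
Apr 01, 20:01:49 Warning APP Connection MAHVPN timed out
Apr 01, 20:01:49 Warning APP Giving up
Apr 01, 20:01:53 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 66.224.240.74[500]->192.168.0.3[500]
Apr 01, 20:02:00 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 66.224.240.74[500]->192.168.0.3[500]
Apr 01, 20:02:04 Info APP IPSec stopping
Apr 01, 20:02:05 Info APP IPSec stopped
"""

# Fortigate-100 post: the log stops right after racoon starts.
FORTIGATE_LOG = """\
May 06, 14:58:24 Info APP IPSec authenticating
May 06, 14:58:24 Info APP IKE daemon started
May 06, 14:58:24 Info APP IPSec started
May 06, 14:58:24 Error IKE Foreground mode.
May 06, 14:58:24 Info IKE Resize address pool from 0 to 255
"""


def parse_log(text):
    """Structured events; lines without the timestamp prefix (version banner) are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            # The log carries no year; strptime fills in 1900, which is fine for deltas.
            events.append({"ts": datetime.strptime(m["ts"], "%b %d, %H:%M:%S"),
                           "level": m["level"], "src": m["src"], "msg": m["msg"]})
    return events


def triage(text):
    """Count the failure signatures seen on this page and name the stage that failed."""
    s = {"attempts": 0, "phase1_timeouts": 0, "phase2_waiting_on_phase1": 0,
         "sadb_acquire_noise": 0, "gave_up": False, "seconds_to_give_up": None,
         "peer": None, "ike_port": None}
    first_attempt = None
    for e in parse_log(text):
        msg = e["msg"]
        if msg.startswith("Initiated connection"):
            s["attempts"] += 1
            first_attempt = first_attempt or e["ts"]
        elif msg.startswith("phase1 negotiation failed due to time up"):
            s["phase1_timeouts"] += 1
        elif msg.startswith("phase2 negotiation failed due to time up waiting for phase1"):
            s["phase2_waiting_on_phase1"] += 1
            m = ESP_RE.search(msg)
            if m:
                s["peer"], s["ike_port"] = m["peer"], int(m["peer_port"])
        elif msg.startswith("inappropriate sadb acquire"):
            s["sadb_acquire_noise"] += 1  # the Zywall post below sees this on a working tunnel too
        elif msg == "Giving up":
            s["gave_up"] = True
            if first_attempt:
                s["seconds_to_give_up"] = int((e["ts"] - first_attempt).total_seconds())
    if s["attempts"] == 0:
        # Nothing was ever sent: a connection definition error (red dot, exclamation
        # mark in the connection manager), as in the Fortigate-100 thread below.
        s["diagnosis"] = "not_started"
    elif s["phase1_timeouts"] or s["phase2_waiting_on_phase1"]:
        # Phase 1 retransmits ran out: no usable answer from the peer on the IKE port.
        s["diagnosis"] = "phase1_no_response"
    else:
        s["diagnosis"] = "no_failure_signature"
    return s


if __name__ == "__main__":
    for name, log in (("Linksys WRVS4400N", LINKSYS_LOG), ("Fortigate-100", FORTIGATE_LOG)):
        print(name, triage(log))
```

For the Linksys log this reports five attempts, one phase 1 timeout, five phase 2 failures waiting on phase 1, the peer 66.224.240.74 on UDP 500 (no NAT-T in play) and "Giving up" 33 seconds after the first attempt; for the Fortigate-100 log it reports no attempt at all, which matches Christoph's "no negotiation is started" reading in that thread.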
Re: One hour timeout
by Frank_Renner on 2008-05-08 21:24:16 +0200

To add another weirdness which makes it difficult to convince the client about his firewall doing wrong: others are connecting to the same firewall without any problems (with the same version of Mac OS, IPSecuritas and the same settings, of course). So the issue might have something to do with the Mac settings as well... still not solved on my side.

Re: One hour timeout
by cnadig on 2008-05-09 12:51:00 +0200

Hello, it is possible that the rekeying is initiated by the firewall shortly before the first key expires after the specified life time (probably one hour). This could be problematic if your client is behind a NAT router or a firewall. Try lowering both life times to a smaller value, say 30 minutes instead of one hour.
Hope this helps,
Christoph

Re: One hour timeout
by kamikaze2112 on 2008-05-14 18:20:05 +0200

I tried decreasing the Phase 2 lifetime to 1800 seconds (30 min) but left the phase 1 lifetime at 28800 seconds (8 hours). All this did was cause the traffic to come to a halt after 30 minutes instead of the original hour. I've just tried setting both phases to 30 minutes to see how that affects things, and I'll update this post with my findings.
Update: with both phases set for 1800 seconds, the pings stopped after 30 minutes. I don't think this is a problem with my VPN router. It's possible that the NAT router that the client is behind could be the culprit, but I doubt that's the case.

Re: One hour timeout
by Ingo on 2008-06-06 11:19:39 +0200

I'm seeing exactly the same problem with IPSecuritas 3.1 on Leopard connecting to a Checkpoint VPN-1. This seems to be a Leopard problem, as the same configuration works flawlessly with IPSecuritas 3.1 on Tiger.

VPN on only one interface
by swhitman on 2008-04-29 23:28:52 +0200

I have IPSEC working on the wireless interface. When a cable is attached to the ethernet and the wireless is turned off, networking does not work unless I turn off IPSecuritas. How do I set up IPSecuritas so that it is only active for the wireless interface?

Problems with CISCO VPN
by MBC on 2008-04-30 15:51:25 +0200

Dear friends, I have a big problem using IPSecuritas with my company's Cisco firewall. The problem is that IPSecuritas wants a preshared secret and my company is not working with this. We are working with a group name and group password and then with a personal name and personal password. How can I solve this problem and configure IPSecuritas?
Thanks, Michael

Can anyone hand-hold my newbie setup?
by slightly on 2008-05-02 14:53:05 +0200

Hi, I've never set up a VPN before, although I have used IPSecuritas to connect at a previous employer. So, any help or advice would be hugely appreciated!
I'm trying to connect my home 10.5 PowerBook running IPSecuritas to a Linksys RVS4000 VPN router/firewall at work. So it's a host-to-network connection.
The RVS4000 is at [b]68.167.x.x[/b]. It creates a private network of [b]192.168.1.0/24[/b].
My home Mac is at [b]74.66.y.y[/b]. (Cable internet, dynamic IP, but it should be the same address for a while.) Its private address is [b]192.168.0.103[/b], within a [b]192.168.0.0/24[/b] network. (Served by a D-Link EBR-2310 with IPSec passthrough enabled. L2TP and PPTP are not passed through. I'm also connected to an interim Airport Express, if that makes any difference.)
Here's what I have set up on the router's tunnel configuration:
[b]Local Security Gateway type: IP Only
IP address: 68.167.x.x
Local security group type: IP addr.
IP address: 192.168.2.1[/b]
First question: is that "192.168.2.1" sane? I'm guessing that what this refers to is the IP address that my Mac will be assigned once within the local network, and I don't want it to clash with the existing subnet. Is that correct?
[b]Remote Security Gateway Type: IP Only
IP address: 74.66.y.y
Remote security group type: subnet
IP address: 192.168.0.103
Mask: 255.255.255.0
Key mode: IKE/preshared
Phase1: Encrypt: 3DES, Authenticate: MD5, Group: 768-bit, Life: 28800 secs
Phase2: Encrypt: 3DES, Authenticate: MD5, PFS: Enable, Key: *******, Group: 768-bit, Life: 28800 secs[/b]
Now, on IPSecuritas:
[b]Remote IPSec device: 68.167.x.x
Local Endpoint mode: Host
Remote Endpoint mode: Network
Phase1: Life: 28800 secs[/b]

XAuth doesn't honor the IP handed out by server
by signal15 on 2008-05-05 21:54:12 +0200

It's sending the packets with a source address of the one physically assigned to my local interface, not the one that I'm handing to it via an IP pool for XAuth. Is there a way to change this behavior? I noticed I can optionally hard set the IP address under the "General" tab, and I can assign a static to each user in the firewall via XAuth options. This would probably work; however, it would be nice to avoid that extra config, especially for multiple users. I am assuming since it's not honoring the IP I'm handing it, it probably doesn't take the DNS servers I'm giving it either.

Re: XAuth doesn't honor the IP handed out by server
by Forum Admin on 2008-05-05 22:13:20 +0200

Hello, XAuth doesn't provide a way of handing out IP addresses or other client configuration. Please try enabling MODE_CFG, which was meant for this purpose. Please note that MODE_CFG was never officially released as an RFC, therefore there are many different proprietary implementations. So it might or it might not work. In the latter case, I'd be very interested to make the necessary software changes to support your firewall's implementation. Let me know.
Hope this helps,
Christoph

Re: XAuth doesn't honor the IP handed out by server
by signal15 on 2008-05-05 22:31:30 +0200

Works! Thanks! FYI, this is on a Juniper SSG5 running ScreenOS 6.0r2.
Fortigate-100
by anev on 2008-05-06 16:12:20 +0200

Hey, I've been trying to set up a VPN connection to my office with little success. The logs show the following:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
May 06, 14:35:04 Info APP System wake up event received
May 06, 14:36:00 Info APP Network configuration change detected
May 06, 14:36:00 Info APP Smart Environment Detection: Off, reconfiguration
May 06, 14:58:24 Info APP IPSec authenticating
May 06, 14:58:24 Info APP IKE daemon started
May 06, 14:58:24 Info APP IPSec started
May 06, 14:58:24 Error IKE Foreground mode.
May 06, 14:58:24 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
May 06, 14:58:24 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
May 06, 14:58:24 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
May 06, 14:58:24 Info IKE Resize address pool from 0 to 255

And it doesn't get much further than that. Does anyone have a config they could send me for a Fortigate-100? If necessary, I can post the details here re our set up.
Kind Regards,
A

Re: Fortigate-100
by cnadig on 2008-05-06 18:06:39 +0200

Hello, this looks like no negotiation is started at all. Do you get a red dot next to the connection name in the main window? If so, what does it say when you hover your mouse pointer over it?
Cheers,
Christoph

Re: Fortigate-100
by anev on 2008-05-06 20:26:47 +0200

When I hover the mouse above it, it says "connection definition error". I'm assuming then I have done something wrong during the configuration process. I can export the connection settings and paste them if it helps?

Re: Fortigate-100
by cnadig on 2008-05-07 11:30:17 +0200

Hello, please open the connection manager and hover the mouse over the exclamation mark symbol next to the connection. This will show a list of things to correct in the connection.
Hope this helps,
Christoph

Problems on Mac OSX V10.4.11
by dash on 2008-05-07 14:56:43 +0200

IPSecuritas will connect to our firewall (Juniper SSG-20 with V6.1 firmware) automatically after restarting the Mac, but after closing the connection it will fail when you try to start the connection again. It will work sometimes, but mostly you have to restart the laptop to get it to work. Also, I have the connect on startup checkbox unchecked in the IPSecuritas preferences, but it connects anyway when you restart the Mac. The laptop is a MacBook Pro 15" with Core 2 Duo, 2.16GHz and 1GB memory.
Thanks, Darren

Re: Problems on Mac OSX V10.4.11
by dash on 2008-05-12 03:21:25 +0200

Anyone else with this problem on Tiger?

SHA-2 support for phase 1 negotiation?
by hori on 2008-05-07 15:48:00 +0200

Is there any possibility to manually edit the configuration files that are created by IPSecuritas? I need SHA-2 support during the phase 1 negotiation but IPSecuritas only offers MD5 and SHA-1. As far as I know racoon supports SHA-2.

Re: SHA-2 support for phase 1 negotiation?
by cnadig on 2008-05-09 12:53:24 +0200

Hello, racoon indeed supports SHA-1 with different hash sizes. I will add support for this (unfortunately I can't see a way to edit the configuration files to support this). What about SHA-2 in phase 2 (racoon does support it, not so sure whether Mac OS X does as well)?
Cheers,
Christoph

Re: SHA-2 support for phase 1 negotiation?
by hori on 2008-05-13 12:08:28 +0200

Hello, I cannot find any information on whether the Mac OS kernel supports IPsec in conjunction with SHA-2. I hope it does, because the userspace tools racoon and setkey do so. And they are delivered by Apple.
Regards, Holger

Re: SHA-2 support for phase 1 negotiation?
by cnadig on 2008-05-13 13:40:02 +0200

Hello, I had a look at the kernel and it offers support for SHA-2 (which are officially called SHA-256, SHA-384, SHA-512, since there are variations with different digest lengths) for phase 2 too. SHA-224 is supported by neither racoon (phase 1) nor the kernel (phase 2). I will add support for those hashes to both phases.
Cheers,
Christoph

NAT issues
by rjzzleep on 2008-05-15 10:44:21 +0200

Hello, at work we have a wireless router connected to our internal network. Now when I use IPSecuritas from within my home router everything works fine; however, when I try to connect to the VPN from the public WLAN at work I can't connect anymore. I don't have the logs handy, but I just wanted to let you know that replacing the racoon version inside the IPSecuritas bundle with the stock 10.5.2 version of racoon solves everything. Also, would it be possible to add an option to launch the menu item and the daemon whenever I plan to connect to the VPN? Either way, thanks for IPSecuritas.

IPSecuritas and Smartcard?
by TauTau on 2008-05-19 12:28:10 +0200

Hi, I will receive my MacBook Pro soon, and it will replace a Windows laptop then. Until now, I used the Checkpoint-1 client with Nexus software and a smartcard containing my certificate to access the company network. Is there some way to get this working with IPSecuritas? What would I use to handle the smartcard?
Lars

Launch2Net, IPSecuritas and Zywall 2 Plus
by winnall on 2008-05-21 02:24:32 +0200

I have managed to get a VPN up and running from my MacBook Pro running Mac OS X 10.5.2 through to my Zywall 2 Plus firewall. I'm using IPSecuritas 3.1 together with Launch2Net, which drives a Novatel Merlin XU870 HSDPA card. I would have liked to have perfectly clean log files, but I get the impression from googling around that certain suspicious-looking log entries in the IPSecuritas log are normal, e.g.
[i]Warning IKE ignore INITIAL-CONTACT notification, because it is only accepted after phase1. Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP <Zywall-IP>[500]-><Laptop-IP>[500] Error IKE inappropriate sadb acquire message passed.[/i] etc. Similarly, I get an error in the Zywall log which is well-documented but doesn't seem to have a solution: [i]Receive IPSec packet, but no corresponding tunnel exists[/i] At the basic TCP/IP level I have a functioning connection from my laptop to my Zywall (as an endpoint). However, IPSecuritas has not set up my local DNS server although I made what I think is an appropriate entry under the DNS tab in the connections dialogue. I am not the first person to report this: is it still a known bug, or should I go back and look at it again? The result is that I have to use IP numbers all the time, which is obviously not nice. I tried adding the address of the DNS server to the Network configuration in System Preferences, but that did not help. Bonjour doesn't seem to work across the VPN either (measured with Bonjour Browser). I have a number of services on my Linux servers advertised with Avahi, which show up in Bonjour on my local Macs but don't make it across the VPN to my laptop. As far as I can tell, the VPN places no restrictions on packets transfered from the LAN to the VPN so I don't understand why Bonjour doesn't work. If anyone can help me with these problems, I'd be very grateful. Other things I want to do later are to make my AFP and NFS mounts visible (using Avahi/Bonjour). I know some of the issues there, but if anyone has an hints, I'd would also apppreciate that. Steve Re: Launch2Net, IPSecuritas and Zywall 2 Plus by winnall on 2008-05-23 13:19:52 +0200 Further research reveals that a VPN will not route multicast packets, so Bonjour will not work without some extra work. This means having something at either end of the VPN which tunnels Bonjour's multicast packets though the VPN. 
There is something called mtunnel which purports to do this, but it is no longer available at its author's site. Why DNS doesn't work remains a mystery to me. I tried VPN Tracker too, but DNS doesn't work with that either. Steve Connecting MacBook to OpenSwan on CentOs Linux Connecting MacBook to OpenSwan on CentOs Linux by angelocr on 2008-05-22 16:21:59 +0200 Hi to everybody here! I am trying to access an OpenSwan Firewall with an OSX 10.4.11 MacBook (soon to become 10.5.2). Not being so knowledgeable I have made several attempts trying to understand settings and log results to no avail. I get the errors: IKE 508:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 508:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:707: IKE Invalid SIG. IKE none message must be encrypted IKE inappropriate sadb acquire message passed. IKE phase2 negotiation failed due to time up waiting for phase1. ESP 55.113.55.186[4500]->192.168.1.105[4500] Beyond this, I see that IPsesuritas wisely has "suggested settings" for several firewalls. Is there anything like that to connect to an openswan based linux machine? Thanks for any hint, I am eager to learn! Angelo. IPSecuritas IPSecuritas by vdubvr6 on 2008-05-28 15:54:45 +0200 Good Morning, I have been handed a task to help an end user with VPN connectivity. I am not familiar with this software and need some advise. Our typical user uses //shame Windows with a CheckPoint client, anyway this user is on a direct connected connection on a comcast home account. They connect but it automatically puts a red dot next to the connection. What could this mean, I'm sure a lot? Is there a log file or can I enable logging? This is a remote machine so if I could do this from SSH that would be wonderful. If not, is there a supplied manual. 
-- Thank you

Re: IPSecuritas by angelocr on 2008-06-03 00:24:42 +0200

I am no expert, just a beginner glad to be able to help :)
1) The red dot says that the connection had no success. So there is something in the settings to tweak;
2) Yes, you can enable logs and see them through the menus. They help a lot, in fact!
3) The whole purpose of IPSecuritas is to put a user interface on racoon (the native IPsec of Mac & BSD) to make it easier. I am quite sure you could use racoon through SSH, being geeky enough, but not IPSecuritas.
4) Yes, there is a manual included in the product.
Disclaimer: See the beginning!

How to direct all traffic through the VPN

How to direct all traffic through the VPN by consi on 2008-06-05 10:41:33 +0200

I have successfully set up a VPN in host to network mode so that I can reach private IPs in the remote network. All my traffic to websites however still goes out directly instead of going through the router in the remote network. How can I tunnel my traffic through the remote network, either all or selectively, perhaps on a by-application basis? Thanks!

Re: How to direct all traffic through the VPN by consi on 2008-06-11 00:59:00 +0200

Nobody knows? It is an option in Apple's built-in VPN client... which is lacking in other areas though. How can it be done with IPSecuritas? I don't have to mention that this is vital if you want to protect your web usage from a public hotspot.

Re: How to direct all traffic through the VPN by Forum Admin on 2008-06-11 18:47:11 +0200

Hello, select Anywhere for the remote endpoint. However, it very much depends on your firewall and its configuration whether this works. Cheers, Christoph

Re: How to direct all traffic through the VPN by consi on 2008-06-12 01:10:13 +0200

Thanks for the tip. Unfortunately with the 'anywhere' setting, my connection lamp stays yellow, DHCP pass-through enabled or not. My OS X firewall is set to allow all incoming connections. I suppose I need to open some ports on my router? Which are those?
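The "Anywhere" remote endpoint that Christoph recommends above works by widening the tunnel's traffic selector from one remote network to every destination. The following added example (my own Python, not IPSecuritas or racoon code) models that decision for a host-to-network connection: a destination inside a configured remote network is tunnelled, everything else goes out directly, and with 0.0.0.0/0 ("Anywhere") there is no "everything else". It also covers two related checks that come up later on this page: a network prefix entered with host bits set (the 192.168.202.17/24 form tried in the Local-Network to Remote-Network thread) and the address collision between local and remote LANs discussed in the SonicWall thread, where the admin notes that an overlapping local network disappears behind the tunnel. The function names, the most-specific-match rule and the sample addresses (RFC 1918 and RFC 5737 ranges) are my assumptions, not anything the forum posts specify.

```python
"""Which destinations enter the IPsec tunnel?  Added example, not IPSecuritas code.

The remote side of a connection is treated as a set of traffic selectors
(prefixes).  A destination matching a selector is tunnelled; "Anywhere"
(0.0.0.0/0) matches every destination.  When several selectors match, the
most specific one wins (an assumption of this model, like a router's
longest-prefix match).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

ANYWHERE = "0.0.0.0/0"   # IPSecuritas' "Anywhere" remote endpoint, as a prefix


def _net(text: str) -> ipaddress.IPv4Network:
    # strict=False accepts prefixes with host bits set instead of raising
    return ipaddress.ip_network(text, strict=False)


def normalize_prefix(text: str) -> Tuple[str, Optional[str]]:
    """Return the canonical network for 'a.b.c.d/n' plus a warning when the
    address had host bits set (e.g. 192.168.202.17/24 really means
    192.168.202.0/24), so both ends can be checked to mean the same network."""
    addr = ipaddress.ip_address(text.split("/")[0])
    net = _net(text)
    warning = None
    if addr != net.network_address:
        warning = (f"{text} has host bits set: netmask {net.netmask} selects {net}; "
                   f"confirm both ends mean that network")
    return str(net), warning


def collisions(local: str, remotes: List[str]) -> List[str]:
    """Remote selectors that overlap the local LAN.  With an overlap, traffic for
    local hosts is routed into the tunnel and those hosts become unreachable."""
    lan = _net(local)
    return [r for r in remotes if lan.overlaps(_net(r))]


def tunnel_selector(dst: str, remotes: List[str]) -> Optional[str]:
    """The remote selector that claims dst, or None if dst goes out untunnelled."""
    addr = ipaddress.ip_address(dst)
    matches = [_net(r) for r in remotes if addr in _net(r)]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None


def route_plan(dsts: List[str], remotes: List[str]) -> Dict[str, str]:
    """Map each destination to 'tunnel via <selector>' or 'direct'."""
    plan: Dict[str, str] = {}
    for d in dsts:
        sel = tunnel_selector(d, remotes)
        plan[d] = f"tunnel via {sel}" if sel else "direct"
    return plan


if __name__ == "__main__":
    office = "192.168.0.0/24"                       # constructed: the remote LAN
    probes = ["192.168.0.10", "203.0.113.5"]        # an office host and a web server
    # Host-to-network: only the office LAN is tunnelled, web traffic goes out directly.
    print(route_plan(probes, [office]))
    # Remote endpoint "Anywhere": every destination, web traffic included, is tunnelled.
    print(route_plan(probes, [ANYWHERE]))
    # Home LAN that happens to use the same prefix as the office: collision.
    print(collisions("192.168.0.0/24", [office]), collisions("192.168.1.0/24", [office]))
    # A local network typed with a host address instead of the network address.
    print(normalize_prefix("192.168.202.17/24"))
```

Selecting "Anywhere" only changes the client's side of the decision; as the admin says, the firewall must also be willing to accept 0.0.0.0/0 as the remote selector and to forward the tunnelled traffic onwards, which is why the example's plan is a prediction to verify with a ping, not a guarantee.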
Re: How to direct all traffic through the VPN by consi on 2008-06-18 10:43:44 +0200

A hint from somebody?

Certificate request import error

Certificate request import error by domodomo on 2008-06-06 22:38:38 +0200

Hello, I am trying to import a DER request file I generated in IPSecuritas's Certificate Manager into Windows Server Certificate Authority. When I submit the request to the Windows CA I get an 'ASN1 bad tag value met. 0x8009310b (ASN: 267)' error. Does anyone know what this is about? Thanks, Ian

Help with Nortel 1800/2800

Help with Nortel 1800/2800 by enygma on 2008-06-07 13:42:47 +0200

Has anyone had any luck setting up a connection (user/pass auth) on a Nortel 1800 or 2800 remote vpn machine? I've been messing with settings for a while now and I can't seem to get it. Any help would be appreciated!

Local-Network to Remote-Network

Local-Network to Remote-Network by LinkNet on 2008-06-08 03:21:45 +0200

Hi, I have used, very successfully, IPSecuritas to connect a single machine (my MacBook Pro) in host mode to a remote network. Great job, Christoph, and many thanks. I particularly enjoy using an ExpressCard to access the Internet via cellular broadband. I also use Airport to access WiFi broadband. IPSecuritas is working great as an "emulator" of the [b]hardware[/b] Linksys BEFVP41 VPN client that I have used for years and that I hope to be able to leave at home (in honorable retirement) for the rest of its days. Unfortunately, there is one (very important) case that forces me to still travel with the Linksys BEFVP41 VPN client (and to find hotels that have wired Internet access, to be able to connect the Linksys's WAN port to the Internet). If you could please help me solve this challenge, it would be wonderful.
Specifically: For local printing via VPN (using a print server at the remote network and an HP LaserJet as a networked printer next to my MacBook Pro), I have not found a way to configure IPSecuritas to connect a local "network" (consisting of the LaserJet, directly connected to the Ethernet port of my MacBook Pro) to the remote network. Please recall that I prefer to use an ExpressCard to access the Internet via cellular broadband (or Airport to access WiFi broadband). So, in these two cases, I have the Ethernet port available for the LaserJet. How can I connect the Ethernet "network" (consisting of just the LaserJet in this case) to the remote network via IPSecuritas (connected to the remote network via an ExpressCard or via Airport)?

On page 10, the IPSecuritas Manual does not explicitly say how to connect a local network -- unless I am missing something:

------------------------------------------------------------------------
[b]Local Side[/b]: This determines whether you want to connect a single machine (Host), one (Network) or multiple (Networks) local networks to the remote end. Most usually you connect a single machine. In Host mode, you may define a virtual local IP address. All traffic sent to the remote end will have this address as the sender address. If you leave the field empty, the address of the default network interface is used instead. Please clarify this with your system administrator if in doubt.
-------------------------------------------------------------------------

How do you define the meaning of "the default network interface"? Thank you.

Re: Local-Network to Remote-Network by Forum Admin on 2008-06-09 23:08:19 +0200

Hello, I'm not sure if I understand your setup completely. If I understand you correctly, you are travelling with your printer, which is attached to your MBP's ethernet port.
The print server, however, is not on your machine but in the remote network that you access through the VPN (basically, sending the print job through the VPN twice). Is this correct? Cheers, Christoph

Re: Local-Network to Remote-Network by LinkNet on 2008-06-18 19:33:24 +0200

[quote author=Forum Admin link=1212888105/0#1 date=1213045699]Hello, ... If I understand you correctly, you are travelling with your printer, which is attached to your MBP's ethernet port. The print server, however, is not on your machine but in the remote network that you access through the VPN (basically, sending the print job through the VPN twice). Is this correct? Cheers, Christoph[/quote]

Your interpretation is correct, but the print job does not go through the VPN twice. The print job does not originate on my Mac: It originates on a remote print server, which just blasts it to a given IP address of my choice (which happens to be a printer on the "corporate" network when I am at home, or a printer on my "hotel network" when I am on the road). I issue commands from my MBP to the print server via a specialized variant of the Telnet protocol.

Here is a specific example. Let's assume the following addresses, which work great when I specify an Endpoint Mode of "Host" for the [b]local[/b] side: The Cellular broadband ExpressCard assigns some public address to my MBP: 111.122.133.144. My MacBook Pro's VPN IP Address, as specified in "IPSecuritas Connections=>General Local Side Endpoint Mode := Host" is 192.168.202.17. So far, so good. I can connect from my MBP to the remote network via the IPSecuritas VPN tunnel (and any host from the remote network can access my MBP, using 192.168.202.17, via the IPSecuritas VPN tunnel) without any problem.
Now, the challenge: If I set "IPSecuritas Connections=>General Local Side Endpoint Mode := Network" (with specifications along the lines of 192.168.202.17 / CIDR 24 -- and I have tried several kinds, including 192.168.202.0) I get a lot of debugging log entries (which I'll be happy to email to you) but no connection ever happens. If I simply change the local endpoint mode back to "Host", IPSecuritas immediately connects and all is well. The printer's manually-configured IP address is 192.168.202.22. I would love to be able to -- somehow -- "include" the printer as part of the VPN tunnel as established by my MBP via IPSecuritas. I use this printer all the time when I travel with the Linksys BEFVP41 VPN client, which connects to the remote network via its WAN port and handles up to 4 local hardwired Ethernet addresses (my MBP, with 192.168.202.17, the printer, with 192.168.202.22, and up to two other machines, if I wish to do so). With the Linksys VPN client, I am forced to use a hardwired Ethernet connection to the Internet. With IPSecuritas, I can use Cellular broadband with my Express card, or I can use WiFi. IPSecuritas is obviously better. Thanks!

Juniper Netscreen isg-1000 support

Juniper Netscreen isg-1000 support by jarlt on 2008-06-19 01:53:10 +0200

Does ipsecuritas support the Juniper Netscreen isg-1000? I am unable to connect. Here is the log:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Jun 18, 16:23:23 Info APP IPSec authenticating
Jun 18, 16:23:23 Info APP IKE daemon started
Jun 18, 16:23:23 Info APP IPSec started
Jun 18, 16:23:23 Error IKE Foreground mode.
Jun 18, 16:23:23 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jun 18, 16:23:23 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jun 18, 16:23:23 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jun 18, 16:23:23 Info IKE Resize address pool from 0 to 255
Jun 18, 16:23:24 Info APP Initiated connection MLML
Jun 18, 16:23:24 Error IKE inappropriate sadb acquire message passed.
Jun 18, 16:23:24 Warning IKE No ID match.
Jun 18, 16:23:24 Info IKE couldn't find the proper pskey, try to get one by the peer's address.
Jun 18, 16:23:25 Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 18, 16:23:25 Error IKE Message: '] '.
Jun 18, 16:23:30 Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 18, 16:23:30 Error IKE Message: '] '.
Jun 18, 16:23:30 Info APP IPSec stopping
Jun 18, 16:23:31 Info APP IKE daemon terminated
Jun 18, 16:23:31 Info APP IPSec stopped
Jun 18, 16:26:25 Info APP Network configuration change detected
Jun 18, 16:26:25 Info APP IKE daemon started
Jun 18, 16:26:25 Info APP IPSec starting
Jun 18, 16:26:25 Info APP Smart Environment Detection: Start
Jun 18, 16:26:25 Error IKE Foreground mode.
Jun 18, 16:26:25 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jun 18, 16:26:25 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jun 18, 16:26:25 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jun 18, 16:26:25 Info IKE Resize address pool from 0 to 255
Jun 18, 16:26:26 Info APP Initiated connection MLML
Jun 18, 16:26:26 Error IKE inappropriate sadb acquire message passed.
Jun 18, 16:26:33 Info APP Initiated connection MLML
Jun 18, 16:26:40 Info APP Initiated connection MLML
Jun 18, 16:26:42 Error IKE phase2 negotiation failed due to time up waiting for phase1.
ESP 205.155.73.9[500]->169.254.237.206[500]
Jun 18, 16:26:47 Info APP Initiated connection MLML
Jun 18, 16:26:49 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 205.155.73.9[500]->169.254.237.206[500]
Jun 18, 16:26:51 Error IKE sendfromto failed
Jun 18, 16:26:54 Info APP Initiated connection MLML
Jun 18, 16:26:54 Error IKE inappropriate sadb acquire message passed.
Jun 18, 16:26:56 Error IKE phase1 negotiation failed due to time up. a3aa741a87214ef9:0000000000000000
Jun 18, 16:26:56 Error IKE phase2 negotiation failed due to time up

Re: Juniper Netscreen isg-1000 support by cnadig on 2008-06-19 08:49:21 +0200

Hello, I'd expect it to, as I have had good experiences with other models and I'd imagine Juniper is using the same IPSec software for all of their models. In the log you attached I can see that the phase 1 proposal is not accepted by the firewall - most probably a detail is different on both sides (like encryption, authentication or ID setting). Please verify the settings of firewall and IPSecuritas exactly. You may also send me a log with log level set to Debug to lobotomo@lobotomo.com and I will probably be able to help you further (please make sure to strip confidential information like IP addresses and IDs from the log). Cheers, Christoph

Re: Juniper Netscreen isg-1000 support by jarlt on 2008-06-20 01:06:39 +0200

I made configuration changes that enabled me to connect: Phase 2 PFS None (was 1024 (2)), and Options disable NAT-T. I can now connect to a single network. Connecting to multiple networks fails with "msg 5 not interesting".

IPSecuritas and IPComp (LZS)

IPSecuritas and IPComp (LZS) by rodknocker on 2008-06-21 12:16:41 +0200

Hello, I would like to use IPSecuritas with IPCOMP (LZS), but I think in the GUI there are no possibilities for settings. Are there ways to use IPCOMP in IPSecuritas?
Many thanks in advance ;) Best greetings David

Re: IPSecuritas and IPComp (LZS) by cnadig on 2008-06-23 10:35:26 +0200

Hello, the kernel of MacOS X only supports the deflate compression method; LZS and OUI are not supported. IPCOMP deflate is therefore always enabled by IPSecuritas. Cheers, Christoph

VPN always "on," would like to be prompted for pwd

VPN always "on," would like to be prompted for pwd by blst on 2008-06-24 00:12:25 +0200

IPSecuritas is great, but I can't seem to figure out how to make it ask you for your VPN password rather than your connection always being available. Is this possible? Thanks so much!

IPSecuritas, Netgear FVS318v3, AEBS, and NAT-T

IPSecuritas, Netgear FVS318v3, AEBS, and NAT-T by filterban on 2008-06-24 05:20:47 +0200

I finally got my Netgear FVS318v3 VPN to work with IPSecuritas 3.1, Leopard, and an Apple Airport Extreme Base Station. My network looks like this:

MacBook (IPSecuritas) 10.0.1.2 ---> AEBS ---> |||| INTERNET |||| ---> Netgear FVS318v3 ---> Servers (192.168.0.X)

For the most part, the default instructions worked, but I was running into a problem where IPSecuritas would say it was successfully connected (green light) but I was unable to ping my servers. Here's what I found:
1) The client comp has to have a fixed IP behind the AEBS. This is easy to set up in your Airport Settings - just assign a specific IP (in my case 10.0.1.2) to your Mac by DHCP Client ID.
2) Set up everything else as described in the manual, except in IPSecuritas, be sure to DISABLE "NAT-T".
Once I did that, everything worked like a charm. Thanks for the great software... this is really neat stuff. One more thing... this was with the latest FVS firmware of 3.0_26.

Export connections requests import password

Export connections requests import password by jarlt on 2008-07-01 23:34:58 +0200

I have 5 connections. When I exported the first one I was asked for an import password, and put one in.
I can not export any additional connections because I now get "Missing Import Password Please enter an import password for the exported connection." This is regardless of what I type in to the Import password field. -Sidebar- the reason I have 5 connections is because I can not connect with Networks having more than 1 entry. I do not see any docs on Export. Thanks

Re: Export connections requests import password by cnadig on 2008-07-03 13:13:00 +0200

Hello, please download a prerelease of 3.2 from here: www.lobotomo.com/products/downloads/IPSecuritas32b1.dmg The included Readme lists the enhancements and new features. Feedback is welcome! Cheers, Christoph

Re: Export connections requests import password by jarlt on 2008-07-03 19:35:04 +0200

Thanks. I downloaded and installed. The Export works. The multi networks in connections is buggy. I am connecting to a Juniper ISG-1000. I have networks: 192.190.45.0/24, 198.189.27.0/24, 205.155.73.32/27, 205.155.73.128/27, 205.155.74.0/24 and 205.155.75.0/24. If I just have the 192.190.. and 198.189.. I can connect, but if I add all 6 networks the log shows that there are 3 networks configured and I cannot connect to them and the status light is red. Here is the log:

Jul 03, 10:27:09 Debug APP All connections authenticated
Jul 03, 10:27:09 Debug APP State change from IDLE to AUTHENTICATING after event START
Jul 03, 10:27:09 Info APP IPSec authenticating
Jul 03, 10:27:09 Error APP Connection MLML 27-45 is not started because no route to remote host was found
Jul 03, 10:27:09 Info APP IKE daemon started
Jul 03, 10:27:09 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER
Jul 03, 10:27:09 Info APP IPSec started
Jul 03, 10:27:09 Info IKE Foreground mode.
Jul 03, 10:27:09 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 03, 10:27:09 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jul 03, 10:27:09 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jul 03, 10:27:09 Info IKE Resize address pool from 0 to 255
Jul 03, 10:27:09 Debug IKE parse successed.
Jul 03, 10:27:09 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management.
Jul 03, 10:27:09 Debug IKE my interface: fe80::1%lo0 (lo0)
Jul 03, 10:27:09 Debug IKE my interface: 127.0.0.1 (lo0)
Jul 03, 10:27:09 Debug IKE my interface: ::1 (lo0)
Jul 03, 10:27:09 Debug IKE configuring default isakmp port.
Jul 03, 10:27:09 Debug IKE 3 addrs are configured successfully
Jul 03, 10:27:09 Info IKE ::1[500] used as isakmp port (fd=6)
Jul 03, 10:27:09 Info IKE 127.0.0.1[500] used as isakmp port (fd=7)
Jul 03, 10:27:09 Info IKE fe80::1%lo0[500] used as isakmp port (fd=8)
Jul 03, 10:27:09 Debug IKE get pfkey X_SPDDUMP message
Jul 03, 10:27:09 Debug IKE 02120200 02000000 00000000 46080000
Jul 03, 10:27:09 Debug IKE pfkey X_SPDDUMP failed: No such file or directory

Re: Export connections requests import password by cnadig on 2008-07-04 13:19:31 +0200

Hello, what does the tooltip say when you hover the mouse over the red dot? Cheers, Christoph

Re: Export connections requests import password by jarlt on 2008-07-07 20:14:43 +0200

I connected this morning and the dot is green and the mouse over is connected. When I attempt to connect to a server on the 192.190.45.0/24 network it fails. I'll send you the connection log. Thanks

Re: Export connections requests import password by jarlt on 2008-07-07 20:22:19 +0200

I am getting "msg 5 not interesting" when I attempt to connect to servers on the different networks. When I use the connection for the individual network I am able to connect.
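Reading a racoon log is the recurring job in this thread and in the Juniper thread above: Christoph reads the repeated NO-PROPOSAL-CHOSEN as the firewall rejecting the phase 1 proposal, and the "phase2 negotiation failed due to time up waiting for phase1" lines that follow are only a consequence of phase 1 never completing; jarlt's second log starts with a connection that "is not started because no route to remote host was found". The following added example (my own Python, not IPSecuritas or racoon code) parses the log format shown in these posts and reports the first root cause in time order, so that the symptom lines do not hide it. The diagnosis texts paraphrase the explanations given in this forum; the line format regex, the key names and the sample log (assembled from lines quoted above, with the connection name, cookie and addresses replaced by constructed values) are my assumptions.

```python
"""Triage of an IPSecuritas / racoon connection log.  Added example, not IPSecuritas code.

Log lines look like "Jun 18, 16:23:25 Error IKE fatal NO-PROPOSAL-CHOSEN ...".
Banner lines (product version, kernel) carry no timestamp and are skipped.
"""
import re
from collections import OrderedDict
from typing import Dict, NamedTuple, Optional

# Some lines on this forum lack the space after the comma ("Jun 18,16:26:25"), hence ,\s*
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} \d{2}),\s*(?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<level>Debug|Info|Warning|Error) (?P<src>APP|IKE) (?P<msg>.*)$"
)


class Entry(NamedTuple):
    time: str
    level: str
    src: str    # APP = IPSecuritas itself, IKE = the racoon daemon
    msg: str


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    return Entry(m["time"], m["level"], m["src"], m["msg"]) if m else None


# (substring of the message, short key, reading given to it on this forum)
DIAGNOSES = [
    ("NO-PROPOSAL-CHOSEN", "phase1_proposal",
     "peer rejected the phase 1 proposal: compare encryption, hash, DH group, "
     "authentication method and ID settings on both sides"),
    ("phase1 negotiation failed due to time up", "phase1_timeout",
     "no usable IKE reply from the peer before the phase 1 timer expired"),
    ("Invalid SIG", "signature",
     "the peer's IKE signature did not verify against the certificate configured here"),
    ("no route to remote host", "no_route",
     "connection not started: the local routing table has no route to the remote endpoint"),
    ("phase2 negotiation failed due to time up waiting for phase1", "phase2_waiting",
     "phase 2 could not start because phase 1 never completed; look for an earlier phase 1 error"),
]


def triage(log_text: str) -> Dict[str, object]:
    """Summarise a log: entry/error counts, first occurrence of each known finding,
    and the earliest finding that is a cause rather than a phase 2 symptom."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings: "OrderedDict[str, str]" = OrderedDict()
    for e in entries:
        if e.level not in ("Warning", "Error"):
            continue
        for needle, key, diagnosis in DIAGNOSES:
            if needle in e.msg and key not in findings:
                findings[key] = f"{e.time}: {diagnosis}"
                break
    root = next((k for k in findings if k != "phase2_waiting"), None)
    return {
        "entries": len(entries),
        "errors": sum(e.level == "Error" for e in entries),
        "findings": dict(findings),
        "root_cause": root,
    }


# Constructed sample: lines quoted in the Juniper thread with name/cookie/addresses replaced.
SAMPLE_LOG = """\
IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Jun 18, 16:23:23 Info APP IKE daemon started
Jun 18, 16:23:24 Info APP Initiated connection EXAMPLE
Jun 18, 16:23:24 Warning IKE No ID match.
Jun 18, 16:23:25 Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 18, 16:23:30 Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted.
Jun 18,16:26:42 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 192.0.2.1[500]->198.51.100.7[500]
Jun 18, 16:26:56 Error IKE phase1 negotiation failed due to time up. 0000000000000000:0000000000000000
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Lines such as "inappropriate sadb acquire message passed" and "msg 5 not interesting" appear in both working and failing logs on this page without an explanation, so the example deliberately leaves them out of its table rather than guess a meaning.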
odd issue

odd issue by tmcnicho on 2008-07-02 21:40:01 +0200

I hadn't used IPSecuritas in a while, and had since updated to 10.5.3. Went to connect and it just sits there doing nothing. I've found through troubleshooting that if I change the remote settings from "network" to "anywhere" it connects just fine, but then of course sends ALL my traffic down the tunnel. Any ideas here? I'm connecting to a checkpoint vpn. Thanks, Tom

Re: odd issue by tmcnicho on 2008-07-02 22:10:47 +0200

OK... maybe my notation is just way off here. I was previously using 172.16.0.0/12 as the remote side. If I define the networks on the other end I need to connect to manually, it works fine, such as 172.16.19.0/24, 172.16.225.0/24... etc. I have previously used 172.16.0.0/12 without a problem... :| tom

Re: odd issue by dbc on 2008-07-03 04:23:48 +0200

172.16.0.0/12 is the same as 172.0.0.0/12, as the /12 specifies a netmask of 255.240.0.0. I suspect you mean 172.16.0.0/16, which would be a netmask of 255.255.0.0. -dave

Works wired, fails wireless

Works wired, fails wireless by dbc on 2008-07-03 03:33:56 +0200

Search did not turn up any similar problems. IPsecuritas 3.1 on OS X 10.4.11, Netgear FVS318r3. I configured and tested everything perfectly well through the wired Ethernet port. Today I tried with Airport for the first time. IPSecuritas came right up to the "green ball" stage with no hitches. But.. no connectivity either. Could not ping my home network or the router. Yet, I come back to the wired network and IPsecuritas works perfectly. All the time on wireless, IPSecuritas is perfectly happy to start and stop and the log messages are all normal, as far as I can tell. Yet, no pings back to the router. Is there something that needs to be configured differently? Clearly from the log messages IPSecuritas is finding the wireless network and is connecting to the Netgear box without any problem. Yet no traffic flows that way.
My home network is a 192.168.0.0/24 network, and the wireless network that I was on served a DHCP address from the 192.168.1.0/24 range. So, there should not be a conflict there since both networks use netmask 255.255.255.0. IPSecuritas is configured to tunnel traffic to 192.168.0.0/24 only. All other traffic was going out correctly. Again, IPSecuritas appears to think it is working correctly, but doesn't seem to pass any traffic.

Re: Works wired, fails wireless by dbc on 2008-07-04 18:12:20 +0200

Update: This appears to be a problem with the hot spot infrastructure, not ipsecuritas, but hopefully people here can shed some light on what may be happening. After reading the documentation, it seems that when you get a "green ball connect" but no traffic passes, it is a symptom of NAT traversal problems. My original configuration was set for "enable" NAT-T. I created another configuration set for "force" NAT-T. Also, I went to another hot spot to test, and both the "enable" and "force" NAT-T configurations worked perfectly. At the problematic hot spot, both the "enable" and "force" configurations gave a "green ball connect" but would not pass traffic. At this point, I suspect that there is some configuration issue in the hot spot, and would like to help diagnose the problem there. What should I look for? There are several boxes in the path, a wireless access point of course, and also a firewall box. Something somewhere is serving DHCP addresses. What can I do to provide additional diagnosis?

Re: Works wired, fails wireless by Forum Admin on 2008-07-05 12:41:17 +0200

Hello, in public hotspots you will usually need NAT-T. IPSec traffic is transported in ESP packets, which are not NAT aware (incoming ESP packets cannot be uniquely assigned to a host in a NATed network, which hotspots usually are. Some NAT routers will send incoming ESP packets to the host that last sent out an ESP packet, problematic if you are not the only user using IPSec in this hotspot.
Other routers do not pass on ESP at all, or it is disabled by their operator). NAT-T encapsulates the ESP traffic in UDP packets, which are NAT aware, and incoming traffic can be assigned to the right host by any router. Please note that the firewall you connect to needs to support NAT-T (not to be confused with IPSec pass-through). The reason why you get the green dot but cannot connect to any remote host is that the tunnel could be established successfully (the tunnel negotiation is done with UDP as well), but traffic is silently dropped by the hotspot. Hope this helps, Christoph

Re: Works wired, fails wireless by dbc on 2008-07-05 18:29:20 +0200

Yes, that helps, it clarifies a lot. I'm still unclear on what may be causing the packets to be dropped by the hot spot. With NAT-T enabled, how does the tunnel negotiation traffic differ from payload traffic? It would seem that the hot spot is dropping the payload UDP packets but passing the negotiation UDP packets.

Re: Works wired, fails wireless by Forum Admin on 2008-07-10 10:15:00 +0200

Hello, this depends on the NAT versions that your firewall supports, but basically there are not a lot of differences. In some NAT versions, the UDP port is different between IKE (connection negotiation, ports 500 and 4500) and payload (a free port number agreed on during connection negotiation). If you can establish a connection but payload is blocked, chances are high that no NAT-T was agreed even if NAT-T was forced in IPSecuritas. The best way to check this is to sniff your network traffic with tcpdump, e.g. sudo tcpdump -i en1 (or en0 when connected with Ethernet). If the command only shows ESP traffic going to your firewall, no NAT-T was negotiated and your firewall most probably does not support it. Hope this helps, Christoph

Re: Works wired, fails wireless by dbc on 2008-07-11 07:44:10 +0200

OK, very good. I will try that the next time I am at that hotspot.
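Christoph's check above, "if tcpdump only shows ESP going to your firewall, no NAT-T was negotiated", comes down to telling raw ESP (IP protocol 50, which a NAT cannot demultiplex) from ESP carried inside UDP. The following added example (my own Python, not IPSecuritas, racoon or tcpdump code) classifies captured IPv4 packets that way and turns a capture into the verdict the thread is after. It assumes the RFC 3948 form of NAT-T, in which IKE and encapsulated ESP share UDP port 4500 and are told apart by four zero bytes (the Non-ESP Marker) in front of IKE, with a single 0xFF byte serving as NAT keepalive; the older draft variants with a separately negotiated payload port that Christoph mentions are not modelled. The packets are constructed inline with RFC 5737 documentation addresses; nothing is captured live, and the label names are my own.

```python
"""Raw ESP or UDP-encapsulated ESP?  Added example, not IPSecuritas or tcpdump code.

classify() labels one IPv4 packet; natt_verdict() summarises a capture the way
Christoph suggests reading tcpdump output.  Assumes RFC 3948 NAT-T (UDP/4500,
Non-ESP Marker, 0xFF keepalive).
"""
import socket
import struct
from typing import List

PROTO_UDP, PROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500


def classify(packet: bytes) -> str:
    """Label one IPv4 packet by how it carries IPsec."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    payload = packet[ihl:]
    if proto == PROTO_ESP:
        return "esp-raw"                  # protocol 50: a NAT has no port to map it by
    if proto != PROTO_UDP or len(payload) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]                    # UDP header is 8 bytes
    if IKE_PORT in (sport, dport):
        return "ike-udp500"               # negotiation before any NAT-T float
    if NATT_PORT in (sport, dport):
        if data == b"\xff":
            return "natt-keepalive"       # RFC 3948 keepalive
        if data[:4] == b"\x00\x00\x00\x00":
            return "ike-udp4500"          # Non-ESP Marker: IKE after floating to 4500
        return "esp-in-udp"               # UDP-encapsulated ESP: the NAT-T payload
    return "other"


def natt_verdict(packets: List[bytes]) -> str:
    """The reading of a capture between client and firewall."""
    labels = {classify(p) for p in packets}
    if "esp-in-udp" in labels:
        return "NAT-T in use: payload travels as UDP/4500"
    if "esp-raw" in labels:
        return "no NAT-T negotiated: payload is raw ESP (protocol 50), which a NAT may drop or misdeliver"
    if labels & {"ike-udp500", "ike-udp4500"}:
        return "only IKE seen: tunnel negotiated but no payload observed"
    return "no IPsec traffic seen"


# ---- constructed sample packets (RFC 5737 documentation addresses) ----
def ipv4(proto: int, payload: bytes, src: str = "192.0.2.10", dst: str = "198.51.100.1") -> bytes:
    """Minimal IPv4 header (no options, zero checksum) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header (zero checksum) in front of data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# ESP: SPI (non-zero by definition), sequence number, then ciphertext (constructed)
ESP_SAMPLE = struct.pack("!II", 0x0000ABCD, 1) + b"\x11" * 16
# ISAKMP header: cookies, next payload, version 1.0, exchange, flags, message id, length
IKE_SAMPLE = (bytes.fromhex("0123456789abcdef") + bytes(8) + b"\x01\x10\x02\x00"
              + bytes(4) + struct.pack("!I", 28))

SAMPLE_CAPTURE_NO_NATT = [ipv4(PROTO_UDP, udp(500, 500, IKE_SAMPLE)),
                          ipv4(PROTO_ESP, ESP_SAMPLE)]
SAMPLE_CAPTURE_NATT = [ipv4(PROTO_UDP, udp(4500, 4500, bytes(4) + IKE_SAMPLE)),
                       ipv4(PROTO_UDP, udp(4500, 4500, ESP_SAMPLE)),
                       ipv4(PROTO_UDP, udp(4500, 4500, b"\xff"))]

if __name__ == "__main__":
    for name, capture in (("wired, no NAT-T", SAMPLE_CAPTURE_NO_NATT),
                          ("hotspot, NAT-T", SAMPLE_CAPTURE_NATT)):
        print(name, [classify(p) for p in capture], "->", natt_verdict(capture))
```

On the wire, the same distinction shows up in a capture filter such as `sudo tcpdump -i en1 -n 'ip proto 50 or udp port 500 or udp port 4500'`: a stream of `ESP(spi=...)` lines after the IKE exchange means raw ESP, while `NONESP-encap` or `UDP` lines on port 4500 mean the encapsulation was negotiated.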
Re: Works wired, fails wireless by uocooper on 2008-11-25 22:01:44 +0100

Similar setup here with the same issues. 10.5.5, IPSecuritas 3.1, Netgear FVS318v3. Airport network is on 172.16.33.x and the VPN is on 192.168.1.x. It works fine if I'm directly connected to my cable modem, but if I use an Airport Extreme (802.11g) with firmware 5.7 it shows that it's connected but nothing actually works. I can't ping an IP on the VPN network. This is the Airport Extreme that looks like a white mushroom. I've tried going through the various NAT-T options in IPSecuritas but no dice. I've also tried modifying the NAT options of the basestation but it doesn't matter how it's set. Is using this version of the Airport Extreme known to not work with IPSecuritas, or is there anything else I can try to get it working?

VPN connections with same local and remote netaddr

VPN connections with same local and remote netaddr by TStewart on 2008-07-03 20:09:09 +0200

I have a SonicWall Pro 100 at work that I connect to from outside our LAN. The internal private address scheme is 192.168.0.x /24. When I was first setting up my VPN client, I couldn't connect from home, as my home network had a matching network address scheme: 192.168.0.x. I then changed the network address to 192.168.1.x, and all has worked fine. However, there are times when I need to connect to my work VPN from remote networks where the local private network address matches the same private network address as work. I have been unsuccessful at coming up with a solution around this. Is there anything I can do? Am I just missing a simple setting? Thanks!
TStewart

Here are screenshots of my settings:
[img]http://www.gigafiles.co.uk/files/2130/Picture%202.jpg[/img]
[img]http://www.gigafiles.co.uk/files/2130/Picture%203.jpg[/img]
[img]http://www.gigafiles.co.uk/files/2130/Picture%204.jpg[/img]
[img]http://www.gigafiles.co.uk/files/2130/Picture%205.jpg[/img]
[img]http://www.gigafiles.co.uk/files/2130/Picture%206.jpg[/img]
[img]http://www.gigafiles.co.uk/files/2130/Picture%207.jpg[/img]

Re: VPN connections with same local and remote net by TStewart on 2008-07-09 01:01:32 +0200

Disregard! This was a kind of stupid question I asked. How can you route between duplicate IP spaces? Doesn't work. . . Tyler

Re: VPN connections with same local and remote net by joostvdl on 2008-12-15 08:42:00 +0100

It isn't a stupid question, because a lot of companies select the same private address range for their local network. So when they need to be connected it gives conflicts. I found that the ZyWALL Firewalls have the option to use NAT over IPSEC (Virtual Address Mapping) to solve this problem. I tried it with IPSecuritas 3.1 but I couldn't get it working. So if anyone has got it working please let me know.

Re: VPN connections with same local and remote net by Forum Admin on 2008-12-16 14:56:05 +0100

Hello, there is an option to disable the address collision check altogether in 3.2 (see latest beta). Please note, however, that using the same network locally and remotely will hide the local network (since all traffic will be routed through the tunnel to the remote side). Therefore, hosts (machines, printers etc.) in the local LAN will be unavailable when IPSec is active with such a configuration. Hope this helps, Christoph

Run as Non-Admin user

Run as Non-Admin user by gibbsjoh on 2008-07-10 11:43:14 +0200

Hi All, We are hoping to deploy IPSecuritas in lieu of VPN Tracker to around 5 remote users. These users are not currently admin users on their company laptops - and I'd prefer to keep it that way.
My question: is there any way to run IPSecuritas without needing an admin username and password? I suspect not, as it's a racoon issue from what I can see. I've tried using an AppleScript, using "do shell script" with the path to the executable, and the "with administrator privileges" flag, with no luck. Any info would be much appreciated. John

Re: Run as Non-Admin user by cnadig on 2008-07-16 11:46:16 +0200

Hello, it should work fine for non-admin users; you should need to enter the admin password at first run only. However, if you run it as a non-admin user for the first time, you'll need to reboot the machine afterwards. Otherwise the user will be prompted for the admin password again when he logs in the next time and runs IPSecuritas (this is due to a limitation/bug in MacOS which we have no way to change). Hope this helps, Christoph

Network Collision

Network Collision by mudiam on 2008-07-17 21:37:07 +0200

Hello, I am trying to set up my vpn to my work and I get a red light when I connect. Here is the log:

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Jul 17, 12:21:05 Debug APP State change from IDLE to AUTHENTICATING after event START
Jul 17, 12:21:05 Info APP IPSec authenticating
Jul 17, 12:21:05 Info APP IKE daemon started
Jul 17, 12:21:05 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER
Jul 17, 12:21:05 Info APP IPSec started
Jul 17, 12:21:05 Info IKE Foreground mode.
Jul 17, 12:21:05 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 17, 12:21:05 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jul 17, 12:21:05 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jul 17, 12:21:05 Info IKE Resize address pool from 0 to 255
Jul 17, 12:21:05 Debug IKE parse successed.
Jul 17, 12:21:05 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management.
Jul 17, 12:21:05 Debug IKE my interface: ::1 (lo0)
Jul 17, 12:21:05 Debug IKE my interface: fe80::1%lo0 (lo0)
Jul 17, 12:21:05 Debug IKE my interface: 127.0.0.1 (lo0)
Jul 17, 12:21:05 Debug IKE my interface: fe80::217:f2ff:fed4:dab6%en0 (en0)
Jul 17, 12:21:05 Debug IKE my interface: 192.168.1.100 (en0)
Jul 17, 12:21:05 Debug IKE my interface: fe80::21c:42ff:fe00:0%en2 (en2)
Jul 17, 12:21:05 Debug IKE my interface: 10.37.129.3 (en2)
Jul 17, 12:21:05 Debug IKE my interface: fe80::21c:42ff:fe00:1%en3 (en3)
Jul 17, 12:21:05 Debug IKE my interface: 10.211.55.3 (en3)
Jul 17, 12:21:05 Debug IKE configuring default isakmp port.
Jul 17, 12:21:05 Debug IKE 9 addrs are configured successfully
Jul 17, 12:21:05 Info IKE 10.211.55.3[500] used as isakmp port (fd=7)
Jul 17, 12:21:05 Info IKE fe80::21c:42ff:fe00:1%en3[500] used as isakmp port (fd=8)
Jul 17, 12:21:05 Info IKE 10.37.129.3[500] used as isakmp port (fd=9)
Jul 17, 12:21:05 Info IKE fe80::21c:42ff:fe00:0%en2[500] used as isakmp port (fd=10)
Jul 17, 12:21:05 Info IKE 192.168.1.100[500] used as isakmp port (fd=11)
Jul 17, 12:21:05 Info IKE fe80::217:f2ff:fed4:dab6%en0[500] used as isakmp port (fd=12)
Jul 17, 12:21:05 Info IKE 127.0.0.1[500] used as isakmp port (fd=13)
Jul 17, 12:21:05 Info IKE fe80::1%lo0[500] used as isakmp port (fd=14)
Jul 17, 12:21:05 Info IKE ::1[500] used as isakmp port (fd=15)
Jul 17, 12:21:05 Debug IKE get pfkey X_SPDDUMP message
Jul 17, 12:21:05 Debug IKE 02120200 02000000 00000000 ff110000
Jul 17, 12:21:05 Debug IKE pfkey X_SPDDUMP failed: No such file or directory

My local network is 192.168.1.xxx and my office network is 10.0.0.0/8

Re: Network Collision by mudiam on 2008-07-18 07:17:01 +0200

Ok, so, I got rid of the interfaces that were conflicting. As I was running Parallels interfaces, I disabled them, as they were in the 10. network as well.
Now I am getting a different error, Connection timed out. Here is the debug log..

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Jul 17, 22:10:52 Debug APP State change from IDLE to AUTHENTICATING after event START
Jul 17, 22:10:52 Info APP IPSec authenticating
Jul 17, 22:10:52 Info APP IKE daemon started
Jul 17, 22:10:52 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER
Jul 17, 22:10:52 Info APP IPSec started
Jul 17, 22:10:52 Debug APP Received SADB message type X_SPDUPDATE not interesting
Jul 17, 22:10:52 Debug APP Received SADB message type X_SPDUPDATE not interesting
Jul 17, 22:10:52 Debug IKE Foreground mode.
Jul 17, 22:10:52 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Jul 17, 22:10:52 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Jul 17, 22:10:52 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Jul 17, 22:10:52 Info IKE Resize address pool from 0 to 255
Jul 17, 22:10:52 Debug IKE lifetime = 28800
Jul 17, 22:10:52 Debug IKE lifebyte = 0
Jul 17, 22:10:52 Debug IKE encklen=0
Jul 17, 22:10:52 Debug IKE p:1 t:1
Jul 17, 22:10:52 Debug IKE 3DES-CBC(5)
Jul 17, 22:10:52 Debug IKE SHA(2)
Jul 17, 22:10:52 Debug IKE 1536-bit MODP group(5)
Jul 17, 22:10:52 Debug IKE XAuth pskey client(65001)
Jul 17, 22:10:52 Debug IKE hmac(modp1536)
Jul 17, 22:10:52 Debug IKE compression algorithm can not be checked because sadb message doesn't support it.
Jul 17, 22:10:52 Debug IKE parse successed.
Jul 17, 22:10:52 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management.
Jul 17, 22:10:52 Info IKE 192.168.1.100[4500] used as isakmp port (fd=7) Jul 17, 22:10:52 Info IKE 192.168.1.100[500] used as isakmp port (fd=8) Jul 17, 22:10:52 Debug IKE get pfkey X_SPDDUMP message Jul 17, 22:10:52 Debug IKE 02120000 0f000100 01000000 ed130000 03000500 ff080000 10020000 0a000000 Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff200000 10020000 c0a80164 00000000 00000000 Jul 17, 22:10:52 Debug IKE 07001200 02000100 34000000 00000000 28003200 02020000 10020000 3fe55d05 Jul 17, 22:10:52 Debug IKE 00000000 00000000 10020000 c0a80164 00000000 00000000 Jul 17, 22:10:52 Debug IKE get pfkey X_SPDDUMP message Jul 17, 22:10:52 Debug IKE 02120000 0f000100 00000000 ed130000 03000500 ff200000 10020000 c0a80164 Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff080000 10020000 0a000000 00000000 00000000 Jul 17, 22:10:52 Debug IKE 07001200 02000200 33000000 00000000 28003200 02020000 10020000 c0a80164 Re: Network Collision by mudiam on 2008-07-18 07:21:03 +0200 well, the main errors are.. 
Jul 17, 22:10:52 Info APP Initiated connection Vcommerce VPN Jul 17, 22:10:52 Debug IKE get pfkey ACQUIRE message Jul 17, 22:10:52 Debug IKE 02060003 24000000 e9000000 00000000 03000500 ff200000 10020000 c0a80164 Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff200000 10020000 3fe55d05 00000000 00000000 Jul 17, 22:10:52 Debug IKE 1c000d00 20000000 00030000 00000000 00010008 00000000 01000000 01000000 Jul 17, 22:10:52 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000 Jul 17, 22:10:52 Debug IKE 80700000 00000000 00000000 00000000 00040000 00000000 0001c001 00000000 Jul 17, 22:10:52 Debug IKE 01000000 01000000 00000000 00000000 00000000 00000000 00000000 00000000 Jul 17, 22:10:52 Debug IKE 80510100 00000000 80700000 00000000 00000000 00000000 000c0000 00000000 Jul 17, 22:10:52 Debug IKE 00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 Jul 17, 22:10:52 Debug IKE 00000000 00000000 80510100 00000000 80700000 00000000 00000000 00000000 Jul 17, 22:10:52 Error IKE inappropriate sadb acquire message passed. Jul 17, 22:10:52 Debug IKE get pfkey ACQUIRE message Jul 17, 22:10:52 Debug IKE 02060003 14000000 e7000000 51130000 03000500 ff200000 10020000 c0a80164 Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff200000 10020000 3fe55d05 00000000 00000000 Jul 17, 22:10:52 Debug IKE 0a000d00 20000000 000c0000 00000000 00010001 00000000 01000000 01000000 Jul 17, 22:10:52 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000 Jul 17, 22:10:52 Debug IKE 80700000 00000000 00000000 00000000 02001200 02000200 33000000 00000000 Jul 17, 22:10:52 Debug IKE suitable outbound SP found: 192.168.1.100/32[0] 10.0.0.0/8[0] proto=any dir=out. 
Jul 17, 22:10:52 Debug IKE sub:0xbffff4fc: 10.0.0.0/8[0] 192.168.1.100/32[0] proto=any dir=in Jul 17, 22:10:52 Debug IKE db :0x308cb8: 10.0.0.0/8[0] 192.168.1.100/32[0] proto=any dir=in Jul 17, 22:10:52 Debug IKE suitable inbound SP found: 10.0.0.0/8[0] 192.168.1.100/32[0] proto=any dir=in. Jul 17, 22:10:52 Debug IKE new acquire 192.168.1.100/32[0] 10.0.0.0/8[0] proto=any dir=out Jul 17, 22:10:52 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) Jul 17, 22:10:52 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-sha) --Jul 17, 22:10:53 Jul 17, 22:10:53 Jul 17, 22:10:53 Jul 17, 22:10:53 ------ Debug IKE Configuration exchange type mode config SET Debug IKE Attribute XAUTH_STATUS Error IKE Xauth authentication failed Debug IKE Sending MODE_CFG ACK Re: Network Collision by mudiam on 2008-07-18 07:26:10 +0200 well, there was too much logging when in debug, so I am just doing info.. PSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Jul 17, 22:23:26 Info APP IPSec started Jul 17, 22:23:26 Error IKE Foreground mode. Jul 17, 22:23:26 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jul 17, 22:23:26 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jul 17, 22:23:26 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jul 17, 22:23:26 Info IKE Resize address pool from 0 to 255 Jul 17, 22:23:27 Info APP Initiated connection Vcommerce VPN Jul 17, 22:23:27 Error IKE inappropriate sadb acquire message passed. Jul 17, 22:23:27 Warning IKE No ID match. Jul 17, 22:23:27 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Jul 17, 22:23:27 Error IKE Xauth authentication failed Jul 17, 22:23:27 Error IKE unknown Informational exchange received. 
Jul 17, 22:23:27 Error IKE unknown Informational exchange received. Jul 17, 22:23:34 Info APP Initiated connection Vcommerce VPN Jul 17, 22:23:41 Info APP Initiated connection Vcommerce VPN Jul 17, 22:23:43 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 63.229.93.5[0]->192.168.1.100[0] Jul 17, 22:23:48 Info APP Initiated connection Vcommerce VPN Jul 17, 22:23:48 Warning IKE No ID match. Jul 17, 22:23:48 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Jul 17, 22:23:48 Error IKE Xauth authentication failed Jul 17, 22:23:48 Error IKE unknown Informational exchange received. Jul 17, 22:23:48 Error IKE unknown Informational exchange received. Jul 17, 22:23:55 Info APP Initiated connection Vcommerce VPN Jul 17, 22:23:55 Error IKE inappropriate sadb acquire message passed. Jul 17, 22:24:00 Warning APP Connection Vcommerce VPN timed out Jul 17, 22:24:00 Warning APP Suspending for 15 seconds Jul 17, 22:24:04 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 63.229.93.5[0]->192.168.1.100[0] Jul 17, 22:24:16 Warning APP Connection Vcommerce VPN reactivated after suspension Jul 17, 22:24:16 Error IKE such policy does not already exist: "192.168.1.100/32[0] 10.0.0.0/8[0] proto=any dir=out" Jul 17, 22:24:16 Error IKE such policy does not already exist: "10.0.0.0/8[0] 192.168.1.100/32[0] proto=any dir=in" Jul 17, 22:24:19 Info APP Initiated connection Vcommerce VPN Jul 17, 22:24:19 Error IKE inappropriate sadb acquire message passed. Jul 17, 22:24:19 Warning IKE No ID match. Jul 17, 22:24:19 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Jul 17, 22:24:19 Error IKE Xauth authentication failed Jul 17, 22:24:19 Error IKE unknown Informational exchange received. Jul 17, 22:24:19 Error IKE unknown Informational exchange received. 
Jul 17, 22:24:26 Info APP Initiated connection Vcommerce VPN
Jul 17, 22:24:33 Info APP Initiated connection Vcommerce VPN
Jul 17, 22:24:35 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 63.229.93.5[0]->192.168.1.100[0]
Jul 17, 22:24:40 Info APP Initiated connection Vcommerce VPN
Jul 17, 22:24:40 Warning IKE No ID match.
Jul 17, 22:24:40 Info IKE couldn't find the proper pskey, try to get one by

smb, ssh drops after few minutes
smb, ssh drops after few minutes by ejbcommander on 2008-07-18 14:36:57 +0200
Hi, everything here works fine (after 3 days of trial & error) with Checkpoint SecureClient NGX VPN-1 and IPSecuritas 3.2b1 on 10.4.11 - except smb-shares and ssh-sessions. Mounted smb-shares are dropped after a few minutes, same with ssh. Is that a known issue? Is there a solution? I often have to start long running build-processes on remote servers, now I can only complete them by starting them nohup. Thanks in advance, Michael

Linksys WVRS4400N - Any Secrets???
Linksys WVRS4400N - Any Secrets??? by Beavis on 2008-07-19 01:52:47 +0200
So I have a Linksys WVRS4400N that I know is set up right because I can connect via QuickVPN with XP from my mac at home. Did the connection wizard with ipsecuritas and no dice : { Been reading posts here but still can't find any detailed instructions to get this working. Even following the advice of setting the Remote Security Group to a specific IP. Am I missing something? There are still a lot of acronyms and things I don't fully understand, but I know I'm ALMOST there. Does anyone have some detailed instructions? Thanks in advance! Beavis McSleavis :-/

WRVS 4400N Setup
WRVS 4400N Setup by Beavis on 2008-07-21 22:51:00 +0200
We have this linksys router with these specs...
[img]http://www.boxwrench.net/images/posts/VPN.png[/img]
[img]http://www.boxwrench.net/images/posts/Advanced.png[/img]
[img]http://www.boxwrench.net/images/posts/General.png[/img]
And this is how we have it setup in IPSecuritas...
[img]http://www.boxwrench.net/images/posts/Phase_1.png[/img]
[img]http://www.boxwrench.net/images/posts/Phase_2.png[/img]
[img]http://www.boxwrench.net/images/posts/ID.png[/img]
[img]http://www.boxwrench.net/images/posts/DNS.png[/img]
[img]http://www.boxwrench.net/images/posts/Options.png[/img]
We still can't get a connection. We purchased a static IP thru our ISP and it is correctly set up to passthrough VPN with NAT disabled. Can anyone see what is wrong? Thanks in advance 8-)

Re: WRVS 4400N Setup by cnadig on 2008-07-22 15:19:43 +0200
Hello, I helped configure a WRVS4400N a while ago and found it had a rather peculiar speciality - connecting with a random IP address would not work. We got it working by specifying an IP address for 'Remote Security Group Type' (like 10.10.1.1, please copy this address to the local endpoint IP address field in IPSecuritas). This also means that you need to set up more than one connection if more than one user wants to connect at the same time. Hope this helps, Christoph

Re: WRVS 4400N Setup by Beavis on 2008-07-22 20:40:18 +0200
Thanks Christoph, For clarification, what is the local host IP? Is that the local LAN IP of the departure router from the remote location? Example: I'm at a coffee shop with my laptop, I don't know the local IP of the shop's router. This is my remote departure point. I'm attempting to connect to my router at my home office which is behind a static IP. I know the static IP, DNS, LAN IP, and subnet mask at my office. Again I do not know the coffee shop's LAN. Does their router need to have VPN enabled? Is it possible to use IPSecuritas to make an IPSec connection without knowing your departure LAN IP? The connection works fine with the Linksys Quick VPN on a PC in the above scenario. Hoping IPSecuritas will enable my Macbook Pros the same access! Thanks again!
:)

Re: WRVS 4400N Setup by DistortedLoop on 2008-12-04 18:56:12 +0100
The WRVS4400N is temperamental with Macs and IPSecuritas, but you can establish a working tunnel to get onto your network. I figured this out a couple of years ago and posted settings here on this forum. I also see that the newer versions of IPSecuritas include an auto-configuration file for the 4400N. Looking at the particular settings you set, the first thing I see you have set wrong is in the Advanced Settings on the Linksys. Both your local and remote identifiers have to be set to ip address, not name. If you use name, it must be a domain name (i.e., www.mydomain.com), and any DNS lookup on that name must resolve to your current ip address on that end of the connection. Also, use Main, not Aggressive. I've found that dissecting the WRVS4400N's VPN log can really help in figuring out what settings you have that are wrong. One caveat about the connection: I've just learned after a couple of years of using IPSecuritas --> WRVS4400N that not all network traffic goes over the VPN (https, mail, chat, etc - they aren't on the VPN). I'm trying to research that right now, which is why I came back to the forum here and ran across your older post. At this point, you've probably given up or figured it out, but maybe my information above will help others who are trying to figure out getting a connection going.

Re: WRVS 4400N Setup by DistortedLoop on 2008-12-04 21:49:53 +0100
Oops! Forgot to mention that you have to use Firmware V1.00.16 or earlier. I spent a good 12 hours trying to get the new firmware (V1.03?) working without success. Pretty frustrating. The issue with the new firmware is that you must use a domain name or specific ip address to identify the client; the use of "any" never worked. I verified this by using a Sprint Aircard to attempt to VPN while sitting in front of my router. If I put in the dynamic ip address of the Aircard as the remote identifier, connection establishes. This won't work if you're on the road unless you jump through some hoops. One way to do it would be to enable remote administration of your WRVS4400N over the WAN. You could log in via the web interface, and change the VPN settings on the router to match your current ip address. Ugly workaround in my opinion. Another method that might work for the Aircard user, which I haven't tried because I am not interested at this time in upgrading the firmware back to V1.03 to test it out, would be to register an account with DYNDNS.ORG for your laptop/remote system, then use their OS X widget that dynamically updates your ip address on their DNS servers. You would then use the domain name in the remote identifier (i.e. mymobilename.dyndns.org). Should work, but again, I haven't tested it. I may have to if trying to get all network traffic to go over the VPN forces me to try the newer firmware.

Re: WRVS 4400N Setup by DistortedLoop on 2008-12-05 16:02:49 +0100
[quote author=DistortedLoop link=1216673460/0#4 date=1228423793] Another method that might work for the Aircard user, which I haven't tried because I am not interested at this time in upgrading the firmware back to V1.1.03 to test it out, would be to register an account with DYNDNS.ORG for your laptop/remote system, then use their OS X widget that dynamically updates your ip address on their DNS servers. You would then use the domain name in the remote identifier (i.e. mymobilename.dyndns.org). Should work, but again, I haven't tested it. I may have to if trying to get all network traffic to go over the VPN forces me to try the newer firmware. [/quote]
Desperately trying to figure out another problem, I bit the bullet and upgraded back to Firmware v1.1.03. My method above does work in terms of allowing you to use a domain name as the mobile user's ip address. This is pretty handy if your system is stable with v1.1.03. Unfortunately I had to downgrade back to v1.00.16 because the newer firmware leaves the router in a corrupt state after IPSecuritas connections to it disconnect. ;-(

Linksys VS Netgear
Linksys VS Netgear by Beavis on 2008-07-22 20:57:26 +0200
I'm having problems with my linksys WRVS4400N, and have been looking into a Netgear FVS336G. Can anyone recommend one over the other while using IPSecuritas? Or any other brand or model for that matter. The Netgear seems to have some better specs. Any advice is appreciated. Thanks!

Re: Linksys VS Netgear by mann on 2008-09-09 05:38:59 +0200
I have installed 3 Netgear FVS338's and have had zero problems.

Re: Linksys VS Netgear by DistortedLoop on 2008-12-04 18:29:46 +0100
[quote author=Beavis link=1216753046/0#0 date=1216753046]I'm having problems with my linksys WRVS4400N, and have been looking into a Netgear FVS336G. Can anyone recommend one over the other while using IPSecuritas? Or any other brand or model for that matter. The Netgear seems to have some better specs.[/quote]
Did you take the plunge? Are you happy with the results? I'm actually looking at the same device to replace/supplement my WRVS4400N right now. The WRVS4400N is a temperamental beast when dealing with Mac IPSEC.
[quote author=mann link=1216753046/0#1 date=1220931539]I have installed 3 Netgear FVS338's and have had zero problems.[/quote]
Do you actually get all network services routed through the VPN when using your Netgear with IPSecuritas? I've got few problems connecting with my Linksys to access the internal network, but web and email and other protocols are not routed over the Linksys (that will be the subject of a different post, I'm just wondering if the Netgear works properly in that regard).

Wizard | Updated Choices
Wizard | Updated Choices by NeilMcG on 2008-07-23 02:48:32 +0200
Hi, after experimenting, with mixed success - I think it's time to ask for help. In the wizard, what are the appropriate choices for the FVS338 & FVG318?
Given the FVS318 is now obsolete or deleted from Netgear's product range, could the wizard choices be updated? I'm not sure of the product families for FVS318v3, FVS3128, FVS338, FVS538, etc. Thanks in advance.

Netgear FVS338
Netgear FVS338 by NeilMcG on 2008-07-23 02:51:43 +0200
Is the Netgear FVS338 - closer to the FVS318v3 or the FVS328? Is it possible to start a topic (stickie) with updates on the latest hardware available? Thanks in advance.

Re: Netgear FVS338 by blue68f100 on 2008-08-19 22:31:48 +0200
The 338 is closer to the 328 but it has a lot of features like a 538 if you're using the latest firmware. I'm here seeking help on getting my FVS338 to connect up to my MBP. I did not have time to test before I left and I could not connect.

Re: Netgear FVS338 by NeilMcG on 2008-08-30 11:32:46 +0200
I successfully got both an FVS338 & FVG318 to connect, using the latest firmware for each and the 3.2b1 IPsecuritas. I generated Connection Wizard Templates and emailed them to lobotomo.

Re: Netgear FVS338 by digitalscanner on 2008-09-23 10:40:49 +0200
hallo is it possible to send me the wizard template for the FVS338 cause it's still not included in the b2 thanx digital

Juniper Netscreen wizard hole
Juniper Netscreen wizard hole by douger on 2008-07-25 21:01:59 +0200
I am trying to set up a VPN to a Netscreen 5XT from a machine running leopard. I downloaded the instructions for Juniper Netscreen / Juniper SSG and followed them, using the two wizards (IPSecuritas and Netscreen). I fire up the connection, and it doesn't seem to connect - red light. However, I ping the server I am trying to reach and it gets there. Not sure what is going on at this point, but if it is working and the light doesn't turn green so who cares - well, probably my user who will be confused. So I quit and exit the daemon, and still can ping the server. Hmm, maybe something left on - reboot. Try and ping the server again - sure, no problem. ??? OK, something on the firewall - oh here it is. The new policy added for the VPN allows everything in! So I check the document again and there it is, the last line in the configuration from the wizard is:
set policy top from "Untrust" to "Trust" "Any" "192.168.215.0/24' Permit
This allows all traffic from the untrust port to the trust port. Bad idea. Like having no firewall at all. OK, so what I did that worked was use this document http://kb.juniper.net/kb/documents/public/ApplicationNotes/Technical/ScreenOS%204.0.0/VPN_Vaporsec.htm and adapt it to the IPSecuritas screens. I had to turn off Nat-T on the IPSecuritas side as I was using a static IP address for testing, may need to turn that back on. I did turn on Nat Traversal on the firewall. I started out to post a question about the VPN working but the red light on, but figured it out and decided to post this one as a warning. Hope it helps - Doug

IP Securitas From Mac book Pro to Fortinet 800
IP Securitas From Mac book Pro to Fortinet 800 by Yuseff on 2008-07-31 05:40:41 +0200
Hi everybody, I have an issue with a MAC Book Pro running IPSecuritas. The VPN connection to a Fortigate 800 drops in some cases every 20-30 min but in the majority of time every 5 min. I have more MACs running the IPSecuritas and they don't have this problem. Does anybody have a clue to what may be causing this problem? Thank you

Re: IP Securitas From Mac book Pro to Fortinet 800 by chris-in-sf on 2008-08-01 23:28:27 +0200
We are having a similar issue, but I'm not sure if it's a Fortigate problem or a VLAN problem on our switch. Also 2 of 3 MacBook Pros are having the issue, but mine has not shown the issue. We are using a Fortigate 300a. Our problem more specifically is the VPN connection itself doesn't seem to drop, but you get disconnected from machines on the LAN after about 30 minutes. Particularly if you are using remote desktop which most of us do. You can't ping those machines on that subnet anymore. Then you have to disconnect the VPN connection, and reconnect, and then you can get back to the LAN. The error message that IP Securitas throws up when the LAN drops is:
"Jul 28, 23:03:08 Error IKE fatal INVALID-SPI notify messsage, phase1 should be deleted.
Jul 28, 23:03:12 Error IKE fatal INVALID-SPI notify messsage, phase1 should be deleted."
etc, etc... Any ideas?

Fritzbox 3270 VPN problems
Fritzbox 3270 VPN problems by ivan on 2008-08-08 11:26:45 +0200
I have a FritzBox 3270 wlan DSL router, NAT, including a VPN gateway. I have configured it as explained here: http://www.avm.de/de/Service/Service-Portale/Service-Portal/VPN_Interoperabilitaet/box_zu_securitas.php On my internal network I have a MacMini with shares and remote screen sharing activated. I connect to the network with a Macbook with IPSecuritas configured as described above. When I connect with my Macbook to the wired network or the Wifi network at home (no VPN) I can see the Mac Mini machine and other shares. When I connect through a foreign (wifi) network with an internal IP I can access the shares of the MacMini if I do "Connect to computer" in the Finder and type the IP, but the Macbook does not see the names of the computers with shares on the local network, neither can it resolve the computername of the MacMini. If I type the computername instead of the IP, it does not get resolved. I cannot do screen sharing either as this relies on the resolution of the computername. Now I know that Macs advertise themselves on the local network with a Mac specific Bonjour protocol, and I guess that for some reason that traffic does not pass through the VPN. Does anybody have an idea how to solve this? The only computer I see in Finder with shares is "localhost" which is a loopback to my macbook I guess.
I tried to switch the use_nat_t parameter to yes, to check if this has anything to do with NAT translation, but it did not solve the problem (was a shot in the dark anyway).

Re: Fritzbox 3270 VPN problems by deltanine on 2008-09-09 00:44:37 +0200
you could try: http://www.macosxhints.com/article.php?story=20080626194901370 << create the illusion that Bonjour works over a VPN >> regards delta

Checkpoint VPN-1 connection drops all others
Checkpoint VPN-1 connection drops all others by mpdg on 2008-08-08 16:55:57 +0200
I have a work PC and Mac at home. When I connect to my work Checkpoint VPN with IPSecuritas from the mac it kills the VPN connection between the Checkpoint and my work PC (which has checkpoint's software on it). If I connect two PCs with the checkpoint software I can connect to both fine. Anyone had this issue? / knows a way around it?

was working, now is not.
was working, now is not. by eylisian on 2008-08-12 21:56:01 +0200
Hi, Have a user with OS X 10.5 and IPSecuritas 3.*. This was working until approx a month ago, and then the gateway started getting PACKET_MALFORMED messages when he'd try and connect. I figured something got munged and generated a new cert/key pair and installed them. Now the gateway throws different errors and the connection log locally states that IKE can't find certificates or keys. Any ideas? I can and will post some logs, the user had to fly the coop and I'll get him to forward them on. Thanks, Robert

Re: was working, now is not. by eylisian on 2008-08-20 23:21:37 +0200
Finally got the Connection Log from the user

IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
<snip>
Aug 20, 13:40:14 Debug IKE filename: /Library/Application Support/Lobotomo Software/IPSecuritas/certs/aab01961-75e9-40f0-9c15-2ad51224602d.cert
Aug 20, 13:40:14 Error IKE failed to get my CERT.
Aug 20, 13:40:14 Error IKE failed to get own CERT.
Aug 20, 13:40:14 Error IKE failed get my ID
Aug 20, 13:40:14 Error IKE failed to process packet.
Aug 20, 13:40:14 Error IKE phase1 negotiation failed.
Aug 20, 13:40:14 Debug IKE IV freed
Aug 20, 13:40:20 Debug IKE ===
Aug 20, 13:40:20 Debug IKE 244 bytes message received from *.*.*.*[500] to 192.168.0.18[500]
Aug 20, 13:40:20 Debug IKE 3c491ae8 5ab88c4b 7a68aaa4 28e5d263 04100200 00000000 000000f4 0a0000c4
Aug 20, 13:40:20 Debug IKE 82aa60e6 25e77bd5 b25340a0 21ae9410 e15d820d fc6c0f29 3edb2f33 6228871b
Aug 20, 13:40:20 Debug IKE 00b930be 9a74d311 64e76c6c 25230920 e2bdaee3 fadfd4cf 7f3a4925 d9d02853
Aug 20, 13:40:20 Debug IKE 2e67ebfc 9c72d332 a2512b6f 8b44ba73 f1f63591 d519ccdf 7dccc4ac d498230e
Aug 20, 13:40:20 Debug IKE 3dd7d88f f036ec63 52e894f8 2094dfa0 aeffec47 73bfb8d9 042b702c bd74a54f
Aug 20, 13:40:20 Debug IKE 5cd3f40e 0893c14e 65650fe3 2478a200 ebdca70d 75fb8bd9 a40730d8 0d5e382f
Aug 20, 13:40:20 Debug IKE 87b87354 61e09c7f 50c68257 237a0419 77f481eb 58ba7e68 c235710d 72afce34
Aug 20, 13:40:20 Debug IKE 00000014 c7deff2a acb9acf7 dc886f3b 5ec5f427
Aug 20, 13:40:20 Debug IKE malformed cookie received or the spi expired.
Aug 20, 13:40:21 Info APP Initiated connection Outside of Rulespace
Aug 20, 13:40:21 Debug IKE get pfkey ACQUIRE message
Aug 20, 13:40:21 Debug IKE 02060003 24000000 06000000 00000000 03000500 ff200000 10020000 c0a80012
Aug 20, 13:40:21 Debug IKE 00000000 00000000 03000600 ff200000 10020000 cea37bcf 00000000 00000000
Aug 20, 13:40:21 Debug IKE 1c000d00 20000000 00030000 00000000 00010008 00000000 01000000 01000000
Aug 20, 13:40:21 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000
Aug 20, 13:40:21 Debug IKE 80700000 00000000 00000000 00000000 00040000 00000000 0001c001 00000000
Aug 20, 13:40:21 Debug IKE 01000000 01000000 00000000 00000000 00000000 00000000 00000000 00000000
Aug 20, 13:40:21 Debug IKE 80510100 00000000 80700000 00000000 00000000 00000000 000c0000 00000000
Aug 20, 13:40:21 Debug IKE 00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000
Aug 20, 13:40:21 Debug IKE 00000000 00000000 80510100 00000000 80700000 00000000 00000000 00000000
Aug 20, 13:40:21 Error IKE inappropriate sadb acquire message passed.
Aug 20, 13:40:21 Debug IKE get pfkey ACQUIRE message
Aug 20, 13:40:21 Debug IKE 02060003 14000000 12000000 53000000 03000500 ff200000 10020000 c0a80012

Strange connections of Daemon
Strange connections of Daemon by abfdx279 on 2008-08-22 00:27:37 +0200
Little Snitch reports on Leopard the following inbound connections for the Daemon. IPSecuritas was not active. Could this be some kind of "spill over" from remote Skype clients trying to connect? Skype is running at the same time.
Verbindungsverlauf für: IPSecuritasDaemon (/Library/StartupItems/IPSecuritasDaemon/IPSecuritasDaemon)
Gesamt: 0 Bytes gesendet, 0.6kB empfangen
###.netcologne.de (###.###.243.214), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 170 Bytes empfangen
###.hrz.fh-zwickau.de (###.###.72.1), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 56 Bytes empfangen
###.pools.arcor-ip.net (###.###.16.47), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 77 Bytes empfangen
###.adsl.alicedsl.de (###.###.174.3), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 89 Bytes empfangen
###.zaq.ne.jp (###.###.113.26), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 91 Bytes empfangen
###.###.144.95 (###.###.144.95), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 86 Bytes empfangen
###.TU-Berlin.DE (###.###.8.19), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 56 Bytes empfangen

Second question: Someone has asked a similar question before, but how can you generally route all traffic through the VPN? Do you have to have this feature on both the client (like IPSecuritas) and the server or is that just a feature IPSecuritas could implement (or has already) on its own? Thanks to the developer! The connection works (to some degree) for an AVM Fritz!Box 7170. Though, it would be nice if you could route the websurfing through the VPN.

Re: Strange connections of Daemon by cnadig on 2008-08-24 21:55:55 +0200
Hello, this traffic looks strange indeed. IPSecuritas sends ICMP ping packets if the connection surveillance is enabled and only to the configured hosts while connected. The traffic could also be ICMP unreachable replies, but then I could not imagine why they are addressed to IPSecuritasDaemon. Would it be possible to tcpdump the traffic for further analysis (as root, run 'tcpdump -i en0 -s1500 -w ~/Desktop/traffic.pcap' for a while)? Cheers, Christoph

Re: Strange connections of Daemon by abfdx279 on 2008-08-25 17:59:35 +0200
Hi again! Just tried MacSniffer (uses tcpdump) together with Little Snitch. After closing down all other programs (including Skype), IPSecuritas' Daemon doesn't seem to get any more inbound connects. Guess I have to look further into that. But Skype will produce significant traffic when launched... In my opinion that has something to do with skype. Could someone try that on his Mac (Leopard)? (running Skype, LittleSnitch as shareware version and just the Daemon without IPSecuritas itself and without any IPSec connection). The IPs look like they are dynamic (for example Alice is a German provider) and Skype uses a decentralized system of connections...

Re: Strange connections of Daemon by abfdx279 on 2008-08-30 15:03:46 +0200
Has anyone else tested this thing? OS X Leopard - Skype - IPSecuritas - LittleSnitch (or some other monitoring software) Christoph?

route add issue
route add issue by deltanine on 2008-08-27 19:40:42 +0200
I have successfully established an IPSEC VPN connection from a MacBook Pro to a Draytek Vigor 2820 using IPSecuritas's Wizard. The remote router (net 192.168.10.0) can establish VPN connections to other networks. When using PPTP or L2TP for the same connection I was able to [code]sudo route -n add -net 192.168.30.0 192.168.10.1 255.255.255.0[/code] in order to allow applications on the MacBook to access network 192.168.30.0 via 192.168.10.1 . The same approach fails when using IPSEC with IPSecuritas. Is there a way to make this work? Thanks in advance. Delta
MacOS: 10.4.11
IPSecuritas: 3.1
Router: Draytek Vigor 2820 with Firmware 3.2.1_2111112

New 3.2 Beta version released
New 3.2 Beta version released by cnadig on 2008-08-31 10:47:36 +0200
Good morning, a new beta version has been released to replace the expiring 3.2b1. Please download it from [url]http://www.lobotomo.com/products/downloads/IPSecuritas32b2.dmg[/url]. The included Readme file contains a list of enhancements and bug fixes.
Cheers, Christoph Problem connecting to VPN with Netgear DGFV338 Problem connecting to VPN with Netgear DGFV338 by greyloki on 2008-09-02 17:41:06 +0200 Hey folks, I'm trying to set up a roadwarrior VPN using a Mac laptop connecting to a Netgear DGFV338. I've found a tutorial that I followed (I can't remember the link for it, but the first page shows it's for IPSecuritas 3.x by Lobotomo Software and a Netgear DGFV338, written Oct 15th 2007), but i'm having trouble in connecting - all of the settings in both IPSecuritas and the Netgear appear to be correct, but my log seems to say otherwise, and I get a yellow dot next to my connection's name, too. Here's the log: http://pastebin.com/m4a12da21 Any help would be greatly appreciated :) Edit: The tutorial talks about matching 'local' and 'remote' IKE policy identifiers - on the router, i have the remote identifier set as remote_roadwarrior, since this is theoretically the laptop, and the local identifier is esw_office.com. In IPSecuritas, I have these reversed - local is remote_roadwarrior, and remote is esw_office.com - is that correct? Problem installing IPSecuritas Problem installing IPSecuritas by marconcini on 2008-09-03 00:14:33 +0200 hi all, I'm new to the Mac world and am having trouble loading the IPSecuritas software. I get an error message saying that i am trying to load to a read only file system. I am trying to instal to the applications folder so I don't understand. I'm frustrated :-[ Nortel VPN Nortel VPN by rambling_rebel on 2008-09-05 04:08:39 +0200 just downloaded this vpn software.....I'm trying to get MAC's into my customer base instead of MS based stuff. I have this customer and 4 more behind him all wanting MACS and VPN's. I Favour Nortel VPN's and need to get this working on a contivity. 
I have the s/w loaded and it says it's working (IPSEC service started) but I don't ever see it on the contivity trying to connect, and I can't seem to get my head around where to begin to figure out where to look for solving this problem, any suggestions....

Re: Nortel VPN by rambling_rebel on 2008-09-05 04:23:32 +0200
ok, I'm a knucklehead, I found the user guide.....I'll read through it, but if anyone has info that could help me, it would be appreciated...

Can't Connect to SonicWall Pro
Can't Connect to SonicWall Pro by Philodox on 2008-09-09 03:15:03 +0200
Hi all, I'm trying to set up IPSecuritas to give me access to a SonicWall Pro vpn network. I can't connect and unfortunately the logs are rather cryptic so I'm not sure where to look. I'm running this on the latest rev Macbook Pro.
[quote]
IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig
Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386
Sep 08, 17:59:39 Info APP IPSec authenticating
Sep 08, 17:59:39 Info APP IKE daemon started
Sep 08, 17:59:39 Info APP IPSec started
Sep 08, 17:59:39 Error IKE Foreground mode.
Sep 08, 17:59:39 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Sep 08, 17:59:39 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Sep 08, 17:59:39 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Sep 08, 17:59:39 Info IKE Resize address pool from 0 to 255
Sep 08, 17:59:39 Info APP Initiated connection tre
Sep 08, 17:59:39 Error IKE inappropriate sadb acquire message passed.
Sep 08, 17:59:39 Error IKE delete phase1 handle.
Sep 08, 17:59:44 Error IKE delete phase1 handle.
Sep 08, 17:59:46 Info APP Initiated connection tre
Sep 08, 17:59:49 Error IKE delete phase1 handle.
Sep 08, 17:59:53 Info APP Initiated connection tre
Sep 08, 17:59:54 Error IKE delete phase1 handle.
Sep 08, 17:59:55 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500]
Sep 08, 17:59:59 Error IKE delete phase1 handle.
Sep 08, 18:00:00 Info APP Initiated connection tre
Sep 08, 18:00:00 Error IKE inappropriate sadb acquire message passed.
Sep 08, 18:00:02 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500]
Sep 08, 18:00:04 Error IKE delete phase1 handle.
Sep 08, 18:00:07 Info APP Initiated connection tre
Sep 08, 18:00:09 Error IKE phase1 negotiation failed due to time up. 3dfec7ca41ce9d94:0000000000000000
Sep 08, 18:00:09 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500]
Sep 08, 18:00:12 Warning APP Connection tre timed out
Sep 08, 18:00:12 Warning APP Giving up
Sep 08, 18:00:16 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500]
Sep 08, 18:00:23 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500]
[/quote]
[quote]
# Racoon configuration created by IPSecuritas
log notify;
path pre_shared_key "/Library/Application Support/Lobotomo Software/IPSecuritas/psk.txt";
path certificate "/Library/Application Support/Lobotomo Software/IPSecuritas/certs";
padding {
	maximum_length 20;
[/quote]

Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-10 08:18:02 +0200
Edit: I've got a little bit farther, I had my DH group set incorrectly for phase 1.
My current log looks like:
[quote]
IPSecuritas 3.2b2 build 2391, So 31 Aug 2008 10:13:21 CEST, nadig
Darwin 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386
Sep 10, 00:02:16 Info APP IPSec authenticating
Sep 10, 00:02:16 Info APP Connection tre is started
Sep 10, 00:02:16 Info APP IKE daemon started
Sep 10, 00:02:16 Info APP IPSec started
Sep 10, 00:02:16 Info APP Initiated connection tre
Sep 10, 00:02:16 Error IKE Foreground mode.
Sep 10, 00:02:16 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Sep 10, 00:02:16 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Sep 10, 00:02:16 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Sep 10, 00:02:16 Info IKE Resize address pool from 0 to 255
Sep 10, 00:02:23 Info APP Initiated connection tre
Sep 10, 00:02:23 Error IKE ISAKMP mode config exchange with immature phase 1
Sep 10, 00:02:28 Error IKE the length in the isakmp header is too big.
Sep 10, 00:02:30 Info APP Initiated connection tre
Sep 10, 00:02:33 Error IKE the length in the isakmp header is too big.
Sep 10, 00:02:37 Info APP Initiated connection tre
Sep 10, 00:02:38 Error IKE the length in the isakmp header is too big.
Sep 10, 00:02:39 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [remote][4500]->192.168.1.2[4500]
Sep 10, 00:02:43 Error IKE the length in the isakmp header is too big.
Sep 10, 00:02:44 Info APP Initiated connection tre
Sep 10, 00:02:46 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [remote][4500]->192.168.1.2[4500]
Sep 10, 00:02:48 Error IKE the length in the isakmp header is too big.
Sep 10, 00:02:49 Warning APP Connection tre timed out
Sep 10, 00:02:49 Warning APP Giving up
Sep 10, 00:02:53 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [remote][4500]->192.168.1.2[4500]
[/quote]
I'm using XAuth PSK.
If I turn off XAuth PSK I get this log, does anybody know which one is "better"?
[quote]
IPSecuritas 3.2b2 build 2391, So 31 Aug 2008 10:13:21 CEST, nadig
Darwin 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386
Sep 10, 00:05:02 Info APP IPSec restarting
Sep 10, 00:05:03 Info APP IKE daemon terminated
Sep 10, 00:05:03 Info APP IPSec restarting
Sep 10, 00:05:03 Info APP Connection tre is started
Sep 10, 00:05:03 Info APP IKE daemon started
Sep 10, 00:05:03 Info APP IPSec started
Sep 10, 00:05:03 Error IKE Foreground mode.
Sep 10, 00:05:03 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Sep 10, 00:05:03 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Sep 10, 00:05:03 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Sep 10, 00:05:03 Info IKE Resize address pool from 0 to 255
[/quote]

Re: Can't Connect to SonicWall Pro by cnadig on 2008-09-11 18:01:58 +0200
Hello, I'd try normal PSK first since XAuth isn't strictly standardized and there are many vendor-specific implementations around. In main mode, identification is usually only possible by IP address (you set it to FQDN) and may or may not work for road warriors depending on the implementation of your firewall firmware. For road warriors, aggressive mode is usually the better way, especially if there is more than one user. Please set the log level to Debug to get more detailed information.
Hope this helps, Christoph

Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-13 03:48:08 +0200
Thanks :) I changed it to address but I'm still getting the same errors. How do I set the log level to debug? I tried doing it through System Preferences/Network but that doesn't seem to have done anything.
My current config:
[quote]
# Racoon configuration created by IPSecuritas
log notify;
path pre_shared_key "/Library/Application Support/Lobotomo Software/IPSecuritas/psk.txt";
path certificate "/Library/Application Support/Lobotomo Software/IPSecuritas/certs";
padding {
	maximum_length 20;
	randomize on;
	strict_check off;
	exclusive_tail on;
}
timer {
	counter 5;
	interval 5 seconds;
	persend 1;
	phase1 15 seconds;
	phase2 15 seconds;
}
# Connection "tre"
remote x.x.x.x {
	verify_cert off;
	verify_identifier off;
	initial_contact on;
	passive off;
	support_proxy off;
	generate_policy off;
	verify_cert off;
	send_cert on;
	send_cr on;
	mode_cfg off;
	ike_frag on;
	doi ipsec_doi;
	situation identity_only;
	nat_traversal on;
	exchange_mode main;
	proposal_check obey;
	nonce_size 16;
	my_identifier address;
	peers_identifier address;
	proposal {
		lifetime time 1800 seconds;
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
[/quote]

Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:20:44 +0200
Found the debug log option, it was under preferences :-[ Anyways here's the debug log
[quote]
IPSecuritas 3.2b2 build 2391, So 31 Aug 2008 10:13:21 CEST, nadig
Darwin 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386
Sep 14, 16:14:21 Debug APP All connections authenticated
Sep 14, 16:14:21 Debug APP State change from IDLE to AUTHENTICATING after event START
Sep 14, 16:14:21 Info APP IPSec authenticating
Sep 14, 16:14:21 Info APP Connection tre is started
Sep 14, 16:14:21 Info APP IKE daemon started
Sep 14, 16:14:21 Debug APP State change from AUTHENTICATING to RUNNING after event AUTHENTICATED
Sep 14, 16:14:21 Info APP IPSec started
Sep 14, 16:14:21 Debug APP Received SADB message type X_SPDUPDATE not interesting
Sep 14, 16:14:21 Debug APP Received SADB message type X_SPDUPDATE not interesting
Sep 14, 16:14:21 Info IKE Foreground mode.
Sep 14, 16:14:21 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net)
Sep 14, 16:14:21 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/)
Sep 14, 16:14:21 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf"
Sep 14, 16:14:21 Info IKE Resize address pool from 0 to 255
Sep 14, 16:14:21 Debug IKE lifetime = 1800
Sep 14, 16:14:21 Debug IKE lifebyte = 0
Sep 14, 16:14:21 Debug IKE encklen=0
Sep 14, 16:14:21 Debug IKE p:1 t:1
Sep 14, 16:14:21 Debug IKE 3DES-CBC(5)
Sep 14, 16:14:21 Debug IKE SHA(2)
Sep 14, 16:14:21 Debug IKE 1024-bit MODP group(2)
Sep 14, 16:14:21 Debug IKE pre-shared key(1)
Sep 14, 16:14:21 Debug IKE compression algorithm can not be checked because sadb message doesn't support it.
Sep 14, 16:14:21 Debug IKE parse successed.
Sep 14, 16:14:21 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management.
Sep 14, 16:14:21 Info IKE 192.168.1.2[4500] used as isakmp port (fd=6)
Sep 14, 16:14:21 Info IKE 192.168.1.2[500] used as isakmp port (fd=7)
Sep 14, 16:14:21 Debug IKE get pfkey X_SPDDUMP message
Sep 14, 16:14:21 Debug IKE get pfkey X_SPDDUMP message
[/quote]

Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:22:24 +0200
[quote]
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 20, next type 13
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 0
Sep 14, 16:14:21 Debug IKE 344 bytes from 192.168.1.2[500] to x.x.x.x[500]
Sep 14, 16:14:21 Debug IKE sockname 192.168.1.2[500]
Sep 14, 16:14:21 Debug IKE send packet from 192.168.1.2[500]
Sep 14, 16:14:21 Debug IKE send packet to x.x.x.x[500]
Sep 14, 16:14:21 Debug IKE 1 times of 344 bytes message will be sent to x.x.x.x[500]
Sep 14, 16:14:21 Debug IKE resend phase1 packet 5dd654cdbfed7735:0000000000000000
Sep 14, 16:14:21 Debug IKE ===
Sep 14, 16:14:21 Debug IKE 112 bytes message received from x.x.x.x[500] to 192.168.1.2[500]
Sep 14, 16:14:21 Debug IKE begin.
Sep 14, 16:14:21 Debug IKE seen nptype=1(sa)
Sep 14, 16:14:21 Debug IKE seen nptype=13(vid)
Sep 14, 16:14:21 Debug IKE seen nptype=13(vid)
Sep 14, 16:14:21 Debug IKE succeed.
Sep 14, 16:14:21 Debug IKE received unknown Vendor ID
Sep 14, 16:14:21 Debug IKE 5b362bc8 20f60006
Sep 14, 16:14:21 Info IKE received Vendor ID: RFC 3947
[/quote]

Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:23:29 +0200
[quote]
Sep 14, 16:14:21 Debug IKE (lifebyte = 0:0)
Sep 14, 16:14:21 Debug IKE enctype = 3DES-CBC:3DES-CBC
Sep 14, 16:14:21 Debug IKE (encklen = 0:0)
Sep 14, 16:14:21 Debug IKE hashtype = SHA:SHA
Sep 14, 16:14:21 Debug IKE authmethod = pre-shared key:pre-shared key
Sep 14, 16:14:21 Debug IKE dh_group = 1024-bit MODP group:1024-bit MODP group
Sep 14, 16:14:21 Debug IKE an acceptable proposal found.
Sep 14, 16:14:21 Debug IKE hmac(modp1024)
Sep 14, 16:14:21 Debug IKE agreed on pre-shared key auth.
Sep 14, 16:14:21 Debug IKE ===
Sep 14, 16:14:21 Debug IKE compute DH's private.
Sep 14, 16:14:21 Debug IKE compute DH's public.
Sep 14, 16:14:21 Info IKE Hashing x.x.x.x[500] with algo #2
Sep 14, 16:14:21 Debug IKE hash(sha1)
Sep 14, 16:14:21 Info IKE Hashing 192.168.1.2[500] with algo #2
Sep 14, 16:14:21 Debug IKE hash(sha1)
Sep 14, 16:14:21 Info IKE Adding remote and local NAT-D payloads.
Sep 14, 16:14:21 Debug IKE add payload of len 128, next type 10
Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 20
Sep 14, 16:14:21 Debug IKE add payload of len 20, next type 20
Sep 14, 16:14:21 Debug IKE add payload of len 20, next type 0
Sep 14, 16:14:21 Debug IKE 228 bytes from 192.168.1.2[500] to x.x.x.x[500]
Sep 14, 16:14:21 Debug IKE sockname 192.168.1.2[500]
Sep 14, 16:14:21 Debug IKE send packet from 192.168.1.2[500]
Sep 14, 16:14:21 Debug IKE send packet to x.x.x.x[500]
Sep 14, 16:14:21 Debug IKE 1 times of 228 bytes message will be sent to x.x.x.x[500]
Sep 14, 16:14:21 Debug IKE resend phase1 packet
[/quote]

Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:24:11 +0200
[quote]
Sep 14, 16:14:21 Info IKE KA list add: 192.168.1.2[4500]->x.x.x.x[4500]
Sep 14, 16:14:21 Debug IKE ===
Sep 14, 16:14:21 Debug IKE compute DH's shared.
Sep 14, 16:14:21 Debug IKE the psk found.
Sep 14, 16:14:21 Debug IKE psk: 2008-09-14 16:14:21: DEBUG2:
Sep 14, 16:14:21 Debug IKE nonce 1: 2008-09-14 16:14:21: DEBUG:
Sep 14, 16:14:21 Debug IKE nonce 2: 2008-09-14 16:14:21: DEBUG:
Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1)
Sep 14, 16:14:21 Debug IKE SKEYID computed:
Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1)
Sep 14, 16:14:21 Debug IKE SKEYID_d computed:
Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1)
Sep 14, 16:14:21 Debug IKE SKEYID_a computed:
Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1)
Sep 14, 16:14:21 Debug IKE SKEYID_e computed:
Sep 14, 16:14:21 Debug IKE encryption(3des)
Sep 14, 16:14:21 Debug IKE hash(sha1)
Sep 14, 16:14:21 Debug IKE len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...)
Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1)
Sep 14, 16:14:21 Debug IKE compute intermediate encryption key K1
Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1)
Sep 14, 16:14:21 Debug IKE compute intermediate encryption key K2
Sep 14, 16:14:21 Debug IKE final encryption key computed:
Sep 14, 16:14:21 Debug IKE hash(sha1)
Sep 14, 16:14:21 Debug IKE encryption(3des)
Sep 14, 16:14:21 Debug IKE IV computed:
Sep 14, 16:14:21 Debug IKE 76b4a289 4d986ea9
Sep 14, 16:14:21 Debug IKE use ID type of IPv4_address
Sep 14, 16:14:21 Debug IKE HASH with:
[/quote]

Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:25:13 +0200
[quote]
Sep 14, 16:14:21 Debug IKE 1 times of 72 bytes message will be sent to x.x.x.x[4500]
Sep 14, 16:14:21 Debug IKE resend phase1 packet 5dd654cdbfed7735:59ae89f0711e7f3e
Sep 14, 16:14:21 Debug IKE ===
Sep 14, 16:14:21 Debug IKE 76 bytes message received from x.x.x.x[4500] to 192.168.1.2[4500]
Sep 14, 16:14:21 Debug IKE begin decryption.
Sep 14, 16:14:21 Debug IKE encryption(3des)
Sep 14, 16:14:21 Debug IKE IV was saved for next processing:
Sep 14, 16:14:21 Debug IKE 2f789bdc e9b130ad
Sep 14, 16:14:21 Debug IKE encryption(3des)
Sep 14, 16:14:21 Debug IKE with key:
Sep 14, 16:14:21 Debug IKE decrypted payload by IV:
Sep 14, 16:14:21 Debug IKE 3e0f94ab 847c7586
Sep 14, 16:14:21 Debug IKE decrypted payload, but not trimed.
Sep 14, 16:14:21 Debug IKE padding len=4
Sep 14, 16:14:21 Debug IKE skip to trim padding.
Sep 14, 16:14:21 Debug IKE decrypted.
Sep 14, 16:14:21 Debug IKE begin.
Sep 14, 16:14:21 Debug IKE seen nptype=5(id)
Sep 14, 16:14:21 Debug IKE seen nptype=8(hash)
Sep 14, 16:14:21 Debug IKE succeed.
Sep 14, 16:14:21 Error IKE Expecting IP address type in main mode, but FQDN.
Sep 14, 16:14:21 Error IKE invalid ID payload.
Sep 14, 16:14:26 Debug IKE Adding NON-ESP marker
Sep 14, 16:14:26 Debug IKE 72 bytes from 192.168.1.2[4500] to x.x.x.x[4500]
Sep 14, 16:14:26 Debug IKE sockname 192.168.1.2[4500]
Sep 14, 16:14:26 Debug IKE send packet from 192.168.1.2[4500]
Sep 14, 16:14:26 Debug IKE send packet to x.x.x.x[4500]
Sep 14, 16:14:26 Debug IKE 1 times of 72 bytes message will be sent to x.x.x.x[4500]
Sep 14, 16:14:26 Debug IKE resend phase1 packet 5dd654cdbfed7735:59ae89f0711e7f3e
[/quote]

Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:25:55 +0200
[quote]
Sep 14, 16:14:28 Debug IKE get pfkey ACQUIRE message
Sep 14, 16:14:28 Debug IKE suitable outbound SP found: 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out.
Sep 14, 16:14:28 Debug IKE sub:0xbffff67c: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in
Sep 14, 16:14:28 Debug IKE db :0x108b78: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in
Sep 14, 16:14:28 Debug IKE suitable inbound SP found: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in.
Sep 14, 16:14:28 Debug IKE new acquire 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out
Sep 14, 16:14:28 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=14:13)
Sep 14, 16:14:28 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-sha)
Sep 14, 16:14:28 Debug IKE in post_acquire
Sep 14, 16:14:28 Debug IKE configuration found for x.x.x.x.
Sep 14, 16:14:28 Info IKE request for establishing IPsec-SA was queued due to no phase1 found.
Sep 14, 16:14:31 Debug IKE Adding NON-ESP marker
Sep 14, 16:14:31 Debug IKE 72 bytes from 192.168.1.2[4500] to x.x.x.x[4500]
Sep 14, 16:14:31 Debug IKE sockname 192.168.1.2[4500]
Sep 14, 16:14:31 Debug IKE send packet from 192.168.1.2[4500]
Sep 14, 16:14:31 Debug IKE send packet to x.x.x.x[4500]
Sep 14, 16:14:31 Debug IKE 1 times of 72 bytes message will be sent to x.x.x.x[4500]
Sep 14, 16:14:31 Debug IKE resend phase1 packet
[/quote]

Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:26:33 +0200
[quote]
Sep 14, 16:14:35 Debug IKE suitable outbound SP found: 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out.
Sep 14, 16:14:35 Debug IKE sub:0xbffff67c: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in
Sep 14, 16:14:35 Debug IKE db :0x108b78: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in
Sep 14, 16:14:35 Debug IKE suitable inbound SP found: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in.
Sep 14,