October 30, 2017 | Author: Anonymous | Category: N/A
have you imported the two files as 'own certificate' and does the certificate . Specs of the Sonicwall will be added a&n...
Checkpoint NG Feature Pack 4 Checkpoint NG Feature Pack 4 by Jim Kelly on 2004-03-24 14:20:30 +0100
Are there any configuration instructions for use of IP Securitas with Checkpoint NG FP 4?
Re: Checkpoint NG Feature Pack 4 by Mitch on 2004-03-26 15:28:37 +0100
Hi Jim, Don't have an answer for you yet. Just downloaded the software at work today and will take home and try it out tonight or tomorrow. I had limited success with VPN Tracker and Checkpoint and saved screen shots of my settings in that. I'll try configuring IPSecuritas with those and pass on the info to you. Checkpoint is a real pain in the a** when it comes to working through third-party software, which I wouldn't even bother if they had a Mac version. Stuck with Checkpoint, however, since my office uses it. As long as IPSecuritas can import my .p12 file, I should be able to do it. I've had to use VirtualPC, a no-legged dog when it comes to speed with the Windows version of Checkpoint installed on that.
Re: Checkpoint NG Feature Pack 4 by cnadig on 2004-03-26 17:15:56 +0100
Hello, Have a look at the HOWTO section in the online help. There are some instructions how to configure IPsecuritas for a Checkpoint firewall, some settings might differ, depending of the Checkpoint setting. Since IPSecuritas can't (yet) import PKCS#12, check out the section that describes how to convert them into files in PEM format to import the certificates.
Re: Checkpoint NG Feature Pack 4 by Mitch on 2004-04-11 13:14:21 +0200
I modified my p12 cert the way described in help file and imported into ipsecuritas, but the program still doesn't recognize the pem file when setting up the ID section. It says that there are no certs available. What am I doing wrong?
Re: Checkpoint NG Feature Pack 4 by cnadig on 2004-04-14 07:58:55 +0200
Hello Jim, have you imported the two files as 'own certificate' and does the certificate show up in the certifictates manager window (with the rows private saying yes and CA saying no)? Christoph
Re: Checkpoint NG Feature Pack 4 by Mitch on 2004-04-15 19:39:27 +0200
Still having problems. Importing as own certificate leaves the private column "no" and the ca column "no".
fAntivirus and Firewall by fmorchid on 2004-05-21 12:30:03 +0200
hello, is it possible to install a symantec antivirus with the checkpoint firewall? thnak you
Re: Checkpoint NG Feature Pack 4 by sandra maury on 2004-11-12 13:10:57 +0100
I have same problem. can you have solution ? Thank you very much. Sandra
[quote author=Mitch link=1080134430/0#5 date=1082050767]Still having problems. Importing as own certificate leaves the private column "no" and the ca column "no".[/quote]
NAT-T Support? NAT-T Support? by petro on 2004-03-28 18:50:05 +0200
Does anyone know where implementing NAT-T in the core MacOS IPsec implementation stands? Unfortunately, KAME's web site isn't the easiest to figure this stuff out on. Is apple using the straight KAME implementation? Thanks, -pete
Re: NAT-T Support? by cnadig on 2004-04-14 08:12:18 +0200
Hello Petro, there is NAT-T support in racoon in 10.3 - as for the necessary kernel support I don't know yet. I'm in contact with a few people to get some experience with NAT-T and will keep you updated on any progress! Christoph
Re: NAT-T Support? by NetWhiz on 2004-05-28 18:11:42 +0200
Any further knowledge on this? Testing over a wireless dial-up b/c of a lack of NAT-T support in the Mac OS X kernel really sucks. UPDATE: Just saw teh new client, so tried it and it works wonderfully! Now, is there any way you could post the racoon.conf file (or its location) so that we might see what is being set? I would love to be able to get the built-in L2TP/IPSec client working with NAT-T if at all possible! At least I could test plain IPSec on a NAT'd connection now. Back to dialup for the L2TP support though ... :( Thanks, NetWhiz
Re: NAT-T Support? by cnadig on 2004-06-08 22:54:39 +0200
Hello, IPSecuritas writes its racoon.conf to /tmp/ipsecuritas.conf - only root can read it. Could you elaborate a bit more on your tests with NAT-T? Thanks, Christoph
Re: NAT-T Support? by AaronA1975 on 2004-10-08 04:40:44 +0200
Any news as to whether NAT-T will be available in an upcoming release of IPSecuritas?
error malformed cookie received... error malformed cookie received... by Viny on 2004-03-29 05:15:04 +0200
I use IPSecuritas 1.0.3 on OS X 10.3.3 to a FW-1 NG AI R54 without problem. When using IPSecuritas 2.0, I have this error: Mar 28 22:06:41 xxxx racoon: DEBUG: isakmp.c:519:isakmp_main(): malformed cookie received or the initiator's cookies collide. I don't have error on the firewall. When I come back with 1.0.3, it's OK. And I have deleted 1.0.3 settings before reconfiguring 2.0 without success. Somebody can help me ? Thanks.
Re: error malformed cookie received... by cnadig on 2004-03-30 06:38:48 +0200
Helloy Viny, probably the other end sends a notification, probably to indicate an unexpected situation. This is often done without the remote cookie and therefore you get the error message. The key exchange would probably be aborted anyway. Could you post just the last line before the malformed cookie message, i.e: Mar 24 05:21:01 g4 racoon: DEBUG: plog.c:199:plogdump(): 8fefe5e8 ac9d2d2c 00000000 00000000 0b100500 00000000 00000028 0000000c 00000001 0100001d That would allow to determine the content of the notification and the reason, why it was send (unsupported exchange type in the example above). Christoph
Re: error malformed cookie received... by Viny on 2004-03-30 12:24:34 +0200
Hello Christoph, This is the line: Mar 30 05:18:11 xxxx racoon: DEBUG: plog.c:199:plogdump(): 65dd6250 681660e4 00000000 00000000 0b100500 4ef00f34 00000028 0000000c 00000000 01000012 Thanks
Re: error malformed cookie received... by cnadig on 2004-03-30 23:05:14 +0200
Hello Viny, from the log and your error description I assume you're using a DN as your local identification. IPSecuritas 1.0.3 always treated them as a username with fully qualified distinguished name (a USER_FQDN), which seems to be fine with a number of firewalls/routers. Version 2.0 now makes a strict distinction between a USER_FQDN (normally in the form user@dn) and a FQDN (without the user part and the @). It seems that certain firewalls (including Checkpoint) only accept a USER_FQDN, regardless of the actual value. With 2.0.2 (get it at http://www.lobotomo.com/products/downloads /IPSecuritas202.dmg) you can now force IPSecuritas to use USER_FQDN. Just put a @ sign in front of the username (instead of 'user' enter '@user' into the DN field for your local identifier). It should then work again for you! I'll release an official update that resolves a few more of these smaller issues (also in the documentation) in a few weeks. Christoph
Re: error malformed cookie received... by Viny on 2004-03-31 06:37:44 +0200
Perfect ! It's work ! Thanks ! Viny
Re: error malformed cookie received... by Jeff on 2004-05-15 18:46:23 +0200
I'm getting the same "malformed cookie" error, also with VPN-1. Here is the line before in the log: May 15 12:25:59 Jeffs-Computer racoon: DEBUG: plog.c:199:plogdump(): 3ceb1670 26c898de 00000000 00000000 0b100500 00000000 00000028 0000000c 00000000 0100001d Can you help? Thanks!
IPSecuritas Sonicwall IPSecuritas Sonicwall by Guy van der Kolk on 2004-03-30 11:23:04 +0200
Goodmorning/afternoon/evening ;) I haven an issue with the interoperability between IPSecuritas and a Sonicwall. Specs of the Sonicwall will be added as soon as I get them. We have a succesfull setup using VPNTracker. Off-course, as we are ever aware of the costs, a free/donation program is better, and IPSecuritas looks good. I have set up the connectionsettings just as they are in the Working VPN-Tracker setup. Racoon starts up like a charm, but I do not get past: [i]racoon: ERROR: oakley.c:2053:oakley_skeyid(): couldn't find the pskey[/i] Having tried almost every possible combination (luckily, there aren't that many in the Phase 1 setup) I am at a loss. As a final note: VPN-Trackers log ALSO says it can't find a PSKey, but VPN-Tracker somehow continues and sets a working connection anyway.
Re: IPSecuritas Sonicwall by cnadig on 2004-03-30 11:32:16 +0200
Hello, there are two possibilities that should resolve the issue: 1. Deselect the 'Verify Identity' option in Options tab 2. Set the remote identifier to 'DN' and enter the numerical IP address of the IPSec router into the text field (which of course is only possible if it has a static address). I'm not sure whether racoon (the MacOS X IKE daemon) or the firewall is at fault here - but it rather seems to be in racoon as I has similar reports with different VPN routers. Christoph
Re: IPSecuritas Sonicwall by Guy van der Kolk on 2004-03-30 12:20:56 +0200
Thank you very much! The "Verify Identifier" option did the trick. It now gives the same message as VPN-Tracker, but builds a working connection anyway! We'll be looking at a donation very soon. :)
Re: IPSecuritas Sonicwall by viparre on 2004-04-14 18:37:21 +0200
Hello, I am trying to use a SonicWall too, but with no success :-( - Should I use a separate SA in the SonicWall, or I must use the GroupVPN? - May I use a dynamic IP address when I connect to the SonicWall? - I created a new SA with the following options: * Remote IP address 0.0.0.0 * Aggressive Mode * Group 2 * esp des hmac md5 * dest network: 192.168.10.1/32 - On the Ip Securitas side: * Host To Network * The remote network * a local address 192.168.10.1 * Exchange Mode: Aggressive * Proposal Check: Obey / 16 * Ph 1: Grp 2, DES, MD5 * Ph 2: Grp 1, DES, HMAC MD5 * ID Auth Address, Address * Options: IPSec DOi, SIT_IDE.., Initial Conact, Generate Policy, MIP6 The negotiation starts but the Sonicwall says that the ipsec proposal doesn't match (Phase 1). Unfortunately, I can' find a basic working example to start a trial. Thanks for the help, Vito Parisi
Re: IPSecuritas Sonicwall by David Barnhart on 2004-04-21 18:10:22 +0200
I have just spent a few weeks getting IPSecuritas 2.0 to connect to a Sonic Wall. There are a couple of things you should note. 1. You can use either the GroupVPN or a separate SA. I finally just had the IT guy set me up a separate SA as that made it easier to have a different home network than the one used by the people coming in through the GroupVPN. 2. Setting up IPSecuritas in the network-to-network mode makes the configuration job easier. Just use the network that you local address resides in as the local network. Host to network should work as well, but it does some things differently that were causing me some problems. 3. Make sure that the SonicWall has a route to your home network address/network. This also applies to any routers on the network you are trying to tunnel to. Now, with regard to getting the tunnel established in the first place before worrying about routing, I used a couple of different parameters than you mention. Proposal check: Claim 16 Phase 1: 3DES, SHA1 Phase 1 DH Group: Group 1 Phase 2: ESP 3DES HMAC SHA1 Phase 2 PFS Group: Group 1 As mentioned in one of the messages in this thread, turn off the Verify Identifier option. With all of the above set, I was able to establish a tunnel to our SonicWall, even across a home router (which has IP-Sec passthrough turned on). Obviously, you will have to check that the options match on both sides. Hope this info helps.
Re: IPSecuritas Sonicwall by JIMBOB on 2004-04-23 11:44:32 +0200
I've tried to connect to a sonic wall SOHO3 and cannot seem to manage. it seems to nearly get there, this is the last lines from debug Apr 23 10:20:06 xxxxxx racoon: DEBUG: isakmp.c:1374:isakmp_parsewoh(): succeed. Apr 23 10:20:06 xxxxxx racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Apr 23 10:20:06 xxxxxx racoon: DEBUG: isakmp_inf.c:870:isakmp_info_recv_n(): notification message 14:NOPROPOSAL-CHOSEN, doi=1 proto_id=3 spi=0b0b7bf9(size=4). Apr 23 10:20:06 xxxxxx racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Apr 23 10:20:16 xxxxxx racoon: ERROR: pfkey.c:745:pfkey_timeover(): xx.xx.xx.xx give up to get IPsec-SA due to time up to wait. Apr 23 10:20:16 xxxxxx racoon: ERROR: pfkey.c:745:pfkey_timeover(): xx.xx.xx.xx give up to get IPsec-SA due to time up to wait. Apr 23 10:20:16 xxxxxx racoon: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted. any ideas greatfully received using host to network, Ph1 group 1 des md5, Ph2 group 1 des md5 preshared secret and verify identifier off. os 10.3.3, cable modem, dyn IP (though quite static), local network by airport, port mapping 500 and 4500, local ip 10.0.1.2. J/ :P
Re: IPSecuritas Sonicwall by JIMBOB on 2004-04-23 18:41:57 +0200
Hello again, This is the corrisponding sonic wall log. I'll have a play soon, but any magic ideas welome. 04/23/2004 10:18:20.848 IKE Responder: ESP Perfect Forward Secrecy mismatch xx.xx.xx.xx, xx.xx.xx.xx 04/23/2004 10:18:20.704 IKE Responder: Received Quick Mode Request (Phase 2) xx.xx.xx.xx, xx.xx.xx.xx 04/23/2004 10:18:01.592 IKE Responder: IPSec proposal does not match (Phase 2) xx.xx.xx.xx, xx.xx.xx.xx 10.0.1.2/32 -> 193.112.230.3/24 04/23/2004 10:18:01.592 IKE Responder: ESP Perfect Forward Secrecy mismatch xx.xx.xx.xx, xx.xx.xx.xx 04/23/2004 10:18:01.512 IKE Responder: Received Quick Mode Request (Phase 2) xx.xx.xx.xx, xx.xx.xx.xx 04/23/2004 10:18:00.464 IKE Responder: Aggressive Mode complete (Phase 1) xx.xx.xx.xx, xx.xx.xx.xx DES MD5 Group 1 lifeSeconds=3600 04/23/2004 10:18:00.320 NAT Discovery : Peer IPSec Security Gateway doesn't support VPN NAT Traversal xx.xx.xx.xx, xx.xx.xx.xx thanks.
Re: IPSecuritas Sonicwall by JIMBOB on 2004-04-27 15:34:35 +0200
Well sorted that one easy enough, The sonic wall doesn't support phase 2 DH, so set this to null on sucuritas. ;)
Re: IPSecuritas Sonicwall by Doug Fodeman on 2004-04-28 00:37:17 +0200
Like many others I'm looking for a low cost alternative to VPN Tracker. We have a SonicWall Pro 230 and have turned on VPN services. A PC is able to get in just fine but I haven't been able to tunnel in with my OSX Mac. Below is the log file. Here are the stats: Host to Network operation Phase1: DH Group1, 3DES, SHA1 Phase2: PFS Group2, DES, 3DES, HMAC, SHA1 ID/Authentication: Local is set to address while remote identifier uses the identifying key in the Sonicwall. Preshared secret is entered correctly. Options: Verify Identifier is turned off. Turned on are IPSec_DOI, SIT_Identity, Initial Contact, Generate Policy, MIP6, Establish IKE Immediately. Log reads: Apr 27 18:17:28 Computer IPSecuritas: Racoon is running Apr 27 18:17:28 Computer IPSecuritas: Set kernel keys Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:1357:isakmp_open(): 192.168.xxx.xxx[500] used as isakmp port (fd=6) Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:1357:isakmp_open(): 192.168.xxx.xxx[500] used as isakmp port (fd=6) Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for xxx.xxx.xxx.xx queued due to no phase1 found. Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for xxx.xxx.xxx.xx queued due to no phase1 found. Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.xxx.xxx[500]xxx.xxx.xxx.xx[500] Apr 27 18:17:28 Douglas-Fodemans-Computer racoon: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.168.xxx.xxx[500]xxx.xxx.xxx.xx[500] Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Aggressive mode. Apr 27 18:17:28 Computer racoon: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Aggressive mode. Any thoughts or suggestions?? Doug
Re: IPSecuritas Sonicwall by Brian Godden on 2004-08-17 21:30:02 +0200
Hi, I have another case of trying to get IPSecuritas connected to a Sonicwall. The settings are pretty standard for both, os it's likely just my ignorance of what each side requires, hopefully, it's something very obvious. I'm going to list specs, settings and results below, any suggestions on changing the settings for the client or SA would be greatly appreciated! Firewall: SonicWall Pro-VX -------------------------------VPN Summary(these feature are enabled): Enable VPN Enable IKE Dead Peer Detection Dead Peer Detection Interval (seconds): 60 Failure Trigger Level (missed heartbeats): 3 Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP Address SA: GroupVPN IPSec Keying Mode: IKE using pre-shared secret Security Policy: Phase 1 DH Group: Group 1 SA Life time (secs): 28800 Phase 1 Encryption/Authentication: DES & MD5 Phase 2 Encryption/Authentication: Encrypt and Authenticate (ESP DES HMAC MD5) Shared Secret: ---------IPSecutas, version 2.0.6 Mac OS X 10.3.5 General: Mode: Host to Network Remote IPSec Device: (IP Address of firewall) Remote Network: 10.5.1.0 / 24 Exchange Mode: Main Proposal Check: Obey Nonce Size: 16 Phase 1: Lifetime: 28800 DH Group: Mod768(1) Encryption: DES Authentication: MD5 Phase 2: Lifetime: 28800 PFS Group: Mod768 (1) Encryption: DES Authentication: HMAC MD5 Id/Auth: Identifiers set to Address (also tried setting DN of remote to firewall address) Preshared Secret set Options (these are enabled): Compression Deflate IPSec DOI SIT_IDENTITY_ONLY Initial Contact MIP6 DHCP-Passthrough Establish IKE Immediately
Re: IPSecuritas Sonicwall by Brian Godden on 2004-08-17 21:31:10 +0200
Here are my log entries: Here is the log of IPSecuritas in normal mode: Aug 17 12:23:02 powerbookg3 IPSecuritas: Parsing configuration Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up racoon.conf Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up setkey.conf Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up psk.txt Aug 17 12:23:03 powerbookg3 IPSecuritas: Setting up tunnel.conf Aug 17 12:23:03 powerbookg3 IPSecuritas: Parsing configuration done Aug 17 12:23:04 powerbookg3 IPSecuritas: Starting racoon... Aug 17 12:23:04 powerbookg3 IPSecuritas: Racoon is running Aug 17 12:23:04 powerbookg3 IPSecuritas: Set kernel keys Aug 17 12:23:06 powerbookg3 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Aug 17 12:23:06 powerbookg3 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Aug 17 12:23:26 powerbookg3 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Aug 17 12:23:36 powerbookg3 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 64.139.33.26 give up to get IPsec-SA due to time up to wait. Aug 17 12:23:26 powerbookg3 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Aug 17 12:23:36 powerbookg3 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 64.139.33.26 give up to get IPsec-SA due to time up to wait.
And the corresponding log of the firewall: 08/17/2004 12:23:27.064 SENDING>>>> ISAKMP OAK INFO (InitCookie 0x517f043c892f85c1, MsgID: 0x34722540) *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) 64.139.33.26, 500 63.196.31.22, 498
08/17/2004 12:23:27.064 IKE Responder: IPSec proposal does not match (Phase 2) 63.196.31.22 (admin) 64.139.33.26 10.5.10.127/32 -> 10.5.1.0/24
08/17/2004 12:23:27.064 IKE Responder: ESP Perfect Forward Secrecy mismatch 63.196.31.22 (admin) 64.139.33.26
08/17/2004 12:23:26.928 RECEIVEDAnywhere mode because I need to specify my "Local Address". Using host to anywhere doesn't give me this option. Any ideas?
Re: Connecting to multiple networks behind a firew by Fabrice Vincent on 2005-08-03 01:30:20 +0200
[quote author=Doug Weathers link=1081106636/0#0 date=1081106636] I can't figure out how to connect to more than one network behind the firewall. I've configured two tunnels with identical setups, differing only by the destination network. They each work individually, but if I try them simultaneously only the first one seems to work. Anyone have any idea how to fix this? [/quote] Hi, I have precisely the very same need and very same behavior as described above. I browsed through the forum but failed to find any answer to this question. So, is it possible to have more than one tunnels active at the same time? If not, is there any chance that it could work in the near future? I will be happy to do some testing if it can be usefull. My context: I manage our company Firewal and use IPSecuritas to create VPN connexions for roaming users. Our Firewall is an Arkoon A200 appliance, which uses linux swansea as foundation (see http://www.arkoon.net/EN/g_mid.php?menuon=eczone2&#p_38 for details). BTW, thank for this great (and cheap!) tool!!! cheers, Fabrice
Re: Connecting to multiple networks behind a firew by favincen on 2005-08-03 02:25:09 +0200
Some more details: 1) Of course the different subnets I connect to cannot be merged into a bigger subnet... 2) I managed to make this work with the demo version of VPNTracker. I just configured the various subnets into the same VPN connexion and it worked. If VPNTracker is using the same IPsec stack as IPSecuritas then I assume there would be some ways to make IPSecuritas behave the same. Thanks in advance for your help.
Re: Connecting to multiple networks behind a firew by cnadig on 2005-08-04 23:38:14 +0200
Hello Fabrice, I'm happy to announce that the next release of IPSecuritas will finally allow for multiple remote networks (amongst other long awaited extensions). Public alpha/beta versions will presumably be available by the end of August/beginning of September - please drop me a line at
[email protected] if you're interested in an early version. Cheers, Christoph
Re: Connecting to multiple networks behind a firew by favincen on 2005-08-05 13:17:58 +0200
great news. I look forward for the testing.
IPSecuritas with Airport Extreme NAT IPSecuritas with Airport Extreme NAT by TLangley on 2004-04-15 20:00:16 +0200
Hi, I'm using IP Securitas to connect from DSL at home to a Netscreen firewall at the office. From testing at a couple of locations out of the office, I've found that if another box (a Linksys) is doing the NAT and the AEBS is only bridging, IPSec works great. If I take the Linksys out of the setup and have the AEBS do NAT, IPSec stops working. It appears to connect and will ping, but will not support any real traffic, such as a server connection. There's a lot of talk on the Apple Discussion boards about this. On suggestion is to set your VPN software to "Negotiate UDP encapsulation with VPN server for NAT traversal". I'm wondering if there is a way around this problem within IPSecuritas. Thanks.
Re: IPSecuritas with Airport Extreme NAT by cnadig on 2004-04-15 22:20:00 +0200
Hello, there was an issue with older firmware versions of the AEBS (not sure of the exact version anymore, but I think it was 5.1.x) and IP fragmentation, which resulted in the described beahvior (small packets work (ping), real traffic that needs fragmentation fails). I'm using IPSec with AEBS and NAT enabled daily without problems with firmware version 5.3. Christoph
Re: IPSecuritas with Airport Extreme NAT
by Laurens van Hoorn on 2004-11-04 10:04:09 +0100
I have Airport in my home, and also the possibility to connect to my (Thomson) router by dropcable. Airport seems fine at first (no errors in log, and green lights from IPSecuritas) but doesn't work. Connecting by dropcable (and thus going around the Airport) does.
Checkpoint NG AI R55 Checkpoint NG AI R55 by sumpfgottheit on 2004-04-16 11:53:19 +0200
Hi! I try a VPN to my Checkpoint in the Office, but i get the following error: Apr 16 11:43:39 Powerbook racoon: ERROR: isakmp.c:2033:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP -> Any hints? best regards, florian
Re: Checkpoint NG AI R55 by cnadig on 2004-04-16 13:28:27 +0200
Hello Florian, since Phase 1 negotiation fails, there is a timeout for Phase 2 - setting the log level to 'Verbose Debug' will give a better indication. Have a look at the following threads for possible solutions: http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas; action=display;num=1080638584 and http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas; action=display;num=1080530104 If none of this resolves the problem, I'd need a more detailed log (please make sure to remove any confidential information). Christoph
Re: Checkpoint NG AI R55 by Viny on 2004-04-19 02:07:04 +0200
This is my parameters with NG AI R54 and IPSecuritas 2.0.2 http://www.lobotomo.com/products/downloads/IPSecuritas202.dmg I don't know if it's the best configuration but it's work for me. Good luck.... Check Point NG AI R54 and IPSecuritas 2.0.2 Check Point Global Proterties Remote Access VPN - Basic Check: Pre-Shared Secret, Public Key Signatures, Hybrid Mode Check: Gateways support IKE over TCP VPN - Advanced User Encryption Proterties: 3DES, MD5 Check: OKE Security associations proterties: Groupe 2 Resolving mechanism: Enable Securemote/SecureClient ... Check Point Gateway Traditional mode IKE properties Check: 3DES, MD5, Pre_shared Secret, Public Key Signatures, Exportable... Traditional mode IKE properties, Advanced Check: Group 2, Support aggressive mode Renegotiate IKE... : 1440 minutes Renegotiate IPsec... : 3600 Seconds User Properties Encryption Check: IKE Encryption, Edit Specify the password
IPSecuritas 2.0.2 General Mode of Operation: Host to Network Exchange Mode: Aggressive Proposal Check: Claim
Re: Checkpoint NG AI R55 by Jonathan Lundell on 2004-05-24 00:21:51 +0200
Moving to 2.0.2 and adding @ to my user name helped, in that I'm getting quite a bit farther. Now I get this message, repeated: May 23 15:10:05 jlundell racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address. May 23 15:10:05 jlundell racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address. May 23 15:10:05 jlundell racoon: ERROR: oakley.c:1190:oakley_validate_auth(): HASH mismatched May 23 15:10:05 jlundell racoon: ERROR: oakley.c:1190:oakley_validate_auth(): HASH mismatched (I'm posting in this thread because we're running R55. This is my first time trying IPSecuritas, so I don't have a history of getting it working with earlier CKPT versions.)
Re: Checkpoint NG AI R55 by Jonathan Lundell on 2004-05-24 01:03:16 +0200
Some debug output: May 23 15:53:59 jlundell racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des) May 23 15:53:59 jlundell racoon: DEBUG: oakley.c:2519:oakley_newiv(): IV computed: May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump(): dfc362ed e12abcc7 May 23 15:53:59 jlundell racoon: DEBUG: oakley.c:1163:oakley_validate_auth(): HASH received: May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump(): 30254ef1 792a6d52 ce679ee7 d6bccc13 May 23 15:53:59 jlundell racoon: DEBUG: oakley.c:868:oakley_ph1hash_common(): HASH with: May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump(): d368dd02 8801cc92 a7a5a433 c22f14b7 eea5c074 989e23ac b560a021 37f32c7f a40c2447 be9ee589 a9bbb3b6 48416b8b 09fca579 d45055ca c5e5546e 5de46d00 93e63569 268c6fd8 de759484 84cbb44e 7414b5d8 a236db8d 7648741e aa775df4 0c84420a 8021d4f7 1f0e20d6 baf83d05 fdee751b 7a0094be 4dd0ed9f 58b7707a 7ad19f1e 5b2f0eb7 86dee952 4df5e79d 344a9f95 508aa061 4d99d3f2 14a1d245 d4d76c20 55a4d9b3 4e3abe60 3769ec75 e16bf93d 3582e4ab 335d23ec 912ff688 5eb83211 f271d0a6 55509639 730389ce 06275464 023c70b5 7582fe7c 278fd227 b192a39f b3d97707 cba995a3 f83e4c02 bc4d93b1 63a3fa00 292c9b64 b6ab7457 e1c9da6c 4b438d9c 4ea96b0a 5ebba063 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c012c 80010005 80030001 80020001 80040002 01000000 d1ac64a2 May 23 15:53:59 jlundell racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5) May 23 15:53:59 jlundell racoon: DEBUG: oakley.c:878:oakley_ph1hash_common(): HASH computed: May 23 15:53:59 jlundell racoon: DEBUG: plog.c:199:plogdump(): ef6a6f6f 86860528 202a8eff 218e7b07 May 23 15:53:59 jlundell racoon: ERROR: oakley.c:1190:oakley_validate_auth(): HASH mismatched
Re: Checkpoint NG AI R55 by Viny on 2004-05-26 04:53:24 +0200
I use R55 HF02 now I have no problem. I'm sorry, I'm a newbie so I can't help you more.
Re: Checkpoint NG AI R55 by Jonathan Lundell on 2004-05-26 19:51:30 +0200
Viny, thanks, it's a big help just to know that it can work. I assume that I've got a configuration problem. Can you tell me how you're configured? Is your configuration the same as the one you posted for R54? This morning I saw, as usual, May 26 10:39:33 jlundell racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address. May 26 10:39:33 jlundell racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address. May 26 10:39:33 jlundell racoon: ERROR: oakley.c:1190:oakley_validate_auth(): HASH mismatched May 26 10:39:33 jlundell racoon: ERROR: oakley.c:1190:oakley_validate_auth(): HASH mismatched ...but my net admin claims that nothing at all showed up in the Check Point logs. Seems odd, since the debug log suggestst that there's a significant amount of negotiation necessary to get to that point. Anyway, thanks again, and if anyone (Christoph?) would care to suggest a course of action, I'd be grateful.
Re: Checkpoint NG AI R55 by Viny on 2004-05-28 14:31:58 +0200
Jonathan, It's the same configuration (R54=R55). No modification. Viny
Re: Checkpoint NG AI R55 by Jonathan Lundell on 2004-05-29 06:01:19 +0200
Thanks. I moved to 2.0.5 today, with no change. FWIW, I'm setting my local ID to @jlundell, which is my Check Point user name, plus the magic FQID thing. Other combinations don't seem to get as far, including
[email protected], where mydomain is the domain of the firewall. I need a clue.
Re: Checkpoint NG AI R55
by Viny on 2004-05-29 07:43:32 +0200
I use a certificate now. But if I remember, I used a username like "user", not "
[email protected]" or something else with "@". And in Check Point, the username was the same ("user"). Viny
Exporting/Importing Profiles Exporting/Importing Profiles by Matthew on 2004-04-21 22:41:35 +0200
Is there an easy way to export/import gateway configurations? I want to be able to easily distribute IPSecuritas to users who don't want to go through the process is building (and possibly screwing up) VPN connections. I thought maybe IPsecuritas might create something in /Library/Preferences, but I didn't see anything. Thanks, -matthew
Re: Exporting/Importing Profiles by Matthew on 2004-04-22 05:36:14 +0200
Me again. I found the preferences in ~/Library/Preferences, but just copying the com.lobotomo.IPSecuritas.plist file didn't do it for a system that hadn't previously run IPSecuritas. Does IPSecuritas modify anything else?
Re: Exporting/Importing Profiles by cnadig on 2004-05-05 16:57:24 +0200
Hello Matthew, import/export of a configuration is one of the top requirements for the next release. I'm confident to release an update in a few weeks time. Christoph
Re: Exporting/Importing Profiles by yadda on 2004-10-06 16:49:53 +0200
Any updates on the this issue? Can this be done yet? Thanks.
Re: Exporting/Importing Profiles by cnadig on 2004-10-07 08:18:27 +0200
Hello, unfortunately not yet - I plan to put a considerable amount of effort into IPSecuritas once I have finished MoofMenu 1.5 in a few days Cheers, Christoph
IPSecuritas and Linksys IPSecuritas and Linksys by Ronald Bellamy on 2004-05-07 22:10:05 +0200
I am trying to connect to a Linksys Cable Firewall Router with VPN endpoint (BEFSX41) from home with IPSecuritas. The VPN endpoint has a static IP Address. At home I connect to a Linksys DSL router that has been assigned a address from DHCP. I am using MacOS 10.2.8. Any suggestions as to how to set up the VPN and/or IPSecuritas? I have not worked with VPN setup before and so far I have not been able to connect past phase 1. :-/
Re: IPSecuritas and Linksys by cnadig on 2004-05-11 18:12:28 +0200
Hello Ronald, what is failing after successfully establishing a phase 1 connection (set the log level to Verbose Debug). Also, do you have access to the routers log? Christoph
Re: IPSecuritas and Linksys by Ronald Bellamy on 2004-05-11 20:57:02 +0200
Hi Christopher Not sure if this is helpful. There is a lot of lines in the log that seem to indicate that things are OK. This is where Error lines start appearing: May 11 12:33:10 Ronald racoon: DEBUG: isakmp_inf.c:210:isakmp_info_recv(): hash validated. May 11 12:33:10 Ronald racoon: DEBUG: isakmp.c:1121:isakmp_parsewoh(): begin. May 11 12:33:10 Ronald racoon: DEBUG: isakmp.c:1148:isakmp_parsewoh(): seen nptype=8(hash) May 11 12:33:10 Ronald racoon: DEBUG: isakmp.c:1148:isakmp_parsewoh(): seen nptype=11(notify) May 11 12:33:10 Ronald racoon: DEBUG: isakmp.c:1187:isakmp_parsewoh(): succeed. May 11 12:33:10 Ronald racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. May 11 12:33:10 Ronald racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. May 11 12:33:10 Ronald racoon: DEBUG: isakmp_inf.c:870:isakmp_info_recv_n(): notification message 16:PAYLOADMALFORMED, doi=1 proto_id=3 spi=00000000(size=4). May 11 12:33:16 Ronald racoon: DEBUG: grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting May 11 12:33:30 Ronald racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.111[500] May 11 12:33:30 Ronald racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.111[500] May 11 12:33:30 Ronald racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to 68.150.80.245[500] May 11 12:33:30 Ronald racoon: DEBUG: sockmisc.c:563:sendfromto(): 1 times of 260 bytes message will be sent to 192.168.1.111[500] May 11 12:33:30 Ronald racoon: DEBUG: plog.c:193:plogdump(): 0048766f a2b9058c cfa545f0 8db74490 08102001 4a924fb2 00000104 7ce66c23 ee0f7e87 5d9ee65e fbeaf05e 345fdf59 2b946c43 ad1c46bf 85099a78 c2b20570 33004776 9aa21c82 3cc620ef 1527a9a4 20d547f6 178dba8d 93d2d258 dd7f990a 752281fb 7afee4e5 c26baa19 5f9c196b 0e6c2413 7043fa1b 663d0f4f 35dc100e 664e8b68 6e7fe02f 1a3908d2 1957955c b792a8bf ac418956 d4f47029 274e80dc a616ae69 28ec5aac 93333935 f3f2e311 c5d4c279 20e8297c 1e6c8a84 d34c6b34 59b9f13e 805daa1a ff63a70d 15a0e351 c1407e7d 622a35f9 762bbfc0 25087ff4 0f6b4c0a 5648f37d 90e41bba efe226c2 cdc34189 e1bfbb8c e6d37889 253385e9 15d9ce63 May 11 12:33:30 Ronald racoon: DEBUG: isakmp.c:1496:isakmp_ph2resend(): resend phase2 packet 0048766fa2b9058c:cfa545f08db74490:4a924fb2 May 11 12:33:33 Ronald racoon: DEBUG: grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting May 11 12:33:40 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover(): 68.150.80.245 give up to get IPsec-SA due to time up to wait. May 11 12:33:40 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover(): 68.150.80.245 give up to get IPsec-SA due to time up to wait. I do have access to the router logs but not while I am at home. I will try to get that info next time I am out.
Re: IPSecuritas and Linksys by Bryan Derman on 2004-06-05 13:07:12 +0200
From a press release that just got posted: ===== 2004-Jun-01 : Derman Enterprises publishes a set of web pages that outline how to use IPSecuritas (a free VPN-setup utility) and Mac OS X to achieve a Host-to-Network and Network-to-Network secure/VPN connection to the popular and inexpensive LinkSys BEFSX41 Switch/Router /Firewall/VPN appliance. Using this information will allow you to configure a stationary or mobile/dial-up secure tunnel to your small business or home network. See http://www.derman.com/Misc/VPN/Overview.html for the information. ===== Hope this helps, if you hadn't already figured it out.
Re: IPSecuritas and Linksys by Ronald Bellamy on 2004-06-06 23:43:20 +0200
Hi Bryan I found the information helpful and hoped that it would solve the problem but using the settings still doesn't seem to work. I was finally able to get the log info from IPSecuritas and the Linksys. Hopefully somebody can find what I need to change: Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp_inf.c:210:isakmp_info_recv(): hash validated. Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp.c:1121:isakmp_parsewoh(): begin. Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp.c:1148:isakmp_parsewoh(): seen nptype=8(hash) Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp.c:1148:isakmp_parsewoh(): seen nptype=11(notify) Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp.c:1187:isakmp_parsewoh(): succeed. Jun 6 15:21:57 Ronald racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Jun 6 15:21:57 Ronald racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Jun 6 15:21:57 Ronald racoon: DEBUG: isakmp_inf.c:870:isakmp_info_recv_n(): notification message 18:INVALIDID-INFORMATION, doi=1 proto_id=3 spi=0701eb2e(size=4). Jun 6 15:22:02 Ronald racoon: DEBUG: grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.111[500] Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.111[500] Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to 68.150.80.245[500] Jun 6 15:22:16 Ronald racoon: DEBUG: sockmisc.c:563:sendfromto(): 1 times of 252 bytes message will be sent to 192.168.1.111[500] Jun 6 15:22:16 Ronald racoon: DEBUG: plog.c:193:plogdump(): 3b1285f7 05215f04 ae763ee4 2e83205e 08102001 7e6ea993 000000fc 980cf3f9 933bf763 f98a28a0 bb374f0a 5e8f4327 d1a349b1 07266af8 eb36e65d 57dadd9d dfd13515 faf925ae 86185ad7 aaff6ae9 91d7cea8 85e736da 64fa300a 848779ea ecc81fee 9277f735 91fe9215 7693cbd8 56b6da60 22df06ba 03d79b9e 262b81ec bc24bbbf 1967f641 6cb06f56 e1da7e9d 58e6883e 3bbcc170 b4ecd9fe d87271f9 dc51b230 92791738 3163da5e b0d72751 5156b1b3 eb26dba1 1147de86 a5e239b7 bd953863 20ece927 120be189 2e0fef10 fa47d9a1 ab0d5939 473e8c88 71d9b73a 081c8f36 95404fa9 d98c0f54 af232f52 4e48a74c 9cd0f80c 9726c1d1 Jun 6 15:22:16 Ronald racoon: DEBUG: isakmp.c:1496:isakmp_ph2resend(): resend phase2 packet 3b1285f705215f04:ae763ee42e83205e:7e6ea993 Jun 6 15:22:22 Ronald racoon: DEBUG: grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting Jun 6 15:22:26 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover(): 68.150.80.245 give up to get IPsec-SA due to time up to wait. Jun 6 15:22:24 Ronald racoon: DEBUG: grabmyaddr.c:442:update_myaddrs(): msg 5 not interesting Jun 6 15:22:26 Ronald racoon: ERROR: pfkey.c:738:pfkey_timeover(): 68.150.80.245 give up to get IPsec-SA due to time up to wait. From the Linksys Router 2004-06-06 15:21:51 IKE[6] Rx > DELETE SA : 81.178.250.58 (SPI=5bd07bf6) Thur, 04/29/2004 07:30:34 - FVS318 IPsec:ISAKMP SA expired (LATEST!) Thur, 04/29/2004 07:30:34 - FVS318 IPsec:delete_isa_out() Thur, 04/29/2004 07:30:34 - FVS318 IPsec:[VPNLANPC_tmp20] is removed from the head of conn_list Thur, 04/29/2004 07:30:34 - FVS318 IPsec:Connection [VPNLANPC_tmp20] is deleted from connection table Thur, 04/29/2004 07:31:00 - FVS318 IPsec:find_insa() not found Thur, 0 And this in the log of the client: Apr 29 06:27:32 Alison-Robertss-Computer IPSecuritas: Set kernel keys Apr 29 07:30:34 Alison-Robertss-Computer racoon: ERROR: isakmp.c:662:isakmp_main(): unknown Informational exchange received. Apr 29 07:30:34 Alison-Robertss-Computer racoon: ERROR: isakmp.c:662:isakmp_main(): unknown Informational exchange received. Apr 29 07:30:36 Alison-Robertss-Computer racoon: ERROR: isakmp.c:662:isakmp_main(): unknown Informational exchange received. Apr 29 07:30:36 Alison-Robertss-Computer racoon: ERROR: isakmp.c:662:isakmp_main(): unknown Informational exchange received. Both sides have key life (phase1) at 3600 seconds, and IKE key lifetime (phase 2) at 28,800 seconds. The connection is initiated at the Ipsecuritas end I then have to stop & start IPSec to reconnect Many thanks for any help you can offer Fraser Jopp
Re: unknown informational exchange... by cnadig on 2004-05-10 15:38:11 +0200
Hello Fraser, first of all sorry for not getting back to your e-mail earlier! I'm expecting a Netgear FVS328 this week to arrive and, assuming it has the same or a similar firmware as the 318, I expect to run into the same problems. I'll let you know as soon as I find a solution. From the log you attached it seems that both phase 1 and 2 time out at the same time - what have you set for the exchange mode in IPSecuritas? Cheers, Christoph
Re: unknown informational exchange... by FraserJopp on 2004-05-11 08:15:04 +0200
It's aggressive. The timeout is always 180 seconds after the phase 1 key life (if this helps). As far as I can see, the settings are the same on both sides. Thanks for your help Fraser
Re: unknown informational exchange... by FraserJopp on 2004-05-12 09:33:00 +0200
Cracked it, thanks to a clue in your reply. I had not realised that Phase 1 = IKE SA lifetime, Phase 2 = IPSec Sa lifetime, as different terms are used at the other end. Transposed the two figures, and it works fine.. Thanks for your help Fraser
Re: unknown informational exchange... by jsilk on 2004-06-06 18:19:54 +0200
Hi there, I am hoping you would be so kind to share your working connection details in both IPSecuritas and FVS318 (naturally exluding any IP adresses) . Thanks, Johan
Cisco VPN Client Cisco VPN Client by brichpmr on 2004-05-16 15:59:49 +0200
My company provides a .pcf file to import into the CiscoVPN client app through our Cisco 3000 series VPN concentrator. Does IPSecuritas work with a Cisco .pcf script? Can I import the configuration into your app? I'm running Panther (10.3.3)
IPSecuritas to Zyxel ZyWall 35 IPSecuritas to Zyxel ZyWall 35 by Thomas von Hassel on 2004-05-17 14:34:07 +0200
Hi all I'm trying to connect a 10.3 client with this in my zywall logs:
IPSecuritas to a Zywall 35. I get
Phase 1 IKE SA process done then: !! No proposal chosen Could someone point me in the right direction :)
/thomas
Re: IPSecuritas to Zyxel ZyWall 35 by cnadig on 2004-05-18 16:31:58 +0200
Hello Thomas, according to the Zyxel user manual you have a mismatch of the encryption or authentication parameters, either in pahse 1 or 2, so that no satisfying SA proposal can be found and the tunnel negotiation is aborted. Check the phase 1 and phase 2 settings in IPSecuritas with the ones of the zyxel router. If you change the log level of IPSecuritas to 'Verbose Debug', you should see in more detail what has been offered by your side and the Zyxel router and why the two proposals don't match. Christoph
Re: IPSecuritas to Zyxel ZyWall 35 by Chief_Nerd on 2004-08-25 21:51:58 +0200
I too am trying to get going with a ZyWALL. But in my case, it's 10.2 I'm using. I have AES 256 and SHA1 set.
My verbose debug says: {wonder where the ----'ed line came from; as that's not an IP in use here} Log output from IPSecuritas 2.0.6 Aug 25 15:30:07 Notanumber IPSecuritas: Parsing configuration Aug 25 15:30:07 Notanumber IPSecuritas: Setting up racoon.conf Aug 25 15:30:07 Notanumber IPSecuritas: Setting up setkey.conf Aug 25 15:30:07 Notanumber IPSecuritas: Setting up psk.txt Aug 25 15:30:07 Notanumber IPSecuritas: Setting up tunnel.conf Aug 25 15:30:07 Notanumber IPSecuritas: Parsing configuration done Aug 25 15:30:08 Notanumber IPSecuritas: Starting racoon... Aug 25 15:30:08 Notanumber racoon: INFO: main.c:169:main(): @(#)racoon 20001216 20001216
[email protected] Aug 25 15:30:08 Notanumber racoon: INFO: main.c:169:main(): @(#)racoon 20001216 20001216
[email protected] Aug 25 15:30:08 Notanumber racoon: INFO: main.c:170:main(): @(#)This product linked OpenSSL 0.9.6i Feb 19 2003 (http://www.openssl.org/) Aug 25 15:30:08 Notanumber racoon: INFO: main.c:170:main(): @(#)This product linked OpenSSL 0.9.6i Feb 19 2003 (http://www.openssl.org/) Aug 25 15:30:10 Notanumber IPSecuritas: Racoon is running Aug 25 15:30:10 Notanumber IPSecuritas: Set kernel keys Aug 25 15:30:10 Notanumber racoon: DEBUG2: cfparse.y:1354:cfparse(): parse successed. Aug 25 15:30:10 Notanumber racoon: INFO: isakmp.c:1369:isakmp_open(): 192.168.1.69[500] used as isakmp port (fd=6o) -----------------------------------------^^^^^^^^^ huh? Aug 25 15:30:10 Notanumber racoon: INFO: isakmp.c:1369:isakmp_open(): 192.168.1.69[500] used as isakmp port (fd=6) Aug 25 15:30:10 Notanumber racoon: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey X_SPDDUMP message Aug 25 15:30:10 Notanumber racoon: DEBUG2: plog.c:193:plogdump(): 02120200 00020000 00000000 00000200 Aug 25 15:30:10 Notanumber racoon: DEBUG: pfkey.c:207:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory Aug 25 15:30:10 Notanumber racoon: DEBUG: pfkey.c:192:pfkey_handler(): get pfkey REGISTER message Aug 25 15:30:10 Notanumber racoon: DEBUG2: {.....} isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Aug 25 15:30:31 Notanumber racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Aug 25 15:30:42 Notanumber racoon: ERROR: isakmp.c:1785:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 207.188.193.107->192.168.1.69 Aug 25 15:30:42 Notanumber racoon: ERROR: isakmp.c:1785:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 207.188.193.107->192.168.1.69 Aug 25 15:30:42 Notanumber racoon: INFO: isakmp.c:1790:isakmp_chkph1there(): delete phase 2 handler. Aug 25 15:30:42 Notanumber racoon: INFO:
Replacing CheckPoint SecureClient Replacing CheckPoint SecureClient by Ben on 2004-05-17 15:45:02 +0200
Hi there, I came across IPSecuritas after posting to Apple's support forums. Anyway, here's the gist of my problem. At work, we use Checkpoint's VPN-1 SecureClient for Windows to connect to the company's LAN remotely. My question is how can I do the same thing with my PowerBook. Someone kindly suggested that I try out IPSecuritas, which I installed without any problem. However, the tricky part came when I tried to import the certificate. IPSecuritas wants the certificate to be of the type .pem, whatever that is. At work, we have Entrust certificates that have a .epf suffix. Now, I'm not sure what these different file formats mean (simply changing the suffix didn't do the trick), but I was hoping there would be some sort of conversion utility, or perhaps there is some way to export a certificate from SecureClient as a .pem. Is this even the right approach? Apologies in advance if the above isn't the clearest, but digital certificates and PKI are kind of new to me. Ben
Re: Replacing CheckPoint SecureClient by cnadig on 2004-05-18 16:26:02 +0200
Hello Ben, I found very little information about the Entrust Profile File (.epf), especially conecrning about it's contents and format, so importing them directly won't be possible. I don't know how your company generates the certificate files but I'd expect the software to be able to export it into different format (at least PKCS12, which can be imported into IPSecuritas with a few steps, see the online help). As an alternative (and it probably needs very good connections to the network admin), you could setup an alternative CA: http://www.atsec.com /docs/fw1-openssl.howto.pdf Christoph
Re: Replacing CheckPoint SecureClient by Benjamin So on 2004-05-24 10:50:03 +0200
Hi Christoph, I think the export method seems like the better bet. At present, the utilities supplied by the company don't allow any export function. Are there any conversion apps available that could do this for me? And which file formats does IPSecuritas understand? Ben
Can't setup VPN Can't setup VPN by robbiemurray on 2004-05-18 16:49:20 +0200
I have had 3 days of frustration trying to connect my home network to my colleagues using the VPN software in MAC OS X. Both networks have static IP addresses and are using Netgear DG834 Routers, and Internet/email works fine. I tried configuring both PPTP and L2TP connections, but either got a 'server not responding - check address etc', message, either immediately or after a delay where the icon in the menu bar tried to connect, but gave up after a couple of minutes. (I can however ping from one to the other) Checked with Netgear support, who were unhelpful, but eventually had me open all ports. Still no joy. After a lot of trawling found recommendations for IPSecuritas. Downloaded, installed, configured on both, but no connection - just the red X removed all the Mac VPN configurations, but still no go. Please can anyone help????
Re: Can't setup VPN by cnadig on 2004-05-18 17:51:09 +0200
Hello Robbie, a quick question first: Is NAT (Network Address Translation) enabled on any of the routers? Could you also post the log from IPSecuritas when set to 'Verbose Debug' (in the IPSecuritas preferences). Please remove any confidential information like you static IP addresses. Christoph
Re: Can't setup VPN by robbiemurray on 2004-05-18 23:18:17 +0200
Hi Christoph Thanks for your interest. Yes, both have NAT enabled, as they were set up with the simple login suggested by the ISP-login & password, with all others info provided dynamically by the ISP, (although the both addresses are static) How much of the log do you want, as there are pages & pages,and it seems to loop? I’m new to this site, and don’t want to get in trouble........... I could email it if that's an option Regards Robbie
IPSec startup failed IPSec startup failed by benoit_mikros on 2004-05-20 18:09:47 +0200
Hello Christoph, I've got message "IPSec startup failed" (in the verbose log, nothing than "Log output from IPSecuritas 2.0") The configuration of IPSec should work because it's being used by one of my colleague, Marc, with the same kind of connection (OS 10.3.3 with Netscreen FW). In fact it did work fine once, at my place (home), but I could'nt stop IPSec properly (refused) : I had to quit IPSecuritas and then no more DNS resolve with any app : Safari , Mail, etc... So I found that /etc/resolv.conf was linked to /tmp/IPSecuritas... Then I redo the link to /var/run/resolv.conf and add some DNS names in my OS Network Preferences . So Http and Mail work fine again now... In the meantime, I aslo removed all settings of IPSecuritas (to start from scratch). Then I re-edit IPSecutitas settings and prefs, checked them twice (the same that work for Marc) but IPSecuritas does not want to start...(immediate message : "IPSec startup failed"). I also removed my optional DNS server names in my OS Network Preferences (and anyway I have checked "Replace DNS Settings on IPSec Activation" with my job DNS refs). But it doesn't start ;-( Any idea to work this out?
Re: IPSec startup failed by cnadig on 2004-05-20 23:44:46 +0200
Hello Benoit, at the moment I can only guess, but I think your installation has been corrupted. Please try to remove IPSecuritas completely and re-install it. If you still have trouble, I'll compile a version that logs more detail in such an event. Christoph
Re: IPSec startup failed by benoit_mikros on 2004-05-21 13:05:44 +0200
okay : I removed IPSecuritas and prefs, then reinstalled it completely. Same result ;-( Benoit
more detais for log ...;-) by benoit_mikros on 2004-06-02 01:03:50 +0200
HEllo Chritophe, Did you change the logs with more details in such an event, with V 2.05? I still have the same message. I even try to update my OS to 10.3.4 (never know...) Still the same instantaneous "IPSec startup failed ".
Benoit
Re: IPSec startup failed by cnadig on 2004-06-08 23:20:10 +0200
Hello Benoit, sorry for the late answer - my daytime job is keeping me busy... I did not have the opportunity to get more verbose log in, but a quick question: when you try to start IPSec and it fails, do you get anything in the lgo window (with log level set to verbose debug). Also, if you have teh replace DNS settings options set, do you still need to replace the link to /var/run/resolv.conf after terminating IPSecuritas in order to get normal internet acces sback? Christoph
Re: IPSec startup failed by MacPapy on 2004-09-28 23:55:22 +0200
Hi everybody I would have loved to announce that IPSecuritas is working fine with an Equinet gateway (at least on a host to network basis) but, in my case, its works only with one of my computer (a PowerBook G3, OS 10.2.6) On my iMac (G3, 600 Mhz, 10.2.6) I have directly the "startup has failed" message, and no message in the log window. I've tried for a couple of nights to understand what the differences are, but I do not find any succesfull explanation. Hypothesis : on my initial launch of IPSecuritas, it happens that I was not loged as an "Administrator" for the system. Of course, I've tried to reinstall and relaunch, but no success :'( Another idea : The mac which is not working was initially configured as a gateway with IPSharing (using the MacOs embeded feature) ; I've stopped IPSharing during the testing of IPSecuritas, (and tried to restart, and everything ...) but this doesn't solve the problem Last : on my iMac, there was an previous version of racoon, hidden in an old "Previous system" directory, that was remainig on my disk. I did clean all that stuff after, but could it be a problem linked with that bad config at beginning. Any idea ? Thanks by advance Jean (from France)
Re: IPSec startup failed by Pascal Frey on 2004-10-16 20:43:08 +0200
Same troubles as benoit_mikros and MacPapy : I've tried to estabilish a VPN Connection with IP Securitas, but as soon as I click on "Start IPSec", it answers me "IPSec Startup failed", with nothing at all in the log (even in Verbose Debug mode). I first tried IP Securitas on an other Mac and it seemed to work fine. So I did a clean install on my own Mac and I re-installed IP Securitas. I managed to estabilish connections for about 15 or 20 time, and then, back to the same error message : "IPSec startut failed"... Then I tried to have a look into the IP Securitas.app package. I tried to launch IPSecuritas.app/Contents/MacOS/vpntool sevral times and it didn't answered me anything. BUT, I then relaunched IPSecuritas by invoking IPSecuritas/contents/MacOS /IPSecuritas in the same shell, and it seemed to work fine again. At least I can clik on "Start IPSec" without having the error message. But this time, the connection doesn't work. I haven't changed anything in the config file, but the connection fails to estabilish. That's what the log shows : [i]Log output from IPSecuritas 2.0.6 Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Parsing configuration Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Setting up racoon.conf Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Setting up setkey.conf Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Setting up psk.txt Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Setting up tunnel.conf Oct 16 20:14:02 Ordinateur-de-Famille-Frey IPSecuritas: Parsing configuration done Oct 16 20:14:03 Ordinateur-de-Famille-Frey IPSecuritas: Starting racoon... Oct 16 20:14:03 Ordinateur-de-Famille-Frey IPSecuritas: Racoon is running Oct 16 20:14:03 Ordinateur-de-Famille-Frey IPSecuritas: Set kernel keys add net 192.168.1.0: gateway gif0 Oct 16 20:14:34 Ordinateur-de-Famille-Frey racoon: ERROR: pfkey.c:745:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait. Oct 16 20:14:34 Ordinateur-de-Famille-Frey racoon: ERROR: pfkey.c:745:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait. delete net 192.168.1.0 Oct 16 20:15:26 Ordinateur-de-Famille-Frey IPSecuritas: Flushing kernel keys Oct 16 20:15:26 Ordinateur-de-Famille-Frey IPSecuritas: Stopping racoon... Oct 16 20:15:27 Ordinateur-de-Famille-Frey IPSecuritas: Racoon normally terminated[/i] If somebody understainds what's happening ? ... Meanwhile, I've also tried with VPNTracker and it works fine in any case
Antivirus and Firewall
Antivirus and Firewall by fmorchid on 2004-05-21 19:40:02 +0200
hello, is it possible to install a symantec antivirus with the checkpoint firewall? thnak you
smb query smb query by rnoranbrock on 2004-05-24 23:38:54 +0200
OK, I've got IPSecuritas set up and connecting properly to a SonicWall SOHO3. And I would swear that at least the first time I set it up I was able to connect to shared portions of an Exchange server behind the Sonic; however, currently, I am unable to do the same thing. I try to enter smb://MACHINE/OBJECTS in the Connect to Server dialog, but all I get is "The Finder cannot complete the operation because some data in "smb://MACHINE/OBJECTS" could not be read or written. (Error code -36)." with the option to Try Again or Cancel. If I try to double click the aliases setup for the same share from behind the Sonic, it attempts to connect (I guess) and then asks if I want to fix or delete the alias. And just to add more strangeness on top, Entourage (which is configured to connect as an IMAP client from behind the Sonic) has no problem connecting with the address entered as SECOND_MACHINE.DOMAIN.NAME.COM I can use MS Remote Desktop Connection to connect through the VPN and access the Exchange Server, so that works, but so far no success at specifying an smb address. Any thoughts? Thanks, -Randy
Re: smb query by info.helpdesk on 2007-04-25 14:44:40 +0200
We are having the same problem using version 3.0 of the software on a Mac OS X 10.4 machine. Any ideas?
Re: smb query by rnoranbrock on 2007-04-25 15:18:06 +0200
Sorry, I haven't tried to connect recently as I believe I read in another post that the problem was in the Mac OS. Interestingly though, if I bring up Win XP under Parallels, I can mount any of the drives/machines in Win XP, but not in the Finder. Strange. -Randy
Re: smb query by Dave on 2007-04-26 00:42:07 +0200
Are you using IP addresses for MACHINE in your examples?
Re: smb query by rnoranbrock on 2007-04-26 03:47:02 +0200
Honestly, I don't recall if I tried that or not. The names resolve to the proper IP address in terminal and ping correctly. If I get a chance to try later, I'll post back. -R
OS X 10.3.4 breaks Ipsecuritas OS X 10.3.4 breaks Ipsecuritas by Thomas von Hassel on 2004-05-27 01:40:56 +0200
Well i got Ipsecuritas working with my ZyWall ... but i just installed 10.3.4 and now Ipsecuritas gives me this: Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: configuration Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: racoon.conf Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: setkey.conf Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: psk.txt Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: tunnel.conf Jun 27 01:39:43 Thomas-von-Hassels-Computer IPSecuritas: configuration done Jun 27 01:39:44 Thomas-von-Hassels-Computer IPSecuritas: racoon... Jun 27 01:39:44 Thomas-von-Hassels-Computer IPSecuritas: running Jun 27 01:39:44 Thomas-von-Hassels-Computer IPSecuritas: keys ifconfig: SIOCIFCREATE: Invalid argument route: writing to routing socket: No such process delete net 192.168.1.0: not in table ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address Jun 27 01:39:45 Thomas-von-Hassels-Computer IPSecuritas: delete gif0 Jun 27 01:39:45 Thomas-von-Hassels-Computer IPSecuritas: racoon... Jun 27 01:39:46 Thomas-von-Hassels-Computer IPSecuritas: normally terminated Jun 27 01:39:46 Thomas-von-Hassels-Computer IPSecuritas: kernel keys
so 10.3.4 obiusliy breaks something :) /thomas
Parsing Setting up Setting up Setting up Setting up Parsing Starting Racoon is Set kernel
Could not Stopping Racoon Flushing
Re: OS X 10.3.4 breaks Ipsecuritas by Mark Dadgar on 2004-05-27 06:39:47 +0200
Yep - broke my copy, too. :( - Mark
Re: OS X 10.3.4 breaks Ipsecuritas by cnadig on 2004-05-27 08:56:33 +0200
Hello, I can reproduce the problem and am working on a solution, which should be available within days. Christoph
Re: OS X 10.3.4 breaks Ipsecuritas by Mark Dadgar on 2004-05-27 18:58:07 +0200
THANK YOU!! - Mark
Re: OS X 10.3.4 breaks Ipsecuritas by NetWhiz on 2004-05-31 01:33:39 +0200
Any update on the status of the fix for this? ??? NetWhiz
Re: OS X 10.3.4 breaks Ipsecuritas by cnadig on 2004-06-01 14:20:29 +0200
Hello, sorry for the late notification! IPSecuritas 2.0.5 is available for download at [url]http://www.lobotomo.com/products/IPSecuritas/index.html[/url]. See [url]http://www.lobotomo.com/products/IPSecuritas /changes.html[/url] for a list of changes. Christoph
Re: OS X 10.3.4 breaks Ipsecuritas by DarX on 2004-06-01 15:51:37 +0200
[quote author=cnadig link=1085614856/0#5 date=1086092429]Hello, sorry for the late notification! IPSecuritas 2.0.5 is available for download at [url]http://www.lobotomo.com/products/IPSecuritas/index.html[/url]. See [url]http://www.lobotomo.com/products/IPSecuritas /changes.html[/url] for a list of changes. Christoph[/quote] hey, this works! thanks a bunch! .. keep up the good work! /thomas
Re: OS X 10.3.4 breaks Ipsecuritas by NetWhiz on 2004-06-02 23:14:50 +0200
Is ther a version that fixes the problem? This version is the same as from last week and it does not fix my broken issue. Everything worked fine with this version, until I opened and used the built-in Mac OS X IPSec/L2TP client. When I went back to try IPSecuritas, it will not get past: Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Parsing configuration Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up racoon.conf Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up setkey.conf Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up psk.txt Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Setting up tunnel.conf Jun 2 21:11:47 Allison-Baby-3 IPSecuritas: Parsing configuration done Jun 2 21:11:48 Allison-Baby-3 IPSecuritas: Starting racoon... Jun 2 21:11:48 Allison-Baby-3 IPSecuritas: Racoon is running Jun 2 21:11:48 Allison-Baby-3 IPSecuritas: Set kernel keys Jun 2 21:11:48 Allison-Baby-3 racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Jun 2 21:11:48 Allison-Baby-3 racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Jun 2 21:11:55 Allison-Baby-3 IPSecuritas: Flushing kernel keys Jun 2 21:11:55 Allison-Baby-3 IPSecuritas: Stopping racoon... Jun 2 21:11:56 Allison-Baby-3 IPSecuritas: Racoon normally terminated Then it just sits and eventually times out or I get that error. How can this be fixed???? NetWhiz
Re: OS X 10.3.4 breaks Ipsecuritas by NetWhiz on 2004-06-04 05:51:50 +0200
Anyone even watching the board? No one else having this problem? NetWhiz
Re: OS X 10.3.4 breaks Ipsecuritas
by NetWhiz on 2004-06-08 01:56:56 +0200
Just checking in to see if anyone is having this issue or a solution been found???????? NetWhiz
Re: OS X 10.3.4 breaks Ipsecuritas by davehodg on 2004-07-08 17:52:30 +0200
I'm getting this too, trying to connect to an FVL328: Jul 8 16:47:34 Daves-PB syslogd: restart Jul 8 16:47:34 Daves-PB syslogd: restart Jul 8 16:47:35 Daves-PB racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Jul 8 16:47:35 Daves-PB racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Offers?
Re: OS X 10.3.4 breaks Ipsecuritas by Rusty Bias on 2004-09-07 07:57:48 +0200
I've had the same issue... IPsecuritas working fine until messing with built in L2TP/VPN, and even after removing L2TP configs, IPsecuritas won't work...
Support for ... Support for ... by NetWhiz on 2004-05-28 18:28:34 +0200
Will there be support added for DH modp2048 and/or SHA2? Also, will the source code for this app be released? Thanks, NetWhiz
New User New User by Spark on 2004-05-28 19:03:19 +0200
Hello I am a new user that would love to use IPSecuritas! I cannot seem to find a how to on the SF. Is there documintation or a how to page i can be directed to. I am running 10.3.4 wirh the firewall on. I do a ton of file transfers and would like to make them secure. Will this mask my ip address when accessing sites and running my own server? Any help would be greatly appreciated! :)
Version 2.0.5 breaks name resolution Version 2.0.5 breaks name resolution by Russ Marks on 2004-06-02 23:29:16 +0200
IPSecuritas 2.0.5 does not release the "DNS Servers" entry in its Preferences panel. Once IPSecuritas is run, the OS does not revert back to the DNS servers entry listed in the OS X "Network" system preference pane. I am able to fix this by clearing the IPSecuritas "DNS Servers" entry, committing it then exiting. This problem exists on my 10.3.4 & 10.2.8 machines. Regards, Russ Marks
anyone help me? anyone help me? by hopecompany on 2004-06-04 11:30:56 +0200
hi,everybody!my first time here,nice to meet all of you! I have experienced a question:I have 2 Nokia IP530 platforms,which had installed checkpoint NG AI(R55),I configured them running in clusters' environment,and I am sure clusters work well!but a problem occured:when a oracle client connects oracle server behind cluster gateway,the session only remained about 5 to 10 minutes,and the session disconnected,I reseted the connection in oracle client and it worked well again,but disconnectd after 5-10 minutes,I don't know how to settled the problem,anybody help me?looking forward to hearing from you!thanks a lot
Netgear - Phase 2 failing Netgear - Phase 2 failing by 2manysecrets on 2004-06-04 19:42:29 +0200
I am using a netgear FVS318 at my office with a fixed IP and connecting from home (and would like to connect from the road) with IPSecuritas and a dynamic IP. The office and home have two different subnets and I did have this working for a couple of weeks. When it was working the computer at work could not see any of the computers on my home network. But, I could see all of the computers on the office network. Something has changed and I am not sure what it is. The debug log show that phase 1 succeeded, but I keep getting Jun 4 13:28:03 AgentSmith racoon: DEBUG: isakmp.c:1756:isakmp_ph2resend(): resend phase2 packet 42cb18005b4777b4:f3941f0d568a1a16:de4771c6 Jun 4 13:28:12 AgentSmith racoon: ERROR: pfkey.c:745:pfkey_timeover(): 55.55.55.55 give up to get IPsec-SA due to time up to wait. Jun 4 13:28:12 AgentSmith racoon: ERROR: pfkey.c:745:pfkey_timeover(): 55.55.55.55 give up to get IPsec-SA due to time up to wait. Jun 4 13:28:12 AgentSmith racoon: DEBUG: schedule.c:210:sched_scrub_param(): an undead schedule has been deleted. After reading several "guides" on setting up NetGear routers I am now total confused. What parameters are affecting the phase 2 verification? Thanks for your help
Re: Netgear - Phase 2 failing by jsilk on 2004-06-06 18:12:08 +0200
Hi, Any possibility you could share your configuration that worked before you tried to change so you could roam from anywhere including your home? For Phase 2 I have the same configuration as with Phase 1 with the exception of the life time. This seems to work fine, I am not getting any errors like you are seeing. But after what seems like a successful connection at both ends I am unable to access any hosts at work behind the FVS318...
Re: Netgear - Phase 2 failing by jsilk on 2004-06-07 02:21:16 +0200
Hi there I can replicate your message when my Network settings are not matching up between FVS318 and the IPSecuritas settings. Ensure you remote and local network configuration is the same at both ends. Cheers! Johan
Re: Netgear - Phase 2 failing by 2manysecrets on 2004-06-08 18:19:08 +0200
The only way I was able to login from a remote site was to know the public IP and put that into the local address field. This worked from home, but when I was at the hotel it was not a viable solution since I cannot find out the public IP. But since I have been reading more it sounds like that the local address field should be the local machine's IP address. Now I am even more confused since in the NetGear setup I need to specifiy the IP address or range for the remote LAN IP. I know that I am missing something and the was the reason for the original post. Thanks
Re: Netgear - Phase 2 failing by cnadig on 2004-06-08 23:04:12 +0200
Hello, the local address field in IPSecuritas is used to explicitly define the source address of your traffic going through the tunnel - it has no effect on the tunnel itself (its often referred to as virtual local adress because it makes the remote end (machines within the LAN behind the VPN router, not to the VPN router itself) think you have a different IP address. Basically everything works for this field, but it is common to use a private network address like 10.x.x.x or 192.168.x.x. If no local address is specified, your computers default interface's address is used (whatever you get from your ISP or the NAT router). The VPN router normally has rules on how to route packets through which tunnel. So if you define 192.168.1.1 for your local address in IPSecuritas, you should also enter this address for the destination address rule in your Netgear configuration. I don't have a FVS318 but a 328, but I assume the two work quite similarily. I could post a working configuration of my 328, if you like. Cheers, Christoph
Re: Netgear - Phase 2 failing by 2manysecrets on 2004-06-09 03:19:18 +0200
Yep I found that out today. Thanks for the reply. I now have it working and the only unresolved issue is the ability for the computers behind the FVS318 to see my computer. I have a good connection working, but if my laptop goes to sleep while the VPN is connect and the network connection is dropped, I have to sleep the laptop and wake it back up before I can reconnect. Hope that helps.
Re: Netgear - Phase 2 failing
by 2manysecrets on 2004-06-09 03:24:00 +0200
I do have a working configuration FVS318 settings Connection Name : IPSecuritas Local IPSec : FVS318 Remote: Home Tunnel can be accessed from: any local IP Tunnel can access: a subnet of remote addresses Remote LAN start IP Address: 10.0.0.1 Remote LAN IP Subnetmake: 255.255.255.0 Remote WAN IP or FQDN: 0.0.0.0 Secure Association: Aggressive Mode Perfect Forward Secrecy: Enabled Encryption Protocol: 3DES Key Group: Diffie- Hellman Group 2 Preshared Key: 0123456789 Key Life: 28800 IKE Life Time: 86400 NETBIOS Enabled: false IPSecuritas Settings: Mode of Operation: Host to Network Remote IPSec Device: of your VPN router Remote Network: (192.168.1.1 / 24) Local Address: [blank] Exchange Mode: Agressive Proposal Check: Strict Nonce Size 16 Phase 1: Lifetime: 28800 DH group: Mod1024 (2) Encryption: 3DES Authentication: MD5 Phase 2: (least sure about all of these settings, but it works) Lifetime: 28800 PFS Group: Mod1024 (2) Encryption: 3DES, AES192, AES128 Authentication: HMAC MD5, HMAC SHA1 ID/Auth: Local Identifier DN: home Remote Identifier DN: FVS318 Preshared Secret: 0123456789 Options: (where unchanged from default) Everything selected but (Passive, Verify Certificate, and Auto Start) ----------------
Re: Netgear - Phase 2 failing
by Johan Silkenas on 2004-06-09 12:40:03 +0200
Thanks for the configuration. Mine matches it except for the encryption, where I have opted for less security (DES) to get better speed than when using 3DES. About the Local IP, yes what Christoph was saying is certainly what I have found as well. All it is, is a virtual address. As long as your settings are the same in IPSecuritas as in FVS318 for your profile, then you can roam anywhere. Sorry don't know about making your machine visable to the machines behind the FVS318. Cheers! Johan
Re: Netgear - Phase 2 failing by nickb on 2004-06-11 02:44:51 +0200
I've tried building on the config above but get: racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ?
Re: Netgear - Phase 2 failing by 2manysecrets on 2004-06-17 15:52:12 +0200
Double check you configuration. Make sure the exchange mode, DH Group, Encryption and Authentication match between IPSecuritas and your VPN server. Next make sure the Local Identifier and Remote Identifier are correct. If these do not match then you will not make it past phase 1. Hope that helps
Re: Netgear - Phase 2 failing by 2manysecrets on 2004-06-29 15:50:51 +0200
UPDATE This seems to work better than "Tunnel can access: a subnet of remote addresses " Tunnel can access: a single address Remote LAN start IP Address: 10.0.0.12 Remote LAN IP Subnetmake: 255.255.255.0 Remote WAN IP or FQDN: 0.0.0.0
IPSecuritas NetScreen Firewall IPSecuritas NetScreen Firewall by MacJunkie on 2004-06-05 00:56:30 +0200
I configured IPSecuritas to conect with a NetScreen Firewall and i got following log message: Jun 5 00:32:50 Vigor102 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 000.000.000.000->192.168.1.102 Jun 5 00:32:50 Vigor102 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for (I deleted the IP-Adress in this Article because of Data Rights). Has any body configured a IPSecuritas to Netscreen connection successfully? How? (With VPNTracker the connection works fine - but I want not to use VPNTracker)
Re: IPSecuritas NetScreen Firewall by cnadig on 2004-06-08 23:10:39 +0200
Hello, could you post a bit more of the log, especially the last 5-10 lines before what you posted already? Also, posting your IPSecuritas settings would be useful (please remove any confidential information!) Thanks, Christoph
IPv6 and IPSecuritas IPv6 and IPSecuritas by Axel on 2004-06-05 22:47:08 +0200
Does Anyone knows if IPSecuritas is interoperable with IPv6 address?
Netgear FVS318 LOG says I am connected..... Netgear FVS318 LOG says I am connected..... by Johan Silkenas on 2004-06-06 17:38:58 +0200
I am confused to why I am not able to access the remote network. My Netgear FVS318 VPN log says: 06/07/2004 01:17:24 - FVS318 IKE:[JohanSilkenas_tmp37] established with 144.132.212.106 successfully. The Netgear VPN status show an Active connection. IPSecuritas LOG confirms connection: Jun 7 01:20:55 jsilkimac racoon: INFO: pfkey.c:1352:pk_recvadd(): IPsec-SA established: ESP/Tunnel [my IP address] -> [VPN Server IP address] spi=3847618502(0xe555ffc6) How ever when I try a telnet to a remote host it just sits there same if a try connecting to a file share. If I use VPN Tracker it works straight away. My configuration is the same in IPSecuritas as with VPN Tracker. My OS is 10.3.4 and I am using IPSecuritas 2.0.5 Is there anyone out there who have successfully got IPSecuritas 2.0.5 to work with Netgear FVS318? Looking forward to creative ideas for getting this great VPN client to successfully allow access to FVS318 protected network. Cheers! Johan
Re: Netgear FVS318 LOG says I am connected..... by cnadig on 2004-06-08 23:08:26 +0200
Hello Johan, do you get a green check mark instead of the red cross in the main window? If so, I suspect a routing problem or a problem with you local IP address did you fill anything into the local address field? Also, could you post a short description of your network setup and the settings in IPSecuritas (please remove any confidential information!) Cheers, Christoph
cant to connect to netscreen, VPN tracker works! cant to connect to netscreen, VPN tracker works! by desktopguy on 2004-06-09 16:26:54 +0200
Hi, I am having trouble connecting to a netscreen firewall via an OS X 10.3.4 workstation. VPN tracker works fine. The log shows; Jun 10 00:02:55 support racoon: WARNING: ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched. Jun 10 00:02:55 support racoon: WARNING: ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched. Jun 10 00:02:55 support racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched. Jun 10 00:02:55 support racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched. Jun 10 00:02:55 support racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address. Jun 10 00:02:55 support racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address. Jun 10 00:02:55 support racoon: ERROR: oakley.c:2071:oakley_skeyid(): couldn't find the pskey for X.X.X.X. Jun 10 00:02:55 support racoon: ERROR: oakley.c:2071:oakley_skeyid(): couldn't find the pskey for X.X.X.X. my setting for ID/Auth are; local identifier - DN:
[email protected] remote identifier - DN: netscreen using preshared secret. With identical setting (default) in VPN tracker it works OK. NOTE: the VPN tracker log shows; 2004-06-09 23:23:35: INFO: isakmp.c:1034:isakmp_ph1begin_i(): begin Aggressive mode. 2004-06-09 23:23:35: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID type mismatched. 2004-06-09 23:23:35: WARNING: ipsec_doi.c:3134:ipsecdoi_checkid1(): ID value mismatched. 2004-06-09 23:23:35: NOTIFY: oakley.c:2111:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address. 2004-06-09 23:23:35: INFO: isakmp.c:2783:log_ph1established(): ISAKMP-SA established X.X.X.X[500]-X.X.X.X[500] spi:1eddb852701da258:ad5d572683e3bc62 2004-06-09 23:23:36: INFO: isakmp.c:1173:isakmp_ph2begin_i(): initiate new phase 2 negotiation: X.X.X.X[0]X.X.X.X[0] I guess VPN tracker also has problems, but then falls back to another setting which works any help would be appreciated
Re: cant to connect to netscreen, VPN tracker work by cnadig on 2004-06-23 18:22:07 +0200
Hello, try to set the remote identifier to address instead of DN. Cheers, Christoph
Re: cant to connect to netscreen, VPN tracker work by desktopguy on 2004-06-24 02:28:32 +0200
thanks cnadig, that works fine now. It is slower to establish the VPN but it works
xauth xauth by manu sawkar on 2004-06-09 23:27:45 +0200
will ipsecuritas incorporate xauth support? i can't find an os x client that has this feature. I can connect to our sonicwall FW when i turn off xauth, but our group VPN policy requires this and i am not allowed to keep it disabled. any thoughts? thanks, Manu Sawkar
Re: xauth by cnadig on 2004-06-23 18:20:06 +0200
Hello Manu, IPSecuritas is completely dependant on racoon, the IKE daemon which is responsible for the authentication and key exchange. According to their webseit (http://www.kame.net/racoon), theyhave no plans to support XAUTH as it is not an official IETF standard. As soon as racoon supports XAUTH, IPSecuritas will. Cheers, Christoph
Re: xauth by shaddow on 2006-01-19 01:17:34 +0100
Does Tiger support xauth yet? I read here that it did, and was hoping if it was true it would be added to IPsecuritas. http://wiki.openswan.org/index.php/InteroperatingMac I also saw that racoon went to ipsec-tools and I believe ipsec-tools now supports xauth?
Re: xauth by gdanko on 2006-01-30 04:49:13 +0100
How does VPN Tracker implement xauth?
Re: xauth by cnadig on 2006-01-31 00:34:03 +0100
Hello, a beta version of IPSecuritas 3.0 with support for XAUTH is available (not yet public but on request) and I'm looking for testers. If interested, please send me an e-mail to
[email protected]. Christoph
Re: xauth by gdanko on 2006-01-31 19:43:32 +0100
I installed the beta. Here are my settings on both ends. Here are my settings for the SonicWall 5060... [b]General Tab[/b] IPSec Keyring Mode: IKE using Preshared Secret Name: WAN GroupVPN Shared Secret: SomeSharedSecretKey [b]Proposals Tab[/b] [u]IKE (Phase 1) Proposal[/u] DH Group: Group 2 Encryption: 3DES Authentication: SHA1 Life Time (seconds): 28800 [u]Ipsec (Phase 2) Proposal[/u] Protocol: ESP Encryption: 3DES Authentication: SHA1 Enable Perfect Forward Security: Unchecked Life Time (seconds): 28800 [b]Advanced Tab[/b] Enable Windows Networking (NetBIOS) Broadcast: Checked Enable Multicast: Unchecked Management via this SA: HTTP and HTTPS unchecked Default Gateway: 0.0.0.0 (aka None) Require Authentication of VPN Clients via XAUTH: Checked User Group for XAUTH users: Trusted Users Here are my IPSecuritas Settings [b]General Tab[/b] Remote IPSec Device: aaa.bbb.ccc.ddd Local Side Endpoint Mode: Host (IP left empty) Remote Side Endpoint Mode: 10.0.10.0 Network Mask (CIDR): 24 [b]Phase 1 Tab[/b] Life Time: 28800 Seconds DH Group: 1024 (2) Encryption: 3DES Authentication: SHA1 Exchange Mode: Aggressive Proposal Check: Obey (SonicWall tech doesnt know what this is for) Nonce Size: 16 [b]Phase 2 Tab[/b] Lifetime: 28800 Seconds PFS Group: None Encryption: Only 3DES is checked Authentication: Only SHA1 is checked [b]Id/Auth Tab[/b] Local Identifier: Address (SonicWall tech doesnt know what this is for) Remote Identifier: Address (SonicWall tech doesnt know what this is for) Authentication Method: Preshared Key (my key here) [b]Options Tab[/b] The SonicWall tech didn't know what to put here so everything is left
Re: xauth by shaddow on 2006-02-16 04:13:35 +0100
I tried emailing a week or so ago and have heard nothing. I can test this on a router here that supports xauth. [quote author=cnadig link=1086816465/0#4 date=1138664043]Hello, a beta version of IPSecuritas 3.0 with support for XAUTH is available (not yet public but on request) and I'm looking for testers. If interested, please send me an e-mail to
[email protected]. Christoph[/quote]
Re: xauth by ritani on 2006-03-28 16:43:57 +0200
Hi, We are using xauth with RSA and not with pre-shared key, was anyone able to make it work? We are testing revision 3.0 with Netscreen 208 version 5.1.0r4a.0. Thank you, ritani
Re: xauth by ritani on 2006-03-29 15:55:59 +0200
We also tried xauth with preshared keys, but it seems that the Netscreen is not detecting that the client is sending him any password while the client starts Phase 2 negotiations. Below is the log of the Netscreen: 2006-03-29 14:04:26 info IKE: User with ID requested a connection 2006-03-29 14:04:26 info IKE Phase 1: Responder starts AGGRESSIVE mode negotiations. 2006-03-29 14:04:26 info IKE: User with ID requested a connection. 2006-03-29 14:04:26 info IKE Phase 1: IKE responder has detected NAT in front of the local device. 2006-03-29 14:04:26 info IKE Phase 1: IKE responder has detected NAT in front of the remote device. 2006-03-29 14:04:26 info IKE Phase 1: Completed Aggressive mode negotiations with a -second lifetime. 2006-03-29 14:04:26 info IKE Phase 2 msg ID : Responded to the peer's first message. 2006-03-29 14:04:26 info Rejected an IKE packet on loopback.1 from 192.168.136.24:4500 to 192.168.140.2:4500 with cookies d2b2a44cc455b8a0 and 70ac984644c807a1 because a Phase 2 packet arrived while XAuth was still pending. 2006-03-29 14:04:26 info IKE Phase 2 msg ID : Negotiations have failed. 2006-03-29 14:04:32 info IKE: XAuth login was aborted for gateway , username , retry: 0. 2006-03-29 14:04:40 info IKE: XAuth login expired and was terminated for username at . Has any body faced the same? Thanks
IPSec with Bintec Router works fine. IPSec with Bintec Router works fine. by netgoblin on 2004-06-14 10:15:58 +0200
Hello, for information I have tested IPSecuritas with Bintec Router IPsec. - Presahred Key and Certificate works - But in the moment only 3des / AES encryption works. By interest I may send the config form both sides. by netgoblin
Re: IPSec with Bintec Router works fine. by cnadig on 2004-06-23 18:17:45 +0200
Hello Netgoblin, I'd be thankful for a short description that I could add to the online help in IPSecuritas! Thanks, Christoph
Re: IPSec with Bintec Router works fine. by netgoblin on 2004-06-28 09:44:28 +0200
IPSec Config Bintec VPN25: 1. IPSec Main Screen 2. IKE Phase 1 defaults 3. IPsec Phase 2 defaults 4. Peer Config 4.1 Traffic List 5. Certificates 5.1 CA Certificat 5.2 Own Certificat 5.3 Peer Certificat 6. Tips Software Releases: Bintec VPN25: fossie:> show rev Logik : V.1.0 Bootmon : V.7.1.2 Boss : V.7.1 Rev. 2 (Patch 8 ) IPSec V. 2.1.1 from 2004/06/17 00:00:00
1. IPSec Main Screen VPN Access 25 Setup Tool BinTec Access Networks GmbH [IPSEC]: IPsec Configuration - Main Menu fossie _______________________________________________________________________________ Enable IPSec
: yes
Pre IPSec Rules > Configure Peers > Post IPSec Rules > IKE (Phase 1) Defaults *autogenerated* IPsec (Phase 2) Defaults *autogenerated* Certificate and Key Management >
edit > edit >
Advanced Settings > Wizard > Monitoring > SAVE CANCEL _______________________________________________________________________________ 2. IKE Phase 1 defaults: (*autogenerated*) VPN Access 25 Setup Tool BinTec Access Networks GmbH [IPSEC][PHASE1][EDIT] fossie _______________________________________________________________________________ Description (Idx 1) : *autogenerated* Proposal : 2 (DES3/MD5) Lifetime : 7200 Sec (1) Group : 2 (1024 bit MODP) Authentication Method : RSA Signatures Mode : id_protect Heartbeats : none Block Time : 0
Re: IPSec with Bintec Router works fine. by netgoblin on 2004-06-28 09:45:03 +0200
5. Certificates 5.1 CA Certificat VPN Access 25 Setup Tool BinTec Access Networks GmbH [IPSEC][CERTMGMT][OWN]: IPsec Configuration - Certificate Management fossie _______________________________________________________________________________ Flags: 'O'= own cert, 'CA'= CA cert, 'N'= no CRLs, 'T'= cert forced trusted Description Flags SerialNo Subject Names vpn25-fossie O 2 CN=vpn25, OU=Support, O=netgoblin, ST=Bav DOWNLOAD DELETE EXIT _______________________________________________________________________________ 5.2 Own Certificat VPN Access 25 Setup Tool BinTec Access Networks GmbH [IPSEC][CERTMGMT][CAS]: IPsec Configuration - Certificate Management fossie _______________________________________________________________________________ Flags: 'O'= own cert, 'CA'= CA cert, 'N'= no CRLs, 'T'= cert forced trusted Description Chewbacker O=netgoblin
Flags SerialNo CA,N,T 0
Subject Names CN=chewbacker, OU=chewbacker,
DOWNLOAD DELETE EXIT _______________________________________________________________________________ 5.3 Peer Certificat VPN Access 25 Setup Tool BinTec Access Networks GmbH [IPSEC][CERTMGMT][PEERS]: IPsec Configuration - Certificate Management fossie _______________________________________________________________________________ Flags: 'O'= own cert, 'CA'= CA cert, 'N'= no CRLs, 'T'= cert forced trusted Description powerbook
Flags SerialNo Subject Names T 0 OU=pb4, O=netgoblin, ST=Bavaria, C=DE, [n
DOWNLOAD DELETE EXIT ______________________________________________________________________________
8. Watch your time and date on the Bintec specialy when you work with certificates. ( New Bintec Products have not realtime clocks.) Timesync via ntp or isdn. fossie:> date Mon Jun 28 9:33:35 2004
Debug level increment.
IPSecuritas appears to be doing nothing at all IPSecuritas appears to be doing nothing at all by DarkBytes on 2004-06-23 14:58:52 +0200
Hi I have installed & ran the latest version of IPSecuritas on macOS 10.2.8 in an attempt to have it connect through our checkpoint NG firewall. The thing is after configuring the client , & attempting to intialize a connection, My gateway logs are showing no connections from the client at all ? I must be doing something fundementally wrong , but it is as if the IPSecuritas is doing nothing at all. also could someone explain where i can find the logs for the client , or how i run it in verbous mode. I would assume that as long as i have the correct ip of my gateway & roughly the correct settings on the client , i should see some kind of connection attempts on my firewall, be them failed attempts etc. please help Many many thanks
Re: IPSecuritas appears to be doing nothing at all by cnadig on 2004-06-23 18:14:31 +0200
Hello, to open the log window, go to File and select Open Log. The log detail can be increased in the preferences. I would also assume that there should be some activity visible in the firewall's log, as long as the 'Establish IKE' option is enabled in IPSecuritas. I can probably give more hints if you'd post the IPSecuritas log (with log level to debug or verbose debug) - please remove any confidential information. Christoph
Can you use certs and user/pass on same connection Can you use certs and user/pass on same connection by LoopyShane on 2004-06-23 18:14:37 +0200
This may be a unique setup here but my client has just had a BSD based router installed that is setup for incoming L2TP over IPSec connections that use a cert as well as username/password auth. Apple's Internet Connect allows the username/password but no certs. IPSecuritas allows the certs but I can't see that it allows user/pass. Is there a way to use both or get IPSecuritas to add cert auth to the apple connect? Or is there a way to get IPSecuritas to use the user/pass?
Re: Can you use certs and user/pass on same connec
by nbirnbaum on 2004-08-26 21:21:30 +0200
Did you ever figure this out?
Re: Can you use certs and user/pass on same connec by Fernando J. Pereda on 2004-09-08 02:14:35 +0200
I really need this.... If you know how to do it. It'd be great ! Cheers
Stop IPSec keeps GIF1 alive - Route corrupt Stop IPSec keeps GIF1 alive - Route corrupt by mhaury on 2004-06-29 14:02:18 +0200
Hello, Don't know if this is a bug or not, I have two VPN connection setup in parallel, one for our Intranet, another for our DMZ. Both work fine however when I stop IPSec the second connection (to the DMZ) continues to stay active, although apparently IPSec is shutdown. At least the routing table seems wrong and indicates a route via GIF1 (and should be EN0): route to: xxx.aaa.bbb.com destination: 192.168.0.0 mask: 255.255.0.0 interface: gif1 flags: recvpipe sendpipe ssthresh rtt,msec rttvar hopcount mtu expire 0 0 0 0 0 0 1280 0 I'm Running OSX10.3.4 all updates and IPSecurityas 2.0.5 Any ideas, also how can I reset the routes correctly such that things work, 'route flush' does not work, only restart. Thanks for the GREAT Software anyway !!! Matthias
checkpoint userc.C file checkpoint userc.C file by ac7ub on 2004-06-30 11:05:31 +0200
Greetings folks, Does anyone out there know how to extract the pkcs12 certificate from a userc.C file my company gave me for the winblows client and convert it to a format I can import?
Re: checkpoint userc.C file by llllllllllllllllllllllll on 2004-09-30 03:51:32 +0200
Did anyone ever figure this out? I have a userc.C file from windows that I'd like to use to set up IPS on my new Mac. Are these keys linked with hardware in anyway? I'm wondering if there is some Intel chip code that it's looking for.
Using IPSecuritas for a VPN-1 SecuRemote login Using IPSecuritas for a VPN-1 SecuRemote login by mluker on 2004-07-07 00:50:03 +0200
I have an office VPN that is accessed using the standard VPN-1 SecuRemote client on Windows. I have a powerbook at home I would rather use than the corporate laptop I was given. I have tried to get IPSecuritas setup, but I must confess to being complete ignorant of what settings I should use. My HelpDesk only supports the Windows software, and the "settings" they gave me were next to useless (i.e. enter this IP and use your login) when it comes to all the IPSecuritas settings. Does anyone have the standard settings for a CheckPoint firewall that is normally accessed by a SecuRemote client? Any help at all is greatly appreciated :D
Re: Using IPSecuritas for a VPN-1 SecuRemote login by Matthias Haury on 2004-07-08 19:43:08 +0200
Hello, we had the same problem, we have a pretty much standard VPN setup in a Checkpoint NG... so here are the settings for IPSecuritas that work for us: remote device remote network 172.22.0.0/16 (or whatever netmask you choose for access) local mask 32 main shared secret: local IP: mode: aggressive proposal check: claim nounce size: 16 phase 1 lifetime 1440 secondss dh group 2 3des sha1 phase 2 lifetime 3600 seconds pfs group 2 3des hmac_sha1 id local: remote: Here for a couple of commandline tools to see your setup once started in IP Securitas (you need to be root or run as sudo) Diagnosis: ========== See the Current Setup sudo setkey -DP Flush the Current Setup sudo setkey -FP Hope that helps.. we have some problems when stopping the IPSecuritas on OSX 10.3.4 where it sometimes keeps the gif1 Interface active for a second VPN connection that one enters (see my post on this issue), other than that it works great. You can add a special local IP if you wish (i left it empty above), and this helps you to be identified correctly.. however you cannot specify the same network range for local IP as the one behind your Checkpoint FW !!! Best. Matthias
Re: Using IPSecuritas for a VPN-1 SecuRemote login by mluker on 2004-07-08 22:15:47 +0200
Thanks for your reply. Unfortunately it is still not working :-( Here are the settings I currently have: General Mode: Host To NetWork Remote IPSec Device: [address as given to me by support for SecuRemote] Remote Network: [same address sans a byte] / 24 Local Address: Exchange Mode: Aggressive Proposal: Claim Nonce: 16 Phase 1 Lifetime: 1440 DH Group: Mod1024(2) Encryption: 3DES Authentication: SHA1 Phase 2 Lifetime: 3600 PFS Group: Mod1024(2) Encryption: 3DES Authentication: HMAC SHA1 ID/Auth Identificaton: DN: [my username] Remote Identifier: Address Authentication: Preshared Secret: [my password] Options: IPSec/IKE Options: IPSEC DOI, SIT_IDENTITY_ONLY, Initial Contact, Generate Policy, MIP6 General Options: Establish IKE immediately ---Is there something I am missing? From the log file, it appears to be failing on phase 1: [quote] Jul 8 13:03:32 meson racoon: INFO: isakmp.c:1953:isakmp_post_acquire(): IPsec-SA request for checkpoint-ip queued due to no phase1 found. Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:1001:isakmp_ph1begin_i(): === Jul 8 13:03:32 meson racoon: INFO: isakmp.c:1006:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 10.20.20.33[500]checkpoint-ip[500] Jul 8 13:03:32 meson racoon: INFO: isakmp.c:1011:isakmp_ph1begin_i(): begin Aggressive mode. Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:2265:isakmp_newcookie(): new cookie: 9fac4f294e77ce4f Jul 8 13:03:32 meson racoon: DEBUG: ipsec_doi.c:3212:ipsecdoi_setid1(): use ID type of FQDN Jul 8 13:03:32 meson racoon: DEBUG: oakley.c:257:oakley_dh_generate(): compute DH's private. Jul 8 13:03:32 meson racoon: DEBUG: oakley.c:259:oakley_dh_generate(): compute DH's public. Jul 8 13:03:32 meson racoon: DEBUG: isakmp_agg.c:169:agg_i1send(): authmethod is pre-shared key Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:2382:set_isakmp_payload(): add payload of len 48, next type 4 Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:2382:set_isakmp_payload(): add payload of len 128, next type 10 Jul 8 13:03:32 meson racoon: DEBUG: isakmp.c:2382:set_isakmp_payload(): add payload of len 16, next type 5
Re: Using IPSecuritas for a VPN-1 SecuRemote login by Matthias Haury on 2004-07-19 10:40:38 +0200
Hello, well, sorry, might be my mistake, have now some different settings running, but don't remember if this was because of an upgrade of NG... try those: Tab: Phase 1 Lifetime 28800 seconds Group: mod1024(2) Endryption: DES Authentication: SHA1 Tab: Id/Auth Encryption: I have active: DES, AES256, 3DES, AES128 Authenciation: I have HMAC MD5 and HMAC SHA1 Options: I don't have selected "Verify Identifier" Everything else is identical to yours... If this does not work, you have to see with your support what are the settings they hacked into Checkpoint.. maybe they modified the default ones. Also verify that your IP netmask is really /24 Let me know if this helps... M.
Re: Using IPSecuritas for a VPN-1 SecuRemote login by Helmut Peschke on 2004-09-21 17:40:00 +0200
Hi folks, I am using IPSecuritas on Mac OS 10.3.5 with CheckPoint with all the parameters described in the HOWTO, however the Local Identifier in Id/Auth has to be written as name@domain (e.g. the email adress), which in turn has to be the userid in the VPN-1 software, otherwise the contents is not identified as user id. Hope this helps.
Re: Using IPSecuritas for a VPN-1 SecuRemote login by Fabrice on 2004-11-06 18:43:38 +0100
[quote author=Helmut Peschke link=1089154204/0#4 date=1095781200]Hi folks, I am using IPSecuritas on Mac OS 10.3.5 with CheckPoint with all the parameters described in the HOWTO, however the Local Identifier in Id/Auth has to be written as name@domain (e.g. the email adress), which in turn has to be the userid in the VPN-1 software, otherwise the contents is not identified as user id. Hope this helps.[/quote] Can you help me ? I used with success vaporsec 0.9 on panther, but I know that the developer stop this program, and he suggests IPSecuritas. I'm just trying to connect my computer from my home to my network (firewall checkpoint). I can admin the server side. I've got the "green check" on IPSecuritas, but the log give the error : Nov 6 18:12:14 XXXX racoon: NOTIFY: oakley.c:2057:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address. And of course it doesn't work. Is the problem you're talking about ? You mean that in the "local identifier DN" I put my full e-mail ? And on server side, I put the full e-mail ? Where ? Thanks a lot in advance Kind regards
Re: Using IPSecuritas for a VPN-1 SecuRemote login by cnadig on 2004-11-07 01:42:25 +0100
Hello Fabrice, try disabling the 'Verify Identifier' option in IPSecuritas. Let us know how it goes! Cheers, Christoph
Re: Using IPSecuritas for a VPN-1 SecuRemote login by Fabrice on 2004-11-07 10:12:10 +0100
[quote author=cnadig link=1089154204/0#6 date=1099788145]Hello Fabrice, try disabling the 'Verify Identifier' option in IPSecuritas. Let us know how it goes! Cheers, Christoph[/quote] Thanks for your answer. "Verify Identifier" was already disabled.
Re: Using IPSecuritas for a VPN-1 SecuRemote login by fabrice on 2004-11-07 10:47:12 +0100
Difficult to explain, but it works ! The only thing I've changed is in phase 2 in IPSecuritas : I've unchecked DES, AES 128, AES 256 and HMAC MD5. Of course anybody can tell me my settings, if it can help. Thanks for your help.
Using IPSecuritas with NetScreen 208 Using IPSecuritas with NetScreen 208 by joanba on 2004-07-09 19:43:03 +0200
Hi, I'm a completely newbie with VPN questions and I want to know if what is happening to me is normal. We use a NetScreen 208 firewall to protect our company network and I want to access it from Internet using a Mac ( MacOS X 10.3.4 ). The NetScreen is configured to use L2TP, I think that without IPSec. I can connect, but look what I need to do: I've configured Internet Connect, using VPN(L2TP), I write my user/password but in the log appears: Fri Jul 9 19:37:19 2004 : L2TP: starting racoon... Fri Jul 9 19:37:22 2004 : L2TP connecting to server '62.ZZ.XX.YY' (62.ZZ.XX.YY)... Nothing else. But if I run IPSecuritas 2.0.5 ( without any configuration ), the Start IPSec button is disabled and Stop IPSec is enabled. If I press Stop IPSec the connection starts and works fine: Fri Fri Fri Fri Fri Fri Fri Fri Fri Fri Fri Fri
Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul Jul
9 9 9 9 9 9 9 9 9 9 9 9
19:37:26 19:37:26 19:37:26 19:37:26 19:37:26 19:37:26 19:37:26 19:37:26 19:37:26 19:37:53 19:37:53 19:37:53
2004 2004 2004 2004 2004 2004 2004 2004 2004 2004 2004 2004
: : : : : : : : : : : :
L2TP connection established. Using interface ppp0 Connect: ppp0 socket[34:18] Remote message: We welcome you. acsp resetci called local IP address 10.250.250.1 remote IP address 62.ZZ.XX.YY primary DNS address 10.0.0.15 secondary DNS address 10.0.0.16 Terminating on signal 15. Connection terminated. Connect time 0.5 minutes.
And when I close the connection the log also finishes: Fri Jul 9 19:37:53 2004 : Sent 44 bytes, received 0 bytes. Fri Jul 9 19:37:53 2004 : L2TP disconnecting... Fri Jul 9 19:37:53 2004 : L2TP disconnected Any idea or comment ? What I'm doing wrong ? Best regards, Joan B. Altadill
VPN is happy; but can't see remote network VPN is happy; but can't see remote network by twarge on 2004-07-15 06:52:55 +0200
So I've made a connection with the linksys BEFVP41 router in the lab; I have a nice green checkbox and both sides seem to agree that they're happily connected. Now I'm missing something rather serious here: I'm not seeing the remote network. I've tried various computer's IP addresses and get no response. If I look at the computers in the Network folder, I see just the local computers at home like I've always seen. So how do I channel all my traffic through the tunnel? What am I missing? Help is greatly appreciated. Tom Kornack
Re: VPN is happy; but can't see remote network by sbickle on 2004-07-29 16:39:20 +0200
Is this still a problems? It would sound like the IPSEC tunnel doesn't contain the right information for what IP's are on the other side of the remote network...
Re: VPN is happy; but can't see remote network by sfazzina on 2004-08-06 02:43:54 +0200
I HAVE THE SAME PROBLEM :) - EXCEPT - I DO NOT HAVE A CHECKBOX - I HAVE A RED X
Re: VPN is happy; but can't see remote network by Matt Deatherage on 2004-08-06 09:36:43 +0200
I have the same problem, and it's not that the tunnel contains the wrong information. The BEFVP41 reports that the tunnel is connected, and the remote computer correctly reports that traffic to the local area network should be routed through gif0 - but nothing happens. The network on the Linksys end is 192.168.1/24, and the remote computer is trying to connect as 192.168.1.100, but even though the tunnel is up and the routing is right, the remote computer can't reach any machines on the local network or vice-versa. Attempts on the local network to ping 192.168.1.100 are fruitless.
Re: VPN is happy; but can't see remote network by Laurens van Hoorn on 2004-11-04 09:06:41 +0100
I (now) have the same problem, although the VPN used to work fine from another location. Unfortunately, that location is on another continent so going back there is not an option. No indication in the log that anything is wrong: Log output from IPSecuritas 2.0.6 Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: Nov 4 08:50:19 PowerBook-G4-Laurens IPSecuritas: done Nov 4 08:50:20 PowerBook-G4-Laurens IPSecuritas: Nov 4 08:50:20 PowerBook-G4-Laurens IPSecuritas: Nov 4 08:50:20 PowerBook-G4-Laurens IPSecuritas:
Parsing configuration Setting up racoon.conf Setting up setkey.conf Setting up psk.txt Setting up tunnel.conf Parsing configuration Starting racoon... Racoon is running Set kernel keys
So what could be the problem?! Any suggestions greatly appreciated.
Re: VPN is happy; but can't see remote network by Rich on 2004-11-05 12:29:19 +0100
Same trouble. Cannot ping wireless machines from Xserve, cannot see wired Macs in Local on wireless machines. Wireless machines can see each other in Local
Re: VPN is happy; but can't see remote network by JP on 2004-12-02 00:34:27 +0100
I had the same problem if I try to VPN from the corporate network. Turns out they filter just about everything. No ipsec pass-thru, no ESP, etc. Here's how you can test. Dial up to AOL via modem, try to VPN again, now it should work. If you can ping your remote machine, then you know for sure something is being filtered. Hope this helps someone.
Re: VPN is happy; but can't see remote network by Bryan Derman on 2004-12-17 22:22:02 +0100
Y'all might want to have a look at the stuff on [size=13] [url]http://www.derman.com/Misc/VPN/Overview.html[/url][/size]. 'Though it's for a LinkSys [b]BEFSX41[/b], the information also applies to the [b]BEFVP41[/b]. Hope this helps.
FVL328 denial of service? FVL328 denial of service? by davehodg on 2004-07-21 17:11:15 +0200
I've got a Netgear FVL328 merrily conversing with Netgear Windows VPN client software. I've set up IPSecuritas, as far as I can see, identically to the textbook example that Netgear supply. It negotiates the IKE phase1 fine but then the phase 2 just ends up with a bunch of stuff as attached at the end. Seems like it's just lost the plot. Worse still, it seems to knock out the internet-facing interface on the router! Not good. Any ideas?
Jul 21 15:39:26 Daves-PB racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_sha1) Jul 21 15:39:26 Daves-PB racoon: DEBUG: oakley.c:759:oakley_compute_hash1(): HASH computed: Jul 21 15:39:26 Daves-PB racoon: DEBUG: plog.c:199:plogdump(): 571bee24 e446718f 55faeb79 d1d7e435 fad70c7b Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp_quick.c:1810:get_sainfo_r(): failed to get sainfo. Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp_quick.c:1810:get_sainfo_r(): failed to get sainfo. Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp_quick.c:1044:quick_r1recv(): failed to get sainfo. Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp_quick.c:1044:quick_r1recv(): failed to get sainfo. Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp.c:1271:isakmp_ph2begin_r(): failed to pre-process packet. Jul 21 15:39:26 Daves-PB racoon: ERROR: isakmp.c:1271:isakmp_ph2begin_r(): failed to pre-process packet. Jul 21 15:39:27 Daves-PB racoon: DEBUG: grabmyaddr.c:454:update_myaddrs(): caught rtm:2, need update interface address list Jul 21 15:39:27 Daves-PB racoon: DEBUG: grabmyaddr.c:454:update_myaddrs(): caught rtm:2, need update interface address list Jul 21 15:39:27 Daves-PB racoon: DEBUG: grabmyaddr.c:454:update_myaddrs(): caught rtm:13, need update interface address list Jul 21 15:39:27 Daves-PB racoon: DEBUG: pfkey.c:196:pfkey_handler(): get pfkey X_SPDFLUSH message Jul 21 15:39:27 Daves-PB racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 16 not interesting Jul 21 15:39:27 Daves-PB racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 15 not interesting Jul 21 15:39:27 Daves-PB racoon: DEBUG: pfkey.c:196:pfkey_handler(): get pfkey FLUSH message Jul 21 15:39:27 Daves-PB racoon: DEBUG: oakley.c:2563:oakley_newiv2(): compute IV for phase2 Jul 21 15:39:27 Daves-PB racoon: DEBUG: oakley.c:2564:oakley_newiv2(): phase1 last IV: Jul 21 15:39:27 Daves-PB racoon: DEBUG: plog.c:199:plogdump(): 9caad0f2 386c356a d0a5d3d3 Jul 21 15:39:27 Daves-PB racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(sha1) Jul 21 15:39:27 Daves-PB racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(3des) Jul 21 15:39:27 Daves-PB racoon: DEBUG: oakley.c:2596:oakley_newiv2():
SonicWall PRO100 SonicWall PRO100 by Peter Pop on 2004-07-21 21:32:36 +0200
Hi, Maybe some of you can tell me whats wrong here: Log output from IPSecuritas 2.0.6 IPSecuritas: Parsing configuration IPSecuritas: Setting up racoon.conf IPSecuritas: Setting up setkey.conf IPSecuritas: Setting up psk.txt IPSecuritas: Setting up tunnel.conf IPSecuritas: Parsing configuration done IPSecuritas: Starting racoon... IPSecuritas: Racoon is running IPSecuritas: Set kernel keys racoon: WARNING: ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched. racoon: WARNING: ipsec_doi.c:3064:ipsecdoi_checkid1(): ID type mismatched. racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched. racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched. racoon: WARNING: ipsec_doi.c:920:cmp_aproppair_i(): attribute has been modified. racoon: WARNING: ipsec_doi.c:920:cmp_aproppair_i(): attribute has been modified. In the connection overview the connection has the green checkmark indicating an established connection, so there's nothing wrong with the link.
Netgear FVS318 Cofig Help!! Netgear FVS318 Cofig Help!! by Wayne Sturman on 2004-07-29 02:19:34 +0200
These are the settings I am trying to use to connect from my Powerbook G4 Laptop to my Imac G4 15" behind Netgear FVS318 both running OS x 10.3.4 Static Public IP address of my Netgear 66.93.84.14 Lan IP address of my Imac at the office: 192.168.0.25 Dynamic IP at home from cable modem- Powerbook connected to internet via airport through Asante Freindly Net Router Model #FR3004C. Local Lan IP address is 192.168.123.194 I am including jpgs of configuration settiings for both the netgear and IPSecuritas as well as the Log file for these settings. Please can anyone help!! THIS IS THE MAIN VPN SCREEN FOR NETGEAR [img]http://aquaexperts.com/IPs/Netgear_FVS318Main.jpg[/img] THIS IS THE SETTINGS PAGE FOR NETGEAR [img]http://aquaexperts.com/IPs/Netgear_FVS318settings.jpg[/img] THIS IS THE GENERAL TAB FOR IPSecuritas [img]http://aquaexperts.com/IPs/IPS_general.jpg[/img] THIS IS THE PHASE 1 TAB FOR IPSecuritas [img]http://aquaexperts.com/IPs/IPS_Phase1.jpg[/img] THIS IS THE PHASE 2 TAB FOR IPSecuritas [img]http://aquaexperts.com/IPs/IPS_Phase2.jpg[/img] THIS IS THE ID/AUTH TAB GOT IPSecuritas [img]http://aquaexperts.com/IPs/IPS_ID.jpg[/img] THID IS THE LOG FILE GENERATED BY IPSecuritas when I try to connect [img]http://aquaexperts.com/IPs/IPS_Log.jpg[/img] CAN SOMEONE GIVE ME THE CORRECT SETTINGS SO I CAN CONNECT TO MY OFFICE NETWORK THANKS WAYNE
Re: Netgear FVS318 Cofig Help!! by sbickle on 2004-07-30 17:37:14 +0200
I had a lot of the same problems setting it up... My settings are similiar, but I have aggressive mode selected with 3des, enable perf. and netbios ARE checked. What I found was that in the remote address field I had to specify the IP of my IPSecuritas client and NOT the remote network. Hope that helps. S
Re: Netgear FVS318 Cofig Help!! by cnadig on 2004-08-02 23:23:44 +0200
Hello Wayne, try disabling the 'verify identifier' option or set the remote identification to address instead of DN. Christoph
Re: Netgear FVS318 Cofig Help!! by John Hamann on 2004-08-05 04:56:33 +0200
I think your Proposal Check should be set to Claim, DH Group and PFS Group should be set to Mod1024. I don't have Verify Identifier checked but do have checked IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, MIP6 and DHCP Pass-Though. Hope this helps.
NETGEAR FVS318 doesn't allow remote network NETGEAR FVS318 doesn't allow remote network by sbickle on 2004-07-29 16:35:37 +0200
After reading through the other messages and playing around with multiple settings I was able to get the FVS318 talking. The problem I found is that for some reason it does not work if I set the remote as a network with a /24 only if I set it as single host and put the private IP of the remote device. Has anyone else seen this? Any ideas what causes this? Thanks in advance S
Import certificate failed Import certificate failed by Yann Borg on 2004-08-03 00:47:07 +0200
Hello, if I receive and download a certificate from Microsoft Entourage v.X or v.2004, IPSecuritas is not able to import it properly: Failed to import xxx_cert.pem. Please make sure the file contains a signed X.509 certificate in PEM format. But if I bounce the mail to Mail.app and download the certificate, then IPSecuritas import it fine. I'm not very ease in UCL but when I make a 'diff file1 file2' the result ist "No newline at end of file". Have a look with BBEdit in the file doesn't help me to find where the new line is in the one file and should be in the second. It seems to be an Entourage bug/whatever, but could IPSecuritas recognize such certificate although? Thanks, Yann
Re: Import certificate failed by Yann Borg on 2004-08-03 14:07:21 +0200
Hi, I've asked our security partner and he tolds that on byte level, an Entourage "Newline" is a 0x0d (Carraige Return) and for Mail.app a 0x0a (Line Feed). Could IPSecuritas be more tolerant to accept those Entourage newlines? Thanks, Yann
Re: Import certificate failed by Yann Borg on 2004-08-03 23:06:44 +0200
Hello again, a helpfull and easy workaround is to open a certificate who was downloaded from Microsoft Entourage with BBEit Lite and to save it with "options" > "Line Break" > "Unix". So IPSecuritas 2.0.6 will import the certificate it could not before, because of the Macintosh line break. Regards, Yann, alone in the forum today? ;-)
having a problem with certificates having a problem with certificates
by sfazzina on 2004-08-04 20:45:07 +0200
IPSecuritas will not allow me to select the use of certificates in the config. All cert. related checkboxes are greyed out and not available - can someone help me get these boxes woken up?
Re: having a problem with certificates by cnadig on 2004-08-04 20:55:59 +0200
Hello, have you already imported the certificates with the Certificates Manager? Christoph
Re: having a problem with certificates by sfazzina on 2004-08-05 04:37:03 +0200
[quote author=cnadig link=1091645108/0#1 date=1091645759]Hello, have you already imported the certificates with the Certificates Manager? Christoph[/quote] Yes - they show up in the Cert Manager -
Re: having a problem with certificates by cnadig on 2004-08-05 07:41:12 +0200
Hello, if you select Certificates instead of Preshared Key for the authentication, the certificates ID radiobuttons stay greyed-out? Or is this button already greyed-out? Christoph
Re: having a problem with certificates by sfazzina on 2004-08-05 15:26:47 +0200
[quote author=cnadig link=1091645108/0#3 date=1091684472]Hello, if you select Certificates instead of Preshared Key for the authentication, the certificates ID radiobuttons stay greyed-out? Or is this button already greyed-out? Christoph[/quote] ALL certificate options are greyed out. here is a screenshot [img]http://www.supersam.com/certt.jpg[/img] I can provide more if you like - just tell me which screens you want to see. Thanx --sam
Re: having a problem with certificates by sfazzina on 2004-08-05 17:01:56 +0200
NEVERMIND - I GOT MY ANSWER...... YOU NEED TO IMPORT A X.509 CERT AND PRIVATE KEY. I DID IMPORT MY KEY - BUT NO PRIVATE KEY - THAT WAS THE PROBLEM. THEN IT LIGHTS UP LIKE A XMAS TREE, LOL THANX ANYWAYS. I WILL PROBABLY HAVE MORE QUESTIONS.
Re: having a problem with certificates by sfazzina on 2004-08-06 02:12:24 +0200
hi again - sdo i finally got this thing to use certs - now it wont connect - i get the following error - any help would be appreciated Mac OS X Version 10.3.4 (Build 7H63) Aug 5 20:05:25 SUPERBOOK syslogd: restart Aug 5 20:05:25 SUPERBOOK syslogd: restart Aug 5 20:05:27 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Aug 5 20:05:27 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Aug 5 20:05:47 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Aug 5 20:05:58 SUPERBOOK racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 209.202.127.66->192.168.1.103 Aug 5 20:05:47 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Aug 5 20:05:58 SUPERBOOK racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 209.202.127.66->192.168.1.103 Aug 5 20:06:07 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Aug 5 20:06:07 SUPERBOOK racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload.
Netgear FVM318 problem, any ideas? Netgear FVM318 problem, any ideas? by John Hamann on 2004-08-05 04:48:55 +0200
Hello, I have a VPN set up with a Netgear FVM318 router and it works fine...except that I cannot connect to certain computers (OS X) on the office network. Others can connect with no problem. All I can decern is that the IP I am connecting to is not on the primary NIC but on a secondary one. This is no problem locally, the IP can be pinged all day but through the tunnel, it doesn't respond. Other computers, both OS 9 and OS X, ping OK and can be connected to through Appleshare. Does anybody have any idea what could be going on? ??? I've been banging my head with this one for days now, any ideas would be much appreciated.
Re: Netgear FVM318 problem, any ideas? by 2manysecrets on 2004-08-16 19:15:26 +0200
I have not been able to connect from home using Mac OSX with a subnet specified in the FVM318 settings. The only way was to specify an IP address. I could see the entire network behind the FVM318, but so far they cannot see me. This has not been a problem since I am normally the one connecting to the office to get files. I have not had any difficulty connecting to any of the computers behind the FVM318. I might have to input the computer's IP address manually, but it will always connect. I have not been able to locate most of the computer with network browser. Not sure what is causing the problem. Steve
SonicWall VPN tunnel up, no network SonicWall VPN tunnel up, no network by Brian Godden on 2004-08-18 21:10:48 +0200
Sorry for opening a new topic if this isn't appropriate, just thought my messages in the other SonicWall topic might be fairly buried. Thanks for any help!! I have been able to establish a successful host to network connection from IPSecuritas to a SonicWall, but can't get access to the remote network. Here are my current settings: Firewall: SonicWall Pro-VX -------------------------------VPN Summary(these feature are enabled): Enable VPN Enable IKE Dead Peer Detection Dead Peer Detection Interval (seconds): 60 Failure Trigger Level (missed heartbeats): 3 Clean up Active tunnels when Peer Gateway DNS name resolves to a different IP Address SA: GroupVPN IPSec Keying Mode: IKE using pre-shared secret Security Policy: Phase 1 DH Group: Group 1 SA Life time (secs): 28800 Phase 1 Encryption/Authentication: DES & MD5 Phase 2 Encryption/Authentication: Encrypt and Authenticate (ESP DES HMAC MD5) Shared Secret: ---------IPSecutas, version 2.0.6 Mac OS X 10.3.5 General: Mode: Host to Network Remote IPSec Device: (IP Address of firewall) Remote Network: 10.5.1.0 / 24 (Also have tried setting local address) Exchange Mode: Main Proposal Check: Obey Nonce Size: 16 Phase 1: Lifetime: 28800 DH Group: Mod768(1) Encryption: 3DES Authentication: SHA1 Phase 2: Lifetime: 28800 PFS Group: None Encryption: 3DES Authentication: HMAC SHA1 Id/Auth: Identifiers set to Address Preshared Secret set Options (these are enabled): Compression Deflate IPSec DOI SIT_IDENTITY_ONLY Initial Contact
Netgear FVS318 setup Netgear FVS318 setup by Brian Nichols on 2004-08-19 06:22:48 +0200
Can someone be so kind as to give the setup of their FVS318 and IPSecuritas that WORK? I have been successfully using VPN Tracker but would rather use IPSecuritas but I can't get a connection with the FVS318 settings as they are. I would rather just use the settings on the FVS318 that work for someone else (minus the shared key, etc.) rather than play with my settings as that has become very frustrating for a newbie to VPN. Thanks!
Re: Netgear FVS318 setup by Brian Nichols on 2004-08-21 21:45:13 +0200
Never mind. It's actually quite easy to match the settings in IPSecuritas with the FVS318. Thanks to the developer for this great app!
Re: Netgear FVS318 setup by edy piro on 2004-09-10 15:30:35 +0200
can you (or anyone else0 help me with config???? i have a netpilot as well, but i cannot make it work! please help :-) thanks edy
Re: Netgear FVS318 setup by edy piro on 2004-09-10 15:33:53 +0200
SORRY i have a NETPILOT not a NETGEAR...any ideas? thanks anyway edy
Re: Netgear FVS318 setup by Greg on 2004-10-21 03:58:24 +0200
[quote author=Brian Nichols link=1092889368/0#1 date=1093117513]Never mind. It's actually quite easy to match the settings in IPSecuritas with the FVS318. Thanks to the developer for this great app![/quote] I'm glad to hear that someone got it working... I've played with it all day still to no avail.... Would you or anyone else mind posting your settings so the rest of us can see something that's working? Thanks Greg
Re: Netgear FVS318 setup by Mike Johnson on 2004-11-23 12:49:27 +0100
Does anyone have a configuration that works with the FVS318?
IPSecuritas 2.0.6 problems IPSecuritas 2.0.6 problems by Paul van der Laan on 2004-08-26 12:06:41 +0200
I'm trying for several days now to get a 'host to network' connection to work, but so far my attempts were unfruitfull. I'm using Panther 10.3.5 in combination with a Vigor 2200E router to connect to the internet. When I start IPSecuritas there's a red cross in the name of my configuration indicating that no connection can be established. The worrying thing is that when I stop and quit IPSecuritas my entire network connection is dead: no e-mail, web or anything. I can only revive it again by rebooting the system. This is what the logfile reads: Log output from IPSecuritas 2.0.6 Aug 25 19:14:40 Vigor10 IPSecuritas: Parsing configuration Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up racoon.conf Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up setkey.conf Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up psk.txt Aug 25 19:14:40 Vigor10 IPSecuritas: Setting up tunnel.conf Aug 25 19:14:40 Vigor10 IPSecuritas: Parsing configuration done Aug 25 19:14:41 Vigor10 IPSecuritas: Starting racoon... Aug 25 19:14:42 Vigor10 IPSecuritas: Racoon is running Aug 25 19:14:42 Vigor10 IPSecuritas: Set kernel keys route: writing to routing socket: File exists add net 192.168.1.0: gateway gif0: File exists Aug 25 19:14:43 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched. Aug 25 19:14:43 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched. Aug 25 19:14:43 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload. Aug 25 19:14:43 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload. Aug 25 19:14:58 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched. Aug 25 19:14:58 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched. Aug 25 19:14:58 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload. Aug 25 19:14:58 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload. Aug 25 19:15:13 Vigor10 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 80.127.72.35->192.168.1.10 Aug 25 19:15:13 Vigor10 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 80.127.72.35->192.168.1.10 Aug 25 19:15:13 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched. Aug 25 19:15:13 Vigor10 racoon: WARNING: ipsec_doi.c:3086:ipsecdoi_checkid1(): ID value mismatched. Aug 25 19:15:13 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload. Aug 25 19:15:13 Vigor10 racoon: ERROR: isakmp_agg.c:384:agg_i2recv(): invalid ID payload. delete net 192.168.1.0 Aug 25 19:15:17 Vigor10 IPSecuritas: Flushing kernel keys Aug 25 19:15:17 Vigor10 IPSecuritas: Stopping racoon... Aug 25 19:15:18 Vigor10 IPSecuritas: Racoon normally terminated Any help would be greatly appreciated.
Cheers,
Re: IPSecuritas 2.0.6 problems by netgoblin on 2004-08-27 13:27:26 +0200
Hello Paul, can you check ID/Auth parameters, see log > ID value mismatched cu netgoblin
Re: IPSecuritas 2.0.6 problems by tom lafleur on 2004-08-28 06:15:39 +0200
I also am having problems with 2.06 and osx 10.3.5 into a Zyxel Zwall10... using VPN tracker works fine on the same system...
IPSecuritas crashes FVL328, VPNTracker works! IPSecuritas crashes FVL328, VPNTracker works! by davehodg on 2004-08-26 12:43:41 +0200
Hi - revisiting connecting to and FVL328. VPNTracker just went through a major version bump so I've been able to re-test connecting to my FVL328. Using exactly the same parameters as the Netgear VPN client recommends (3DES/SHA-1/1024 in both phases), VPNtracker works perfectly and I can see the internal network. Loading up IPSecuritas, it sees the identical parameters (with most of the option flags in phase 2 turned off), connects, the router's VPN status sees a well-made connection but I can't see the internal LAN. Furthermore, the LAN users stop being able to see the Internet! It looks like we'll have to grudgingly fork out for VPNTracker licenses...
OS X 10.3.5 Server lost connection to IN OS X 10.3.5 Server lost connection to IN by Frogstar on 2004-08-29 19:22:30 +0200
Hi, for a VPN Test i install IPsecuritas on my Webserver on an other location. After start IPsecuritas and config a Setup i lost the connection to my server over ARD (Apple Remote Desktop). Then, i can't connect to my server over ssh or anything. The last chance for me, to connect to my server ist to connect to another Computer in that location und connect via Timbuktu in the local Subnet onto the server. The firewall Setup is unchangend an i test it with turning the Firewall off, too. But the Problem is the same. If i'm in the local Network i can connect to the Server. If i'll try to connet over the Internet the answer is "Connection refused" My Server cannot connetct to the Internet after that. Any Idea? PS: Sorry about my english. Im from Germany and my english is not the best. :-)
Nortel Problems Nortel Problems by rbrugman on 2004-09-04 22:26:59 +0200
Hello, I am trying to connect to my schools VPN with my Mac. There is a PC client, but Netlock wants to charge me $95 for their official nortel client. The main problem is that the universities VPN switch is set to use Group Password Authentication. I know the group username and password, but that's it. I also know that the encryption is "3DES" and MD5 is mentioned. That's pretty much all I can find out. If there's some way to get into Netlocks config file, I could possibly tell more, but prefs.db just is a bunch of text. I tried putting the settings in IPSecuritas, and this is what I got as an output: (Edit: Too long, so I put it as a .rtf file) http://hosted.reaktor6.net/ipsec_error.rtf
I hope someone can help me decipher. Robert
Re: Nortel Problems by rbrugman on 2004-09-04 23:10:31 +0200
I found out some more information that I hope helps. I installed the VPN client for Windows on my desktop and made a log file, and I also took a screenshot. Here they are: Log file from PC: http://hosted.reaktor6.net/vpn_pc.txt Screenshot from PC: http://hosted.reaktor6.net/vpn_pc_ss.jpg I seriously hope that can help someone help me. Robert
Re: Nortel Problems by rbrugman on 2004-09-07 04:17:01 +0200
I have more information. The creators of VPN tracker say that at least in my case, the Nortel VPN switch is using an IPSec extension called mod_cfg. Does anyone know if IPSecuritas has this feature? Thanks, Robert
Any issues re recent Security Update 9-7? Any issues re recent Security Update 9-7? by rnoranbrock on 2004-09-08 15:28:06 +0200
Is there any reason to hold off applying this Security Update? Any effect on IP Securitas? Thanks, -Randy
IPSecuritas and NAT-T support, routing issues IPSecuritas and NAT-T support, routing issues by seano on 2004-09-09 03:54:08 +0200
Hi all, I checked out IPSecuritas after finding out VPN Tracker doesn't have NAT-T support. I'm using OS 10.3.4. Seems I can establish a tunnel ok, but two things are wrong: 1.) On a NAT'ed network, I can't actually communicate to a host over the tunnel. I've verified our firewall (isakmpd/pf on openbsd) is correctly allowing ESP traffic. Seems NAT-T support is not working. 2.) When tunnels are created, I don't see a route created in the routing table. Is this normal? thanks, Sean
Re: IPSecuritas and NAT-T support, routing issues by seano on 2004-09-14 22:36:13 +0200
does anyone have an idea or am i just out of luck for support?
Re: IPSecuritas and NAT-T support, routing issues by Grant Janssen on 2004-09-16 07:09:06 +0200
:P Me too, I feel your pain. I can establish a "Host To Network" connection. Keys exchange fine, but I can't stuff anything over the tunnel. When I move my laptop on the other side of the router (no NAT), this runs perfectly. I've seen VPN client software function with NAT, so I know this can work, as long as you don't try to establish multiple tunnels from the same NATed network to the same destination firewall. All my other clients are PCs running the SafeNet SoftRemote product [url]http://www.safenet.biz/prod/software/software_a.asp[/url]. This supports NAT, and has run well for us, but is PC only. Is there some setup detail I've missed? ???
Cookies Colliding using IPSecuritas to SOHO 6tc Cookies Colliding using IPSecuritas to SOHO 6tc by Graeme Rae on 2004-09-22 01:58:52 +0200
Trying to connect from a 192.168.1.# network via net and SOHO 6tc to a 192.168.146.# network. Using a Mac OSX10.3.5 All security settings are identical on each side (checked many times) Getting this error:
Sep 21 16:32:32 graemes-g4 racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.56[500] Sep 21 16:32:32 graemes-g4 racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.56[500] Sep 21 16:32:32 graemes-g4 racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to 64.7.211.227[500] Sep 21 16:32:32 graemes-g4 racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 112 bytes message will be sent to 192.168.1.56[500] Sep 21 16:32:32 graemes-g4 racoon: DEBUG: plog.c:199:plogdump(): fc7dfa15 5b5d18bf 00000000 00000000 01100100 00000000 00000070 05000034 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 80010005 80030001 80020001 80040001 0a00000c 011101f4 c0a80138 00000014 e2e59147 a73c03ce 319df5da 5dd11fdf Sep 21 16:32:32 graemes-g4 racoon: DEBUG: isakmp.c:1718:isakmp_ph1resend(): resend phase1 packet fc7dfa155b5d18bf:0000000000000000 Sep 21 16:32:32 graemes-g4 racoon: DEBUG: isakmp.c:233:isakmp_handler(): === Sep 21 16:32:32 graemes-g4 racoon: DEBUG: isakmp.c:234:isakmp_handler(): 68 bytes message received from 64.7.211.227[500] Sep 21 16:32:32 graemes-g4 racoon: DEBUG: plog.c:199:plogdump(): fc7dfa15 5b5d18bf 00000000 00000000 0b100500 00000000 00000044 00000028 00000001 01000004 fc7dfa15 5b5d18bf 00000000 00000000 01100100 00000000 00000070 Sep 21 16:32:32 graemes-g4 racoon: DEBUG: isakmp.c:531:isakmp_main(): malformed cookie received or the initiator's cookies collide. Sep 21 16:32:52 graemes-g4 racoon: ERROR: isakmp.c:1706:isakmp_ph1resend(): phase1 negotiation failed due to time up. fc7dfa155b5d18bf:0000000000000000 Sep 21 16:32:52 graemes-g4 racoon: ERROR: isakmp.c:1706:isakmp_ph1resend(): phase1 negotiation failed due to time up. fc7dfa155b5d18bf:0000000000000000
Any ideas? Please Help!!! Using Phase 1/Mod768/3Des/MD5 Phase 2/No PFS/3Des/Md5 Local ID DN: graeme Remote ID: Address Auth: Pre-shared secret (checked many times)
Problems with PPP Problems with PPP by strandoo on 2004-09-22 14:08:30 +0200
I've been able to use IPSecuritas from my home via an ADSL account, but can't get it to work when I use a modem/ppp dial-up account. Any ideas about what I'm doing wrong? Thanks.
racoon: must be root to invoke this program racoon: must be root to invoke this program by cdant on 2004-09-29 04:01:32 +0200
I'm having an error with starting up a connection, getting an error from racoon that I must be root to invoke it. I've tried setting racoon to suid root but that didn't resolve the issue. Here's my log: Log output from IPSecuritas 2.0.6 Sep 28 21:30:27 localhost IPSecuritas: Parsing configuration Sep 28 21:30:27 localhost IPSecuritas: Setting up racoon.conf Sep 28 21:30:27 localhost IPSecuritas: Setting up setkey.conf Sep 28 21:30:27 localhost IPSecuritas: Setting up psk.txt Sep 28 21:30:27 localhost IPSecuritas: Setting up tunnel.conf Sep 28 21:30:27 localhost IPSecuritas: Parsing configuration done Sep 28 21:30:27 localhost IPSecuritas: Could not create /etc/syslog_ipsecuritas_orig.conf Sep 28 21:30:27 localhost IPSecuritas: Starting racoon... racoon: must be root to invoke this program. Sep 28 21:30:27 localhost IPSecuritas: Failed to start racoon Sep 28 21:30:27 localhost IPSecuritas: Stopping racoon... Sep 28 21:30:27 localhost IPSecuritas: Racoon normally terminated Sep 28 21:30:27 localhost IPSecuritas: Flushing kernel keys pfkey_open: Operation not permitted pfkey_open: Operation not permitted
from scratch from scratch by love on 2004-10-05 00:35:00 +0200
Hi folks! I am a real newbie on this i being trying to figure ut how to set up a VPN connection, but its just to many different parameters to set to figure put my self ! this is what it looks like ------------------------------Office Network Zywall10 set to NAT LAN IP: 192.168.3.0~ Config in Zywall10 Menu 27.1.1 - IPSec Setup Index #= 1 Name= test Active= Yes Keep Alive= No Nat Traversal= Yes Local ID type= IP Content= My IP Addr= 213.xxx.xxx.xxx Peer ID type= IP Content= 0.0.0.0 Secure Gateway Address= 0.0.0.0 Protocol= 0 Local: Addr Type= RANGE IP Addr Start= 192.168.3.1 End/Subnet Mask= 192.168.3.99 Port Start= 0 End= N/A Remote: Addr Type= N/A IP Addr Start= N/A End/Subnet Mask= N/A Port Start= N/A End= N/A Enable Replay Detection= No Key Management= IKE Edit Key Management Setup= No ------------------------------------------------------------------------
Menu 27.1.1.1 - IKE Setup Phase 1 Negotiation Mode= Main PSK= keykeykey Encryption Algorithm= DES Authentication Algorithm= MD5 SA Life Time (Seconds)= 28800 Key Group= DH1 Phase 2 Active Protocol= ESP Encryption Algorithm= DES Authentication Algorithm= SHA1 SA Life Time (Seconds)= 28800 Encapsulation= Tunnel Perfect Forward Secrecy (PFS)= None -----------------------------------------------------------------this is what i want to achieve static ip on wan DHCP on wan Officenetwork--officerouterNAT--internet--airportexpressNAT--
Re: from scratch by cnadig on 2004-10-07 08:32:04 +0200
Hello, I'd propose the following to start with for IPSecuritas' configuration: General: Host to Network mode Remote IPSec device: 213.xxx.xxx.xxx (the public IP address of the Zyxel 10) Remote Network: 192.168.3.0/24 Local Address: Leave empty Exchange Mode: Main Propopsal Check: Obey Nonce Size: 16 Phase 1: Lifetime: 28800 DH Group: Mod768 (1) Encryption: DES Authentication: MD5 Phase 2: Lifetime 28800 PFS Group: None Encryption: Enable DES, disable all others Authentication: Enable HMAC SHA1, disable all others Id/Auth: Local Identifier: Address Remote Identifier: Address Authentication: Preshared key, enter keykeykey (and change this once everything is working :-) ) Options: Leave all on defaults.
From experience I know that Zyxel is very picky about the network mask settings - it might be necessary to change the remote addr type to subnet with a netmask of 24. Please make sure to increas IPSecuritas' log level and post the log output if it is not working. CAUTION: Please remove any confidential information like your public IP address! And change the preshared key before posting the log! Cheers, Christoph
Trying to set up IPSec between two Macs Trying to set up IPSec between two Macs by Lee Kilpatrick on 2004-10-05 03:55:48 +0200
I want to use IPSecuritas in the "host to anywhere" mode so I can have encrypted traffic when I am using a public WiFi network. I do not have a VPN gateway product, but would like ot use another Mac as the secure endpoint at my house. The documentation is not clear on how you set up this configuration, and I am trying to set up simple configurations just to see if I can get it working (since debugging it remotely from a coffee shop would be pretty difficult). I don't have a lot of equipment to test with, so I am trying to create a tunnel between two Macs on the same ethernet. Is this possible, or will there be routing/interface problems? Do I need another network interface on both machines in order to have a private address to try and access over the tunnel? I set up both with another interface -- one with an Airport, and one with an IP over Firewire. How should I set up IPsecuritas? From reading the online documentation, I have gathered that I should set up the server as "network to network", and my laptop as "host to anywhere". Is this correct? The two machines are connected to an ethernet through the hub/router which is a linksys BEFR41. I have set the router to "IPSec pass through". In general, I'm not even sure that that setting has any effect if you are communicating through two LAN ports on it. When I start IPSec on both machine, the chekmark never becomes green, but stays as a red "X". In the IPSecuritas log, I get this on one machine (the "client"): Oct 4 20:54:47 Scarlet IPSecuritas: Oct 4 20:54:47 Scarlet IPSecuritas: Parsing configurationParsing configuration Oct 4 20:54:48 Scarlet IPSecuritas: Oct 4 20:54:48 Scarlet IPSecuritas: Setting up racoon.confSetting up racoon.conf Oct 4 20:54:48 Scarlet IPSecuritas: Oct 4 20:54:48 Scarlet IPSecuritas: Oct 4 20:54:48 Scarlet IPSecuritas: Oct 4 20:54:48 Scarlet IPSecuritas: Oct 4 20:54:48 Scarlet IPSecuritas: Oct 4 20:54:48 Scarlet IPSecuritas: Oct 4 20:54:48 Scarlet IPSecuritas: Oct 4 20:54:48 Scarlet IPSecuritas: Oct 4 20:54:49 Scarlet IPSecuritas: Starting racoon...Starting racoon...
Setting up setkey.conf Setting up psk.txt Setting up tunnel.conf Parsing configuration done Setting up setkey.conf Setting up psk.txt Setting up tunnel.conf Parsing configuration done Oct 4 20:54:49 Scarlet IPSecuritas:
Oct 4 20:54:49 Scarlet IPSecuritas: Oct 4 20:54:49 Scarlet IPSecuritas: Racoon is runningRacoon is running Oct 4 20:54:49 Scarlet IPSecuritas: Oct 4 20:54:49 Scarlet IPSecuritas: Set kernel keys
I then tried to ping the private address on the other machine (the server) and got no response. After a while, the log showed: Oct 4 20:55:37 Scarlet racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase 2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.4->10.0.0.100
Re: Trying to set up IPSec between two Macs by cnadig on 2004-10-07 08:16:44 +0200
Hello Lee, I'd try the following: Client Side: Host to anywhere is fine, other settings on their default values Server Side: Use Host to Host (Tunnel), with the local IP address of the Ethernet interface and the laptop's IP as remote IP. Please also set the passive option on the server side. Then first start the server side IPSec, once it says running, you can start the client (laptop) IPSec. Please increase the log level in IPSecuritas beforehand (in Preferences) to 'Verbose debug' - the log output then contains much more information. If you want to access other machines (or the internet) through the server Mac, you will need a second interface on that machine (although you probably can get around with aliased interfaces, but I would need to figure this out first - let me know if you need it). Let us know how it goes! Cheers, Christoph
zywall 10II zywall 10II by andrew on 2004-10-10 03:17:20 +0200
Hi, Wondering if anyone has a setup for IPSecuritas for a ZyWall 10II with something flexible enough on various locations? I connect often from behind a school firewall (cisco pix) but with real ips and sometimes from locations behind a standard RFC1918 (adsl router - no control over it) and othertimes on the road from a dialup ip.. My internal LAN is 192.168.1.0/24 Thanks.
FVS318 now working, but no Network Browsing FVS318 now working, but no Network Browsing by Greg on 2004-10-21 20:53:10 +0200
So after playing with it all day I finally bagged the VPN tracker settings I was trying to get into the IP Securitas, and instead used the VPN Wizard that is available in newer firmware versions of the FVS318. At the end, it offered the proper settings to put into the VPN client... once those were inputed... away it went no problems connected rightup. One setting it had added was the Enable NetBios for network browsing... I couldn't find a setting in IPSecuritas however to allow me to enable network browsing... does anyone know how I can enable that. As I'd like to be able to browse the network rather then needing to go in and find each IP address and type it in manually. And this will make printing and using some other network functions alot easier.... Thanks in advance.. Greg
Re: FVS318 now working, but no Network Browsing by AaronA1975 on 2004-10-21 22:01:03 +0200
NetBIOS is a non-routable protocol that Windows uses for file and print sharing, and it usually transmits data via broadcasts. The checkbox allows NetBIOS broadcasts to be sent over the VPN connection. If you're using Windows, this setting is convenience, but since NetBIOS tends to be a chatty protocol, some people would rather not have that traffic sent over the WAN. Checking that box means nothing to your Mac because it does not use NetBIOS. Macs use SLP (Service Location Protocol) to discover network services, which can be enabled in the Directory Access app. If you're unable to browse the network you're connected to via VPN, the NetBIOS checkbox is not your problem.
Re: FVS318 now working, but no Network Browsing by Greg on 2004-10-21 22:16:02 +0200
Thanks for the info.... so I've gone and looked the SLP is turned on in direcoty access, any ideas on how to make sure that the VPN tunnel is allowing it. Or is that even possible to browse a Mac Network via a VPN using SLP or any other method for that matter? Thanks, Greg
Re: FVS318 now working, but no Network Browsing by AaronA1975 on 2004-10-22 23:08:14 +0200
It's entirely possible to browse a Mac network over your VPN connection - I do it with mine all the time. There should be no reason why your firewall would disallow SLP unless you've somehow expressly instructed it to.
Re: FVS318 now working, but no Network Browsing by GaryS on 2004-11-01 23:18:03 +0100
I have the same router and have the same experience... I'm unable to browse the office network remotely, yet SLP is enabled and I'm running the latest version of IPSecuritas and the NetGear firmware for the router. Aargh...
Connecting to Linksys 10/100 8port router Connecting to Linksys 10/100 8port router by oolong on 2004-10-23 04:24:30 +0200
Hi everyone I'm attempting to connect to this Linksys 10/100 8-port VPN router via IPSecurita (no VPN router on my side). So far, it doesn't work and I haven't found anybody talk about this combination either. If you happen to have this connection established, please share the config on both Linksys and IPSecurita. My current IPSecurita log goes on and on for a while, but here are the highlights: (At early stage it says...) IPSecuritas: Racoon is running IPSecuritas: Set kernel keys route: writing to routing socket: File exists add net 172.137.2.0: gateway gif0: File exists racoon: DEBUG2: cfparse.y:1365:cfparse(): parse successed. (Towards the end it says...) racoon: DEBUG: grabmyaddr.c:454:update_myaddrs(): caught rtm:2, need update interface address list racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 1 not interesting And then it eventually shuts down after not finding phase1 nor 2. As I have no idea at this point, I appreciate any help!! Thank you.
Autostart Autostart by Rich Eaton on 2004-10-26 16:37:11 +0200
OS X.3.5 IPsecuritas autostart does not appear to work on boot up. Once manually started it works fine.
Re: Autostart by Rich on 2004-10-29 12:37:32 +0200
I should add, it does autostart but the connection fails. Starting by hand after login works fine. Using Airport to conect to IPsec device. Is this an OS X startup problem ?
FQDN in phase 2 FQDN in phase 2 by Daniel Cini on 2004-10-29 11:52:36 +0200
Hi, I currently have a host to network configuration. My remote IPSec device expects the phase 2 proposal to contain my FQDN instead of the IP address. Is it possible to configure IPSecuritas to do so? Also, does IPSecuritas support NAT traversal? Thanks in advance for any help, Daniel Cini
Re: FQDN in phase 2 by GaryS on 2004-11-01 23:27:36 +0100
I do this for my office connections... simply select the "DN" radio button in the ID/auth tab (instead of the "Address" button), and enter your FQDN in the blank field.
Unstable VPN Connection to FVS318 Unstable VPN Connection to FVS318 by GaryS on 2004-11-01 23:24:18 +0100
I recently upgraded to the latest firmware for the NetGear FVS318 (v.2.4) in the hopes that I would be able to browse my office network, but to no avail. Anyways, since the upgrade, the router runs much better... except for my VPN connections using IPSecuritas. IPSec starts successfully, and my connection shows the little green arrow. But, whereas I used to be able to mount any office Mac quickly, now the mounting times out regularly, and even a Mac that I've mounted doesn't respond properly all the time. The log shows the following: Nov 1 13:53:49 THUNDERDOME IPSecuritas: Parsing configuration Nov 1 13:53:49 THUNDERDOME IPSecuritas: Setting up racoon.conf Nov 1 13:53:49 THUNDERDOME IPSecuritas: Setting up setkey.conf Nov 1 13:53:50 THUNDERDOME IPSecuritas: Setting up psk.txt Nov 1 13:53:50 THUNDERDOME IPSecuritas: Setting up tunnel.conf Nov 1 13:53:50 THUNDERDOME IPSecuritas: Parsing configuration done Nov 1 13:53:51 THUNDERDOME IPSecuritas: Starting racoon... Nov 1 13:53:51 THUNDERDOME IPSecuritas: Racoon is running Nov 1 13:53:51 THUNDERDOME IPSecuritas: Set kernel keys Nov 1 13:53:54 THUNDERDOME racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3 Nov 1 13:53:54 THUNDERDOME racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3 Nov 1 13:53:54 THUNDERDOME racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3 Nov 1 13:53:54 THUNDERDOME racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3 Nov 1 13:55:34 THUNDERDOME IPSecuritas: Flushing kernel keys Nov 1 13:55:34 THUNDERDOME IPSecuritas: Stopping racoon... Nov 1 13:55:35 THUNDERDOME IPSecuritas: Racoon normally terminated My settings on the router are identical now as how they were prior to the upgrade, and I don't understand the "trns_id mismatched" error in the log. Any help would be appreciated. BTW, I'm running OSX 10.3.5.
VPN with dynamic IP on both sides? VPN with dynamic IP on both sides? by mandarax on 2004-11-02 15:12:10 +0100
I'm trying to figure out, wether it is possible to connect to networks or even Macs, both connected to the internet via DSL. Both sides receive dynamic IP adresses when logging in. Is it possible to use a domain name offered by a service like DynDNS instead of a known IP adress in the "General Settings" section when setting up a new connection? Any help appreciated. Thanks, Hans
Re: VPN with dynamic IP on both sides? by cnadig on 2004-11-03 07:24:12 +0100
Hello Hans, you can enter a hostname into the remote IPSec device field. The hostname is then translated into an IP address every time you start IPSec. Christoph
Netgear FVS328 Netgear FVS328 by sgljungholm on 2004-11-04 14:58:15 +0100
I have set up the Netgear box and tested with other clients that seem to work. When I try IPSecuritas I get a message that says EROOR:isakmp_inf.c:848:isakmp_info_recv_n():unknown notify message, no phase2 handle found. Any ideas? Thanks
Re: Netgear FVS328 by cnadig on 2004-11-07 01:46:59 +0100
Hello sgljungholm, please find a working example setup at [url]http://www.lobotomo.com /products/IPSecuritas/howtoUpdates.html[/url] Cheers, Christoph
Re: Netgear FVS328 by sgljungholm on 2004-12-26 13:57:51 +0100
I have gotten this working to a point. I now am connected but I cannot see any of the computers on the remote network. I noticed this in the logs. Any idea? Dec 26 07:54:40 Svens-Computer racoon: NOTIFY: isakmp.c:267:isakmp_handler(): the packet is retransmitted by 138.88.162.101[500]. Dec 26 07:54:53 Svens-Computer racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 5 not interesting Dec 26 07:56:31 Svens-Computer racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 5 not interesting Dec 26 07:57:25 Svens-Computer racoon: INFO: isakmp.c:1785:isakmp_ph1expire(): ISAKMP-SA expired 192.168.168.102[500]-138.88.162.101[500] spi:25c51c4f8287898b:25b94c4b38c99f17 Dec 26 07:57:25 Svens-Computer racoon: INFO: isakmp.c:1785:isakmp_ph1expire(): ISAKMP-SA expired 192.168.168.102[500]-138.88.162.101[500] spi:25c51c4f8287898b:25b94c4b38c99f17 Dec 26 07:57:26 Svens-Computer racoon: INFO: isakmp.c:1833:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.168.102[500]-138.88.162.101[500] spi:25c51c4f8287898b:25b94c4b38c99f17 Dec 26 07:57:26 Svens-Computer racoon: INFO: isakmp.c:1833:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.168.102[500]-138.88.162.101[500] spi:25c51c4f8287898b:25b94c4b38c99f17 Dec 26 07:57:35 Svens-Computer racoon: DEBUG: grabmyaddr.c:448:update_myaddrs(): msg 5 not interesting
Re: Netgear FVS328 by sgljungholm on 2005-02-05 23:24:36 +0100
This is still not working. I am now testing with another unit and I still can't make it work. Can anyone help. I set the VPN as the site suggested but nothing.
Watchguard Firebox X15 Edge Watchguard Firebox X15 Edge by Raggamax on 2004-11-04 16:46:51 +0100
Hi Everyone... i am using IPSecuritas on my Mac to connect to a Watchguard Firebox X15 Edge without any success. I tried different settings but i always get the following Error: isakmp.c:2045:isakmp_chkph1there(): phase 2 negotiation failed due to time up waiting for phase 1. Can anyone help me with that? Any idea what goes wrong? I am wondering if i have to change the settings on my box or on the client. From a PC with installed MUVPN-Client (Provided by watchguard) everything goes just fine. I can connect via VPN to the remote Network without any problem. Thank you in advance for your help...
Re: Watchguard Firebox X15 Edge by swamphopper on 2005-01-28 05:14:11 +0100
I seem to have the same problem. Using VPN Tracker, I've got a VPN between my Mac and Firebox X1000, but IPSecuritas doesn't work. Can anyone suggest a solution? Thanks.
Automatically dial VPN ? Automatically dial VPN ? by bwinter on 2004-11-05 12:29:32 +0100
Hi - I have a user who I need to have to the IPSecuritas VPN automatically dial, say upon login. I have added IPSecuritas to the startup items in the users account settings. I would like to be able to have it all happen automatically. Also, is there anyway to have a dial up connection dial an internet connection automatically before the VPN connection is attempted ?????? Thanks
New Sample Configurations Available New Sample Configurations Available by cnadig on 2004-11-07 01:44:46 +0100
Hello, please find sample configurations for Netgear FVS328, Netpilot VPN and Linksys BEFSX41 at [url]http://www.lobotomo.com/products/IPSecuritas /howtoUpdates.html[/url] Cheers, Christoph
router and ipsecuritas router and ipsecuritas by Fabrice on 2004-11-13 00:23:37 +0100
Hi, I need your help again. I'm using IPSecuritas on my powerbook to connect via ADSL to my professionnal network (so "Host to network") with success. I've just received my freebox, an ADSL modem with NAT properties. No way to connect to my network. The ckeck comes finally green, but I can't ping my network. I've hard fixed my local IP in my local network. I use the following IP forwarding : Port: 2746 - Protocole: tcp - Destination: 192.168.0.1 - Port: 2746 Port: 2746 - Protocole: udp - Destination: 192.168.0.1 - Port: 2746 Is that correct ? Should I use or not IP DMZ option ? I've tried to modify IPSecuritas with "Network to network", with : Remote Network : 172.23.0.0 / 16 (the network mask is 255.255.0.0) Local network : 192.168.0.0 / 24 (the network mask is 255.255.255.0) But it's not better. Thanks in advance Fabrice
Re: router and ipsecuritas by cnadig on 2004-11-14 00:04:24 +0100
Hello Fabrice, do you know the manufacturere and model of the router? Some router require to enable IPSec passthrough explicitely or don't allow IPSec with NAT. also, as it seems that the tunnel can be established successfully, a dump from tcpdump could be useful (tcpdump -i en0 for Ethernet or tcpdump -i en1 for Airport). Cheers, Christoph
Re: router and ipsecuritas by Fabrice on 2004-11-14 14:51:00 +0100
[quote author=cnadig link=1100301817/0#1 date=1100387064]Hello Fabrice, do you know the manufacturere and model of the router? Some router require to enable IPSec passthrough explicitely or don't allow IPSec with NAT. also, as it seems that the tunnel can be established successfully, a dump from tcpdump could be useful (tcpdump -i en0 for Ethernet or tcpdump -i en1 for Airport). Cheers, Christoph[/quote] Thanks for your response. I'm waiting for more informations on the freebox, but it's a specific modem of my provider (Free). Some people say i't's pass-through, some other not. A person said just me "option priority must be on "legacy" and not on "normal" to not cut udp packets, but I don't find this option in IPSecuritas. I've juste seen the "DHCP Pass-through" option in IPSecuritas ; should I check it ? For more informations, I give a link to a picture of the on-line web page given by my provider to modify the NAT table : http://kerlienes.free.fr/freebox.jpg About tcpdump, can you please explain me ? I don't undersand at all, sorry. Thanks a lot in advance. Fabrice
Re: router and ipsecuritas by akerem on 2005-01-09 12:38:10 +0100
Hi, If you use CheckPoint firewall remotely, you should make sure that its vpn domain includes the ip addresses you are trying to connect. (The 172.23.0.0/16 block) That may be the problem.
Nortel and local bind issue Nortel and local bind issue by djb on 2004-11-13 06:54:54 +0100
hi, I am attempting to connect to a Nortel Contivity but can barely start the connection when the log spits this out : Nov 13 00:23:03 JDAB IPSecuritas: Racoon is running Nov 13 00:23:03 JDAB IPSecuritas: Set kernel keys Nov 13 00:23:03 JDAB racoon: ERROR: isakmp.c:1532:isakmp_setup_socket(): failed to bind (Address already in use). Nov 13 00:23:03 JDAB racoon: ERROR: isakmp.c:1532:isakmp_setup_socket(): failed to bind (Address already in use). Nov 13 00:23:03 JDAB racoon: ERROR: isakmp.c:1616:isakmp_open(): no address could be bound. Nov 13 00:23:03 JDAB racoon: ERROR: isakmp.c:1616:isakmp_open(): no address could be bound.
lsof says that the other process holding the isakml port is something called INM. any thoughts or fixes? I cannot kill teh inm proc for some reason. thanks derek
Re: Nortel and local bind issue by cnadig on 2004-11-14 00:05:49 +0100
Hi Derek, do you have any more information on this process - I did a Google search but could not find anything. What happens if you create another user and log in as him - is the process still running? Christoph
Re: Nortel and local bind issue by djb on 2004-11-15 05:20:19 +0100
this is the result of root
363 0.0 0.1
ps -aux | grep inm 28068
296 ?? S
10:21PM 0:00.20 inm -p9165
the proc is run at startup ... thanks derek
Re: Nortel and local bind issue by Grant McChesney on 2006-03-01 23:08:26 +0100
Do you by chance have the Netlock Contivity VPN Client from Apani installed? I do, and I get the same error. In fact, I get this error when I load the Netlock VPN after installing Securitas: Connection to the switch dropped due to an IKE/ISAKMP Error. This is probably the cause of the error. Trying uninstalling the Netlock vpn client.
Classic Applications (Outlook2001) over VPN Classic Applications (Outlook2001) over VPN by alhinds on 2004-11-16 20:20:49 +0100
Does anyone know if IPSecuritas will support applications running in Classic environment (under OSX) over IPSec VPN? Main use required is Outlook2001 (as Entourage just doesn't seem to be up to scratch yet). Thanks...
network to network network to network by Fabrice on 2004-11-17 11:43:08 +0100
Hello everybody, Does anyone use the protocol "network to network" ? In that case, thanks in advance to give me the configuration for ipsecuritas. Should I modify anything on the server side (I use Checkpoint firewall) ? Thanks a lot Fabrice
Can't assign requested Address (Ipsecuritas 2.06) Can't assign requested Address (Ipsecuritas 2.06) by AndreasF on 2004-11-25 10:02:49 +0100
Hello! I am trying to connect to my office. But I keep getting this message in the log. I have used the same configuration before (and it worked). Does anybody understand what could be the possible error? "Log output from IPSecuritas 2.0.6 Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Parsing configuration Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Setting up racoon.conf Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Setting up setkey.conf Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Setting up psk.txt Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Setting up tunnel.conf Nov 25 09:08:19 Andreas-Fredrikssons-dator IPSecuritas: Parsing configuration done Nov 25 09:08:20 Andreas-Fredrikssons-dator IPSecuritas: Starting racoon... Nov 25 09:08:20 Andreas-Fredrikssons-dator IPSecuritas: Racoon is running Nov 25 09:08:20 Andreas-Fredrikssons-dator IPSecuritas: Set kernel keys The result of line 7: File exists. The result of line 8: File exists. add net 192.168.1.0: gateway gif0 [b]ifconfig: SIOCSIFPHYADDR: Can't assign requested address add net 192.168.100.0: gateway gif1 ifconfig: interface gif2 does not exist[/b] delete net 192.168.1.0 delete net 192.168.100.0 route: writing to routing socket: No such process delete net 192.168.100.0: not in table ifconfig: interface gif2 does not exist Nov 25 09:08:21 Andreas-Fredrikssons-dator IPSecuritas: Could not delete tunnel gif2 192.168.1.1 192.168.100.0/24 ifconfig: interface gif2 does not exist Nov 25 09:08:21 Andreas-Fredrikssons-dator IPSecuritas: Could not delete gif2 Nov 25 09:08:21 Andreas-Fredrikssons-dator IPSecuritas: Stopping racoon... Nov 25 09:08:22 Andreas-Fredrikssons-dator IPSecuritas: Racoon normally terminated Nov 25 09:08:22 Andreas-Fredrikssons-dator IPSecuritas: Flushing kernel keys Log output from IPSecuritas 2.0.6" Regards Andreas
IPSEcuritas and zywall1 IPSEcuritas and zywall1 by gbuma on 2004-11-25 15:45:34 +0100
Hello, I am trying to create a connection between a distant laptop (dynamic IP) and the office firewall (dynamic ip, can be found with dyndns.org). I keep on getting the "couldn't find the pskey for OFFICE_IP " error. Auth is done with email for local and remote. Using pre-shared key. On ipsecuritas, mode is "host to network".
Sonicwall Pro 230 Sonicwall Pro 230 by Jim Collis on 2004-11-28 00:41:28 +0100
Has anybody successfully gotten IPSecuritas running on OSX 0.3.6 to work with a Sonicwall Pro 230? If so, can you provide complete configuration info?
Verified working with IpCop Verified working with IpCop by gloin on 2004-11-30 22:16:13 +0100
Am short on time, but will create a sample configuration page on my blog as soon as I can. Just so you know, it works both with certificate and PSK. Sorry for the tease...
Re: Verified working with IpCop by gloin on 2004-12-14 21:05:16 +0100
Well, that took way too long, but I had some things come up at home here that really needed my attention. Here's the link (which will hopefully change if some Benificient Admin deigns to relieve my burgeoning bandwidth bill by mirroring the sample configurations: http://www.taupehat.com/vpn/ Enjoy!
Re: Verified working with IpCop by Rob D on 2005-03-25 20:19:30 +0100
[quote author=gloin link=1101849373/0#1 date=1103054716]Well, that took way too long, but I had some things come up at home here that really needed my attention. Here's the link (which will hopefully change if some Benificient Admin deigns to relieve my burgeoning bandwidth bill by mirroring the sample configurations: http://www.taupehat.com/vpn/ Enjoy![/quote] Hi gloin / all I've been unable to connect to IPCOP 1.4.2 from my 10.3.8 iBook. My log file is below. Any ideas? Log output from IPSecuritas 2.0.6 Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Parsing configuration Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up racoon.conf Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up setkey.conf Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up psk.txt Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up tunnel.conf Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up resolv.conf Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Parsing configuration done Mar 25 19:08:25 Rob-Dykes-Computer IPSecuritas: Starting racoon... Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Racoon is running Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Set kernel keys line 3: Unknown error at [192.168.0.0] line 3: Unknown error at [192.168.10.3] line 4: Unknown error at [192.168.10.3] line 4: Unknown error at [192.168.0.0] Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(80.46.98.226,500): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(80.46.98.226,500): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,0): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,0): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.0.0,0): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.0.0,0): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,500): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,500): resolved to multiple address, taking the first one Mar 25 19:08:29 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Mar 25 19:08:29 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Mar 25 19:08:48 Rob-Dykes-Computer racoon: ERROR:
Re: Verified working with IpCop by gloin on 2005-03-26 19:58:49 +0100
Not entirely sure, but it does look like someone's multihoming. You probably want to start with the simplest case possible and then add in extra interfaces once things are working.
Re: Verified working with IpCop by Rob - D on 2005-03-28 23:30:24 +0200
[quote author=gloin link=1101849373/0#3 date=1111863529]Not entirely sure, but it does look like someone's multihoming. You probably want to start with the simplest case possible and then add in extra interfaces once things are working.[/quote] Gloin... someone = who? my local iBoook is not multihomed...only interface UP and with IP is WLAN. WLAN is connected to AP routing to INTERNET to remote/IPCOP f/w. I can understand why you are saying that though... the 'resolved to multiple address' in the log file made me think something similar... Yet... I get all the way to phase 2 authentication. And then I am unable to make phase 2. It would seem that isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. is the crucial part of the problem.....
Re: Verified working with IpCop by robd on 2005-03-29 22:48:39 +0200
Some further testing. Right. I've verified that all is working on the IPCOP side as I have successfully setup a net-to-net VPN connection to the IPCOP. Gotta work out whats going on on the client side for my host-to-net roadwarrior connection.
FreeS/WAN (X.509) connection fails FreeS/WAN (X.509) connection fails by petschni on 2004-12-02 09:32:40 +0100
Hello, i am trying to access the network in my university but unfortunatley i get an error (see end of the message). The Gateway runs on a Debian/LINUX and IPSec is implemented with Openswan. The Data Connection is secured with ESP (Encapsulated Security Payload RFC 2406). In Openswan is the 3DES Encryption used. Authentification works with X.509-Certificates. I got it to work in VPN Tracker but in IPSecurtitas I get the error when i trys to connect. I don't know if it is of any interest, but if you start VPN Tracker and IPSecurtitas at the same time and establish the connection with VPN Tracker the button in IPSecurtitas turns green also, but if IPSecurtitas has to do it on its own it stays red. Do you got any idea what I can do? greetings and thanks peter Log output from IPSecuritas 2.0.6 Dec 2 09:02:43 wlanbzw25 IPSecuritas: Parsing configuration Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up racoon.conf Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up setkey.conf Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up psk.txt Dec 2 09:02:43 wlanbzw25 IPSecuritas: Setting up tunnel.conf Dec 2 09:02:43 wlanbzw25 IPSecuritas: Parsing configuration done Dec 2 09:02:44 wlanbzw25 IPSecuritas: Starting racoon... Dec 2 09:02:44 wlanbzw25 IPSecuritas: Racoon is running Dec 2 09:02:44 wlanbzw25 IPSecuritas: Set kernel keys Dec 2 09:03:26 wlanbzw25 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 141.76.18.225->141.76.18.34 Dec 2 09:03:26 wlanbzw25 racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 141.76.18.225->141.76.18.34
Sidewinder Sidewinder by Chris Coyne on 2004-12-02 21:42:41 +0100
Hi Has anyone set up ipsecuritas to work with Sidewinder G2?? I am very confused as to how to do this. Any help would be great! Thanks Chris
Re: Sidewinder by Chris Creighton on 2005-03-08 19:14:12 +0100
Yes, it's pretty easy. They now have an unsupported document explaining how to do this. Contact Secure Computing. However I am having a problem with the Mac in this regard, not the IPSEC configuration that is stopping my Mac from beginning the negotiation. I think the problem is what IPSecuritas is doing to set up the IPSEC connection, but since the error messages are vague to say the least, I can't tell what the problem is. See my other post. I have connected to the Sidewinder using FQDN, and fixed IP, both with shared secrets. I have not yet got the certificates to work, but I was working with 5.2.1.10, not 6.1, which may generate the files in the format that IPSecuritas will accept, i.e. *.pem format. Good luck ... Chris
VPN to Sonicwall TZ-170 VPN to Sonicwall TZ-170 by Doug Smart on 2004-12-13 22:51:05 +0100
Can ipsecuritas be used to create a VPN connection to a sonicwall tz170 using domain authentication? I have a group VPN policy set up that grants Access using a pre shared secret and the domain log in credentials. I have not found anything about passing domain user and password credentials In the ipsecuritas online help or in the forum which is why I am submitting a new topic. I have a few home a Mac users (including myself) and I think you would be great for them to be able to connect using ipsecuritas. I have the ability to create new SA’s, so if I can’t use domain authentication I can use just about any method That works. Thanks. Doug
connecting to Fortinet VPN: "invalid ex connecting to Fortinet VPN: "invalid ex by Michael Hanisch on 2004-12-22 23:55:58 +0100
Hi everyone, I'm out of luck trying to connect my Mac to a VPN (host to network setup). The remote endpoint is a Fortinet 200 firewall w/ VPN. The log contains lots of debug messages, but also some errors, the first being: Dec 22 23:51:20 Vigor11 racoon: DEBUG: plog.c:199:plogdump(): 7025a13e a4e13035 6fe41458 7991664e 08100601 ebfef208 0000004c c7fcbfb8 5681de4a f247e6e3 6c5f2990 685b48bc aa605eb6 c55a8fd4 a325ac70 7613fc0d d1dad56d 53f688e5 d6050555 Dec 22 23:51:20 Vigor11 racoon: ERROR: isakmp.c:759:isakmp_main(): Invalid exchange type 6 from X.X.X.X[500]. Dec 22 23:51:23 Vigor11 racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.11.11[500] These error messages are repeated multiple times.
Can anyone shed some light on this? I can adapt the firewall's config if necessary, but at the moment I don't have any idea where to start... I can provide more info if necessary.
Startup - IPsec failed Startup - IPsec failed by taniwha on 2004-12-29 05:33:15 +0100
Apple Mac. When trying to establish the VPN I get the error message "Startup IPsec failed" instantly. Any ideas anyone.
Re: Startup - IPsec failed by sdls on 2004-12-30 21:01:00 +0100
I had the same problem I'm still testing, but i ran it as root and it got passed the ipsec failed try it as root SDLS :)
Netscreen Xauth Netscreen Xauth by XAuth on 2005-01-07 21:31:19 +0100
Will IPSECURITAS support the authentication method Xauth or is that a Netscreen proprietary standard? Thanks!
Re: Netscreen Xauth
by tji on 2005-06-08 23:17:32 +0200
Xauth is not a Netscreen proprietary thing.. it was on the standards track, with a draft RFC. But, I don't think it was ever ratified (though I don't know for sure). While there are Xauth patches available for KAME / racoon, I don't think Apple has integrated that support into the Apple code. So, as far as I know, you cannot use Xauth with MacOS today. Also, I am not sure if one could get Xauth support by just updating the racoon binary in MacOS, or if the IPSec support in the kernel needs to be updated. If only racoon needs updating, it could be pretty easy.
MacOS can be made to work with netscreen, via standard pre-shared keys. But, the config is a lot more convoluted than the Xauth config. equinux / VPN Tracker has a good dock on configuring Netscreen to work with their client config software.
Re: Netscreen Xauth by tji on 2005-07-08 19:55:21 +0200
I tried Xauth with a Netscreen gateway using the "VPN Tracker" demo, and I was able to connect. "VPN Tracker" is not free, but if you need Xauth, it's the only game going right now.
I have a sample config for CheckPoint I have a sample config for CheckPoint by akerem on 2005-01-09 11:23:00 +0100
Hi people, I have at last configured my Checkpoint NG R55 and my Powerbook with IPSecuritas 2.0.6 with certificates. The VPN connection works perfectly. I saw that, in the online help of IPSecuritas, using certificates is missing (and the online help says that it should be updated) so I would like to be the one who updates it. Also in the online help, there are some problems with certificate importing, so I would also like to correct those. Can somebody send me instructions about how to do this? So I can be some help to people ;D Cheers, Kerem
Re: I have a sample config for CheckPoint by Don on 2005-02-11 06:13:48 +0100
Could you please provide a sample of your configuration as well as the process you went through to get it to work. For example did you need to make any changes to the CheckPoint side to get things working or was it just a case of getting all the IPSecuritas settings right? I've worked through all the settings with the CheckPoint firewall manager but have been unable to get things to work. I still don't know how to set the "Proposal Check" in the general tab or the "Local Identifier" or "Remote Identifier" in the Identification section of the ID/Auth tab. Any help would be appreciated. Thanks . . . Don
Symantec Security Gateway with IPsecuritas Symantec Security Gateway with IPsecuritas by matteth on 2005-01-13 10:27:47 +0100
Has anyone been able to use IPSecuritas for VPN with the Symantec 360R, or any other in the 300-series firewalls? Thanks! /Mats
Re: Symantec Security Gateway with IPsecuritas by Chris Liddle on 2005-02-19 02:13:33 +0100
I have the same issue; IPSecuritas Symantec 360R - ? if anyone has this working.
Re: Symantec Security Gateway with IPsecuritas by R Teller on 2005-08-16 19:35:24 +0200
Here is a symantec article on how to set up a 200 series device using vaporsec. I spoke with symantec and they said a few helpful things such as the username should be formatted as an email address and you should have firmware build 922 before starting. Here's the article http://service1.symantec.com/SUPPORT/ent-gate.nsf /6c5cd071f100c71888256ccd0050d548 /3bc9eaa31908580888256e3e004a1d6c?OpenDocument&src=bar_sch_nam As an alternative you may visit http://www.symantec.com/search and type in the following document number 2004021808393554 I will be trying some of the "procedure" today, although from the look of it, they are not alike, lots of digging.
Re: Symantec Security Gateway with IPsecuritas by RT on 2005-08-30 22:37:17 +0200
Tried the Procedure listed on the site and adjusted for differences, but it will not connect, this are the log entries I get when connecting to the firewall [DATE TIME] Connection name - Responding to Aggressive Mode from Remote Peer *CLIENT IP ADDRESS* [DATE TIME] Connection name - ERR:preshared secret disappeared! [DATE TIME] Connection name - STATE_AGGR_R1: AUTHENTICATION_FAILED [DATE TIME] Connection name - state transition function for STATE_AGGR_R0 failed: AUTHENTICATION_FAILED [DATE TIME] Connection name - Sending ISAKMP OAK INFO (Notification IKE SA) [DATE TIME] Connection name - Terminating connection [DATE TIME] Connection name - Terminating connection Am I missing something? I need some assistance on this please. Thank you
Re: Symantec Security Gateway with IPsecuritas by RT on 2005-09-20 22:11:52 +0200
Has anyone had any luck with this, Symantec is most definitely less than helpful. 360 R from tiger, supposedly it worked with vaporware on panther
Re: Symantec Security Gateway with IPsecuritas by RT on 2005-09-26 17:41:55 +0200
Finally broke down and called symantec tech support, wasn't able to get it to work, they finally got to the point where they said "sorry, can't help you" . So, if anyone has any idea how to make this work, It keeps saying the preshared secret has dissapeared in the device log file, and have been able to connect using Symantec's client, please let me know. Thank you.
Re: Symantec Security Gateway with IPsecuritas by ron on 2005-10-10 23:35:12 +0200
use mac ids for this
Re: Symantec Security Gateway with IPsecuritas by jc on 2006-01-29 23:26:09 +0100
Document ID:2005021009270354
Re: Symantec Security Gateway with IPsecuritas by pmossip on 2006-03-16 17:05:20 +0100
The Symantec 200R standard firmware only supports the "keyid" type of client identifier. The Documents on symantec's website where it worked with VAPORSEC were a private 1.7I firmware build where they supported user_fqdn. This user_fqdn support was never added to the regular released firmware updates that are generally available. Currently 1.8F. I have been able to use IPSecuritas to create a skeleton racoon config & then manually switch to using "keyid". -Paul Mossip
Certificate Manager Certificate Manager by Jose on 2005-01-16 04:47:47 +0100
Could any one tell me where is the Certificate Manager. I need to import a watchguard certificate but can't find that manager. Thanks for all your help
Re: Certificate Manager by akerem on 2005-02-02 16:54:56 +0100
You can open Certificate Manager from File > Open Certificates Manager
Source code Source code by Leif Larsson on 2005-02-02 20:21:22 +0100
Hi, Out of curiosity, is the source code available for IPSecuritas ? Cheers, /Leif
Re: Source code by cnadig on 2005-02-10 22:43:27 +0100
It's not... :)
Re: Source code by Ty on 2005-05-06 18:12:42 +0200
If I wanted to help donate features that I wanted (in terms of coding them myself), can I arrange to get the source and do some work on it? I am not interested in releasing the product, but I would like some features and I would be willing to code them myself and then hand them back to you for the next release.
Insert pauses, alternate proxy port, and l2tpd. Insert pauses, alternate proxy port, and l2tpd. by sj7trunks on 2005-02-03 23:22:51 +0100
Hi there, Going through the configs and getting an understanding of whats going on, I see a couple things that work on a Linux machine and not on the OS X. cat ipsecuritas_setkey.conf flush; spdflush; spdadd 1.1.1.1/32 2.2.2.2/32 any -P in ipsec esp/transport /1.1.1.1-2.2.2.2/require; spdadd 2.2.2.2/32 1.1.1.1/32 any -P out ipsec esp/transport /2.2.2.2-1.1.1.1/require; I set the proxy port on the Linux box to [1701] and the connection works fine. spdadd 1.1.1.1[1701] 2.2.2.2 any -P in ipsec esp/transport/1.1.1.1-2.2.2.2 /require; spdadd 2.2.2.2 1.1.1.1[1701] any -P out ipsec esp/transport /2.2.2.2-1.1.1.1/require; ----------It'd be nice to maybe pause the startup so you can manually edit the config and put some configuration variables. Or if you specify MIP6 to ungrey an area where you can specify a UDP proxy port. I've also been able to upgrade the racoon binary but I run into the problem of MIP6 being outdated, another great place to insert a pause to do a replacement of MIP4 to proxy. This might also lead to getting NAT-T working for OS X. On the case of l2tpd, it seems to be running within the client. Is there a way to run this program in stages? I'm only curious because it would help with a lot of debug problems where you can't get further than the limited GUI interface. Any help here is greatly appreciated! Thanks, Benjamin
Re: Insert pauses, alternate proxy port, and l2tpd by cnadig on 2005-02-10 22:56:57 +0100
Hello Benjamin, please get in touch with me on
[email protected] as I'm working on the next release of IPSecuritas and I'd like to discuss ways to integrate your proposals. Christoph
Set kernel keys Problem ? Set kernel keys Problem ? by fmusso on 2005-02-07 20:46:58 +0100
Hi everybody, No way to start a VPN Connection with version 2.06 and MAC OS 10.3.7 here is my log Log output from IPSecuritas 2.0.6 Feb 7 20:43:16 Titanium IPSecuritas: Parsing configuration Feb 7 20:43:16 Titanium IPSecuritas: Setting up racoon.conf Feb 7 20:43:16 Titanium IPSecuritas: Setting up setkey.conf Feb 7 20:43:16 Titanium IPSecuritas: Setting up psk.txt Feb 7 20:43:16 Titanium IPSecuritas: Setting up tunnel.conf Feb 7 20:43:16 Titanium IPSecuritas: Parsing configuration done Feb 7 20:43:17 Titanium IPSecuritas: Starting racoon... Feb 7 20:43:17 Titanium IPSecuritas: Racoon is running Feb 7 20:43:17 Titanium IPSecuritas: Set kernel keys And no more message... I am sure of my VPN configuration. But it is strange : no error message. Any idea ?
Re: Set kernel keys Problem ? by fmusso on 2005-02-07 22:02:04 +0100
does VPN TRACKER make change in my system ?
SonicWALL TZ170W Works SonicWALL TZ170W Works by Eric Kaiser on 2005-02-08 18:12:02 +0100
Here is my current setup. PowerBook G4 10.3.7 and SonicWALL TZ170W with SonicOS Enhanced 2.6.0.4-42e. The connection is through the airport/wireless interface. SonicWALL settings: General: IKE using Preshared Secret on the WLAN GroupVPN
Proposals: IKE (Phase 1) DH Group 2 Encryption 3DES Authentication SHA1 Life Time 28800 seconds Ipsec (Phase 2) Protocol ESLP Encryption 3DES Enable Perfect Forward Secrecy checked DH Group 2 Life Time 28800 seconds Advanced All boxes unchecked Default Gateway 192.168.225.193 (Which is my LAN Gateway) Allow Unauthenticated VPN Client Access: All Interface IP Client Allow Connections to: Split Tunnels Set Default Route as this Gateway checked All other boxes unchecked
IPSecuritas Settings: General Mode Host to Network Remote Ipsec Device 192.168.225.161 (My WLAN gateway) Remote Network 192.168.225.192/27 (My LAN network address/subnet) Local Adress Blank Exchange Mode: Aggressive (only one checked) Proposal Check: Obey Nonce Size: 16 Phase 1 Same settings as on SonicWall Phase 2 Same settings as on SonicWALL Only 3DES checked Id/Auth Local Identifier: Address Remote Identifier: DN (Put the Uniqe Firewall Identifier from the SonicWALL in this box) Preshared Secret: Obviously the Preshared Secret from the SonicWALL Options Check the following Compression Deflate
Re: SonicWALL TZ170W Works by Simon T on 2005-02-10 04:56:01 +0100
Where you using RADIUS auth for this? Is so how do you use the username and password?
Re: SonicWALL TZ170W Works by Eric Kaiser on 2005-02-20 16:24:03 +0100
I was not using Radius Auth. or Xauth for the VPN. However, I do use WPA-EAP for wireless authentication.
Sonicwall 4060 Pro connection problem via DSL Sonicwall 4060 Pro connection problem via DSL by jharris on 2005-02-08 23:46:11 +0100
We are remotely connecting to our network via a Sonicwall 4060 Pro using IPSecuritas v. 2.0.5 in Mac OS X 10.3.x. I can successfully connect to the network from our Comcast Internet connection at work as well as mine from home. We have two remote properties that have an Earthlink DSL connection as a backup solution. We keep getting a "no hash payload" error during the Phase 1 negotiation. All Macs are using the same config settings. They are: General: Host to Network, Aggressive exchange mode, and Claim proposal check, nonce size is 16 Phase 1: Lifetime=9600 seconds, Group 1, Encryption=DES, Authentication=MD5 Phase 2: Lifetime=3600 seconds, PFS Group=None, Encryption=3DES, Authentication=HMAC SHA1 ID/AUTH: Local ID=Address, Remote ID= DN + Sonicwall Unique ID, Authentication by Preshared Secret Options: IPSec/IKE Options enabled-IPSec DOI, Generate Policy, SIT_IDENTITY_ONLY, MIP6, Initial Contact, and DHCP Pass-Through; General Options are Establish IKE immediately I would post a full log, but each time I do I get an error that the message is too long. I will be happy to email the full log if needed. For now only what appears to be the relevant portion is included: Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: isakmp.c:1718:isakmp_ph1resend(): resend phase1 packet 3e2ca792b4de9801:0000000000000000 Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: isakmp.c:233:isakmp_handler(): === Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: isakmp.c:234:isakmp_handler(): 92 bytes message received from 207.59.138.242[500] Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: plog.c:199:plogdump(): 3e2ca792 b4de9801 8cf63ebd ff806252 0b100500 00000000 0000005c 00000040 00000000 0110000e 3e2ca792 b4de9801 8cf63ebd ff806252 00060004 00000000 00040018 0000004e 6f207072 6f706f73 616c2069 73206368 6f73656e Feb 8 16:47:20 user-vc8f15a racoon: DEBUG: isakmp_inf.c:115:isakmp_info_recv(): receive Information. Feb 8 16:47:20 user-vc8f15a racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Feb 8 16:47:20 user-vc8f15a racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Any assistance that can be offered in solving this dilemma would be greatly appreciated. All that the support at Sonicwall can tell me is the the problem is in the Phase 1 configuration. That doesn't seem likely as these settings are working via cable modem.
Sonicwall Enhanced OS using radius Sonicwall Enhanced OS using radius by simon t on 2005-02-10 05:02:43 +0100
Question, I see that the client works with sonicwall enhanced OS group connection; however, does it work with this when you have the user authenticate? If not are their any step by step solutions: i.e. setting up another SA on enhanced OS and allowing the client to connect? In advance, thanks for your help. P.S. great client.
Re: Sonicwall Enhanced OS using radius by Eric Kaiser on 2005-02-20 16:33:36 +0100
Are you referring to using Xauth? If you are, then you have to establish the appropriate user group which will authenticate against the SonicWALL (Local Users and Local Groups) or an external Radius server. This is assuming that IPSecuritas supports Xauth.
Connecting to Linksys RV082 Connecting to Linksys RV082 by Orb on 2005-02-17 00:59:24 +0100
I've been fiddling all day trying to get my Powerbook to connect to my remote RV082. I can connect via PPTP, but getting IPSec to work is not going well. Anyone have a config that works that I can play with. Thank.
Re: Connecting to Linksys RV082 by apelsin on 2005-03-25 19:39:25 +0100
Hi i too have an RV802 i cant get anything to work, Which firmware are you using? Could you send me your settings for pptp? I'll let you know if i can get ipsec to work. Thanks
Netgear FVS318 flakey Netgear FVS318 flakey by Troy Virojana on 2005-02-17 19:07:53 +0100
Hi. I am able to connect to the router, but it stops after 2 to 3 minutes. I have used the same settings as a VPN Tracker client, who doesn't have this problem. It will connect, and I'm in the middle of doing something, and just stop talking. The green checkmark is still there, and no errors come up in the log at that time. The only issue I get when I log on is this. Feb 17 12:01:38 Dhole IPSecuritas: Starting racoon... Feb 17 12:01:38 Dhole IPSecuritas: Racoon is running Feb 17 12:01:38 Dhole IPSecuritas: Set kernel keys line 3: Unknown error at [192.168.1.0] line 3: Unknown error at [10.1.2.3] line 4: Unknown error at [10.1.2.3] line 4: Unknown error at [192.168.1.0] Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(X.X.X.X,500): resolved to multiple address, taking the first one Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(X.X.X.X,500): resolved to multiple address, taking the first one Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(10.1.2.3,0): resolved to multiple address, taking the first one Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(10.1.2.3,0): resolved to multiple address, taking the first one Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.1.0,0): resolved to multiple address, taking the first one Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.1.0,0): resolved to multiple address, taking the first one Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(10.69.69.101,500): resolved to multiple address, taking the first one Feb 17 12:01:38 Dhole racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(10.69.69.101,500): resolved to multiple address, taking the first one add net 192.168.1.0: gateway gif0 as I said, it works, but only for a few minutes. I copied the settings from VPN Tracker, and I used the setup guide from Equinux. The VPN Tracker client has no issue. I moved the key life from 3600 (recommended by Equinux) to 28800 to see if that would help, but it did not. Any ideas? I don't want to buy VPN Tracker if I don't need to, but it seems like that is the only one that works well ALL the time. By the way, I have no problems with IPSecuritas connecting to a sonicwall TZ170 at all.
Re: Netgear FVS318 flakey by Roger Meador on 2005-03-21 15:35:17 +0100
hey, I am having trouble with a 318 as well. Have you had any luck? Roger
VPN established - unable to pass traffic VPN established - unable to pass traffic by Kirk Paulsen on 2005-02-20 06:04:40 +0100
We are trying to establish a VPN between a PowerBook G4 running 10.3.7 and a Netscreen 5GT. This is the only Mac in the organization and I will admit that I know very little about them. We have established the tunnels using Netscreen Remote on the Windows XP laptops and they all work as expected. I have been able to establish the tunnel between the PowerBook and the Netscreen (both logs show the tunnel connected and green checkmark in IPSecuritas) however when I try to ping anything on the LAN behind the firewall - there is complete loss. Is there some special setting for the Mac to know that the traffic is bound for the VPN? These are the settings I currently have for IPSecuritas: General Mode of Operation: Host to Network Remote IPSec Device: 64.x.x.x Remote Network: 192.168.14.0/24 Local Address: 192.168.14.140 (also have tried leaving this blank - same result) Exchange Mode: Aggressive Proposal Check: Obey Nonce Size: 16 Phase 1 Lifetime: 28800 seconds DH Group: Mod1024 (2) Encryption: 3DES Authentication: SHA1 Phase 2 Lifetime: 28800 seconds PFS Group: Mod1024 (2) Encryption: 3DES Authentication: HMAC SHA1 Id/Auth Local Identifier: DN @
[email protected] (found in an article online to preface with @ since we were having trouble in the beginning even establishing the tunnel because the firewall didn't recognize the peer Remote Identifier: blank Preshared Secret: ******** Options Compression Deflate checked (greyed out) IPSec DOI checked SIT_IDENTITY_ONLY checked Initial Contact checked MIP6 checked DHCP Pass-through checked Establish IKE immediately checked all other options unchecked Thanks in advance for any help.
Re: VPN established - unable to pass traffic by Kirk Paulsen on 2005-02-20 21:27:32 +0100
An update for anyone that is trying to do a similar configuration. Took the PowerBook home and everything worked fine when behind a Linksys router. At the office, we were behind our Netscreen and even though none of our PC's had a problem something with the PowerBook and our Netscreen was causing traffic not to be routed or passed correctly. Another note, found while home that the configuration worked best with the Local Address left blank.
Re: VPN established - unable to pass traffic by KJ on 2005-04-14 22:19:20 +0200
I had the same problem with a PowerMac G5 and a bigger Netscreen as well, we solved it with turning on reverse-nat on our VPN policy at the netscreen.
Re: VPN established - unable to pass traffic by Paul on 2005-06-22 02:54:31 +0200
Reverse-Nat? Do you mean nat traversal or incoming NAT translation? Regards, Paul.
Isakmp.c 1361: failed2bind(address already in use) Isakmp.c 1361: failed2bind(address already in use) by Chris Creighton on 2005-03-08 01:22:38 +0100
I am baffled by this as I am clueless as to what address it is referring to. My internal Ethernet address is not the same address that I am trying to reach. But I get this message quickly and it fails to even begin to talk to the remote IKE server. Any ideas? I am behind on a project just because of this simple problem. I am assuming it's simple. This is not an issue of how IPSEC is configured with IPSecuritas, as at times, it works, but at times, I get these errors and it just stops trying, quickly. thanks much ... Chris Mar 2 00:08:40 Chris racoon: DEBUG2: cfparse.y:1354:cfparse(): parse successed. Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1361:isakmp_open(): failed to bind (Address already in use). Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1361:isakmp_open(): failed to bind (Address already in use). Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1384:isakmp_open(): no address could be bound. Mar 2 00:05:31 Chris racoon: ERROR: isakmp.c:1384:isakmp_open(): no address could be bound.
Error Messages Error Messages by Jeremy Brown on 2005-03-09 06:10:11 +0100
Hello, I am trying to connect to a Sidewinder G2 using IPSecuritas. I have received the document from Secure Computing on how to set this up and followed the directions. I am using self-signed certificates, imported in PEM format. I am directly connected to the Internet (not behind a firewall/NAT) and have full outgoing access. I have tested this VPN on Windows with their supplied SoftRemote program and confirmed that the server configuration is correct. I'm stumped, particularly at the messages saying it's resolved to multiple addresses. Any help on this would be *greatly* appreciated. I have google'd for help and come up dry. Here is a log dump (IP's have been censored): Log output from IPSecuritas 2.0.6 Mar 8 21:02:09 jbrown IPSecuritas: Parsing configuration Mar 8 21:02:09 jbrown IPSecuritas: Setting up racoon.conf Mar 8 21:02:09 jbrown IPSecuritas: Setting up setkey.conf Mar 8 21:02:09 jbrown IPSecuritas: Setting up psk.txt Mar 8 21:02:09 jbrown IPSecuritas: Setting up tunnel.conf Mar 8 21:02:09 jbrown IPSecuritas: Parsing configuration done Mar 8 21:02:10 jbrown IPSecuritas: Starting racoon... Mar 8 21:02:11 jbrown IPSecuritas: Racoon is running Mar 8 21:02:11 jbrown IPSecuritas: Set kernel keys line 3: Unknown error at [] line 3: Unknown error at [] line 4: Unknown error at [] line 4: Unknown error at [] Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(,500): resolved to multiple address, taking the first one Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(,500): resolved to multiple address, taking the first one Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(,0): resolved to multiple address, taking the first one Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(,0): resolved to multiple address, taking the first one Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(,0): resolved to multiple address, taking the first one Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(,0): resolved to multiple address, taking the first one Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(,500): resolved to multiple address, taking the first one Mar 8 21:02:11 jbrown racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(,500): resolved to multiple address, taking the first one Mar 8 21:02:11 jbrown racoon: ERROR: isakmp_ident.c:237:ident_i2recv(): ignore the packet, received unexpecting payload type 7. Mar 8 21:02:11 jbrown racoon: ERROR: isakmp_ident.c:237:ident_i2recv(): ignore the packet, received unexpecting payload type 7. Mar 8 21:02:42 jbrown racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP ->
Netgear FVL328 configuration same as FVS328? Netgear FVL328 configuration same as FVS328? by Eric Kelly on 2005-03-18 18:50:22 +0100
Anybody know if the optimal configuration for the FVL328 would be the same as for the FVS328? Thanks, Eric
How To Read Log File How To Read Log File by GLC on 2005-03-19 05:58:00 +0100
If I could understand the log file messages, I would not post a note that says "I tried everything and it still does not work.! I am trying to tunnel in to a Fortigate. I finally have a green checkmark, but when I run Remote Desktop, it cannot see anything. The log file has lots of info, but I do not understand it. Is there a "How to Read The Log File" FAQ somewhere? Thanks!
Re: How To Read Log File by robd on 2005-03-26 14:14:09 +0100
What do these error messages mean? I agree GLC we need some more help so we can help ourselves! Can we get a IPsecuritas wiki? I'd be keen to help.
10.3.80 to IPCOP 1.4.2 10.3.80 to IPCOP 1.4.2 by Rob on 2005-03-25 20:15:25 +0100
I've been following this HOWTO http://www.taupehat.com/vpn/ to get my 10.3.8 machine to connect to an IPCOP firewall v1.4.2 My log output is below. Anyone got any ideas as to why it is going wrong? Log output from IPSecuritas 2.0.6 Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Parsing configuration Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up racoon.conf Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up setkey.conf Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up psk.txt Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up tunnel.conf Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Setting up resolv.conf Mar 25 19:08:24 Rob-Dykes-Computer IPSecuritas: Parsing configuration done Mar 25 19:08:25 Rob-Dykes-Computer IPSecuritas: Starting racoon... Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Racoon is running Mar 25 19:08:26 Rob-Dykes-Computer IPSecuritas: Set kernel keys line 3: Unknown error at [192.168.0.0] line 3: Unknown error at [192.168.10.3] line 4: Unknown error at [192.168.10.3] line 4: Unknown error at [192.168.0.0] Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(80.46.98.226,500): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(80.46.98.226,500): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,0): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,0): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.0.0,0): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.0.0,0): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,500): resolved to multiple address, taking the first one Mar 25 19:08:26 Rob-Dykes-Computer racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.10.3,500): resolved to multiple address, taking the first one Mar 25 19:08:29 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Mar 25 19:08:29 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Mar 25 19:08:48 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Mar 25 19:08:48 Rob-Dykes-Computer racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Mar 25 19:08:58 Rob-Dykes-Computer racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.46.98.226 give up to get IPsec-SA due to
Re: 10.3.80 to IPCOP 1.4.2 by Matt Hodson on 2005-04-15 12:20:24 +0200
Any luck on your problem? I have just got a mac and trying to use securitas to connect as an l2tp road warrior to a smoothwall network, but I get the same errors in the log i.e. line 3: Unknown error at [192.168.111.0] line 3: Unknown error at [192.168.111.31] line 4: Unknown error at [192.168.111.31] line 4: Unknown error at [192.168.111.0] add net 192.168.111.0:gateway gif0 Apr 15 09:39:03 Junta racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo( etc ...... using osx 10.3.8 ipsecuritas 2.0.6 Regards Matt
Re: 10.3.80 to IPCOP 1.4.2 by Tsathul on 2005-04-22 19:26:06 +0200
Similar problems here with OS X 10.3.8 and IPSecuritas 2.0.6. Tried changing to dialup and back to network (read somewhere that this resets some network settings that can get corrupted in OS X 10.3) but that had no effect. So, used the recent combo updater to OS X 10.3.9 and hey! It actually started negotiating with the ZyWALL router at headquarters. Some configuration debugging and then the link was up. IPSecuritas has been out for awhile so it must have worked with earlier versions of OS X 10.3. However there may be something faulty added in 10.3.8 that was fixed in 10.3.9? Or maybe just rebooting solved the problem and the update is a red herring. Regardless, all is not perfect, my connection dropped this morning and now I can't seem to restore it. If it's not one thing it's another.
alias IP address on the Mac alias IP address on the Mac by Thomas on 2005-03-31 12:03:07 +0200
Hi I have successfully managed to get VPN Tracker to work with my Linksys rv082 router despite the fact that my client machine resides behind a NAT firewall. To do this I had to set a virtual ip in VPN Tracker. Does anyone know if a virtual ip adress can be set in IPSecuritas? And if so how?
Strangeness with port 9 at startup... Strangeness with port 9 at startup... by NickBoz on 2005-04-01 06:36:44 +0200
I'm curious about the usage of port 9 by IPSecuritas. When starting the latest version of the application, it immediately tries to contact the various IPSec tunnel destination via port 9 (aka Discard protocol). Since the IPsec destination address is to my firewall's built in IPSec VPN Server, it immediately closes down the socket and blocks the outside IP address I was using. I have the firewall's intrusion detection system turned on. As a result of the close, IPSecuritas fails immediately and contains nothing in its log. Now, I can turn all of this firewall blocking off, but what I don't understand is why this would ever work. Who is going to have a system available on the Internet that will respond to queries on port 9? It is unsafe and clearly not part of the standard specs I have been reading. Furthermore, it prevents IPSecuritas from working at all. If I try the same configuration in VaporSec, I can at least get to the negotiation stage of phase 1. Anyone have any ideas as to why port 9 is used? Can it be turned off? Thanks, Nick
Re: Strangeness with port 9 at startup... by cnadig on 2005-04-11 00:22:24 +0200
Hello Nick, a UDP packet to port 9 is sent to start the key exchange by racoon without this packet, racoon will only start the key exchange and thus establish the tunnel with the first user traffic for the remote network. You can switch this off by disabling the 'Establish IKE immediatly' option in your connection definition. In this case, you need to access the remote network manually to start IKE. Christoph
Tiger compatibility
Tiger compatibility by AaronA1975 on 2005-04-04 19:10:51 +0200
Is the current version of IPSecuritas compatible with Tiger, or will there be an update issued?
Re: Tiger compatibility by Andreas Ley on 2005-04-27 16:04:08 +0200
Seems to work fine on 10.4, Build 8A428. But the Finder still stops responding whenever a connected AFP volume doesn't respond fast enough, which is a pain, but nothing to blame Lobotomo for. :)
Re: Tiger compatibility by jayk on 2005-04-30 09:41:17 +0200
There is a minor incompatibility that I noticed. The 'replace DNS' settings option in preferences no longer works under tiger. It does put the info in the /etc/resolv.conf - but apparantly Tiger ignores that now. I think it has to go into netinfo or something for it to be effective.
Re: Tiger compatibility by UncleRobin on 2005-05-01 01:11:11 +0200
Without a doubt, IPSecuritas is the best VPN client I have used, by far. However it seems like Tiger has crippled it. It works, but it is very sluggish. Ping packets that where taking 40ms to return are now typically 500ms and more if they return. UR
Re: Tiger compatibility by Influence on 2005-05-01 17:02:00 +0200
I've noticed the same issue as UncleRobin: Since upgrading to tiger the latacy went up from 100ms to 1000ms rendering my vpn connection basically unusable (at the very least for interactive applications like ssh). Any idea what's the problem? Thanks, Influence
Re: Tiger compatibility by RotundRanter on 2005-05-02 03:47:42 +0200
I am seeing the same thing, seems connections still work but are really slow, to the point of being unusable. I've noticed it with Windows shares and ssh/sftp. Anyone have a workaround? I could provide Ethereal output if that helps.
NAT-T work ? NAT-T work ? by befek-18 on 2005-04-12 09:49:15 +0200
Hallo, short question. Is here someone with a working nat-traversal enviroment. (Ipsecuritas behind a NAT Router over UDP/4500).
Uwe
Re: NAT-T work ? by Sander on 2005-04-22 22:46:10 +0200
I had the same question and I e-mailed Lobotomo about it. At this moment Mac OS X does not support NAT-T. It will come with Mac OS X Tiger but it only supports one implementation of NAT-T which is probably not compatible with most routers/vpn servers.
Connect to D-Link DFL-200 Connect to D-Link DFL-200 by Essington on 2005-04-23 02:52:50 +0200
I am trying to connect to a D-Link DFL-200, and am getting an error: Invalid exchange type 6 from xxx.xxx.xxx.xxx any idea where I should start mucking around to alleviate this? Any ideas would be most helpful Thanks -jason
Re: Connect to D-Link DFL-200 by dkreutz on 2005-08-20 18:40:46 +0200
I use Ipsecuritas to connect to a DLink DFL-700. On the firewall configure a VPN of roaming-type. Enter local network and preshared secret key. Do not change any of the advanced settings. Ipsecuritas configuration as following: General - Exchange mode: main, Proposal check: claim, Nonce size 16 Phase1 - Lifetime 28800, DH group: Mod1024 (2), Encryption: AES 128, Authentication: MD5 Phase1 - Lifetime 28800, PFS group: Mod1024 (2), Encryption: DES/3DES/AES 128, Authentication: HMAC MD5/HMAC SHA1 ID/Auth - Local identifier: Address, Remote identifier: Address, enter preshared secret key (same as above) Options: Initial contact, Generate policy, MIP6, Establish IKE immediately
IPSecuritas SonicWall Pro 230 IPSecuritas SonicWall Pro 230 by stewymac on 2005-05-01 15:39:12 +0200
Hi folks, I am having troubles getting IPSecuritas 2.0.6 to work with my SonicWall Pro 230 and Mac OS X 10.3.9. I have tried creating a seperate SA and tried using the GroupVPN, but no luck. I was hoping someone could post their Client and firewall config. I have been through the Forums and have tried all the suggestions....any help would be really great. Thanks stewymac
Re: IPSecuritas SonicWall Pro 230 by Guest on 2005-07-28 20:32:07 +0200
Bump to this having same issue with Sonicwall Firmware upgrade 3.1
Tiger Compatibility Tiger Compatibility by cnadig on 2005-05-01 22:22:59 +0200
Hello, there have been a number of user reports on IPSecuritas on Tiger. So far, the following problems have been reported to us: a. Tunnel establishes normal, but throughput is very bad, packet round-trip times (ping) between 500 and 1000ms (on connections with approx 50ms before). This seems to be a bug in the MacOS kernel. b. DNS replacement does not work anymore - the settings are ignored. c. In one case, the tunnel could not be established at all. We are working on problems b. and c., while only Apple can resolve a. At the moment we don't recommend to update to Tiger if you rely on VPN connectivity. More user feedback (positive or negative) is highly appreciated - please include a short summary of your setup (peer device, mode of operation etc.) Any progress will be made public on [url]http://www.lobotomo.com[/url] and in this forum. Thanks, Christoph
Re: Tiger Compatibility by Kevin on 2005-05-02 02:51:47 +0200
I've been hit by a & b. My ping times are 1000ms range (slightly over actually.) For the DNS issue, my resolv.conf does change, but the settings in it are ignored. Kevin
Re: Tiger Compatibility by frogmella on 2005-05-03 13:00:18 +0200
Using IPSecuritas to connect to a CheckPoint SecuRemote VPN. The good news is that IPSecuritas does actually create the connection (this was not working in earlier betas of Tiger). But yes, (a) is a problem although I can SSH to servers within my company, it's slow, and mail.app fails connecting to our Exchange server. I don't use (b) - yet - and haven't done enough testing to see if (c) occurs. Thanks for the excellent work!
Re: Tiger Compatibility by J Mitchell on 2005-05-03 14:39:42 +0200
I can confirm the 1000ms ping time. The tunnel to a gnatbox GB-1000 is established but performance is very poor. Mac OS X 10.4 dual 500. Thanks Jonathan
Re: Tiger Compatibility by Matthias on 2005-05-03 16:42:53 +0200
Same problem here 2.06 with OSX 10.4 Various Macs connection to Checkpoint FW1 Tunnel seems to be working Ping >1000 DNS replacement seems to work because on the commandline the nslookup or dig do work ok, however the Browser does not seem to pickup the DNS Settings. Hope that helps, can provide more details if anybody wants... thanks for the great app, and letґs hope weґll solve this fast... Matthias
Re: Tiger Compatibility by Terry Katz on 2005-05-03 23:14:02 +0200
Same issues here. 1000ms ping times, mostly unuseable. OSX 10.4 on a PM G5 Dual 2.5ghz, and a 17" PB 1ghz connecting to various SonicWall devices. -Terry
Re: Tiger Compatibility by Cid Matrix on 2005-05-04 16:10:39 +0200
Upgraded my PB to Tiger. I'm having issue "c" while attempting to connect to my corporate Sonicwall firewall.
Re: Tiger Compatibility by Andreas Ley on 2005-05-05 00:30:00 +0200
Etablishing a "Host To Network" tunnel to a monowall (http://m0n0.ch/wall) works fine, but I too have the problem with high pings (>1000ms). I thought my WLAN was the cause, but apparently it isn't...
Re: Tiger Compatibility by Craig on 2005-05-05 01:28:35 +0200
Also seeing the (a) & (b) problems connecting from a test system (old 600 mhz G3 iBook) to a Netgear FVX538 in a Host-To-Network configuration. In testing, I noticed that the DNS for "host myserver.mydomain.com" worked most of the time (with the occasional ";; connection timed out; no servers could be reached" because of the lag time.) But when pinging that same name, you get a "ping: cannot resolve myserver.mydomain.com: Unknown host". Thought there might be an issue with lookupd overriding resolv.conf, but the configuration looks the same as in Panther: -------% lookupd -configuration ConfigSource: default LookupOrder: Cache NI DS MaxIdleServers: 4 MaxIdleThreads: 2 MaxThreads: 64 TimeToLive: 43200 Timeout: 30 ValidateCache: YES ValidationLatency: 15 _config_name: Global Configuration LookupOrder: Cache FF DNS NI DS _config_name: Host Configuration LookupOrder: Cache FF NI DS _config_name: Service Configuration LookupOrder: Cache FF NI DS _config_name: Protocol Configuration LookupOrder: Cache FF NI DS _config_name: Rpc Configuration TimeToLive: 60 ValidateCache: NO _config_name: Group Configuration TimeToLive: 300 ValidateCache: NO _config_name: Initgroup Configuration LookupOrder: Cache FF DNS NI DS _config_name: Network Configuration -------A "lookupd -flushcache" didn't help. -ch
Re: Tiger Compatibility
by Craig on 2005-05-05 01:48:37 +0200
Looks like my suspicion about lookupd being the culprit is correct: -------% lookupd -d > hostWithName: myserver.mydomain.com nil > hostWithName: mydomain.com Dictionary: "DNS: host mydomain.com" _lookup_DNS_domain: org _lookup_DNS_server: 192.168.2.1 _lookup_DNS_time_to_live: 3600 _lookup_DNS_timestamp: 1115249859 _lookup_agent: DNSAgent _lookup_info_system: DNS interface: 5 ip_address: 99.99.99.99 name: mydomain.com + Category: host + Time to live: 43200 + Age: 38 (expires in 43162 seconds) + Negative: No + Cache hits: 1 + Retain count: 3 > quit -------192.168.2.1 is the IP address of the wireless router I'm testing with (my host was assigned an IP of 192.168.2.8 ). The 99.99.99.99 is the public address of mydomain.com, not the one returned by the DNS server that sits behind the firewall. The nil response for the server explains why ping isn't happy. Hope this information is helpful. -ch
Re: Tiger Compatibility by Todd I on 2005-05-07 02:00:25 +0200
I am seeing the same thing, with Tiger IPSec through a Linksys WRV54G gateway. PING 10.10.10.9 (10.10.10.9): 56 data bytes 64 bytes from 10.10.10.9: icmp_seq=0 ttl=63 64 bytes from 10.10.10.9: icmp_seq=1 ttl=63 64 bytes from 10.10.10.9: icmp_seq=2 ttl=63 64 bytes from 10.10.10.9: icmp_seq=3 ttl=63 64 bytes from 10.10.10.9: icmp_seq=4 ttl=63
time=293.814 ms time=1093.747 ms time=1095.896 ms time=816.548 ms time=1093.376 ms
Are there any other general MacOS X forums, or Apple www sites, where we should be submitting information about this?
Re: Tiger Compatibility by David on 2005-05-07 07:07:39 +0200
Yup, same here. Ping times are about 1020 ms from a Powerbook G4 to OpenBSD 3.6 gateways running isakmpd. The high delay breaks virtual clients like VNC and Remote Desktop Connection.
Re: Tiger Compatibility by Amanda Walker on 2005-05-10 21:03:00 +0200
Interestingly enough, I'm not seeing any performance difference under 10.4 talking to either FreeBSD 5.3 or a Netscreen firewall. Seems to work fine, with round trip times indistinguishable from running under 10.3.8.
Re: Tiger Compatibility by andreast on 2005-05-11 17:05:57 +0200
Apple can be notified of this bug here: http://www.apple.com/macosx/feedback/ If many of us send them a message, maybe they will do something.
Re: Tiger Compatibility by filipp on 2005-05-14 22:36:22 +0200
Same problem here. Running IPSecuritas on 10.4 to Netgear FVS338 Ping is pretty much exactly 1000 msec over usual (1035 instead of normal 35) Interesting, when i simultaniously ping the Internet IP of the Netgear, the ping times are down to 550, then go back up to 1035 when I stop pinging the public address. / filipp
Re: Tiger Compatibility by atze on 2005-05-16 11:36:02 +0200
i get this on stopping ipsec - the app still runs, seems to be a subprocess: 2005-05-16 11:35:01 +0200 EXC_BAD_ACCESS (0x0001) KERN_INVALID_ADDRESS (0x0001) at 0xc000429b Thread 0 Crashed: 0 removedir + 168 1 removecerts + 52 2 performstop + 52 3 main + 320 4 _start + 380 5 start + 48
Re: Tiger Compatibility by Scott Hander on 2005-05-16 20:28:03 +0200
I upgraded to 10.4 before finding there was a problem with IPSecuritas and 10.4, but I was able to use it with Apple Remote Desktop. The connection was a little odd (it was a little slower than usual and there were several disconnects, but it did work). The connection was a 10.4 system to a remote SonicWall firewall and a server on the other side of the firewall. I thought I would mention this in response to the comments about VNC and MS RDC.
Re: Tiger Compatibility by bluemeanie on 2005-05-17 02:09:22 +0200
It looks like 10.4.1 does nothing to fix the issue. I'm still getting no VPN connection to our OpenBSD server (not even a 1000ms response time). I miss my VPN. :'(
Re: Tiger Compatibility by Draven Weston on 2005-05-17 03:48:39 +0200
I just updated to 10.4.1 and I am seeing a vast improvement in performance with IPSec. Ping times are down to about 20 ms from 1000+ms
Re: Tiger Compatibility by RotundRanter on 2005-05-17 07:26:37 +0200
10.4.1 fixes my problems connecting to a GTA Gnatbox. Pings are back down to 35mS and files transfers once again fill the T1 pipe at work. w00t!
Re: Tiger Compatibility by Matt on 2005-05-17 15:40:58 +0200
Anyone tried this with 10.4.1? Apparently the update has fixed problems with VPNTracker, so fingers crossed... http://www.macnn.com/print/29256
Re: Tiger Compatibility by Dan on 2005-05-17 21:12:10 +0200
Howdy, These ping times are from 10.4.1... 192.168.253.0/24[any] x.x.x.x[any] any in ipsec esp/tunnel/x.x.x.x-x.x.x.x/require spid=16 seq=1 pid=904 refcnt=1 x.x.x.x[any] 192.168.253.0/24[any] any out ipsec esp/tunnel/x.x.x.x-x.x.x.x/require spid=17 seq=0 pid=904 refcnt=1 dhcp-248:~ dan$ ping 192.168.253.2 PING 192.168.253.2 (192.168.253.2): 56 data bytes 64 bytes from 192.168.253.2: icmp_seq=0 ttl=64 time=38.098 64 bytes from 192.168.253.2: icmp_seq=1 ttl=64 time=35.874 64 bytes from 192.168.253.2: icmp_seq=2 ttl=64 time=39.370 64 bytes from 192.168.253.2: icmp_seq=3 ttl=64 time=39.581 64 bytes from 192.168.253.2: icmp_seq=4 ttl=64 time=40.872 64 bytes from 192.168.253.2: icmp_seq=5 ttl=64 time=40.179 64 bytes from 192.168.253.2: icmp_seq=6 ttl=64 time=39.722 64 bytes from 192.168.253.2: icmp_seq=7 ttl=64 time=37.892 64 bytes from 192.168.253.2: icmp_seq=8 ttl=64 time=39.310 64 bytes from 192.168.253.2: icmp_seq=9 ttl=64 time=39.321
ms ms ms ms ms ms ms ms ms ms
Looks like no more latency in 10.4.1
Re: Tiger Compatibility by evilmeanie on 2005-05-18 05:53:39 +0200
Well, I fixed my problem. It was the encryption algorithm used in quick-mode (Phase 2). Out of AES, only AES-128 will allow packets to pass now. Blowfish doesn't work, either. 3DES does work. I didn't try anything else. It seems odd. Why would some algorithms just stop working in Tiger? Should I stick with AES or go 3DES? Or Cast?
Re: Tiger Compatibility by Jayk on 2005-05-18 21:16:57 +0200
Hi all, I have stumbled onto the 'no connection' solution. With IPSecuritas 2.1 and Tiger 10.4.1 - I can get my VPN working again - although I had to adjust my settings a little. I had to disable all but AES128 on the 'phase 2' screen. Prior to Tiger, AES 256 would work, as would blowfish. With 10.4 - having AES 256 enabled would result in no functional connection - IPSecuritas would show the green check, but packets would not pass. Now, AES 128 works and the others do not. Disabling everything but AES 128 worked for me. Hope this helps others get their VPN working again. Jay
Re: Tiger Compatibility by Henrik on 2005-05-23 14:50:25 +0200
Hello, I still have problems with IPsecuritas 2.1 and OS X 10.4.1, connecting to a Linux FreeS/WAN box. The connection has always been established without problems, but when trying to access any machines, it will not. If I ping my VPN IP (that ifconfig states) it just says no route to host. Very strange... Any ideas? Henrik
Watchgaurd Firebox X500 VPN Watchgaurd Firebox X500 VPN by Ben Thomas on 2005-05-13 00:18:10 +0200
Hi, I have been trying for a few months now to connect to a Firebox X500 VPN using VPN Tracker but have had no luck. Are there any particular issues i should be on the lookout for concerning the Firebox X500 and settings in IP Securitas, VPN Tracker or OSX 10.3.9 in general? I am able to connect using the Watchgaurd VPN client using a PC on my existing Airport Wireless network. I have the BSD Subsystem installed and have triple checked passwords and all settings to make sure they are accurate. Thanks for any help, Ben
Re: Watchgaurd Firebox X500 VPN by cnadig on 2005-05-13 23:18:28 +0200
Hello Ben, please send me the ouput from the log window to
[email protected] with the log level set to verbose debug (in IPSecuritas' settings). Please make sure to remove all confidential information like firewall IP address. Christoph
Re: Watchgaurd Firebox X500 VPN by ben on 2005-05-14 03:44:40 +0200
Hi, I sent you a PM but not sure if it went through, is there an email address I can send my log file to? Thanks again, Ben
Re: Watchgaurd Firebox X500 VPN by ben on 2005-05-18 16:45:33 +0200
Hi, Just wondering what the status of my support request is and if you have the time to help me out.. Thanks again
Re: Watchgaurd Firebox X500 VPN by david on 2006-07-04 15:21:37 +0200
Hi all, I'm trying to configure a VPN network with my firebox 500, but i cannot access to Policy Manger->Network->Remote User ! :-( And when i use VPN Wizard, it says "VPN module is not loaded onto the firebox!" I need help, thanks in advance for your help, you can contact by mail
[email protected]
IPSEC vulnerability: advice? IPSEC vulnerability: advice? by tiffert on 2005-05-13 04:16:27 +0200
Having read the NISCC advisory on IPSEC vulnerability, a newbie like me is a little unclear on what to do about it. http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en I wonder if someone could offer configuration advice for IP Securitas that addresses the vulnerability. I have a Linksys BEFVP41 (vers. 1) router. What configuration options should I look at there? TIA!
Re: IPSEC vulnerability: advice? by cnadig on 2005-05-13 23:13:55 +0200
Hello, the advisory describes a possible vulnerability for configurations that don't use encryption and/or authentication. In order to prevent such a configuration, disable Null encryption and Null authentication on the Phase 2 tab in IPSecuritas. These options are meant for debugging purposes of a connection only and I'm thinking of removing them in future releases. Cheers, Christoph
Tiger 10.4.1 OK Tiger 10.4.1 OK by UncleRobin on 2005-05-17 01:49:24 +0200
It appears, at least on my computer, the 10.4.1 update fixes the problem with latency. My ping times are back to normal. :) UR
Re: Tiger 10.4.1 OK by jonathan mitchell on 2005-05-17 10:45:55 +0200
I can confirm that the 10.4.1 update restores the ping time. VNC and RDP client performance back to normal. Jonathan
Juniper Netscreen 25 working config Juniper Netscreen 25 working config by Robert on 2005-05-18 04:57:28 +0200
In case anyone is interested, I got Ipsecuritas to work with my Netscreen 25. I used the documentation on the vpntracker.com site and configured the vpn for use this vpntracker client (tested with the demo version) then simply duplicated most of the settings with ipsecuritas (and did some trial and error for settings that were not shown in vpntracker). Hope this helps someone. Here is the info: I followed the steps in this document to setup the netscreen using the single user setup. http://www.equinux.com/cms_components/us/products/vpntracker/media /files/HowTo_Netscreen_Rev_4.0.pdf General Host to Network Remote Ipsec Device Remote Network Exchnage Mode Aggressive Proposal Check Claim Nonce Size 16 Phase 1 Lifetime 3600 DH Group Mod1024(2) Encryption 3DES Authentication SHA1 Phase 2 Lifetime 28800 PFS Group None Encryption DES and 3DES checked Authentication HMAC MD5 and HMAC SHA1 checked Id/Auth Local Identifier DN Remote Identifier Address Preshared Secret Options Compression Deflate grayed out but checked IPSec DOI not checked SIT_IDENTITY_ONLY checked Verify Identifier not checked Initial Contact checked Passive not checked Generate Policy not checked MIP6 checked Verify Certificate not checked DHCP Pass-through checked Establish IKE immediately checked Auto Start not checked
Re: Juniper Netscreen 25 working config by Andre Knudsen on 2005-12-15 14:23:35 +0100
Thanks I've been looking for this for connection to a few 5GT's and 5XP's
Administrator rights at first startup? Administrator rights at first startup? by Michael Kussmaul on 2005-05-18 21:28:46 +0200
I like IPSecuritas, it works quite well! I only have a quick question, I have not found an answer so far: When I first startup IPSecuritas, it asks me to enter my administrator password, for what operation does it need it? (E.g. which file(s) does it install/alter on the system) many thanks Michael
Re: Administrator rights at first startup? by cnadig on 2005-05-24 12:12:03 +0200
Hello Michael, certain operations require administrator's priviledges (such as changing the routing tables, adding security associations to the kernel and running racoon, the IKE daemon). All of these operations are performed by a background process called vpntool, which needs to have these priviledges in order to acquire them, the administrator's password is queried the first time it runs (please note that this is part of the authentication and authorisation framework of MacOS X - the password is not stored by nor is it even visible to IPSecuritas). Christoph
D-Link DI-804HV Compatability? D-Link DI-804HV Compatability? by hammer32 on 2005-05-20 14:45:58 +0200
Does anyone have any tips for configuring ISSecuritas with a D-Link DI-804HV router? Thanks! -Sean
Re: D-Link DI-804HV Compatability? by Mikael on 2005-10-18 14:27:01 +0200
Had a try, but didn't make it. Does not say it doesn't work, but it is, apparently, not a straightforward setup. I will be trying something else...
Re: D-Link DI-804HV Compatability? by hammer32 on 2005-10-18 15:24:12 +0200
I tried VPNTracker, they didn't have one to test, but I was able to set it up and have used it while on the road for several months. So far so good!
Re: D-Link DI-804HV Compatability? by Randall on 2006-02-11 06:51:32 +0100
[quote]Does anyone have any tips for configuring ISSecuritas with a D-Link DI-804HV router?[/quote] Has anybody found a setup since? I feel like I'm close, but it's not working..
Re: D-Link DI-804HV Compatability? by Randall on 2006-02-19 00:18:31 +0100
[quote author=Randall link=1116593158/0#3 date=1139637092] Has anybody found a setup since? I feel like I'm close, but it's not working.. [/quote] I got mine working (with two different DI-804HV's, actually). I think I had the remote network address and subnet a little mixed up and that was preventing success. Everything's good now, with a Rev A1 box with FW 1.40 and and a Rev C1 box with FW 1.42. If anyone needs help, post here and I'll try to provide a little writeup. Randy
Re: D-Link DI-804HV Compatability? by Red on 2007-01-09 20:49:06 +0100
I have an 804 at home and an 808 at the office, I would like to use them with IPSecuritas. Your setup tips would be very much appreciated. The D-Link docs are worthless. I had a Trendnet VPN router before and it had MUCH better documentation and configuration. Fairly easy to set up with IPSecuritas. The Trendnet just didn't jive with the Riverstone/Lucent fiber-backbone router we connect to and finally went nuts. We have a SonicWall Firewall/VPN appliance in the server room, also no problems with IPSecuritas on that. Great app.
AH Only configuration using ipsecuritas? AH Only configuration using ipsecuritas? by Terr-Oz on 2005-05-31 21:47:38 +0200
Has anyone been able to configure ipsecuritas for this setkey policy? ah/transport/src-dst/require; ? IPSecuritas appears to only configure racoon for esp.
Re: AH Only configuration using ipsecuritas? by cnadig on 2005-06-07 08:37:45 +0200
Hello, IPSecuritas does not support AH at the moment as I thought it was pretty much obsolete. However, if the demand for AH is here, I think about implementing it in the next major release. Christoph
Re: AH Only configuration using ipsecuritas? by tji on 2005-07-08 20:02:53 +0200
Terr-Oz: Many VPN devices don't support AH.. Instead, they use ESP with NULL encryption, effectively achieving the same thing as AH. One of the major reasons AH is not used is because Network Address Translation (NAT), used on just about every broadband gateway, breaks AH. ESP works through NAT, so more people use it.
IPSecuritas connectivity to SonicWall TZW IPSecuritas connectivity to SonicWall TZW by George Zervakos on 2005-06-03 15:43:14 +0200
Hello, I was wondering if anyone has been successful in setting up a VPN tunnel from Mac OS X with IPSecuritas to a SonicWall TZW or something similar? I have been successful in getting the tunnel negotiation to succeed (at least that's what logs on both ends would lead me to believe); I get a green arrow in the IPSecuritas interface after hitting start ipsec, and I also see a green icon LED in the SonicWall's GUI and a log entry stating that Phase 2 has been successfully completed. The problem comes in when I want to ping something (from the Mac) that is on the LAN interface of the SonicWall. It seems that packets are not getting sent through the tunnel at all. I see no entries in the SonicWall's logs. I have put the SonicWall LAN subnet as the destination network in IPSecuritas. I might add that the Mac is behind a firewall and has a private IP that gets NATted to a public IP. Will this scenario work with the NAT or does the Mac need to have the private IP making it the edge device? Does anyone have any troubleshooting ideas or places where I could look for some help? Thanks, George
Re: IPSecuritas connectivity to SonicWall TZW by cnadig on 2005-06-07 08:46:03 +0200
Hello, most modern NAT routers support IPSec-Passthrough of at least one IPSec tunnel, so this is probably not your problem - of course a direct connection to the internet at least for tests would rule this out. Another problem might be an address conflict between your local addresses and the network your trying to reach - is your local address within the remote network range? Another problem could be that the remote firewall will not route private addresses (other than the ones configured), so you might want to try entering a different IP address into the Local Address field on the General tab in IPSecuritas (your machine will then appear at this address for the remote machines - if the field is empty, your default interface's address is used instead). There's also some problems with the new AES implementation in Tiger, I'd recommend 3DES for best compatibility. Christoph
Re: IPSecuritas connectivity to SonicWall TZW by George Zervakos on 2005-06-09 22:58:20 +0200
Hello, I did a tcpdump on the Mac OS X and I see that traffic bound for the remote network is getting encapsulated in ESP. The thing is, I'm running Mac OS X on a PC in a program called PearPC. In order to get networking in PearPC, I had to share my PC's LAN connection and assign a private IP to the Mac OS X. What happens is the Mac OS X has a 192.168.0.0 IP and my PC has a 10.0.0.0 IP. While I can access the Internet from PearPC using Safari for example, ESP packets are not getting passed along from my PC out to the internet. The Mac IP is getting NATted by my PC whose IP is in turn getting NATted by my firewall. There are no address conflicts with the VPN domains; these are distinct subnets. Geirge
Immediate Red X Immediate Red X by Kevin Mader on 2005-06-03 16:43:05 +0200
I am trying to setup a connection to a SonicWALL TZ 170 -SP Wireless and I think I know all the correct settings, but when I put them in a red X apears next to my connection icon before I even have time to connect. The log is empty because all I have done is edit the connection. Thank you
Checkpoint and IPSecuritas Checkpoint and IPSecuritas by Art_of_Noise on 2005-06-04 21:42:14 +0200
Hi everybody, I'm trying to connect to my work network (firewall : Checkpoint). I'm using a powerbook with Mac OS 10.4.1. My preferences are "host to network" and the authentification is by address and preshared key. The light becomes green, but I can't check my network. Here are the last of the log. All seems to be okay, but when I test the connection (for example making a traceroute), the text "msg 4 not interesting" is added in the log. Can anybody help me ? Thanks a lot in advance. Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG: pfkey.c:1117:pk_recvupdate(): pfkey UPDATE succeeded: ESP/Tunnel 217.167.X.X->82.227.X.X spi=147717185(0x8cdfc41) Jun 4 21:18:28 Ordinateur-de-MY racoon: INFO: pfkey.c:1124:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 217.167.X.X->82.227.X.X spi=147717185(0x8cdfc41) Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG: pfkey.c:1162:pk_recvupdate(): === Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ADD message Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG2: plog.c:199:plogdump(): Jun 4 21:18:28 Ordinateur-de-MY racoon: INFO: pfkey.c:1351:pk_recvadd(): IPsec-SA established: ESP/Tunnel 82.227.X.X->217.167.X.X spi=2149506554(0x801eddfa) Jun 4 21:18:28 Ordinateur-de-MY racoon: DEBUG: pfkey.c:1356:pk_recvadd(): === Jun 4 21:19:22 Ordinateur-de-MY racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 4 not interesting
Re: Checkpoint and IPSecuritas by cnadig on 2005-06-07 08:35:09 +0200
Hello, are you by any chance using AES256 or AES192 for encryption? The AES encryption in 10.4 is not compatible wuith checkpoint's implementation anymore. Use 3DES for best compatibility (AES128 seems to work in some cases, so you might want to try this as well). Christoph
Re: Checkpoint and IPSecuritas by Art_of_Noise on 2005-06-07 08:54:00 +0200
[quote author=cnadig link=1117914134/0#1 date=1118126109]Hello, are you by any chance using AES256 or AES192 for encryption? The AES encryption in 10.4 is not compatible wuith checkpoint's implementation anymore. Use 3DES for best compatibility (AES128 seems to work in some cases, so you might want to try this as well). Christoph[/quote] Thanks for your response. But I'm already using 3DES for encryption in phase 1 and phase 2.
Re: Checkpoint and IPSecuritas by tji on 2005-07-08 19:59:12 +0200
There are also dependancies on the gateway configuration.. If the administrator has enabled the client integrity checking features (where it checks to make sure the host OS is patched up to date, antivirus is running, etc.) it will only work with the Check Point client (SecureClient). If the administrator turns that feature off, IPSecuritas will work fine.
Also, Check Point (finally) released their MacOS X VPN client not too long ago. So, you may want to try that one out instead.
Re: Checkpoint and IPSecuritas by MikeyG_U2 on 2005-07-12 18:42:42 +0200
I don't mean to jack your thread, I'm just hoping that by posting my problem in your thread we might both find a solution... I've also been having trouble accessing our Checkpoint VPN. I'm running Tiger so the SecureClient doesn't work for me yet. I've followed all the setup guides for both IPSecuritas and the Checkpoint firewall itself, but still can't create a connection. The little red 'X' is all I get. I'm using IPSecuritas 2.1(on Mac OS 10.4.1) and I've tried enabling only the security protocols mentioned earlier in this topic. I admit that I am new to IPSecuritas, only attempting to make it work after I upgraded to Tiger and broke the SecureClient. So I've never had IPSecuritas working. If anyone has any suggestions, I would greatly appreciate it. In case it helps, here is my most recent connect log, I'm not getting nearly as far as Art_of_Noise...
Log output from IPSecuritas 2.1 Jul 12 11:15:06 mailman IPSecuritas: Parsing configuration Jul 12 11:15:06 mailman IPSecuritas: Setting up racoon.conf Jul 12 11:15:06 mailman IPSecuritas: Setting up setkey.conf Jul 12 11:15:06 mailman IPSecuritas: Setting up psk.txt Jul 12 11:15:06 mailman IPSecuritas: Setting up tunnel.conf Jul 12 11:15:06 mailman IPSecuritas: Parsing configuration done Jul 12 11:15:07 mailman IPSecuritas: Starting racoon... Jul 12 11:15:08 mailman IPSecuritas: Racoon is running Jul 12 11:15:08 mailman IPSecuritas: Set kernel keys Jul 12 11:15:08 mailman racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed. Jul 12 11:15:08 mailman racoon: DEBUG: isakmp.c:1592:isakmp_open(): 192.168.69.69[500] used as isakmp port (fd=8) Jul 12 11:15:08 mailman racoon: DEBUG: isakmp.c:1610:isakmp_open(): 192.168.69.69[4500] used as nat-t isakmp port (fd=9) Jul 12 11:15:08 mailman racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message Jul 12 11:15:08 mailman racoon: DEBUG2: plog.c:199:plogdump(): Jul 12 11:15:08 mailman racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory Thanks in advance for any assistance. -Mike
Re: Checkpoint and IPSecuritas by Art_of_noise on 2005-07-29 10:20:32 +0200
Hi everybody, Finally I got the green check... The Smartdashboard configuration was not correct (checkbox agressive not checked). In the Smartdashboard tool, open the line of your extern access, click on the left on VPN, then on the "traditional mode configuration button". Be sure checking all the option to match the options choosen in IPSecuritas (don't forget the "advanced" button"). Hope this help Kinds regards
Re: Checkpoint and IPSecuritas by Art_of_noise on 2005-08-01 19:29:03 +0200
Well, another point of study ! All is currently OK in direct access, but I would use the routing functionnality on my modem. When I active this functionnality, I get the green check, but I can't ping anything. I currently use the "network to network" mode of operation. Here are the router properties, I'm not sure of these ports (IP of my computer : 192.168.0.1 ; IP of the modem : 192.168.0.254) : Port: 500 - Protocole: udp - Destination: 192.168.0.1 - Port: 500 Port: 500 - Protocole: tcp - Destination: 192.168.0.1 - Port: 500 Port: 264 - Protocole: tcp - Destination: 192.168.0.1 - Port: 264 Port: 265 - Protocole: tcp - Destination: 192.168.0.1 - Port: 265 Port: 266 - Protocole: tcp - Destination: 192.168.0.1 - Port: 266 Port: 3389 - Protocole: tcp - Destination: 192.168.0.1 - Port: 3389 Port: 9 - Protocole: udp - Destination: 192.168.0.1 - Port: 9 Port: 9 - Protocole: tcp - Destination: 192.168.0.1 - Port: 9
Can anybody help me ? Thanks in advance for any help. P.S. The Tiger version of the Checkpoint VPN client will not arrive before 6 months, dixit the Checkpoint support !!!
Re: Checkpoint and IPSecuritas by VPNmac on 2005-08-06 23:05:30 +0200
I am also trying to get IPSecuritas 2.1 on Mac OS X at home to work with CheckPoint VPN at my University. After configuring and clicking the Start IPSec button, I get: IPSec startuo failed. The log just says: Log output from IPSecuritas 2.1 Could someone post screen captures of a configuration that works with CheckPoint? Any help most appreciated.
Re: Checkpoint and IPSecuritas by VPNmac on 2005-08-07 02:14:10 +0200
OK, I can get IPSecuritas to start now, but the connection gets a red cross on the right. The log says: ----------------Log output from IPSecuritas 2.1 Aug 7 02:09:22 Mac IPSecuritas: Parsing configuration Aug 7 02:09:22 Mac IPSecuritas: Setting up racoon.conf Aug 7 02:09:22 Mac IPSecuritas: Setting up setkey.conf Aug 7 02:09:22 Mac IPSecuritas: Setting up psk.txt Aug 7 02:09:22 Mac IPSecuritas: Setting up tunnel.conf Aug 7 02:09:22 Mac IPSecuritas: Parsing configuration done Aug 7 02:09:23 Mac IPSecuritas: Starting racoon... Aug 7 02:09:23 Mac IPSecuritas: Racoon is running Aug 7 02:09:23 Mac IPSecuritas: Set kernel keys Aug 7 02:09:23 Mac racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. Aug 7 02:09:23 Mac racoon: ERROR: isakmp_inf.c:142:isakmp_info_recv(): ignore information because the message has no hash payload. ----------------------Any feedback most welcome.
Re: Checkpoint and IPSecuritas by VPNmac on 2005-08-07 02:16:44 +0200
More from the log: -----------Aug 7 02:09:55 Mac racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 150.214.231.234->172.26.0.2 Aug 7 02:09:55 Mac racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 150.214.231.234->172.26.0.2 Aug 7 02:11:23 Mac racoon: ERROR: isakmp.c:1706:isakmp_ph1resend(): phase1 negotiation failed due to time up. 3c45f68e73644412:f9fbeadda5cbbeda Aug 7 02:11:23 Mac racoon: ERROR: isakmp.c:1706:isakmp_ph1resend(): phase1 negotiation failed due to time up. 3c45f68e73644412:f9fbeadda5cbbeda ---------------------
Re: Checkpoint and IPSecuritas by VPNmac on 2005-08-24 22:59:38 +0200
This is what I get with IPSecuritas 2.1 on Mac OS X 10.4.2: A red cross and the following log. Any help most appreciated. -------Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Parsing configuration Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Setting up racoon.conf Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Setting up setkey.conf Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Setting up psk.txt Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Setting up tunnel.conf Aug 24 22:55:16 peters-power-mac-g4-agp-graphics IPSecuritas: Parsing configuration done Aug 24 22:55:17 peters-power-mac-g4-agp-graphics IPSecuritas: Starting racoon... Aug 24 22:55:17 peters-power-mac-g4-agp-graphics IPSecuritas: Racoon is running Aug 24 22:55:17 peters-power-mac-g4-agp-graphics IPSecuritas: Set kernel keys Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed. Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG: isakmp.c:1592:isakmp_open(): 192.168.1.2[500] used as isakmp port (fd=8) Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDADD message Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG2: plog.c:199:plogdump(): Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff980: 192.168.1.2/32[0] 150.214.110.0/24[0] proto=any dir=out Aug 24 22:55:17 peters-power-mac-g4-agp-graphics racoon: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306568: 150.214.110.0/24[0] 192.168.1.2/32[0] proto=any dir=in Aug 24 22:56:18 peters-power-mac-g4-agp-graphics IPSecuritas: Flushing kernel keys Aug 24 22:56:18 peters-power-mac-g4-agp-graphics IPSecuritas: Stopping racoon... Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDFLUSH message Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG2: plog.c:199:plogdump(): Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: INFO: session.c:331:check_sigreq(): caught signal 15 Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey FLUSH message Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG2: plog.c:199:plogdump(): Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: INFO: session.c:331:check_sigreq(): caught signal 15 Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey FLUSH message Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG2: plog.c:199:plogdump(): Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: INFO: session.c:331:check_sigreq(): caught signal 15 Aug 24 22:56:18 peters-power-mac-g4-agp-graphics racoon: DEBUG:
Only two connection at a time? Only two connection at a time? by Alexander Barton on 2005-06-07 20:32:15 +0200
Hi! I'm using IPSecuritas 2.1 on Mac OS X 10.4.1 and it works great! Thank you guys! But I'm only able to establish at least two simultanous connections at a time, if I select more IPSecuritas fails. All individual connections do work ok. Am I doing something wrong or is this is limitation of IPSecuritas and/or Mac OS X? Thanks! Alex
How to get connected through a Trustgate How to get connected through a Trustgate by Thomas Hoffmann on 2005-06-08 11:52:42 +0200
Hello YABBs I' ve the problem How To Connect to a Trustgate 232R I'd tried everything but it dind't work. I cannot pass Phase I The Trustgate Config VPN Peers Peer Name ( Remote ID): 192.168.200.203 Public IP Address : 0.0.0.0 Dynamic IP : empty - Pre-Shared-Key - ID Type : Domain Name - Encryption Algo. : AES - Hash Algo : SHA1 - Deffie-Hell.: 2 (1024 bits) - Perfect Forward Sec.: On IPSecuritas Config General - Mode of Op. : Host to Network - Remote IPsec Device: Public IP of the Trustgate - Remote network: 192.168.5.0 / 24 - Local Address: 192.168.200.203 - Exchange Mode: Main - Proposal Check : Claim Nonce Size 16 PH1 - Lifetime : 28800 sec - DH Droup: Mod1024 (2) - Encryption: AES 128 - Authentication: SHA1 PH2 - Liftime: 28800 sec - PFS Group: Mod1024 (2) - Encryption: AES128 - Authentication: HMAC SHA1 Id/Auth - Local Identifier: DN 192.168.200.203 - Remote Identifier: Address - Authentication: Pre-Shared-Secret (Filled in as ASCII) Options - IPSec DOI: Y - SIT_IDENTITIY_ONLY:Y - Verify Identifier: N - Initial Contact: Y - Passive: N - Generate Policy: N - MIP6: Y - Verify Certificate: N - DHCP-Pass-Through:Y - Establish IKE Immediatly: Y - Auto Start: N
Re: How to get connected through a Trustgate by Thomas Hoffmann on 2005-06-08 22:15:50 +0200
:) :) :) :) :) If got the Solution iv any one has Problems Connection Mac though Trustgate ask me ;D
IpSecuritas and Zyxel P334WT IpSecuritas and Zyxel P334WT by jayjhunski on 2005-06-10 08:56:02 +0200
is there anyone out there that has successfully established a VPN connection using IPsecuritas and a Zyxel P-334WT wireless router. I'm using Mac OSX 10.3.9. In particular, I'm in need of configuration pointers for both the router and IPSecuritas. I have a static IP address assigned to my router and a 2nd one mapped using NAT to a private IP address on one computer in the office. any help would be greatly appreciated! :)
Re: IpSecuritas and Zyxel P334WT by DDA on 2006-01-31 23:34:58 +0100
I'd love an answer to this, too. I just got a P-334wt and have been totally unsuccessful in getting any kind of VPN going. :-(
Re: IpSecuritas and Zyxel P334WT by DDA on 2006-02-13 16:10:35 +0100
I *was* able to get a connection to the P-334wt when I hung it off my local LAN for testing. I used Host-to-Host (Tunnel), Aggressive with the WAN IP of the p-334wt as Remote IPSexc device and the LAN IP of the P-334wt for Remote Address in General, 3DES, SHA1 and DH2 for Phase 1, 3DES, SHA1 no PFS for Phase 2 and DN (email address) for Authentication with Preshared Secret. The tunnel terminated in the LANIP for the P-334wt and I was able to connect and use the web interface to verify the tunnel. When I tried it with my Mac behind NAT, it failed, leading me to believe that the NAT-T part of OS X is not working (as others have claimed). But I didn't try very hard because the single LANIP tunnels of the P-334wt aren't really what I want; I'm replacing it with a Netgear FWG114p. I've set that up on the local LAN and tested it with Host-to-Network and it works fine. Next I'll try it from work behind NAT routers and see how that goes. I hope this helps.
netgear fvs318 NAT-T and Tiger netgear fvs318 NAT-T and Tiger by waldo on 2005-06-11 07:38:03 +0200
has anyone had any luck using ipsecuritas 2.1 on 10.4.1 to connect to a netgear fvs318 with nat traversal? if yes, feel like sharing the recipe? if no, any suggestions? thanks!
Re: netgear fvs318 NAT-T and Tiger by Cameron Wilhelm on 2005-07-05 21:25:08 +0200
I'm trying to essentially do this same thing, and I can't seem to get it to connect. I'm relatively new to VPN and I've tried everything I can think of from allowing just me to connect, to attempting to allow the world to connect. Worse, I can seem to get any useful info from any logs. Nothing shows in the IPSecuritas log This is all that shows on the 318 side: [2005-07-05 11:22:45]**** RECEIVED FIRST MESSAGE OF AGGR MODE **** [2005-07-05 11:22:45] PAYLOADS: SA [2005-07-05 11:22:45]SENDING NOTIFY MSG: [2005-07-05 11:22:45]INVALID_ID_INFORMATION [2005-07-05 11:22:45]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE **** [2005-07-05 11:22:45] PAYLOADS: NOTIFY Anyone have any ideas? Thanks. -Cameron Wilhelm
Re: netgear fvs318 NAT-T and Tiger by jmizoguchi on 2006-01-29 19:51:37 +0100
if your FVS318 v2.4 then I have soluton at vpncasestudy.com
moving IPsecuritas configuration around moving IPsecuritas configuration around by maq on 2005-06-15 14:23:20 +0200
HI, I'm using IPSECURITAS with Netscreen 25. Works fine and really easy to configure. My question iis what iis the quickest and easiest way to move a config from one computer to another? Is there a way to export the config into one file? Or maybe copy the configuration files to the other computer? Where are the configuration files? Thanks for your help
Mounting samba share over VPN connection w/ Tiger Mounting samba share over VPN connection w/ Tiger by Mike on 2005-06-15 17:04:49 +0200
The latest version of IPSecuritas + Tiger 10.4.1 seems to have fixed the ping time issues. Has anyone else had issues with attempting to browse shares on the network after connecting to the VPN? Previous to Tiger I had no issues with browsing file shares on the remote system (Apple Server 10.3), now I get spinning beachballs when attempting to browse shares. Thanks in advance. Mike
Re: Mounting samba share over VPN connection w/ Ti by Jim Collis on 2005-06-30 21:17:04 +0200
I have experienced the same issue. I had the same issue when I upgraded to Tiger and was directly connected to my network. I cleared that issue by deleting my keychain containing the server password. I tried that over my VPN and unfortunately that did not work.
Re: Mounting samba share over VPN connection w/ Ti by tji on 2005-07-08 19:52:17 +0200
I have manually connected to samba file shares via VPN with tiger. But, I have not browsed networks.. I believe the SMB browsing relies on broadcasts on a local LAN, which would not work over a VPN (broadcasts don't go beyond subnets). But, you may be able to configure a WINS server in the samba config, to point to the samba "name server" and find hosts over the VPN (I've never tried that, but it might be worth checking out).
Re: Mounting samba share over VPN connection w/ Ti by rnoranbrock on 2005-07-28 07:14:47 +0200
Any tips on how to "configure a WINS server . . . " I'm not sure I understand what you've suggested. Previous to 10.4.2, at least, I was able to connect to a Windows 2000 file server and mount shares over the VPN. Now, spinning beachballs. The share appears to mount to the desktop, but then it never shows any files and just hangs the Finder. -Randy
Re: Mounting samba share over VPN connection w/ Ti by Derek on 2005-08-25 15:19:37 +0200
[quote author=Mike link=1118847889/0#0 date=1118847889]The latest version of IPSecuritas + Tiger 10.4.1 seems to have fixed the ping time issues. Has anyone else had issues with attempting to browse shares on the network after connecting to the VPN? Previous to Tiger I had no issues with browsing file shares on the remote system (Apple Server 10.3), now I get spinning beachballs when attempting to browse shares. Thanks in advance. Mike [/quote]
Browsing shares is apparently a known issue. If you check your console.log when this happens, you'll see tons of error messages, with an additional note that you should report it as a bug, similar to these: bug: ecnt = 33, but m_len = 0 and m_next = 0 (please report) I emailed the makers of VPNTracker (Equinux) a few weeks ago and they confirmed the problem to me with their product, so it's not restricted to IPSecuritas. Apple has received at least two bug reports on the issue (one from me, one from Equinux), so hopefully this finally gets resolved with the next update...
Re: Mounting samba share over VPN connection w/ Ti by Jim Collis on 2005-09-03 08:03:44 +0200
I have been told by the tech support folks at Equinux that this is a know bug in Tiger 10.4.2 in how SMB handles packets over the vpn. Until apple fixes this problem there is no way around it. They said the entire SMB stack was rewritten for Tiger and all the issues with Microsoft networking aren't fixed. They were hopeful, but not encouraging, that this might be fixed in 10.4.3 or 10.4.4. Not an exciting answer.
Re: Mounting samba share over VPN connection w/ Ti by rnoranbrock on 2005-11-01 05:59:20 +0100
Any word on whether the 10.4.3 update corrects the above problem? -Randy
Re: Mounting samba share over VPN connection w/ Ti by Brian on 2005-11-01 15:54:53 +0100
10.4.3 did not fix the issue on our systems. >:( We get the same 'please report' errors.
Re: Mounting samba share over VPN connection w/ Ti by Tsathul on 2006-01-20 02:32:40 +0100
Problem appears still to be there under 10.4.4. Lots of "kernel[0]: bug: ecnt = 32, but m_len = 0 and m_next = 0 (please report)" entries in /var/log /system.log, and the Finder hangs repeatedly necessitating relaunch. How long can this go on?
Re: Mounting samba share over VPN connection w/ Ti by chuck_theobald on 2006-02-09 21:11:18 +0100
Yes, I can confirm this problem under 10.4.4 with VPN Tracker 2.2.6. Supposedly, this version of VPN Tracker does not work with Tiger, but it works for me. I am able to get all sorts of connectivity except SMB browsing, either through the Finder, or trying to see the contents of a volume mounted with mount_smbfs. Waiting for the next apple to drop...
Re: Mounting samba share over VPN connection w/ Ti by rnoranbrock on 2006-05-10 00:09:04 +0200
Any happiness with browsing SMB shares over VPN connection under 10.4.6? Will this ever be fixed? -R
Re: Mounting samba share over VPN connection w/ Ti by chuck_theobald on 2007-12-24 20:01:28 +0100
I can confirm that this is still broken in 10.4.11 using IPSecuritas 3.0, build 1693. Connecting (Cmd-K) to a Samba server through the VPN connection allows authentication and selection of the share, but Finder then goes out to lunch with the pinwheel of death. I can still browse to a Windows-based SMB server within my own network (not through the VPN) and all works fine. I found a message on the Samba site (http://lists.samba.org/archive/samba /2005-July/108903.html) that seems to indicate that this is limited to the Tiger-Samba-VPN combination (note that this would include the Samba-based OS X SMB server). I do not have a Windows-based SMB server on the other side of the VPN to test this for myself, though. In my system.log I get some 24 messages each second: Dec 24 10:38:05 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:05 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 33, but m_len = 0 and m_next = 0 (please report) Dec 24 10:38:06 chuck-theobalds-powerbook-g4 32, but m_len = 0 and m_next = 0 (please report)
kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt = kernel[0]: bug: ecnt =
CPU and memory usage? CPU and memory usage? by Me Here on 2005-06-17 21:52:37 +0200
Using IPSecuritas 2.1 on Mac OS X 10.3.9 on a 1GHz powerbook connecting via Airport to an IPCop box. Top lists CPU usage as at least 50%, usually closer to 70%+ just sitting idle (no network activity besides IPSec stuff itself), and RSIZE of 96M and VSIZE of 960M when IPSecuritas is up for any length of time. Needless to say, system slows to a crawl, and it may literally take over a minute to switch applications or close applications with alot of disk swap activity. Anyone else experience something similar? Any suggestions? Thanks.
Re: CPU and memory usage? by Me Again on 2005-06-17 23:06:41 +0200
I think I found the answer to my own problem. Posting just in case someone makes the same mistake... It seems that I changed the log level in IPSecuritas to DEBUG about a week ago when I was initially setting it up, and never changed it back. Well my system.log was up to nearly 3GB :o and IPSecuritas didn't play well because of that. Turned it back to Normal logging and cleared system.log and all seems well. 0% CPU and RSIZE of 16M. I'll let it run for a while and see how it goes, but it seems all better.
IPSecuritas and Smoothwall IPSecuritas and Smoothwall by paschke on 2005-06-21 00:52:44 +0200
Hi, Has anyone had any success getting IPSecuritas and Smoothwall VPN to talk to each other? I am using IPSecuritas 2.1 on Tiger (10.4.1) and trying to talk to a Smoothwall 3.1 VPN gateway. Using certificates for authentication... I successfully loaded the certificates and get some progress in the logs, but it always seems to die with the following two lines in the log: Jun 20 18:49:28 ashnazg racoon: ERROR: isakmp_inf.c:847:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Jun 20 18:49:28 ashnazg racoon: DEBUG: isakmp_inf.c:869:isakmp_info_recv_n(): notification message 9:INVALIDMESSAGE-ID, doi=1 proto_id=1 spi=(size=0). Does anyone have any clues? Thanks! Matt Paschke
Newbie looking for help Newbie looking for help by Tacitus on 2005-06-22 10:21:46 +0200
Hi all, I am a newbie to VPN and am trying to connect from home using a PBk G4 running 10.3.9 (D-Link 504 with VPN passthrough) to a small office network. The office fortunately runs on Macs also with 10.3.9. Sorry this ia a bit long but here goes http://www.lobotomo.com/yabb/YaBBImages /smiley.gif IP securitas on PBk details: General Mode of Operation: Host to Network Office IPSec Device (Router/firewall): 64.x.x.x Office Network: 192.168.1.1/24 Local Address (in office): 192.168.1.21 Exchange Mode: Main Proposal Check: Claim Nonce Size: 16 Phase 1 Lifetime: 28800 seconds DH Group: Mod768 (1) Encryption: DES Authentication: MD5 Phase 2 Lifetime: 3600 seconds PFS Group: None Encryption: DES & 3DES Authentication: HMAC SHA1 & HMAC MD5 Id/Auth Local Identifier: 192.168.1.21 (This is the machine in the office) Remote Identifier: blank Preshared Secret: *** Options Compression Deflate checked (greyed out) IPSec DOI checked SIT_IDENTITY_ONLY checked Initial Contact checked MIP6 checked DHCP Pass-through checked Establish IKE immediately checked all other options unchecked IP Sec appears to be running but I can’t raise the office machine. Here’s part of the PBk log: Freds-Computer racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3 Freds-Computer racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3 Freds-Computer racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3 Freds-Computer racoon: ERROR: proposal.c:490:cmpsatrns(): trns_id mismatched: my:2 peer:3 Freds-Computer IPSecuritas: Flushing kernel keys Freds-Computer IPSecuritas: Stopping racoon... Freds-Computer IPSecuritas: Racoon normally terminated Sorry this is so long, but thanks to anyone who can help.
10.2 Incompatibility and "Can't connect twice 10.2 Incompatibility and "Can't connect twice by Nat! on 2005-06-24 18:23:05 +0200
1. When I try to start IP Securitas on 10.2.8 I get a crash and the following entry in the Console: [font=Courier]dyld: /Volumes/Users/Applications /IPSecuritas.app/Contents/MacOS/IPSecuritas can't open library: /usr/lib /libcrypto.0.9.7.dylib (No such file or directory, errno = 2)[/font] 2. When I use it under 10.4 I can sucessfully connect once to the firewall at the remote site, but I can't connect a second time (doesn't matter if I just quit IP Securitas, "properly Stop IPSEC" or even reboot my machine). The sysadmin "over there" says, that the first session was not properly closed and that their software therefore doesn't allow a second session to be opened. The timeout on their machine appears to be greater than a day ::) This might not be a problem of IP Securitas, but I figure it doesn't hurt to ask, if this is a known problem with possibly a known solution :)
Re: 10.2 Incompatibility and "Can't connect t by cdmaris1 on 2005-08-13 05:45:02 +0200
Were you ever able to resolve your problem with 10.2.8? I am get the sam eerror message so would be very interested in finding out if there is a fix for this. thanks
Re: 10.2 Incompatibility and "Can't connect t by David on 2005-11-03 16:58:02 +0100
I'm just looking for any confirmation on whether IPSecuritas 2.1 is incompatible with 10.2.8 ? I get a crash log written when it fails to start up.
Static Routes setup with IPSecuritas? Static Routes setup with IPSecuritas? by Mike E on 2005-06-28 19:04:32 +0200
One of our developers is using IPSecuritas to VPN (host to network) onto our subnet (10.191.2.0/24). He is setup to look like 10.191.1.140 (local address). He needs to be able to route 38.160.70.118 traffic through 10.191.2.34 on our subnet, so I had him create a static route. But it doesn't work. Any ideas? Notice how the static route be binding to en0? seems like it should have bound to gif0?
On Jun 27, 2005, at 2:02 PM, John wrote: Here is the situation after "sudo route add 38.160.70.118 10.191.2.34" Destination Gateway Flags Refs Use Netif Expire default 10.0.1.1 UGSc 71 11 en0 10.0.1/24 link#4 UCS 2 0 en0 10.0.1.1 0:d:93:25:3c:40 UHLW 72 1322 en0 1094 10.0.1.2 0:3:93:70:28:4e UHLW 0 122 en0 331 10.0.1.17 127.0.0.1 UHS 6 1065 lo0 10.191.2.0 10.191.1.140 UH 0 1 gif0 10.191.2/24 gif0 USc 6 1354 gif0 38.160.70.118 10.191.2.34 UGHS 0 2 en0 127 127.0.0.1 UCS 0 0 lo0 127.0.0.1 127.0.0.1 UH 20 245677 lo0 169.254 link#4 UCS 0 0 en0 Johns-Laptop:$ ping 38.160.70.118 PING 38.160.70.118 (38.160.70.118): 56 data bytes ping: sendto: Cannot allocate memory
DHCP DHCP by Scott Hander on 2005-06-30 01:49:06 +0200
I am trying to get a VPN setup that will have remote machine request an IP via DHCP from our firewall. We are using a Sonicwall 2040, and I can't seem to get it to work. I can get everything to work with a good connection, just no DHCP. I can assign a specific ip to the computer on the other end, but the connection will not pass any traffic through to that address. Does anyone have any thoughts or insights for this? Thanks, Scott Hander
10.4.1, packets gets lost inside kernel
10.4.1, packets gets lost inside kernel by Henrik on 2005-07-04 21:20:18 +0200
Hi, The VPN with OpenSWAN worked great with OS X 10.3.x. Upgraded to 10.4.1 and now nothing works (I even installed it from scratch). I can create a successfull VPN connection (Host to Network), so IPSEC SA is established and ESP packets are flowing to both directions (checked with ethereal). The downside is the the ESP packets seems somehow to be discared after they are received. The same happens with and without NAT. Any help is greatly apprechiated, since I'm leaving on holyday on saturday and I *don't* want to change the a PC because of this. Thanks, Henrik Finland
Re: 10.4.1, packets gets lost inside kernel by cnadig on 2005-07-05 09:56:15 +0200
Hello Henrik, are you by any chance using AES256 or AES192 in phase 2 - the implementation has changed from 10.3 to 10.4 and leads to incompatibilities. I recommend using 3DES for best compatibility with other devices. Hope this helps, Christoph
Re: 10.4.1, packets gets lost inside kernel by Henrik on 2005-07-05 11:44:22 +0200
Hi Christoph, It worked! Actually the last thing I tried yesterday was 3DES, but at the same time I broke my NAT when tweaking it, so no connection at all was established. Thanks! Best regrads, Henrik
Watchguard X-15 Edge Watchguard X-15 Edge by dd on 2005-07-08 13:31:07 +0200
hi Has anyone successfully connected a VPN using IPSecuritas to a watchguard X15 Edge? I have PC MUVPN working successfully and a number of Edge to Edge tunnels working, but dont seem to be able to succed with IPSecuritas. If any body out there has got things to work with the X15, and feels like sharing howto do it, it would save me having to lug a laptop pc as well as my iBook around! Many Thanks ???
Feature Requests: multiple subnets, dynamic PSK Feature Requests: multiple subnets, dynamic PSK by tji on 2005-07-08 20:17:07 +0200
IPSecuritas is a great tool. Thanks for providing such a nice piece of software for free! If/when you guys update it, could you look into the feasability of implementing a few enhancements? - Multiple Subnets: My office network has several /24 subnets, protected by a Netscreen VPN device. I can define each subnet as a seperate configuration, and enable each one of them individually. But, I cannot enable multiple subnets at the same time (only the first subnet actually gets negotiated). Defining all the available subnets in one VPN config should allow them to be all negotiated in one IKE session. - Dynamic PSK -- external command/script: I set up a Linksys WRV54G at my parents house, and I use that to connect back to their systems for remote tech support. The quirky thing about the WRV54G is that they have an HTTPS front end that is used to authenticate users and dynamically generate the PSK before the IPSec/IKE session starts. I have put together a script to pull that PSK, and generate the IPSec config files. But, being able to call a command/script from within IPSecuritas would be a better solution. (There are probably some other authentication systems that operate similarly (like S/Key). So, this feature would allow IPSecuritas to work with more VPN gateways.) - XAuth -- The updated IPSec tools project supports Xauth authentication (and NAT-Traversal). Apple includes an older version of racoon, which does not. Including an updated racoon binary would allow IPSecuritas to support XAuth authentication.
m0n0wall ? m0n0wall ? by Sean McGrath on 2005-07-11 19:48:57 +0200
I can't get a connection to m0n0wall 1.1 or 1.2b9. The error message in the log is "racoon: ERROR: isakmp_inf.c:193:isakmp_info_recv(): ignore information due to hash length mismatch". The server logs show this happens during phase 2. MD5 and SHA1 hashes both fail. Any success stories? Thanks
Re: m0n0wall ? by stephenb on 2005-07-15 05:42:37 +0200
I got it up and running. I sent the settings to Christoph but he's probably been too busy to post. email me and I'll send you screen shots. stephenbatmacdotcom
Sonicwall TZ170 failing phase 2 Sonicwall TZ170 failing phase 2 by spectre51 on 2005-07-12 06:07:27 +0200
Okay so I got my ibook setup with ipsecuritas and my netscreen 5gt at home so I decided to hook it up to my sonicwall tz170 at work. I am trying to use the GroupVPN option on the sonicwall which is on the latest SonicOS Standard firmware. We are making it through phas 1 no problem but the vpn continues to fail at phase 2. I'm wondering does the sonicwall have to be the enhanced version? What should I put in the ID/Auth section under Identification for local and remote identifier?
Re: Sonicwall TZ170 failing phase 2 by w_grace on 2006-02-21 19:02:23 +0100
Are you getting what I am getting? My post... Phase-1 Group 1 3DES MD5 28000 Phase-2 ESP 3DES MD5
Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:31:54 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:32:04 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait. Feb 21 16:31:54 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:32:04 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait. Feb 21 16:33:49 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:33:49 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:34:10 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:34:19 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait. Feb 21 16:34:10 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:34:19 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait.
Re: Sonicwall TZ170 failing phase 2 by cnadig on 2006-02-21 23:37:42 +0100
due
due
due
due
Hello, do you have access to the log of the Sonicwall? Changing the log level of IPSecuritas to 'Verbose Debug' will give you additional information about the unknown notification sent by the firewall. Cheers, Christoph
Re: Sonicwall TZ170 failing phase 2 by Tim Pipes on 2006-03-02 21:27:45 +0100
We had been making a connection to our TZ170 without fail for a while there. Upgraded to 10.4.4 and IPSecuritas stopped working. It also says that it's failing at Phase 2 but none of the settings changed. We have thought about setting up a new SA but instead have decided to delve into this a little more as it was working. IKE using preshared secret Phase 1 DH Group: Group 1 Encryption: 3DES Authentication: MD5 Lifetime: 28800 Phase 2 Protocol: ESP Encryption: 3DES Authentication: MD5 Enable Perfect Forward Secrecy: Unchecked Advanced Enable Windows Networking Broadcast: checked that's it in Advanced. Client Cache XAUTH: never Virtual Adaptor: DHCP Lease Allow Connections to: Split Tunnels nothing else checked. As I said, it had been working flawlessly and now I have messed with just about every setting in IPSecuritas and have not been able to make the connection. I believe I am getting the same error output as w_grace (no phase 2 handle found) Any setup that works for anyone? Please fill me in. cheers, Tim
IPsecuritas and Linksys RV042 IPsecuritas and Linksys RV042 by jprsa on 2005-07-13 01:23:54 +0200
I have a linksys RV042 and having issues establishing a tunnel. I previoulsy had a different Linksys vpn router model and that worked great. I decided to upgrade to the new and improved router. Linksys is of no help Can anyone help me?
Re: IPsecuritas and Linksys RV042 by Mike O'Reilly on 2005-09-12 00:58:02 +0200
I just figured out the Linksys RV042 and RV082 with IPSecuritas and figured that some other people might be having the same issues... It seems that Linksys removed to the "connect from any" option in their routers, but it's really still there! Set up your tunnels just like you would have before (with another router) but use the option "Dynamic IP + E-mail Addr.(USER FQDN) Authentication" Input an email address (real or not, just a unique identifer) in the router for the tunnel. The magic is buried in the IPSecuritas help: 2. Domain Name (DN): This can either be a fully qualified distinguished name (FQDN, e.g. lobotomo.com) or a user fully qualified distinguished name (USER_FQDN, e.g.
[email protected]). This means just put that same email address in the Id/Auth dialog box under the "DN" option for the Local Identifier and your connection should work. I hope this helps someone out there, if anyone needs screenshots of the RV042 and IPSecuritas screens I can try and post them. Just reply to this post...
Re: IPsecuritas and Linksys RV042 by Alan H on 2005-09-20 17:11:20 +0200
Could you provide the screen shots please. Thanks
Re: IPsecuritas and Linksys RV042 by Glenn Dallas on 2005-10-21 03:31:57 +0200
I'm trying to setup a vpn tunnel to a mobile user also and can't find any good documentation. Could you send me the screenshots also. Thanks.
Re: IPsecuritas and Linksys RV042 by Dave Story on 2005-11-12 05:03:17 +0100
Thanks for offering, could you send the screen shots along to me as well.
Re: IPsecuritas and Linksys RV042 by Some Pinoy on 2005-11-16 01:57:26 +0100
Please send some pics that would be awesome! We just updated to the RV016
Re: IPsecuritas and Linksys RV042 by BJS on 2005-11-30 16:42:26 +0100
I would also appreciate the screenshots. Thanks!
Re: IPsecuritas and Linksys RV042 by Cbo on 2005-12-30 22:27:08 +0100
Could you send me the screenshot also. Thanks a lot !
Re: IPsecuritas and Linksys RV042 by Jonathan Steuer on 2006-01-02 12:49:54 +0100
screen shots most appreciated! also firmware version of router, if you please. i assume this should work identically with the RV082? -j-
Re: IPsecuritas and Linksys RV042 by Mike O'Reilly on 2006-01-04 04:56:22 +0100
Well, it looks like my post from Sept. 12 has sparked some discussion... After a long testing period and some time in front of a graphics editor I finally got the screenshots everyone has been asking for! It looks like I can't post them directly in the forum here, so I'm going to put them in a Yahoo! photo gallery: http://pg.photos.yahoo.com/ph/mike_b_oreilly/album?.dir= /8802&.src=ph&.tok=ph7NeMEBjUPy0h8U If that URL is too long, try this TinyURL: http://tinyurl.com/74e82 ...and now for the description of what you're looking at: IPSecuritas #1 "General" tab The red box is over the public IP address of my RV042, this could be a public DNS name. I'm using DynDNS without any issues. #2 "Phase 1" tab The info here needs to match what you set on the router. #3 "Phase 2" tab The info here also needs to match what you set on the router. #4 "ID/Auth" tab This is where it got tricky; Use the "Local Identifier" "DN" Option. (For those of you in the know, you know that this is the Domain Name... Not here!) This is the email address that you will use to establish the tunnel. The email address is the fully qualified address but doesn't need to be a real address; Only the address needs to match what you set on the router! This is also where you set the "preshared secret"; This is the VPN key that you use as the password between IPSecuritas and the RV042. #5 "Options" tab I don't remember changing anything here, but who knows at this point. Just follow the example and things should work for you. #6 RV042 VPN Summary This is a bit difficult to see, but it's the overview of how the tunnels are set up. The red box on the left is the name of the tunnel (this could be anything, name it something that helps you to identify the tunnel!) The green box on the right will automagically populate with the email adress entered when you set up the tunnel (this will match the address in image #4). Don't worry about the black boxes, that's just to protect the users of my VPN. #7 Tunnel Summary Overview This is where the actual tunnel details are set. The first red box is where the tunnel name goes, this helps to identify who is connecting. The second red box is not avaliable to edit, this is the IP address of the router. The 3rd and 4th red boxes are the email address that is used to identify the tunnel between IPSecuritas and the RV042, this is the same email address entered in image #4. Finally the 5th red box is the "preshared key" that is the password between the router and VPN client. #8. This is just the summary of what the VPN log should look like on the RV042. I blocked off my tunnel's email address so that I can try to avoid
UMTS / GPRS UMTS / GPRS by lganzetti on 2005-07-16 18:00:43 +0200
IPSECURITAS not work with connection by UMTS or GPRS. The VPN start without error, but when try to user VPN not work. I try with modem56k and work correctly, but with PHONE Nokia UMTS or GPRS not work. Please Help me
Problem 2.1: Cannot change Nonce size Problem 2.1: Cannot change Nonce size by Andrea on 2005-07-18 13:40:24 +0200
This looks like a GUI problem... In IPSecuritas 2.1 (MacOS 10.4.1) I cannot edit the Nonce size field. The default is 16, I can add a third digit then remove it but I cannot set it to 64 as I wish!
Thank you for your attention! Andrea
Re: Problem 2.1: Cannot change Nonce size by cnadig on 2005-07-21 22:34:49 +0200
Hello Andrea, I confirm that this is a bug - i will make an update available fixing the bug in a few days. Thank you very much, Christoph
IPSecuritas not working on PB, but does on another IPSecuritas not working on PB, but does on another by Sean McNamara on 2005-07-26 00:21:21 +0200
Hi folx, I've successfully gotten IPSecuritas connecting to a Netgear FVS318 VPN router using the instructions [url]http://www.aaronadams.net/index.php /2004/12/20/establishing_a_vpn_with_ipsecuritas_and[/url]. This PB was using Panther originally, and now uses Tiger (we've had to use 128 bit for Tiger, but otherwise all the same). My client's PB running Panther and Tiger doesn't want to work, even if I copy my IPSecuritas configuration. I've finally gotten him to send me a log from IPSecuritas, so I'm hoping someone can point me in the right direction: Log output from IPSecuritas 2.1 Jul 26 07:53:53 dewG4laptop IPSecuritas: Parsing configuration Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up racoon.conf Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up setkey.conf Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up psk.txt Jul 26 07:53:53 dewG4laptop IPSecuritas: Setting up tunnel.conf Jul 26 07:53:53 dewG4laptop IPSecuritas: Parsing configuration done Jul 26 07:53:54 dewG4laptop IPSecuritas: Starting racoon... Jul 26 07:53:54 dewG4laptop IPSecuritas: Racoon is running Jul 26 07:53:54 dewG4laptop IPSecuritas: Set kernel keys add net 192.168.0.0: gateway gif0 Jul 26 07:53:54 dewG4laptop racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed. Jul 26 07:53:54 dewG4laptop racoon: DEBUG: isakmp.c:1592:isakmp_open(): 192.168.1.5[500] used as isakmp port (fd=8) Jul 26 07:53:54 dewG4laptop racoon: DEBUG: isakmp.c:1610:isakmp_open(): 192.168.1.5[4500] used as nat-t isakmp port (fd=9) Jul 26 07:53:54 dewG4laptop racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:12, need update interface address list Jul 26 07:53:54 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting Jul 26 07:53:55 dewG4laptop racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:14, need update interface address list Jul 26 07:53:55 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting Jul 26 07:53:55 dewG4laptop racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message Jul 26 07:53:55 dewG4laptop racoon: DEBUG2: plog.c:199:plogdump(): Jul 26 07:53:55 dewG4laptop racoon: DEBUG: pfkey.c:1551:pk_recvacquire(): suitable outbound SP found: 10.0.0.3/32[0] 192.168.0.0/16[0] proto=any dir=out. Jul 26 07:53:55 dewG4laptop racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff970: 192.168.0.0/16[0] 10.0.0.3/32[0] proto=any dir=in Jul 26 07:53:55 dewG4laptop racoon: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306618: 192.168.0.0/16[0] 10.0.0.3/32[0] proto=any dir=in Jul 26 07:53:55 dewG4laptop racoon: DEBUG: pfkey.c:1567:pk_recvacquire(): suitable inbound SP found: 192.168.0.0/16[0] 10.0.0.3/32[0] proto=any dir=in. Jul 26 07:53:55 dewG4laptop racoon: DEBUG: pfkey.c:1606:pk_recvacquire(): new acquire 10.0.0.3/32[0] 192.168.0.0/16[0] proto=any dir=out Jul 26 07:53:55 dewG4laptop racoon: DEBUG: proposal.c:826:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
Re: IPSecuritas not working on PB, but does on ano by sean McNamara on 2005-07-26 00:22:34 +0200
...log continued... Jul 26 07:53:55 dewG4laptop racoon: DEBUG: oakley.c:260:oakley_dh_generate(): compute DH's private. Jul 26 07:53:55 dewG4laptop racoon: DEBUG: plog.c:199:plogdump(): Jul 26 07:53:55 dewG4laptop racoon: DEBUG: oakley.c:262:oakley_dh_generate(): compute DH's public. Jul 26 07:53:55 dewG4laptop racoon: DEBUG: plog.c:199:plogdump(): Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp_agg.c:169:agg_i1send(): authmethod is pre-shared key Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 52, next type 4 Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 96, next type 10 Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 16, next type 5 Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 13, next type 13 Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 16, next type 0 Jul 26 07:53:55 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500] Jul 26 07:53:55 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500] Jul 26 07:53:55 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500] Jul 26 07:53:55 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 241 bytes message will be sent to 192.168.1.5[500] Jul 26 07:53:55 dewG4laptop racoon: DEBUG: plog.c:199:plogdump(): Jul 26 07:53:55 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000 Jul 26 07:53:57 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 16 not interesting Jul 26 07:53:57 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 15 not interesting Jul 26 07:54:01 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 16 not interesting Jul 26 07:54:02 dewG4laptop racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 15 not interesting Jul 26 07:54:15 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500] Jul 26 07:54:15 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500] Jul 26 07:54:15 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500] Jul 26 07:54:15 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 241 bytes message will be sent to 192.168.1.5[500] Jul 26 07:54:15 dewG4laptop racoon: DEBUG: plog.c:199:plogdump(): Jul 26 07:54:15 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000 Jul 26 07:54:26 dewG4laptop racoon: ERROR: isakmp.c:2120:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP xxx.xxx.xxx.xxx->192.168.1.5 Jul 26 07:54:26 dewG4laptop racoon: INFO: isakmp.c:2125:isakmp_chkph1there(): delete phase 2 handler. Jul 26 07:54:35 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500] Jul 26 07:54:35 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500] Jul 26 07:54:35 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto():
Re: IPSecuritas not working on PB, but does on ano by Sean McNamara on 2005-07-26 00:23:37 +0200
...last bit... Jul 26 07:54:36 dewG4laptop racoon: DEBUG: plog.c:199:plogdump(): Jul 26 07:54:36 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000 Jul 26 07:54:56 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500] Jul 26 07:54:56 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500] Jul 26 07:54:56 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500] Jul 26 07:54:56 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 241 bytes message will be sent to 192.168.1.5[500] Jul 26 07:54:56 dewG4laptop racoon: DEBUG: plog.c:199:plogdump(): Jul 26 07:54:56 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000 Jul 26 07:55:16 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500] Jul 26 07:55:16 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500] Jul 26 07:55:16 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500] Jul 26 07:55:16 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 241 bytes message will be sent to 192.168.1.5[500] Jul 26 07:55:16 dewG4laptop racoon: DEBUG: plog.c:199:plogdump(): Jul 26 07:55:16 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000 Jul 26 07:55:36 dewG4laptop racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.5[500] Jul 26 07:55:36 dewG4laptop racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 192.168.1.5[500] Jul 26 07:55:36 dewG4laptop racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500] Jul 26 07:55:36 dewG4laptop racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 241 bytes message will be sent to 192.168.1.5[500] Jul 26 07:55:36 dewG4laptop racoon: DEBUG: plog.c:199:plogdump(): Jul 26 07:55:36 dewG4laptop racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 618d997594493356:0000000000000000 Jul 26 07:55:56 dewG4laptop racoon: ERROR: isakmp.c:1772:isakmp_ph1resend(): phase1 negotiation failed due to time up. 618d997594493356:0000000000000000 delete net 192.168.0.0 Jul 26 07:56:40 dewG4laptop IPSecuritas: Flushing kernel keys Jul 26 07:56:40 dewG4laptop racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:2, need update interface address list Jul 26 07:56:40 dewG4laptop racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:2, need update interface address list Jul 26 07:56:40 dewG4laptop racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:13, need update interface address list Jul 26 07:56:40 dewG4laptop IPSecuritas: Stopping racoon... Jul 26 07:56:40 dewG4laptop racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDFLUSH message Jul 26 07:56:40 dewG4laptop racoon: DEBUG2: plog.c:199:plogdump(): Jul 26 07:56:40 dewG4laptop racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey FLUSH message
Lucent IPSec Lucent IPSec by Bob on 2005-07-26 11:49:56 +0200
Hi I was wondering if anyone has tips for getting IPSecuritas working with the Lucent IPSec implementation. The standard Lucent client works with Windows only and I'd love to get access on my Mac. BTW, it does ask for a username and password. I've read that some IPSec implementations use something called xauth which I believe allows proprietory authentication though I don't really understand the in's and out's of how all this works. Can someone please provide me with some advice or point me in a suitable direction for more information? I've been searching google for weeks trying to find a solution but haven't had any luck so far. Thanks
Tiger, IPSecuritas, Sonicwall 2040 and NAT Trversl Tiger, IPSecuritas, Sonicwall 2040 and NAT Trversl by miles on 2005-08-01 19:38:18 +0200
we've been using IPSecuritas for some time, but suddenly it's stopped working for all OS X users in my office. We did recently upgrade the fw to SonicOS 3.1, but all windows users are still able to VPN so we're wondering if this is tied to OS X 10.4.2 update last week In the client logs we see NO PROPOSAL CHOSEN for phase 2, and in the firewall logs we see that NAT Traversal is failing on the client any ideas? did something change in OS X? thanks in advance
Re: Tiger, IPSecuritas, Sonicwall 2040 and NAT Trv by David Chamberlin on 2005-08-16 02:04:06 +0200
I've been trying to setup IPSecuritas to a SonicWall 2040 as well with the latest 3.1.7.x firmware and can't get past phase 2. It always gives a NO-PROPOSAL-CHOSEN error. We are trying to connect to our group vpn policy using preshared keys. Strangely, I tested using IPSecuritas (racoon) on both 10.4.2 and 10.3.9 OS X with same result. Same result if I used the other VPN clients that utilize racoon. So, I don't think it's related to racoon version, unless you upgraded from much earlier OS X. Any ideas?
Re: Tiger, IPSecuritas, Sonicwall 2040 and NAT Trv by miles on 2005-08-18 08:23:51 +0200
hey David, I've come to the conclusion it must be sonicos. just renewing our support with sonicwall so I'll podt what I find out may have to roll back to 2.1
IPSecuritas and SonicWall Pro 2040 IPSecuritas and SonicWall Pro 2040 by zervakos on 2005-08-02 15:39:17 +0200
Hello, I have been successful in getting IPSecuritas to work with a SonicWall TZW, and now I'm trying to get IPSecuritas to work with a SonicWall Pro 2040. The problem I'm seeing is this in the logs of IPSecuritas: Aug 2 06:26:41 vpnclient racoon: ERROR: ipsec_doi.c:2993:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN. Aug 2 06:26:41 vpnclient racoon: ERROR: ipsec_doi.c:2993:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN. Aug 2 06:26:41 vpnclient racoon: ERROR: isakmp_ident.c:668:ident_i4recv(): invalid ID payload. Aug 2 06:26:41 vpnclient racoon: ERROR: isakmp_ident.c:668:ident_i4recv(): invalid ID payload. Aug 2 06:26:52 vpnclient racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP sonicwall_ip->192.168.1.110 Aug 2 06:26:52 vpnclient racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP sonicwall_ip->192.168.1.110 Aug 2 06:26:52 vpnclient racoon: INFO: isakmp.c:2050:isakmp_chkph1there(): delete phase 2 handler.
In the logs of the SonicWall, I see that phase I successfully completes, but I also get this: Warning Received packet retransmission. Drop duplicate packet public_ip_vpnclient_hides_behind 0.0.0.0 -
Has anyone come across this perhaps?
Re: IPSecuritas and SonicWall Pro 2040 by Mike on 2005-08-11 22:40:16 +0200
Bump on this but I get a different error message with mine. Here is what mine is saying. Also Sonicwall is running latest firmware update version 3.1.0.6-75s Sonicwall output IKE Responder: IPSec proposal does not match (Phase 2) IPsecuritas Output Log output from IPSecuritas 2.1 Aug 11 13:39:35 Michael-Palfreys-Computer-2 configuration Aug 11 13:39:35 Michael-Palfreys-Computer-2 racoon.conf Aug 11 13:39:35 Michael-Palfreys-Computer-2 setkey.conf Aug 11 13:39:35 Michael-Palfreys-Computer-2 psk.txt Aug 11 13:39:35 Michael-Palfreys-Computer-2 tunnel.conf Aug 11 13:39:35 Michael-Palfreys-Computer-2 configuration done Aug 11 13:39:36 Michael-Palfreys-Computer-2 racoon... Aug 11 13:39:36 Michael-Palfreys-Computer-2 running Aug 11 13:39:36 Michael-Palfreys-Computer-2 The result of line 5: File exists. The result of line 6: File exists.
IPSecuritas: Parsing IPSecuritas: Setting up IPSecuritas: Setting up IPSecuritas: Setting up IPSecuritas: Setting up IPSecuritas: Parsing IPSecuritas: Starting IPSecuritas: Racoon is IPSecuritas: Set kernel keys
netgear fvs318 vpn setup netgear fvs318 vpn setup by mike on 2005-08-03 18:14:35 +0200
I set up a netgear fvs318 in a branch office that is using dsl to the internet. I am trying to setup vpn connections from the computers in the branch office back to the main office. We are using a cisco concentrator at the main office and the cisco vpn client on the pc's in the branch office. I am able to connect one computer back to the main office. when I attempt to connect a second computer the first computer loses connection. from what i understand the ng fvs318 is supposed to do nat'ing(one to many), says so on the box. where in the web interface do i config nat and/or do i need config seperat vpn tunnels for each pc. I only have one ip from my isp. thanks mike
Re: netgear fvs318 vpn setup by cnadig on 2005-08-04 23:33:02 +0200
Hello Mike, having multiple IPSec clients in a NAT'ed private network talking to the same remote won't work unless you used NAT-T for all clients (the NAT router cannot distinguish incoming IPSec traffic and will just send it on to the last known client - resulting in the behaviour you described). In your situation I'd recommend to permanently connect the two LANs (branch office and main office) by the FVS318 itself - so instead of having an individual tunnel for each PC, there is only one between the FVS318 and the Cisco concentrator, tunneling the traffic for all PCs. Hope this helps, Christoph
Resolved Multiple Addresses Resolved Multiple Addresses by MikeyG_U2 on 2005-08-03 20:25:53 +0200
I'm in the process of configuring IPSecuritas to access a Checkpoint VPN-1 but have run into many problems. The one that is currently throwing me is that it reports that it's resolving multiple addresses... Here is my log: Aug 3 13:02:45 Panther IPSecuritas: Parsing configuration Aug 3 13:02:45 Panther IPSecuritas: Setting up racoon.conf Aug 3 13:02:45 Panther IPSecuritas: Setting up setkey.conf Aug 3 13:02:45 Panther IPSecuritas: Setting up psk.txt Aug 3 13:02:45 Panther IPSecuritas: Setting up tunnel.conf Aug 3 13:02:45 Panther IPSecuritas: Parsing configuration done Aug 3 13:02:46 Panther IPSecuritas: Starting racoon... Aug 3 13:02:46 Panther IPSecuritas: Racoon is running Aug 3 13:02:46 Panther IPSecuritas: Set kernel keys line 3: Unknown error at [192.168.1.0] line 3: Unknown error at [192.168.69.69] line 4: Unknown error at [192.168.69.69] line 4: Unknown error at [192.168.1.0] Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(204.253.2.254,500): resolved to multiple address, taking the first one Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(204.253.2.254,500): resolved to multiple address, taking the first one Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.69.69,0): resolved to multiple address, taking the first one Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.69.69,0): resolved to multiple address, taking the first one Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.1.0,0): resolved to multiple address, taking the first one Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.1.0,0): resolved to multiple address, taking the first one Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.69.69,500): resolved to multiple address, taking the first one Aug 3 13:02:46 Panther racoon: ERROR: sockmisc.c:738:str2saddr(): getaddrinfo(192.168.69.69,500): resolved to multiple address, taking the first one Aug 3 13:09:42 Panther racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 204.253.2.254->192.168.69.69 Aug 3 13:09:42 Panther racoon: ERROR: isakmp.c:2045:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 204.253.2.254->192.168.69.69 Aug 3 13:10:42 Panther IPSecuritas: Flushing kernel keys Has anyone seen this issue? I can't figure out what is causing it. Oh, 192.168.69.69 is my internal IP (behind a Linksys router with IPSec passthrough enabled) and 192.168.1.0 is the remote network and netmask I'm connecting to. Thanks for any insight. -Mike
Re: Resolved Multiple Addresses by VPNmac on 2005-08-07 10:12:37 +0200
More issues with Check Point here: http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas; action=display;num=1117914134
IPSecuritas behind FW to Bintec VPN25 ? IPSecuritas behind FW to Bintec VPN25 ? by avalon_s_de on 2005-08-14 16:48:08 +0200
Hello all, i try to get a working connection to a funkwerk (afka Bintec) VPN Access 25. The VPN Phase1 and Phase2 are established correctly, but i cannot ping any host in the remote network. I set up a Host-Network connection. I use the following setup-details: Phase1: 3des/MD5 Phase2: PFS 3des/MD5 Preshared key remote-auth: adress local-auth: fqdn I get the VPN up, but reaching the remote-hosts dowsn't work any hints / ideas ? connection with VPN Tracker works correctly... thx stefan
Re: IPSecuritas behind FW to Bintec VPN25 ? by Florian on 2006-03-29 17:24:45 +0200
Hi Stefan, how did you get your VPN to work? Thanks a lot florian
Re: IPSecuritas behind FW to Bintec VPN25 ? by Stefan Dietz on 2006-03-30 10:15:37 +0200
Florian, i got the vpn working by setting up the traffic settings correctly ;) there where some entries missing. send an email when you have further questions. regards, -stefan
Re: IPSecuritas behind FW to Bintec VPN25 ? by netgoblin on 2006-05-17 11:19:47 +0200
Hey Florian, see this Link http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas; action=display;num=1087200958 for more Info about Bintec / IPSecuritas write a EMail. -thorsten
GB OS 3.7 Mac 10.4.2 GB OS 3.7 Mac 10.4.2 by Ryan.Haller on 2005-08-24 19:13:15 +0200
Hello, GB-500 with GB OS 3.7 using a Mac 10.4.2 Client and IPSecuritas. Anyone else have this setup? Still in the testing stage but I can not seem to get it to work. Check box goes green, I show authenticated user and Active VPN but I can not get anywhere on the local network. IPsecuritas seems to be ignoring the getmyaddr response message.... possibly because I put it in during configuration. it is msg #4 and or #5 If anyone has any insight, please help? -Ryan
IPSecuritas 2.1 mysterious failure IPSecuritas 2.1 mysterious failure by Olaf Mьller-Michaels on 2005-09-12 19:32:06 +0200
Until today IPSecuritas worked great with the Bintec router in our firm. Starting today, I cannot connect to the internal network anymore. Nothing was changed on the company side. I also tried the same settings with VPN Tracker and everything still works fine. However, with IPSecuritas I can connect fine to the router, and it seems to establish a tunnel, but when I try to ping our internal server, it does not work. Maybe I can do a total reinstall of IPSecuritas, but I do not know where all the settings sit; simply deleting IPSecuritas from the Applications folder is not enough. Any other ideas? On request, I can send the debug output. I do not want to change to VPN Tracker, please ... ;D
Re: IPSecuritas 2.1 mysterious failure by Olaf Mьller-Michaels on 2005-09-12 22:51:53 +0200
Intermittently it worked again, but very unreliable. This is what seems to cause the problem, I get this message repeatedely: Sep 12 22:49:28 Powerbook-OMM racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting Olaf
Mac Gateway Assistant Mac Gateway Assistant by mitchellzone on 2005-09-12 19:59:04 +0200
Anyone have any luck setting up a VPN that can be accessed by machines behind a Mac OS X internet gateway, or know how this can be done? The VPN appears to work fine on the gateway machine itself, but I can't get any machines BEHIND the gateway to see the VPN. Sure there's a routing trick that can make this work, but the route table looks okay already, so not sure what's happening there... /mike
IPSecuritas and SonicWALL SOHO3 IPSecuritas and SonicWALL SOHO3 by Louis Gephardt on 2005-09-13 22:10:45 +0200
I'm trying to connect to a SonicWALL SOHO3 device at a remote office and I keep getting this in the log and it won't connect: Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet be12e283176fab00:0000000000000000 Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:238:isakmp_handler(): === Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:239:isakmp_handler(): 208 bytes message received from 66.159.77.44[500] Sep 13 16:08:27 Mozart racoon: DEBUG: plog.c:199:plogdump(): Sep 13 16:08:27 Mozart racoon: DEBUG: isakmp.c:539:isakmp_main(): malformed cookie received or the initiator's cookies collide. Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.0.0.102[500] Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.0.0.102[500] Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to xxx.xxx.xxx.xxx[500] Sep 13 16:08:47 Mozart racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 112 bytes message will be sent to 10.0.0.102[500] Sep 13 16:08:47 Mozart racoon: DEBUG: plog.c:199:plogdump(): Sep 13 16:08:47 Mozart racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet be12e283176fab00:0000000000000000 Sep 13 16:08:47 Mozart racoon: DEBUG: isakmp.c:238:isakmp_handler(): === Sep 13 16:08:47 Mozart racoon: DEBUG: isakmp.c:239:isakmp_handler(): 208 bytes message received from xxx.xxx.xxx.xxx[500] Sep 13 16:08:47 Mozart racoon: DEBUG: plog.c:199:plogdump(): Sep 13 16:08:47 Mozart racoon: DEBUG: isakmp.c:539:isakmp_main(): malformed cookie received or the initiator's cookies collide. Sep 13 16:09:07 Mozart racoon: ERROR: isakmp.c:1772:isakmp_ph1resend(): phase1 negotiation failed due to time up. be12e283176fab00:0000000000000000 Any ideas? I'm running 10.4.2 on my Mac and the SOHO3 has the latest firmware.
known good sonicwall pro 230 settings known good sonicwall pro 230 settings by nunya biznas on 2005-09-17 16:58:14 +0200
I just got a sonicwall pro 230 work, here are my settings. omitted items are blank or unchecked.
:General host to network static ip at work first three numbers of work network with a zero on the end (192,168.1.0) 24 blank main and agressive checked obey 16 :Phase 1 28000 mod768(1) 3des sha1 :phase 2 28800 none des 3des hmac sha1 :id/auth address address preshared secret from sonicwall :options ipsec doi sit_identity_only initial contact generate policy dhcp pass-through establish ike immediatly :sonicwall groupvpn ike using pre-shared secret group 1 28800 3des &sha1 strg enc and auth (esp 3des hmac sha1) shared secret :advanced all unchecked group 1 0.0.0.0 lan (after changing items on this menu you must hit update on main screen for items to take effect)
Re: known good sonicwall pro 230 settings by nunya biznas on 2005-09-17 17:07:05 +0200
oops am using Mac OS X 10.4.1
known good sonicwall tz 170 settings known good sonicwall tz 170 settings by nunya biznas on 2005-09-17 17:04:28 +0200
I just got a sonicwall tz 170 work, here are my settings. omitted items are blank or unchecked. :General host to network static ip at work first three numbers of work network with a zero on the end (192,168.1.0) 24 blank main and agressive checked obey 16 :Phase 1 28000 mod768(1) 3des sha1 :phase 2 28800 none des 3des hmac sha1 :id/auth address address preshared secret from sonicwall :options ipsec doi sit_identity_only initial contact generate policy dhcp pass-through establish ike immediatly :sonicwall groupvpn ike using pre-shared secret :proposals group 2 3des sha1 28800 esp des md5 group 1 28800 :advanced forward packets 0.0.0.0 lan :Client split tunnels
Re: known good sonicwall tz 170 settings by nunya biznas on 2005-09-17 17:06:24 +0200
oops. Am using Mac OS X 10.4.1
Re: known good sonicwall tz 170 settings by w_grace on 2006-02-21 19:06:01 +0100
Hello, Thats using the default settings on the Sonicwall, is it possible to change anything from the default settings and still keep it working? It seems strange that you can not change it from the default settings.
Re: known good sonicwall tz 170 settings by Uptimejeff on 2006-03-08 17:19:30 +0100
No go for me... OS X 10.4.5 Sonicwall TZ170 3.1.0.12-86s I am able to make ipSEC connection to several Linksys devices, but have not had any success connecting to a Sonicwall (tried several) On the Sonicwall, I tried the defaults of the Group VPN with the settings as described in this thread. It's not possible for me to be sure that all the settings are the same because not all fields are listed. Screen shots might be more accurate (and faster). If anyone has a similar config running, I would be willing to email screen shots of my ipSecuritas and Sonciwall setup or receive screenshots of your working configuration. Thanks Jeff
Re: known good sonicwall tz 170 settings by xrub on 2006-06-04 18:52:20 +0200
Doesn't work for me either with exact settings. OS X 10.4.6 Firmware SonicOS Standard 3.1.0.15-95s on TZ170W I spent 3 hours trying to get this to work without success. Then I downloaded VPN Tracker and set it up in 5 minutes. Is it worth the money? Depends how much your time is worth. Personally, I think spending time setting up a VPN connection is a gross waste of time. I'll gladly pay for a good solution.
Re: My working TZ170 settings by northben on 2006-07-29 06:31:15 +0200
I finally have this working except for dns. I can ping an ip address but it apparently isn't getting the dns server (our Domain Controller, not the Sonicwall). I opened up the sonicwall config page and copy the settings to IP Securitas. If anyone has questions, I'd be glad to help with what I can. email/IM me at
[email protected]. If anyone has any suggestions for dns, I'd be glad to know about it.
Troubles while installing certs Troubles while installing certs by Dennis on 2005-09-20 18:36:49 +0200
While installing the certs according to dividedsky.net/~equate/vpn/ I am told to do the follwing: openssl pkc12 -in RoadCert.p12 -nodes -nokeys -clcerts -out x509gate.pem for extracting in PEM format. openssl pkcs12 -nodes -nocerts -in RoadCert.p12 -out private.pem for extracting the private key. After that I try to import these files by using the Certificate Manager. First the foreign, but while importing the private key I get this message: "Failed to import priv.pem. Please make sure the file contains a signed X.509 certifcate in PEM format." Any hints?
VPN Broken in Mac OS X 10.4.2 ? VPN Broken in Mac OS X 10.4.2 ? by nunya biznas on 2005-10-06 03:53:56 +0200
For some reason I have a 10.4.1 laptop that works from home with a sonicwall at work, yet my 10.4.2 G5 tower from home does not. Identical settings in IPSecuritas. Anyone know if I should post my log file and try to solve or just wait for 10.4.3? thanks for any insight.
Re: VPN Broken in Mac OS X 10.4.2 ? by jt on 2005-10-09 16:52:50 +0200
Wow, not a single reply. I'd a thought someone would let me know if 10.4.2 is or isn't broken. I have other problems with it as well, it broke some networking features in Virtual PC. ;) Here's my log output from a known good configuration with a sonicwall. Again, I have a 10.4.1 laptop that, with the same configuration has no problem connecting. Log output from IPSecuritas 2.1 Oct 9 09:44:23 gtower IPSecuritas: Parsing configuration Oct 9 09:44:23 gtower IPSecuritas: Setting up racoon.conf Oct 9 09:44:23 gtower IPSecuritas: Setting up setkey.conf Oct 9 09:44:23 gtower IPSecuritas: Setting up psk.txt Oct 9 09:44:23 gtower IPSecuritas: Setting up tunnel.conf Oct 9 09:44:23 gtower IPSecuritas: Parsing configuration done Oct 9 09:44:24 gtower IPSecuritas: Starting racoon... Oct 9 09:44:25 gtower IPSecuritas: Racoon is running Oct 9 09:44:25 gtower IPSecuritas: Set kernel keys Oct 9 09:44:25 gtower racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed. Oct 9 09:44:25 gtower racoon: DEBUG: isakmp.c:1592:isakmp_open(): 10.0.1.4[500] used as isakmp port (fd=8) Oct 9 09:44:25 gtower racoon: DEBUG: isakmp.c:1610:isakmp_open(): 10.0.1.4[4500] used as nat-t isakmp port (fd=9) Oct 9 09:44:25 gtower racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message Oct 9 09:44:25 gtower racoon: DEBUG2: plog.c:199:plogdump(): Oct 9 09:44:25 gtower racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory
Re: VPN Broken in Mac OS X 10.4.2 ? by jt on 2005-10-09 16:54:33 +0200
for completeness, this is my log
Re: VPN Broken in Mac OS X 10.4.2 ? by jt on 2005-10-09 16:59:31 +0200
for completeness, this is my log off 10.4.2 to a different sonicwall. This configuration also works fine off the 10.4.1 laptop. Oct 9 09:53:56 gtower IPSecuritas: Parsing configuration Oct 9 09:53:56 gtower IPSecuritas: Setting up racoon.conf Oct 9 09:53:56 gtower IPSecuritas: Setting up setkey.conf Oct 9 09:53:56 gtower IPSecuritas: Setting up psk.txt Oct 9 09:53:56 gtower IPSecuritas: Setting up tunnel.conf Oct 9 09:53:56 gtower IPSecuritas: Parsing configuration done Oct 9 09:53:57 gtower IPSecuritas: Starting racoon... Oct 9 09:53:57 gtower IPSecuritas: Racoon is running Oct 9 09:53:57 gtower IPSecuritas: Set kernel keys add net 172.16.10.0: gateway gif0 Oct 9 09:53:57 gtower racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed. Oct 9 09:53:57 gtower racoon: DEBUG: isakmp.c:1592:isakmp_open(): 10.0.1.4[500] used as isakmp port (fd=8) Oct 9 09:53:57 gtower racoon: DEBUG: isakmp.c:1610:isakmp_open(): 10.0.1.4[4500] used as nat-t isakmp port (fd=9) Oct 9 09:53:57 gtower racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message Oct 9 09:53:57 gtower racoon: DEBUG2: plog.c:199:plogdump(): Oct 9 09:53:57 gtower racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory Oct 9 09:53:58 gtower racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:12, need update interface address list Oct 9 09:53:58 gtower racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting Oct 9 09:53:58 gtower racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:14, need update interface address list Oct 9 09:53:58 gtower racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message Oct 9 09:53:58 gtower racoon: DEBUG2: plog.c:199:plogdump(): Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:1551:pk_recvacquire(): suitable outbound SP found: 10.0.12.1/32[0] 172.16.10.0/24[0] proto=any dir=out. Oct 9 09:53:58 gtower racoon: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbffff970: 172.16.10.0/24[0] 10.0.12.1/32[0] proto=any dir=in Oct 9 09:53:58 gtower racoon: DEBUG: policy.c:185:cmpspidxstrict(): db :0x306778: 172.16.10.0/24[0] 10.0.12.1/32[0] proto=any dir=in Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:1567:pk_recvacquire(): suitable inbound SP found: 172.16.10.0/24[0] 10.0.12.1/32[0] proto=any dir=in. Oct 9 09:53:58 gtower racoon: DEBUG: pfkey.c:1606:pk_recvacquire(): new acquire 10.0.12.1/32[0] 172.16.10.0/24[0] proto=any dir=out Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:826:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:860:printsatrns(): (trns_id=DES encklen=0 authtype=1) Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:860:printsatrns(): (trns_id=DES encklen=0 authtype=2) Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:860:printsatrns(): (trns_id=3DES encklen=0 authtype=1) Oct 9 09:53:58 gtower racoon: DEBUG: proposal.c:860:printsatrns(): (trns_id=3DES encklen=0 authtype=2) Oct 9 09:53:58 gtower racoon: DEBUG: remoteconf.c:118:getrmconf():
Re: VPN Broken in Mac OS X 10.4.2 ? by cnadig on 2005-10-10 08:38:34 +0200
Hello, I'm not aware of any problems with 10.4.2. From what I can see in your log, it seems that the remote router/firewall does not send an answer on your side's request. Do you have access to the router's log? Christoph
Re: VPN Broken in Mac OS X 10.4.2 ? by nunya biznas on 2005-10-27 02:44:52 +0200
Got it working on my G5. Turns out all I had to do was completely delete the settings I had been working with out of the IPSecuritas menu and start over. Started working first try.
RV042 Setup Needed RV042 Setup Needed by johnnj on 2005-10-14 19:08:40 +0200
I've got to say this router as driven me nuts! I can't get it to work with any of our Mac OS X users. I just want to set up 3 connections with mobile users. All using Mac OS X (Hey OS X helps cut down on IT work for the mobile users). I have read through most of the postings on this site for linksys routers and only a few have stated that they have gotten it to work but don't supply sufficent information. LinkSys claims that Mac OS X VPN software only works with the Cisco routers. (Which is BS because I have to use a Cisco VPN Client for their routers) If anyone could please provide me with some help, links, advice, etc... Thanks JohnNJ
Re: RV042 Setup Needed by Rand on 2005-12-09 06:45:56 +0100
Has anyone been succesful creating a VPN connection to a RV042/RV042? Any help would be appreciated.
Re: RV042 Setup Needed by Heston on 2006-01-05 20:20:18 +0100
Hey - any joy with this?? I'm thinking of getting some RV042/RV082 for an all mac environment - gulp. Thanks
Re: RV042 Setup Needed by macmouse on 2006-03-31 15:15:20 +0200
If anyone has gotten this to work an you please post the settings? Thank you!
VPN/IPSec to LANCOM Routers VPN/IPSec to LANCOM Routers by Heiko Amft on 2005-10-17 00:47:58 +0200
Does anyone have success with vpn-IPSec-connection between Mac (10.4.2) and a LANCOM-Router with preshared keys, especially LANCOM DSL/I-1611 or the new 1611+ ? I'm testing for a few days, it seems to be the ipsec-tunnel starts up but no traffic in- or outgoing. any ideas ? greetings Heiko
Re: VPN/IPSec to LANCOM Routers by Erik Roderwald on 2006-02-06 09:44:13 +0100
Hi Heiko! First of all, do you have access to a windows machine? If you have you should install the Lancom software which includes the Lancom Monitor. That tool is very helpfull for looking up what's going wrong with your VPN connection. Also the assistants are not bad. I just made it for a client. Two things went wrong: First of all make sure that there is for each VPN connection an entry in configure (Konfigurieren), PPP connections (PPP-Verbindungen; I hope that I retranslate it correctly; your name sounds german, so I gave you the german items in the brackets). If there isn't an entry add one which contains only the name of the wanted connection. You may activate IP forwarding and NetBIOS over IP. The rest you leave blank. The other thing which went wrong was the local and remote identifier. I tried it with a full qualified user name which didn't work even though I found it in several online documents to be configured like that. I changed it to domain name and it worked fine. The router I named like router.network.local and the clients like user1.network.local. Well, I also called the Lancom hotline which is quite expensive but very helpfull. They sent me a step by step help file (pdf; german). Unfortunately it is not public. So I cannot give you an URL or send it to you. I'm sorry, you have to call them and ask for it. HTH Erik
Tiger 10.4.2 and IPSecuritas 2.1 Problems Tiger 10.4.2 and IPSecuritas 2.1 Problems by Nick Rigby on 2005-10-18 14:03:26 +0200
Hi, I'm having problems with my VPN (IPSecuritas 2.1) and Tiger 10.4.2. I can create a connection with my work network, and can connect to a couple of the server. However, some servers cause finder to hang and then stop responding. It appears that it's only the servers with a large amount of folders on them that I can't connect to. Does anyone know of a problem, or the solution. Thanks, Nick
Re: Tiger 10.4.2 and IPSecuritas 2.1 Problems by Nick Rigby on 2005-11-09 12:59:30 +0100
Still having problems, even with the 10.4.3 update. It certainly appears that connecting to servers with a large amount of data (folders) causes finder to crash.
AEBS setup examples? AEBS setup examples? by Sig on 2005-10-18 21:12:16 +0200
Can anyone help with a sample config or settings for an AEBS? I'm trying to use IP2sec from a Powerbook, through the AEBS firewall (most likely have to open ports, though I have no idea which one, guessing 24), and out to the Internet. I would assume this would bypass all firewall settings without some customization. A good and bad thing, though not real risky on OS X. Thanks much in advance.
Acquiring IP address from Cisco 3000? Acquiring IP address from Cisco 3000? by WD40 on 2005-10-19 20:40:05 +0200
I just recently got IPSecuritas to connect to a Cisco 3000 Concentrator VPN. One area that doesn't seem to be working, though, is that IPSecuritas (racoon?) won't acquire an IP address from the Cisco unit. If I leave "local address" blank, ifconfig shows "gif0" with no address, and the VPN for the most part doesn't work. However, if I manually enter a local address, the ipsec stuff works fine. How can I set up IPSecuritas to request and use an IP address from the remote IPSec device? Thanks!
Early Replacement Of Name Servers Early Replacement Of Name Servers by goldharv on 2005-10-21 01:23:17 +0200
I love IPSecuritas, but I've run into a problem implementing it. I've defined a default domain name and 2 name servers that are visable only when connected to my VPNs. However, /etc/resolv.conf gets replaced immediately after IPSecuritas starts IPSec. Unfortunately, my ISP changes my IP address occasionally and I have to use a dynamic DNS service. My VPNs are defined to use the fully qualified domain name of my home firewall. The net result is that if my VPN does not come up soon enough, my access to DNS servers is gone. I'm mainly posting this as a warning to others. I spent an hour or two trying to figure out what was going on. It would be great if IPSecuritas waited until the VPN was established before switching resolv.conf, and if it switched it back if the connection drops. To be really snazzy, you should be able to tell if the DNS server is accessible based on the network address of the VPN. For example, if I've entered 192.168.0.1 and 192.168.2.1 as name server addresses and if one of my VPNs connects to 192.168.0.0 and the other connects to 192.168.2.0, it should be obvious which connections have to be up before modifying resolv.conf. Harry
IPSecuritas Auto Start with certificates (10.3.9) IPSecuritas Auto Start with certificates (10.3.9) by SomeUser on 2005-10-27 22:24:21 +0200
IPSecuritas Auto Start in 10.3.9 is broken if you use certificates... IPSecuritas stores certificates and config files in /private/tmp when you click "Auto Start". Mac OS X runs /etc/rc.cleanup after boot, which deletes all files in /private/tmp. Solution: 1) Lobotomo could save the config/cert files somewhere more sensible like /etc 2) Edit /etc/rc.cleanupto spare deletion of your config/cert files: e.g. (line 43)[code] # Clean out /private/tmp. if [ -d /private/tmp ]; then # blow away any _tmp_ in case it exists as well if [ -f /private/_tmp_ ]; then chflags -R nouchg /private/_tmp_ && rm -rf /private/_tmp_ fi echo -n " /private/tmp" + mkdir -m 1777 /private/_tmp_ + find /private/tmp/* ! -name ipsecuritas\* -maxdepth 0 -exec mv {} /private/_tmp_ \; + find /private/tmp/.[^.]* -maxdepth 0 -exec mv {} /private/_tmp_ \; - mv /private/tmp /private/_tmp_ (chflags -R nouchg /private/_tmp_ && rm -rf /private/_tmp_) & fi - mkdir -m 1777 /private/tmp [/code]
Netgear FVS124G Netgear FVS124G by David on 2005-11-01 17:47:26 +0100
I can connect to the likes of Netgear FVS318 just fine but this new FVS124G is more complex - anyone else connecting to it?
Re: Netgear FVS124G by Daniel Loewus-Deitch on 2006-01-19 22:25:21 +0100
I also am having no luck connecting to a Netgear FVS124G. If possible, can anyone explain all the settings necessary on both the router and IPSecuritas in order to make this VPN connection work? I am really frustrated and I am hoping to avoid spending an exorbant amount of money to buy VPN Tracker, just because Netgear is too lazy to support Macs with their own VPN client. If anyone has IP
Re: Netgear FVS124G by danlode on 2006-01-19 22:35:07 +0100
To finish my post above: If anyone has been able to get IPSecuritas to work with the Netgear FVS124G, please post here or contact me at
[email protected]. Thank you so much!! Regards
Re: Netgear FVS124G by grep on 2006-05-10 03:55:14 +0200
I have recently purchased the FVS124g router to replace my linksys router with service from verizon.dsl. Nope doesn't work, so I took it back to the store and got another one. Nope it doesn't work either. Then called tech support in India, level one was quite good but couldn't make it work, Level 2 was so so, but couldn't make it work, now level 3 is working on it but with no luck so far. My fix at the moment is to unplug the netgear and plug the linksys back in, works almost instantly and works fine. My current opinion of Netgear is probably not very good. Grep
Re: Netgear FVS124G by rogerm on 2007-04-09 19:05:21 +0200
Greetings, I was able to get this to work. As others did I looked at how VPN tracker configured itself and adapted from there. Below is the info. (please note the formatting got a bit messed up) --------------------------------------------------------------Setting up IPSecuritas and FVS124G router. Configuration of FVS124G VPN. Log into your FVS124G router 1.Create and name a new IKE policy. 1.Direction Type : Responder 2.Exchange Mode: Aggressive. 3.Local. Select Local Gateway. Select Wan1, or Wan2 depending on which port this policy will be active on. 1.Local Identity Type: FQDN – Fully Qualified Domain Name 2.Local Identity Data: netgearrouter.local. This can be anything you want and will be used in the client configuration as well. 4.Remote. Remote Host Configuration Record : None 1.Remote Identity Type: FQDN – Fully Qualified Domain Name 2.Remote Identity Data: thevpncleint.com. This can be anything you want and will be used in the client configuration as well. 5.IKE SA Parameters. 1.Encryption algorithm: 3DES 2.Authentication Algorithm: SHA1 3.Authentication Method: Select Pre-Shared Key 1.Enter the pre-shared key. 4.Diffle Hellman (DH) Group: Group 2 (1024 Bit) 5.SA Life Time: 3600 6.Select Apply to save the configuration. 2.Create a new VPN Policy. 1.IKE Policy: Select the name of the IKE Policy that you just created. 2.Remote VPN End Point: 1.Address Type: IP Address 2.Address Data: 0.0.0.0 3.SA Life Time 1.Seconds: 3600 2.Kbytes: 0 4.Check Box: IPSec PFS – no check. 1.PFS Key group: Ignored as step 4 contains no check. 5.Traffic Selector 1.Local IP: Subnet Address ( you will need to adjust this section with your IP info) 1.Start IP Address: 192.168.254.0 2.Finish IP Address: 3.Subnet Mask: 255.255.255.0 2.Remote IP: Single Address 1.Start IP Address: 192.168.252.100 2.Finish IP Address 3.Subnet Mask: 3.AH Configuration 1.Check Box: Enable Authentication – no check 2.Authentication Algorithm. ignored with no check in section 3.1 4.ESP Configuration 1.Check Box: Enable Encryption – Check 1.Encryption Algorithm: 3DES 2.Check Box: Enable Authentication – Check 1.Authentication Algorithm: SHA-1 5.Select apply to save the configuration.
Re: Netgear FVS124G by mpilch on 2007-04-15 01:30:08 +0200
rogerm: I tried to mimic your configuration but still without success. Which firmware do you have in your FVS124G ? I have 1.1.38. Also looks like you are not using "VPN wizard" to set your "IKE Policies" and "VPN Policies". So I have question: How did you set "VPN Client Policy". I assume this is one you are using in your walkthrough? There is no way (at list I can not find it) to add new "VPN Client Policy". Manualy I can add only "VPN Policy". Only using "VPN Wizard" I can add entry to "VPN Client Policy" and later edit it. I also assumed you are using IPSecuritas v3 in your guide. thanks, Marek
Re: Netgear FVS124G by mpilch on 2007-04-15 06:27:50 +0200
It works now. ;D Thanks for great walk through. Good work. Marek
Mac VPN Client using IPSecuritias Case Study is av Mac VPN Client using IPSecuritias Case Study is av by jmizoguchi on 2005-11-06 20:13:51 +0100
FYI
http://www.xtreme-racing-team.com/casestudy.html
Re: Mac VPN Client using IPSecuritias Case Study i by jmizoguchi on 2006-01-29 19:48:25 +0100
New site is vpncasestudy.com
Zyxell Zywall 2 and IPsecuritas Zyxell Zywall 2 and IPsecuritas by tota on 2005-11-10 16:52:50 +0100
Did someone ever have luck to set up a Zyxell Zywall 2 and IPSecuritas that way that both are working together? For your information I give you the actual settings of the Zywall 2 as shown below. Hope someone may able to give me some advice. Name: VPN-Test Key Management: IKE Negotiation Mode: Main Local Address Type : Subnet Starting IP Address: 192.168.2.0 Ending IP Address / Subnet Mask: 255.255.255.0 Remote Address Type : Single Address Starting IP Address: 0.0.0.0 Ending IP Address / Subnet Mask: 0.0.0.0 DNS Server (for IPSec VPN): 0.0.0.0 Authentication Method Pre-Shared Key: securekey Local ID Type: IP Content: 130.60.32.95 Peer ID Type: IP Content: 0.0.0.0 My IP Address : 0.0.0.0 Secure Gateway Address: 0.0.0.0 Encapsulation Mode: Tunnel Encryption Algorithm: DES Authentication Algorithm: SHA1 Phase 1 Negotiation Mode: Main Encryption Algorithm: DES Authentication Algorithm: MD5 SA Life Time (Seconds) : 28800 Key Group: DH1 Phase 2 Active Protocol: ESP Encryption Algorithm: DES Authentication Algorithm: SHA1 SA Life Time (Seconds): 28800 Encapsulation : Tunnel Perfect Forward Secrecy(PFS): None Best regards for anyone's help and advice and tipps. Greetings from Switzerland Thomas Thaler
IPSecuritas & OpenBSD? IPSecuritas & OpenBSD? by Iggy on 2005-11-14 07:24:00 +0100
I was wondering if any has had sucess getting isakmpd work well with mobile IPSecuritas clients. If you have I'd appreciate it if you can let me take a looke at your isakmpd.conf and policy files as an example.
Re: IPSecuritas & OpenBSD? by Iggy on 2005-11-14 07:47:08 +0100
Or even examples from Freebsd isakmpd.conf/policy will be great.
Re: IPSecuritas & OpenBSD? by rical on 2006-01-14 19:05:46 +0100
for isakmpd on OBSD 3.6 to 3.8: isakmpd.conf [General] Listen-on= 82.58.73.130 Policy-file= /etc/isakmpd/isakmpd.policy Default-phase-1-lifetime= 1800,360:28800 Default-phase-2-lifetime= 1800,360:28800 Retransmits= 3 [Phase 1] Default=
company-Nomades
[Phase 2] Connections= [Iniflux-Nomades] Phase= Transport= Local-address= Address= Configuration= ID= Authentication= [company-gw] ID-type= Address= [IPsec-Nomades] Phase= ISAKMP-peer= Configuration= Local-ID= Remote-ID=
IPsec-Nomades
1 udp 82.58.73.130 0.0.0.0 Default-main-mode company-gw good-password
IPV4_ADDR 82.58.73.130
2 company-Nomades Default-quick-mode Internal Nomades
[Internal] ID-type= Network= Netmask=
IPV4_ADDR_SUBNET 192.168.1.0 255.255.255.0
[Nomades] Id-type= Address=
IPV4_ADDR 0.0.0.0
[Default-main-mode] DOI= EXCHANGE_TYPE= Transforms=
IPSEC ID_PROT 3DES-SHA
[Default-quick-mode] DOI= IPSEC EXCHANGE_TYPE= QUICK_MODE Suites= QM-ESP-3DES-SHA-SUITE
policy:
Re: Can't connect to Netgear FVS338 Re: Can't connect to Netgear FVS338 by Cryobat on 2005-12-21 14:19:11 +0100
I have the exact same problem on the exact same hardware! Did you have any success in this? It seems like the Netgear router doesn't like IPSecuritas to define the remote network or something? The router can't find the SPD for this client... I had the exact same messages in the log on the router from the beginning when trying to configure the Netgear IPSec client for Windows machines, but that was because I used the VPN Wizard instead of doing the "mode config" by hand. Does anyone know how to make IPSecuritas go through this last step?
Re: Can't connect to Netgear FVS338 by Ken Anderson on 2006-01-31 16:15:19 +0100
That makes three of us! Has anyone ever solved this?
Re: Can't connect to Netgear FVS338 by Ted Mittelstaedt on 2006-03-01 10:49:19 +0100
Hi All, Yes there is a solution to this. Your all going to hate it but it works. The problem is the Netgear's view of what an IPSec VPN is, is basically a classical LAN2LAN IPSec VPN. The so-called "VPN Client Policies" in the Netgear's VPN Policies that appears to be usable for a single client to VPN in with, is actually a nasty hack that was worked out with the old Secure ID IPSec client, and nothing other than this client interoperates with it. You can get a Mac (or other UNIX) system to connect in to the Netgear, but you MUST use the standard VPN Policies, not the VPN Client policies, and you must define it by hand. Also, most importantly, you MUST USE a STATIC ip address. This is due to a bug in the Netgear's firmware which when you define a Fully Qualified Domain Name as a peer, the Netgear DOES NOT do a DNS lookup of that and substitute the remote peer IP address. Instead it just substitutes 0.0.0.0 which makes the VPN code in the netgear fall back to the borked Secure ID client method. Basically what is going on here is we are defining a static peer on the Netgear side and a static peer on the Mac side and they must be mirror images of each other. So, in summary - your going to have to pay extra to your DSL providers for a static IP. Also, I do NOT think this will work if the client is BEHIND a NAT router. Here are the setup instructions. This is on Panther (MacOS X 10.3) running the current MacOS patches and version 2.1 of IPSecuritas. The Netgear is running firmware version V1.6.47 Have phun with it! :-) 1) Setup your Mac client with a static IP number. In this case I'll use IP address 75.75.97.32 Login into the Netgear admin interface and click on IKE Policies on the left, then click Add. Here is the policy: Policy Name: macattack Direction Type: Responder Exchange Mode: Agressive Mode Local Identity Type: WAN IP Address Locl Identity Data: leave blank! Remote Host Configuration Record: None Remote Identity Type: Remote WAN IP Remote Identity Data: leave blank for now! IKE SA Encryption Algorithm: DES Authentication Algorithm: MD5 Authentication Method: Preshared Key Preshared Key: freebsdkicksass DH Group: Group 1 SA Life Time: 28800 X Authentication: None Click Apply
Re: Can't connect to Netgear FVS338 by Cryobat on 2006-03-01 12:21:57 +0100
Ouch.... I wish it would work better somehow... how often do you have a static IP when you're out working at another location.... Ohh well, I think setting up a PPTP server behind the firewall and playing with port forwardning might be a better solution for Mac users then. Thanks for your reply tho! That was a really good answer with precise information on how to solve the problem! Thank you!
Re: Can't connect to Netgear FVS338 by Ted Mittelstaedt on 2006-03-04 08:55:03 +0100
Well, actually all you have to do is enable remote access on the Netgear, then when your at a location, just obtain your IP address from www.whatismyip.com or some such, then access the Netgear's administrative page, change the IP addresses in the VPN policy and isakmp policy, and your in business. Obviously this is tiresome and certainly not an answer that you would want to give to your regular users! Might be doable for system administrators, though. As for setting up a PPTP server behind the Netgear, another possibility is running a Linux/FreeBSD system in parallel with the Netgear, and running poptop on that. I can confirm MacOSX Panther pptp will successfully connect to that if you use 128bit encryption, since that is what we do. One of our Tiger users claims it only works if encryption is switched off on Tiger. One of these days I'm going to have to test that.
Re: Can't connect to Netgear FVS338 by Nathan Hilderman on 2006-05-06 21:32:10 +0200
I haven't got a FVS338, but I've had success with both an FVL328 and FVX338. I've noticed between the FVL and FVX familly a few differences, but did get both to work. My main problem was with the 'ID/Auth' part in IPSecuritas I made the local and remote names 'fvx_host.com' on both IPSecuritas and in the local/remote FQDN (Fully Qualified Domain Name) within Netgear's IKE policy. Next hurdle (for me, anyways) was the IP settings - in IPSecuritas the 'Remote Network' uses the slash notiation (i.e. /24) notation, while Netgear wants a subnet address. To let it use your whole subnet (e.g. 10.0.0.0 /24), you have to set the subnet to 255.255.255.0 (e.g. 10.0.0.0 as start IP, 255.255.255.0 as subnet address). You can use whatever subnet you want - but unless both sides are EXACTLY THE SAME you won't ever get a proper connection. In fact, it seems there are VERY few settings (SA Lifetimes, for example) that don't have to be identical for it to work. Also, in case you haven't figured it out, when you connect take a look at the VPN status to determine where your bad settings are. If you can't establish Phase 1 even, then something in your IKE policy is wrong. If you can't establish Phase 2, the problem is in your VPN Policy. Oh, and I don't know about the FVS family, but on the FVX I also had to make sure my VPN Policy was a 'VPN Policy' as opposed to a 'VPN Client Policy', if that makes a difference. Keep at it, you'll eventually get it to work.
Re: Can't connect to Netgear FVS338 by William Kyngesburye on 2006-05-13 01:42:06 +0200
Well, the FVS338 has been commandeered for a host-to-host VPN off our main internal network (and thru a different ISP) all this time (just a few Windoze computers there), so I haven't had a need to pursue this. Until now. I'm getting ready to put it back on our main network and ISP and decided to try it again. I doubled-checked settings on the FVS338 and in IPSecuritas. One thing I noticed on my IPSec config was that the remote subnet setting was 192.168.1.1/24. From Nathan's last post I got the idea to try 192.168.1.0/24. Now it's working - VPN connection made. I'm sure I tried this before. Maybe some OSX update since then affected something. I didn't update the FVS firmware. I'm at home now and don't have my notes, but I'll post a summary later. I haven't been able to test file sharing yet - nothing really on the other end right now - but I could ping the firewall's local IP. The real test will be when I get the FVS on the main internal network, where the server, printers and Macs are. I can say that the FVS338 works with fvs_local.com and fvs_remote.com for the identifiers, just as the FVS docs say. And the VPN policy vs. VPN client policy distinction seems to be automatic, or something odd. I had a client policy and host-host policy generated from the wizard, then deleted the client policy that wasn't working. But when I added a policy, it automatically became a client policy. There can only be one client policy it's used for the 50 client limit on the FVS338 (100 on the FVL328 and 200 on the FVX538) - and any more policies become the 'VPN Policies' (and then the FVS became a little confused). That didn't make much sense, but the VPN Client Policy works, I didn't need to make it a VPN Policy.
Re: Can't connect to Netgear FVS338 by kb on 2006-06-15 12:02:34 +0200
try with "A remote VPN client" option in VPN Wizard along with NG VPN client installed in your windows, that must solve the problem
Re: Can't connect to Netgear FVS338 by pristine on 2006-06-15 12:35:09 +0200
has anyone tried Extended authentication in FVS338, have any one tried modeconfig, any inputs for configuring modeconfig in FVS338 would be appreciated.
IPSecuritas & Checkpoint IPSecuritas & Checkpoint by fiddelm3742 on 2005-11-23 07:12:54 +0100
I'm having some issues with my IPSecuritas/Checkpoint setup. I've got all of the default IPSecuritas settings in as suggest via the forums and the example. I do not have a key being my corporation has a managed firewall(thank you quest :-/) Anywho, perhaps i'm missing a step. Anywho my logs wont help anyone I"ve stopped and started IPsec via ipsecuritas but my log doens't report anything usefull, Just Log output from IPSecuritas 2.1 Nov 23 00:11:16 iBook IPSecuritas: Parsing configuration Nov 23 00:11:16 iBook IPSecuritas: Setting up racoon.conf Nov 23 00:11:16 iBook IPSecuritas: Setting up setkey.conf Nov 23 00:11:16 iBook IPSecuritas: Setting up psk.txt Nov 23 00:11:16 iBook IPSecuritas: Setting up tunnel.conf Nov 23 00:11:16 iBook IPSecuritas: Parsing configuration done Nov 23 00:11:17 iBook IPSecuritas: Starting racoon... Nov 23 00:11:17 iBook IPSecuritas: Racoon is running Nov 23 00:11:17 iBook IPSecuritas: Set kernel keys No real connection info. Now, with the windows client I just attempt to connect to something on our network (206.99.156.0/24) and it then prompts me for the User/Pass (which I already have setup in the software Am I missing something here?
Re: IPSecuritas & Checkpoint by fiddelm3742 on 2005-12-08 20:52:03 +0100
No one knows ehh?
Re: IPSecuritas & Checkpoint by trs80 on 2005-12-15 16:45:14 +0100
You have to use Aggressive Mode under the phase 1 settings, and the rest of the config has to match whatever's in the checkpoint policy (should be able to get that info from the admins). You also must have a user account in what's called the "Internal DB" (again, the admins will know what that is), in the form of an email address.
Netgear FVS318V3 Netgear FVS318V3 by Tony on 2005-12-06 19:48:20 +0100
I see a lot of people were able to get IPSecuritas to work with the FVS318. This wouldn't by any chance be V3 of the router would it? I have an FVS318V3 that simply refuses to cooperate with IPSecuritas (my understanding is that V3 is essentially a completely different router than V1 & V2).
Re: Netgear FVS318V3 by jmizoguchi on 2006-01-29 19:47:50 +0100
I think so too.FVS318, FVX538 doesn't seems to run. newer router has IKE and VPN seperate and old V1,2.4 was differenent setup. I go to work on v2.4. that is on my site at vpncasestudy.com. if someone has done FVS318v3~ to work please submit your story to
[email protected]
compatible with FORTIGATE compatible with FORTIGATE by Sepp maier on 2005-12-13 11:54:00 +0100
IPSECURITAS works well with the fortinet Firewalls (IPSEC with fixed or dynamic IP) GREAT APP.
Re: compatible with FORTIGATE by Gary S on 2005-12-14 21:53:41 +0100
I am trying to get that setup myself, but I don't have any experience with fortigates. I don't think I am setting up the gateway right. Is there any advice you could give me on getting this setup?
Re: compatible with FORTIGATE by Sebastien on 2006-01-02 14:21:33 +0100
Hi, I tried to set up IP Securitas but I am not able to connect to the VPN gateway F50A. I will provide logs this evening if somebody could help me. Sebastien.
Re: compatible with FORTIGATE by stephan on 2006-01-03 13:34:09 +0100
hi, i'm just trying to connect to our fortigate 400. i can't see anything in its logs, i don't even know if my mac tries to connect to it. are there any logs i could look for errors in on the mac side? haven't found any...
Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:19:01 +0100
I got invalid exchange type 6, any idea ? Log output from IPSecuritas 2.1 Jan 10 08:15:33 sunnyday IPSecuritas: Parsing configuration Jan 10 08:15:33 sunnyday IPSecuritas: Setting up racoon.conf Jan 10 08:15:34 sunnyday IPSecuritas: Setting up setkey.conf Jan 10 08:15:34 sunnyday IPSecuritas: Setting up psk.txt Jan 10 08:15:34 sunnyday IPSecuritas: Setting up tunnel.conf Jan 10 08:15:34 sunnyday IPSecuritas: Setting up DNS configuration Jan 10 08:15:34 sunnyday IPSecuritas: Parsing configuration done Jan 10 08:15:35 sunnyday IPSecuritas: Starting racoon... Jan 10 08:15:36 sunnyday IPSecuritas: Racoon is running Jan 10 08:15:36 sunnyday IPSecuritas: Set kernel keys Jan 10 08:15:36 sunnyday racoon: DEBUG2: cfparse.y:1413:cfparse(): parse successed.\n Jan 10 08:15:36 sunnyday racoon: DEBUG: isakmp.c:1592:isakmp_open(): 10.70.1.100[500] used as isakmp port (fd=8)\n Jan 10 08:15:36 sunnyday racoon: DEBUG: isakmp.c:1610:isakmp_open(): 10.70.1.100[4500] used as nat-t isakmp port (fd=9)\n Jan 10 08:15:36 sunnyday racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey X_SPDDUMP message\n Jan 10 08:15:36 sunnyday racoon: DEBUG2: plog.c:199:plogdump(): \n02120200 00020000 00000000 00000395\n Jan 10 08:15:36 sunnyday racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory\n Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:36 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n add net 192.168.1.0: gateway gif0 Jan 10 08:15:37 sunnyday IPSecuritas: Setting ip-label.com|192.168.0.3 Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:12, need update interface address list\n Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting\n Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:346:update_myaddrs(): caught rtm:14, need update interface address list\n Jan 10 08:15:37 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting\n
Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:21:04 +0100
next ... Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2278:oakley_skeyid_dae(): SKEYID_d computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n2f74bea4 1d9d45d0 59b513c1 fa7e59af\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2307:oakley_skeyid_dae(): SKEYID_a computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n7f9756d6 71e1a348 d92dca61 ec3c22ce\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2336:oakley_skeyid_dae(): SKEYID_e computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n130facfb a8d233e5 9f0f3758 41719485\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2478:oakley_compute_enckey(): final encryption key computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n130facfb a8d233e5\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2589:oakley_newiv(): IV computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n2d2fb498 79fe1ee8\n Jan 10 08:15:40 sunnyday racoon: DEBUG: ipsec_doi.c:3238:ipsecdoi_setid1(): use ID type of IPv4_address\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:871:oakley_ph1hash_common(): HASH with:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \nef3561d9 f0900c3e 029593fb 25841dd0 594e3fcd d5fe1b58 efe1df7c 08c9c8fd\n29b35525 9cb6f812 879bae26 ed82f54e c5eb274f 218b23eb 1f2d45ef 0dc9bc14\nd7763a03 4079501e d72bca21 3b3510e0 ff751e4d ccbf2f04 ff67e2ad fceb1f9a\n56585bbe 55a48b2f af8596b7 ad5123b2 11762332 bb616f81 23b97c83 ef2da978\n2023db40 7cb9aace 919d4f1c ce0aa8c6 bdac3f1d 5aa3135c 4e2902c6 66288852\n3ae66d81 de6a179b f52962b0 17a65f1e ba74a423 1e9044e4 f04cb396 8f867c65\naba97d0c c961d04b aa6c9521 fd2e762c 429e876c 03078ebb 6bfb6a60 2373be69\n42f79b97 1464ef99 76a9d436 3c3761fe b01a6cfb b9d5ff4e fc74f5df d0f4a49b\nf79acfe3 3dc85eea 0bea0204 079f0db2 ecde9573 baad6157 f4435c0a cc0fc10f\nbcb0c6ae 998f0c93 f7855faf 89e0dc05 686f787a 98e3a555 76e3baa7 4e40401c\n69a05ea7 bd751de4 2e1fe8cf e1be51d4 f9162b4b 23ec04d2 61f4ab22 1a70da86\n28bbbc8e 041d5253 70af87da 66c5c9b4 da9870a1 80574be5 050ed0a8 d7f067b7\n6f42de18 bdfa477e a83c25fb 8b970626 00000001 00000001 00000028 01010001\n00000020 01010000 800b0001 80 Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:881:oakley_ph1hash_common(): HASH computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump():
Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:21:26 +0100
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n0800000c 011101f4 0a460164 00000014 123027b8 5e8928cd 11cbdddf 36911daa\n00000000 00000008\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2883:oakley_do_encrypt(): with key:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n130facfb a8d233e5\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2891:oakley_do_encrypt(): encrypted payload by IV:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n2d2fb498 79fe1ee8\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2898:oakley_do_encrypt(): save IV for next:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \ndd836560 cb31998b\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2915:oakley_do_encrypt(): encrypted.\n Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 10.70.1.100[500]\n Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:423:sendfromto(): send packet from 10.70.1.100[500]\n Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:425:sendfromto(): send packet to 62.160.52.119[500]\n Jan 10 08:15:40 sunnyday racoon: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 68 bytes message will be sent to 10.70.1.100[500]\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n6f42de18 bdfa477e a83c25fb 8b970626 05100201 00000000 00000044 b748f5c3\n3d61547d d39260d9 9620820e 4f7dfcb3 096ffa0f 887ea505 810acc28 dd836560\ncb31998b\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:1784:isakmp_ph1resend(): resend phase1 packet 6f42de18bdfa477e:a83c25fb8b970626\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:238:isakmp_handler(): ===\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:239:isakmp_handler(): 60 bytes message received from 62.160.52.119[500]\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n6f42de18 bdfa477e a83c25fb 8b970626 05100201 00000000 0000003c a016f50c\n60d392c7 245425dd b460723d ddb226d6 9eb4ce3c e5d6dbef 3a509b07\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2709:oakley_do_decrypt(): begin decryption.\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2723:oakley_do_decrypt(): IV was saved for next processing:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump():
Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:23:54 +0100
Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \nb34d0bdb 03fd6f25 f40ce451 8b0125cb\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:871:oakley_ph1hash_common(): HASH with:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \naba97d0c c961d04b aa6c9521 fd2e762c 429e876c 03078ebb 6bfb6a60 2373be69\n42f79b97 1464ef99 76a9d436 3c3761fe b01a6cfb b9d5ff4e fc74f5df d0f4a49b\nf79acfe3 3dc85eea 0bea0204 079f0db2 ecde9573 baad6157 f4435c0a cc0fc10f\nbcb0c6ae 998f0c93 f7855faf 89e0dc05 686f787a 98e3a555 76e3baa7 4e40401c\n69a05ea7 bd751de4 2e1fe8cf e1be51d4 f9162b4b 23ec04d2 61f4ab22 1a70da86\n28bbbc8e 041d5253 70af87da 66c5c9b4 da9870a1 80574be5 050ed0a8 d7f067b7\nef3561d9 f0900c3e 029593fb 25841dd0 594e3fcd d5fe1b58 efe1df7c 08c9c8fd\n29b35525 9cb6f812 879bae26 ed82f54e c5eb274f 218b23eb 1f2d45ef 0dc9bc14\nd7763a03 4079501e d72bca21 3b3510e0 ff751e4d ccbf2f04 ff67e2ad fceb1f9a\n56585bbe 55a48b2f af8596b7 ad5123b2 11762332 bb616f81 23b97c83 ef2da978\n2023db40 7cb9aace 919d4f1c ce0aa8c6 bdac3f1d 5aa3135c 4e2902c6 66288852\n3ae66d81 de6a179b f52962b0 17a65f1e ba74a423 1e9044e4 f04cb396 8f867c65\na83c25fb 8b970626 6f42de18 bdfa477e 00000001 00000001 00000028 01010001\n00000020 01010000 800b0001 80 Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:881:oakley_ph1hash_common(): HASH computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \nb34d0bdb 03fd6f25 f40ce451 8b0125cb\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:1197:oakley_validate_auth(): HASH for PSK validated.\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp_ident.c:695:ident_i4recv(): peer's ID: Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n01000000 3ea03477\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:838:ph1_main(): ===\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2633:oakley_newiv2(): compute IV for phase2\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2634:oakley_newiv2(): phase1 last IV:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \ne5d6dbef 3a509b07 705fe9e2\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2666:oakley_newiv2(): phase2 IV computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n424f2cb7 f670fab8\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:752:oakley_compute_hash1(): HASH with:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n705fe9e2 0000001c 00000001 01106002 6f42de18 bdfa477e a83c25fb 8b970626\n Jan 10 08:15:40 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:762:oakley_compute_hash1(): HASH computed:\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n266ad6a8 f6e45dc4 5fb596ec 7d0e1603\n Jan 10 08:15:40 sunnyday racoon: DEBUG: oakley.c:2832:oakley_do_encrypt(): begin encryption.\n
Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:24:14 +0100
Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp_inf.c:705:isakmp_info_send_common(): sendto Information notify.\n Jan 10 08:15:40 sunnyday racoon: INFO: isakmp.c:2756:log_ph1established(): ISAKMP-SA established 10.70.1.100[500]-62.160.52.119[500] spi:6f42de18bdfa477e:a83c25fb8b970626\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:885:ph1_main(): ===\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:238:isakmp_handler(): ===\n Jan 10 08:15:40 sunnyday racoon: DEBUG: isakmp.c:239:isakmp_handler(): 68 bytes message received from 62.160.52.119[500]\n Jan 10 08:15:40 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n6f42de18 bdfa477e a83c25fb 8b970626 08100601 532c13ae 00000044 fd7cc74d\nd84776b2 a5f0dc47 fd531bdd 431b17ae 96b7eab9 e371d10a 5daa0397 2c6e4af7\n4aa76e10\n Jan 10 08:15:40 sunnyday racoon: ERROR: isakmp.c:767:isakmp_main(): Invalid exchange type 6 from 62.160.52.119[500].\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:40 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:41 sunnyday racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 5 not interesting\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:1153:isakmp_ph2begin_i(): ===\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:1154:isakmp_ph2begin_i(): begin QUICK mode.\n Jan 10 08:15:41 sunnyday racoon: INFO: isakmp.c:1158:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 10.70.1.100[0]62.160.52.119[0]\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:2633:oakley_newiv2(): compute IV for phase2\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:2634:oakley_newiv2(): phase1 last IV:\n Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \ne5d6dbef 3a509b07 766e76a7\n Jan 10 08:15:41 sunnyday racoon: DEBUG: algorithm.c:252:alg_oakley_hashdef(): hash(md5)\n Jan 10 08:15:41 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:2666:oakley_newiv2(): phase2 IV computed:\n Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \na39303c3 e9f82df6\n Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:795:pk_sendgetspi(): call pfkey_send_getspi\n Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:808:pk_sendgetspi(): pfkey GETSPI sent: ESP/Tunnel 62.160.52.119->10.70.1.100 \n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp_quick.c:129:quick_i1prep(): pfkey getspi sent.\n Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey GETSPI message\n Jan 10 08:15:41 sunnyday racoon: DEBUG2: plog.c:199:plogdump(): \n02010003 000a0000 00000001 00000396 00020001 01d84e96 00000001 00000014\n00030005 ff200000 10020000 3ea03477 00000000 00000000 00030006 ff200000\n10020000 0a460164 00000000 00000000\n Jan 10 08:15:41 sunnyday racoon: DEBUG: pfkey.c:879:pk_recvgetspi(): pfkey GETSPI succeeded: ESP/Tunnel 62.160.52.119->10.70.1.100
Re: compatible with FORTIGATE by sebastien on 2006-01-10 08:24:30 +0100
Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n764e1119 daad3630 d773ca44 7d163814 fd735244 bcf3b18a 4c7b78ae 2c3e225d\n1bcdab8f 1a9e3c2f f57e513f fb2add11 073ce657 5bfddfeb f25d0c67 811edbc5\n45848390 3e4b9762 8e1b8ce3 7c639985 3d8cbe40 7089edb4 6fd50f19 47f2256d\n0a39e2d7 ee6ae265 02ea18b7 f057b4e7 18ff5fcc 68f93184 8c95904a 4d93753d\n8361dec0 5365272d 005298e5 7e85860d 3283b3f5 50c31319 7f02ad7d 1a22eab2\na0b073be f6ee8ad1 58420fe6 e1aa6bfb 41c9dbd7 20e0b0f0 382ada9c 6fc3d6a0\n Jan 10 08:15:41 sunnyday racoon: DEBUG: ipsec_doi.c:3374:ipsecdoi_setid2(): use local ID type IPv4_address\n Jan 10 08:15:41 sunnyday racoon: DEBUG: ipsec_doi.c:3419:ipsecdoi_setid2(): use remote ID type IPv4_subnet\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp_quick.c:206:quick_i1send(): IDci: Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n01000000 0a010364\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp_quick.c:208:quick_i1send(): IDcr: Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n04000000 c0a80100 ffffff00\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 76, next type 10\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 16, next type 4\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 192, next type 5\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 8, next type 5\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 12, next type 0\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:752:oakley_compute_hash1(): HASH with:\n Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n766e76a7 0a000050 00000001 00000001 00000044 01030402 01d84e96 0300001c\n01020000 80010001 80020708 80040001 80050001 80030005 0000001c 02020000\n80010001 80020708 80040001 80050002 80030005 04000014 8cff85b9 59ed4658\nf8bd2bf5 24cba9cb 050000c4 764e1119 daad3630 d773ca44 7d163814 fd735244\nbcf3b18a 4c7b78ae 2c3e225d 1bcdab8f 1a9e3c2f f57e513f fb2add11 073ce657\n5bfddfeb f25d0c67 811edbc5 45848390 3e4b9762 8e1b8ce3 7c639985 3d8cbe40\n7089edb4 6fd50f19 47f2256d 0a39e2d7 ee6ae265 02ea18b7 f057b4e7 18ff5fcc\n68f93184 8c95904a 4d93753d 8361dec0 5365272d 005298e5 7e85860d 3283b3f5\n50c31319 7f02ad7d 1a22eab2 a0b073be f6ee8ad1 58420fe6 e1aa6bfb 41c9dbd7\n20e0b0f0 382ada9c 6fc3d6a0 0500000c 01000000 0a010364 00000010 04000000\nc0a80100 ffffff00\n Jan 10 08:15:41 sunnyday racoon: DEBUG: algorithm.c:322:alg_oakley_hmacdef(): hmac(hmac_md5)\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:762:oakley_compute_hash1(): HASH computed:\n Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n9c2c2ffc 9af360c2 8193a055 d306a357\n Jan 10 08:15:41 sunnyday racoon: DEBUG: isakmp.c:2457:set_isakmp_payload(): add payload of len 16, next type 1\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:2832:oakley_do_encrypt(): begin encryption.\n Jan 10 08:15:41 sunnyday racoon: DEBUG: algorithm.c:382:alg_oakley_encdef(): encription(des)\n Jan 10 08:15:41 sunnyday racoon: DEBUG: oakley.c:2848:oakley_do_encrypt(): pad length = 8\n Jan 10 08:15:41 sunnyday racoon: DEBUG: plog.c:199:plogdump(): \n01000014 9c2c2ffc 9af360c2 8193a055 d306a357 0a000050 00000001
Known Good Sonicwall TZ130 Settings Known Good Sonicwall TZ130 Settings by nunya biznas on 2005-12-31 17:42:53 +0100
If you have trouble, try removing the connection settings in IPSecuritas, quit the application and start over by creating a New Connection. I do this whenever I hit "Start IPSEC" in IPSecuritas and see "X_SPDDUMP failed: No such file or directory" in the IPSecuritas log or nothing at all in the sonicwall log, (they tend to happen at the same time). I just got a sonicwall tz 170 to work with IPSecuritas on 10.4.3, here are the settings. Omitted items are blank or unchecked. ------IPSECURITAS-----:General host to network / static ip at work first three numbers of work network plus a zero (192.168.1.0) 24 / ip address of IPSecuritas machine / main / obey / 16 :Phase 1 28000 / mod1024(2) / 3des / sha1 :phase 2 28800 / mod768(1) / des / hmac md5 :id/auth address / address preshared secret from sonicwall :options ipsec doi / sit_identity_only / initial contact generate policy / dhcp pass-through / establish ike immediatly ------SONICWALL-----:general ike using pre-shared secret groupvpn your secret here :proposals :phase1 group 2 / 3des / sha1 / 28800 :phase2 esp / des / md5 / group 1 / 28800 :advanced forward packets / 0.0.0.0 / lan :Client always / this gateway only / use dhcp
IPSecuritas & Checkpoint VPN-1 Pro R60 IPSecuritas & Checkpoint VPN-1 Pro R60 by perezcr1 on 2006-01-03 19:58:07 +0100
I have manage to connect to the VPN, I can even connect to the VPN web console. But If i try to do a ping Remote desktop , the firewall gets the packet but doesn't let it pass. Have any one been able to work with this configuration. I have OSX 10.4.3 and the latest version of IP Securitas. Any help will be greatly appreciated.
ANN: 10.4.4 Update Broke IPSecuritas 2.1? ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Lawrence Bean on 2006-01-12 17:33:16 +0100
I have been using IPSecuritas with 5 IPCop firewalls happily for a number of months. Great product. I just this morning installed the 10.4.4 update from Apple. Now when I start IPSecuritas, it says everything is OK and I get green chechmarks, but I get no connectivity. I cannot ping anything on the network. Even more distressing, even with IPSecuritas quit I cannot ping the IPCop firewall at its public address. I can ping the gateway to all 5 buildings, but trying to ping the firewalls results in 100% packet loss. On another computer right beside this one that does not have IPSecuritas and has never used VPN but it otherwise *exactly* the same including the 10.4.4 update, I can ping both the gateway and the firewall happily. On this machine, I can ping anywhere else on the network except my five firewall addresses. As it happened to all five firewalls in very physically separated buildings, that pretty much rules out the firewalls being the trouble, and as it works on a computer next to this one that pretty much rules out the network between here and there, leaving the problem with this machine. My suspicion is that a config file somewhere has blown up, but I'm not sure where to even begin looking. My next step will be an uninstall/reinstall of IPSecuritas. In the meantime, and suggestions of how else to "clean house" would be greatly appreciated.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Flo Wagner on 2006-01-13 11:48:40 +0100
I have the very same problem as Lawrence. After installing the 10.4.4 update I cannot reach any client in the network after establishing an IPSec connection with IPSecuritas 2.1 (the firewall is IPCop, too). Yet, I can ping the firewall when IPSec ist stopped. Last entry in the IPCop log is "IPSec SA established". So it may be some kind of routing error?! Any hint would be greatly appreaciated. Regards, Flo
Re: 10.4.4 Update Broke IPSecuritas 2.1?
by LBean on 2006-01-13 16:13:24 +0100
Update: Complete uninstall of IPSecuritas including pref files followed by reboot set things back to "right" as far as normal, non-vpn functions are concerned. I can now ping the public side of everything and get the firewall web interfaces. Reinstall and reconfiguration of IPSecuritas vpn with certificates to a single firewall gave green checkmarks on both my side and the firewall side. Both logs look correct as a normal establishment of a vpn. However, no joy being able to ping any device on the remote Green network, even the private side of the firewall, no ability to "lookup" any hardcoded FQDN of a private host in Green, and traceroute to the private side of the firewall times out without yeilding any useful information. I am now officially in over my head. Good news: OpenVPN (tunnelblick) is now working where it wasn't before uninstall/reinstall of IPSecuritas.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by cnadig on 2006-01-16 17:32:55 +0100
Hello, I could not find any problems after upgrading to 10.4.4 - but this might be very depending on the specific configurations used. In order to investigate, could you please give a descripton of you settings and of your network setup. Also, please supply the ouput of the following commands while IPSec is running (the green check mark is visible): sudo setkey -DP sudo setKey -D netstat -nr ifconfig -a (please replace confidential information like your public IP address with anynomized information). Thanks, Christoph
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Vincent on 2006-01-18 16:04:49 +0100
Hello, I have the same problem since installation of 10.4.4 but the check mark stay red. I deleted the pref file without success. Both setkey commands return nothing. The firewall is CheckPoint/Gateway R60 (NGX) HFA-01. Vincent
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Flo Wagner on 2006-01-18 19:48:01 +0100
Output of the commands is as follows: [code]$ sudo setkey -DP 0.0.0.0/0[any] 192.168.254.199[any] any in ipsec esp/tunnel/192.168.254.254-192.168.254.199/require spid=1 seq=1 pid=562 refcnt=1 192.168.254.199[any] 0.0.0.0/0[any] any out ipsec esp/tunnel/192.168.254.199-192.168.254.254/require spid=2 seq=0 pid=562 refcnt=1[/code] [code]$ sudo setkey -D 192.168.254.199 192.168.254.254 esp mode=tunnel spi=1228686566(0x493c44e6) reqid=0(0x00000000) E: 3des-cbc [...] A: hmac-md5 [...] replay=4 flags=0x00000000 state=mature seq=1 pid=566 created: Jan 18 19:21:34 2006 current: Jan 18 19:23:21 2006 diff: 107(s) hard: 28800(s) soft: 23040(s) last: Jan 18 19:23:06 2006 hard: 0(s) soft: 0(s) current: 6832(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 45 hard: 0 soft: 0 refcnt=2 192.168.254.254 192.168.254.199 esp mode=tunnel spi=162150579(0x09aa38b3) reqid=0(0x00000000) E: 3des-cbc [...] A: hmac-md5 [...] replay=4 flags=0x00000000 state=mature seq=0 pid=566 created: Jan 18 19:21:34 2006 current: Jan 18 19:23:21 2006 diff: 107(s) hard: 28800(s) soft: 23040(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 refcnt=1[/code] [code]$ netstat -nr Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 192.168.254.254 UGSc 2 5 en1 127 127.0.0.1 UCS 0 0 lo0 127.0.0.1 127.0.0.1 UH 63 6335 lo0 169.254 link#5 UCS 0 0 en1 192.168.254 link#5 UCS 2 0 en1 192.168.254.199 127.0.0.1 UHS 0 0 lo0 192.168.254.254 0:5:5d:a2:de:6 UHLW 5 59 en1 1046[/code] [code]$ ifconfig -a lo0: flags=8049 mtu 16384 inet 127.0.0.1 netmask 0xff000000 inet6 ::1 prefixlen 128 inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 gif0: flags=8010 mtu 1280 stf0: flags=0 mtu 1280 en0: [...] en1: flags=8863 mtu 1500 inet6 ****::***:****:****:****%en1 prefixlen 64 scopeid 0x5
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Olaf Seifert on 2006-01-19 17:11:58 +0100
The same here, since running Mac OS X v.10.4.4. When trying to establish a VPN-connection in the used manner, IPSecuritas 2.1 shows green checkmark but my Mac can not reach anything behind IPCop-firewall v1.4.10 (ping-time-out etc.) ???
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Nick Rutter on 2006-01-19 19:48:11 +0100
I've had the same problem! I was happily using IPsecuritas 2.1 on 10.4.3, on a network using IPsec, and all was well until I updated to 10.4.4. Now only local things work, and the windows machines on the network all are still working, so I know that it's me. Other mac users have suffered the same problem as me. Anybody know how to fix this? Is apple going to release a fix? Is IPsecuritas going to be updated?
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Chris Haas on 2006-01-19 23:25:21 +0100
On my mac IPSecuritas is working. On a other mac its broken. The thing what is different: I did the combo update. On the other mac it was the delta update. Any exp. with that? Chris
Re: 10.4.4 Update Broke IPSecuritas 2.1? by LBean on 2006-01-20 02:05:49 +0100
>could you please give a descripton of your settings and of your network setup I am connecting to an IPCop 1.4.10 firewall from home over cablemodem. Here is the writeup I use to configure IPSecuritas, which has worked fine for months and no changes have been made: ----In the General tab, set the following: Mode of Operation: Host to Network Remote IPSec Device: [firewall IP] Remote Network: [remote IP/mask] Local Address: [blank] Exchange Mode: Main Proposal Check: Obey Nonce Size: 16 In the Phase-I tab, set the following: Lifetime: 28800 DH Group: Mod1536 (5) Encryption: 3DES Authentication: SHA1 In the Phase-2 tab, set the following: Lifetime: 28800 PFS Group: Mod1536 (5) Encryption: check "3DES" and "AES 128", uncheck all others Authentication: check "HMAC SHA1", uncheck all others In the ID/Auth tab, set the following: FIRST: select "Certificates" at the bottom, change Local: to the name of your private certificate, change Remote from "Check CA" to the name of the building SECOND: above, set both "Local Identifier" and "Remote Identifier" to "Certificate" In the Options tab, check everything EXCEPT Passive and Auto-Start Click OK When you want to connect, click "Start IPSec". If all was done correctly, after a few moments, the red X should change to a green checkmark. You can now use your remote computer on the school network just as though you were at school. ----I do get the green checkmark, and the IPCop also shows a connection successfully made. I'm told my message is too long, so I will post output separately.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by LBean on 2006-01-20 02:06:23 +0100
>please supply the ouput of the following commands while IPSec is running >(the green check mark is visible) >sudo setkey -DP "*" used to mask real numbers, but all numbers are correct. My local address is assigned dynamically by RoadRunner, so I left it as is. 192.168.*.*/*[any] 24.198.95.95[any] any in ipsec esp/tunnel/*.*.*.*-24.198.95.95/require spid=1 seq=1 pid=284 refcnt=1 24.198.95.95[any] 192.168.*.*/*[any] any out ipsec esp/tunnel/24.198.95.95-*.*.*.*/require spid=2 seq=0 pid=284 refcnt=1 > sudo setKey -D 24.198.95.95 *.*.*.* esp mode=tunnel spi=1437978041(0x55b5cdb9) reqid=0(0x00000000) E: 3des-cbc 9c637e10 e4be7f47 ef9ddde9 def83280 036657ba 8b29c7a1 A: hmac-sha1 92d7e0ab d08d7b87 ce0a09f0 5fb22b4e 46988358 replay=4 flags=0x00000000 state=mature seq=1 pid=288 created: Jan 19 19:33:17 2006 current: Jan 19 19:55:09 2006 diff: 1312(s) hard: 28800(s) soft: 23040(s) last: Jan 19 19:36:44 2006 hard: 0(s) soft: 0(s) current: 4080(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 30 hard: 0 soft: 0 refcnt=2 *.*.*.* 24.198.95.95 esp mode=tunnel spi=191312427(0x0b67322b) reqid=0(0x00000000) E: 3des-cbc 842f4747 51ce44f1 3aaa2acd 401eb533 8d00d4a6 9c53aaf7 A: hmac-sha1 ca79cf33 f049c230 be103704 b7f96b4a 56c5d5d0 replay=4 flags=0x00000000 state=mature seq=0 pid=288 created: Jan 19 19:33:17 2006 current: Jan 19 19:55:09 2006 diff: 1312(s) hard: 28800(s) soft: 23040(s) last: hard: 0(s) soft: 0(s) current: 0(bytes) hard: 0(bytes) soft: 0(bytes) allocated: 0 hard: 0 soft: 0 refcnt=1 >netstat -nr Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 24.198.80.1 UGSc 15 105 en1 24.198.80/20 link#5 UCS 2 0 en1 24.198.80.1 0:5:74:f2:90:8c UHLW 15 0 en1 1200 24.198.93.26 0:a:95:72:b:b4 UHLW 1 9 en1 24.198.95.95 127.0.0.1 UHS 0 0 lo0 127 127.0.0.1 UCS 0 0 lo0 127.0.0.1 127.0.0.1 UH 10 1969 lo0 169.254 link#5 UCS 0 0 en1
Re: 10.4.4 Update Broke IPSecuritas 2.1? by busta on 2006-01-20 15:06:29 +0100
Same problem here, just installed IPSecuritas 2.1 under Mac os X 10.4.4 and it isnt working. I don't seem to get much log output either. Sometimes it logs, and sometimes it doesen't. If i use VPN-tracker it works ok. I'm connecting to a Zywall 70.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by LBean on 2006-01-28 20:42:31 +0100
RE:Chris Haas and 10.4.4 combo I just installed the 10.4.4 combo update over my current 10.4.4, but no change. Still green checkmarks and both ends log a good connection, but pings are 100% packet loss and traceroute shows nothing. Chris, did you use the 10.4.4 combo to update 10.4.3? Are you connecting to IPCop? If so, could you post your IPSecuritas settings and prefs and IPCop settings so I could compare for differences?
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Trevor Baker on 2006-01-29 21:57:31 +0100
Hi, Like other posters, I have the same problem since updating OS X to 10.4.4 (using the combo updater). Thinking that I have messed up, I re-installled OS X from the original media and used software update to bring myself back up to 10.4.4. Nothing has changed on my IPCop box, nor my IPSecuritas configuration. The only change has been updating from 10.4.3 to 10.4.4. I use my VPN to secure my wireless connection (IPCop blue interface) to the LAN and Internet (Host to Anywhere). When the VPN is not started, I can ping the WLAN intarface on my access point (10.0.1.3), the Blue interface on my IPCop Box (10.0.1.1) and the Green interface (10.0.0.1). When started, I can ping the access point (10.0.1.3), but cannot ping any anything else on my network/Internet. Both IPSecuritas and my IPCop box register an open VPN but no traffic can pass. I have been able to verify the IPCop side with another (wired) workstation. I am including my results from the terminal commands asked for by cnadig. sudo setkey -DP 10.0.1.1[any] 10.0.1.10[any] any in none spid=1 seq=7 pid=224 refcnt=1 0.0.0.0/0[67] 10.0.1.10[any] any in none spid=3 seq=6 pid=224 refcnt=1 0.0.0.0/0[68] 10.0.1.10[any] any in none spid=5 seq=5 pid=224 refcnt=1 0.0.0.0/0[any] 10.0.1.10[any] any in ipsec esp/tunnel/10.0.1.1-10.0.1.10/require spid=7 seq=4 pid=224 refcnt=1 10.0.1.10[any] 10.0.1.1[any] any out none spid=2 seq=3 pid=224 refcnt=1 10.0.1.10[67] 0.0.0.0/0[any] any out none spid=4 seq=2 pid=224 refcnt=1 10.0.1.10[68] 0.0.0.0/0[any] any out none spid=6 seq=1 pid=224 refcnt=1 10.0.1.10[any] 0.0.0.0/0[any] any out ipsec esp/tunnel/10.0.1.10-10.0.1.1/require spid=8 seq=0 pid=224 refcnt=1 sudo setkey -D No SAD entries.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Trevor Baker on 2006-01-29 21:59:49 +0100
Sorry, I forgot to close my prevoius post. Thank you for looking at my post, I hope my information will be helpful in solving our problem. Trevor
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Chris Haas on 2006-02-09 09:17:40 +0100
I noticed that the problem only exist if the ip adress of the mac is an "official" ip adress and so the ip-adress of the mac is one end of the tunnel. If I establish a tunnel when my Mac is behind a NAT-router (and so it has a privat ip-adress) I can get traffic through the tunnel. I tested it with 2 different Mac all with 10.4.4. Chris
Re: 10.4.4 Update Broke IPSecuritas 2.1 WORKAROUND by LBean on 2006-02-10 14:11:15 +0100
I can verify this! I just set my airport base station to "share a single IP address using dhcp and nat" and my IPSecuritas worked perfectly. I went back to having my base station as a "dumb hub" only and although I still get the green connection checkmark I cannot connect to nor ping anything on the remote network. Back to dhcp/nat on the airport, and I am pinging, connecting to servers, and using Remote Desktop. Now the BIG QUESTION .... *WHY*??? And what about those poor souls who do not have an airport base station to carry around in their front pocket? Does anyone from Lobotomo participate in this list? I've sent two emails to their support address simply asking if they were aware of this thread, but never got any reply, not even just a simple "yes" or "no".
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Erik Meitner on 2006-02-13 20:41:09 +0100
We have also run into this problem. Connecting to a Netscreen 5GT worked great for our Macs until we updated them to 10.4.4. The Netscreen reports that the phase-2 negotiations could not complete because there were no acceptable phase-2 proposals. The exact same VPN configuration works fine on non-10.4.4 Macs. The Log shows the following after the VPN is brought up: Feb 13 13:19:41 Horse-with-no-name-3 racoon: ERROR: isakmp_inf.c:847:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 13 13:19:41 Horse-with-no-name-3 racoon: DEBUG: isakmp_inf.c:869:isakmp_info_recv_n(): notification message 14:NOPROPOSAL-CHOSEN, doi=1 proto_id=1 spi=0b57ba623078e122 279132308d30c6b6 (size=16).
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Erik Meitner on 2006-02-13 21:05:03 +0100
And in addition to my post above: The generated racoon and setkey configs do not differ at all between our Macs that work and those that don't(10.4.4).
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Jeremy cooke on 2006-02-14 12:35:46 +0100
I experienced the same problem and searched the web for a solution. I am NON technical and didnt understand half of what was being said.Remote connection for me was critical, so i decided to look for another VPN client solution,connecting to an Exchange server. I downloaded and installed the 30 day demo of VPN tracker and failed to configure it proerly because its way above my expertise. BUT geuss what,almost immediately my IP securits connection came to life on a hard wire connection and on the built in airport.dont know why or how but thats what happened.I geussi ts bad news for VPN Tracker sales, but hey it did it for me.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by Erik Meitner on 2006-02-14 16:51:14 +0100
I tried the VPN Tracker demo on the same 10.4.4 box that IPSecuritas does not work on. VPN Tracker worked fine. As I understand it, it does not use the BSD native 'racoon' IKE daemon so it is no surprise that it works. I manually configured racoon and tried to establish a VPN. Phase-2 negatiations still fail. This is a known good configuration. I tried reconfiguring the VPN for various phase-2 authentication and encryption types with no success. Apple broke something. I think we need to just wait for them to fix it.
Re: 10.4.4 Update Broke IPSecuritas 2.1? by mrfett on 2006-02-14 20:21:09 +0100
[quote author=Jeremy cooke link=1137083596/15#19 date=1139916946]I downloaded and installed the 30 day demo of VPN tracker and failed to configure it proerly because its way above my expertise. BUT geuss what,almost immediately my IP securits connection came to life on a hard wire connection and on the built in airport.[/quote] wait you just installed this app and IPSecuritas started working? i know my issue is a little different than the one discussed here, but i'll give that a shot...
Re: 10.4.4 Update Broke IPSecuritas 2.1? by cnadig on 2006-02-14 22:04:56 +0100
Hello all, thank you very much for your logs and other hints - they helped a lot in tracking down the problem. There were indeed a lot of changes in racoon (the IKE daemon, responsible for the key exchange and some part of kernel configuration for IPSec) between 10.4.3 and 10.4.4. Unfortunately, these changes make it necessary for us to supply a new version of IPSecuritas which includes its own, working version of racoon, which will take one or two more days. We're very sorry for all inconveniences! The new version will be labeled 2.2 and will be announced through the usual channels (www.versiontracker.com, www.lobotomo.com) Thanks again, Christoph (Lobotomo Software)
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Trevor Baker on 2006-02-15 02:38:28 +0100
Hi, There's an update to Mac OS X (10.4.5) using Software Update. This fixed my issue with IPSecuritas. Thanks, Trevor
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Flo Wagner on 2006-02-15 12:31:45 +0100
Thanks Trevor, installing the 10.4.5 update did it for me, too. And thanks anyway to Christoph for his assistance! Cheers, Flo
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Vincent on 2006-02-17 14:03:27 +0100
I installed Combo 10.4.5 and no change. I rebuild the preference file. I have "IPSec started" but red X stay. No green check.
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Erik Meitner on 2006-02-17 19:17:26 +0100
I can verify that the 10.4.5 update did fix the problem.
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by yon on 2006-02-17 20:23:44 +0100
I am using 10.4.5 and I can't get an IP address from IPCOP behind the VPN. Any ideas? My setup looks like the normal IPCop/IPSecuritas setup.
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by xdavid on 2006-02-19 09:57:59 +0100
Another confirmation: 10.4.5 fixed it. From the update release notes: "... includes general operating system fixes, as well as specific fixes for the following applications and technologies: ... -VPN connections to Cisco servers when using NAT" Interestingly, I thought this was a misleading note since I only got a problem when I was on a public IP and it worked fine behind a NAT router (Netgear). However, on further analysing where it worked and where it did not, my 'public' IPs were all dynamically assigned by the ISP, whereas the LANs where I was behind a NAT router actually had a static external IP assigned to them. This suggests to me that there was more of a general routing bug in 10.4.4 than just NAT. This was the specific error in the logs where it broke down an would not complete phase 2 negotiations (although it seemed to get a fair way through them)... Feb 18 13:27:09 Redpaw racoon: DEBUG: isakmp.c:1831:isakmp_ph2resend(): resend phase2 packet dd03679ef51ce26e:ff15187961a5d0bf:2279bb6f\n Feb 18 13:27:09 Redpaw racoon: ERROR: isakmp.c:196:isakmp_handler(): the length of the isakmp header is too big.\n Feb 18 13:27:11 Redpaw racoon: ERROR: isakmp.c:183:isakmp_handler(): packet shorter than isakmp header size.\n Anyway, all better now with the 10.4.5 update. ;D Thanks Lobotomo for your continued support for IPSecuritas. I hope my small contribution to your tip-jar allows you to continue your great work for the Mac community! -david
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Brian Reed on 2006-03-01 19:11:15 +0100
IPSecuritas 2.1 and MAC OS 10.4.5 is NOT working for us
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Vincent on 2006-03-01 21:33:28 +0100
[quote author=Brian Reed link=1137083596/15#29 date=1141236675]IPSecuritas 2.1 and MAC OS 10.4.5 is NOT working for us[/quote] I override /usr/sbin/racoon file with the 10.4.3 version and it's OK. I don't know why...
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Trevor Baker on 2006-03-02 01:40:58 +0100
Hi, Just thought I'd drop a quick note. The Apple security update breaks the 10.4.5 "fix" again. VPN is down. According to Apple this update fixes an IPSec issue with regards to remote DoS attacks. The blurb from Apple's site follow. BTW, how's the update for IPSecuritas coming? I'll gladly be a tester if you like. Also, Vincent, where can one find /usr/sbin/racoon from 10.4.3? Trevor ----------------------------------Taken from docs.apple.com--------------------------IPSec CVE-ID: CVE-2006-0383 Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5 Impact: Remote denial of service against VPN connections Description: Incorrect handling of error conditions for virtual private networks based on IPSec may allow a remote attacker to cause a service interruption. This update addresses the issues by correctly handling the conditions that may cause crashes. Credit to OUSPG from the University of Oulu, NISCC, and CERT-FI for coordinating and reporting this issue.
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Vincent on 2006-03-02 02:28:52 +0100
Hi Travor, I try the update Update 2006-001 without success. I had installed 10.4 and Combo 10.4.3 on a external disk to obtain racoon. Vincent
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Flo Wagner on 2006-03-20 14:13:27 +0100
The Security Update did break my setup again, too. But if 10.4.5 worked for you, you can simply extract the racoon executable from the 10.4.5 Combo Update, available here: http://www.apple.com/support/downloads /macosxupdate1045combo.html. Mount the .dmg and choose 'Show package content' from the context menu of the .pkg file. Next unpack 'Archive.pax.gz' from the Content subdir of the package. Then just overwrite /usr/sbin/racoon with the one you just extracted (you must be root to do that). You can always revert to the latest racoon version by simply installing 'Security Update 002' (http://www.apple.com/support/downloads /securityupdate2006002v11macosx1045ppc.html). Regards, Flo P.S.: Do this at you own risk. I wont take any liability for damage (e.g. you Mac explodes or something ;)). Also be careful when working as root, as one can easily breake some vital system files.
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Trevor Baker on 2006-04-04 01:38:10 +0200
Hi Gang, The new OS X Tiger update, 10.4.6, again restores IPSecuritas functionality. Just wanted to let everyone know. Any news on the update to 2.2 for IPSecuritas? Thanks, Trevor
Re: ANN: 10.4.4 Update Broke IPSecuritas 2.1? by Vincent on 2006-04-04 11:55:46 +0200
No success for me with 10.4.6 and CheckPoint NGX Sometime it's work with 10.4.3 image of /usr/sbin/racoon Vincent
Local Address with Sonicwall
Local Address with Sonicwall by rtl on 2006-01-19 04:22:30 +0100
Hi, I've been trying to get IPSecuritas 2.1 working with a Sonicwall TZ150. It failed during Phase 2 with the following message... "IKE Responder: No match for proposed remote network address" I was able to resolve the issue by setting a remote address of 192.168.45.0 in the Sonicwall SA and setting my local address in IPSecuritas to 192.168.45.5, but I've never had to enter a local address for the settings I've used for Netscreen firewalls. Are there other Sonicwall/IPSecuritas users who have had this problem and been able to resolve it? I've tried some of the setups listed on the boards that say they work, but have not been able to get anything going until I added the local address setup. Thanks!
How to export a certificate that can go in to CM? How to export a certificate that can go in to CM? by GrandPA on 2006-02-01 23:26:33 +0100
Is there anyone who can tell me how to export a certificate (selsigned) from the mac to one thats accepted by IPSecuritas?
Unable to Browse Network - BEFSX41 Unable to Browse Network - BEFSX41 by mrfett on 2006-02-06 21:44:34 +0100
I'm trying to use IPSecuritas to connect to a Linksys BEFSX41 running 1.52.9 firmware. My Mac is running OS X 10.4.4. I can successfully make a connection (I get a green checkmark) but I am unable to see any of the machines on the network. When I try to ping a machine, the message is "no route to host". Can anyone offer some advice? I'm using 3DES and SHA if that makes any difference. Thank you.
Re: Unable to Browse Network - BEFSX41 by mrfett on 2006-02-15 18:45:50 +0100
10.4.5 didn't help me, just FYI.
Re: Unable to Browse Network - BEFSX41 by yves_kayak on 2006-03-05 20:17:29 +0100
Hello, If you get the green light and get a "no route to host" error, I think your remote network config is wrong. Edit your configuration. In the General tab, check the "remote network" field. (If you're not sure, the network admin will provide you this information). Also, check the other field on that line, the number of bits in mask. If your mask is 255.255.255.0, use 24 bits; it your mask is 255.255.0.0 use 16 bits. Hope this helps, Yves
Re: Unable to Browse Network - BEFSX41 by mrfett on 2006-03-24 17:22:58 +0100
forgot to thank you for the advice. unfortunately, that config tip didn't help either. i've gone over all the instructions pretty thoroughly, and can't see what the issue could be. but thanks for the help.
Starting IPSec from command line Starting IPSec from command line by Peer Sandtner on 2006-02-08 20:57:43 +0100
How can I start/stop IPSec from the command line? It seems that IPSecuritas is not scriptable. But perhaps there are other solutions out there. Thanks, Peer
Connecting to IPCOP IP Address (DHCP) Problem Connecting to IPCOP IP Address (DHCP) Problem by boblee on 2006-02-16 04:54:00 +0100
I am running OS X 10.4.5, and I am having the same issue with 10.4.4. When connecting to IPCOP VPN I do not seem to get an IP address from IPCOP via DHCP. Infact, I dont seem to have an IP address at my works internal network at all. Am I suppose to be getting an IP via DHCP from IPCOP? It's setup to give out addresses, and when I plug in my laptop at work I get an address.
Once I am connected to through the VNP I can connect to pretty much any machine in my works network, but every connection comes from my home's private IP. For example, if I ssh to one of our servers at its internal address of 192.168.1.158 and I check to see where I am connected from it'll show my Home's NAT, so it would look something like 10.1.1.101 Any ideas? I'd like to get a private IP from IPCOP via DHCP just like I do when I plug in my laptop at work.
Re: Connecting to IPCOP IP Address (DHCP) Problem by Stephen on 2006-02-17 20:21:17 +0100
Are you suppose to get an IP from the VPN with IPSecuritas? So your system has 2 IPS????
Re: Connecting to IPCOP IP Address (DHCP) Problem by yon on 2006-03-10 23:45:59 +0100
I have the same problem with 10.4.5 Any solution??
IPSecuritas Working with Windows Server RRAS IPSecuritas Working with Windows Server RRAS by Jack Valko on 2006-02-16 08:16:06 +0100
Has anyone gotten IPSecuritas to connect to a Windows 2003 Server running RRAS?
Universal Binary Universal Binary by Andreas Ley on 2006-02-20 02:06:30 +0100
Hey there. IPSecuritas rules - thanks for that! I'm a proud owner of an Intel-based iMac, and as such I prefer using native binaries (mostly for speed issues). But, for the record, everything works completely fine under Rosetta, using either 10.4.4 and 10.4.5. As far as I understand, IPSecuritas is a GUI for the built-in "racoon" of MacOS X, so the speed of the actual IPSec connection isn't affected by IPSecuritas beeing PowerPC only. Since that may change with version 2.2, I was wondering if I could provide any help to make IPSecuritas an universal binary. I can do some compiles and tests, but my coding skills are below average. :) Also, I had a few ideas concerning interface enhancements (with some additional icons, if you'd welcome that). Is it ok to drop you a mail with an example? Thanks for the great work; keep it up! PS: I tried to register, but I couldn't get the forum script to actually send me a mail in 15 minutes. But maybe it'll get to me later.
Re: Universal Binary by cnadig on 2006-02-21 23:40:37 +0100
Hello Andreas, thank you very much for your feedback - certainly I'd like to receive all of your proposals, please just send me an e-mail to
[email protected]. I will start to port IPSecuritas 3.0 (which at the moment is in beta testing, soon a public beta will be released) to the new Intel architecture as soon as I can get hold of a Intel machine for a few days. Cheers, Christoph
checkpoint office mode IKE over TCP checkpoint office mode IKE over TCP by Yitz Jacob on 2006-02-21 10:34:21 +0100
I use checkpoint's secureclient (username & password, office mode, and IKE over TCP being the only real configuration settings) does this translate into something that can be configured in ipsecuritas..? i would really love to use my ibook to do my work rather than my pc.. thanks :) yitz
Sonicwall TZ170 Sonicwall TZ170 by w_grace on 2006-02-21 13:08:46 +0100
Hello, I am trying to get connected to a Sonicwall TZ170 and I am getting the following; Feb 21 11:54:42 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Verify Identifyer is not selected and i have set the Remote Identifyer to the IP address of the Sonicwall, both these suggestions I have seen in relation to this error. Any ideas?
Re: Sonicwall TZ170 by w_grace on 2006-02-21 17:42:33 +0100
I get the same thing with VPN Tracker, and they suggest going back to the Default settings on the Sonicwall, but that would kill other clients that are logging in OK. This is the only Mac Client I have and I get the following all the time. Phase-1 Group 1 3DES MD5 28000 Phase-2 ESP 3DES MD5
Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:31:35 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:31:54 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:32:04 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait. Feb 21 16:31:54 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:32:04 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait. Feb 21 16:33:49 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:33:49 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:34:10 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:34:19 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait. Feb 21 16:34:10 HDGroup-01 racoon: ERROR: isakmp_inf.c:848:isakmp_info_recv_n(): unknown notify message, no phase2 handle found. Feb 21 16:34:19 HDGroup-01 racoon: ERROR: pfkey.c:745:pfkey_timeover(): 80.169.171.194 give up to get IPsec-SA to time up to wait. Any help would be great. Thanks
due
due
due
due
Watchguard Firebox Edge: USER_FQDN ID? Watchguard Firebox Edge: USER_FQDN ID? by jmaynard on 2006-02-24 04:56:44 +0100
I'm trying to get IPSecuritas running with a Watchguard Firebox Edge X5. I know it can do IPSec, because it's talking with VPN Tracker. Unfortunately, I can't get it to work with IPSecuritas. The problem is that the local identifier needs to be a USER_FQDN string, and I can't see how to set that in IPSecuritas. The underlying racoon config file has it as a valid my_identifier type, but I can't see where IPSecuritas is keeping its racoon.conf so I can see if it'll work at all. Can i get there from here?
Re: Watchguard Firebox Edge: USER_FQDN ID? by DDA on 2006-02-25 04:18:03 +0100
You can indeed get there from here; simply select DN for the Local Identifier in the Id/Auth page and fill it is with
[email protected] (or even just @domain.com) and IPSecuritas will send a USER_FQDN ID.
Re: Watchguard Firebox Edge: USER_FQDN ID? by jmaynard on 2006-02-25 05:19:23 +0100
[quote author=DDA link=1140753404/0#1 date=1140837483]You can indeed get there from here; simply select DN for the Local Identifier in the Id/Auth page and fill it is with
[email protected] (or even just @domain.com) and IPSecuritas will send a USER_FQDN ID. [/quote] Nice...except for one problem: it needs to be tagged as a USER_FQDN, but it's just a user name with no @ or domain name attached. Is there a way I can force it to USER_FQDN without that?
Re: Watchguard Firebox Edge: USER_FQDN ID? by DDA on 2006-02-25 17:35:28 +0100
I believe if you put an @ in front of it, it will be sent as a USER_FQDN. So if it would normally be "myusername", try "@myusername". From the help: [i]2. Domain Name (DN): This can either be a fully qualified distinguished name (FQDN, e.g. lobotomo.com) or a user fully qualified distinguished name (USER_FQDN, e.g.
[email protected]). Normally, IPSecuritas determines the type itself (i.e. if there is a @ character in the name it's automatically considered a USER_FQDN. If you want to force IPSecuritas to always send the consider the identification as USER_FQDN, prepend one @ character in front of the FQDN, e.g. @lobotomo.com)[/i] I don't know if this will send the @ or just force it to say it is a USER_FQDN but give it a try! :-)
Re: Watchguard Firebox Edge: USER_FQDN ID? by jmaynard on 2006-02-25 22:15:18 +0100
[quote author=DDA link=1140753404/0#3 date=1140885328]If you want to force IPSecuritas to always send the consider the identification as USER_FQDN, prepend one @ character in front of the FQDN, e.g. @lobotomo.com)[/quote] It didn't work. I tried it with the @ both before and after the user name. I think it's sending the @ while flagging it as a USER_FQDN. The help quoted seems to say that you can send a domain name as USER_FQDN. I need to send the user ID with no domain name or @ attached, as a USER_FQDN.
Netscreen 5XP login issues Netscreen 5XP login issues by Derek on 2006-02-27 16:58:54 +0100
I can connect from home to my Netscreen 5XP at work but I can only see a few macs as active using Apple remote desktop. Most of them are NOT visible. I can't even ping them. Any hints?
Re: Netscreen 5XP login issues by TZ on 2006-03-30 20:40:09 +0200
Review your netscreen policies, there should be something there... ;)
Anyone using IPSecuritas/Mac OS X/Checkpoint VPN-1 Anyone using IPSecuritas/Mac OS X/Checkpoint VPN-1 by Jack sellers on 2006-02-28 01:53:42 +0100
I was told by someone at Checkpoint that IPSecuritas works connecting a Mac running Panther or Tiger to a network running CheckPoint VPN-1. Is there anyone out there who can help me?
Re: Anyone using IPSecuritas/Mac OS X/Checkpoint V by Rolf Schmerder on 2006-03-05 17:43:11 +0100
Hi Jack! Yes - it can...or should I say ...under certain circumstances? I had a connection running from my IBook with Tiger 10.4.x to our company LAN beeing protected by CP-VPN-1 NGX. Unfortunately right now after an update (my IBook to 10.4.5 it doesn' t work anymore. But I could give you my config screenshots if you give me your email address. Greets Rolf, Hamburg - Northern Germany
Re: Anyone using IPSecuritas/Mac OS X/Checkpoint V by Paul Donovan on 2006-03-05 18:55:30 +0100
I'm unable to get IPSecuritas 2.1 to connect to a CheckPoint VPN-1 network either. I'm running 10.4.5. I can connect successfully using the demo of VPN Tracker 4.6 but the demo has an extremely annoying 3 minute timeout so I downloaded IPSecuritas. I've only been using VPN since yesterday so I'm new to all this! If you could give me the settings that used to work I can try those and see if I can get anywhere. I have a Mac mini still running 10.4.4 that I can test on too. Thanks a lot, Paul (paul at donovansbrain dot co dot uk)
10.4.5 giveth, Security 2006-001 taketh away 10.4.5 giveth, Security 2006-001 taketh away by Lawrence Bean on 2006-03-02 17:12:55 +0100
Saw IPSec listed in this Security Update released today by Apple, so I cloned to a non-critical machine and tested. Same issue as with 10.4.4, but worse. The NAT work-around works, so if your client running IPSecuritas is behind a natted device and running in the 10.x.x.x, 192.x.x.x, or 172.x.x.x ranges it works. In the 10.4.4 trouble with a public address, I could get general internet but could not ping/connect to the private network. Now in 10.4.5 with Security Update 2006-001 applied and "Replace DNS ..." checkmarked, in addition to not being able to ping/connect to the private network, I cannot get general internet services. Additional info: The client shows a green checkmark, and the IPCop firewall shows an open connection with the client. It appears I can ping public IPs by IP address. It appears I can lookup FQDNs and get their IP addresses. I cannot ping the FQDN, though, and it times out with "could not resolve host". I cannot ping the private network by IPAddress or FQDN, neither on the inside private addresses, nor on the outside public address(es). I cannot get any http, https, ftp, or ssh connections by FQDN. I can get ftp and ssh by IPAddress. I seem to begin to load a web page by IPAddress, i.e. I get the name of the page in the browser header, but loading stalls before the page renders and I get a "You are not connected to the Internet" error. If I go to IPSecuritas Preferences and uncheck "Replace DNS ...", this solves all the general internet trouble and web, ftp, ssh are all back to normal, but still no ping to private network on the inside or the outside addresses. I'd be happy to provide any further info and run any further tests that the Lobotomo team would like, including alphas and betas. Just ask.
Connection lost with SonicWall PRO 230 Connection lost with SonicWall PRO 230
by Yves Forget on 2006-03-05 18:04:54 +0100
Hello everyone, I'm using IPSecuritas to connect to a SonicWall PRO 230 firewall/VPN Server. It *does* work, but I lose the VPN connection every 10 minutes or so. I have a Linksys BEFSR41 router on the client side, I don't know if it's part of the problem. When I use VPN Tracker 3 as the VPN Client it works fine. (on the same Mac, connecting to the same server)
Re: Connection lost with SonicWall PRO 230 by Yves Forget on 2006-03-05 18:07:32 +0100
I'm on a PowerMac G5 with Mac OS X 10.4.5 Did anyone experience something similar ? Thanks ! yves
Re: Connection lost with SonicWall PRO 230 by Tom Komadowski on 2006-06-07 20:00:17 +0200
It's dropping you because of the dead peer detection. turn that off on the client and on the sonicwall and you will be fine.
Re: Connection lost with SonicWall PRO 230 by yves_kayak on 2006-10-07 04:40:15 +0200
Hi everyone, A couple of months after posting this question, we found the problem ! I connect to work using the VPN. Many of my work colleagues have routers too, and local IP addresses set the router's DHCP are often the same : 192.168.1.100 If someone is connected with that address and someone else comes it with the same (local) IP address, the user that was logged on is kicked out. Those who don't have a router are connecting with their Internet IP address, which is obviously unique, so the problem only happens for people having routers (or a really messy configuration...) In a small business, users can manage to use different local IP addresses (easily set on your router's config). Our VPN server (SonicWall Pro 230) can be set to provide DHCP addresses to users of the VPN, but see my post regarding that one.... Hope this may help, Yves Forget
IPSecuritas to IPSecuritas in a server config? IPSecuritas to IPSecuritas in a server config? by Matt Warren on 2006-03-08 22:40:47 +0100
This seems like it should be obvious, but I've yet to find docs or info on it. I'd like to set up a host to network vpn with IPSecuritas at both ends. Is this possible? I'm looking to get access to my home network from various public locations. I assume the client is setup as Host to Network. But what's a proper setup for the "server" end of things? And what ports would I forward on the home network's router? I've found all kinds of info on connecting to other devices, but little to none on connecting to IPSecuritas its self.
Intel Mac minor problem Intel Mac minor problem by jmaynard on 2006-03-10 15:34:34 +0100
I've got a shiny new MacBook Pro. IPSecuritas runs and VPNs, but there's one minor problem: the status icon next to the connection name is always blank, making it somewhat difficult to tell if the VPN link is actually up. I suspect this is just a matter of building a universal binary. Any idea when that might happen?
Netgear DG834GB Linksys RV082 by Rainer Kormann on 2006-06-27 22:13:09 +0200
Hi, anyone ever connected IPSecuritas with an Linksys RV082 VPN Router? I am trying for days now... Any help would be great!!! Thanks in advance, Rainer.
Re: IPSecuritas -> Linksys RV082 by incognito on 2006-07-19 18:39:52 +0200
I have a Linksys RV016 and can't get it to work either. In my logs, it shows this: Jul 19 00:29:30 2006 VPN Log Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x53713ffa (perhaps this is a duplicated packet) Jul 19 00:29:10 2006 VPN Log Cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24==="ip address" [
[email protected]]...1.2.10.12[
[email protected]]===192.168.1.101/32 Jul 19 00:29:10 2006 VPN Log [Tunnel Negotiation Info] 216.194.197.194[4500] Jul 24, 18:58:23 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Jul 24, 18:58:23 Info IKE Adding remote and local NAT-D payloads. Jul 24, 18:58:23 Info IKE Hashing 216.194.197.194[4500] with algo #2 Jul 24, 18:58:23 Info IKE Hashing 10.0.0.4[4500] with algo #2 Jul 24, 18:58:23 Info IKE ISAKMP-SA established 10.0.0.4[4500]-216.194.197.194[4500] spi:668d5adfd265129f:fe2028ac928b6eda Jul 24, 18:58:24 Info IKE initiate new phase 2 negotiation: 10.0.0.4[4500]216.194.197.194[4500] Jul 24, 18:58:24 Info IKE NAT detected -> UDP encapsulation (ENC_MODE 1->3). Jul 24, 18:58:24 Info IKE Adjusting my encmode UDP-Tunnel->Tunnel Jul 24, 18:58:24 Info IKE Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1) Jul 24, 18:58:24 Info IKE IPsec-SA established: ESP/Tunnel 216.194.197.194[4500]->10.0.0.4[4500] spi=134320294(0x80190a6) Jul 24, 18:58:24 Info IKE IPsec-SA established: ESP/Tunnel 10.0.0.4[4500]->216.194.197.194[4500] spi=960951546(0x3946f4fa)
Re: IPSecuritas 3.0 Public Beta releasedI am by AaronA1975 on 2006-10-27 18:17:57 +0200
I am completely unable to get split DNS to work in 3.0b14. Are there any troubleshooting steps I can try or is there any way to help you fix this problem?
Re: IPSecuritas 3.0 Public Beta released by kramericafsu on 2006-11-09 05:11:48 +0100
Has there been any headway with configuring the Symantec Gateway 320? I have hit a road block!
Zyxel P-334WT anc IPSecuritas 3.0b5 Zyxel P-334WT anc IPSecuritas 3.0b5 by Thomas Thaler on 2006-07-10 23:47:23 +0200
Does anyone have sucssesfully setup IPSecuritas and a Zyxel P-334WT Firewall to setup a IPSec tunnel? It's hard to find out what on one side does compare to the same function on the otherside. If needed, I can provide snapshots of the Zyxel Settings. Best regards for anyones help Greetings from Switzerland Thomas Thaler
Where is HMAC 3.0b6 Where is HMAC 3.0b6 by LittleDan on 2006-07-12 16:41:28 +0200
I have installed 3.0b6 and it keeps failing on Phase 2 with "No Proposal is Chosen". I thought maybe it had something to do with HMAC not being under authentication in the Phase 2 config optiosn. Anyone have any suggestions? Mac OS X 10.4.7 w/ SonicWall PRO 200 using XAUTH Note: XAUTH is passing on the router log.
Re: Where is HMAC 3.0b6 by LittleDan on 2006-07-12 18:44:48 +0200
Made a good connection now what? Forgive me ignorance this is my first mac since the IIe days, I have since been a windows guy.
Log errors when trying to connect to home
Log errors when trying to connect to home by CdtDelta on 2006-07-14 18:35:28 +0200
Hey all, I've been using IPSecuritas for a while with my smoothwall firewall. It worked fine with version 2.x, but I'm having some issues with 3.0b5 (and I just tried it with b6 as well). I'm not sure if it's a configuration issue on my part or not. I've gotten it where it shows I'm connected to my home network. And I can see on my firewall that the connection has been established. However, if I try to ping any machines on my local network, I notice this error pop up: "the length in the isakmp header is too big" For each ping packet I send out. Now it is possible that the network I'm on right now is part of the problem. Because this worked a couple of days ago no problem at a hotel I was at. However I was back at the same hotel last night and I had the issue I have now. I can get connected, but not access anything on my home network. So I'm looking for suggestions on where to look (I'm not entirely sure if all my settings are correct). Thanks ahead of time....
Re: Log errors when trying to connect to home by cnadig on 2006-07-14 21:45:40 +0200
Hello, this look like a problem with NAT-T - is it enabled in your configuration (if it is, please try disabling it, if it isn't, please try enabling or even forcing it [Options tab]) Hope this helps, Christoph
IPsecuritas, Parallels and Internet Sharing IPsecuritas, Parallels and Internet Sharing by msolsona on 2006-07-16 01:13:29 +0200
I am having problems connecting to my company intranet using IP securitas from the Parallels virtual Machine (XP). Has anybody had this working? IPsecuritas 3.0b6 installed and running in 10.4.7(Intel) Airport connection to the world Internet sharing from Airport to the Parallels interface (en2) Parallels is connecting properly to the Internet (yahoo, google, etc) but it cannot reach the Intranet. Has anybody got it work? Doing TCPdump on en1 (Airport, external interface) of Macbook, I do see UDP-encap packets going out and coming back from GW. But they are not reaching the virtual machine. marc
Netgear FVS318v3 Netgear FVS318v3 by jscooper on 2006-07-22 20:46:05 +0200
Hi folks, I've seen a bunch of postings about this, but no solutions. Does anyone have the settings to get a working tunnel from a remote machine (roaming user/dynamic IP) to a FVS318v3? Thanks! Jeff ps - Cool app, go it working with a couple of different VPNs (just not the netgear so far).
Re: Netgear FVS318v3 by jscooper on 2006-07-26 04:22:30 +0200
Update: I was able to get it working, but I had it in a test environment: I made a subnet for the router and had it's "WAN" be the main router of my LAN (a dlink wireless). I was able to establish a VPN (green arrow and ping) the netgear from a laptop wirelessly connected to the dlink. I thought I was set until I put the netgear to use as a real router/gateway (WAN->LAN). It's working fine as a gateway; traffic can get out. But, when I try to establish a VPN to it from a different location (using the exact same settings), it gets hung up on Phase 2. Below is the client log (actual WAN IP replaced by x.x.x.x). It keeps trying to "initiate new phase 2 negotiation": Jul 25, 14:31:50 Info APP IKE daemon started Jul 25, 14:31:50 Info APP IPSec started Jul 25, 14:31:50 Info IKE Foreground mode. Jul 25, 14:31:50 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jul 25, 14:31:50 Info IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005 (http://www.openssl.org/) Jul 25, 14:31:50 Info IKE Resize address pool from 0 to 255 Jul 25, 14:31:50 Info IKE 192.168.22.21[4500] used as isakmp port (fd=6) Jul 25, 14:31:50 Info IKE 192.168.22.21[500] used as isakmp port (fd=7) Jul 25, 14:31:51 Info IKE IPsec-SA request for x.x.x.x queued due to no phase1 found. Jul 25, 14:31:51 Info IKE initiate new phase 1 negotiation: 192.168.22.21[500]x.x.x.x[500] Jul 25, 14:31:51 Info IKE begin Aggressive mode. Jul 25, 14:31:54 Info IKE ISAKMP-SA established 192.168.22.21[500]-x.x.x.x[500] spi:3238789ff58aba9f:9b586d8ffd398608 Jul 25, 14:31:55 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]x.x.x.x[500] Jul 25, 14:32:07 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]x.x.x.x[500] Jul 25, 14:32:19 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]x.x.x.x[500] Jul 25, 14:32:25 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait. Jul 25, 14:32:37 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]x.x.x.x[500] Jul 25, 14:32:37 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait. Jul 25, 14:32:49 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]x.x.x.x[500] Jul 25, 14:32:49 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait. Jul 25, 14:33:01 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]x.x.x.x[500] Jul 25, 14:33:07 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait. Jul 25, 14:33:19 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]x.x.x.x[500] Jul 25, 14:33:19 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait. Jul 25, 14:33:31 Info IKE initiate new phase 2 negotiation: 192.168.22.21[500]x.x.x.x[500] Jul 25, 14:33:31 Error IKE x.x.x.x give up to get IPsec-SA due to time up to wait.
Re: Netgear FVS318v12 by bradisa on 2006-07-31 09:04:16 +0200
Got it working with the following settings: Please note that I do not need to browse the Mac clients; I only needed them to access a server behind the FVS318. I have not attempted to access the macs, so you'll have to test it out: [b][u]ON THE FVS318[/u][/b] Local IPSec Identifier: 10.0.3.1 {local IP address of FVS318} Remote IPSec Identifier: 192.168.1.2 {local IP address of Mac} Tunnel can be accessed from: any local address Tunnel can access: a subnet of remote addresses Remote LAN start IP Address: 192.168.1.2 {local IP address of Mac} Remote LAN IP Subnetmask: 255.255.255.0 {subnet of Mac} Remote WAN IP or FQDN: xxxxx.dyndns.info {for dynamic ip of Mac; using Dynamic DNS Host service} Secure Association: Main Mode Perfect Forward Secrecy: Enabled Encryption Protocol: 3DES PreShared Key: AnyKeyY0uCh00se Key Life: 28800 Seconds IKE Life Time: 28800 Seconds Netbios: Enabled [b][u]On the Mac using IPSecuritas[/u][/b] [b][i]General[/i][/b] Remote IPSec Device: XXXXXXXX.com {FQDN or Dynamic Host Service} Local Side: Endpoint Mode: Network Network Address: 192.168.1.1 {local IP address of router for Mac} Remote Side: Endpoint Mode: Network Network Address: 10.0.3.0 [b][i]Phase 1[/i][/b] Lifetime: 2880 Seconds DH Group: 1024(2) Encryption: 3DES Authentication: SHA1 Exchange Mode: Main Proposal Check: Obey Nonce Size: 16 [b][i]Phase 2[/i][/b] Lifetime: 28800 Seconds PFS Group: 1024(2) Encryption: {Check box for 3DES ONLY} Authentication: {Check box for SHA1 ONLY} [b][i]ID[/i][/b] Local Identifier: Address Remote Identifier: Address Authentication Method: Preshared Key Preshared Key: AnyKeyY0uCh00se {of course must match entry on FVS318} [b][i]Options[/i][/b] Check boxes for: IPSec DOI SIT_IDENTITY_ONLY Verify Identifier Initial Contact If anyone viewing this sees any serious flaws in this configuration, please post
Re: Netgear FVS318v3 by bradisa on 2006-07-31 17:48:14 +0200
FYI, Here are the log files: [b][i]IPSecuritas:[/i][/b] IPSecuritas 3.0b6 build 534, Tue Jul 11 22:00:26 CEST 2006, nadig Darwin 8.4.0 Darwin Kernel Version 8.4.0: Tue Jan 3 18:22:10 PST 2006; root:xnu-792.6.56.obj~1/RELEASE_PPC Power Macintosh Jul 31, 08:09:04 Info APP IKE daemon started Jul 31, 08:09:04 Info APP IPSec started Jul 31, 08:09:04 Error IKE Foreground mode. Jul 31, 08:09:04 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jul 31, 08:09:04 Info IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005 (http://www.openssl.org/) Jul 31, 08:09:04 Info IKE Resize address pool from 0 to 255 Jul 31, 08:09:04 Info IKE 192.168.1.2[4500] used as isakmp port (fd=6) Jul 31, 08:09:04 Info IKE 192.168.1.2[500] used as isakmp port (fd=7) Jul 31, 08:09:05 Info IKE IPsec-SA request for x.x.x.x queued due to no phase1 found. Jul 31, 08:09:05 Info IKE initiate new phase 1 negotiation: 192.168.1.2[500]x.x.x.x[500] Jul 31, 08:09:05 Info IKE begin Identity Protection mode. Jul 31, 08:09:08 Info IKE ISAKMP-SA established 192.168.1.2[500]-x.x.x.x[500] spi:xxxxx:xxxxxx Jul 31, 08:09:09 Info IKE initiate new phase 2 negotiation: 192.168.1.2[500]x.x.x.x[500] Jul 31, 08:09:12 Info IKE IPsec-SA established: ESP/Tunnel x.x.x.x[0]->192.168.1.2[0] spi=xxxxx Jul 31, 08:09:12 Info IKE IPsec-SA established: ESP/Tunnel 192.168.1.2[0]->x.x.x.x[0] spi=xxxxxx [b][i]Netgear FVS318:[/i][/b] Mon, 07/31/2006 07:08:51 - xxxxx IPsec:Receive Packet address:0x1807194 from x.x.x.x Mon, 07/31/2006 07:08:51 - xxxx IPsec:main_inI1_outR1() Mon, 07/31/2006 07:08:51 - xxxxx IKE: Peer Initialized IKE Main Mode Mon, 07/31/2006 07:08:51 - xxxxx IKE:[Mac] RX > MM_R1 : x.x.x.x Mon, 07/31/2006 07:08:51 - xxxxx IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #32 Mon, 07/31/2006 07:08:51 - xxxxx IPsec:Receive Packet address:0x1807194 from x.x.x.x Mon, 07/31/2006 07:08:51 - xxx IPsec:main_inI2_outR2() Mon, 07/31/2006 07:08:51 - xxxxx IKE:[Mac] RX > MM_R2 : x.x.x.x Mon, 07/31/2006 07:08:51 - xxxx IPsec:inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #32 Mon, 07/31/2006 07:08:53 - xxxxx IPsec:Receive Packet address:0x1807194 from x.x.x.x Mon, 07/31/2006 07:08:53 - xxxxx IPsec:main_inI3_outR3() Mon, 07/31/2006 07:08:53 - xxxxx IKE:[Mac] RX so I was wondering if IPCOP may be the one(s) that tricks me. again I don't know. @ home or others oFFices, as soon as I'm connected it's just OK in a bunch of seconds and I can see any of all the computers on the remote networks (via apple Remotedesktop and or finder). And here just nothing happens. So if anyone has any idea, I'll be glad to read it ;) Cause right I have to launch Apple remote desktop on the Macpro, then remote connect to my "home" server, them from here start IPSECURITAS and launch remote desktop and from there I can see what I want. but it's just not very simple nor handy (it works but... U know I just want to get it from here the Office I'm talking about). Office1->remotedesktop->Server->IPSEC+remotedesktop->Target Office(s) pfff many connections.
Hope I was clear enough and pardon my Bad english. IPsecuritas 3 is just what I wanted and saved me some applescript coding to switch settings ;), it just rocks....
IPSecuritas works /w Check Point VPN-1 NGX (R65) IPSecuritas works /w Check Point VPN-1 NGX (R65) by dantro on 2007-04-24 14:03:43 +0200
Hi, after struggling with the software a bit I finally got IPSecuritas 3.0 rc working with our Check Point VPN-1 NGX (R65) firewall. Respect to the Lobotomo dev team. Now we are not limited anymore to Check Point's aged SecureClient R65 for OSX. It always slowed down our hosts once installed. Best regards, Danny Trommer CCSA/CCSE/CCSE+
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by skyb on 2007-05-21 13:36:56 +0200
Hi Danny, currently I have problems to connect with our Checkpoint, too. I would be great if you could tell me how it worked for you. Christoph
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by Mr.Bove on 2007-10-22 19:28:09 +0200
[quote author=dantro link=1177416223/0#0 date=1177416223]Hi, after struggling with the software a bit I finally got IPSecuritas 3.0 rc working with our Check Point VPN-1 NGX (R65) firewall. Respect to the Lobotomo dev team. Now we are not limited anymore to Check Point's aged SecureClient R65 for OSX. It always slowed down our hosts once installed. Best regards, Danny Trommer CCSA/CCSE/CCSE+[/quote] I'm new to the MAC world, I would really like to know how to configure the IP Securitas client to work with Checkpoint VPN-1 NGX. Without revealing too much info can you send me what you did?
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by pstouffer on 2007-11-02 22:06:02 +0100
trying to get IPSecuritas to talk to Checkpoint VPN-1. Has anyone gotten this to work and if so what settings needed to be changed from the wizard settings. Pete
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by asnow_hk on 2007-11-17 06:22:55 +0100
I am also trying to get this to work, but have not been able to. In my CheckPoint setup I have the following: Authentication: Scheme: SecurID User name: "Use Key FOB hard token" Profile: Advanced: "Office Mode" Once connected I have the following in the Status: Office Mode IP: 10.88.8.xxx (can I assume that the network is 10.88.8.0/24) So essentially I use my username, password and tokencode to log in. I've not noticed any tokencode prompt in IPSecuritas. Is there one!? Is it possible for someone to help me please? I'd like to know how to translate this seemingly simple setup into an IPSecuritas Connection.
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by mangus on 2007-11-18 18:13:59 +0100
I have had both success and failures trying to connect to our Checkpoint VPN-1 Firewall using the Wizard set up. Once I achieved success connecting I thought my troubles were over, but unfortunately this was not to be the case. Since the initial success I later had problems connecting with the same settings. Not knowing much about the technical aspects of VPN I decided to save a debug-log for the failed attempts and then compare them to a successful attempt. I just now managed to get a connection again, and here's my findings comparing the two log-files. Please note that just before achieving success again I had been connected to the firewall through the Checkpoint client inside of VMware Fusion. This may or may not be the key to success. I have still to verify this, when I'm back to failing. Anyhow... Here's what I can see when I compare the log-files: Just above the log-row that reads: "Initiated connection Checkpoint" I get a "msg 5 not interesting" in the successful attempt. Not so in the failed attempt. Later, after negotiations on encryption, hash and authentication seem to be finished, the log states: "Adding NON-ESP marker" and then the client sends 88 bytes of data. In the successful attempt the firewall responds with a 1652 bytes long message, while in the failed attempt only 76 bytes are received. After this, things seem to go really bad in the failed attempt, spawning messages like: "Short payload" and "mode config 6 from xxx.xxx.xxx.xxx[4500], but we have no ISAKMP-SA." As I said, I don't know anything about anything VPN, but maybe this could help somehow... (Update: Since finishing this post I was back to failing, so I launched VMware and connected with the Checkpoint client to see if this would help IPSecuritas, but it didn't. So WMware doesn't seem to have anything to do with success/failure rates.)
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by mmulin on 2007-12-11 12:45:45 +0100
Hey Guys, at least for the ones who get partial success, could you please publish your IPSecuritas settings? Am not trying to be smart here but, 1st, other's might be able to help better and for the ones, like me, who have no success at all, it might bring them on the right path.. Thanks
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by bugfish on 2007-12-13 00:35:19 +0100
Well, I upgraded to Leopard, which killed Secureclient. After some fiddling, I got IPSecuritas working with our Checkpoint setup at work, and since people are asking, here are all the settings I'm using. Of course some of these are probably sepecific to my place of employment. i usd the wizard and chose Checkpoint VPN-1, but i made a few changes. here are the settings from each tab. I HOPE THIS HELPS SOMEONE!
General: Remote IPSec Device: (our vpn ip at work) Local Side: Endpoint Mode: Host remote Side: Endpoint Mode: Anywhere Phase1: Lifetime: 10 minutes DH Group: 1024 (2) Encryption: 3DES Authentication: SHA-1 Exchange Mode: Main Proposal Check: Obey Nonce Size: 16 Phase 2: Lifetime: 10 minutes PFS Grpoup: 768 (1) Encryption: DES, 3DES, AES 256, AES 192, AES 128 (the rest are unchecked) Authentication: HMAC MD5, HMAC SHA-1 (the rest are unchecked) ID: Local Identifier: User FQDN (filled in with my user name at work) Remote Identifier: User FQDN (filled in with my user name at work) Authentication Method: XAuth RSA Username: (filled in with my user name at work) Password: (filled in with my current password at work) DNS: (all blank) Options: IPSec DOI, SIT_IDENTITY_ONLY, Initial Contact, Request Certificate, Send Certificate, Unique SAs, IKE Fragmentation NAT-T: Force Action after connection timeout: Retry immediately
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by mmulin on 2007-12-13 08:11:26 +0100
Thanks, that actually helped me too. I have one problem though. My routes are not locally updated as it would happen with SecureClient. I need to specify all 120 networks under the "remote networks" settings manually. Now, I wonder, if I use the same configuration and choose the "Anywhere" option it doesn't connect at all. Any thoughts there?
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by travelguy2500 on 2007-12-29 23:51:16 +0100
I followed all of bugfish's suggestions and it connects just fine (thanks!!) but I can't browse any web pages. I'm new to MAC (my first mac - have always been a pc person) and was wondering if anybody has any assist on how to get web pages to view.
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by bugfish on 2007-12-30 01:10:33 +0100
The inability to get to web pages with my setup is probably because I left the DNS settings all blank. I left mine blank because I don't need them for what I connect to work for (it's all IP address based). But if you know the DNS ip addresses at work and plug those in, you'll probably get the web back.
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by travelguy2500 on 2007-12-30 03:50:13 +0100
thanks for the prompt reply. tried adding in my local dns server ip addresses but still no luck. i'm getting the green light to show a connection but something isn't allowing me to get to any internet addresses. I tried to ping the dns server but that's coming back failed. any ideas?
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by macman365 on 2008-01-18 08:16:26 +0100
Based on the setting posted by bugfish (thanks!), I can now connect to my work VPN. I did specify "Anywhere" for the remote side endpoint and that does allow me to see every network on my office LAN. However, I need to access my local network at the same time (for printing), but if I set the local side endpoint mode to "Network" rather than "Host" the connection isn't even attempted. Below is the full "Debug" log when I try to connect: [font=Courier New]IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Jan 18, 07:12:09 Info APP IPSec authenticating Jan 18, 07:12:09 Info APP IKE daemon started Jan 18, 07:12:09 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER Jan 18, 07:12:09 Info APP IPSec started Jan 18, 07:12:09 Warning IKE Foreground mode. Jan 18, 07:12:09 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jan 18, 07:12:09 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jan 18, 07:12:09 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jan 18, 07:12:09 Info IKE Resize address pool from 0 to 255 Jan 18, 07:12:09 Debug IKE parse successed. Jan 18, 07:12:09 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management. Jan 18, 07:12:09 Debug IKE my interface: fe80::1%lo0 (lo0) Jan 18, 07:12:09 Debug IKE my interface: 127.0.0.1 (lo0) Jan 18, 07:12:09 Debug IKE my interface: ::1 (lo0) Jan 18, 07:12:09 Debug IKE my interface: 172.16.1.14 (en1) Jan 18, 07:12:09 Debug IKE my interface: fe80::21c:42ff:fe00:0%en2 (en2) Jan 18, 07:12:09 Debug IKE my interface: 10.37.129.2 (en2) Jan 18, 07:12:09 Debug IKE my interface: fe80::21c:42ff:fe00:1%en3 (en3) Jan 18, 07:12:09 Debug IKE my interface: 10.211.55.2 (en3) Jan 18, 07:12:09 Debug IKE configuring default isakmp port. Jan 18, 07:12:09 Debug IKE 8 addrs are configured successfully Jan 18, 07:12:09 Info IKE 10.211.55.2[500] used as isakmp port (fd=6) Jan 18, 07:12:09 Info IKE fe80::21c:42ff:fe00:1%en3[500] used as isakmp port (fd=7) Jan 18, 07:12:09 Info IKE 10.37.129.2[500] used as isakmp port (fd=8) Jan 18, 07:12:09 Info IKE fe80::21c:42ff:fe00:0%en2[500] used as isakmp port (fd=9) Jan 18, 07:12:09 Info IKE 172.16.1.14[500] used as isakmp port (fd=10) Jan 18, 07:12:09 Info IKE ::1[500] used as isakmp port (fd=11) Jan 18, 07:12:09 Info IKE 127.0.0.1[500] used as isakmp port (fd=12) Jan 18, 07:12:09 Info IKE fe80::1%lo0[500] used as isakmp port (fd=13) Jan 18, 07:12:09 Debug IKE get pfkey X_SPDDUMP message Jan 18, 07:12:09 Debug IKE 02120200 02000000 00000000 b50c0000 Jan 18, 07:12:09 Debug IKE pfkey X_SPDDUMP failed: No such file or directory [/font] The last line of the log appears to be the real clue. What file or directory is it looking for?
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by brantwinter on 2008-01-20 14:05:27 +0100
I am having the same issue. My VPN ( IPSecuritas -> Draytek 2800 ) was working fine yesterday, but today keeps failing with error: pfkey X_SPDDUMP failed: No such file or directory Funny thing is, I have another profile in IPSecuritas set up that goes off to a different VPN endpoint that continues to work fine. I have used Frameseer to look at the outgoing traffic on both setups, the one that works does a DNS lookup first, the failing VPN configuration sends NO traffic out the interface at all. Just out of interest, my psk.txt file in: /Library/Application Support/Lobotomo Software/IPSecuritas/ is empty... Obviously psk.txt gets overwritten each time the vm config loads. When I use the vpn config for my working vpn I have entries in the psk.txt file. In my non-working vpn setup, the psk.txt remains empty. WTF????? As I said previousy, this same vpn config worked fine yesterday....
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by macman365 on 2008-01-22 16:45:12 +0100
I've found this thread on another forum: http://ubuntuforums.org/showthread.php?t=441078 Does this help anyone more knowledgeable than me...?
Re: IPSecuritas works /w Check Point VPN-1 NGX (R6 by gajos on 2008-01-29 22:50:39 +0100
Hi, my first time here. I need to connect to CheckPoint Safe@Office but using Checkpoint VPN client under Tiger was really problematic (if connection was successful then I had connection only to LAN without Internet), now I have Leopard and Checkpoint won't install. IPSecuritas 3.1 still doesn't connect. I tried to configure connection as [b]bugfish[/b] suggested previously but still nothing. Here is log: Jan 29, 20:50:56 Info APP IPSec authenticating Jan 29, 20:50:56 Info APP IKE daemon started Jan 29, 20:50:56 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER Jan 29, 20:50:56 Info APP IPSec started Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting Jan 29, 20:50:56 Debug APP Received SADB message type X_SPDUPDATE - not interesting Jan 29, 20:50:56 Error IKE Foreground mode. Jan 29, 20:50:56 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jan 29, 20:50:56 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jan 29, 20:50:56 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jan 29, 20:50:56 Info IKE Resize address pool from 0 to 255 Jan 29, 20:50:56 Debug IKE lifetime = 600 Jan 29, 20:50:56 Debug IKE lifebyte = 0 Jan 29, 20:50:56 Debug IKE encklen=0 Jan 29, 20:50:56 Debug IKE p:1 t:1 Jan 29, 20:50:56 Debug IKE 3DES-CBC(5) Jan 29, 20:50:56 Debug IKE SHA(2) Jan 29, 20:50:56 Debug IKE 1024-bit MODP group(2) Jan 29, 20:50:56 Debug IKE Hybrid RSA client(64221) Jan 29, 20:50:56 Debug IKE compression algorithm can not be checked because sadb message doesn't support it. Jan 29, 20:50:56 Debug IKE parse successed. Jan 29, 20:50:56 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management. Jan 29, 20:50:56 Info IKE 192.168.1.2[4500] used as isakmp port (fd=6) Jan 29, 20:50:56 Info IKE 192.168.1.2[500] used as isakmp port (fd=7) Jan 29, 20:50:56 Debug IKE get pfkey X_SPDDUMP message Jan 29, 20:50:56 Debug IKE 02120000 0f000200 05000000 720f0000 03000500 ff000000 10020000 00000000 Jan 29, 20:50:56 Debug IKE 00000000 00000000 03000600 ff200000 10020000 c0a80102 00000000 00000000 Jan 29, 20:50:56 Debug IKE 07001200 02000100 20000000 00000000 28003200 02035800 10020000 59ab6892 Jan 29, 20:50:56 Debug IKE 00000000 00000000 10020000 c0a80102
Problem with Fortinet Fortigate 50A Problem with Fortinet Fortigate 50A by mspr on 2007-04-27 13:16:54 +0200
Hello, I hope that you can help me... I have a problem with IPSecuritas 3.0 Release Candidate and my Fortinet Fortigate 50A I tried to configure a VPU with a preshared key and XAuth but every time I receive a notify message "fatal NO-PROPOSAL-CHOSEN, phase1 should be deleted" and I cannot start my VPN I tried to disable the XAuth procedure and the VPN seems to work fine (only Preshared key authentication) These are my VPN parameters: [b]IPSecuritas Preferences[/b] [URL=http://img63.imageshack.us/my.php?image=07uu0.jpg][IMG]http: //img63.imageshack.us/img63/3673/07uu0.th.jpg[/IMG][/URL] [b]Connections General[/b] [URL=http://img101.imageshack.us/my.php?image=01lr6.jpg][IMG]http: //img101.imageshack.us/img101/7812/01lr6.th.jpg[/IMG][/URL] [b]Connections Phase 1[/b] [URL=http://img230.imageshack.us/my.php?image=02xl5.jpg][IMG]http: //img230.imageshack.us/img230/3806/02xl5.th.jpg[/IMG][/URL] [b]Connections Phase 2[/b] [URL=http://img170.imageshack.us/my.php?image=03id8.jpg][IMG]http: //img170.imageshack.us/img170/4381/03id8.th.jpg[/IMG][/URL] [b]Connections ID[/b] [URL=http://img230.imageshack.us/my.php?image=04sp3.jpg][IMG]http: //img230.imageshack.us/img230/157/04sp3.th.jpg[/IMG][/URL] I tried to insert Username/Psswd directly in this panel but I received the same message error If possible I would like that IPSecuritas asks me the Username/Psswd on VPN login [b]Connections DNS[/b] [URL=http://img145.imageshack.us/my.php?image=05qs1.jpg][IMG]http: //img145.imageshack.us/img145/7426/05qs1.th.jpg[/IMG][/URL] [b]Connections Options[/b] [URL=http://img291.imageshack.us/my.php?image=06ho1.jpg][IMG]http: //img291.imageshack.us/img291/8168/06ho1.th.jpg[/IMG][/URL] [b]This is the log:[/b] IPSecuritas 3.0rc build 1040 Info APP IKE daemon started Info APP IPSec started Error IKE Foreground mode. Info IKE @(#)ipsec-tools CVS (http://ipsec-tools.sourceforge.net) Info IKE @(#)This product linked OpenSSL 0.9.7i 14 Oct 2005 (http://www.openssl.org/) Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Info IKE Resize address pool from 0 to 255 Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted. Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted. Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP My server IP XXX.XXX.XXX.XXX[500]-> My computer IP 192.168.XXX.XXX[500]
Re: Problem with Fortinet Fortigate 50A by Forum Admin on 2007-04-27 15:53:06 +0200
Hi, have you tried 'Hybrid' instead of XAUTH PSK? Christoph
Re: Problem with Fortinet Fortigate 50A by mspr on 2007-04-27 16:01:35 +0200
[quote author=Forum Admin link=1177672614/0#1 date=1177681986]Hi, have you tried 'Hybrid' instead of XAUTH PSK? Christoph[/quote] Hi, yes I tried to set "Hybrid" instead of XAuth but it doesn't work
Re: Problem with Fortinet Fortigate 50A by Forum Admin on 2007-04-27 18:10:49 +0200
Hi again, could you please provide logs with log level set to 'Verbose'? Thanks alot, Christoph
Re: Problem with Fortinet Fortigate 50A by mspr on 2007-05-03 11:27:52 +0200
[quote author=Forum Admin link=1177672614/0#3 date=1177690249]Hi again, could you please provide logs with log level set to 'Verbose'? Thanks alot, Christoph[/quote] Hi, Christoph, I sent you by email the logs (XAuth and Hybrid) Thank you
VPN Case Study.com has solution for VPN Client VPN Case Study.com has solution for VPN Client by jmizoguchi on 2007-05-03 18:59:04 +0200
I have two new documents using FVS124G
IPSecuritas 3 (Mac OS X) using Prosafe VPN/Firewall Router FVS124G VPN Tracker 4 (Mac OS X) using Prosafe VPN/Firewall Router FVS124G http://vpncasestudy.com/casestudy/others/casestudy.html www.vpncasestudy.com If these docuemens help you. please e-mail me at
[email protected] for your testimonials
Dynamic dns as host Dynamic dns as host by omega_red on 2007-05-04 13:01:09 +0200
when i set my dynamic dns hostname in the Remote IPSec Device field i cannot connect to my ZyWALL 5 UTM but when i enter my remote ip(witch changes every day) it works. im using the beta client thanks!
ping to remote site impossible ping to remote site impossible by Joe on 2007-05-05 14:38:11 +0200
I have installed ipsecuritas 3.0rc3 for the first time on my Macbook Pro (OS X 10.4.9). First of all: very nice and helpful tool !! I established a connection to my remote site without problems, the light shows 'green' and the router log tells me: ...connection established.... My problem: i am not able to ping any host at the remote site ? Trying it with the exact same settings in a windows box (parallels session with win xp on the same Mcbook) is working without any problems! How can i manage this on the Mac OS site ?
Re: ping to remote site impossible by Joe on 2007-05-05 16:17:35 +0200
Followup (is this the correct engl. expression ? sorry for my bad english): if i take a look at my if-settings and routing tables i'm really wondering about, that there are no settings at all for the established vpn connection ?! After that, i tried this: # ifconfig gif0 172.16.0.10 192.168.23.0 netmask 255.255.255.0 # route add 192.168.23.0 172.16.0.10 # ping 192.168.23.200 PING 192.168.23.200 (192.168.23.200): 56 data bytes 64 bytes from 192.168.23.200: icmp_seq=0 ttl=126 time=57.507 ms 64 bytes from 192.168.23.200: icmp_seq=1 ttl=126 time=56.945 ms ... So, now it works. My question is now: do i have to do it by hand with IPSecuritas after establishing a connection, or are there any automatisms which i can use for that?
Endpoint mode: anywhere still not work in 3.0rc3 Endpoint mode: anywhere still not work in 3.0rc3 by Keen on 2007-05-05 21:34:06 +0200
Last log messages: May 05, 23:20:22 Debug May 05, 23:20:22 Debug May 05, 23:20:22 Debug directory
IKE get pfkey X_SPDDUMP message IKE 02120200 00020000 00000000 00003790 IKE pfkey X_SPDDUMP failed: No such file or
Re: Endpoint mode: anywhere still not work in 3.0r by nickl on 2007-05-11 04:31:51 +0200
I got it to work with my configuration by enabling the "Local IP in Remote Network" option.
Re: Endpoint mode: anywhere still not work in 3.0r by Forum Admin on 2007-05-12 11:26:25 +0200
Hello, thank you very much for this answer - I removed the necessity to enable this option for host to anwhere mode. Christoph
Phase 2 trouble Phase 2 trouble by ad_agent on 2007-05-16 03:01:27 +0200
When I initiate a connection, Phase 1 seems to complete but Phase 2 fails. Below is a relevant portion of the IPSecuritas log. Host is an iBook G4 running MacOS X 10.4.8. Testing is over Earthlink dialup as representative of service offered in many hotels. Network router is Netgear FVX538. Version of IPSecuritis is 3.0rc3. I would post my host and network settings gladly, but am not doing so now since I hope to get preliminary analysis of problem just posting log excerpts. LOG EXCERPTS (certain IP addresses redacted) May 15, 20:09:19 Debug IKE begin QUICK mode. May 15, 20:09:19 Info IKE initiate new phase 2 negotiation: 4.249.6.45[500]x.x.x.x[500] May 15, 20:09:19 Debug IKE compute IV for phase2 May 15, 20:09:19 Debug IKE phase1 last IV: May 15, 20:09:19 Debug IKE 5be42a2e 67590499 e50b77d1 May 15, 20:09:19 Debug IKE hash(sha1) May 15, 20:09:19 Debug IKE encryption(3des) May 15, 20:09:19 Debug IKE phase2 IV computed: May 15, 20:09:19 Debug IKE d1077c37 bd8058ce May 15, 20:09:19 Debug IKE call pfkey_send_getspi May 15, 20:09:19 Debug IKE pfkey GETSPI sent: ESP/Tunnel x.x.x.x[0]->4.249.6.45[0] May 15, 20:09:19 Debug IKE pfkey getspi sent. May 15, 20:09:19 Debug IKE get pfkey ACQUIRE message ............ May 15, 20:09:19 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00015180 May 15, 20:09:19 Debug IKE 00000000 00007080 00000000 00000000 00020012 00020200 0000000d 00000000 May 15, 20:09:19 Debug IKE ignore the acquire because ph2 found May 15, 20:09:19 Debug IKE get pfkey GETSPI message May 15, 20:09:19 Debug IKE 02010003 000a0000 00000012 00000134 00020001 0b9edf00 40060000 7f000001 May 15, 20:09:19 Debug IKE 00030005 ff200000 10020000 44a34441 00000000 00000000 00030006 ff200000 May 15, 20:09:19 Debug IKE 10020000 04f9062d 00000000 00000000 May 15, 20:09:19 Debug IKE pfkey GETSPI succeeded: ESP/Tunnel 68.163.68.65[0]->4.249.6.45[0] spi=194961152(0xb9edf00) May 15, 20:09:19 Debug IKE use local ID type IPv4_address May 15, 20:09:19 Debug IKE use remote ID type IPv4_subnet May 15, 20:09:19 Debug IKE IDci: May 15, 20:09:19 Debug IKE 01000000 c0a83202 May 15, 20:09:19 Debug IKE IDcr: May 15, 20:09:19 Debug IKE 04000000 c0a80100 ffffff00 May 15, 20:09:19 Debug IKE add payload of len 284, next type 10 May 15, 20:09:19 Debug IKE add payload of len 16, next type 5 May 15, 20:09:19 Debug IKE add payload of len 8, next type 5 May 15, 20:09:19 Debug IKE add payload of len 12, next type 0 May 15, 20:09:19 Debug IKE HASH with: ............ May 15, 20:09:19 Debug IKE hmac(hmac_sha1) May 15, 20:09:19 Debug IKE HASH computed: May 15, 20:09:19 Debug IKE add payload of len 20, next type 1 May 15, 20:09:19 Debug IKE begin encryption. May 15, 20:09:19 Debug IKE encryption(3des) May 15, 20:09:19 Debug IKE pad length = 8 ............... May 15, 20:09:19 Debug IKE 39bb3b63 ee17ccbd a4bcf648 0500000c 01000000 c0a83202 00000010 04000000 May 15, 20:09:19 Debug IKE c0a80100 ffffff00 104609a6 2903de07
NetScreen SSG5 NetScreen SSG5 by glancyguy on 2007-05-18 23:24:09 +0200
Hello, I downloaded the latest stable version of IPSecuritas today from the main site. I am trying to configure it for a NetScreen SSG5. This is a managed firewall/VPN device that I do not have access to. We have a windows client and corresponding policy file. Using the windows file, I believe I have reverse engineered the settings. I also downloaded "VPN Tracker" and configured it. It worked out of the box with our NetScreen. I copied the settings from the VPN Tracker into the IPSecuritas config screen. The only setting that did not map is the ID. The NetScreen uses an email address for local ID and the VPN Tracker software makes that specification. The IPSecuritas only allows for a DN. I am not sure if this makes a difference. I used a the email address in the DN field of the IP Securitas software. I enabled verbose logging. And tried to connect to the NetScreen. I am getting hung in Phase 1 and timing out. I have attached the log file to this message. I am hoping that someone can pull something out of the debug to help. I would much rather use this product than the VPN tracker. Here are interesting erors from the log:
May 18 16:07:56 darren-hochs-computer racoon: DEBUG: pfkey.c:210:pfkey_handler(): pfkey X_SPDDUMP failed: No such file or directory\n May 18 16:07:56 darren-hochs-computer racoon: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey REGISTER message\n May 18 16:07:56 darren-hochs-computer racoon: DEBUG: pfkey.c:234:pfkey_handler(): not supported command REGISTER\n May 18 16:07:56 darren-hochs-computer racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting\n May 18 16:07:56 darren-hochs-computer racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 1 not interesting\n May 18 16:07:56 darren-hochs-computer racoon: INFO: isakmp.c:2047:isakmp_post_acquire(): IPsec-SA request for 216.128.24.73 queued due to no phase1 found.\n May 18 16:07:56 darren-hochs-computer racoon: DEBUG: isakmp.c:1803:isakmp_ph1resend(): resend phase1 packet 75d194a46e9b155f:0000000000000000\n May 18 16:07:58 darren-hochs-computer racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 16 not interesting\n May 18 16:07:58 darren-hochs-computer racoon: DEBUG: grabmyaddr.c:340:update_myaddrs(): msg 15 not interesting\n May 18 16:08:16 darren-hochs-computer racoon: DEBUG: sockmisc.c:421:sendfromto(): sockname 192.168.1.105[50] May 18 16:08:27 darren-hochs-computer racoon: ERROR: isakmp.c:2139:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 216.128.24.73->192.168.1.105 \n May 18 16:08:27 darren-hochs-computer racoon: INFO:
Re: NetScreen SSG5 by Dave on 2007-05-19 17:17:26 +0200
I'm not sure if it will help but in the ID section of IPSecuritas, you can select FQDN which is basically an email address. Note that I'm using the RC3 version of 3.0; if you have 2.2, it might be called something else.
Fortigate 300A to optain DHCP on using IPSecuritas Fortigate 300A to optain DHCP on using IPSecuritas by lleung on 2007-05-23 12:53:45 +0200
Have anyone had problems with IPSecuritas getting a DHCP address from a Fortigate 300A (Firmware 3.00, Build0477,070126) ? I seem to have no problems getting the windows (Parallels VM) ipsec client (Forticlient) to connect and request an address from it's DHCP server. But no luck doing that natively. I can however get around this by defining a static address for the connection. But of course, that's messy when there are multiple users..
Re: Fortigate 300A to optain DHCP on using IPSecur by varruss on 2007-07-21 23:02:01 +0200
I figured this one out yesterday. :) You need a rule on the FG Inside--Your subnet--outside--all--DHCP---Encrypt. Leave the rule after your inside-outside-any rule. If you have any Fortigate questions don't hesitate ask.
Zyxel ZyWALL 35 Zyxel ZyWALL 35 by steffen on 2007-05-24 17:39:56 +0200
Hi All, it took some time to make IPSecuritas work with our ZyWALL 35. So I've decided to let you know a working configuration for both. - ZyWALL 35 firmware: V4.01(WZ.3) | 12/04/2006 - IPSecuritas 3.0rc - Mac OS X 10.4 The configuration works for dynamic client IP Adresses. You'll find the screenshots of the ZyWALL's web configuration utilitity and the IPSecuritas VPN client here: [url]http://www.semture.de/images/stories/external /ipsecutitas-screenshots.zip[/url]
Re: Zyxel ZyWALL 35 by nob on 2007-05-27 18:20:55 +0200
This looks good, but did not work for me. I get a Error, tried different other settings. But i canґt get it to work.... Error in IPSecuritas: inappropriate sadb aquire message passed Error in Zywall Log: Recv:[HASH][NOTFY:ERR_ID_INFO] IPSecuritas 3.0rc3 Zywall 5W, Firmware Version V4.01(XD.2) NAT in VPN-Rule is off.
Re: Zyxel ZyWALL 35 by steffen on 2007-05-27 22:14:07 +0200
Hi nob, the error indicates that you are using a different ID in IPSecuritas and the Zywall. First check the FQDN entries (or what ever you choose for identification/ID). Secondly even if you choose FQDN the adress ranges must match too. So compare the "Remote side" entry for "Network Adress" of IPSecuritas with the "Local Network" settings in the ZyWALL setup. Maybe you've translatet the Subnet mask to a wrong CIDR, if so have a look at [url]http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing[/url] for computing it.
Hope it helps Steffen
Re: Zyxel ZyWALL 35 by steffen on 2007-05-27 22:19:10 +0200
Hi all, I've noticed that if your Mac OS client is behind a firewall too, you have to switch the NAT-T to "Disabled" in IPSecuritas. You can (should?) leave NAT-Traversal in the Zywall enabled.
Support Apple Keychain Support Apple Keychain by dbertolo on 2007-05-25 09:04:25 +0200
Hi I am currently evaluating IPsec clients for Mac OS X. I came across IPSecuritas which I find is doing great and is probably my favorite. But unfortunately, one requirement is not met. Our new client should support the Apple Keychain to store the user certificates. Would be nice, if this feature will be implemented in the near future. Regards, Daniel Bertolo
Lost internet at VPN network... Lost internet at VPN network... by aklschnapps on 2007-05-25 20:17:41 +0200
I've run into an odd situation. - Macbook Pro on external wifi network. - Sonicwall Pro 2040 acting as firewall/dhcp/vpn for internal network. I can connect to my sonicwall 2040 with VPN Tracker without any problems. It took me a while to tweak the settings and get IPSecuritas to connect to the VPN. However, when it succeeds all of the computers on the internal network (connected to the sonicwall) lose their internet connection! As soon as I disconnect IPSecuritas from the VPN the internet connection resumes. Any thoughts? Anything I should do to test further? I've looked in the sonicwall logs but can't see anything odd after I've connected with IPSecuritas. Unfortunately I can't leave it connected for long periods to test, as it cuts off the entire office from the internet. Any help would be much appreciated! Here's my configuration in IPSecuritas: Host to Network Aggressive, Claim 16 Phase 1, Mod1024, 3DES, SHA1 Phase 2, None, 3DES, HMAC SHA1 Checked Options: IPSec DOI SIT_IDENTITY_ONLY Initial Contact MIP6 DHCP Pass-Through Establish IKE immediately
IPSecuritas and racoon IPSecuritas and racoon by lithium on 2007-05-30 13:46:23 +0200
Is there a reason for IPSecuritas to install and use another version of racoon? -r-xr-xr-x 1 root wheel 877932 Jan 3 08:38 /usr/sbin/racoon -rwxr-xr-x 1 root wheel 1232888 May 27 18:43 /Library/StartupItems /IPSecuritasDaemon/racoon
Re: IPSecuritas and racoon by cnadig on 2007-05-30 16:33:34 +0200
Hi, yes, the version of racoon included with MacOS doesn't support XAUTH and only offers limited, outdated NAT-T support as well as a few more things that are available with the racoon version that comes with IPSecuritas. Cheers, Christoph
Re: IPSecuritas and racoon by Athanyel on 2007-05-31 00:13:08 +0200
Does the version of racoon that ships with IPSecuritas support GSSAPI/Kerberos? This would be ideal for large IPsec deployments.
Re: IPSecuritas and racoon by cnadig on 2007-05-31 09:41:35 +0200
No, while there is support for it in the code, it is disabled. According to the documentation, it is very experimental and will most probably only work with very few firewalls. Christoph
Re: IPSecuritas and racoon by Athanyel on 2007-06-01 03:43:49 +0200
Well, for IPsec implementations in Transport mode (vs. Tunnel mode for VPNs and firewalls), Kerberos would be a huge benefit for large deployments. I'd love to see it long term. Thanks for all the great work on this!
Re: IPSecuritas and racoon by .guru on 2008-02-29 22:29:16 +0100
As racoon and the ipsec-tools are open source projects it would be great to see your modifications to the code. Is it possible to publish your MacOS X compatible version of racoon as sources? .guru
Sonicwall & X-AUTH Sonicwall & X-AUTH by mpgough on 2007-05-30 18:13:09 +0200
Hi, I have installed v3 today but am unable to connect to either of my two sites. Both Sonicwall TZ-170's which I can connect to fine using VPN Tracker but no IPSecuritas. I have tried configuring both connections using the wizard and also copying the config from VPN Tracker to IPSecuritas, also reducing my mtu to 1400 but no joy. I have attached the error Im getting but my suspision is its something to do with the handling of XAUTH?? IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386 May 30, 17:12:51 Info APP IKE daemon started May 30, 17:12:51 Info APP IPSec started May 30, 17:12:51 Error IKE Foreground mode. May 30, 17:12:51 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) May 30, 17:12:51 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) May 30, 17:12:51 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" May 30, 17:12:51 Info IKE Resize address pool from 0 to 255 May 30, 17:12:52 Info APP Initiated connection KP Couriers May 30, 17:12:52 Error IKE inappropriate sadb acquire message passed. May 30, 17:12:52 Warning IKE No ID match. May 30, 17:12:52 Info IKE couldn't find the proper pskey, try to get one by the peer's address. May 30, 17:12:53 Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted. May 30, 17:12:53 Error IKE Message: 'v No proposal is chosen'. May 30, 17:12:54 Info APP IPSec stopping May 30, 17:12:55 Info APP IKE daemon terminated
Re: Sonicwall & X-AUTH by TimothyFerrell on 2007-06-12 17:30:03 +0200
Make sure your phase 1 is set to aggressive mode. If that doesn't do anything for you, I'd try matching the settings from the post "Cannot connect to Sonicwall TZ170." I am getting the same error about no ID match even with copying his settings. Good luck.
losing settings... losing settings... by lithium on 2007-06-03 21:41:34 +0200
Every time when I make some changes to a connection in IPSecuritas 3.0 (e.g. Change phase 1 information) it seems that my configuration is lost. I don’t mean that my settings in the different menus are lost but whenever I start an IPSEC connection I get an error mentioning a missing key file. I understand the warning in the log because /Library/Application Support/Lobotomo/IPsecuritas/psk.txt is empty and Library/Application Support/Lobotomo/IPsecuritas/racoon.conf is missing some vital information about just about everything (there is something mentioning padding…and that is it). The only solution I found is killing the IPSecuritas daemon, removing everything from Library/Application Support/Lobotomo/IPsecuritas. After restarting IPSecuritas and setting up a new connection everything works fine…until I have the need to change some settings. Any ideas about this problem?
Quick mode to Windows Server 2003 fails! Quick mode to Windows Server 2003 fails! by Athanyel on 2007-06-06 00:09:38 +0200
Please see the topic "Using 3.0 to connect to Windows in transport mode" ([url]http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?board=IPSecuritas; action=display;num=1176493464[/url]) for a brief description of what I'm trying to do. The above worked in 3.0rc and 3.0rc3. In 3.0 Final, it's broken. The client completes the main mode, begins quick mode and immediately fails. Here's an excerpt from the connection log: [code]Jun 05, 09:57:43 Info IKE ISAKMP-SA established x.x.x.x[500]-y.y.y.y[500] spi:04a82d40810af54e:142c9e35ad31af0b Jun 05, 09:57:43 Debug IKE === Jun 05, 09:57:44 Debug IKE === Jun 05, 09:57:44 Debug IKE begin QUICK mode. Jun 05, 09:57:44 Info IKE initiate new phase 2 negotiation: x.x.x.x[500] y.y.y.y[500] Jun 05, 09:57:44 Debug IKE compute IV for phase2 Jun 05, 09:57:44 Debug IKE phase1 last IV: Jun 05, 09:57:44 Debug IKE 5699e40c ca453648 e41a1ab6 Jun 05, 09:57:44 Debug IKE hash(sha1) Jun 05, 09:57:44 Debug IKE encryption(3des) Jun 05, 09:57:44 Debug IKE phase2 IV computed: Jun 05, 09:57:44 Debug IKE 54bdd941 4c341df1 Jun 05, 09:57:44 Debug IKE call pfkey_send_getspi Jun 05, 09:57:44 Debug IKE pfkey GETSPI sent: ESP/Transport y.y.y.y[0]->x.x.x.x[0] Jun 05, 09:57:44 Debug IKE pfkey getspi sent. Jun 05, 09:57:44 Debug IKE get pfkey GETSPI message Jun 05, 09:57:44 Debug IKE 02010003 0a000000 01000000 07010000 02000100 0ae31793 00000000 00000000 Jun 05, 09:57:44 Debug IKE 03000500 ff200000 10020000 ac107c90 00000000 00000000 03000600 ff200000 Jun 05, 09:57:44 Debug IKE 10020000 803e5e12 00000000 00000000 Jun 05, 09:57:44 Debug IKE pfkey GETSPI succeeded: ESP/Transport y.y.y.y[0]->x.x.x.x[0] spi=182654867(0xae31793) Jun 05, 09:57:44 Debug IKE hmac(modp1024) Jun 05, 09:57:44 Debug IKE hmac(modp1024) Jun 05, 09:57:44 Debug IKE hmac(modp1024) Jun 05, 09:57:44 Debug IKE compute DH's private. Jun 05, 09:57:44 Debug IKE 4928d074 54d4d6e4 b2aa3856 9cc570c2 ca8aad46 3bbe69c1 80913006 43a81766 Jun 05, 09:57:44 Debug IKE b8d6c017 1d924020 cc701d58 8070c3eb 0d226a5c d422672a a8486b61 7f96ce81 Jun 05, 09:57:44 Debug IKE ac1e2050 06205d44 23ca1723 fc7926b2 5d9be4bf 15b8e4a2 f270e305 3684b9ee Jun 05, 09:57:44 Debug IKE 6e677469 c7df9a57 611a6837 b24e51e5 e4358ee1 5a8deac4 8dab7505 ca1822f9 Jun 05, 09:57:44 Debug IKE compute DH's public. Jun 05, 09:57:44 Debug IKE c3a4f9dc ffd616ca 650fcd03 1c7c1ad7 66cb5e88 b8694dc1 bb1ee61a bf521f56 Jun 05, 09:57:44 Debug IKE 418313d7 2073a766 f12b36ca 31274310 be9301ef 141564fc 565bdc95 76c95823 Jun 05, 09:57:44 Debug IKE c12ba88e 34ca7282 cb64b967 e0f231c5 053abf72 a547040a 8407d74c 9a5e7040 Jun 05, 09:57:44 Debug IKE efb70f61 bf2a9fc5 08ab2e1d 475687be 748c114d 3ea47a16 55827b84 2dc19c7c Jun 05, 09:57:45 Info APP IKE daemon terminated Jun 05, 09:57:45 Debug APP State change from RUNNING to IDLE after event RACOON TERMINATED Jun 05, 09:57:45 Debug APP Received SADB message type X_SPDDELETE
Re: Quick mode to Windows Server 2003 fails! by Athanyel on 2007-06-07 01:18:39 +0200
After a bit more digging, it appears that Racoon is crashing. I'm running on a MacBook Pro with an Intel Core Duo. I'm going to try downloading the application again...but I'm not sure what else I can do to try to fix this. [code]Host Name: alexs-computer Date/Time: 2007-06-06 18:13:26.620 -0500 OS Version: 10.4.9 (Build 8P2137) Report Version: 4 Command: racoon Path: /Library/StartupItems/IPSecuritasDaemon/racoon Parent: IPSecuritasDaemon [110] Version: ??? (???) PID: 255 Thread: 0 Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000004 Thread 0 Crashed: 0 racoon 0x00064f05 0x1000 + 409349 1 racoon 0x0003f739 0x1000 + 255801 2 racoon 0x00033d11 0x1000 + 208145 3 racoon 0x00018551 0x1000 + 95569 4 racoon 0x0000900f 0x1000 + 32783 5 racoon 0x000257a2 0x1000 + 149410 6 racoon 0x00023e37 0x1000 + 142903 7 racoon 0x00002de8 0x1000 + 7656 8 racoon 0x00002618 0x1000 + 5656 9 racoon 0x000021ee 0x1000 + 4590 10 racoon 0x00002115 0x1000 + 4373 Thread 0 crashed with X86 Thread State (32-bit): eax: 0x00000004 ebx: 0x0003f703 ecx: 0x00000080 edx: 0x00309114 edi: 0x00000004 esi: 0x00000001 ebp: 0xbffff568 esp: 0xbffff530 ss: 0x0000001f efl: 0x00010206 eip: 0x00064f05 cs: 0x00000017 ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037 Binary Images Description: 0x1000 - 0x86fff racoon /Library/StartupItems/IPSecuritasDaemon /racoon 0x8fe00000 - 0x8fe4afff dyld 46.12 /usr/lib/dyld 0x90000000 - 0x90170fff libSystem.B.dylib /usr/lib/libSystem.B.dylib 0x901c0000 - 0x901c2fff libmathCommon.A.dylib /usr/lib/system /libmathCommon.A.dylib 0x90bd0000 - 0x90bd7fff libgcc_s.1.dylib /usr/lib/libgcc_s.1.dylib 0x9193a000 - 0x919ecfff libcrypto.0.9.7.dylib /usr/lib /libcrypto.0.9.7.dylib 0x949d0000 - 0x949edfff libresolv.9.dylib /usr/lib /libresolv.9.dylib[/code]
Re: Quick mode to Windows Server 2003 fails! by Forum Admin on 2007-06-07 09:51:29 +0200
Hello Athanyel, this seems to be a bug in racoon - I will contact you by mail for further investigation on this. Thanks, Christoph
Attempting to connect to Netscreen 5gt Attempting to connect to Netscreen 5gt by lysistbp on 2007-06-07 17:38:20 +0200
Hey guys, I'm a Windows user that recently made the switch a month ago. I'm also an IT guy who knows little about VPNs unfortunately when it comes to troubleshooting (I use Netscreens with their software. It's pretty basic) Below is a log of when I try to connect to one of my clients. Can somebody explain what this is saying and tell me what changes should be made? The "red dot" next to the connection name states "network collision". Thanks in advance. IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386 Jun 07, 11:33:10 Debug APP State change from IDLE to AUTHENTICATING after event START Jun 07, 11:33:10 Info APP IKE daemon started Jun 07, 11:33:10 Info APP IPSec started Jun 07, 11:33:10 Debug APP State change from AUTHENTICATING to RUNNING after event AUTHENTICATED Jun 07, 11:33:10 Info IKE Foreground mode. Jun 07, 11:33:10 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jun 07, 11:33:10 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jun 07, 11:33:10 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jun 07, 11:33:10 Info IKE Resize address pool from 0 to 255 Jun 07, 11:33:10 Debug IKE parse successed. Jun 07, 11:33:10 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management. Jun 07, 11:33:10 Debug IKE my interface: ::1 (lo0) Jun 07, 11:33:10 Debug IKE my interface: fe80::1%lo0 (lo0) Jun 07, 11:33:10 Debug IKE my interface: 127.0.0.1 (lo0) Jun 07, 11:33:10 Debug IKE my interface: fe80::217:f2ff:feec:7f3c%en1 (en1) Jun 07, 11:33:10 Debug IKE my interface: 10.10.1.109 (en1) Jun 07, 11:33:10 Debug IKE my interface: fe80::201:23ff:fe45:6789%en2 (en2) Jun 07, 11:33:10 Debug IKE my interface: 192.168.1.10 (en2) Jun 07, 11:33:10 Debug IKE my interface: fe80::210:32ff:fe54:7698%en3 (en3) Jun 07, 11:33:10 Debug IKE my interface: 10.211.55.2 (en3) Jun 07, 11:33:10 Debug IKE configuring default isakmp port. Jun 07, 11:33:10 Debug IKE 9 addrs are configured successfully Jun 07, 11:33:10 Info IKE 10.211.55.2[500] used as isakmp port (fd=7) Jun 07, 11:33:10 Info IKE fe80::210:32ff:fe54:7698%en3[500] used as isakmp port (fd=8) Jun 07, 11:33:10 Info IKE 192.168.1.10[500] used as isakmp port (fd=9) Jun 07, 11:33:10 Info IKE fe80::201:23ff:fe45:6789%en2[500] used as isakmp port (fd=10) Jun 07, 11:33:10 Info IKE 10.10.1.109[500] used as isakmp port (fd=11) Jun 07, 11:33:10 Info IKE fe80::217:f2ff:feec:7f3c%en1[500] used as isakmp port (fd=12) Jun 07, 11:33:10 Info IKE 127.0.0.1[500] used as isakmp port (fd=13) Jun 07, 11:33:10 Info IKE fe80::1%lo0[500] used as isakmp port (fd=14) Jun 07, 11:33:10 Info IKE ::1[500] used as isakmp port (fd=15) Jun 07, 11:33:10 Debug IKE get pfkey X_SPDDUMP message
Re: Attempting to connect to Netscreen 5gt by lysistbp on 2007-06-07 17:54:03 +0200
Alright sweet . . . I got it working (green light) but I cannot ping or rdp into anything. Below is a copy of the ping. The forum is yelling at me if I try to paste my log . . . Any ideas guys? steve-taylors-computer:~ Steve$ ping 192.168.0.2 PING 192.168.0.2 (192.168.0.2): 56 data bytes 36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 3889 0 0000 3d 01 78ff 10.10.1.109 192.168.0.2 36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 388b 0 0000 3d 01 78fd 10.10.1.109 192.168.0.2 36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 388c 0 0000 3d 01 78fc 10.10.1.109 192.168.0.2 36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 388f 0 0000 3d 01 78f9 10.10.1.109 192.168.0.2 36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 3891 0 0000 3d 01 78f7 10.10.1.109 192.168.0.2 36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 3893 0 0000 3d 01 78f5 10.10.1.109 192.168.0.2 36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 3894 0 0000 3d 01 78f4 10.10.1.109 192.168.0.2 36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 3896 0 0000 3d 01 78f2 10.10.1.109 192.168.0.2 36 bytes from 53.177.14.8.voipum.com (8.14.177.53): Communication prohibited by filter Vr HL TOS Len ID Flg off TTL Pro cks Src Dst 4 5 00 5400 3897 0 0000 3d 01 78f1 10.10.1.109 192.168.0.2 ^Z [4]+ Stopped
ping 192.168.0.2
Re: Attempting to connect to Netscreen 5gt by cnadig on 2007-06-07 22:11:32 +0200
Hello, the log probably won't show anything since the tunnel can be established propetly. May I ask you to post the output of the following commands while IPSec is active? ifconfig -a netstat -nr The ICMP error is sent by 8.14.177.53 - what is this (the remote firewall or your ISP)? Cheers, Christoph
Troubled while accessing Cisco PIX Firewalls Troubled while accessing Cisco PIX Firewalls by p0ddie on 2007-06-15 10:25:35 +0200
Hi there, I have two Cisco Pix Firewalls (a 501 and a 515E) I would like to connect to. The Cisco Client works smooth (of course), but I have trouble getting them to connect with IPSecuritas. I'll try to be as detailed as possible about my efforts to connect to the Pix 501. I am quite new to Cisco VPN stuff and spoiled by less complex PPTP connections with OS X / Windows' integrated clients... so please excuse my n00by descriptions... I set up a profile and connection and this is what I get in the log: IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386 Jun 15, 09:53:43 Info APP IKE daemon started Jun 15, 09:53:43 Info APP IPSec started Jun 15, 09:53:43 Error IKE Foreground mode. Jun 15, 09:53:43 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jun 15, 09:53:43 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jun 15, 09:53:43 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jun 15, 09:53:43 Info IKE Resize address pool from 0 to 255 Jun 15, 09:53:43 Info APP Initiated connection Pix 501 Jun 15, 09:53:50 Info APP Initiated connection Pix 501 Jun 15, 09:53:50 Error IKE inappropriate sadb acquire message passed. Jun 15, 09:53:57 Info APP Initiated connection Pix 501 Jun 15, 09:53:59 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500] Jun 15, 09:54:04 Info APP Initiated connection Pix 501 Jun 15, 09:54:06 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500] Jun 15, 09:54:11 Info APP Initiated connection Pix 501 Jun 15, 09:54:11 Error IKE inappropriate sadb acquire message passed. Jun 15, 09:54:13 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500] Jun 15, 09:54:14 Error IKE phase1 negotiation failed due to time up. 9cbf694fbedd0fa8:1234ed12347e918e Jun 15, 09:54:16 Warning APP Connection Pix 501 timed out Jun 15, 09:54:16 Warning APP Giving up Jun 15, 09:54:20 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500] Jun 15, 09:54:27 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->172.30.17.31[500] Jun 15, 09:54:49 Info APP IPSec stopping Jun 15, 09:54:50 Info APP IKE daemon terminated ************** The Pix is on a leased line with fixed IP and connects smoothly with Cisco VPN clients. We use a pre-shared key (PSK) for authentication. Apparently the Phase 1 negotiation failes. This is quite weird since I checked with my Cisco expert to have the correct settings he applied to the Pix for Phase 1: Lifetime 1800 sec
Re: Troubled while accessing Cisco PIX Firewalls by cnadig on 2007-06-17 23:19:42 +0200
Hello, I received a Cisco PIX 501 a few days ago and just managed to find a working configuration today (Main mode + preshared key, no XAUTH yet). I will make a short description available within the next few days. Cheers, Christoph
Re: Troubled while accessing Cisco PIX Firewalls by Forum Admin on 2007-07-02 11:17:00 +0200
Hello, an updated wizard template is available for download at http://www.lobotomo.com/products/IPSecuritas/howtoUpdates.html. It includes templates and setup instructions for all PIX models. Cheers, Christoph
Re: Troubled while accessing Cisco PIX Firewalls by ajscam on 2007-08-02 22:37:48 +0200
Hello Christoph, I tried the new wizards against my PIX 515E. Unfortunately, on my PIX, the IPSec rules are already established, and I can't use your recommendations in the HOWTO. In short, I have the following differences: IPSec Rules for Remote Side Host/Network: 192.168.30.192/27. Tunnel Policy for Transform Set: ESP-3DES-MD5 IKE Policies for Hash: md5 IKE Policies for D-H Group: 2 I think I have modified IPSecuritas Phase 1 settings to match the IKE Policies above, but I'm not sure what I need to do to IPSecuritas for the IPSec Rules & Tunnel Policy above. In the log, I see the following errors: Error IKE inappropriate sadb acquire message passed. Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xx[500]->10.191.1888.160[500]
To me, it looks like the PIX doesn't like the sadb acquire message.... But beyond that I have no idea... Thanks for you help.
Re: Troubled while accessing Cisco PIX Firewalls by cnadig on 2007-08-03 12:35:18 +0200
Hello, you need to increase the log level to Debug in order to see the relevant stuff. You may send me the log to
[email protected] if you need assistance. Cheers, Christoph
IPSecuritas 3.0 & Certificates IPSecuritas 3.0 & Certificates by deanjaz on 2007-06-18 19:40:54 +0200
Hello,
I have upgraded to IPSecuritas 3.0 from previous version (2.2?) and imported the connection profile. But the connection fails to authenticate properly using certificates. I've verified the connection setup, and everything is properly setup. There just seems to be some kind of issue with client/server certificate exchange. This same profile worked fine with 2.2 of IPsecuritas, and the settings also work fine in VPN Tracker Demo. I think there might be something funky with the certificate manager and how it is dealing with Certificate/Key pairs? If you need any further information please let me know.
Re: IPSecuritas 3.0 & Certificates by deanjaz on 2007-06-19 02:28:41 +0200
Hi, In case anyone was wondering :P The problem i was having turned out to be ModeConfig. It seemed to be interfering with the Authentication of the client ID somehow. Manually specifying the ip address for the client works just fine. I would be interested in helping to debug this problem if it would be of interest or use to anyone. hx
Re: IPSecuritas 3.0 & Certificates by Forum Admin on 2007-06-19 16:22:45 +0200
Hello deanjaz, thank you very much for your feedback and your assistance offer. If possible, please send us exported logs to
[email protected] once with MODE_CFG [i]enabled[/i] and once with MODE_CFG [i]disabled[/i], both with the log level set to [i]Verbose[/i]. Thanks a lot, Christoph
Re: IPSecuritas 3.0 & Certificates by deanjaz on 2007-06-19 20:07:25 +0200
Will do! :)
Ipsecuritas v3.0 and smoothwall Ipsecuritas v3.0 and smoothwall by richardk on 2007-06-19 18:55:05 +0200
Hi, Has anbody had any success connecting v3 to a smoothwall corp server. My version 2 setup works great but version three cannot connect. Thanks Richard Kingsley
Re: Ipsecuritas v3.0 and smoothwall by barneygrice on 2007-06-27 12:56:32 +0200
Same problems here; v2 worked great but v3 does not. I have tried quite a few permutations of the connection "Options" to no avail. The SmoothWall logs do not even show a connection attempt - it's as if IPSecuritas 3.0 is not even trying to connect?! I'm still looking into this; I'll post back with any updates. In the mean time, please post here if you've had any luck. Thanks, Barney Grice.
Re: Ipsecuritas v3.0 and smoothwall by richardk on 2007-06-27 18:21:32 +0200
Really had no luck. Bit ashamed to say that i am a certified smoothwall reseller and had absolutely no luck at all. Going to have another try getting it working tonight on a new smoothwall installation using preshared keys instead of cetificate based connection to see if it works that way.
I am also going to try connecting v3 to an ipcop vpn see if that helps.
BTW, I have tried using smoothwall advanced firewall 2 as well as smoothwall corporate server 5 (not the free versions) Thanks Richard
Re: Ipsecuritas v3.0 and smoothwall by barneygrice on 2007-06-27 18:30:16 +0200
Sorry, should have stated that I'm trying using CF4, for the record. Still no luck, but I haven't given up - I'll look at it again when I have time. Barney.
Re: Ipsecuritas v3.0 and smoothwall by Forum Admin on 2007-06-27 22:29:02 +0200
Hi, could you please send me an IPSecuritas log with log level set to Verbose to
[email protected] (from IPSecuritas 3.0 and 2.2, if possible)? Thanks a lot, Christoph
Re: Ipsecuritas v3.0 and smoothwall by Forum Admin on 2007-06-28 20:09:29 +0200
Hello, IPSecuritas checks the received identifier more strictly than IPSecritas 2.2 did. If the received a different remote identifier from what is configured, an error will be logged (invalid ID payload). Try deselecting the option 'Verify Identifier' or check the configuration of the firewall to see what identification is sent. Hope this helps, Christoph
Re: Ipsecuritas v3.0 and smoothwall by richardk on 2007-06-28 21:07:39 +0200
Thank you very much for your help Christoph. I changed the remote identifier to fqdn and the connection worked first time. I shall some time this weekend take some screen grabs of my settings and created a mini howto for ipsecuritas 3 and smoothwall
Best Regards
Richard
Re: Ipsecuritas v3.0 and smoothwall by barneygrice on 2007-09-01 08:43:13 +0200
Hi all, I actually got some grabs from Smoothwall that helped me get this working this week. I'll post my own grabs online when I have a chance, but after importing my old IPSecuritas settings I think the "Local IP in Remote Network" was the checkbox that made the difference...... Barney.
Sonicwall: 'No proposal chose' error on 2nd netw.. Sonicwall: 'No proposal chose' error on 2nd netw.. by Banacek on 2007-06-20 01:10:26 +0200
Hello, you'll have to forgive me because I am new to all of this VPN business :) We're using a Sonicwall Pro 2040 and I can successfully connect to the VPN and ping machines on 10.0.10.x. Now, we also have a network at 10.0.20.x that we would like to have access too, but every time I try I get the following: Jun 19, 15:52:09 Error IKE messsage, phase1 should be Jun 19, 15:52:09 Error IKE Jun 19, 15:52:24 Error IKE to time up to wait.
fatal NO-PROPOSAL-CHOSEN notify deleted. Message: '2 No proposal is chosen'. xxx.xxx.xxx.xxx give up to get IPsec-SA due
Does anyone have any ideas as to why this is happening? Thanks!
[m]: Fan Control on macbook [m]: Fan Control on macbook by on 2007-06-20 07:03:33 +0200
[moved] [link=http://www.lobotomo.com/cgi-bin /yabb/YaBB.pl?num=1182315813/0]Others[/link] [move by] Forum Admin.
IPSecuritas 2.2 and video iChat? IPSecuritas 2.2 and video iChat? by villaged on 2007-06-20 20:08:04 +0200
So, I am trying to have two users running iChat and IPS2.2 video chat with each other. After a bunch of investigating, we can see what is happening. iChat is looking for all of the network devices on the machine, and IPS hasn't registered a device, and hence, never gets its VPN IP address. It just grabs the public address, which then fails to initiate the video chat, since these computers can not see each other outside of the VPN. Is there a way to create a device with IPS so that its IP gets snagged? Any ideas? Thanks.
IPSecuritas and Linksys WRV54G IPSecuritas and Linksys WRV54G by lcortex on 2007-06-21 22:24:51 +0200
I recently purchased a Linksys WRV54G vpn router and I'm trying to setup my vpn connection via IPSecuritas v. 3. I'm having the following problems in my log and cannot get it to work. Can anyone suggest what to try to fix it? Thanks! IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386 Jun 21, 13:03:42 Info APP IKE daemon started Jun 21, 13:03:42 Info APP IPSec started Jun 21, 13:03:42 Error IKE Foreground mode. Jun 21, 13:03:42 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jun 21, 13:03:42 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jun 21, 13:03:42 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jun 21, 13:03:42 Info IKE Resize address pool from 0 to 255 Jun 21, 13:03:42 Info APP Initiated connection NCT Jun 21, 13:03:49 Info APP Initiated connection NCT Jun 21, 13:03:56 Info APP Initiated connection NCT Jun 21, 13:03:56 Error IKE inappropriate sadb acquire message passed. Jun 21, 13:03:58 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.234.198.167[500]->10.51.21.30[500] Jun 21, 13:04:03 Info APP Initiated connection NCT Jun 21, 13:04:05 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.234.198.167[500]->10.51.21.30[500] Jun 21, 13:04:10 Info APP Initiated connection NCT Jun 21, 13:04:12 Error IKE phase1 negotiation failed due to time up. 78f8c8ae9fb0c975:0000000000000000 Jun 21, 13:04:12 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.234.198.167[500]->10.51.21.30[500] Jun 21, 13:04:15 Warning APP Connection NCT timed out Jun 21, 13:04:15 Warning APP Giving up Jun 21, 13:04:19 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.234.198.167[500]->10.51.21.30[500] Jun 21, 13:04:26 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.234.198.167[500]->10.51.21.30[500] Jun 21, 13:04:27 Info APP IPSec stopping Jun 21, 13:04:28 Info APP IKE daemon terminated
Any help will be greatly appreciated! Thanks!
--Ross
Re: IPSecuritas and Linksys WRV54G by tiffert on 2007-07-05 08:17:10 +0200
If you have found a solution or a configuration that works with the WRV54G, please let me know. Thanks!!
Re: IPSecuritas and Linksys WRV54G by tiffert on 2008-02-05 20:45:11 +0100
I have managed to setup a reliable VPN to my Linksys WRV54G (hardware rev .02, firmware 2.39.2) using IPSecuritas 3.1 and MacOS X 10.5.1. The WRV54G has rotten firmware. Sometimes saved changes to the VPN or DYNDNS settings do not actually take effect, even though the changes display in the browser window. After pointlessly trying every authentication and encryption combination under the sun for phases 1 and 2, I just deleted my existing tunnel and set one up from scratch. suddenly, the settings stuck and the VPN connection worked. I am using 3DES, SHA-1, 3600 sec., 1024, Main. In IPSecuritas, my configuration has the following options checked: IPSec DOI, SIT_IDENTITY_ONLY, Verify Identifier, IKE Fragmentation i hope this helps.
Re: IPSecuritas and Linksys WRV54G by tiffert on 2008-02-06 06:37:51 +0100
I spoke a moment too soon when I declared victory. The VPN is in fact stable once connected. But when I returned home and tried to connect, I discovered that I cannot negotiate Phase 1 from behind my router. I had heard that the WRV54G has problems traversing a NAT router and this seems to confirm it. But, to repeat, if my local client is not behind a NAT router, the VPN works well.
fails with Leopard fails with Leopard by theagent on 2007-07-09 19:28:55 +0200
Is there an alpha or beta build that works? Can someone send me a pointer?
Re: fails with Leopard by dublezero on 2007-07-17 05:41:16 +0200
bump
Re: fails with Leopard by cnadig on 2007-07-17 09:47:04 +0200
Working on it... a Beta will be releases this week. Cheers, Christoph
Re: fails with Leopard by dublezero on 2007-07-17 13:37:35 +0200
Excellent. You guys do an excellent job on this software. Thanks.
Re: fails with Leopard by theagent on 2007-07-17 16:12:51 +0200
Thanks a ton... really appreciate the effort. fix and you can get it done quick.
Hopefully it's not that big of a
thanks again
Re: fails with Leopard by theagent on 2007-07-19 23:36:56 +0200
Any idea how much longer for the beta that run on Leopard. I'm dead in the water...
Re: fails with Leopard by cnadig on 2007-07-22 21:22:36 +0200
Hello, I just published a Leopard compatible version. Please download it from this link: http://www.lobotomo.com/products/downloads /IPSecuritas%20Leopard.dmg Cheers, Christoph
Re: fails with Leopard by theagent on 2007-07-23 00:20:34 +0200
Thank... works like a charm to my SonicWall 2040 PRO
Re: fails with Leopard by theagent on 2007-07-31 22:04:01 +0200
I have found an issue with host --> networks. I am unable to get to my other subnets. Three separate networks via permanent VPN's. I can get into my main but not the other 3. 192.168.55.0/24 main 192.168.54.0/24 192.168.56.0/24 192.168.57.0/24
Re: fails with Leopard by Forum Admin on 2007-08-01 00:11:00 +0200
Hello, have you tried enabling the 'Unique SA' option? Cheers, Christoph
Re: fails with Leopard by theagent on 2007-08-20 22:04:27 +0200
SA doesn't change a thing.... all other networks are inaccessible. What info do you want from me to assist in debugging this?
Re: fails with Leopard by dublezero on 2007-09-20 22:03:16 +0200
Looks like the beta just expired. Can we get an updated one?
Re: fails with Leopard by Forum Admin on 2007-09-20 22:48:59 +0200
Hello, 3.0b2 is available for download. Christoph
Re: fails with Leopard by dublezero on 2007-09-20 22:59:47 +0200
Link?
Re: fails with Leopard by Forum Admin on 2007-09-21 06:27:06 +0200
http://www.lobotomo.com/products/downloads /IPSecuritas%20Leopard.dmg
Re: fails with Leopard by dublezero on 2007-09-21 15:37:27 +0200
Thanks! I had tried that link earlier but I probably jumped the gun and got it before you updated it.
Host to Anywhere with IPCOP connection problem Host to Anywhere with IPCOP connection problem by oortmanp on 2007-07-11 01:18:52 +0200
Hi all, I managed to get ipsecuritas to work with ipcop. But only when I'm using a specified range like 192.168.1.0/24. When I try to connect with the endpoint mode "anywhere" setting, I don't get a connection. (I'm using version 3, build 1693) Both setups have also been tested in Windows with thegreenbow vpn, where both setups work fine. The debug of ipsecuritas wasn't much help for me either. [code]IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386 Jul 11, 01:01:55 Debug APP State change from IDLE to AUTHENTICATING after event START Jul 11, 01:01:55 Info APP IKE daemon started Jul 11, 01:01:55 Info APP IPSec started Jul 11, 01:01:55 Debug APP State change from AUTHENTICATING to RUNNING after event AUTHENTICATED Jul 11, 01:01:55 Debug APP Received SADB message type X_SPDUPDATE - not interesting Jul 11, 01:01:55 Debug APP Received SADB message type X_SPDUPDATE - not interesting Jul 11, 01:01:55 Debug APP Received SADB message type X_SPDUPDATE - not interesting Jul 11, 01:01:55 Debug APP Received SADB message type X_SPDUPDATE - not interesting Jul 11, 01:01:55 Debug IKE Foreground mode. Jul 11, 01:01:55 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jul 11, 01:01:55 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jul 11, 01:01:55 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jul 11, 01:01:55 Info IKE Resize address pool from 0 to 255 Jul 11, 01:01:55 Debug IKE lifetime = 28800 Jul 11, 01:01:55 Debug IKE lifebyte = 0 Jul 11, 01:01:55 Debug IKE encklen=0 Jul 11, 01:01:55 Debug IKE p:1 t:1 Jul 11, 01:01:55 Debug IKE 3DES-CBC(5) ... ... ... Jul 11, 01:01:56 Info IKE ISAKMP-SA established 10.71.14.222[500]-217.120.247.4[500] spi:8ff28b05d6afb4eb:de62ecd58bb1e726 Jul 11, 01:01:56 Debug IKE === Jul 11, 01:01:56 Debug IKE === Jul 11, 01:01:56 Debug IKE begin QUICK mode. Jul 11, 01:01:56 Info IKE initiate new phase 2 negotiation: 10.71.14.222[500]217.120.247.4[500] Jul 11, 01:01:56 Debug IKE compute IV for phase2 Jul 11, 01:01:56 Debug IKE phase1 last IV: Jul 11, 01:01:56 Debug IKE c7c53315 1367dacb 81e4df67 Jul 11, 01:01:56 Debug IKE hash(sha1) Jul 11, 01:01:56 Debug IKE encryption(3des) Jul 11, 01:01:56 Debug IKE phase2 IV computed:
Re: Host to Anywhere with IPCOP connection problem by richardk on 2007-07-20 00:48:33 +0200
Hi, Any chance of sharing what connection settings you are using with IPCOP and ipsecuritas. Not sure what to enter in the authentication form on ipsecuritas when using cert based roadwarrior connection Thanks Richard Kingsley
Re: Host to Anywhere with IPCOP connection problem by oortmanp on 2007-08-19 15:25:46 +0200
@richardk with boardsearch "ipcop" you would have found: http://www.taupehat.com/vpn/ good luck setting up your certificate vpn oortmanp
Frustrated with VPN on my new WRVS4400N Frustrated with VPN on my new WRVS4400N by Christian on 2007-07-15 03:08:13 +0200
I had VPN working on my WRT54G running DD-WRT, but I bricked it, so I decided to buy a router with built-in VPN. I've read through the other messages regarding the WRVS4400N and still can not get my iBook to log in to my home network. I've posted my debug log file here: [url]http://www.pariahware.com /vpnlog.txt[/url] Any help would be appreciated as I've spent way too much time butting my head against this door. :( Thank you very much.
Re: Frustrated with VPN on my new WRVS4400N by Christian on 2007-07-15 19:18:11 +0200
I turned on VPN logging for my router. Here is what the router has logged: [url]http://www.pariahware.com/routervpn.txt[/url]
Re: Frustrated with VPN on my new WRVS4400N by cnadig on 2007-07-16 10:55:57 +0200
Hello Christian, you need to set the Remote Security Group to a specific address, e.g. 10.1.1.1. Setting it to Any will for some reasons only Linksys knows not work. You then need to enter the same address in IPSecuritas for the local endpoint (Host Mode). Hope this helps, Christoph
Re: Frustrated with VPN on my new WRVS4400N by Christian on 2007-07-16 18:34:47 +0200
Thank you for the tip, but that still didn't work. I've updated my two log files, one from the router and the other from the app. [url]http://www.pariahware.com/vpnlog.txt [/url] [url]http://www.pariahware.com/routervpn.txt [/url] To update, my router settings are: IPsec VPN Tunnel: Enabled Tunnel named: HomeVPN Local Sec. Group Type: Subnet IP Address: 192.168.2.x Subnet: 255.255.255.0 Remote Sec. Group Type: IP Addr. IP Address: 10.1.1.1 Remote Sec Gateway Type: Any Key Exchange Method: Auto. (IKE) Encryption: 3DES Auth: SHA1 PFS: Enable PSK: xxx Key Life: 28800 NetBIOS: false Phase1: Op Mode: Main Local ID: Name, HomeVPN Remote ID: Remote IP Encryptin: 3DES Auth: SHA1 Group: 1024 Key Life Time: 3600 Phase2: Enc: 3DES Auth: SHA1 PFS: Enable Group: 768 Key Life: 28800
IPSecuritas Settings: General Tab: Remote IPSec Device: DDNS address IPv6: Disabled Local Side: Endpoint Mode: Host, IP: 10.1.1.1 Remote Side: Endpoint Mode: Host, IP: Router's internal gateway address Transpoirt Mode: Disabled Phase1: Lifetime: 3600 DH Group: 1024 Encrypt: 3DES Auth: SHA-1 Exchange Mode: Main
Re: Frustrated with VPN on my new WRVS4400N by Forum Admin on 2007-07-16 21:49:38 +0200
Hello Christian, two more things you need to change: In your router settings, change the local identification to address too (required for main mode) and in IPSecuritas, change the remote endpoint mode to Network (instead of host) and set the address to 192.168.2.0/24 Cheers, Christoph
Re: Frustrated with VPN on my new WRVS4400N by Christian on 2007-07-16 23:04:57 +0200
Thank you very much! I now have a green light and am on my LAN. ;D The one remaining issue is that my web surfing (and I'm assuming e-mail) are not going through my router, but rather, the router where I currently have my iBook off-site. Can you please tell me how to remedy this last piece of the puzzle? Thanks again!
problem with Netgear FVX538 problem with Netgear FVX538 by cenotaph on 2007-07-17 14:22:15 +0200
Hi, I am totally excited about IPSecuritas as it seems like a really great piece of software, and free too! However, I am having trouble trying to connect to a Netgear FVX538. The wizard had instructions for the FVS328 and also listed the FVX538 but the settings are somewhat more advances, and I can't get past phase1 of connecting. I can post debug logs, but first of all, are there any more specific instructions for configuring the FVX538? Thanks!
Re: problem with Netgear FVX538 by cnadig on 2007-07-17 17:34:06 +0200
Hello, have you had a look at the HOWTO yet? (in IPSecuritas->Windows->HowTo List) Or direct link: http://www.lobotomo.com/products/IPSecuritas/howto /Netgear%20FVS114%20FVS328%20HOWTO.pdf Cheers, Christoph
Re: problem with Netgear FVX538 by cenotaph on 2007-07-18 17:52:05 +0200
Yep - the HOWTO is great for the FVS328 but I have the FVX538 which is a bit different so I'm not sure if I'm setting it up right. I can send logs to someone (I don't want to post them here for security reasons) if anyone is up for helping.
Re: problem with Netgear FVX538 by ade76 on 2007-07-23 19:02:22 +0200
version 2 firmware is different on the FVX538 hence it not looking the same, I've had ipsecuritas 2 working fine until recently, version 3 is giving a few errors with connection failures I'll post up some logs later on. last time i did it i just followed the wizard in how to and it worked fine
Sonicwall Pro2040 config with IPSecuritas Sonicwall Pro2040 config with IPSecuritas by coot on 2007-07-18 13:00:11 +0200
Hi all, I spent lot's of wasted hours a few weeks ago trying to get IPSecuritas to work with our Sonicwall Pro 2040 firewall. I was unsuccessful! >:( Before I start to look at this again, has anybody successfully connected to a Sonicwall Pro 2040 and would you be so kind as to let me know the configurations both at the ipsecuritas side and the sonicwall side? Here's hoping. Regards.. Karl
Re: Sonicwall Pro2040 config with IPSecuritas by JoeG on 2007-08-29 01:52:26 +0200
Same problem here, Karl. It seems I am able to connect just fine with VPN Tracker but the settings don't quite translate directly. I will tell you that I suspect that IPSecuritas does not support DHCP; you must get you admin to assign a static IP and use that in you local connection... I think. I would like to get this program working to avoid the high cost of VPN Tracker.
Re: Sonicwall Pro2040 config with IPSecuritas by matthewyoung on 2007-08-30 02:17:10 +0200
Have a similar problem with our SonicWall 4100 - does not have DHCP therefore I am still struggling to get things to work - also strugging to get the hosts set up correctly as I can connect to our firewall but cannot go further.
Re: Sonicwall config with IPSecuritas by netnoah on 2007-09-15 15:38:52 +0200
Hey Folks. I don't know if this helps y'all, but after 3 hours of trying to get IPSecuritas to connect to my VPN (SonicWall) I have (partial) success! Since I am not in the IT dept (just trying to replicate my VPN Tracker setup on company laptop to my home desktop using a shared key), I've had to guess that the SonicWall is configured as per Equinux's specs (phase 1:3DES & SHA1; Phase 2:Strong Encrypt and Authenticate (ESP 3DES HMAC SHA1) Frankly, this is a lot of Greek to me, but I can tell you that the following settings connect with the same functionality as VPN tracker. (this is the result of the export wizard template menu command) The only thing that isn't working now is connecting to multiple subnets simultaneously...which didn't work with VPN tracker either. phase1.localEndpointMode: ISEndpointModeHost phase1.remoteEndpointMode: ISEndpointModeNetworks phase1.exchangeMode: ISExchangeModeAggressiveMain phase1.proposalCheck: ISProposalCheckObey phase1.nonceSize: 16 phase1.lifetimeValue: 28800 phase1.lifetimeUnit: ISLifetimeSeconds phase1.dhGroup: ISDHGroupMod768 phase1.encryption: ISEncryption3DES phase1.authentication: ISAuthenticationSHA1 phase2.lifetimeValue: 1800 phase2.lifetimeUnit: ISLifetimeSeconds phase2.pfsGroup: ISPFSGroupNone phase2.encryptions: ISEncryption3DES phase2.authentications: ISAuthenticationHmacSHA1 localIdentification.mode: ISIdentificationName remoteIdentification.mode: ISIdentificationName authentication.mode: ISAuthenticationPresharedKey options.ipsecDoi: 0 options.identityOnly: 0 options.verifyIdentifier: 0 options.initialContact: 0 options.generatePolicy: 0 options.supportProxy: 0 options.verifyCertificate: 0 options.sendCertificate: 0 options.sendCertificateRequest: 0 options.modeCfg: 0 options.uniqueSa: 0 options.ikeFragmentation: 0 options.nattMode: ISNATTDisable options.dhcpPassThrough: 0
Re: Sonicwall Pro2040 config with IPSecuritas by coot on 2007-09-17 11:34:35 +0200
I got this working. Here is my setup: ==On the SonicWALL== :General Authentication Method: IKE using Preshared Secret Name: WAN GroupVPN Share Secret: xxxxx -Proposals Phase 1 DH Group: Group 2 Encryption: 3DES Authentication: MD5 Life Time (seconds): 9600 Phase 2 Protocol: ESP Encryption: 3DES Authentication: MD5 Enable PFS: Disabled Life Time (seconds): 28800 :Advanced Enable Windows Networking Broadcase: Unchecked Apply NAT and Firewall Rules: Unchecked Forward Packets to remote VPNS: unchecked Default Gateway: 0.0.0.0 Terminated at: LAN/DMZ (I require DMZ access) Require Authentication of VPN Clients via XAUTH: Checked :Client Cache XAUTH User Name and Password on Client: Single Session Virtual Adapter Settings: DHCP Lease or Manual Allow Connections to: Split Tunnels Set Default Route as this Gateway: Unchecked Require Global Security Client for this Connection: Unchecked Use Default Key for Simple Client Provisioning: Checked ==In IPSecuritas== :General Remote IPSec Device: xxxxx Local Endpoint Mode Host: Remote Endpoint Mode Network: 10.5.1.1/16 Phase 1 Lifetime: 9600 seconds DH Group: 1024(2) Encryption: 3DES Authentication: MD5 Exchange Mode: Main, Aggressive Proposal Check: Claim Nonce Size: 16 Phase 2 Lifetime: 28800 seconds PFS Group: None Encryption: DES, 3DES Authentication: HMAC-SHA-1, MD5 :ID Local Identifier: Address
Re: Sonicwall Pro2040 config with IPSecuritas by deepstructure on 2007-09-19 19:46:10 +0200
hey coot, i've used your exact same settings and can't get them to work! i keep immediately getting: error: IKE: foreground mode error: IKE: inappropriate sadb acquire message passed error: IKE: delete phase1 handle anyone else able to make these settings work? my pc still connects fine with the settings coot used for the server, but no dice for my macbookpro with ipsecuritas.
Re: Sonicwall Pro2040 config with IPSecuritas by coot on 2007-09-20 10:48:28 +0200
If you're using a Sonicwall that isn't a pro 2040 running standard firmware then I'd guess there must be slight differences in the models. I can't really help any further as I was in the same boat as you, I just tried messing with the settings, Sorry! [smiley=sad.gif] PS: My PC's also worked fine with no problems.
Re: Sonicwall Pro2040 config with IPSecuritas by 16thnotes on 2007-10-05 12:47:49 +0200
I too get the same errors in my application log when trying to connect to ZyWALL hardware. (alas VPN Tracker works fine) see this thread... [url]http://www.lobotomo.com/cgi-bin /yabb/YaBB.pl?num=1191350831[/url]
Re: Sonicwall Pro2040 config with IPSecuritas by providence on 2007-10-10 16:56:42 +0200
What is Network Address Endpoint Mode or Network Mask (CIDR) ? Is this something that I have to set up on my SonicWall? Is there any way to get an update to the SonicWall instructions to take advantage of the latest firmware update?
Problems importing certs for requests generated Problems importing certs for requests generated by pacronce on 2007-07-21 23:45:06 +0200
Hi all, We've been using VPN Tracker for years with certificate authentication via our own CA. I'm exploring using IPSecuritas as an alternative, but I'm running into problems with certificates. The problem is there doesn't seem to be a way to import a certificate the corresponds to a certificate request generated in IPSecuritas. It looks like all I can do is import a certificate with a private key. But since I generated the request using IPSecuritas, and there isn't an option to export its corresponding private key, I don't see how to make this work. I would have thought that the workflow for processing requests would be something like this: 1. Generate the request with IPSecuritas. Under the hood a key pair is also created. 2. Send the request to the CA admin. 3. The CA admin generates the associated certificate and sends it back. 4. Import the certificate in IPSecuritas. The program should match the certificate imported to the keypair/request generated and enable that certificate for use in a connection. The above is what happens with VPN Tracker. Note that the certificates we're generating are in PEM format, in case that matters. But I can't get the above to work with IPSecuritas. The only cert import option that remotely matches my situation is "PEM/DER encoded foreign certificate". But when I use that, the resulting certificate is not available for selection in the connection. The other options fail to import at all. If I bypass IPSecuritas for certificate request generation and instead import a complete encrypted PKCS#12 file with a private key, then the resulting certificate does work. But I don't like the idea of providing all of our VPN clients with a key pair and cert. Because it opens up security issues like the strength of the password, transport and secure disposal of the PKCS#12 file, etc. Note that I have not tried converting the PEM certificate to a PKCS#12 file without a private key. Maybe that would work, but it seems like an unnecessary step. Why not just allow import of a PEM certificate that matches a request? Thanks in advance for any help you can provide. Best regards, -Allen Cronce
Re: Problems importing certs for requests generate by cnadig on 2007-07-22 20:44:23 +0200
Hello Allen, you're right, this is a misconception in IPSecuritas, which certainly needs to be fixed. I will get in touch with you once it's done. Thanks a lot, Christoph
Re: Problems importing certs for requests generate by pacronce on 2007-08-22 20:56:27 +0200
[quote author=cnadig link=1185054306/0#1 date=1185129863] you're right, this is a misconception in IPSecuritas, which certainly needs to be fixed. I will get in touch with you once it's done. [/quote] Thanks for getting back to me. Have you been able to make any progress on the fix? Thanks in advance! Best regards, -Allen Cronce
Re: Problems importing certs for requests generate by cnadig on 2007-08-29 17:57:33 +0200
Hello Allen, yes, this is fixed. Please let me know if you need a pre-release. Otherwise it will be available with 3.1 in a couple of weeks. Cheers, Christoph
Re: Problems importing certs for requests generate by pacronce on 2007-08-30 17:24:21 +0200
[quote author=cnadig link=1185054306/0#3 date=1188403053] yes, this is fixed. Please let me know if you need a pre-release. Otherwise it will be available with 3.1 in a couple of weeks. [/quote] Great! Thanks Christoph! I'd be happy to beta test the pre-release, if you'd like to make it available. Maybe you could PM me with the download URL? Thanks in advance, -Allen Cronce
Re: Problems importing certs for requests generate by pacronce on 2007-09-18 01:57:35 +0200
Hi Christoph, [quote author=cnadig link=1185054306/0#3 date=1188403053]yes, this is fixed. Please let me know if you need a pre-release. Otherwise it will be available with 3.1 in a couple of weeks. [/quote] I'm just checking in again to see if I can help test the pre-release. Thanks in advance. Best regards, -Allen Cronce
Re: Problems importing certs for requests generate by pacronce on 2008-01-05 19:10:13 +0100
Looks like this feature works, mostly. I tested it when 3.1 came out in October and was able to generate requests, then import the corresponding certificate. It's been successful for other users of ours also. Thanks for implementing this feature. But I had problems when I tried to use the feature today to renew several certificates. What I did was generate 3 requests, then created the corresponding 3 certificates, then imported the certificates into IPSecuritas. I got a message each time indicating that the request was found and that the private key was associated with the imported certificate. But none of the new certificates worked. I looked at the log on our server side and found digital signature errors. It occurred to me that maybe if there are more than one request, IPSecuritas gets confused at import time and associates the wrong private key with the certificate. So as an experiment, I deleted all of my requests and certs. Then I generated the 3 certificates one at a time. After each import, I deleted the corresponding request. When I did it this way, all of the certificates were valid and I was able to connect. Would it be possible for you to take a look at the import code to see if there's a bug with associating a certificate with a private key when there is more than one request?
Re: Problems importing certs for requests generate by pacronce on 2008-01-25 17:58:48 +0100
I hate to be a pest, but this is really becoming a problem. So far every user of ours that needs multiple certificates has run into the bug. The work around of deleting all requests before processing a new one seems to work. But it's counterintuitive and our users don't seem to be able to follow instructions (big surprise). It would be *really* great if this bug could be fixed. Otherwise the support headaches will force me to seek some alternative solution. Thanks in advance, -Allen Cronce
IPSecuritas NOT compatible with Mac OS X 10.5 Beta IPSecuritas NOT compatible with Mac OS X 10.5 Beta by galphanet on 2007-07-22 19:12:04 +0200
Hello, I've tested your exellent software on Mac OS X 10.5 Beta (Build 9A466) and IPSecuritas starts but continues jumping on the dock and say that he can't connect to the deamon and after quit unexpectly ! But IPSecuritasDeamon is really running... I think it'll be easy to adapt it for 10.5... I can help you if you want to test it ! (sorry for my bad english..say if I do mistakes)
Re: IPSecuritas NOT compatible with Mac OS X 10.5 by cnadig on 2007-07-22 21:21:49 +0200
Hello, I just published a Leopard compatible version. Please download it from this link: http://www.lobotomo.com/products/downloads /IPSecuritas%20Leopard.dmg Cheers, Christoph
Re: IPSecuritas NOT compatible with Mac OS X 10.5 by galphanet on 2007-07-22 21:25:20 +0200
Hello, Thanks you very much for this ! 8-)
FortiGate 800 configuration problem FortiGate 800 configuration problem by dg on 2007-07-23 22:27:26 +0200
Hi, my wife's workplace now uses FortiGate 800. Their support site explicitly recommends Mac users to use IPsecuritas. However, their IT guy claims that they use "two methods" authentication in Phase 1. In IPsecuritas, you only have a popup menu with a single method choice. Therefore he claims that IPsecuritas cannot be made to work on their VPN. Is this guy just giving me some B.S.? Any help appreciated, thanks. I have a FortiGate client profile. In theory, it should be possible to gather the configuration options out of that profile, but it is not that easy. Somebody here could do that?
Thanks.
Re: FortiGate 800 configuration problem by varruss on 2007-07-24 06:20:50 +0200
I have 5 Fortigate firewalls working fine with IPSecuritas. They all use XAuth and preshared secret. (In IPSecuritas under ID - Authentication Method). Have him confirm what does he mean by 2 methods authentication.
Re: FortiGate 800 configuration problem by dg on 2007-07-24 16:43:52 +0200
Well, this guy claims that in the Phase 1 authentication method, you need to select multiple methods (same as you can do in the Phase 2 setup, where you can check more than one method).
IPCOP and ipsecuritas IPCOP and ipsecuritas by richardk on 2007-07-23 23:45:36 +0200
Hi Has anybody sucessfully used ipsecuritas to connect to ipcop? If so,please post details of what to enter on the ID and option screen on ipsecurits. Have been trying for about 2 days with no luck whatsover. Thanks Richard
Re: IPCOP and ipsecuritas by cnadig on 2007-07-24 09:14:01 +0200
Hello, please have a look at http://www.taupehat.com/vpn/ Although it describes the setup for the older version 2.x, it should be easy enough to use it to configure 3.0 (the settings should be the same). The Wizard plugin for IPCop could help, too. Hope this helps, Christoph
Trying to connect to Fortinet FGT-60 Trying to connect to Fortinet FGT-60 by zoomin on 2007-07-26 15:36:10 +0200
Hello, I am trying to connect to a Fortinet Fortigate 60 at work. I have read Fortinet's instructions here: http://kc.forticare.com/default.asp?SID=&Lang=1&id=2012 but they seem a bit contradictory. At the top, it says "Authentication Method - Preshared Key (Note that the Pre-shard key must be empty)" and then at the bottom it says to "Select Id/Auth and enter the Pressured Secret (preshared key)." I am trying to set it up in Host to Network mode. Thanks for any tips.
Re: Trying to connect to Fortinet FGT-60 by cnadig on 2007-07-26 16:27:44 +0200
Hello, although I don't have a Fortinet available here, I can't imagine that the preshared key may be empty. I rather expect it to identical with the one entered in IPSecuritas. Please note XAUTH now also works with IPSecuritas and Fortinet (the instructions refer to the older version 2.x) - once you have it running with preshare key, you may try with XAUTH PSK (same preshared key, but per user passwords). Cheers, Christoph
Re: Trying to connect to Fortinet FGT-60 by zoomin on 2007-07-26 19:23:32 +0200
I have upgraded to Ipsecuritas 3.0 but I am still unable to establish a dial-up connection. I do have some successful connections setup to different networks behind the same hardware (FGT-60) using the static ip method but I am hoping to downgrade my service here and will no longer have a static IP, so that is why I am attempting to set this up with dial-up / roaming settings. I am unsure what to put in the ID section so I left the defaults but I am pretty sure that without a static IP I cannot use the ip address as local identifier: local identifier: address remote identifier: address authentication method: preshared key and put in my preshared key from the fortinet.
Does "Mutual Authentication" work with cisco 3000? Does "Mutual Authentication" work with cisco 3000? by cwalter on 2007-07-27 17:35:44 +0200
Dear All, I am trying to attach to a cisco 3000. It is running in Cisco's version of Hybrid Auth, which they call "mutual authentication". It uses a certificate for remote identification in the 1st phase and also uses xauth and a pre-shared key. I can't get it to work, and I can't figure out from the web page or the forums if it is really supported. Can anyone tell me? About the closest setup I can find is local id: key-id (set to group name) remote-id: certificate Auth method: Xauth RSA user name: (set to xauth name) password: (set to xauth password) I have imported our root certificate into the certificate manager but there is an "!" mark next to the connection name which if I hover over it says: "remote identifier set to certificate but no XAUTH server certificate chosen."
However I can't find an option anywhere to "choose a certificate". Does anyone have any ideas, or is this configuration not supported at all? BTW, thanks for the work! I am using ipsecuritas to to attach to another system not-using hybrid-auth and it is great! -Chris
Problem Connecting With SonicWall TZ-170 Problem Connecting With SonicWall TZ-170 by jmarsan on 2007-07-30 17:23:29 +0200
I'm trying to setup IPSecuritas 3.0 to connect to a SonicWall TZ-170. Right now when I try to connect, the indicator remains red and all I see is the following in the debug log: IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386 Jul 28, 16:49:22 Debug APP State change from IDLE to AUTHENTICATING after event START Jul 28, 16:49:22 Info APP IKE daemon started Jul 28, 16:49:22 Info APP IPSec started Jul 28, 16:49:22 Debug APP State change from AUTHENTICATING to RUNNING after event AUTHENTICATED Jul 28, 16:49:22 Info IKE Foreground mode. Jul 28, 16:49:22 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jul 28, 16:49:22 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jul 28, 16:49:22 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jul 28, 16:49:22 Info IKE Resize address pool from 0 to 255 Jul 28, 16:49:22 Debug IKE parse successed. Jul 28, 16:49:22 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management. Jul 28, 16:49:22 Debug IKE my interface: ::1 (lo0) Jul 28, 16:49:22 Debug IKE my interface: 127.0.0.1 (lo0) Jul 28, 16:49:22 Debug IKE my interface: fe80::21b:63ff:fe04:da0b%en1 (en1) Jul 28, 16:49:22 Debug IKE my interface: 2002:d018:3087::21b:63ff:fe04:da0b (en1) Jul 28, 16:49:22 Debug IKE my interface: 192.168.1.94 (en1) Jul 28, 16:49:22 Debug IKE configuring default isakmp port. Jul 28, 16:49:22 Debug IKE 5 addrs are configured successfully Jul 28, 16:49:22 Info IKE 192.168.1.94[500] used as isakmp port (fd=7) Jul 28, 16:49:22 Info IKE 2002:d018:3087::21b:63ff:fe04:da0b[500] used as isakmp port (fd=8) Jul 28, 16:49:22 Info IKE fe80::21b:63ff:fe04:da0b%en1[500] used as isakmp port (fd=9) Jul 28, 16:49:22 Info IKE 127.0.0.1[500] used as isakmp port (fd=10) Jul 28, 16:49:22 Info IKE ::1[500] used as isakmp port (fd=11) Jul 28, 16:49:22 Debug IKE get pfkey X_SPDDUMP message Jul 28, 16:49:22 Debug IKE 02120200 02000000 00000000 03050000 Jul 28, 16:49:22 Debug IKE pfkey X_SPDDUMP failed: No such file or directory Do you have any hints or suggestions as to either debug this or what I'm missing in the setup?
Re: Problem Connecting With SonicWall TZ-170 by jmarsan on 2007-08-20 17:20:28 +0200
I got past this problem - my remote network uses (used) the same IP range as the network I was trying to connect to - this apparently causes problems for IPSecuritas. Now I'm on to the next issue...the connection attempt gets much further along but now my TZ-170 is reporting: 08/18/2007 21:19:29.192 IKE Responder: IPSec proposal does not match (Phase 2) xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx xxx.x.xxx.xxx/32 -> xxx.xxx.x.x/16 08/18/2007 21:19:29.192 IKE Responder: Default LAN gateway is set but peer is not proposing to use this SA as a default route xxx.xx.xx.xxx xxx.xxx.xxx.xxx xxx.xxx.x.x/16
Re: Problem Connecting With SonicWall TZ-170 by BHunsaker on 2007-09-26 03:37:40 +0200
I got the "X_SPDDUMP failed" message when the value for "Remote IPSec Device" under the General tab is a DNS string that won't translate. For example, I used "me.dyndns.com" instead of "me.dyndns.[b]org[/b]".
Problem connecting to Exchange server via IMAP Problem connecting to Exchange server via IMAP by RobertF on 2007-07-30 17:47:54 +0200
I'm trying to connect to our Exchange server from home. It has IMAP turned on and I can access it using Mail.app from work with no difficulty. However, when I try to access it from home using the VPN, I get a message saying it can't access the server. I am able to access internal network shares via the VPN, so it's not a simple connectivity problem. I can access my mail account via Web mail without difficulty. The mail server is on a 192.168 address, while the servers I'm able to access are on 10.0 addresses. However, the IP address I'm being assigned is in the 192.168 range and I can ping 192.168.1.1. Any troubleshooting ideas?
Netgear DG834 Netgear DG834 by robinb on 2007-08-10 12:19:55 +0200
Hi All Noob question which hopefuly hasn't been answered (I have searched forum) Has anyone had any sucess connecting securitas on OS X to a Netgear DG834? I have used the Netgear Wizzard and the Securitas Wizzard using (what I think) is going to be the nearest NG device on the list (124G) and the connection fails on phase 1. Error is Aug 10, 11:04:50 Info APP Initiated connection XXX Aug 10, 11:04:50 Error IKE inappropriate sadb acquire message passed. Aug 10, 11:04:52 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 213.2.210.66[500]->10.20.30.39[500] Aug 10, 11:04:57 Info APP Initiated connection XXX Aug 10, 11:04:59 Error IKE phase1 negotiation failed due to time up. 37646a8215af9cf4:0000000000000000 I am assuming that it is due to the device i chose but the 834 is not listed. I did try a couple of others but no joy. Can anyone point me in the right direction please TIA
VPN and Gateway VPN and Gateway by Christian on 2007-08-14 22:34:26 +0200
So, it has been about a month and I'm in need of my VPN again. As I mentioned back then, I can now connect to the VPN, but my home router is not my gateway for web traffic. How do I set up my Mac so that when I'm connected to my VPN, my home router is my gateway for all network traffic? Thank you!
Spit DNS? Spit DNS? by phssec on 2007-08-22 11:13:34 +0200
Hello. Has anyone got the Split DNS working with IPSecuritas 3.0? My problem is that it seems to work [i]only[/i] when there is also a public name. Example: a.example.fi has local address 10.0.0.1 b.example.fi has local address 10.0.0.2 [i]and[/i] public address 80.74.149.177 When I activate IPSecuritas' Split DNS feature for example.fi I can connet to b.example.fi but not to a.example.fi. With netstat I can check that b.example.fi connection really goes to 10.0.0.2 so it is using IPSec. host command can not find any address for a.example.fi and only public address for b.example.fi. VPN Tracker seems to be able to handle split dns properly.
Remote Network Settings Remote Network Settings by matthewyoung on 2007-08-23 18:51:51 +0200
We have IP addresses of 172.x.0.0 and I am trying to set this up so I can connect through to our SonicWall and into our network. I have it so I can connect to the SonicWall as I can login to the firewall management site but the network settings I have listed are not the same as if I use sonicwall's own vpn software on my windows machine (they don't make one for macs) - if on there I see the network as being 0.0.0.0 255.255.255.255 - how do I get that as the remote endpoint setting? Also....using the fireall software my computer gets a dhcp ip address from the firewall and I cannot see a setting for this in IPSecuritas. I can give myself a manual setting (Local Endpoint) but one on the firewall I cannot ping or connect to anything else on the network whether on 172.16.x.x (which is the firewall's internal) or another 17 address we have. any suggestions????
Linksys WRV200 Linksys WRV200 by rdfisher on 2007-09-05 06:03:03 +0200
I'm trying to establish a workstation to network VPN connection with a Linksys WRV200 router. Through searching these forums I found reference to an outdated guide (http://www.lobotomo.com/products/IPSecuritas /howto/Linksys%20WRV200%20HOWTO.pdf) but I haven't been successful at making a connection using these directions. Has anyone had success at connecting to this router, specifically running (current) firmware 1.0.32.2? I will certainly post logs etc if troubleshooting is necessary, but figured I'd first start by looking for any known good configurations. Thanks for the help. rf
Re: Linksys WRV200 by dandor on 2007-09-07 07:02:15 +0200
Hi, I've just been trying to get the same things working. I think I managed to work around the outdated HowTo--- not too much changed, luckily. After putting in all the details, I've got a connection, according to "sudo setkey -D" and "ifconfig". However, the link doesn't work! Pinging the router returns silence. In the next day or two I'll return to this forum either 1) to ask how to get it working, or 2) explain how I sorted it out. D.
Re: Linksys WRV200 by dandor on 2007-09-07 18:17:36 +0200
Hi, using the HowTo as a guide, I got it working. Need the configuration details? I can try to post a series of screenshots. Would that be helpful? [b]UPDATE:[/b]
[url=http://www.flickr.com/photos/xandxor/1342694152/][img]http: //farm2.static.flickr.com/1055/1342694152_906f7897b5_b.jpg[/img][/url] I suspect the WRV200 settings are more useful. Next update.
Re: Linksys WRV200 by dandor on 2007-09-07 18:58:54 +0200
WRV settings: (Note that the "Advanced Settings" should have the "Allow All" radio button checked, but that is in fact the default.) [url=http://www.flickr.com/photos/xandxor/1341846071/][img]http: //farm2.static.flickr.com/1317/1341846071_77e7df7bdf_o.jpg[/img][/url]
Re: Linksys WRV200
by rdfisher on 2007-09-20 07:02:38 +0200
That worked! I tried your solution a few weeks ago and it didn't work at that time. I don't know what I did different this time around but I'm connected right now. Excellent help with the screenshots! Thanks for the help.
IPSecuritas connecting to OS X Server 10.4 IPSecuritas connecting to OS X Server 10.4 by alex_schenkman on 2007-09-05 10:12:01 +0200
Hi: Is is possible to connect to an OSX Server 10.4 with IPSecuritas? I know that I can use the OSX built-in client, but I wonder if I can offer my users a single interface for connecting to all our resources. Thanks in advance!
IPSecuritas & Netgear DGFV338 IPSecuritas & Netgear DGFV338 by ridgedale on 2007-09-16 07:34:06 +0200
I wonder if anyone might be able to help. I'm trying to VPN into a Netgear DGFV338 and am having no success. Would someone be able to tell me where I am going wrong? I've provided a log of an attempted connection below: Sep 16, 06:06:52 Info APP IKE daemon started Sep 16, 06:06:53 Info APP IPSec started Sep 16, 06:06:53 Error IKE Foreground mode. Sep 16, 06:06:53 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Sep 16, 06:06:53 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Sep 16, 06:06:53 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Sep 16, 06:06:53 Info IKE Resize address pool from 0 to 255 Sep 16, 06:06:53 Info APP Initiated connection Sep 16, 06:06:53 Error IKE inappropriate sadb acquire message passed. Sep 16, 06:06:54 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Sep 16, 06:07:00 Info APP Initiated connection Sep 16, 06:07:07 Info APP Initiated connection Sep 16, 06:07:09 Error IKE give up to get IPsec-SA due to time up to wait. Sep 16, 06:07:14 Info APP Initiated connection Sep 16, 06:07:14 Error IKE inappropriate sadb acquire message passed. Sep 16, 06:07:21 Info APP Initiated connection Sep 16, 06:07:26 Warning APP Connection timed out Sep 16, 06:07:26 Warning APP Giving up Sep 16, 06:07:29 Error IKE give up to get IPsec-SA due to time up to wait. Sep 16, 06:08:29 Info APP IPSec stopping Sep 16, 06:08:30 Info APP IKE daemon terminated Thanks in advance.
Re: IPSecuritas & Netgear DGFV338 by cnadig on 2007-09-17 07:12:22 +0200
Hello, could you please set the log level to Debug (in IPSecuritas' preferences) and post such a log again (please make sure to remove your public address and other confidential information from the output)? Thanks, Christoph
Re: IPSecuritas & Netgear DGFV338 by ridgedale on 2007-09-18 21:03:27 +0200
Christoph, Thanks for your reply. I've managed to sort the issue out - everything's working fine now. I'll remember to heed your comments when posting in future. Thanks again Dene
Re: IPSecuritas & Netgear DGFV338 by AKirchner on 2007-09-21 12:49:00 +0200
Hey I have the same Hard- and Software but I can't fix it. Thats my log. The Support-Hotline from Netgear is incompetent i think. IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386 Sep 21, 12:34:09 Info APP IPSec stopping Sep 21, 12:34:10 Info APP IKE daemon terminated Sep 21, 12:34:10 Info APP IKE daemon started Sep 21, 12:34:11 Info APP IPSec started Sep 21, 12:34:11 Info IKE Foreground mode. Sep 21, 12:34:11 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Sep 21, 12:34:11 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Sep 21, 12:34:11 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Sep 21, 12:34:11 Info IKE Resize address pool from 0 to 255 Sep 21, 12:34:11 Info APP Initiated connection Rudi Renner Bellinghausen Sep 21, 12:34:11 Error IKE inappropriate sadb acquire message passed. Sep 21, 12:34:18 Info APP Initiated connection Rudi Renner Bellinghausen Sep 21, 12:34:25 Info APP Initiated connection Rudi Renner Bellinghausen Sep 21, 12:34:27 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->192.168.2.20[500] Sep 21, 12:34:32 Info APP Initiated connection Rudi Renner Bellinghausen Sep 21, 12:34:34 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->192.168.2.20[500] Sep 21, 12:34:39 Info APP Initiated connection Rudi Renner Bellinghausen Sep 21, 12:34:39 Error IKE inappropriate sadb acquire message passed. Sep 21, 12:34:41 Error IKE phase1 negotiation failed due to time up. fd391904457e4be8:0000000000000000 Sep 21, 12:34:41 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->192.168.2.20[500] Sep 21, 12:34:44 Warning APP Connection Rudi Renner Bellinghausen timed out Sep 21, 12:34:44 Warning APP Giving up Sep 21, 12:34:48 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->192.168.2.20[500] Sep 21, 12:34:55 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.xxx.xxx.xxx[500]->192.168.2.20[500] Sep 21, 12:35:50 Info APP IPSec stopping Sep 21, 12:35:51 Info APP IKE daemon terminated Sep 21, 12:35:53 Info APP IKE daemon started Sep 21, 12:35:53 Info APP IPSec started Sep 21, 12:35:53 Error IKE Foreground mode. Sep 21, 12:35:53 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Sep 21, 12:35:53 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Sep 21, 12:35:53 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Sep 21, 12:35:53 Info IKE Resize address pool from 0 to 255 Sep 21, 12:35:53 Info APP Initiated connection Rudi Renner Bellinghausen
Re: IPSecuritas & Netgear DGFV338 by gmandil on 2008-11-12 20:58:18 +0100
ridgedale could you please explain us what have you done to make it work ? thanks in advance Guillaume
IPSecuritas - problem accessing the DMZ IPSecuritas - problem accessing the DMZ by coot on 2007-09-17 11:25:47 +0200
Hi all, We have a problem accessing our DMZ from home using the IPSecuritas VPN Client. We are connecting to a sonicwall pro 2040. I have two remote endpoints. One is the DMZ and one is the LAN. I can connect successfully to all LAN computers. I cannot connect to any computers in the DMZ. I have tested the Sonicwall VPN Client on a Windows PC and can access both the LAN and DMZ computers. Does anyone have an idea of what could be causing this problem? If you need any extra info about this then just let me know. Regards.. Karl
Re: IPSecuritas - problem accessing the DMZ by coot on 2007-09-17 17:40:29 +0200
I'm really stumped on this. I think there may be a problem accessing the second network. In the scenario above, I had the DMZ listed as the second network in the Remote Endpoint "Networks" section. I changed it around so that the DMZ network is listed first and the LAN network second. Now I can connect to the DMZ but not the LAN. :-/ Any ideas?
Problems connecting to Sonicwall TZ-170 Problems connecting to Sonicwall TZ-170 by adacey on 2007-09-19 13:53:21 +0200
I had this working fine under 2.1 but with 3.0 I can't connect. I imported my connection from 2.1 but when I connect the log shows "Id expected IP address in main mode but received FQDN" (sorry, posting from work so I don't have the exact message). I have identifiers set to address for both sides of the connection, I've checked the Sonicwall's configuration and can't find what it's using for identifiers. The closest option I found was the firewall's unique firewall identifier, which I did try inputting for it's identifier (as a FQDN) but that also didn't work. Any suggestions?
Fios Actiontec M1424-WR Fios Actiontec M1424-WR by headbaker on 2007-09-22 04:23:00 +0200
I have been using IPSecuritas on my Macbook Pro from home over a Linksys WRK54G router while with Comcast to a Sonicwall 4060. I just switched to Verizon FIOS with a Actiontec M1424-WR router and have had no luck. I am using the same LAN IP on this new router as the old one. I can connect from the MAC when booting into Vista and running Sonicwall's GlobalVPN client. Has anyone else experienced any difficulties switching over to FIOS or the Actiontech router?
Re: Fios Actiontec M1424-WR by headbaker on 2007-09-23 00:42:07 +0200
Well, with persistance I was able to get it working. The only configuration change was to disable NAT-T. It is working fine now.
Addressing questions Addressing questions by Roger408 on 2007-09-28 19:51:01 +0200
I'm setting up IPSecuritas for the first time, using a Netgear FVS114 there and a Mac mini here. I can get a connection established, but have trouble reaching anything at the end with the router (there). Addressing on the LAN there is 192.168.0.0/24. At present my Mac is on my home LAN (here) and is 10.43.x.x. Attempting to ping anything on 192.168.0.x fails, since I assume it is trying to ping on my home LAN. I'm not clear on how to direct traffic through the IPsec link to the 192.168... LAN. Can anyone clarify this for me? Here is the log for this session. The last three lines are repeated many times... Sep 28, 09:35:41 Info APP IKE daemon started Sep 28, 09:35:41 Info APP IPSec started Sep 28, 09:35:41 Error IKE Foreground mode. Sep 28, 09:35:41 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Sep 28, 09:35:41 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Sep 28, 09:35:41 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Sep 28, 09:35:41 Info IKE Resize address pool from 0 to 255 Sep 28, 09:35:42 Info APP Initiated connection SVCF Sep 28, 09:35:42 Error IKE inappropriate sadb acquire message passed. Sep 28, 09:35:45 Warning IKE trns_id mismatched: my:DES peer:3DES Sep 28, 09:35:49 Info IKE the packet is retransmitted by 76.210.165.xx[500]. $ xx inserted by me. Sep 28, 09:35:54 Info IKE the packet is retransmitted by 76.210.165.xx[500]. Sep 28, 09:35:59 Info IKE the packet is retransmitted by 76.210.165.xx[500]. Sep 28, 09:36:44 Error IKE failed to get sainfo. Sep 28, 09:36:44 Error IKE failed to get sainfo. Sep 28, 09:36:44 Error IKE failed to pre-process packet. Sep 28, 09:36:48 Error IKE failed to get sainfo.
Re: Addressing questions by Forum Admin on 2007-10-01 17:36:52 +0200
Hello, when a connection is established, traffic to the remote network is directed automatically through the established tunnel, i.e. there is no need for an extra route entry. If you can't get traffic to or from the remote network although the connection is established (green dot), I see two possible problems: 1. NAT problem: your local router might not support VPN-passthrough or there are other IPSec tunnels active from the local network. Try enabling NAT-T 2. The remote firewall is not the default route for the machine you try to reach, the 10.x.x.x network is routed differently or not all. I'd try to specify a different "virtual" local IP (enter the address into the local endpoint address field), say from the 172.24.x.x range. If this doesn't help, try to find out if the traffic you send is reaching the other end at all, i.e. sniff the local network for traffic destined to the machine you're trying to reach, to see which direction doesn't work. Hope this helps, Christoph
Connection speed issue Connection speed issue by wilfredoz on 2007-10-01 14:35:12 +0200
Hello, Thank you for this great pice of software, I use it occasionaly with my mackbook-gprs connection to a monowall ip-sec router to login to a couple of servers at work via ssh and for a remote desktop machine. Now I got one problem. when I use a gprs (slow) connection everything is going well, when I connect with ssh I can control the remote servers perfectly, but when I use a highspeed cable of adsl connection the ssh session locks up when I try to use some commands like "ls". The same happens with remote desktop on Mac os x, the remote screen appears completly on a gprs connection but when I use a high speed connection the remote screen even doesn't appears. Is this a known problem and what can I do about it? Thanks!
Re: Connection speed issue by Forum Admin on 2007-10-01 17:26:53 +0200
Hello, this looks like an issue with the MTU. IPSec encapsulates the original user data into an ESP packet, probably making the resulting packet larger than allowed. Please try to decrease the MTU on the m0n0walls' WAN interface by 8 (no NAT-T) or 28 (NAT-T enabled). Hope this helps, Christoph
Re: Connection speed issue by wilfredoz on 2007-10-03 22:14:38 +0200
[quote author=Forum Admin link=1191242112/0#1 date=1191252413]Hello, this looks like an issue with the MTU. IPSec encapsulates the original user data into an ESP packet, probably making the resulting packet larger than allowed. Please try to decrease the MTU on the m0n0walls' WAN interface by 8 (no NAT-T) or 28 (NAT-T enabled). Hope this helps, Christoph[/quote] Thanks for your reply, I tried to decrease the MTU size but it did not solve the problem. I think when It was the other way around, it could be a MTU issue..
Re: Connection speed issue by Dave on 2007-10-31 16:17:11 +0100
[quote author=wilfredoz link=1191242112/0#2 date=1191442478]Thanks for your reply, I tried to decrease the MTU size but it did not solve the problem. I think when It was the other way around, it could be a MTU issue..[/quote] When I connect to the SonicWall at work, I have to set the Mac's MTU down to around 1400, do a couple of pings with no-fragment set, and then set it back up to 1500. After doing all this, things will work. If I don't, the first fragmented packet stalls the connection. Is there some way to do this automagically when the connection starts?
MacBook Pro can't find VPN server. MacBook Pro can't find VPN server. by gmoon on 2007-10-01 18:35:54 +0200
My office set up a VPN mostly to be used by me when I'm out of the office. I was given the .ipsc file to import, and I'm able to get connected in IPSecuritas (it shows green), but when I try to connect to server from the finder it says it's looking up the server, but then says it can't find it. A coworker has essentially the same Mac as me, I copied his .ipsc file and he is able to connect but I am not (from the same remote location). I have also tried from home on my other 2 macs, each shows green, but can't find the server. We went through all of our network and sharing settings to see if anything was different and it all appears the same. Is there a setting I may need to change on my Mac? When I'm at home I'm using an Airport extreme and I have to set NAT-T to enable and check "Local IP in Remote Netwrok", but even from the cafe up the street where we tried it, his works and mine won't! Any thoughts?? Thanks.
Re: MacBook Pro can't find VPN server. by Forum Admin on 2007-10-01 21:04:11 +0200
Hello, this seems odd... Have you tried to just ping a remote machine? Could you please run the following commands in a Terminal window on both your and your collueges machine, possibly from the same remote location (one command per line): ifconfig -a netstat -nr sudo setkey -DP sudo setkey -D (The second last command will ask you to enter your administrator password). Could you please e-mail me the output to
[email protected]? Thanks, Christoph
Zywall 5 and XAUTH Zywall 5 and XAUTH by wf10 on 2007-10-02 20:47:10 +0200
Hi everyone I use Zywall 5, Firmware Version 4.x and IPSecuritas Version 3. I want to manage the access using Extended Authentication and PSK. I can't establish a connection to my gateway. With PSK only, it runs fine. Even with VPN Tracker, it runs also. Any hint? Thanks a lot! Dave
Re: Zywall 5 and XAUTH by 16thnotes on 2007-10-05 12:24:39 +0200
I too would like to do Xauth with the ZyWALL 35 and 70 models with the 4.X firmware, but simply get following errors in the IP Securitas application connection log: [color=#990000]Oct 05, 19:07:53 Error IKE Xauth mode config request but peer did not declare itself as Xauth capable Oct 05, 19:07:53 Error IKE Hash verification failed Oct 05, 19:07:53 Error IKE unknown Informational exchange received. [/color]
Re: Zywall 5 and XAUTH by 16thnotes on 2007-10-05 12:41:14 +0200
I discovered that there was the option under the ID tab for Xauth PSK. I did not see that the first time, however, I still get the following errors in the IP Securitas application log: [color=#990000]Oct 05, 19:36:53 Error IKE inappropriate sadb acquire message passed. Oct 05, 19:36:54 Warning IKE ignore INITIAL-CONTACT notification, because it is only accepted after phase1. Oct 05, 19:36:54 Error IKE No SIG was passed, hybrid auth is enabled, but peer is no Xauth compliant Oct 05, 19:36:54 Warning IKE Short payload[/color]
IPSecuritas and XAUTH IPSecuritas and XAUTH by sohonet on 2007-10-03 13:19:19 +0200
Hi, i am currently testing the final release of IPSecuritas adn i can't get xauth to work. The VPN connection is successful but i expected a pop up windows to come up so that the users can authenticate to the remote Netwscreen in my case. Any ideas anyone?
Re: IPSecuritas and XAUTH by 16thnotes on 2007-10-05 12:42:25 +0200
I'm unable to get it working with my ZyWALL 35 hardware as well. Did you try using the new option under the ID tab for Xauth PSK?
Draytek Vigor and "host to anywhere" Draytek Vigor and "host to anywhere"
by wanabe_cool on 2007-10-03 15:23:51 +0200
Hi, Anyone had any experience with connecting to a Draytek Vigor router with IPSecuritas? I've set up a "host to network" which works fine, but not when trying to route all traffic through the VPN (host to anywhere). The connection seems to just die when trying to connect. Below are a selection of details which I hope might help someone to understand what is happening: My system log shows: Oct 3 14:12:57 CG-MBP crashdump[704]: racoon crashed Oct 3 14:12:57 CG-MBP crashdump[704]: crash report written to: /Library /Logs/CrashReporter/racoon.crash.log the crash log shows this: Exception: EXC_BAD_ACCESS (0x0001) Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000004 I have the following settings: Version = 3.0rc3 (build 1693) General -> Remote Side -> Endpoint mode = Anywhere + DHCP Pass-Through enabled Phase 1 and Phase 2 should be OK as it works with the same config when connecting "host to network" ID -> Local Identifier = Address ID -> Remote Identifier = Address ID -> Authentication Method = Preshared Key Options Selected: IPSec DOI SIT_IDENTITY_ONLY Verify Identity Local IP in Remote Network Unique SAs IKE Fragmentation NAT-T = Enable (my client is behind a NAT firewall) The connection appears to get through phase 1 and possibly phase 2 until this happens: Oct 03, 14:12:57 Info APP IKE daemon terminated Oct 03, 14:12:57 Debug APP State change from RUNNING to IDLE after event RACOON TERMINATED Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE not interesting Oct 03, 14:12:57 Debug APP Received SADB message type X_SPDDELETE
-
IPSecuritas 3 and AVM Fritz Box IPSecuritas 3 and AVM Fritz Box by yap on 2007-10-09 16:56:50 +0200
Hallo, I have an AVM Fritz!Box with the actual firmware "Labor-Version 29.04.34-7728" installed. With the version 2.2 of IPSecuritas I can use VPN perfect. But it doesn't work with the new version of IPSecuritas. I had imported my settings from version 2.2 to version 3 but I only get this log entries: [code]IPSecuritas 3.0 build 1693, Sun May 27 21:43:28 MVT 2007, nadig Darwin 8.9.1 Darwin Kernel Version 8.9.1: Thu Feb 22 20:55:00 PST 2007; root:xnu-792.18.15~1/RELEASE_I386 i386 Oct 09, 16:33:22 Info APP Network configuration change detected Oct 09, 16:33:37 Info APP IKE daemon started Oct 09, 16:33:38 Info APP IPSec started Oct 09, 16:33:38 Error IKE Foreground mode. Oct 09, 16:33:38 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Oct 09, 16:33:38 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Oct 09, 16:33:38 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Oct 09, 16:33:38 Info IKE Resize address pool from 0 to 255 Oct 09, 16:34:53 Info APP IPSec stopping Oct 09, 16:34:54 Info APP IKE daemon terminated Oct 09, 16:35:15 Info APP Network configuration change detected Oct 09, 16:35:46 Info APP Network configuration change detected [/code] I don't know what's wrong. Can anyone help me? These are my settings: [quote] General: Remote IPSec Device: myadress.dyndns.org Local Side, Endpoint Mode: Host IP Adress (optional): 192.168.178.201 Remote Side, Endpoint Mode: Network Network Address: 192.168.178.0 Network Mask (CIDR) 24 Phase 1: 28800 Seconds 1024 (2) 3DES SHA-1 Aggressive Claim 16 Phase 2: Lifetime: 28800 Seconds PFS Group: 1024 (2) Encryption: AES 128 Authentication: HMAC MD5, HMAC SHA-1 ID: User FQDN
[email protected] Adress Preshared Key
Re: IPSecuritas 3 and AVM Fritz Box by Forum Admin on 2007-10-09 19:19:47 +0200
Hello, could you possibly send me the log output of both versions 2.2 and 3.0 with log level set to debug to
[email protected]? Thank you very much, Christoph
Re: IPSecuritas 3 and AVM Fritz Box by yap on 2007-10-14 12:45:25 +0200
Hi, thank you, but now it works. Just a few days ago AVM, the producer of the Fritz!Box, wrote a howto to connect with IPSecuritas to the AVM Fritz Box. Here the link to the HOWTO: http://www.avm.de/de/Service/Service-Portale/Service-Portal /VPN_Interoperabilitaet/box_zu_securitas.php?portal=VPN thanks
Re: IPSecuritas 3 and AVM Fritz Box by Forum Admin on 2007-10-16 15:15:21 +0200
Thank you very much for the link. IPSecuritas 3.1 now contains a wizard template and a HOWTO for the FRITZ!Box. Christoph
IPSecuritas and FVS318v3 IPSecuritas and FVS318v3 by fallous on 2007-10-18 04:53:25 +0200
ok, I've got a FVS318v3 sitting as the edge router for a local network that uses the 192.168.16.x local block for internal servers. I'm trying to connect with a remote client that's sitting in a 192.168.1.x NAT'd network. I went through the IPSecuritas doc for setting this net up, and when I try and connect the connect indicator turns green, but I can't ping anything or connect to anything. In addition a connect seems to fubar the FVS so that you can't web connect to the management page without power cycling the router, which sucks. I do have a second router on the net that handles traffic to other sites that are in the 192.168.x.x block and I'm wondering if I'm running into a problem there.
Re: IPSecuritas and FVS318v3 by jdsmcroy on 2007-11-08 23:29:35 +0100
I would be interested to know if you found a solution to this problem. I am experiencing the exact same issue.
Re: IPSecuritas and FVS318v3 by bstender on 2007-11-29 01:53:06 +0100
try setting the client ip to 10.0.0.1
IPSecuritas connecting to Netscreen NS25 XauthPSK IPSecuritas connecting to Netscreen NS25 XauthPSK by bence8810 on 2007-10-18 16:18:18 +0200
Hi I am trying to connect to a Netscreen Firewall, NS5, and I am using IPSecuritas. I am brand new to Mac, so I may be missing a lot of things. Firstly, the Netscreen requires a Xauth - PSK authentication, a Pre Shared key first, then a user supplied password, as we have multiple users on the Netscreen. I tried my best to set up IPSecuritas, but I obviously was not good enough. I have also set up a Client for Windows with the same PSK and Xauth login, and it works like a charm. I am including logs from the Netscreen when connecting successfully from Windows, and the error when connecting from IPSecuritas. Both connections are made from the same Wireless Router, so there is no difference between the two scenarrios, except the OS and VPN client, and of course, the settings. Successfull connection with Netscreen Remote Connect on Windows: [code] 2007-10-17 22:21:23 info IKE Phase 2 msg ID : Completed negotiations with SPI , tunnel ID , and lifetime seconds/ KB. 2007-10-17 22:21:23 info IKE Phase 2 msg-id : Completed for user . 2007-10-17 22:21:23 info IKE Phase 2 msg ID : Responded to the peer's first message from user . 2007-10-17 22:21:21 info IKE: XAuth login was passed for gateway , username , retry: 0. 2007-10-17 22:21:16 info IKE: Received initial contact notification and removed Phase 1 SAs. 2007-10-17 22:21:16 info IKE Phase 1: Completed Aggressive mode negotiations with a -second lifetime. 2007-10-17 22:21:16 info IKE Phase 1: Completed for user . 2007-10-17 22:21:16 info IKE: Received initial contact notification and removed Phase 2 SAs. 2007-10-17 22:21:16 info IKE: Received a notification message for DOI . [/code] And the Unsuccessfull one from Mac OS X and IPSecuritas: [code]2007-10-17 23:23:38 info Rejected an IKE packet on untrust from MY WIFI LAN STATIC IP:500 to NETSCREEN IP:500 with cookies 8d838541ab3c6dda and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.[/code] I would appreciate any help with this, Thanks Ben
Re: IPSecuritas connecting to Netscreen NS25 Xauth by Forum Admin on 2007-10-18 18:40:53 +0200
Hello Ben, which version of IPSecuritas did you use? Only 3.1 (or any beta of 3.1) is able to talk to Juniper's XAuth implementation. If you were using 3.1, could you send me a log output from IPSecuritas (with log level set to Debug) to
[email protected]? Thanks, Christoph
Re: IPSecuritas connecting to Netscreen NS25 Xauth by bence8810 on 2007-10-18 22:19:23 +0200
Hi Cristoph, I am happy to announce that I found a couple of mistakes, and after fixing those, I am now able to connect, and stay connected. I must say, although I havent used it that much all together, it seems rather stable. Thanks for all the effort, its a unique tool, and it finally FINALLY allows me to not have a Windows box at home. I want to send you a bottle of champagne :) Cheers Ben
Re: IPSecuritas connecting to Netscreen NS25 Xauth by gr33d on 2007-10-31 18:26:19 +0100
What did you finally come up with? I'm having a similar problem creating a simple policy-based VPN between my Juniper SSG5 and a Cisco PIX 501. IKE: Received initial contact notification and removed Phase 1 SAs IKE: Received initial contact notification and removed Phase 2 SAs IKE: Received a notification message for DOI . IKE: Phase 2: Initiated negotiations. IKE: Phase 1: Completed Main mode negotiations with a -second lifetime. I wasn't even getting negotiations yesterday, but these started today when I'm test pinging to bring the VPN up. Thanks in advance
Re: IPSecuritas connecting to Netscreen NS25 Xauth by bence8810 on 2007-11-01 08:58:42 +0100
Hi Actually I had the PSK wrong :( I know this is such an amature mistake, but that is what I had. From your logs though, you are showing a successfull or at least very near to successful connection. Those are the exact same logs I was getting when connecting successfuly from the windows PC. I guess you can fine tune some timings, delays, and timeouts, etc. Cheers Ben
IP Securitas Startup IP Securitas Startup by Tacitus on 2007-10-19 21:15:00 +0200
I run as user rather than admin. Every time I start IPSecuritas it asks for an Admin name & password. I think it does this because it is not connected to the Daemon. Is there anyway the connection can be made automaticaly or the Daemon run as a startup item? Would there be a security risk with this? I notice there are two IPSecuritas processes running already, ID 1407 and 769. They are using 0% cpu but around 8.5Mb memory.
Re: IP Securitas Startup by Tacitus on 2007-10-25 08:55:53 +0200
Any help out there? Please... :-)
no LAN IP when connected to RV042 no LAN IP when connected to RV042 by foilpan on 2007-10-22 15:48:54 +0200
i finally got a working connection between a client's linksys RV042 (firmware 1.3.8.2) and ipsecuritas 3.1, but i don't get an IP in the LAN when connected. the linksys config is basically the defaults for a client-to-gateway setup, and ipsecuritas config mirrors this. i've tried enabling NAT-T on both sides and NETBIOS and keepalive on the linksys. with these options enabled or disabled, i'm able to connect but can't ping or otherwise access anything on the client's LAN. any ideas?
Re: no LAN IP when connected to RV042
by sortofdumb on 2007-10-24 14:08:50 +0200
Hello, Have you had any luck getting this to work? I've got an RV042 as well and I'm curious to know if I can use IPSecuritas with it. Thanks!
Re: no LAN IP when connected to RV042 by foilpan on 2007-10-30 13:40:23 +0100
[quote author=sortofdumb link=1193060934/0#1 date=1193227730]Hello, Have you had any luck getting this to work? I've got an RV042 as well and I'm curious to know if I can use IPSecuritas with it. Thanks![/quote] no, i haven't gotten it to work, but i haven't tested much in the past week. i'll post back with an update as soon as i have one.
Re: no LAN IP when connected to RV042 by foilpan on 2007-11-13 22:04:26 +0100
has anyone gotten this to work? i'm still unsuccessful getting ipsecuritas to connect properly. may thanks for any tips.
mode_cfg not getting IP address from remote host mode_cfg not getting IP address from remote host by farlander on 2007-10-27 00:04:04 +0200
I'm using Juniper NetScreen SSG520 (similar to NetScreen-50 in all regards, when it comes to VPN), set up to use XAuth and Mode_Config, with "Host to Everywhere" set up. I can log in just fine, and I can ping remote gateway, however I'm not getting an IP address from a remote host and when I log into Juniper web GUI I can see that it shows that I'm logging in from a public IP address, not from an internal IP I'm supposed to get from Mode_Config. Bascially, there's no new interface created, and no aliases assigned to any of the existing ones on my Mac. When I use VPN Tracker, it creates a new point-to-point interface with an IP address from 172.x.x.x subnet (the subnet I use for dial-up VPN connections). Any ideas? Is this a bug in IPSecuritas or am I missing something?
m0n0wall to m0n0wall connection m0n0wall to m0n0wall connection by wilfredoz on 2007-10-31 13:58:00 +0100
Hello, A few weeks ago I posted a message with the subject "connection speed issue", and I disscoverd that the problem is that I cannot get the connection right like this: (I CAN connect but network sessions like ssh and vnc hangs immediately) computer (ipsecuritas)---->m0n0wall(ipsec)---->INTERNET---->m0n0wall(ipsec)---->computer (reversed also fails) But this configuration works fine: computer (ipsecuritas)----> any brand router---->INTERNET---->m0n0wall(ipsec)---->computer computer (ipsecuritas)----> GPRS/3G via phone---->INTERNET---->m0n0wall(ipsec)---->computer Both m0n0walls are a soekris 4501 board with m0n0wall ver. 1.21, NATed and some basic firewall rules. Does anyone had the same problem and came up with a solution? Help much appreciated, thanks!
Netgrar FVS124G connection problem Netgrar FVS124G connection problem by robinb on 2007-10-31 14:56:37 +0100
Hi All I have seen this error msg posted on here but the user then just said sorted thanks without saying what they did! I have a Netgear FVS124G and 3.1 IPSecuritas. I have followed to the letter the installtion guid provided but had no sucess. always with the same error. I have deleted all settings and tried again but always the same here is IPS log IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Oct 31, 13:54:51 Info APP IPSec authenticating Oct 31, 13:54:51 Info APP IKE daemon started Oct 31, 13:54:51 Info APP IPSec started Oct 31, 13:54:51 Info APP Initiated connection JIA Oct 31, 13:54:51 Error IKE Foreground mode. Oct 31, 13:54:51 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Oct 31, 13:54:51 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Oct 31, 13:54:51 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Oct 31, 13:54:51 Info IKE Resize address pool from 0 to 255 Oct 31, 13:54:58 Info APP Initiated connection JIA Oct 31, 13:55:05 Info APP Initiated connection JIA Oct 31, 13:55:12 Info APP Initiated connection JIA Oct 31, 13:55:12 Error IKE inappropriate sadb acquire message passed. Oct 31, 13:55:17 Error IKE 87.194.169.58 give up to get IPsec-SA due to time up to wait. Oct 31, 13:55:19 Info APP Initiated connection JIA Oct 31, 13:55:24 Warning APP Connection JIA timed out Oct 31, 13:55:24 Warning APP Giving up Oct 31, 13:55:29 Info APP IPSec stopping Oct 31, 13:55:30 Info APP IKE daemon terminated Oct 31, 13:55:30 Info APP IPSec stopped Anyone know what I need to do please? I am sure it will be easy TIA Robin Bateman
ipsecuritas -> FGT-60 ipsecuritas -> FGT-60 by zoomin on 2007-10-31 17:04:38 +0100
I am using Ipsecuritas 3.0 build 1693 to connect to a dozen different FGT-60 in our network. The FGT-60 are all on the same firmware: Fortigate-60 3.00,build0247,060417 The settings are exactly the same on both ends for ALL connections, save, of course, the things that must be different(networking bits). All tunnels are established as far as Ipsecuritas is concerned, however on just some of the FGT-60s, traffic travels from my Mac to the FGT-60 but not back again. In these cases, the FGT-60 shows *many* IPSEC connections being made in the Monitor screen: erik_161 123.123.123.123:4500 192.168.33.220 erik_152 123.123.123.123:4500 192.168.33.220 erik_143 123.123.123.123:4500 192.168.33.220 erik_134 123.123.123.123:4500 192.168.33.220 erik_180 123.123.123.123:4500 192.168.33.220 erik_171 123.123.123.123:4500 192.168.33.220 erik_162 123.123.123.123:4500 192.168.33.220 erik_153 123.123.123.123:4500 192.168.33.220 erik_144 123.123.123.123:4500 192.168.33.220 erik_135 123.123.123.123:4500 192.168.33.220 erik_181 123.123.123.123:4500 192.168.33.220 erik_172 123.123.123.123:4500 192.168.33.220 erik_163 123.123.123.123:4500 192.168.33.220 erik_154 123.123.123.123:4500 192.168.33.220 erik_145 123.123.123.123:4500 192.168.33.220
[email protected] 926 192.168.71.*
[email protected] 596 192.168.71.*
[email protected] 291 192.168.71.*
[email protected] 2 192.168.71.*
[email protected] 1552 192.168.71.*
[email protected] 1264 192.168.71.*
[email protected] 958 192.168.71.*
[email protected] 628 192.168.71.*
[email protected] 328 192.168.71.*
[email protected] 35 192.168.71.*
[email protected] 1583 192.168.71.*
[email protected] 1296 192.168.71.*
[email protected] 995 192.168.71.*
[email protected] 692 192.168.71.*
[email protected] 366 192.168.71.*
Any direction appreciated. NOTE: The few tunnels that will now not pass traffic in both directions used to work, and there have been no changes to configuration of either endpoint. The ipsecuritas logs have a few errors in them in regards to the failing tunnels: Error IKE inappropriate sadb acquire message passed. Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 123.123.123.123[4500]->192.168.33.220[4500]
issue with leopard? issue with leopard? by spectre on 2007-10-31 18:12:53 +0100
So I got Leopard on my Macbook and had version 2.2 of IpSecuritas and for some reason when I connected to my Netscreen VPN it would connect fine but I wouldn't have any access to the remote network. Upgraded IPSecuritas to 3.1 and imported the old connection and it worked without a hitch. Just thought I would post this incase people were having issues with the old version.
What does "inappropriate sadb acquire message" ? What does "inappropriate sadb acquire message" ? by palouis on 2007-11-02 07:14:38 +0100
can someone at least tell me what this cryptic response means? I have spent days trying to get IPsecuritas working with my NetGear DG834 Put me out of my misery please. paul
Re: What does "inappropriate sadb acquire message" by robinb on 2007-11-08 21:31:27 +0100
I too have posted about this but had no reply but just to let you know you are not alone in having the problem
Re: What does "inappropriate sadb acquire message" by palouis on 2007-11-09 04:37:55 +0100
Oh well looks like VPN Tracker for me - no support is no good to me. Thanks anyway.
Re: What does "inappropriate sadb acquire message" by Forum Admin on 2007-11-09 11:58:21 +0100
Hello, the sadb message is sent by the kernel to the IKE daemon racoon, whenever a new tunnel needs to be established or when an established tunnel is about to expire. Some of these messages are not used and therefore ignored by racoon, leading to this log entry. I will remove or rename this log entry, since it seems to cause confusion. Cheers, Christoph
Connection becomes available - NETSCREEN 5GT Connection becomes available - NETSCREEN 5GT by houser on 2007-11-05 13:16:54 +0100
Dear all, Using IP Securitas 3.1 under OSX 10.5. Works fine...but the connection becomes unavailable after a while... I am connecting to a Juniper, NETSCREEN 5GT and after a while, I can not connect. Restart fixes it every time.. Any idea of where to tweak a setting? best Janne A.
Re: Connection becomes available - NETSCREEN 5GT by Forum Admin on 2007-11-05 14:15:42 +0100
Hello Janne, by restart you mean restarting IPSec or rebooting the computer? Christoph
Re: Connection becomes available - NETSCREEN 5GT by houser on 2007-11-05 14:16:47 +0100
Thanx for reply, Sorry to be unclear, I meant rebooting the computer, as restarting Ip Sec does not help. TIA and regards Janne A.
[quote author=Forum Admin link=1194265014/0#1 date=1194268542]Hello Janne, by restart you mean restarting IPSec or rebooting the computer? Christoph[/quote]
Re: Connection becomes available - NETSCREEN 5GT by Forum Admin on 2007-11-08 09:54:48 +0100
Hello Janne, could you please check the following? Once the connection becomes unavailable and a restart of IPSec won't re-establish it, could you run the command 'sudo ipfw list' and see if there is more than one entry? Thanks a lot, Christoph
Re: Connection becomes available - NETSCREEN 5GT by houser on 2007-11-08 11:40:14 +0100
I get this line when I type that: "65535 allow ip from any to any" sorry, not fluent in Unix... best Janne A. [quote author=Forum Admin link=1194265014/0#3 date=1194512088]Hello Janne, could you please check the following? Once the connection becomes unavailable and a restart of IPSec won't re-establish it, could you run the command 'sudo ipfw list' and see if there is more than one entry? Thanks a lot, Christoph[/quote]
IPsecuritas 3.1 and Firebox X700 IPsecuritas 3.1 and Firebox X700 by chimera on 2007-11-06 22:07:43 +0100
Hi there, I'm hardly trying to setup a vpn-connection to a firebox x700. It works great with VPN-Tracker, so I duplicated the settings from VPN-tracker. I get the following messages in the logfile: IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Nov 06, 22:03:54 Info APP IPSec authenticating Nov 06, 22:03:54 Error APP Tunnel creation failed with errno 39 Nov 06, 22:03:54 Error APP Activation of connection test01 failed Nov 06, 22:03:54 Info APP IKE daemon started Nov 06, 22:03:54 Info APP IPSec started Nov 06, 22:03:54 Info IKE Foreground mode. Nov 06, 22:03:54 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Nov 06, 22:03:54 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Nov 06, 22:03:54 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Nov 06, 22:03:54 Info IKE Resize address pool from 0 to 255 Nov 06, 22:03:59 Info APP IPSec stopping Nov 06, 22:04:00 Info APP IKE daemon terminated Nov 06, 22:04:00 Info APP IPSec stopped I did not follow the configuration instructions on lobotomo's website, because it took a long time to get the tunnel work with vpn-tracker and I don't see a reason, why the settings shouldn't work with IPsecuritas. Can anybody help? Thanks!
Need Help Dubugging Connection with Cisco PIX 501 Need Help Dubugging Connection with Cisco PIX 501 by yodarunamok on 2007-11-07 16:52:54 +0100
Hello All, I'm working on setting up a connection to a Cisco PIX 501, and though I've looked at the log, I'm not sure what it's telling me. Basically, I try to connect, but the attempt eventually times out. When I look at the log, I see apparently the same process repeated over and over... [code] Nov 05, 09:41:02 Info IKE initiate new phase 1 negotiation: 192.168.2.8[500]71.216.36.206[500] Nov 05, 09:41:02 Info IKE begin Identity Protection mode. Nov 05, 09:41:02 Debug IKE new cookie: Nov 05, 09:41:02 Debug IKE 444600aba4c7d84b Nov 05, 09:41:02 Debug IKE add payload of len 52, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 20, next type 13 Nov 05, 09:41:02 Debug IKE add payload of len 16, next type 0 Nov 05, 09:41:02 Debug IKE 348 bytes from 192.168.2.8[500] to 71.216.36.206[500] Nov 05, 09:41:02 Debug IKE sockname 192.168.2.8[500] Nov 05, 09:41:02 Debug IKE send packet from 192.168.2.8[500] Nov 05, 09:41:02 Debug IKE send packet to 71.216.36.206[500] Nov 05, 09:41:02 Debug IKE 1 times of 348 bytes message will be sent to 71.216.36.206[500] Nov 05, 09:41:02 Debug IKE 444600ab a4c7d84b 00000000 00000000 01100200 00000000 0000015c 0d000038 Nov 05, 09:41:02 Debug IKE 00000001 00000001 0000002c 01010001 00000024 01010000 800b0001 000c0004 Nov 05, 09:41:02 Debug IKE 00015180 80010005 80030001 80020002 80040001 0d000014 4a131c81 07035845 Nov 05, 09:41:02 Debug IKE 5c5728f2 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 Nov 05, 09:41:02 Debug IKE 439b59f8 ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f Nov 05, 09:41:02 Debug IKE 02ec7285 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e Nov 05, 09:41:02 Debug IKE ed937c65 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 Nov 05, 09:41:02 Debug IKE 0d000014 cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e Nov 05, 09:41:02 Debug IKE 086381b5 ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 Nov 05, 09:41:02 Debug IKE 4485152d 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f Nov 05, 09:41:02 Debug IKE 00d6c2d3 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100 Nov 05, 09:41:02 Debug IKE resend phase1 packet 444600aba4c7d84b:0000000000000000 Nov 05, 09:41:09 Info APP Initiated connection Nifty West Nov 05, 09:41:09 Debug IKE get pfkey ACQUIRE message Nov 05, 09:41:09 Debug IKE 02060003 14000000 45000000 73410000 03000500 ff200000 10020000 c0a80208
Problems With Securitas and VPN-1 Edge X ADSL Problems With Securitas and VPN-1 Edge X ADSL by yakuzah on 2007-11-07 21:03:25 +0100
I have just discovered this software on Macupdate and am testing it at the moment. If it works for me I would be happy to donate via Paypal, but I am experiencing some weird problems, and was wondering if anyone could help? I am using a Checkpoint VPN-1 Edge X (Safe@office) device on a UK ADSL Broadband service and have enabled VPN on the router to allow remote access to my home network. I initially tried the "Checkpoint VPN-1" Profile using the supplied wizard, but could never get past Phase One authentication. So I thought I would try Safe@Office, and to my surprise I got a green light in the IPSecuritas Status window. The problem is even though I can connect, I can not ping anything through the established tunnel? If I use a windoze machine using Checkpoint Secure Client I get connected fine and can ping through the tunnel to devices on the other side, but I can not ping when using the tunnel and IPSecuritas. Can anyone possibly advise or help? If I type netstat -rn on the command line, the right IP addresses appear to be there, just can't get connected. I am running Leopard 10.5 Thanks G ;)
Re: Problems With Securitas and VPN-1 Edge X ADSL by yakuzah on 2007-11-12 16:58:57 +0100
Well no one has replied no I guess this software does not work for me? I am looking at the routes on the Mac when a VPN is established with Securitas and then comparing them with Checkpoint under windows, and the allocated IP address and default gateway that Securitas thinks is correct is all Wrong!! I can not seem to correct the route entries either, so I am stuck with a workin tunnel with no IP connectivity... Oh well guess I will have to wait for Xmas 2020 for Checkpoint to release their client... :(
Openswan Connection fails
Openswan Connection fails by gerritche on 2007-11-08 11:58:25 +0100
Hello, there, I'm trying unsuccessfully to connect with Version 3.x to a FreeSWAN/ openSWAN Gateway. Version 2.1 works beautifully and importing the details into 3.x succeeds but connection fails. IPSecuritas claims a collision of local host and remote network addresses and refuses to start a connection. The firewall admin doesn't find any connection attempts in his logs. In "Firewalladdress" I enter the address of the IPSec Gateway. In "Local IP for Host" I enter the address I got from the administrator of the VPN Gateway. In "Remote Network" I set 10.0.0.0/8. IPSecuritas seems to be unhappy with these settings though they work fine in the older version. Any ideas? Best regards :) Gerrit
Re: Openswan Connection fails by Forum Admin on 2007-11-08 13:01:52 +0100
Hello Gerrit, enabling the option 'Local IP in remote network' should resolve this issue. Hope this helps, Christoph
Tunnelling from DrayTek Vigor to Sonicwall Pro Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-09 19:12:48 +0100
Hi, I've got IPSecuritas set up on my MacBook to connect to one of my clients' VPNs, which is hosted on a Sonicwall Pro 2040. I generally have no problems accessing the 2040. However, I often encounter intermittent problems when my MacBook is behind a DrayTek Vigor 2910 router. What seems to happen is the VPN tunnel, for some reason, cannot be re-established at some point, then I have to actually stop the VPN in IPSecuritas, wait at least 15 minutes, then try connecting again. Sometimes it works, sometimes it doesn't. Rebooting the DrayTek seems to do the trick, but this is obviously not an ideal solution since that affects everyone in our office. We are running the latest DrayTek firmware for this model (3.1.0.1). I realize this sounds like an issue with the DrayTek router, but has anyone else encountered this problem before? I haven't found any configuration options in the DrayTek web interface that might be causing these problems... Thanks in advance!
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-09 23:44:23 +0100
I was able to reproduce this condition just now. Here is a snippet of the debug log if it helps: Nov 09, 17:36:17 Info IKE initiate new phase 1 negotiation: 192.168.1.112[500]xxx.xxx.xxx.xxx[500] Nov 09, 17:36:17 Info IKE begin Aggressive mode. Nov 09, 17:36:17 Debug IKE new cookie: Nov 09, 17:36:17 Debug IKE 33b733c8f62a4ebe Nov 09, 17:36:17 Debug IKE use ID type of IPv4_address Nov 09, 17:36:17 Debug IKE compute DH's private. Nov 09, 17:36:17 Debug IKE 4b4e15df b841bd78 d8b4ea02 f8612e55 906bafe6 3e56b3ba afcb2090 f2a5db7d Nov 09, 17:36:17 Debug IKE ac6a2312 bde6c528 9ca12ee2 b3a29284 6f16b16d 165807f2 c7daee43 ad5ff4d5 Nov 09, 17:36:17 Debug IKE 7d52a343 df805b3b 733de06a f4352bef 0e7c71a0 2d8fdfa2 f02ae55a 97ecb912 Nov 09, 17:36:17 Debug IKE 748c3244 fba8af07 b8092555 5f355a16 5f64d545 efc078eb ff50e35a d5498311 Nov 09, 17:36:17 Debug IKE compute DH's public. Nov 09, 17:36:17 Debug IKE 2ddd8cc6 8a74e8bd 706967d9 190e8b8b 2304340f a60bfc7f 13921143 d3b2cc0b Nov 09, 17:36:17 Debug IKE 5c8c298c c8a3de89 75808fc7 2a334099 26d3bbbb 5916caf0 db95c838 4be219b8 Nov 09, 17:36:17 Debug IKE 9abc94c1 1cd42aee 19394d40 f7cd1fa3 ec374bb3 0cb35396 8e5838b0 455c4d2c Nov 09, 17:36:17 Debug IKE de2068b0 b1907a53 c4e3db8f c7811f77 ba7801a5 0490bb63 965a7a1c 0ff974f6 Nov 09, 17:36:17 Debug IKE authmethod is pre-shared key Nov 09, 17:36:17 Debug IKE add payload of len 48, next type 4 Nov 09, 17:36:17 Debug IKE add payload of len 128, next type 10 Nov 09, 17:36:17 Debug IKE add payload of len 16, next type 5 Nov 09, 17:36:17 Debug IKE add payload of len 8, next type 13 Nov 09, 17:36:17 Debug IKE add payload of len 16, next type 0 Nov 09, 17:36:17 Debug IKE 264 bytes from 192.168.1.112[500] to xxx.xxx.xxx.xxx[500] Nov 09, 17:36:17 Debug IKE sockname 192.168.1.112[500] Nov 09, 17:36:17 Debug IKE send packet from 192.168.1.112[500] Nov 09, 17:36:17 Debug IKE send packet to xxx.xxx.xxx.xxx[500] Nov 09, 17:36:17 Debug IKE 1 times of 264 bytes message will be sent to xxx.xxx.xxx.xxx[500] Nov 09, 17:36:17 Debug IKE 33b733c8 f62a4ebe 00000000 00000000 01100400 00000000 00000108 04000034 Nov 09, 17:36:17 Debug IKE 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 Nov 09, 17:36:17 Debug IKE 80010005 80030001 80020002 80040002 0a000084 2ddd8cc6 8a74e8bd 706967d9 Nov 09, 17:36:17 Debug IKE 190e8b8b 2304340f a60bfc7f 13921143 d3b2cc0b 5c8c298c c8a3de89 75808fc7 Nov 09, 17:36:17 Debug IKE 2a334099 26d3bbbb 5916caf0 db95c838 4be219b8 9abc94c1 1cd42aee 19394d40 Nov 09, 17:36:17 Debug IKE f7cd1fa3 ec374bb3 0cb35396 8e5838b0 455c4d2c de2068b0 b1907a53 c4e3db8f Nov 09, 17:36:17 Debug IKE c7811f77 ba7801a5 0490bb63 965a7a1c 0ff974f6 05000014 ec6a0571 16d9677d Nov 09, 17:36:17 Debug IKE f1e0ee58 300bb493 0d00000c 011101f4 c0a80170 00000014 afcad713 68a1f1c9 Nov 09, 17:36:17 Debug IKE 6b8696fc 77570100 Nov 09, 17:36:17 Debug IKE resend phase1 packet 33b733c8f62a4ebe:0000000000000000 ... Nov 09, 17:36:31 Info APP Initiated connection HTC
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-15 16:59:34 +0100
FWIW, ever since I assigned a static (internal) IP address for my MacBook to the DrayTek router a couple of days ago, I've not seen a recurrence of this problem. *crosses fingers* If this is the solution, then I hope it helps someone out!
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-19 16:21:00 +0100
Just a followup: I thought this "solution" was working, but it is no longer. :'( Nobody can offer any clues?
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-23 09:03:36 +0100
Well, in case this helps anyone, downgrading the firmware from 3.1.2 to 3.0.7 appears to have at least temporarily solved my VPN issues. In fact, since upgrading to the 3.1.2 version that was released a couple of days ago, I had been completely unable to use my VPN. IPSecuritas would show a green light as if everything was okay, but no traffic was going through the VPN. However, in the last few hours since I've downgraded the firmware, all seems okay so far...
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by racoon on 2007-11-23 10:57:02 +0100
Where can you download the archived version from?
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-23 18:31:04 +0100
[quote author=racoon link=1194631968/0#5 date=1195811822]Where can you download the archived version from? [/quote] Click the "more edition" link in the bottom left corner of the "Firmware of Vigor 2910..." box [url]http://www.draytek.com/support/download /Vigor2910.php#Firmware[/url]. It'll take you to their FTP site where they store previous versions of the firmware.
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by wailaki on 2007-11-27 21:21:50 +0100
Derek, I work for SonicWALL and we have a customer needing expert help with ipsecuritas connecting to a similar SonicWALL Pro Model. What version of SonicOS are you running (version # and Standard vs. Enhanced)? Thanks in advance.
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-28 17:54:38 +0100
[quote author=wailaki link=1194631968/0#7 date=1196194910]Derek, I work for SonicWALL and we have a customer needing expert help with ipsecuritas connecting to a similar SonicWALL Pro Model. What version of SonicOS are you running (version # and Standard vs. Enhanced)? Thanks in advance.[/quote] Hi, We are running SonicOS Enhanced 3.2.3.0-6e. FYI, since downgrading our Draytek's firmware as previously mentioned, I have had no further connection issues to our Sonicwall. FYI #2: I never had any issues connecting to our Sonicwall through my Linksys router at home.
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by wailaki on 2007-11-28 18:19:29 +0100
Thanks Derek. I'll search upthread, but I believe you had this working with NAT-Traversal enabled on the ipsecuritas side?
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by DerekF on 2007-11-28 18:30:57 +0100
[quote author=wailaki link=1194631968/0#9 date=1196270369]Thanks Derek. I'll search upthread, but I believe you had this working with NAT-Traversal enabled on the ipsecuritas side?[/quote] NAT-Traversal never made a difference either way. When it was working (including now), it was working with or without NAT-T enabled. When it wasn't working, enabling NAT-T didn't make a difference..
Re: Tunnelling from DrayTek Vigor to Sonicwall Pro by wailaki on 2007-11-28 18:41:35 +0100
Thanks Derek. PM me with your account on www.mysonicwall.com and I'll give you a gift for your efforts.
Not connecting in Leopard Not connecting in Leopard by syber on 2007-11-12 02:51:47 +0100
I did a clean install of Leopard and used Export/ Import to copy my configuration from Tiger and now it seems that Ipsecuritas no longer connects to my VPN. It says that the connection times out. However, it seems to timeout long before the set timeout ( in seconds ). Phase 1 is supposed to timeout in 360 seconds. Log IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Nov 11, 20:48:38 Info APP Smart Environment Detection enabled Nov 11, 20:48:39 Info APP IKE daemon started Nov 11, 20:48:39 Info APP IPSec starting Nov 11, 20:48:39 Info APP Smart Environment Detection: Start Nov 11, 20:48:39 Error IKE Foreground mode. Nov 11, 20:48:39 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Nov 11, 20:48:39 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Nov 11, 20:48:39 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Nov 11, 20:48:39 Info IKE Resize address pool from 0 to 255 Nov 11, 20:48:39 Info APP Initiated connection Office Nov 11, 20:48:39 Error IKE inappropriate sadb acquire message passed. Nov 11, 20:48:46 Info APP Initiated connection Office Nov 11, 20:48:53 Info APP Initiated connection Office Nov 11, 20:49:00 Info APP Initiated connection Office Nov 11, 20:49:00 Error IKE inappropriate sadb acquire message passed. Nov 11, 20:49:07 Info APP Initiated connection Office Nov 11, 20:49:09 Error IKE phase1 negotiation failed due to time up. 7ce6c32f663c8b06:0000000000000000 Nov 11, 20:49:10 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500] Nov 11, 20:49:14 Info APP Initiated connection Office Nov 11, 20:49:17 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500] Nov 11, 20:49:21 Info APP Initiated connection Office Nov 11, 20:49:21 Error IKE inappropriate sadb acquire message passed. Nov 11, 20:49:24 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500] Nov 11, 20:49:28 Info APP Initiated connection Office Nov 11, 20:49:31 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500] Nov 11, 20:49:35 Info APP Initiated connection Office Nov 11, 20:49:38 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500] Nov 11, 20:49:42 Warning APP Connection Office timed out Nov 11, 20:49:42 Warning APP Giving up Nov 11, 20:49:45 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500] Nov 11, 20:49:52 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500] Nov 11, 20:49:59 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500] Nov 11, 20:50:06 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP ***********[500]->192.168.1.175[500]
Re: Not connecting in Leopard by syber on 2007-11-12 18:56:13 +0100
I've confirmed that this issue only exists when connecting via WLAN. Connecting via WLAN on my macbook works fine but not on my macbook pro.
Re: Not connecting in Leopard by planetzeos on 2007-12-12 18:10:52 +0100
We've duplicated the same issue. Same cert on tiger and leopard. Same configuration on fresh installs of tiger and leopard. Tiger connects using wifi Leopard does not connect using wifi -- it times out on phase1 from the log Checkpoint VPN-1 with Certificates on macbook pro's
Re: Not connecting in Leopard by cottard on 2008-01-31 15:35:07 +0100
I've also run across this issue: Leopard and Wifi. Currently forced to run Windows XP in Parallels and connect with Checkpoint SecureClient - as I share a connection with my neighbours via Wifi. I'm really looking forward to using IPSecuritas (free, vendor-agnostic) to connect to my work VPN!
Re: Not connecting in Leopard by jrsharp on 2008-08-08 18:25:51 +0200
Can anyone comment on the current status of this issue?
XAuth + RSA mutual authentication XAuth + RSA mutual authentication by Daniel on 2007-11-14 21:57:30 +0100
Hey guys, I'm trying to set-up IPSecuritas 3.1 to connect to our corporate Netscreen SSG140 firewall. Mutual authentication with RSA certificates works like a charm. However, when I try to add XAuth I run into an issue. It seems like IPSecuritas doesn't support XAuth with RSA mutual authentication? Unfortunately, hybrid mode is not supported by Netscreen, and I really like the thought of using certificates (we already have our own company-wide PKI). On the ID page I've got the following selected: - Local ID: certificate - Remote ID: certificate - Authentication method: XAuth RSA The GUI seems to accept this selection, even though I'm unable to select my local and peer certificate. The debug log shows: IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Nov 14, 21:54:59 Debug APP State change from IDLE to AUTHENTICATING after event START Nov 14, 21:54:59 Info APP IPSec authenticating Nov 14, 21:54:59 Info APP IKE daemon started Nov 14, 21:54:59 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER Nov 14, 21:54:59 Info APP IPSec started Nov 14, 21:54:59 Debug APP Received SADB message type X_SPDUPDATE - not interesting Nov 14, 21:54:59 Debug APP Received SADB message type X_SPDUPDATE - not interesting Nov 14, 21:54:59 Info IKE Foreground mode. Nov 14, 21:55:00 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Nov 14, 21:55:00 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Nov 14, 21:55:00 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Nov 14, 21:55:00 Info IKE Resize address pool from 0 to 255 Nov 14, 21:55:00 Error IKE /Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf:55: "}" ASN1 ID not specified and no CERT defined! Nov 14, 21:55:00 Error IKE Nov 14, 21:55:00 Error IKE fatal parse failure (1 errors) Nov 14, 21:55:00 Error IKE racoon: failed to parse configuration file. Nov 14, 21:55:00 Info APP IKE daemon terminated Nov 14, 21:55:00 Debug APP State change from RUNNING to IDLE after event RECONFIGURE Nov 14, 21:55:00 Info APP IPSec terminated Nov 14, 21:55:00 Debug APP Received SADB message type X_SPDDELETE - not interesting Nov 14, 21:55:00 Debug APP Received SADB message type X_SPDDELETE - not interesting Nov 14, 21:55:00 Debug APP Received SADB message type X_SPDFLUSH - not interesting Nov 14, 21:55:00 Debug APP Received SADB message type FLUSH Nov 14, 21:55:00 Debug APP SA change detected
Re: XAuth + RSA mutual authentication by Daniel on 2007-11-15 22:19:06 +0100
I did some more diggin' on this and it seems the generated config is indeed for XAuth + RSA hybrid authentication: Part of the /Library/Application Support/Lobotomo Software/IPSecuritas /racoon.conf file: # Connection "test" remote X.X.X.X { verify_cert on; verify_identifier on; initial_contact on; passive off; support_proxy off; generate_policy off; verify_cert on; send_cert on; send_cr on; mode_cfg off; ike_frag off; doi ipsec_doi; situation identity_only; nat_traversal on; exchange_mode main; proposal_check obey; nonce_size 16; my_identifier asn1dn; peers_identifier asn1dn; xauth_login "daniel"; proposal { lifetime time 28800 seconds; encryption_algorithm aes 128; hash_algorithm sha1; authentication_method hybrid_rsa_client; 192.168.123.103[500] Jan 25, 13:50:15 Info APP Initiated connection Kodak DirectView Jan 25, 13:50:15 Error IKE inappropriate sadb acquire message passed. Jan 25, 13:50:17 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 216.197.193.153[500]->192.168.123.103[500] Jan 25, 13:50:22 Info APP Initiated connection Kodak DirectView Jan 25, 13:50:24 Error IKE phase1 negotiation failed due to time up. c746ba12283e6bfd:0000000000000000 Jan 25, 13:50:24 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 216.197.193.153[500]->192.168.123.103[500] Jan 25, 13:50:27 Warning APP Connection Kodak DirectView timed out Jan 25, 13:50:27 Warning APP Giving up Jan 25, 13:50:31 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 216.197.193.153[500]->192.168.123.103[500] Jan 25, 13:50:38 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 216.197.193.153[500]->192.168.123.103[500]
Any ideas?
Re: Leopard IPsecuritas 3.1 not working with Leopa by ask on 2008-02-02 01:29:18 +0100
I have almost the same history / problem. I had IPsecuritas working fine pre-OSX 10.5 and pre IPSecuritas 3.1 with my Juniper NS25, NS5XP, etc... but since the upgrade to OSX 10.5.x and the migration to the new IPSecuritas, I can't get anything to connect. I have tried the wizards and instructional PDFs... no luck. Anyone have any ideas?
Re: Leopard IPsecuritas 3.1 not working with Leopa by Rommel on 2008-02-02 18:37:55 +0100
Changed Exchange Mode from Aggressive to Main, Aggressive. This did not get transferred properly in the importation. Works just fine now. :)
Re: Leopard IPsecuritas 3.1 not working with Leopa by ask on 2008-02-08 21:51:02 +0100
Tried that... still not working for me.
IPSecuritas Stopped Working After Leopard Upgrade IPSecuritas Stopped Working After Leopard Upgrade by ask on 2008-01-29 02:50:09 +0100
I have been using IPSecuritas with my Juniper firewalls for a couple years now. I recently upgraded my OS to Leopard and my existing VPN would not connect. I tried upgrading to the latest IPSecuritas and importing my existing VPN configs... bu tstill no luck. I have tried recreating my VPNS with the wizards on my firewall and in IPSecuritas according to the Juniper Netscreen HOWTO.pdf... no luck.
as anyone had any luck getting IPSecuritas on Leopard to connect to and Juniper/Netscreen firewalls? Thanks! Spencer
Re: IPSecuritas Stopped Working After Leopard Upgr by brantwinter on 2008-01-29 12:06:25 +0100
I don't know if I am having the same issues, but totally uninstall IPSecuritas 3.1 and install the older 2.2 version. When I did this mine worked. If this does work please let Christoph know and he will probably ask for some logs etc.
Re: IPSecuritas Stopped Working After Leopard Upgr by mribiz on 2008-01-30 15:44:45 +0100
I can't seem to get 3.1 to work on Leopard as well. Where can I get the old version?
Re: IPSecuritas Stopped Working After Leopard Upgr by ask on 2008-02-03 01:16:01 +0100
I tried using IPSecuritas v2.2 again... still no luck.
Re: IPSecuritas Stopped Working After Leopard Upgr by brantwinter on 2008-02-03 06:03:00 +0100
I fixed my issues under Leopard by setting the Endpoint Mode to Anywhere rather than Network. Still not good, but at least I can get a tunnel up now.
Re: IPSecuritas Stopped Working After Leopard Upgr by ask on 2008-02-08 21:52:01 +0100
That did not fix the issue for me. Anyone else?
Re: IPSecuritas Stopped Working After Leopard Upgr by 2fs2ns on 2008-03-07 21:08:01 +0100
Same issue, installed IPSecuritas on 5 macbooks running pre-lepoard OS, all work just fine. The one Leopard machine we have, it doesn't work. I've tried all the above suggestions with no luck.
Re: IPSecuritas Stopped Working After Leopard Upgr by Cucumber on 2008-03-17 04:20:59 +0100
i just discovered IPSecuritas hoping that it would allow me to connect to a clients NetScreen 5GT. i went through the Wizards and while it said it connected. pings or anything else would just hang (and finally timeout). i tried all the above suggestions, and resorted to randomly changing the options (one at a time) disabling NAT-T was the winner for me :) i'm using IPSecuritas 3.1 on 10.5.2
Re: IPSecuritas Stopped Working After Leopard Upgr by 2fs2ns on 2008-03-19 17:32:49 +0100
Just got it to work, checked the "Local IP in Remote Network" check box in Options... :-/
3.1 Does not work, 2.2 does 3.1 Does not work, 2.2 does by rghiglianovich on 2008-01-29 19:58:11 +0100
Hi, I have IPSecuritas 2.2 connecting to an IPCop box and it works quite good (using preshared key), OSX 10.4.11 on my site Now I have downloaded 3.1 ; copied the configuratione parameters and so on... The new version does not work. Why? Is there something to do? Thanks, RIc
Re: 3.1 Does not work, 2.2 does by brantwinter on 2008-01-31 12:36:58 +0100
Set your log to Debug in 3.2 and post the output here ( please remove destination IP address ) - I am having similar issues as well. I have sent logs and configs to the author but haven't heard back as yet.
Trouble Exporting Trouble Exporting by BladesAway on 2008-02-01 02:36:45 +0100
I have no idea what I am doing wrong....I have build up a connection that is working perfectly. I need to export it to use on another machine. When I go to Edit Connections and then select Export I enter a file name to export to and then click on Export. I then get prompted with Missing Import Password Please enter an Import password. Even if I put something in the Import Password field I get the error. Any ideas of what I might be doing wrong? Thanks Scott
Re: Trouble Exporting by Forum Admin on 2008-02-01 09:52:44 +0100
Hello Scott, this is probably due to the Leopard related bug (see http://www.lobotomo.com/cgi-bin/yabb/YaBB.pl?num=1195575910). Please press TAB one more time after you entered a password and the export should just work fine. Hope this helps, Christoph
Re: Trouble Exporting by BladesAway on 2008-02-01 12:11:43 +0100
That was it. Thank you. That was driving me crazy! Being new to Mac OS and being a veteran of PC for over 20 years I couldn't help but wonder if it was me! Thanks again.
can connect to ipsec vpn, other subnet unreachable can connect to ipsec vpn, other subnet unreachable by blst on 2008-02-05 06:09:25 +0100
i have a tunnel between a fortigate firewall and a dlink firewall which works fine. i have a vpn connection remotely to the fortigate, but cannot reach resources on the other subnet. has anyone solved this problem before? can't seem to figure out if it's firewall issues or client issues.
thanks!
Where is the Wizard? Where is the Wizard? by jscooper on 2008-02-06 12:53:39 +0100
OK, it's early, so I must just be beery-eyed. But just downloaded this app and cannot find this "wizard" icon anywhere. Not on the menu. in the app. Where is it? Thanks, Jeff
Re: Where is the Wizard? by jscooper on 2008-02-07 03:50:12 +0100
Nevermind, I found it. Looks like when you choose Open IPSecuras form the menubar, it opens version 2.1 but when you click the application icon, you get v3.1. Is this a bug or did I miss some setting somewhere? Thanks, Jeff ps- used this app a couple years ago and loved it. The site vanished for a while -- I'm very happy to see it back! :)
Re: Where is the Wizard? by jscooper on 2008-02-07 04:08:25 +0100
Nevermind, I found it. Looks like when you choose Open IPSecuras form the menubar, it opens version 2.1 but when you click the application icon, you get v3.1. Is this a bug or did I miss some setting somewhere? Thanks, Jeff ps- used this app a couple years ago and loved it. The site vanished for a while -- I'm very happy to see it back! :)
Netgear G834GT Netgear G834GT by andy on 2008-02-07 22:00:44 +0100
Been having difficulty getting into my remote network remotely. Do I need to make alterations on the pass through on the router?
Re: Netgear G834GT by Tanster on 2008-02-19 01:27:26 +0100
Pass through to *WHAT*? IPSecuritas is acting as the client side. You must have a server side. If your router doesn't have a VPN server built-in (and the Netgear G834GT doesn't from the specs I see on the Netgear website), then what are you connecting to behind it? Do you have a VPN server sitting there? Otherwise, you're barking up the wrong tree.
Re: Netgear G834GT by andy on 2008-02-19 09:51:27 +0100
Yes, was a bit cryptic. But you have helped on other post. First job - get a new VPN server able locally router. Thanks
not creating racoon.conf completely not creating racoon.conf completely by coreyva on 2008-02-08 21:22:42 +0100
I'm having issues with IPSecuritas 3.1 on a 10.5.1 intel system. The log stops at Resize address pool. Looking at the created racoon.conf, it is incomplete. It contains no connection setting. I've tried removing and reinstalling IPSecuritas, creating new profiles and connections, and creating a new user. No change. Below is the contents of of the created racoon.conf. # Racoon configuration created by IPSecuritas log notify; path pre_shared_key "/Library/Application Support/Lobotomo Software/IPSecuritas/psk.txt"; path certificate "/Library/Application Support/Lobotomo Software/IPSecuritas/certs"; padding { maximum_length 20; randomize on; strict_check off; exclusive_tail on; } timer { counter 5; interval 5 seconds; persend 1; phase1 15 seconds; phase2 15 seconds; } listen { adminsock "/Library/Application Support/Lobotomo Software/IPSecuritas /admin.sock"; }
Anyone else seen this happen?
Re: not creating racoon.conf completely by brantwinter on 2008-02-09 08:29:29 +0100
Yes - I have been battling with exactly the same issue, but have had no real response or fix for the issue from these boards. I got around mine by changing the 'Endpoint Mode' to 'Anywhere' In my case I was routing to a 10.x.x.x subnet, although I was using a Class C subnet mask ( /24 ) I think IPSecuritas was applying the standard Class A subnet mask to this subnet. This is the only explanation I can come up with as my Telstra NextG internet connection always gives me a 10.x.x.x/8 IP address. As I said, nobody has replied to my issues so I am only speculating. Try changing the endpoint mode and get back to me.
Re: not creating racoon.conf completely by coreyva on 2008-02-11 17:36:50 +0100
I'll give that a try, but what's strange, is it's only one system having that issue. My laptop works fine. Both are intel systems for what it's worth.
Re: not creating racoon.conf completely by Forum Admin on 2008-02-13 22:50:07 +0100
Hello, hovering the mouse over the red indicator in the main window should give you a short indication of what's wrong. In your case, the connection is considered 'not runnable' for some reason, hence the empty racoon.conf file. Hope this helps, Christoph
Re: not creating racoon.conf completely by brantwinter on 2008-02-14 08:55:10 +0100
When I was having issues ( Intel MBP 10.5.1 ) hovering over the red dot did nothing. I never got any help text...
Re: not creating racoon.conf completely by coreyva on 2008-02-22 20:35:54 +0100
[quote author=Forum Admin link=1202502162/0#3 date=1202939407]Hello, hovering the mouse over the red indicator in the main window should give you a short indication of what's wrong. In your case, the connection is considered 'not runnable' for some reason, hence the empty racoon.conf file. Hope this helps, Christoph[/quote] Thanks, but no go. Hovering over the dot produces nothing. I am using a working exported policy. Double checked all of the settings, and they are identical on the system that works and the one that doesn't. In fact, I can not get it to make a connection to any of my VPN's. One difference between the two systems is that the working one was an upgrade to leopard, and the non-working one was a fresh install. Not sure if that is contributing to the issue or not. The fact that it is only one system I'm seeing an issue with, makes me believe it's something with that system rather than ipsecuritas, but I've not found it.
Connection successful, but can't reach network Connection successful, but can't reach network by gould on 2008-02-09 20:23:23 +0100
I can establish a connection to the remote Lancom 1722 VPN gateway (green status dot), but besides the gateway I can't ping any computer in the remote network. This is my configuration: Host 192.168.223.232 to network 192.168.223.0/24 I can only ping 192.168.223.0 and 192.168.223.254, no other server in the same network. I suppose no data come back from the remote side. First I thought the router on the local part, where my Mac is, blocks the packages, but when I use my Linux PC everything is fine - without changing the router configuration. Ergo: Linux with Shrew VPN Manager works, IPSecurtias (VPN Tracker neither) on Mac not. Leopard firewall is off. I really have no idea whats wrong with my Mac configuration. Is there a routing problem? Any suggestions what I can do? By the way: MODE_cfg never works, while I get a IP from the gateway on my Linux PC. Really weird.
Re: Connection successful, but can't reach network by Forum Admin on 2008-02-13 22:53:35 +0100
Hello, please try to change the local (virtual) IP to an address that's outside the remote network (interpreting the IPSec standard strictly, this is nor allowed, although some router allow it). Hope this helps, Christoph
Re: Connection successful, but can't reach network by gould on 2008-02-13 23:18:40 +0100
An IP address outside the remote network is not allowed. Furthermore, I was told that I shouldn't give an IP myself, because IKE config mode is configured. Due to the fact, that MODE_CFG in IPSecuritas doesn't work for me, the Lancom gateway has no MAC address of the local interface and can't reach my local machine. My system administrator adviced my to use a client that supports IKE config. Are there any known problems with the MODE_CFG option in IPSecuritas?
Re: Connection successful, but can't reach network by gould on 2008-02-15 15:37:54 +0100
In the meantime I'm pretty sure: The config mode is the problem. Is there a way to proof wheather MODE_CFG in IPSecuritas works correctly? I think there must be something wrong the this option.
Re: Connection successful, but can't reach network by Tanster on 2008-02-19 01:54:43 +0100
Just curious but is "Local IP in Remote Network" checked under the "Options" tab?
Re: Connection successful, but can't reach network by gould on 2008-02-21 14:33:36 +0100
Yes, it's checked. Otherwise I'd get a collision error.
What do you reckon? What do you reckon? by andy on 2008-02-10 17:40:24 +0100
I run a newspaper and want my journalists to roam and link to network. A friend recommended Lobo's software, saying it was very easy to set up. So I took a MacBook pro with MacOSX 10.5.1 The local work router is a Netgear DG834GT fronting a Mac and PC network that we want to get into. The remote router is a Netgear DG834G. I have been told that we cannot configure the firewall on the DG834GT (no IKE etc etc), while the DG834G has VPN policies available. VPN Tracker's network environment checker shows both routers to be functional for IPSec and NAT. Should I buy a new office router? What would you recommend?
Re: What do you reckon? by Tanster on 2008-02-19 01:44:17 +0100
Insufficient data to work with. Could you give us more info about your intended network topology (i.e., what and where do you want to connect to what: connect the dots for us a bit more than you have thus far)? The Netgear DG843GT doesn't have a VPN server (according to the Netgear website) while the Netgear DG834G does (5 endpoints, again according to the Netgear website). But it's on the remote end. Which doesn't make sense. And where does IPSecuritas fit into the whole shebang you've described above? Note that "VPN traversal" does *NOT* mean VPN-server capable--it just means that it allows VPN packets to get through to a separate VPN server sitting somewhere on the back end on the local side. Normally, if you don't have a separate VPN server sitting on the back end, you'd have a VPN server-capable router at the local end (i.e., use the Netgear DG834G and toss the Netgear DG834GT) with all the roaming, remote laptops having IPSecuritas installed on them and connecting to the local end (i.e., the Netgear DG834G) from the outside via broadband or similar. And that's just the 30,000 foot view with really broad strokes of the paintbrush. I don't know if this is all you want or you have something else in mind. Hope it helps.
Re: What do you reckon? by andy on 2008-02-19 09:40:53 +0100
Yup, sorry :-/ I'm a novice but we can't afford a techie I will firstly get a VPN server router fitted locally. Then I'll get IPSecuritas loaded onto the remote laptops. Basically, I need them to run 'anywhere to local network' But you have confirmed what I wasn't sure about, that the local router is not capable. Thanks for that. Andy
IP collision between local and remote networks IP collision between local and remote networks by blst on 2008-02-13 17:15:29 +0100
i have set up a an ipsec tunnel to a fortigate 60B with three users and only one seems to work. everything works fine for me (leopard), but on the users' machine (tiger) she started getting this message. my network at home is 10.0.1.0 and hers at home is 192.168.7.0 and the remote network is 192.168.0.0. i have a feeling it is probably not related to the client software but i am not really sure. does anyone have any idea why this is happening? thanks so much, jason
Re: IP collision between local and remote networks by Forum Admin on 2008-02-13 22:48:11 +0100
Hello Jason, the problem is indeed that the two networks 192.168.7.0 and 192.168.0.0 overlap. This is not recommended (and probably also against the specification) for various reasons (one being that other computers will not be reachable anymore, another that there might an address conflict between the local address and a machine in the remote network with the same address). However, I will add an option to disable these collision checks, since several people asked for it. For now, the easiest (and cleanest anyway) solution is to change her local network range to a different private range, please have a look at RFC 1918, section 3 () Hope this helps, Christoph
Re: IP collision between local and remote networks by blst on 2008-02-13 23:29:08 +0100
christoph, turns out that local ip in remote network became unchecked. is there an explanation of what this setting means some where in the docs? thanks so much for the quick reply. --jason
Re: IP collision between local and remote networks by Tanster on 2008-02-18 21:28:15 +0100
[quote author=Forum Admin link=1202919329/0#1 date=1202939291] the problem is indeed that the two networks 192.168.7.0 and 192.168.0.0 overlap. [/quote] I was just reading through this thread and noticed that the original poster didn't provide subnet mask or CIDR info. I'm curious as to what clued you in to the two networks overlapping. Is there any other info that's not showing up here?
Re: IP collision between local and remote networks by blst on 2008-02-18 21:42:18 +0100
my original post:
IP collision between local and remote networks 13. Feb 2008 at 17:15 Quote i have set up a an ipsec tunnel to a fortigate 60B with three users and only one seems to work. everything works fine for me (leopard), but on the users' machine (tiger) she started getting this message. my network at home is 10.0.1.0 and hers at home is 192.168.7.0 and the remote network is 192.168.0.0. i have a feeling it is probably not related to the client software but i am not really sure. does anyone have any idea why this is happening? thanks so much, jason
Re: IP collision between local and remote networks by Tanster on 2008-02-19 01:02:56 +0100
It kinda looks exactly the same to me. There's still no subnet mask (e.g., 255.255.255.0) or CIDR (e.g. /24) info. Now, if your subnet mask was, say, 255.255.0.0 (i.e., CIDR of /16) or 255.0.0.0 (i.e., CIDR of /8), then I can see where 192.168.0.0 and 192.168.7.0 would overlap. But if your subnet mask was 255.255.255.0 (i.e., CIDR of /24), which is what most class C subnets would use, then 192.168.0.0 and 192.168.7.0 would not overlap. Since you didn't provide this info, there's no way to tell as far as I could see just from network addresses alone. That's why I was wondering if there was something I wasn't seeing here.
Re: IP collision between local and remote networks by blst on 2008-02-19 04:50:30 +0100
sorry, i see what you mean now. acually, this didn't seem to be the problem after all. what ended up being wrong is that the "local IP in remote network" option was not checked. once i changed this, it was all fine. this doesn't make sense to me though. is the local address the one you define in host endpoint or is it your local address outside the vpn? thanks for any light you could shed on this. we used to have a less sophisticated firewall and the mac vpn connections we sufficient and had far less options. --jason
Sonicwall tz170w and non-standard VPN Profile Sonicwall tz170w and non-standard VPN Profile by russ990 on 2008-02-16 17:03:40 +0100
I have a tz170w running enhanced OS. The default GroupVPN policy has been configured to be used as our default L2TP server for windows clients. I am trying to get IP Securitas to connect to a different VPN Profile, but I can't figure out how to specify the VPN Profile to use. When I connect to the Sonicwall, the logs indicate that is is always trying to connect to the WAN GroupVPN. Is there a way to specify to IPSecuritas to tell it to use a different profile?
I have attempted to configure the IPSecuritas side with the same parameters as our default groupVPN, but that doesn't seem to want to connect.
Re: Sonicwall tz170w and non-standard VPN Profile by JimPBarber on 2008-06-07 01:25:58 +0200
On the ID Tab set the Local Identifier to Key ID and enter the VPN Group ID If you were connecting to the default group id it would be GroupVPN Just enter the name of the new VPN you created.
Recommend me a VPN server Recommend me a VPN server by andy on 2008-02-19 11:23:56 +0100
Can you recommend a VPN server with firewall that IPSecuritas likes and is featured in the preloads? Thanks Andy
Re: Recommend me a VPN server
by Forum Admin on 2008-02-21 21:12:50 +0100
Hello Andy, I can recommend the following models, all of them can be setup very easily, work very reliably in my test environment and support NAT-T (which is important, if you want to connect from public W-LAN or mobile phone networks): - Zyxel ZyWall (e.g. P1 or ZyWall 5) - Linksys WRV200 - Juniper Netscreen 5x or SSG models - m0n0Wall (http://www.m0n0.ch) , for example on this platform (http://www.pcengines.ch/alix.htm) - very flexible and powerful, needs some tinkering, though There is quite a range in price and features (besides VPN capability), best choose what you need. Please feel free to get in touch with me again if you need further information. Hope this helps, Christoph
Re: Recommend me a VPN server by andy on 2008-02-22 08:51:38 +0100
Thanks Christoph. I will be looking at several today. I might run some spec by you if I may. Cheers Andy
Re: Recommend me a VPN server by Forum Admin on 2008-02-22 19:58:22 +0100
Sure, anytime Cheers, Christoph
Connection Green, but not working - Leopard Connection Green, but not working - Leopard by neil456 on 2008-02-23 00:02:23 +0100
Mac os x 10.5.2. Can not ping or otherwise use the connection. Nothing seems to work. Have tried all of the things mentioned in the forum for Leopard. Reused the wizard to create a new connection. If it helps I am out of the country, but can IM and Audio Conference without the vpn to the home network. It was also working prior to upgrade to Leopard and has worked from the same hotel outside the country prior to leopard for sure. It also worked using my WAN cellular card prior to leaving the country with Leopard. My WAN card does not work internationally so I am trying to use the same config with wired ethernet. How do I troubleshoot the problem? Log: IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Feb 22, 16:55:42 Info APP IPSec authenticating Feb 22, 16:55:43 Info APP IKE daemon started Feb 22, 16:55:43 Info APP IPSec started Feb 22, 16:55:43 Error IKE Foreground mode. Feb 22, 16:55:43 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Feb 22, 16:55:43 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Feb 22, 16:55:43 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Feb 22, 16:55:43 Info IKE Resize address pool from 0 to 255 Feb 22, 16:55:43 Info APP Initiated connection Bloomingdale AT&T Card Feb 22, 16:55:43 Error IKE inappropriate sadb acquire message passed. Feb 22, 16:55:47 Warning IKE No ID match. Feb 22, 16:55:47 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Feb 22, 16:55:50 Info APP Initiated connection Bloomingdale AT&T Card Feb 22, 16:55:51 Info IKE the packet is retransmitted by 76.223.254.88[500]. Feb 22, 16:55:57 Info IKE the packet is retransmitted by 76.223.254.88[500]. Feb 22, 16:55:57 Info IKE the packet is retransmitted by 76.223.254.88[500]. Feb 22, 16:56:02 Error IKE libipsec failed pfkey check (Invalid SA type) Feb 22, 16:56:02 Info IKE the packet is retransmitted by 76.223.254.88[500]. Feb 22, 16:56:02 Info IKE the packet is retransmitted by 76.223.254.88[500]. Feb 22, 16:56:08 Info IKE the packet is retransmitted by 76.223.254.88[500]. Feb 22, 16:56:08 Info IKE the packet is retransmitted by 76.223.254.88[500].
Re: Connection Green, but not working - Leopard by neil456 on 2008-02-24 15:19:42 +0100
OK, Touch down in Miami and everything works. I am going back in 3 weeks and need to have this working. How do I troubleshoot this? Could be one of several possibilities? 1. Network is being filtered and some part of the VPN does not work. The hotel network provider indicates they allow VPNs and have not had any problems. 2. The method of securing internet access keeps the VPN from working. You know the problem, browser comes up and you have to put in code to get access to the hotel network. 3. Leopard is unreliable. Any Ideas?
Re: Connection Green, but not working - Leopard by neil456 on 2008-03-21 14:11:35 +0100
Solved :) Need to get public IP from ISP. Now it works. Why couldn't IP Securitas tell me it needed a public IP address? Neil
Connecting to Nortel Contivity (DreamHost) Connecting to Nortel Contivity (DreamHost) by tuatara on 2008-02-23 02:19:45 +0100
DreamHost offers a VPN for customers. They're using Nortel Contivity. There are a few mentions of this VPN type in the forums here, but mainly seem to be unresolved issues. Has anyone successfully connected to this VPN? Nortel Contivity doesn't appear in IPSecuritas' setup wizard, so I'm trying to configure it manually, using the rather brief info at the DreamHost wiki, [url]http://wiki.dreamhost.com/KB_/_Account_Control_Panel_ /_VPN_Users[/url]. The main info they give is that it uses IPSec, ESP (Encapsulated Security Payload) and AH (Authentication Header), encryption is 3DES, key length is 168 bits (56 bits per DES cipher). (Is that key length related to the DH Group option in IPSecuritas?) I've tried a few different permutations with no luck so far. Most recently, I tried it with the General tab set with IPSec Device ant.cloudconnector.com, a dimmed-out local Endpoint Mode, a remote Endpoint Mode set to Anywhere and DHCP Pass-Through enabled. The Phase 1 tab has Lifetime of 1800 seconds, DH Group as 1024 (2), Encryption as 3DES, Authentication as SHA-1 (I've also tried MD5), and the rest left at their defaults (Main, Obey, and Nonce Size of 16). I never seem to get past Phase 1. This is from the connection log, with some hex data stripped (just in case my password is in there). I'm not familiar with VPN setup so I may have missed something obvious. Hopefully there's some data here that's useful. Thanks for any help! Matt
[code]Feb 23, 14:01:11 Info APP Initiated connection DreamHost VPN Feb 23, 14:01:11 Debug IKE get pfkey ACQUIRE message (Stripped hex data ...) Feb 23, 14:01:11 Debug IKE suitable outbound SP found: 192.168.0.2/32[0] 0.0.0.0/0[0] proto=any dir=out. Feb 23, 14:01:11 Debug IKE sub:0xbffff35c: 0.0.0.0/0[0] 192.168.0.2/32[0] proto=any dir=in Feb 23, 14:01:11 Debug IKE db :0x108bf8: 0.0.0.0/0[0] 192.168.0.2/32[0] proto=any dir=in Feb 23, 14:01:11 Debug IKE suitable inbound SP found: 0.0.0.0/0[0] 192.168.0.2/32[0] proto=any dir=in. Feb 23, 14:01:11 Debug IKE new acquire 192.168.0.2/32[0] 0.0.0.0/0[0] proto=any dir=out Feb 23, 14:01:11 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=22:21) Feb 23, 14:01:11 Debug IKE (trns_id=DES encklen=0 authtype=hmac-md5) Feb 23, 14:01:11 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-md5) Feb 23, 14:01:11 Debug IKE (trns_id=AES encklen=256 authtype=hmac-md5) Feb 23, 14:01:11 Debug IKE (trns_id=AES encklen=192 authtype=hmac-md5) Feb 23, 14:01:11 Debug IKE (trns_id=AES encklen=128 authtype=hmac-md5) Feb 23, 14:01:11 Debug IKE in post_acquire Feb 23, 14:01:11 Debug IKE configuration found for 66.33.195.193. Feb 23, 14:01:11 Info IKE request for establishing IPsec-SA was queued due to no phase1 found.
Re: Connecting to Nortel Contivity (DreamHost) by tuatara on 2008-03-06 08:44:09 +0100
Any other info I can give? Is it reasonable to think IPSecuritas might work with the Contivity system?
iPhone support? iPhone support? by unhitched on 2008-02-26 01:39:34 +0100
hey guys, Will IPSECURITAS ever work on an iPhone or iPod touch?
cheers
Re: iPhone support? by cnadig on 2008-02-26 18:39:44 +0100
Hello, this depends on the capabilities and availability of the Apple's iPhone SDK. There are definitely intentions to port IPSecuritas to the iPhone. Cheers, Christoph
Re: iPhone support? by unhitched on 2008-02-26 23:46:58 +0100
hey, thanks for the quick reply. I am a little confused over how the IPSECURITAS product is... 'written'. Does it use the 'builtin' osx client which appears to me to be only L2TP/PPTP or have you guys written some funky pure-IPSEC feature-set to interact with or work over the top of OSX? The reason I ask is I have a few Apple engineers I may be able to help depending on the answers.
cheers
Re: iPhone support? by cnadig on 2008-02-29 19:24:13 +0100
Hello, IPSecuritas comes with its own version of racoon, the IKE daemon, and does not use Apple's standard version of racoon (with 3.0, that is). The version supplied with IPSecuritas is based on the ipsec-tools rather than the KAME project and has a few extensions for NAT-T, ModeCfg support for certain firewall vendors as well as Checkpoint specific extensions. The rest of IPSecuritas is written in Objective-C using Cocoa. Any help for porting this to the iPhone is highly appreciated, of course. Cheers, Christoph
Netgear FVG318 Netgear FVG318 by Tanster on 2008-02-28 00:07:44 +0100
Does anybody out there have an Netgear FVG318 that can help me? I'm getting this issue where a setting of 0.0.0.0 or "Any" for the remote IP in the VPN policy (for traveling users whose IPs cannot be determined until activation time) results in everybody in the LAN losing connectivity to the Internet and each other. But all of them can ping the remote user using IPSecuritas 3.1. According to all the articles I've read in the Netgear KB, the remote IP setting of "Any" is correct. But it doesn't quite work in reality. The problem smacks to me of a routing issue but I can't figure out how to rectify on the FVG318 side since this problem occurs even if I just activate the VPN Policy but without any VPN tunnels active. Basically, I think I somehow need to specify that all packets intended for the remote user go through the VPN but everything else go through the FVG318's LAN port (and thereby either resent through the local LAN or out through the WAN port). But no other router such as ZyWALL or SonicWall has ever required me to do this manually. Does the FVG318 require special static routes set up manually?
Sonicwall 3060 Enhanced Sonicwall 3060 Enhanced by TeckboyNY on 2008-02-29 02:20:03 +0100
Anyone get it to work with a 3060 enhanced model? Just curious.
Re: Sonicwall 3060 Enhanced by megamiles on 2008-03-07 23:00:21 +0100
Hello TeckboyNY Suffering with the same problem on our SonicWall Pro box. Have started a new post, but solution if found will certainly assist you in connecting. Regards
Re: Sonicwall 3060 Enhanced by el_doctor on 2008-03-18 14:46:20 +0100
I'm working with a 2040 Pro Enhanced. If I follow the setup wizard with SonicWall model and Sonic Pro selection, it dosen't work. I tried with the TZ170 pre-configuration setup wizard and it works!!!
Re: Sonicwall 3060 Enhanced by andyfram on 2008-03-21 19:24:04 +0100
I'm also using the 3060Pro Enhanced and can't get it to work. I have the following in the logs if this means anything to anyone: ERROR IKE inappropriate sadb acquire message passed. ERROR IKE delete phase1 handle. ERROR IKE delete phase1 handle. Initiated Connection delete phase1 handle Initiated Connection delete phase1 handle ERROR IKE phase2 negotiation failed due to time up waiting for phase1. It repeats that a few times and then says: Warning APP giving up.
Re: Sonicwall 3060 Enhanced by JimPBarber on 2008-06-07 00:44:03 +0200
You can get it working but you have to drop XAUTH.... It is broken between sonicwall and ipsecuratas and causes a hang in phase2 negotiation. Just turn off xauth. I am a CSSA and it took me a couple of days to work it all out. Here are the settings. [color=#003366]SonicWall WAN GroupVPN:[/color] [color=#003399][b]General Tab:[/b][i][/i][highlight][/highlight][/color] Authentication Method: IKE using Preshared Secret Name: WAN GroupVPN Shared Secret: [color=#003366][b]Proposals Tab:[/b][/color] [u][color=#003399][b]IKE (Phase 1) Proposal[/b][/color][/u] [u]DH Group:[/u] Group 2 [u]Encryption:[/u] 3DES [u]Athentication:[/u] Sha1 [u]Lifetime: [/u]28800 [color=#003399][u][b]Ipsec (Phase 2) Proposal[/b][/u][/color] [u]Protocol: [/u]ESP [u]Encryption:[/u] 3DES [u]Authentication:[/u] Sha1 [b]Enable Perfect Forward Secrecy [unchecked][/b] [u]Life Time[/u] (seconds): 28800
[color=#003366][u][b]Advanced Settings Tab:[/b][/u][/color] [i][color=#003366][u](Optional)[/u][/color][/i] [x]Enable Windows Networking (NetBIOS) Broadcast [x]Enable Multicast Management via this SA: [] HTTP [] HTTPS [] SSH Default Gateway:
0.0.0.0
Client Authentication [] Require Authentication of VPN Clients via XAUTH User Group for XAUTH users: Greyed out Allow Unauthenticated VPN Client Access: [u][color=#003366][b]Client Tab:[/b][/color][/u] [u][color=#003366]User Name and Password Caching[/color][/u] Cache XAUTH User Name and Password on Client: How you want it. [500] Error IKE inappropriate sadb acquire message passed.[/i] etc. Similarly, I get an error in the Zywall log which is well-documented but doesn't seem to have a solution: [i]Receive IPSec packet, but no corresponding tunnel exists[/i] At the basic TCP/IP level I have a functioning connection from my laptop to my Zywall (as an endpoint). However, IPSecuritas has not set up my local DNS server although I made what I think is an appropriate entry under the DNS tab in the connections dialogue. I am not the first person to report this: is it still a known bug, or should I go back and look at it again? The result is that I have to use IP numbers all the time, which is obviously not nice. I tried adding the address of the DNS server to the Network configuration in System Preferences, but that did not help. Bonjour doesn't seem to work across the VPN either (measured with Bonjour Browser). I have a number of services on my Linux servers advertised with Avahi, which show up in Bonjour on my local Macs but don't make it across the VPN to my laptop. As far as I can tell, the VPN places no restrictions on packets transfered from the LAN to the VPN so I don't understand why Bonjour doesn't work. If anyone can help me with these problems, I'd be very grateful. Other things I want to do later are to make my AFP and NFS mounts visible (using Avahi/Bonjour). I know some of the issues there, but if anyone has an hints, I'd would also apppreciate that. Steve
Re: Launch2Net, IPSecuritas and Zywall 2 Plus by winnall on 2008-05-23 13:19:52 +0200
Further research reveals that a VPN will not route multicast packets, so Bonjour will not work without some extra work. This means having something at either end of the VPN which tunnels Bonjour's multicast packets though the VPN. There is something called mtunnel which purports to do this, but it is no longer available at its author's site. Why DNS doesn't work remains a mystery to me. I tried VPN Tracker too, but DNS doesn't work with that either. Steve
Connecting MacBook to OpenSwan on CentOs Linux Connecting MacBook to OpenSwan on CentOs Linux by angelocr on 2008-05-22 16:21:59 +0200
Hi to everybody here! I am trying to access an OpenSwan Firewall with an OSX 10.4.11 MacBook (soon to become 10.5.2). Not being so knowledgeable I have made several attempts trying to understand settings and log results to no avail. I get the errors: IKE 508:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 508:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:707: IKE Invalid SIG. IKE none message must be encrypted IKE inappropriate sadb acquire message passed. IKE phase2 negotiation failed due to time up waiting for phase1. ESP 55.113.55.186[4500]->192.168.1.105[4500] Beyond this, I see that IPsesuritas wisely has "suggested settings" for several firewalls. Is there anything like that to connect to an openswan based linux machine? Thanks for any hint, I am eager to learn! Angelo.
IPSecuritas IPSecuritas by vdubvr6 on 2008-05-28 15:54:45 +0200
Good Morning, I have been handed a task to help an end user with VPN connectivity. I am not familiar with this software and need some advise. Our typical user uses //shame Windows with a CheckPoint client, anyway this user is on a direct connected connection on a comcast home account. They connect but it automatically puts a red dot next to the connection. What could this mean, I'm sure a lot? Is there a log file or can I enable logging? This is a remote machine so if I could do this from SSH that would be wonderful. If not, is there a supplied manual. -- Thank you
Re: IPSecuritas by angelocr on 2008-06-03 00:24:42 +0200
I am no expert, just a beginner glad to be able to help :) 1) The red dot says that the connection had no success. So there is something in the settings to tweak; 2) Yes, you can enable logs and see it through menus. Thay help a lot, in fact! 3) The whole purpose of IPSecuritas is to put an user interface to make racoon (the native IPsec of Mac & BSD) easier. I am quite sure you coud use racoon through SSH, being geeky enough, but not IPSecuritas. 4) Yes, there is a manual included in the product. Disclaimer: See the beginning!
How to direct all traffic through the VPN How to direct all traffic through the VPN by consi on 2008-06-05 10:41:33 +0200
I have successfully set up a VPN in host to network mode so that I can reach private IPs in the remote network. All my traffic to websites however still goes out directly instead of going through the router in the remote network. How can I tunnel my traffic through the remote network, either all or selectively, perhaps on a by application basis? Thanks!
Re: How to direct all traffic through the VPN by consi on 2008-06-11 00:59:00 +0200
Nobody knows? It is an option in Apple's built-in VPN client... which is lacking in other areas though. How can it be done with IPSecuritas? I don't have to mention that this is vital if you want to protect your web usage from a public hotspot.
Re: How to direct all traffic through the VPN by Forum Admin on 2008-06-11 18:47:11 +0200
Hello, select Anywhere for the remote endpoint. However, it very much depends on your firewall and its configuration if this is working. Cheers, Christoph
Re: How to direct all traffic through the VPN by consi on 2008-06-12 01:10:13 +0200
Thanks for the tip. Unfortunately with the 'anywhere' setting, my connection lamp stays yellow, DCHP pass-through enabled or not. My os x firewall is set to allow all incoming connections. I suppose I need to open some ports on my router? Which are those?
Re: How to direct all traffic through the VPN by consi on 2008-06-18 10:43:44 +0200
A hint from somebody?
Certificate request import error Certificate request import error by domodomo on 2008-06-06 22:38:38 +0200
Hello, I am trying to import a DER request file I generated in IPSecuritas's Certificate Manager, into Windows Server Certificate Authority. When I import the submit the request to windows CA I get a 'ASN1 bad tag value met. 0x8009310b (ASN: 267)' error. Does anyone know what this is about? Thanks, Ian
Help with Nortel 1800/2800
Help with Nortel 1800/2800 by enygma on 2008-06-07 13:42:47 +0200
Has anyone had any luck setting up a connection (user/pass auth) on a Nortel 1800 or 2800 remote vpn machine? I've been messing with settings for a while now and I can't seem to get it. Any help would be appreciated!
Local-Network to Remote-Network Local-Network to Remote-Network by LinkNet on 2008-06-08 03:21:45 +0200
Hi, I have used, very successfully, IPSecuritas to connect a single machine (my MacBook Pro) in host mode to a remote network. Great job, Christoph, and many thanks. I particularly enjoy using an ExpressCard to access the Internet via cellular broadband. I also use Airport to access WiFi broadband. IPSecuritas is working great as an "emulator" of the [b]hardware[/b] Linksys BEFVP41 VPN client that I have used for years and that I hope to be able to leave at home (in honorable retirement) for the rest of its days. Unfortunately, there is one (very important) case that forces me to still travel with the Linksys BEFVP41 VPN client (and to find hotels that have wired Internet access, to be able to connect the Linksys's WAN port to the Internet). If you could please help me solve this challenge, it would be wonderful. Specifically: For local printing via VPN (using a print server at the remote network and an HP LaserJet as a networked printer next to my MacBook Pro), I have not found a way to configure IPSecuritas to connect a local "network" (consisting of the LaserJet, directly connected to the Ethernet port of my MacBook Pro) to the remote network. Please recall that I prefer to use an ExpressCard to access the Internet via cellular broadband (or Airport to access WiFi broadband). So, in these two cases, I have the Ethernet port available for the LaserJet. How can I connect the Ethernet "network" (consisting of just the LaserJet in this case) to the remote network via IPSecuritas (connected to the remote network via an ExpressCard or via Airport)?
On page 10, the IPSecuritas Manual does not explicitly say how to connect a local network -- unless I am missing something: ------------------------------------------------------------------------[b]Local Side[/b]: This determines whether you want to connect a single machine (Host), one (Network) or multiple (Networks) local networks to the remote end. Most usually you connect a single machine. In Host mode, you may define a virtual local IP address. All traffic sent to the remote end will have this address as the sender address. If you leave the field empty, the address of the default network interface is used instead. Please clarify this with your system administrator if in doubt. -------------------------------------------------------------------------
How do you define the meaning of "the default network interface"? Thank you.
Re: Local-Network to Remote-Network by Forum Admin on 2008-06-09 23:08:19 +0200
Hello, I'm not sure if I understand your setup completely. If I understand you correctly, you are travelling with your printer, which is attached to your MBP's ethernet port. The print server, however, is not on your machine but in the remote network that you access through the VPN (basically, sending the print job through the VPN twice). Is this correct? Cheers, Christoph
Re: Local-Network to Remote-Network by LinkNet on 2008-06-18 19:33:24 +0200
[quote author=Forum Admin link=1212888105/0#1 date=1213045699]Hello, ... If I understand you correctly, you are travelling with your printer, which is attached to your MBP's ethernet port. The print server, however, is not on your machine but in the remote network that you access through the VPN (basically, sending the print job through the VPN twice). Is this correct? Cheers, Christoph[/quote] Your interpretation is correct, but the print job does not go through the VPN twice. The print job does not originate on my Mac: It originates on a remote print server, which just blasts it to a given IP address of my choice (which happens to be a printer on the "corporate" network when I am at home, or a printer on my "hotel network" when I am on the road). I issue commands from my MBP to the print server via a specialized variant of the Telnet protocol. Here is a specific example. Let's assume the following addresses, which work great when I specify an Endpoing Mode of "Host" for the [b]local[/b] side: The Cellular broadband ExpressCard assigns some public address to my MBP: 111.122.133.144. My MacBook Pro's VPN IP Address, as specified in "IPSecuritas Connections=>General Local Side Endpoint Mode := Host" is 192.168.202.17. So far, so good. I can connect from my MBP to the remote network via the IPSecuritas VPN tunnel (and any host from the remote network can access my MBP, using 192.168.202.17, via the IPSecuritas VPN tunnel) without any problem. Now, the challenge: If I set "IPSecuritas Connections=>General Local Side Endpoint Mode := Network" (with specifications along the lines of 192.168.202.17 / CIDR 24 -- and I have tried several kinds, including 192.168.202.0) I get a lot of debugging log entries (which I'll be happy to email to you) but no connection ever happens. If I simply change the local endpoint mode back to "Host", IPSecuritas immediately connects and all is well. The printer's manually-configured IP address is 192.168.202.22. I would love to be able to -- somehow -- "include" the printer as part of the VPN tunnel as established by my MBP via IPSecuritas. I use this printer all the time when I travel with the Linksys BEFVP41 VPN client, which connects to the remote network via its WAN port and handles up to 4 local hardwired Ethernet addresses (my MBP, with 192.168.202.17, the printer, with 192.168.202.22, and up to two other machines, if I wish to do so). With the Linksys VPN client, I am forced to use a hardwired Ethernet connection to the Internet. With IPSecuritas, I can use Cellular broadband with my Express card, or I can use WiFi. IPSecuritas is obviously better. Thanks!
Juniper Netscreen isg-1000 support Juniper Netscreen isg-1000 support by jarlt on 2008-06-19 01:53:10 +0200
Does ipsecuritas support the Juniper Netscreen isg-1000? I am unable to connect. Here is the log: IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Jun 18, 16:23:23 Info APP IPSec authenticating Jun 18, 16:23:23 Info APP IKE daemon started Jun 18, 16:23:23 Info APP IPSec started Jun 18, 16:23:23 Error IKE Foreground mode. Jun 18, 16:23:23 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jun 18, 16:23:23 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jun 18, 16:23:23 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jun 18, 16:23:23 Info IKE Resize address pool from 0 to 255 Jun 18, 16:23:24 Info APP Initiated connection MLML Jun 18, 16:23:24 Error IKE inappropriate sadb acquire message passed. Jun 18, 16:23:24 Warning IKE No ID match. Jun 18, 16:23:24 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Jun 18, 16:23:25 Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted. Jun 18, 16:23:25 Error IKE Message: '] '. Jun 18, 16:23:30 Error IKE fatal NO-PROPOSAL-CHOSEN notify messsage, phase1 should be deleted. Jun 18, 16:23:30 Error IKE Message: '] '. Jun 18, 16:23:30 Info APP IPSec stopping Jun 18, 16:23:31 Info APP IKE daemon terminated Jun 18, 16:23:31 Info APP IPSec stopped Jun 18, 16:26:25 Info APP Network configuration change detected Jun 18, 16:26:25 Info APP IKE daemon started Jun 18, 16:26:25 Info APP IPSec starting Jun 18, 16:26:25 Info APP Smart Environment Detection: Start Jun 18, 16:26:25 Error IKE Foreground mode. Jun 18, 16:26:25 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jun 18, 16:26:25 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jun 18, 16:26:25 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jun 18,16:26:25 Info IKE Resize address pool from 0 to 255 Jun 18, 16:26:26 Info APP Initiated connection MLML Jun 18, 16:26:26 Error IKE inappropriate sadb acquire message passed. Jun 18, 16:26:33 Info APP Initiated connection MLML Jun 18, 16:26:40 Info APP Initiated connection MLML Jun 18, 16:26:42 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 205.155.73.9[500]->169.254.237.206[500] Jun 18, 16:26:47 Info APP Initiated connection MLML Jun 18, 16:26:49 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 205.155.73.9[500]->169.254.237.206[500] Jun 18, 16:26:51 Error IKE sendfromto failed Jun 18, 16:26:54 Info APP Initiated connection MLML Jun 18, 16:26:54 Error IKE inappropriate sadb acquire message passed. Jun 18, 16:26:56 Error IKE phase1 negotiation failed due to time up. a3aa741a87214ef9:0000000000000000 Jun 18, 16:26:56 Error IKE phase2 negotiation failed due to time up
Re: Juniper Netscreen isg-1000 support by cnadig on 2008-06-19 08:49:21 +0200
Hello, I'd expect it to as I made good experiences with other models and I'd imagine Juniper is using the same IPSec software for all of their models. In the log you attached I can see that the phase 1 proposal is not accepted by the firewall - most probably a detail is different on both sides (like encryption, authentication or ID setting). Please verify the settings of firewall and IPSecuritas exactly. You may also send me a log with log level set to Debug to
[email protected] and I will probably be able to help you further (please make sure to strip confidential information like IP address and IDs from the log) Cheers, Christoph
Re: Juniper Netscreen isg-1000 support by jarlt on 2008-06-20 01:06:39 +0200
I made configuration changes that enabled me to connect: Phase 2 PFS None (was 1024 (2)), and Options disable NAT-T. I can now connect to a single network. Connecting to multiple networks fails with "msg 5 not interesting"
IPSecuritas and IPComp (LZS) IPSecuritas and IPComp (LZS) by rodknocker on 2008-06-21 12:16:41 +0200
Hello, i would like to use IPSecuritas with IPCOMP (LZS), but I think in the gui there are no possibilities for settings. Are there ways to use IPCOMP in IPSecuritas? Many thanks in advance ;) Best greetings David
Re: IPSecuritas and IPComp (LZS) by cnadig on 2008-06-23 10:35:26 +0200
Hello, the kernel of MacOS X only supports the deflate compression method, LZS and OUI are not supported. IPCOMP deflate is therefore always enabled by IPSecuritas. Cheers, Christoph
VPN always "on," would like to be prompted for pwd VPN always "on," would like to be prompted for pwd by blst on 2008-06-24 00:12:25 +0200
IPSecuritas is great, but I can't seem to figure out how to make it ask you for your VPN password rather that your connection always being available. Is this possible? Thanks so much!
IPSecuritas, Netgear FVS318v3, AEBS, and NAT-T IPSecuritas, Netgear FVS318v3, AEBS, and NAT-T by filterban on 2008-06-24 05:20:47 +0200
I finally got my Netgear FVS318v3 VPN to work with IPSecuritas 3.1, Leopard, and an Apple Airport Extreme Base Station. My network looks like this:
MacBook (IPSecuritas) 10.0.1.2 ---> AEBS ---> |||| INTERNET |||| ---> Netgear FVS318v3 ---> Servers (192.168.0.X) For the most part, the default instructions worked, but I was running into a problem where IPSecuritas would say it was successfully connected (green light) but I was unable to ping my servers. Here's what I found: 1) The client comp has to have a fixed IP behind the AEBS. This is easy to set up in your Airport Settings - just assign a specific IP (in my case 10.0.1.2) to your Mac by DHCP Client ID. 2) Set up everything else as described in the manual, except in IPSecuritas, be sure to DISABLE "NAT-T". Once I did that, everything worked like a charm. Thanks for the great software... this is really neat stuff. One more thing... this was with the latest FVS firmware of 3.0_26.
Export connections requests import password Export connections requests import password by jarlt on 2008-07-01 23:34:58 +0200
I have 5 connections. When I exported the first one I was asked for an import password, and put one in. I can not export any additional connections because I now get "Missing Import Password Please enter an import password for the exported connection." This is regardless of what I type in to the the Import password field. -Sidebar- the reason I have 5 connections is because I can not connect with Networks having more than 1 entry. I do not see any docs on Export. Thanks
Re: Export connections requests import password by cnadig on 2008-07-03 13:13:00 +0200
Hello, please download a prerelease of 3.2 from here: www.lobotomo.com/products/downloads/IPSecuritas32b1.dmg The included Readme lists the enhancements and new features. Feedback is welcome! Cheers, Christoph
Re: Export connections requests import password by jarlt on 2008-07-03 19:35:04 +0200
Thanks. I downloaded and installed. The Export works. The multi networks in connections is buggy. I am connecting to a Juniper ISG-1000. I have networks: 192.190.45.0/24, 198.189.27.0/24, 205.155.73.32/27, 205.155.73.128/27, 205.155.74.0/24 and 205.155.75.0/24. If I just have the 192.190.. and 198.189.. I can connect but if I add all 6 networks the log shows that there are 3 networks configured and I cannot connect them and the status light is red. Here is the log Jul 03, 10:27:09 Debug APP All connections authenticated Jul 03, 10:27:09 Debug APP State change from IDLE to AUTHENTICATING after event START Jul 03, 10:27:09 Info APP IPSec authenticating Jul 03, 10:27:09 Error APP Connection MLML 27-45 is not started because no route to remote host was found Jul 03, 10:27:09 Info APP IKE daemon started Jul 03, 10:27:09 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER Jul 03, 10:27:09 Info APP IPSec started Jul 03, 10:27:09 Info IKE Foreground mode. Jul 03, 10:27:09 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jul 03, 10:27:09 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jul 03, 10:27:09 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jul 03, 10:27:09 Info IKE Resize address pool from 0 to 255 Jul 03, 10:27:09 Debug IKE parse successed. Jul 03, 10:27:09 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management. Jul 03, 10:27:09 Debug IKE my interface: fe80::1%lo0 (lo0) Jul 03, 10:27:09 Debug IKE my interface: 127.0.0.1 (lo0) Jul 03, 10:27:09 Debug IKE my interface: ::1 (lo0) Jul 03, 10:27:09 Debug IKE configuring default isakmp port. Jul 03, 10:27:09 Debug IKE 3 addrs are configured successfully Jul 03, 10:27:09 Info IKE ::1[500] used as isakmp port (fd=6) Jul 03, 10:27:09 Info IKE 127.0.0.1[500] used as isakmp port (fd=7) Jul 03, 10:27:09 Info IKE fe80::1%lo0[500] used as isakmp port (fd=8) Jul 03, 10:27:09 Debug IKE get pfkey X_SPDDUMP message Jul 03, 10:27:09 Debug IKE 02120200 02000000 00000000 46080000 Jul 03, 10:27:09 Debug IKE pfkey X_SPDDUMP failed: No such file or directory
Re: Export connections requests import password by cnadig on 2008-07-04 13:19:31 +0200
Hello, what does the tooltip say when you hover the mouse over the red dot? Cheers, Christoph
Re: Export connections requests import password
by jarlt on 2008-07-07 20:14:43 +0200
I connected this morning and the dot is green and the mouse over is connected. When I attempt to connect to a server on the 192.190.45.0/24 network it fails. I'll send you the connection log. Thanks
Re: Export connections requests import password by jarlt on 2008-07-07 20:22:19 +0200
I am getting "msg 5 not interesting" when I attempt to connect to servers on the different networks. When I use the connection for the individual network I am able to connect.
odd issue odd issue by tmcnicho on 2008-07-02 21:40:01 +0200
I hadn't used IPSecuritas in a while, had since updated to 10.5.3. Went to connect and it just sits there doing nothing. I've found troubleshooting that if change the remote settings from "network" to "anywhere" it connects just fine, but then of course sends ALL my traffic down the tunnel. Any ideas here? I'm connecting a checkpoint vpn. Thanks, Tom
Re: odd issue by tmcnicho on 2008-07-02 22:10:47 +0200
OK... maybe my notation is just way off here. I was previously using 172.16.0.0/12 as the remote side. if i define the networks on the other end i need to connect to manually, it works fine. such as. 172.16.19.0/24 172.16.225.0/24... etc.. I have previously used 172.16.0.0/12 without a problem... :| tom
Re: odd issue by dbc on 2008-07-03 04:23:48 +0200
172.16.0.0/12 is the same as 172.0.0.0/12, as the /12 specifies a netmask of 255.240.0.0 I suspect you mean 172.16.0.0/16 which would be a netmask of 255.255.0.0 -dave
Works wired, fails wireless Works wired, fails wireless by dbc on 2008-07-03 03:33:56 +0200
Search did not turn up any similar problems. IPsecuritas 3.1 on OS X 10.4.11, Netgear FVS318r3 I configured and tested everything perfectly well through the wired Ethernet port. Today I tried with Airport for the first time. IPSecuritas came right up to the "green ball" stage with no hitches. But.. no connectivity either. Could not ping my home network or the router. Yet, I come back to the wired network and IPsecuritas works perfectly. All the time on wireless, IPSecuritas is perfectly happy to start and stop and the log messages are all normal, as far as I can tell. Yet, no pings back to router. Is there something that needs to be configured differently? Clearly from the log messages IPSecuritas is finding the wireless network and is connecting to the Netgear box without any problem. Yet no traffic flows that way. My home network is a 192.168.0.0/24 network, and the wireless network that I was on served a DHCP address from the 192.168.1.0/24 range. So, there should not be a conflict there since both networks use netmask 255.255.255.0. IPSecuritas is configured to tunnel traffic to 192.168.0.0/24 only. All other traffic was going out correctly. Again, IPSecuritas appears to think it is working correctly, but doesn't seem to pass any traffic.
Re: Works wired, fails wireless by dbc on 2008-07-04 18:12:20 +0200
Update: This appears to be a problem with the hot spot infrastructure, not ipsecuritas, but hopefully people here can shed some light on what may be happening. After reading the documentation, it seems that when you get a "green ball connect" but no traffic passes that it is a symptom of NAT traversal problems. My original configuration was set for "enable" NAT-T. I created another configuration set for "force" NAT-T. Also, I went to another hot spot to test, and both the "enable" and "force" NAT-T configurations worked perfectly. At the problematic hot spot, both the "enable" and "force" configurations gave a "green ball connect" but would not pass traffic. At this point, I suspect that there is some configuration issue in the hot spot, and would like to help diagnose the problem there. What should I look for? There are several boxes in the path, a wireless access point of course, and also a firewall box. Something somewhere is serving DHCP addresses. What can I do to provide additional diagnosis?
Re: Works wired, fails wireless by Forum Admin on 2008-07-05 12:41:17 +0200
Hello, I public hotspots you will usually need NAT-T. IPSec traffic is transported in ESP packets, which is not NAT aware (incoming ESP packets cannot be uniquely assigned to a host in a NATed network, which hotspots usually are. Some NAT routers will send incoming ESP packets to the host that last sent out an ESP paket, problematic if you are not the only user using IPSec in this hotspot. Other router do not pass on ESP at all or it is disabled by its oprator). NAT-T encapsulates the ESP traffic in UDP packets, which is NAT aware and incoming traffic can be assigned to the right host by any router. Please note that the firewall you connect to needs to support NAT-T (not to be confused with IPSec pass-through). The reason why you get the greed dot but cannot connect to any remote host is that the tunnel could be established successfully (the tunnel negotiation is done with UDP as well), but traffic is silently dropped by the hotspot. Hope this helps, Christoph
Re: Works wired, fails wireless by dbc on 2008-07-05 18:29:20 +0200
Yes, that helps, it clarifies a lot. I'm still unclear on what may be causing the packets to be dropped by the hot spot. With NAT-T enabled, how does the tunnel negotiation traffic differ from payload traffic? It would seem that the hot spot is dropping the payload UDP packets but passing the negotiation UDP packets.
Re: Works wired, fails wireless by Forum Admin on 2008-07-10 10:15:00 +0200
Hello, this depends on the NAT versions that your firewall supports, but basically there is not a lot of differences. In some NAT versions, the UDP port is different between IKE (connection negotiation, ports 500 and 4500) and payload (a free port number agreed on during connection negotiation). If you can establish a connection but payload is blocked, chances are high that no NAT-T was agreed even if NAT-T was forced in IPSecuritas. The best way to check this is to sniff your network traffic with tcpdump, e.g. sudo tcpdump -i en1 (or en0 when connected with Ethernet). If the command only shows ESP traffic going to your firewall, no NAT-T was negotiated and your firewall most probably does not support it. Hope this helps, Christoph
Re: Works wired, fails wireless by dbc on 2008-07-11 07:44:10 +0200
OK, very good. I will try that the next time I am at that hotspot.
Re: Works wired, fails wireless by uocooper on 2008-11-25 22:01:44 +0100
Similar setup here with the same issues. 10.5.5, IPSecuritas 3.1, Netgear FVS318v3. Airport network is on 172.16.33.x and the VPN is on 192.168.1.x. It works fine if I'm directly connected to my cable modem but if I use an Airport Extreme (802.11 g) with firmware 5.7 it shows that it's connected but nothing actually works. I can't ping an IP on the VPN network. This is the Airport Extreme that looks like a white mushroom. I've tried going through the various NAT-T options in IPSecuritas but no dice. I've also modifying the NAT options of the basestation but it doesn't matter how it's set. Is using this version of the Airport Extreme known to not work with IPSecuritas or is there anything else I can try to get it working?
VPN connections with same local and remote netaddr VPN connections with same local and remote netaddr by TStewart on 2008-07-03 20:09:09 +0200
I have a SonicWall Pro 100 at work that I connect to from outside our LAN. The internal private address scheme is 192.168.0.x /24. When I was first setting up my VPN client, I couldn't connect from home, as my home network had a matching network address scheme—192.168.0.x. I then changed the network address to 192.168.1.x, and all has worked fine. However, there are times when I need to connect to my work VPN from remote networks where the local private network address matches the same private network address as work. I have been unsuccessful at coming up with a solution around this? Is there anything I can do? Am I just missing a simple setting? Thanks! TStewart Here are screenshots of my settings: [img]http://www.gigafiles.co.uk/files/2130/Picture%202.jpg[/img] [img]http://www.gigafiles.co.uk/files/2130/Picture%203.jpg[/img] [img]http://www.gigafiles.co.uk/files/2130/Picture%204.jpg[/img] [img]http://www.gigafiles.co.uk/files/2130/Picture%205.jpg[/img] [img]http://www.gigafiles.co.uk/files/2130/Picture%206.jpg[/img] [img]http://www.gigafiles.co.uk/files/2130/Picture%207.jpg[/img]
Re: VPN connections with same local and remote net by TStewart on 2008-07-09 01:01:32 +0200
Disregard! This was a kind of stupid question I asked. How can you route between duplicate IP spaces. Doesn't work. . . Tyler
Re: VPN connections with same local and remote net by joostvdl on 2008-12-15 08:42:00 +0100
It isn't a stupid question. Because a lot of companies select the same private address range for their local network. So when they need to be connected it gives conflicts. I found that the ZyWALL Firewalls have the option to use NAT over IPSEC (Virtual Address Mapping) to solve this problem. I tried it with IPSecuritas 3.1 but I could get it working. So if anyone has got it working please let me know.
Re: VPN connections with same local and remote net by Forum Admin on 2008-12-16 14:56:05 +0100
Hello, there is an option to disable the address collision check altogehter in 3.2 (see latest beta). Please note, however, that using the same network locally and remotely will hide the local network (since all traffic will be routed through the tunnel to the remote side). Therefore, hosts (machines, printers etc.) in the local lan will be unavailable when IPSec is active with such a configuration. Hope this helps, Christoph
Run as Non-Admin user Run as Non-Admin user by gibbsjoh on 2008-07-10 11:43:14 +0200
Hi All, We are hoping to deploy IPSecuritas in lieu of VPN Tracker to around 5 remote users. These users are not currently admin users on their company laptops - and I'd prefer to keep it that way. My question: is there any way to run IPSecuritas without needing an admin username and password? I suspect not as it's a racoon issue from what I can see. I've tried using an AppleScript, using "do shell script" with the path to the executable, and the "with administrator privileges" flag with no luck. Any info would be much appreciated. John
Re: Run as Non-Admin user by cnadig on 2008-07-16 11:46:16 +0200
Hello, it should work finde for non-admin users, you should need to enter the admin password at first run only. However, if you run it as a non-admin user for the first time, you'll need to reboot the machine afterwards. Otherwise the user will be prompted for the admin password again he logs in for the next time and runs IPSecuritas (this is due to a limitation/bug in MacOS which we have no way to change). Hope this helps, Christoph
Network Collision Network Collision
by mudiam on 2008-07-17 21:37:07 +0200
Hello, I am trying to setup my vpn to my work and I get a red light when I connect. Here is the log
IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Jul 17, 12:21:05 Debug APP State change from IDLE to AUTHENTICATING after event START Jul 17, 12:21:05 Info APP IPSec authenticating Jul 17, 12:21:05 Info APP IKE daemon started Jul 17, 12:21:05 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER Jul 17, 12:21:05 Info APP IPSec started Jul 17, 12:21:05 Info IKE Foreground mode. Jul 17, 12:21:05 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jul 17, 12:21:05 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jul 17, 12:21:05 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jul 17, 12:21:05 Info IKE Resize address pool from 0 to 255 Jul 17, 12:21:05 Debug IKE parse successed. Jul 17, 12:21:05 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management. Jul 17, 12:21:05 Debug IKE my interface: ::1 (lo0) Jul 17, 12:21:05 Debug IKE my interface: fe80::1%lo0 (lo0) Jul 17, 12:21:05 Debug IKE my interface: 127.0.0.1 (lo0) Jul 17, 12:21:05 Debug IKE my interface: fe80::217:f2ff:fed4:dab6%en0 (en0) Jul 17, 12:21:05 Debug IKE my interface: 192.168.1.100 (en0) Jul 17, 12:21:05 Debug IKE my interface: fe80::21c:42ff:fe00:0%en2 (en2) Jul 17, 12:21:05 Debug IKE my interface: 10.37.129.3 (en2) Jul 17, 12:21:05 Debug IKE my interface: fe80::21c:42ff:fe00:1%en3 (en3) Jul 17, 12:21:05 Debug IKE my interface: 10.211.55.3 (en3) Jul 17, 12:21:05 Debug IKE configuring default isakmp port. Jul 17, 12:21:05 Debug IKE 9 addrs are configured successfully Jul 17, 12:21:05 Info IKE 10.211.55.3[500] used as isakmp port (fd=7) Jul 17, 12:21:05 Info IKE fe80::21c:42ff:fe00:1%en3[500] used as isakmp port (fd=8) Jul 17, 12:21:05 Info IKE 10.37.129.3[500] used as isakmp port (fd=9) Jul 17, 12:21:05 Info IKE fe80::21c:42ff:fe00:0%en2[500] used as isakmp port (fd=10) Jul 17, 12:21:05 Info IKE 192.168.1.100[500] used as isakmp port (fd=11) Jul 17, 12:21:05 Info IKE fe80::217:f2ff:fed4:dab6%en0[500] used as isakmp port (fd=12) Jul 17, 12:21:05 Info IKE 127.0.0.1[500] used as isakmp port (fd=13) Jul 17, 12:21:05 Info IKE fe80::1%lo0[500] used as isakmp port (fd=14) Jul 17, 12:21:05 Info IKE ::1[500] used as isakmp port (fd=15) Jul 17, 12:21:05 Debug IKE get pfkey X_SPDDUMP message Jul 17, 12:21:05 Debug IKE 02120200 02000000 00000000 ff110000 Jul 17, 12:21:05 Debug IKE pfkey X_SPDDUMP failed: No such file or directory
My local network is 192.168.1.xxx and my office network is 10.0.0.0/8
Re: Network Collision by mudiam on 2008-07-18 07:17:01 +0200
Ok, so, I got rid of the interfaces that were conflicting.. as I was running parallels interfaces, I disabled them, as they were in the 10. network as well. Now I am getting a different error, Connection timed out. Here is the debug log.. IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Jul 17, 22:10:52 Debug APP State change from IDLE to AUTHENTICATING after event START Jul 17, 22:10:52 Info APP IPSec authenticating Jul 17, 22:10:52 Info APP IKE daemon started Jul 17, 22:10:52 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER Jul 17, 22:10:52 Info APP IPSec started Jul 17, 22:10:52 Debug APP Received SADB message type X_SPDUPDATE not interesting Jul 17, 22:10:52 Debug APP Received SADB message type X_SPDUPDATE not interesting Jul 17, 22:10:52 Debug IKE Foreground mode. Jul 17, 22:10:52 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jul 17, 22:10:52 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jul 17, 22:10:52 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jul 17, 22:10:52 Info IKE Resize address pool from 0 to 255 Jul 17, 22:10:52 Debug IKE lifetime = 28800 Jul 17, 22:10:52 Debug IKE lifebyte = 0 Jul 17, 22:10:52 Debug IKE encklen=0 Jul 17, 22:10:52 Debug IKE p:1 t:1 Jul 17, 22:10:52 Debug IKE 3DES-CBC(5) Jul 17, 22:10:52 Debug IKE SHA(2) Jul 17, 22:10:52 Debug IKE 1536-bit MODP group(5) Jul 17, 22:10:52 Debug IKE XAuth pskey client(65001) Jul 17, 22:10:52 Debug IKE hmac(modp1536) Jul 17, 22:10:52 Debug IKE compression algorithm can not be checked because sadb message doesn't support it. Jul 17, 22:10:52 Debug IKE parse successed. Jul 17, 22:10:52 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management. Jul 17, 22:10:52 Info IKE 192.168.1.100[4500] used as isakmp port (fd=7) Jul 17, 22:10:52 Info IKE 192.168.1.100[500] used as isakmp port (fd=8) Jul 17, 22:10:52 Debug IKE get pfkey X_SPDDUMP message Jul 17, 22:10:52 Debug IKE 02120000 0f000100 01000000 ed130000 03000500 ff080000 10020000 0a000000 Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff200000 10020000 c0a80164 00000000 00000000 Jul 17, 22:10:52 Debug IKE 07001200 02000100 34000000 00000000 28003200 02020000 10020000 3fe55d05 Jul 17, 22:10:52 Debug IKE 00000000 00000000 10020000 c0a80164 00000000 00000000 Jul 17, 22:10:52 Debug IKE get pfkey X_SPDDUMP message Jul 17, 22:10:52 Debug IKE 02120000 0f000100 00000000 ed130000 03000500 ff200000 10020000 c0a80164 Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff080000 10020000 0a000000 00000000 00000000 Jul 17, 22:10:52 Debug IKE 07001200 02000200 33000000 00000000 28003200 02020000 10020000 c0a80164
Re: Network Collision by mudiam on 2008-07-18 07:21:03 +0200
well, the main errors are.. Jul 17, 22:10:52 Info APP Initiated connection Vcommerce VPN Jul 17, 22:10:52 Debug IKE get pfkey ACQUIRE message Jul 17, 22:10:52 Debug IKE 02060003 24000000 e9000000 00000000 03000500 ff200000 10020000 c0a80164 Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff200000 10020000 3fe55d05 00000000 00000000 Jul 17, 22:10:52 Debug IKE 1c000d00 20000000 00030000 00000000 00010008 00000000 01000000 01000000 Jul 17, 22:10:52 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000 Jul 17, 22:10:52 Debug IKE 80700000 00000000 00000000 00000000 00040000 00000000 0001c001 00000000 Jul 17, 22:10:52 Debug IKE 01000000 01000000 00000000 00000000 00000000 00000000 00000000 00000000 Jul 17, 22:10:52 Debug IKE 80510100 00000000 80700000 00000000 00000000 00000000 000c0000 00000000 Jul 17, 22:10:52 Debug IKE 00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 Jul 17, 22:10:52 Debug IKE 00000000 00000000 80510100 00000000 80700000 00000000 00000000 00000000 Jul 17, 22:10:52 Error IKE inappropriate sadb acquire message passed. Jul 17, 22:10:52 Debug IKE get pfkey ACQUIRE message Jul 17, 22:10:52 Debug IKE 02060003 14000000 e7000000 51130000 03000500 ff200000 10020000 c0a80164 Jul 17, 22:10:52 Debug IKE 00000000 00000000 03000600 ff200000 10020000 3fe55d05 00000000 00000000 Jul 17, 22:10:52 Debug IKE 0a000d00 20000000 000c0000 00000000 00010001 00000000 01000000 01000000 Jul 17, 22:10:52 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000 Jul 17, 22:10:52 Debug IKE 80700000 00000000 00000000 00000000 02001200 02000200 33000000 00000000 Jul 17, 22:10:52 Debug IKE suitable outbound SP found: 192.168.1.100/32[0] 10.0.0.0/8[0] proto=any dir=out. Jul 17, 22:10:52 Debug IKE sub:0xbffff4fc: 10.0.0.0/8[0] 192.168.1.100/32[0] proto=any dir=in Jul 17, 22:10:52 Debug IKE db :0x308cb8: 10.0.0.0/8[0] 192.168.1.100/32[0] proto=any dir=in Jul 17, 22:10:52 Debug IKE suitable inbound SP found: 10.0.0.0/8[0] 192.168.1.100/32[0] proto=any dir=in. Jul 17, 22:10:52 Debug IKE new acquire 192.168.1.100/32[0] 10.0.0.0/8[0] proto=any dir=out Jul 17, 22:10:52 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0) Jul 17, 22:10:52 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-sha)
--Jul 17, 22:10:53 Jul 17, 22:10:53 Jul 17, 22:10:53 Jul 17, 22:10:53 ------
Debug IKE Configuration exchange type mode config SET Debug IKE Attribute XAUTH_STATUS Error IKE Xauth authentication failed Debug IKE Sending MODE_CFG ACK
Re: Network Collision by mudiam on 2008-07-18 07:26:10 +0200
well, there was too much logging when in debug, so I am just doing info.. PSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Jul 17, 22:23:26 Info APP IPSec started Jul 17, 22:23:26 Error IKE Foreground mode. Jul 17, 22:23:26 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Jul 17, 22:23:26 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Jul 17, 22:23:26 Info IKE Reading configuration from "/Library/Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jul 17, 22:23:26 Info IKE Resize address pool from 0 to 255 Jul 17, 22:23:27 Info APP Initiated connection Vcommerce VPN Jul 17, 22:23:27 Error IKE inappropriate sadb acquire message passed. Jul 17, 22:23:27 Warning IKE No ID match. Jul 17, 22:23:27 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Jul 17, 22:23:27 Error IKE Xauth authentication failed Jul 17, 22:23:27 Error IKE unknown Informational exchange received. Jul 17, 22:23:27 Error IKE unknown Informational exchange received. Jul 17, 22:23:34 Info APP Initiated connection Vcommerce VPN Jul 17, 22:23:41 Info APP Initiated connection Vcommerce VPN Jul 17, 22:23:43 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 63.229.93.5[0]->192.168.1.100[0] Jul 17, 22:23:48 Info APP Initiated connection Vcommerce VPN Jul 17, 22:23:48 Warning IKE No ID match. Jul 17, 22:23:48 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Jul 17, 22:23:48 Error IKE Xauth authentication failed Jul 17, 22:23:48 Error IKE unknown Informational exchange received. Jul 17, 22:23:48 Error IKE unknown Informational exchange received. Jul 17, 22:23:55 Info APP Initiated connection Vcommerce VPN Jul 17, 22:23:55 Error IKE inappropriate sadb acquire message passed. Jul 17, 22:24:00 Warning APP Connection Vcommerce VPN timed out Jul 17, 22:24:00 Warning APP Suspending for 15 seconds Jul 17, 22:24:04 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 63.229.93.5[0]->192.168.1.100[0] Jul 17, 22:24:16 Warning APP Connection Vcommerce VPN reactivated after suspension Jul 17, 22:24:16 Error IKE such policy does not already exist: "192.168.1.100/32[0] 10.0.0.0/8[0] proto=any dir=out" Jul 17, 22:24:16 Error IKE such policy does not already exist: "10.0.0.0/8[0] 192.168.1.100/32[0] proto=any dir=in" Jul 17, 22:24:19 Info APP Initiated connection Vcommerce VPN Jul 17, 22:24:19 Error IKE inappropriate sadb acquire message passed. Jul 17, 22:24:19 Warning IKE No ID match. Jul 17, 22:24:19 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Jul 17, 22:24:19 Error IKE Xauth authentication failed Jul 17, 22:24:19 Error IKE unknown Informational exchange received. Jul 17, 22:24:19 Error IKE unknown Informational exchange received. Jul 17, 22:24:26 Info APP Initiated connection Vcommerce VPN Jul 17, 22:24:33 Info APP Initiated connection Vcommerce VPN Jul 17, 22:24:35 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 63.229.93.5[0]->192.168.1.100[0] Jul 17, 22:24:40 Info APP Initiated connection Vcommerce VPN Jul 17, 22:24:40 Warning IKE No ID match. Jul 17, 22:24:40 Info IKE couldn't find the proper pskey, try to get one by
smb, ssh drops after few minutes smb, ssh drops after few minutes by ejbcommander on 2008-07-18 14:36:57 +0200
Hi, everything here works fine (after 3 days of trial & error) with Ceckpoint SecureClient NGX VPN-1 and IPSecuritas 3.2b1 on 10.4.11 - except smb-shares and ssh-Sessions. Mounted smb-shares are dropped after a few Minutes, same with ssh. Is that a known issue? Is there a solution? I often have to start long running build-processes on remote servers, now I can only complete them by starting them nohup. Thanks in advance, Michael
Linksys WVRS4400N - Any Secrets??? Linksys WVRS4400N - Any Secrets??? by Beavis on 2008-07-19 01:52:47 +0200
So I have a Linksys WVRS4400N that I know is set up right because I can connect via QuickVPN with XP from my mac at home. Did the connection wizard with ipsecuritas and no dice : { Been reading posts here but still can't find any detailed instructions to get this working. Even following the advice of setting the Remote Security Group to a specific IP. Am I missing something? Their are still a lot of acronyms and things I don't fully understand, but I know I'm ALMOST there. Does anyone have some detailed instructions. Thanks in advance! Beavis McSleavis :-/
WRVS 4400N Setup WRVS 4400N Setup by Beavis on 2008-07-21 22:51:00 +0200
We have this linksys router with these specs... [img]http://www.boxwrench.net/images/posts/VPN.png[/img] [img]http://www.boxwrench.net/images/posts/Advanced.png[/img] [img]http://www.boxwrench.net/images/posts/General.png[/img] And this is how we have it setup in IPSecuritas... [img]http://www.boxwrench.net/images/posts/Phase_1.png[/img] [img]http://www.boxwrench.net/images/posts/Phase_2.png[/img] [img]http://www.boxwrench.net/images/posts/ID.png[/img] [img]http://www.boxwrench.net/images/posts/DNS.png[/img] [img]http://www.boxwrench.net/images/posts/Options.png[/img] We still can't get a connection. We purchased a static IP thru our ISP and it is correctly set up to passthrough VPN with NAT disabled. Can anyone see what is wrong? Thanks in advance 8-)
Re: WRVS 4400N Setup by cnadig on 2008-07-22 15:19:43 +0200
Hello, I helped configuring a WRVS4400N a while ago and found it had a rather peculiar speciality - connecting with a random IP address would not work. We got it working by specifying an IP address for 'Remote Security Group Type' (like 10.10.1.1, please copy this address to the local endpoint IP address field in IPSecuritas). This also means, that you need to setup more than one connections if more than one user wants to connect at the same time.
Hope this helps, Christoph
Re: WRVS 4400N Setup by Beavis on 2008-07-22 20:40:18 +0200
Thanks Christoph, For clarification, what is the local host IP? Is that the local LAN IP of the departure router from the remote location? Example: I'm at a coffee shop with my laptop, I don't know the local IP of the shops router. This is my remote departure point. I'm attempting to connect to my router at my home office which is behind a statip IP. I know the static IP, DNS, LAN IP, and subnet mask at my office. Again I do not know the coffee shops LAN. Does their router need to have VPN enabled? Is it possible to use IPSecuritas to make an IPSec connection without knowing your departure LAN IP? The connection works fine with the Linksys Quick VPN on a PC in the above scenario. Hoping IPSecuritas will enable my Macbook Pros the same access! Thanks again! :)
Re: WRVS 4400N Setup by DistortedLoop on 2008-12-04 18:56:12 +0100
The WRVS4400N is temperamental with Macs and IPSecuritas, but you can establish a working tunnel to get onto your network. I figured this out a couple of years ago and posted settings here on this forum. I also see that the newer versions of IPSecuritas include auto-configuration file for the 4400N. Looking at the particular settings you set, the first thing I see you have set wrong is in the Advanced Settings on the Linksys. Both your local and remote identifiers have to be set to ip address, not name. If you use name, it must be a domain name (ie., www.mydomain.com), and any DNS lookup on that name must resolve to your current ip address on that end of the connection. Also, use Main, not Aggressive. I've found that dissecting the WRVS4400N's VPN log can really help in figuring out what settings you have that are wrong. One caveat about the connection: I've just learned after a couple of years of using IPSecuritas --> WRVS4400N that not all network traffic goes over the VPN (https, mail, chat, etc - they aren't on the VPN). I'm trying to research that right now, which is why I came back to the forum here and ran across your older post. At this point, you've probably given up or figured it out, but maybe my information above will help others who are trying to figure out getting a connection going.
Re: WRVS 4400N Setup by DistortedLoop on 2008-12-04 21:49:53 +0100
Oops! Forgot to mention that you have to use Firmware V1.00.16 or earlier. I spent a good 12 hours trying to get the new firmware (V1.03?) working without success. Pretty frustrating. The issue with the new firmware is that you must use a domain name or specific ip address to identify the client; the use of "any" never worked. I verified this by using a Spring Aircard to attempt to VPN while sitting in front of my router. If I put in the dynamic ip address of the Aircard as the remote identifier, connection establishes. This won't work if you're on the road unless you jump through some hoops. One way to do it would be to enable remote administration of your WRVS4400N over the WAN. You could log in via the web interface, and change the VPN settings on the router to match your current ip address. Ugly workaround in my opinion. Another method that might work for the Aircard user, which I haven't tried because I am not interested at this time in upgrading the firmware back to V1.03 to test it out, would be to register an account with DYNDNS.ORG for your laptop/remote system, then use their OS X widget that dynamically updates your ip address on their DNS servers. You would then use the domain name in the remote identifier (i.e. mymobilename.dyndns.org). Should work, but again, I haven't tested it. I may have to if trying to get all network traffic to go over the VPN forces me to try the newer firmware.
Re: WRVS 4400N Setup by DistortedLoop on 2008-12-05 16:02:49 +0100
[quote author=DistortedLoop link=1216673460/0#4 date=1228423793] Another method that might work for the Aircard user, which I haven't tried because I am not interested at this time in upgrading the firmware back to V1.1.03 to test it out, would be to register an account with DYNDNS.ORG for your laptop/remote system, then use their OS X widget that dynamically updates your ip address on their DNS servers. You would then use the domain name in the remote identifier (i.e. mymobilename.dyndns.org). Should work, but again, I haven't tested it. I may have to if trying to get all network traffic to go over the VPN forces me to try the newer firmware. [/quote] Desperately trying to figure out another problem, I bit the bullet and upgraded back to Firmware v1.1.03. My method above does work in terms of allowing you to use a domain name as the mobile user's ip address. This is pretty handy if your system is stable with v1.1.03. Unfortunately I had to downgrade back to v1.00.16 because the newer firmware leaves the router in a corrupt state after IPSecuritas connections to it disconnect. ;-(
Linksys VS Netgear Linksys VS Netgear by Beavis on 2008-07-22 20:57:26 +0200
I'm having problems with my linksys WRVS4400N, and have been looking into a Netgear FVS336G. Can anyone recommend one over the other while using IPSecuritas? Or any other brand or model for that matter. The Netgear seems to have some better specs. Any advice is appreciated. Thanks!
Re: Linksys VS Netgear by mann on 2008-09-09 05:38:59 +0200
I have installed 3 Netgear FVS338's and have had zero problems.
Re: Linksys VS Netgear by DistortedLoop on 2008-12-04 18:29:46 +0100
[quote author=Beavis link=1216753046/0#0 date=1216753046]I'm having problems with my linksys WRVS4400N, and have been looking into a Netgear FVS336G. Can anyone recommend one over the other while using IPSecuritas? Or any other brand or model for that matter. The Netgear seems to have some better specs.[/quote]
Did you take the plunge? Are you happy with the results? I'm actually looking at the same device to replace/supplement my WRVS4400N right now. The WRVS4400N is a tempermental beast when dealing with Mac IPSEC.
[quote author=mann link=1216753046/0#1 date=1220931539]I have installed 3 Netgear FVS338's and have had zero problems.[/quote] Do you actually get all network services routed through the VPN when using your Netgear with IPSecuritas? I've got few problems connecting with my Linksys to access the internal network, but web and email and other protocols are not routed over the Linksys (that will be the subject of a different post, I'm just wondering if the Netgear works properly in that regard.
Wizard | Updated Choices Wizard | Updated Choices by NeilMcG on 2008-07-23 02:48:32 +0200
Hi, after experimenting, with mixed success - I think it's time to ask for help. In the wizard, what are the appropriate choices for the FVS338 & FVG318? Given the FVS318 is now obsolete or deleted from Netgears product range could the wizard choices be updated? I'm not sure of the product families for FVS318v3, FVS3128, FVS338, FVS538, etc. Thanks in advance.
Netgear FVS338 Netgear FVS338 by NeilMcG on 2008-07-23 02:51:43 +0200
Is the Netgear FVS338 - closer to the FVS318v3 or the FVS328? Is it possible the start a topic (stickie) with updates on the latest hardware available? Thanks in advance.
Re: Netgear FVS338 by blue68f100 on 2008-08-19 22:31:48 +0200
The 338 is closer to the 328 but it has a lot of features like a 538 if your using the latest firmware. I'm here seeking help on getting my FVS338 to connect up to my MBP. I did not have time to test before I left and I could not connect.
Re: Netgear FVS338 by NeilMcG on 2008-08-30 11:32:46 +0200
I successfully got both an FVS338 & FVG318 to connect, using the latest firmware for each and the 3.2b1 IPsecuritas I generated Connection Wizard Templates and emailed them to lobotomo.
Re: Netgear FVS338 by digitalscanner on 2008-09-23 10:40:49 +0200
hallo is it possible to send me the wizard template for the FVS338 cause itґs still not included in the b2 thanx digital
Juniper Netscreen wizard hole
Juniper Netscreen wizard hole by douger on 2008-07-25 21:01:59 +0200
I am trying to set up a VPN to a Netscreen 5XT from a machine running leopard. I downloaded the instructions for Juniper Netscreen / Juniper SSG and followed them, using the two wizards (IPSecuritas and Netscreen). I fire up the connection, and it doesn't seem to connect - red light. However, I ping the server I am trying to reach and it gets there. Not sure what is going on at this point, but if it is working and the light doesn't turn green so who cares - well, probably my user who will be confused. So I quit and exit the daemon, and still can ping the server. Hmm, maybe something left on - reboot. Try and ping the server again - sure, no problem. ??? OK, something on the firewall - oh here it is. The new policy added for the VPN allows everything in! So I check the document again and there it is, the last line in the configuration from the wizard is: set policy top from "Untrust" to "Trust" "Any" "192.168.215.0/24' Permit This allows all traffic from the untrust port to the trust port. Bad idea. Like having no firewall at all. OK, so what I did that worked was use this document http://kb.juniper.net /kb/documents/public/ApplicationNotes/Technical/ScreenOS%204.0.0 /VPN_Vaporsec.htm and adapt it to the IPSecuritas screens. I had to turn off Nat-T on the IPSecuritas side as I was using a static IP address for testing, may need to turn that back on. I did turn on Nat Traversal on the firewall. I started out to post a question about the VPN working but the red light on, but figured it out and decided to post this one as a warning. Hope it helps - Doug
IP Securitas From Mac book Pro to Fortinet 800 IP Securitas From Mac book Pro to Fortinet 800 by Yuseff on 2008-07-31 05:40:41 +0200
Hi everybody, I have an issue with a MAC Book Pro running IPSecuritas. The VPN connection to a Fortigate 800 drops in some cases every 20-30 min but in the mayority of time evey 5 min. I have more MACs running the IPSecuritas and they don't have this problem. Does anybody have a clue to what may be causing this problem? Thank you
Re: IP Securitas From Mac book Pro to Fortinet 800 by chris-in-sf on 2008-08-01 23:28:27 +0200
We are having a similar issue, but I'm not sure if it's a Fortigate problem or a VLAN problem on our switch. Also 2 of 3 MacBook Pros are having the issue, but mine has not shown the issue. We are using a Fortigate 300a. Our problem more specifically is the VPN connection itself doesn't seem to drop, but you get disconnected from machines on the LAN after about 30 minutes. Particularly if you are using remote desktop which most of us do. You can't ping those machines on that subnet anymore. Then you have to disconnect VPN connection, and reconnect, and then you can get back to the LAN. The error message that IP Securitas throws up when the LAN drops is: "Jul 28, 23:03:08 Error IKE fatal INVALID-SPI notify messsage, phase1 should be deleted. Jul 28, 23:03:12 Error IKE fatal INVALID-SPI notify messsage, phase1 should be deleted." etc, etc... Any ideas?
Fritzbox 3270 VPN problems Fritzbox 3270 VPN problems by ivan on 2008-08-08 11:26:45 +0200
I have a FritzBox 3270 wlan DSL router, NAT, including a VPN gateway. I have configured it as explained here: http://www.avm.de/de/Service/Service-Portale/Service-Portal /VPN_Interoperabilitaet/box_zu_securitas.php On my internal network I have a MacMini with shares and remote screen sharing activated. I connect to the network with a Macbook with IPSecuritas configured as described above. When I connect with my Macbook to the wired network or the Wifi network at home (no VPN) I can see the Mac Mini machine and other shares. When I connect through a foreign (wifi) network with an internal IP I can access the shares of the MacMini if I do "Connect to computer" in the Finder and type the IP, but the Macbook does not see the names of the computers with shares on the local network, neither can it resolve the computername of the MacMini. If I type the computername instead of the IP, it does not get resolved. I cannot do screen sharing either as this relies of the resolution of the computername. Now I know that Macs advertise themselves on the local network with a Mac specific Bonjour protocol, and I guess that for some reason that traffic does not pass through the VPN. Anybody has an idea how to solve this? The only computer I see in Finder with shares is "localhost" which is a loopback to my macbook I guess. I tried to switch the use_nat_t parameter to yes, to check if this has anything to do with NAT translation, but it did not solve the problem (was a shot in the dark anyway)
Re: Fritzbox 3270 VPN problems by deltanine on 2008-09-09 00:44:37 +0200
you could try: http://www.macosxhints.com/article.php?story=20080626194901370 > regards delta
Checkpoint VPN-1 connection drops all others Checkpoint VPN-1 connection drops all others by mpdg on 2008-08-08 16:55:57 +0200
I have a work PC and Mac at home. When I connect to my work Checkpoint VPN with IPSecuritas from the mac it kills the VPN connection between the Checkpoint and my work PC (which has checkpoint's software on it). If I connect two PCs with the checkpoint software I can connect to both fine. Anyone had this issue?/knows a way around it?
was working, now is not. was working, now is not. by eylisian on 2008-08-12 21:56:01 +0200
Hi, Have a user with OS X 10.5 and IPSecuritas 3.* This was working until approx a month ago, and then the gateway started getting PACKET_MALFORMED messages when he'd try and connect. I figured something got munged and generated a new cert/key pair and installed them. Now the gateway throws different errors and the connection log locally states that IKE cant find certificates or keys. Any ideas? I can and will post some logs, the user had to fly the coop and I'll get him to forward them on. Thanks, Robert
Re: was working, now is not. by eylisian on 2008-08-20 23:21:37 +0200
Finally got got the Connection Log from the user IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Aug 20, 13:40:14 Debug IKE filename: /Library/Application Support/Lobotomo Software/IPSecuritas/certs /aab01961-75e9-40f0-9c15-2ad51224602d.cert Aug 20, 13:40:14 Error IKE failed to get my CERT. Aug 20, 13:40:14 Error IKE failed to get own CERT. Aug 20, 13:40:14 Error IKE failed get my ID Aug 20, 13:40:14 Error IKE failed to process packet. Aug 20, 13:40:14 Error IKE phase1 negotiation failed. Aug 20, 13:40:14 Debug IKE IV freed Aug 20, 13:40:20 Debug IKE === Aug 20, 13:40:20 Debug IKE 244 bytes message received from *.*.*.*[500] to 192.168.0.18[500] Aug 20, 13:40:20 Debug IKE 3c491ae8 5ab88c4b 7a68aaa4 28e5d263 04100200 00000000 000000f4 0a0000c4 Aug 20, 13:40:20 Debug IKE 82aa60e6 25e77bd5 b25340a0 21ae9410 e15d820d fc6c0f29 3edb2f33 6228871b Aug 20, 13:40:20 Debug IKE 00b930be 9a74d311 64e76c6c 25230920 e2bdaee3 fadfd4cf 7f3a4925 d9d02853 Aug 20, 13:40:20 Debug IKE 2e67ebfc 9c72d332 a2512b6f 8b44ba73 f1f63591 d519ccdf 7dccc4ac d498230e Aug 20, 13:40:20 Debug IKE 3dd7d88f f036ec63 52e894f8 2094dfa0 aeffec47 73bfb8d9 042b702c bd74a54f Aug 20, 13:40:20 Debug IKE 5cd3f40e 0893c14e 65650fe3 2478a200 ebdca70d 75fb8bd9 a40730d8 0d5e382f Aug 20, 13:40:20 Debug IKE 87b87354 61e09c7f 50c68257 237a0419 77f481eb 58ba7e68 c235710d 72afce34 Aug 20, 13:40:20 Debug IKE 00000014 c7deff2a acb9acf7 dc886f3b 5ec5f427 Aug 20, 13:40:20 Debug IKE malformed cookie received or the spi expired. Aug 20, 13:40:21 Info APP Initiated connection Outside of Rulespace Aug 20, 13:40:21 Debug IKE get pfkey ACQUIRE message Aug 20, 13:40:21 Debug IKE 02060003 24000000 06000000 00000000 03000500 ff200000 10020000 c0a80012 Aug 20, 13:40:21 Debug IKE 00000000 00000000 03000600 ff200000 10020000 cea37bcf 00000000 00000000 Aug 20, 13:40:21 Debug IKE 1c000d00 20000000 00030000 00000000 00010008 00000000 01000000 01000000 Aug 20, 13:40:21 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000 Aug 20, 13:40:21 Debug IKE 80700000 00000000 00000000 00000000 00040000 00000000 0001c001 00000000 Aug 20, 13:40:21 Debug IKE 01000000 01000000 00000000 00000000 00000000 00000000 00000000 00000000 Aug 20, 13:40:21 Debug IKE 80510100 00000000 80700000 00000000 00000000 00000000 000c0000 00000000 Aug 20, 13:40:21 Debug IKE 00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 Aug 20, 13:40:21 Debug IKE 00000000 00000000 80510100 00000000 80700000 00000000 00000000 00000000 Aug 20, 13:40:21 Error IKE inappropriate sadb acquire message passed. Aug 20, 13:40:21 Debug IKE get pfkey ACQUIRE message Aug 20, 13:40:21 Debug IKE 02060003 14000000 12000000 53000000 03000500 ff200000 10020000 c0a80012
Strange connections of Daemon Strange connections of Daemon by abfdx279 on 2008-08-22 00:27:37 +0200
Little Snitch reports on Leopard the following inbound connections for the Daemon. IPSecuritas was is not active. Could this be some kind of "spill over" from remote Skype clients trying to connect? Skype is running at the same time.
Verbindungsverlauf fьr: IPSecuritasDaemon (/Library/StartupItems /IPSecuritasDaemon/IPSecuritasDaemon) Gesamt: 0 Bytes gesendet, 0.6kB empfangen ###.netcologne.de (###.###.243.214), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 170 Bytes empfangen ###.hrz.fh-zwickau.de (###.###.72.1), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 56 Bytes empfangen ###.pools.arcor-ip.net (###.###.16.47), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 77 Bytes empfangen ###.adsl.alicedsl.de (###.###.174.3), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 89 Bytes empfangen ###.zaq.ne.jp (###.###.113.26), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 91 Bytes empfangen ###.###.144.95 (###.###.144.95), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 86 Bytes empfangen ###.TU-Berlin.DE (###.###.8.19), Port 0 (1024/tcp), Protokoll 1 (ICMP), 0 Bytes gesendet, 56 Bytes empfangen
Second question: Someone has asked similar question before, but how can you generally route all traffic through the VPN? Do you have to have this feature on both the client (like IPSecuritas) and the server or is that just a feature IPSecuritas could implement (or has already) on its own? Thanks to the developer! The connection works (to some degree) for an AVM Fritz!Box 7170. Though, it would be nice if you could route the websurfing through the VPN.
Re: Strange connections of Daemon by cnadig on 2008-08-24 21:55:55 +0200
Hello, this traffic looks strange indeed. IPSecuritas sends ICMP ping packets if the connection surveillance is enabled and only to the configured hosts while connected. The traffic could also be ICMP unreachable replies, but then I could not imagine why they are addresses to IPSecuritasDaemon. Would it be possible to tcpdump the traffic for further analysis (as root, run 'tcpdump -i en0 -s1500 -w ~/Desktop/traffic.pcap' for a while)? Cheers, Christoph
Re: Strange connections of Daemon by abfdx279 on 2008-08-25 17:59:35 +0200
Hi again! Just tried MacSniffer (uses tcpdump) together with Little Snitch. After closing down all other programs (including Skype), IPSecuritas' Daemon doesn't seem to get any more inbound connects. Guess I have to look further into that. But Skype will produce significant traffic when launched... In my opinion that has something to do with skype. Could someone try that on his Mac (Leopard)? (running Skype, LittleSnitch as shareware version and just the Deamon without IPSecuritas itself and without any IPSec connection). The IPs look like they are dynamic (for example Alice is a German provider) and Skype uses a decentral system of connections...
Re: Strange connections of Daemon by abfdx279 on 2008-08-30 15:03:46 +0200
Has anyone else tested this thing? OS X Leopard - Skype - IPSecuritas - LittleSnitch (or some other monitoring software) Christoph?
route add issue route add issue by deltanine on 2008-08-27 19:40:42 +0200
I have successfully established an IPSEC VPN connection from a MacBook Pro to a Draytek Vigor 2820 using IPSecuritas's Wizard. The remote router (net 192.168.10.0) can establish VPN connections to other networks. When using PPTP or L2TP for the same connection I was able to [code]sudo route -n add -net 192.168.30.0 192.168.10.1 255.255.255.0[/code] in order to allow applications on the MacBook to access network 192.168.30.0 via 192.168.10.1 . The same approach fails when using IPSEC with IPSecuritas. Is there a way to make this work? Thanks in advance. Delta
MacOS: 10.4.11 IPSecuritas: 3.1 Router: Draytek Vigor 2820 with Firmware 3.2.1_2111112
New 3.2 Beta version released New 3.2 Beta version released by cnadig on 2008-08-31 10:47:36 +0200
Good morning, a new beta version has been release to replace the expiring 3.2b1. Please download it from [url]http://www.lobotomo.com/products/downloads /IPSecuritas32b2.dmg[/url]. The included Readme file contains a list of enhancements and bug fixes. Cheers, Christoph
Problem connecting to VPN with Netgear DGFV338 Problem connecting to VPN with Netgear DGFV338 by greyloki on 2008-09-02 17:41:06 +0200
Hey folks, I'm trying to set up a roadwarrior VPN using a Mac laptop connecting to a Netgear DGFV338. I've found a tutorial that I followed (I can't remember the link for it, but the first page shows it's for IPSecuritas 3.x by Lobotomo Software and a Netgear DGFV338, written Oct 15th 2007), but i'm having trouble in connecting - all of the settings in both IPSecuritas and the Netgear appear to be correct, but my log seems to say otherwise, and I get a yellow dot next to my connection's name, too. Here's the log: http://pastebin.com/m4a12da21 Any help would be greatly appreciated :) Edit: The tutorial talks about matching 'local' and 'remote' IKE policy identifiers - on the router, i have the remote identifier set as remote_roadwarrior, since this is theoretically the laptop, and the local identifier is esw_office.com. In IPSecuritas, I have these reversed - local is remote_roadwarrior, and remote is esw_office.com - is that correct?
Problem installing IPSecuritas Problem installing IPSecuritas by marconcini on 2008-09-03 00:14:33 +0200
hi all, I'm new to the Mac world and am having trouble loading the IPSecuritas software. I get an error message saying that i am trying to load to a read only file system. I am trying to instal to the applications folder so I don't understand. I'm frustrated :-[
Nortel VPN Nortel VPN by rambling_rebel on 2008-09-05 04:08:39 +0200
just downloaded this vpn software.....I'm trying to get MAC's into my customer base instead of MS based stuff. I have this customer and 4 more behind him all wanting MACS and VPN's. I Favour Nortel VPN's and need to get this working on a contivity. I have the s/w loaded and it sayz its working (IPSEC service started) but I don't ever see it on the contivity trying to connect, and I can't seem to get my head around where to begin to figure out where to look for solving this problem, any suggestions....
Re: Nortel VPN by rambling_rebel on 2008-09-05 04:23:32 +0200
ok, I'm a knucklehead, I found the user guide.....ill read through it, but if anyone has info that could help me, it would be appreciated...
Can't Connect to SonicWall Pro
Can't Connect to SonicWall Pro by Philodox on 2008-09-09 03:15:03 +0200
Hi all, I'm trying to set up IPSecuritas to give me access to a SonicWall Pro vpn network. I can't connect and unfortunately the logs are rather cryptic so I'm not sure where to look. I'm running this on the latest rev Macbook Pro. [quote] IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Sep 08, 17:59:39 Info APP IPSec authenticating Sep 08, 17:59:39 Info APP IKE daemon started Sep 08, 17:59:39 Info APP IPSec started Sep 08, 17:59:39 Error IKE Foreground mode. Sep 08, 17:59:39 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Sep 08, 17:59:39 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Sep 08, 17:59:39 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Sep 08, 17:59:39 Info IKE Resize address pool from 0 to 255 Sep 08, 17:59:39 Info APP Initiated connection tre Sep 08, 17:59:39 Error IKE inappropriate sadb acquire message passed. Sep 08, 17:59:39 Error IKE delete phase1 handle. Sep 08, 17:59:44 Error IKE delete phase1 handle. Sep 08, 17:59:46 Info APP Initiated connection tre Sep 08, 17:59:49 Error IKE delete phase1 handle. Sep 08, 17:59:53 Info APP Initiated connection tre Sep 08, 17:59:54 Error IKE delete phase1 handle. Sep 08, 17:59:55 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500] Sep 08, 17:59:59 Error IKE delete phase1 handle. Sep 08, 18:00:00 Info APP Initiated connection tre Sep 08, 18:00:00 Error IKE inappropriate sadb acquire message passed. Sep 08, 18:00:02 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500] Sep 08, 18:00:04 Error IKE delete phase1 handle. Sep 08, 18:00:07 Info APP Initiated connection tre Sep 08, 18:00:09 Error IKE phase1 negotiation failed due to time up. 3dfec7ca41ce9d94:0000000000000000 Sep 08, 18:00:09 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500] Sep 08, 18:00:12 Warning APP Connection tre timed out Sep 08, 18:00:12 Warning APP Giving up Sep 08, 18:00:16 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500] Sep 08, 18:00:23 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP 24.16.134.55[500]->192.168.1.2[500] [/quote] [quote]# Racoon configuration created by IPSecuritas log notify; path pre_shared_key "/Library/Application Support/Lobotomo Software/IPSecuritas/psk.txt"; path certificate "/Library/Application Support/Lobotomo Software/IPSecuritas/certs"; padding { maximum_length 20;
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-10 08:18:02 +0200
Edit: I've got a little bit farther, I had my DH group set incorrectly for phase 1. My current log looks like: [quote] IPSecuritas 3.2b2 build 2391, So 31 Aug 2008 10:13:21 CEST, nadig Darwin 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386 Sep 10, 00:02:16 Info APP IPSec authenticating Sep 10, 00:02:16 Info APP Connection tre is started Sep 10, 00:02:16 Info APP IKE daemon started Sep 10, 00:02:16 Info APP IPSec started Sep 10, 00:02:16 Info APP Initiated connection tre Sep 10, 00:02:16 Error IKE Foreground mode. Sep 10, 00:02:16 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Sep 10, 00:02:16 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Sep 10, 00:02:16 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Sep 10, 00:02:16 Info IKE Resize address pool from 0 to 255 Sep 10, 00:02:23 Info APP Initiated connection tre Sep 10, 00:02:23 Error IKE ISAKMP mode config exchange with immature phase 1 Sep 10, 00:02:28 Error IKE the length in the isakmp header is too big. Sep 10, 00:02:30 Info APP Initiated connection tre Sep 10, 00:02:33 Error IKE the length in the isakmp header is too big. Sep 10, 00:02:37 Info APP Initiated connection tre Sep 10, 00:02:38 Error IKE the length in the isakmp header is too big. Sep 10, 00:02:39 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [remote][4500]->192.168.1.2[4500] Sep 10, 00:02:43 Error IKE the length in the isakmp header is too big. Sep 10, 00:02:44 Info APP Initiated connection tre Sep 10, 00:02:46 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [remote][4500]->192.168.1.2[4500] Sep 10, 00:02:48 Error IKE the length in the isakmp header is too big. Sep 10, 00:02:49 Warning APP Connection tre timed out Sep 10, 00:02:49 Warning APP Giving up Sep 10, 00:02:53 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [remote][4500]->192.168.1.2[4500] [/quote] I'm using XAuth PSK. If I turn off XAuth PSK I get this log, does anybody know which one is "better"? [quote]IPSecuritas 3.2b2 build 2391, So 31 Aug 2008 10:13:21 CEST, nadig Darwin 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386 Sep 10, 00:05:02 Info APP IPSec restarting Sep 10, 00:05:03 Info APP IKE daemon terminated Sep 10, 00:05:03 Info APP IPSec restarting Sep 10, 00:05:03 Info APP Connection tre is started Sep 10, 00:05:03 Info APP IKE daemon started Sep 10, 00:05:03 Info APP IPSec started Sep 10, 00:05:03 Error IKE Foreground mode. Sep 10, 00:05:03 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Sep 10, 00:05:03 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Sep 10, 00:05:03 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Sep 10, 00:05:03 Info IKE Resize address pool from 0 to 255
Re: Can't Connect to SonicWall Pro by cnadig on 2008-09-11 18:01:58 +0200
Hello, I'd try normal PSK first since XAuth isn't strictly standardized and there are many vendor-specific implementations around. In main mode, identification is usually only possible by IP address (you set it to FQDN) and may or may not work for road warriors depending on the implementation of your firewall firmware. For road warriors, aggressive mode is usually the better way, especially if there is more than one user. Please set the log level to Debug to get more detailed information. Hope this helps, Christoph
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-13 03:48:08 +0200
Thanks :) I changed it to address but I'm still getting the same errors. How do I set the log level to debug? I tried doing it through System Preferences/Network but that hasn't seem to have done anything. My current config: [quote]# Racoon configuration created by IPSecuritas log notify; path pre_shared_key "/Library/Application Support/Lobotomo Software/IPSecuritas/psk.txt"; path certificate "/Library/Application Support/Lobotomo Software/IPSecuritas/certs"; padding { maximum_length 20; randomize on; strict_check off; exclusive_tail on; } timer { counter 5; interval 5 seconds; persend 1; phase1 15 seconds; phase2 15 seconds; } # Connection "tre" remote x.x.x.x { verify_cert off; verify_identifier off; initial_contact on; passive off; support_proxy off; generate_policy off; verify_cert off; send_cert on; send_cr on; mode_cfg off; ike_frag on; doi ipsec_doi; situation identity_only; nat_traversal on; exchange_mode main; proposal_check obey; nonce_size 16; my_identifier address; peers_identifier address; proposal { lifetime time 1800 seconds; encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key;
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:20:44 +0200
Found the debug log option, it was under preferences :-[ Anyways here's the debug log[quote]IPSecuritas 3.2b2 build 2391, So 31 Aug 2008 10:13:21 CEST, nadig Darwin 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386 Sep 14, 16:14:21 Debug APP All connections authenticated Sep 14, 16:14:21 Debug APP State change from IDLE to AUTHENTICATING after event START Sep 14, 16:14:21 Info APP IPSec authenticating Sep 14, 16:14:21 Info APP Connection tre is started Sep 14, 16:14:21 Info APP IKE daemon started Sep 14, 16:14:21 Debug APP State change from AUTHENTICATING to RUNNING after event AUTHENTICATED Sep 14, 16:14:21 Info APP IPSec started Sep 14, 16:14:21 Debug APP Received SADB message type X_SPDUPDATE not interesting Sep 14, 16:14:21 Debug APP Received SADB message type X_SPDUPDATE not interesting Sep 14, 16:14:21 Info IKE Foreground mode. Sep 14, 16:14:21 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Sep 14, 16:14:21 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Sep 14, 16:14:21 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Sep 14, 16:14:21 Info IKE Resize address pool from 0 to 255 Sep 14, 16:14:21 Debug IKE lifetime = 1800 Sep 14, 16:14:21 Debug IKE lifebyte = 0 Sep 14, 16:14:21 Debug IKE encklen=0 Sep 14, 16:14:21 Debug IKE p:1 t:1 Sep 14, 16:14:21 Debug IKE 3DES-CBC(5) Sep 14, 16:14:21 Debug IKE SHA(2) Sep 14, 16:14:21 Debug IKE 1024-bit MODP group(2) Sep 14, 16:14:21 Debug IKE pre-shared key(1) Sep 14, 16:14:21 Debug IKE compression algorithm can not be checked because sadb message doesn't support it. Sep 14, 16:14:21 Debug IKE parse successed. Sep 14, 16:14:21 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management. Sep 14, 16:14:21 Info IKE 192.168.1.2[4500] used as isakmp port (fd=6) Sep 14, 16:14:21 Info IKE 192.168.1.2[500] used as isakmp port (fd=7) Sep 14, 16:14:21 Debug IKE get pfkey X_SPDDUMP message Sep 14, 16:14:21 Debug IKE 02120000 0f000200 01000000 2e030000 03000500 ff180000 10020000 0a0a0a00 Sep 14, 16:14:21 Debug IKE 00000000 00000000 03000600 ff200000 10020000 c0a80102 00000000 00000000 Sep 14, 16:14:21 Debug IKE 07001200 02000100 08000000 00000000 28003200 02030e00 10020000 18108637 Sep 14, 16:14:21 Debug IKE 00000000 00000000 10020000 c0a80102 00000000 00000000 Sep 14, 16:14:21 Debug IKE get pfkey X_SPDDUMP message Sep 14, 16:14:21 Debug IKE 02120000 0f000200 00000000 2e030000 03000500 ff200000 10020000 c0a80102 Sep 14, 16:14:21 Debug IKE 00000000 00000000 03000600 ff180000 10020000 0a0a0a00 00000000 00000000 Sep 14, 16:14:21 Debug IKE 07001200 02000200 07000000 00000000 28003200 02030d00 10020000 c0a80102 Sep 14, 16:14:21 Debug IKE 00000000 00000000 10020000 18108637 00000000 00000000
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:22:24 +0200
[quote]Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 20, next type 13 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 0 Sep 14, 16:14:21 Debug IKE 344 bytes from 192.168.1.2[500] to x.x.x.x[500] Sep 14, 16:14:21 Debug IKE sockname 192.168.1.2[500] Sep 14, 16:14:21 Debug IKE send packet from 192.168.1.2[500] Sep 14, 16:14:21 Debug IKE send packet to x.x.x.x[500] Sep 14, 16:14:21 Debug IKE 1 times of 344 bytes message will be sent to x.x.x.x[500] Sep 14, 16:14:21 Debug IKE 5dd654cd bfed7735 00000000 00000000 01100200 00000000 00000158 0d000034 Sep 14, 16:14:21 Debug IKE 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c0708 Sep 14, 16:14:21 Debug IKE 80010005 80030001 80020002 80040002 0d000014 4a131c81 07035845 5c5728f2 Sep 14, 16:14:21 Debug IKE 0e95452f 0d000014 8f8d8382 6d246b6f c7a8a6a4 28c11de8 0d000014 439b59f8 Sep 14, 16:14:21 Debug IKE ba676c4c 7737ae22 eab8f582 0d000014 4d1e0e13 6deafa34 c4f3ea9f 02ec7285 Sep 14, 16:14:21 Debug IKE 0d000014 80d0bb3d ef54565e e84645d4 c85ce3ee 0d000014 9909b64e ed937c65 Sep 14, 16:14:21 Debug IKE 73de52ac e952fa6b 0d000014 7d9419a6 5310ca6f 2c179d92 15529d56 0d000014 Sep 14, 16:14:21 Debug IKE cd604643 35df21f8 7cfdb2fc 68b6a448 0d000014 90cb8091 3ebb696e 086381b5 Sep 14, 16:14:21 Debug IKE ec427b1f 0d000014 16f6ca16 e4a4066d 83821a0f 0aeaa862 0d000014 4485152d Sep 14, 16:14:21 Debug IKE 18b6bbcd 0be8a846 9579ddcc 0d000018 4048b7d5 6ebce885 25e7de7f 00d6c2d3 Sep 14, 16:14:21 Debug IKE 80000000 00000014 afcad713 68a1f1c9 6b8696fc 77570100 Sep 14, 16:14:21 Debug IKE resend phase1 packet 5dd654cdbfed7735:0000000000000000 Sep 14, 16:14:21 Debug IKE === Sep 14, 16:14:21 Debug IKE 112 bytes message received from x.x.x.x[500] to 192.168.1.2[500] Sep 14, 16:14:21 Debug IKE 5dd654cd bfed7735 59ae89f0 711e7f3e 01100200 00000000 00000070 0d000034 Sep 14, 16:14:21 Debug IKE 00000001 00000001 00000028 01010001 00000020 01010000 80010005 80020002 Sep 14, 16:14:21 Debug IKE 80040002 80030001 800b0001 800c0708 0d00000c 5b362bc8 20f60006 00000014 Sep 14, 16:14:21 Debug IKE 4a131c81 07035845 5c5728f2 0e95452f Sep 14, 16:14:21 Debug IKE begin. Sep 14, 16:14:21 Debug IKE seen nptype=1(sa) Sep 14, 16:14:21 Debug IKE seen nptype=13(vid) Sep 14, 16:14:21 Debug IKE seen nptype=13(vid) Sep 14, 16:14:21 Debug IKE succeed. Sep 14, 16:14:21 Debug IKE received unknown Vendor ID Sep 14, 16:14:21 Debug IKE 5b362bc8 20f60006 Sep 14, 16:14:21 Info IKE received Vendor ID: RFC 3947
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:23:29 +0200
[quote]Sep 14, 16:14:21 Debug IKE (lifebyte = 0:0) Sep 14, 16:14:21 Debug IKE enctype = 3DES-CBC:3DES-CBC Sep 14, 16:14:21 Debug IKE (encklen = 0:0) Sep 14, 16:14:21 Debug IKE hashtype = SHA:SHA Sep 14, 16:14:21 Debug IKE authmethod = pre-shared key:pre-shared key Sep 14, 16:14:21 Debug IKE dh_group = 1024-bit MODP group:1024-bit MODP group Sep 14, 16:14:21 Debug IKE an acceptable proposal found. Sep 14, 16:14:21 Debug IKE hmac(modp1024) Sep 14, 16:14:21 Debug IKE agreed on pre-shared key auth. Sep 14, 16:14:21 Debug IKE === Sep 14, 16:14:21 Debug IKE compute DH's private. Sep 14, 16:14:21 Debug IKE 6d19d366 249a109c 36b021cd b3107c47 3914824e df5ea643 ef185e07 1823fbe1 Sep 14, 16:14:21 Debug IKE 497aabf9 10104106 5848a852 358c239c a0bdd736 b1019038 08d9de94 e866a799 Sep 14, 16:14:21 Debug IKE 804237ef 5bce8aec 3709d370 5e63c132 c3406398 d0741fc6 40776d07 b6cee87c Sep 14, 16:14:21 Debug IKE 6ca1af6c 87d09681 7218df0f 18be22fb 88320cf3 9c25db6b a43e0c0d 096398e7 Sep 14, 16:14:21 Debug IKE compute DH's public. Sep 14, 16:14:21 Debug IKE 970dd812 1a62895a ab5cb04b 843e04d7 06aabb36 dd897189 a2307b08 ed6b7735 Sep 14, 16:14:21 Debug IKE 7a552f68 d3e7b588 1c4613ad 28a9bf2a 3eebce18 7215c3ad 48e3b5c1 c33f42b1 Sep 14, 16:14:21 Debug IKE 4f7752b5 961f9ba2 1179335e 09fc7e7e 7e664936 016c5444 2e885254 fd76339b Sep 14, 16:14:21 Debug IKE 727cc1cb 70f23bcf e1fee811 17eca979 c3bb190d 8915b374 02ba17a1 0c0f2ad2 Sep 14, 16:14:21 Info IKE Hashing x.x.x.x[500] with algo #2 Sep 14, 16:14:21 Debug IKE hash(sha1) Sep 14, 16:14:21 Info IKE Hashing 192.168.1.2[500] with algo #2 Sep 14, 16:14:21 Debug IKE hash(sha1) Sep 14, 16:14:21 Info IKE Adding remote and local NAT-D payloads. Sep 14, 16:14:21 Debug IKE add payload of len 128, next type 10 Sep 14, 16:14:21 Debug IKE add payload of len 16, next type 20 Sep 14, 16:14:21 Debug IKE add payload of len 20, next type 20 Sep 14, 16:14:21 Debug IKE add payload of len 20, next type 0 Sep 14, 16:14:21 Debug IKE 228 bytes from 192.168.1.2[500] to x.x.x.x[500] Sep 14, 16:14:21 Debug IKE sockname 192.168.1.2[500] Sep 14, 16:14:21 Debug IKE send packet from 192.168.1.2[500] Sep 14, 16:14:21 Debug IKE send packet to x.x.x.x[500] Sep 14, 16:14:21 Debug IKE 1 times of 228 bytes message will be sent to x.x.x.x[500] Sep 14, 16:14:21 Debug IKE 5dd654cd bfed7735 59ae89f0 711e7f3e 04100200 00000000 000000e4 0a000084 Sep 14, 16:14:21 Debug IKE 970dd812 1a62895a ab5cb04b 843e04d7 06aabb36 dd897189 a2307b08 ed6b7735 Sep 14, 16:14:21 Debug IKE 7a552f68 d3e7b588 1c4613ad 28a9bf2a 3eebce18 7215c3ad 48e3b5c1 c33f42b1 Sep 14, 16:14:21 Debug IKE 4f7752b5 961f9ba2 1179335e 09fc7e7e 7e664936 016c5444 2e885254 fd76339b Sep 14, 16:14:21 Debug IKE 727cc1cb 70f23bcf e1fee811 17eca979 c3bb190d 8915b374 02ba17a1 0c0f2ad2 Sep 14, 16:14:21 Debug IKE 14000014 9c8ed4a5 d1653546 a7b0d169 82d56448 14000018 bfad97a7 acc7f714 Sep 14, 16:14:21 Debug IKE 1174bbe3 eabd4651 e92c2300 00000018 00360655 a1fd4d3f f68c07a6 29ff959e Sep 14, 16:14:21 Debug IKE 2a842026 Sep 14, 16:14:21 Debug IKE resend phase1 packet
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:24:11 +0200
[quote] Sep 14, 16:14:21 Info IKE KA list add: 192.168.1.2[4500]->x.x.x.x[4500] Sep 14, 16:14:21 Debug IKE === Sep 14, 16:14:21 Debug IKE compute DH's shared. Sep 14, 16:14:21 Debug IKE a397f573 07369726 f5cde748 422998c4 704ace1b bf96c581 9294b1e8 990d0dd7 Sep 14, 16:14:21 Debug IKE b5b6f45c b7adaea9 a2c70199 7e5a8162 88e18344 f1939812 615df1ea bf531d62 Sep 14, 16:14:21 Debug IKE ba03b1a6 1f2a7652 8b3d5224 acc599a3 6012f54b 38ddee03 5eaf86ed 0112d0de Sep 14, 16:14:21 Debug IKE 5a5664ae 2672534b 6cc6fe04 97f0dbb4 37c12eea c095d2ba 905f57be 61589745 Sep 14, 16:14:21 Debug IKE the psk found. Sep 14, 16:14:21 Debug IKE psk: 2008-09-14 16:14:21: DEBUG2: Sep 14, 16:14:21 Debug IKE 45304343 43394338 42394236 38364637 Sep 14, 16:14:21 Debug IKE nonce 1: 2008-09-14 16:14:21: DEBUG: Sep 14, 16:14:21 Debug IKE 9c8ed4a5 d1653546 a7b0d169 82d56448 Sep 14, 16:14:21 Debug IKE nonce 2: 2008-09-14 16:14:21: DEBUG: Sep 14, 16:14:21 Debug IKE 71603fde 2e350ff6 1f9fdf6b 0588c60f 2151080a Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1) Sep 14, 16:14:21 Debug IKE SKEYID computed: Sep 14, 16:14:21 Debug IKE 21425a9a d9d29890 23b41dae bc80c129 6299ebbf Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1) Sep 14, 16:14:21 Debug IKE SKEYID_d computed: Sep 14, 16:14:21 Debug IKE 40a8f852 117dbf35 681434f9 7234ecc2 1301d50d Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1) Sep 14, 16:14:21 Debug IKE SKEYID_a computed: Sep 14, 16:14:21 Debug IKE 56898368 ae8a501c 1a6b4523 133e704b 0025d46b Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1) Sep 14, 16:14:21 Debug IKE SKEYID_e computed: Sep 14, 16:14:21 Debug IKE e8ba7e4e 77ce21be 04e56ddc 8c7094cf 4562e6a1 Sep 14, 16:14:21 Debug IKE encryption(3des) Sep 14, 16:14:21 Debug IKE hash(sha1) Sep 14, 16:14:21 Debug IKE len(SKEYID_e) < len(Ka) (20 < 24), generating long key (Ka = K1 | K2 | ...) Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1) Sep 14, 16:14:21 Debug IKE compute intermediate encryption key K1 Sep 14, 16:14:21 Debug IKE 00 Sep 14, 16:14:21 Debug IKE e0f43032 2960130d 4d3c200d 09204dcd 1c4daa82 Sep 14, 16:14:21 Debug IKE hmac(hmac_sha1) Sep 14, 16:14:21 Debug IKE compute intermediate encryption key K2 Sep 14, 16:14:21 Debug IKE e0f43032 2960130d 4d3c200d 09204dcd 1c4daa82 Sep 14, 16:14:21 Debug IKE 5c44252e a8f6897c 4d505519 1c3a78c3 f9a3c728 Sep 14, 16:14:21 Debug IKE final encryption key computed: Sep 14, 16:14:21 Debug IKE e0f43032 2960130d 4d3c200d 09204dcd 1c4daa82 5c44252e Sep 14, 16:14:21 Debug IKE hash(sha1) Sep 14, 16:14:21 Debug IKE encryption(3des) Sep 14, 16:14:21 Debug IKE IV computed: Sep 14, 16:14:21 Debug IKE 76b4a289 4d986ea9 Sep 14, 16:14:21 Debug IKE use ID type of IPv4_address Sep 14, 16:14:21 Debug IKE HASH with: Sep 14, 16:14:21 Debug IKE 970dd812 1a62895a ab5cb04b 843e04d7
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:25:13 +0200
[quote]Sep 14, 16:14:21 Debug IKE 1 times of 72 bytes message will be sent to x.x.x.x[4500] Sep 14, 16:14:21 Debug IKE 00000000 5dd654cd bfed7735 59ae89f0 711e7f3e 05100201 00000000 00000044 Sep 14, 16:14:21 Debug IKE a553b0ff d11baa03 0f1b4d4a a393f28c f4e6506e 18c6aebc b5a95620 2c032e4b Sep 14, 16:14:21 Debug IKE 3e0f94ab 847c7586 Sep 14, 16:14:21 Debug IKE resend phase1 packet 5dd654cdbfed7735:59ae89f0711e7f3e Sep 14, 16:14:21 Debug IKE === Sep 14, 16:14:21 Debug IKE 76 bytes message received from x.x.x.x[4500] to 192.168.1.2[4500] Sep 14, 16:14:21 Debug IKE 5dd654cd bfed7735 59ae89f0 711e7f3e 05100201 00000000 0000004c e7b56bd6 Sep 14, 16:14:21 Debug IKE 5b7dd040 8ebb5c37 1f50211a 1aef5e8b f8e37816 876c612d 7926a0c8 a86e0e7c Sep 14, 16:14:21 Debug IKE 9790da4c 2f789bdc e9b130ad Sep 14, 16:14:21 Debug IKE begin decryption. Sep 14, 16:14:21 Debug IKE encryption(3des) Sep 14, 16:14:21 Debug IKE IV was saved for next processing: Sep 14, 16:14:21 Debug IKE 2f789bdc e9b130ad Sep 14, 16:14:21 Debug IKE encryption(3des) Sep 14, 16:14:21 Debug IKE with key: Sep 14, 16:14:21 Debug IKE e0f43032 2960130d 4d3c200d 09204dcd 1c4daa82 5c44252e Sep 14, 16:14:21 Debug IKE decrypted payload by IV: Sep 14, 16:14:21 Debug IKE 3e0f94ab 847c7586 Sep 14, 16:14:21 Debug IKE decrypted payload, but not trimed. Sep 14, 16:14:21 Debug IKE 08000014 02000000 30303036 42313131 36333838 00000018 70bdb824 15d12217 Sep 14, 16:14:21 Debug IKE 851cf849 61538c22 df7b05fc 00000003 Sep 14, 16:14:21 Debug IKE padding len=4 Sep 14, 16:14:21 Debug IKE skip to trim padding. Sep 14, 16:14:21 Debug IKE decrypted. Sep 14, 16:14:21 Debug IKE 5dd654cd bfed7735 59ae89f0 711e7f3e 05100201 00000000 0000004c 08000014 Sep 14, 16:14:21 Debug IKE 02000000 30303036 42313131 36333838 00000018 70bdb824 15d12217 851cf849 Sep 14, 16:14:21 Debug IKE 61538c22 df7b05fc 00000003 Sep 14, 16:14:21 Debug IKE begin. Sep 14, 16:14:21 Debug IKE seen nptype=5(id) Sep 14, 16:14:21 Debug IKE seen nptype=8(hash) Sep 14, 16:14:21 Debug IKE succeed. Sep 14, 16:14:21 Error IKE Expecting IP address type in main mode, but FQDN. Sep 14, 16:14:21 Error IKE invalid ID payload. Sep 14, 16:14:26 Debug IKE Adding NON-ESP marker Sep 14, 16:14:26 Debug IKE 72 bytes from 192.168.1.2[4500] to x.x.x.x[4500] Sep 14, 16:14:26 Debug IKE sockname 192.168.1.2[4500] Sep 14, 16:14:26 Debug IKE send packet from 192.168.1.2[4500] Sep 14, 16:14:26 Debug IKE send packet to x.x.x.x[4500] Sep 14, 16:14:26 Debug IKE 1 times of 72 bytes message will be sent to x.x.x.x[4500] Sep 14, 16:14:26 Debug IKE 00000000 5dd654cd bfed7735 59ae89f0 711e7f3e 05100201 00000000 00000044 Sep 14, 16:14:26 Debug IKE a553b0ff d11baa03 0f1b4d4a a393f28c f4e6506e 18c6aebc b5a95620 2c032e4b Sep 14, 16:14:26 Debug IKE 3e0f94ab 847c7586 Sep 14, 16:14:26 Debug IKE resend phase1 packet 5dd654cdbfed7735:59ae89f0711e7f3e
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:25:55 +0200
[quote]Sep 14, 16:14:28 Debug IKE 02060003 24000000 04000000 00000000 03000500 ff200000 10020000 c0a80102 Sep 14, 16:14:28 Debug IKE 00000000 00000000 03000600 ff200000 10020000 18108637 00000000 00000000 Sep 14, 16:14:28 Debug IKE 1c000d00 20000000 00030000 00000000 00010008 00000000 01000000 01000000 Sep 14, 16:14:28 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000 Sep 14, 16:14:28 Debug IKE 80700000 00000000 00000000 00000000 00040000 00000000 0001c001 00000000 Sep 14, 16:14:28 Debug IKE 01000000 01000000 00000000 00000000 00000000 00000000 00000000 00000000 Sep 14, 16:14:28 Debug IKE 80510100 00000000 80700000 00000000 00000000 00000000 000c0000 00000000 Sep 14, 16:14:28 Debug IKE 00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 Sep 14, 16:14:28 Debug IKE 00000000 00000000 80510100 00000000 80700000 00000000 00000000 00000000 Sep 14, 16:14:28 Debug IKE get pfkey ACQUIRE message Sep 14, 16:14:28 Debug IKE 02060003 14000000 07000000 73000000 03000500 ff200000 10020000 c0a80102 Sep 14, 16:14:28 Debug IKE 00000000 00000000 03000600 ff200000 10020000 18108637 00000000 00000000 Sep 14, 16:14:28 Debug IKE 0a000d00 20000000 000c0000 00000000 00010001 00000000 01000000 01000000 Sep 14, 16:14:28 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000 Sep 14, 16:14:28 Debug IKE 80700000 00000000 00000000 00000000 02001200 02000200 07000000 00000000 Sep 14, 16:14:28 Debug IKE suitable outbound SP found: 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out. Sep 14, 16:14:28 Debug IKE sub:0xbffff67c: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in Sep 14, 16:14:28 Debug IKE db :0x108b78: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in Sep 14, 16:14:28 Debug IKE suitable inbound SP found: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in. Sep 14, 16:14:28 Debug IKE new acquire 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out Sep 14, 16:14:28 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=14:13) Sep 14, 16:14:28 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-sha) Sep 14, 16:14:28 Debug IKE in post_acquire Sep 14, 16:14:28 Debug IKE configuration found for x.x.x.x. Sep 14, 16:14:28 Info IKE request for establishing IPsec-SA was queued due to no phase1 found. Sep 14, 16:14:31 Debug IKE Adding NON-ESP marker Sep 14, 16:14:31 Debug IKE 72 bytes from 192.168.1.2[4500] to x.x.x.x[4500] Sep 14, 16:14:31 Debug IKE sockname 192.168.1.2[4500] Sep 14, 16:14:31 Debug IKE send packet from 192.168.1.2[4500] Sep 14, 16:14:31 Debug IKE send packet to x.x.x.x[4500] Sep 14, 16:14:31 Debug IKE 1 times of 72 bytes message will be sent to x.x.x.x[4500] Sep 14, 16:14:31 Debug IKE 00000000 5dd654cd bfed7735 59ae89f0 711e7f3e 05100201 00000000 00000044 Sep 14, 16:14:31 Debug IKE a553b0ff d11baa03 0f1b4d4a a393f28c f4e6506e 18c6aebc b5a95620 2c032e4b Sep 14, 16:14:31 Debug IKE 3e0f94ab 847c7586 Sep 14, 16:14:31 Debug IKE resend phase1 packet
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:26:33 +0200
[quote] Sep 14, 16:14:35 Debug IKE 80700000 00000000 00000000 00000000 02001200 02000200 07000000 00000000 Sep 14, 16:14:35 Debug IKE suitable outbound SP found: 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out. Sep 14, 16:14:35 Debug IKE sub:0xbffff67c: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in Sep 14, 16:14:35 Debug IKE db :0x108b78: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in Sep 14, 16:14:35 Debug IKE suitable inbound SP found: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in. Sep 14, 16:14:35 Debug IKE new acquire 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out Sep 14, 16:14:35 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=14:13) Sep 14, 16:14:35 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-sha) Sep 14, 16:14:35 Debug IKE in post_acquire Sep 14, 16:14:35 Debug IKE configuration found for x.x.x.x. Sep 14, 16:14:35 Info IKE request for establishing IPsec-SA was queued due to no phase1 found. Sep 14, 16:14:36 Debug IKE Adding NON-ESP marker Sep 14, 16:14:36 Debug IKE 72 bytes from 192.168.1.2[4500] to x.x.x.x[4500] Sep 14, 16:14:36 Debug IKE sockname 192.168.1.2[4500] Sep 14, 16:14:36 Debug IKE send packet from 192.168.1.2[4500] Sep 14, 16:14:36 Debug IKE send packet to x.x.x.x[4500] Sep 14, 16:14:36 Debug IKE 1 times of 72 bytes message will be sent to x.x.x.x[4500] Sep 14, 16:14:36 Debug IKE 00000000 5dd654cd bfed7735 59ae89f0 711e7f3e 05100201 00000000 00000044 Sep 14, 16:14:36 Debug IKE a553b0ff d11baa03 0f1b4d4a a393f28c f4e6506e 18c6aebc b5a95620 2c032e4b Sep 14, 16:14:36 Debug IKE 3e0f94ab 847c7586 Sep 14, 16:14:36 Debug IKE resend phase1 packet 5dd654cdbfed7735:59ae89f0711e7f3e Sep 14, 16:14:36 Debug IKE === Sep 14, 16:14:36 Debug IKE 76 bytes message received from x.x.x.x[4500] to 192.168.1.2[4500] Sep 14, 16:14:36 Debug IKE 5dd654cd bfed7735 59ae89f0 711e7f3e 05100201 00000000 0000004c e7b56bd6 Sep 14, 16:14:36 Debug IKE 5b7dd040 8ebb5c37 1f50211a 1aef5e8b f8e37816 876c612d 7926a0c8 a86e0e7c Sep 14, 16:14:36 Debug IKE 9790da4c 2f789bdc e9b130ad Sep 14, 16:14:36 Debug IKE begin decryption. Sep 14, 16:14:36 Debug IKE encryption(3des) Sep 14, 16:14:36 Debug IKE IV was saved for next processing: Sep 14, 16:14:36 Debug IKE 2f789bdc e9b130ad Sep 14, 16:14:36 Debug IKE encryption(3des) Sep 14, 16:14:36 Debug IKE with key: Sep 14, 16:14:36 Debug IKE e0f43032 2960130d 4d3c200d 09204dcd 1c4daa82 5c44252e Sep 14, 16:14:36 Debug IKE decrypted payload by IV: Sep 14, 16:14:36 Debug IKE 3e0f94ab 847c7586 Sep 14, 16:14:36 Debug IKE decrypted payload, but not trimed. Sep 14, 16:14:36 Debug IKE 08000014 02000000 30303036 42313131 36333838 00000018 70bdb824 15d12217 Sep 14, 16:14:36 Debug IKE 851cf849 61538c22 df7b05fc 00000003 Sep 14, 16:14:36 Debug IKE padding len=4 Sep 14, 16:14:36 Debug IKE skip to trim padding. Sep 14, 16:14:36 Debug IKE decrypted.
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:27:22 +0200
[quote]Sep 14, 16:14:41 Debug IKE encryption(3des) Sep 14, 16:14:41 Debug IKE IV was saved for next processing: Sep 14, 16:14:41 Debug IKE 2f789bdc e9b130ad Sep 14, 16:14:41 Debug IKE encryption(3des) Sep 14, 16:14:41 Debug IKE with key: Sep 14, 16:14:41 Debug IKE e0f43032 2960130d 4d3c200d 09204dcd 1c4daa82 5c44252e Sep 14, 16:14:41 Debug IKE decrypted payload by IV: Sep 14, 16:14:41 Debug IKE 3e0f94ab 847c7586 Sep 14, 16:14:41 Debug IKE decrypted payload, but not trimed. Sep 14, 16:14:41 Debug IKE 08000014 02000000 30303036 42313131 36333838 00000018 70bdb824 15d12217 Sep 14, 16:14:41 Debug IKE 851cf849 61538c22 df7b05fc 00000003 Sep 14, 16:14:41 Debug IKE padding len=4 Sep 14, 16:14:41 Debug IKE skip to trim padding. Sep 14, 16:14:41 Debug IKE decrypted. Sep 14, 16:14:41 Debug IKE 5dd654cd bfed7735 59ae89f0 711e7f3e 05100201 00000000 0000004c 08000014 Sep 14, 16:14:41 Debug IKE 02000000 30303036 42313131 36333838 00000018 70bdb824 15d12217 851cf849 Sep 14, 16:14:41 Debug IKE 61538c22 df7b05fc 00000003 Sep 14, 16:14:41 Debug IKE begin. Sep 14, 16:14:41 Debug IKE seen nptype=5(id) Sep 14, 16:14:41 Debug IKE seen nptype=8(hash) Sep 14, 16:14:41 Debug IKE succeed. Sep 14, 16:14:41 Error IKE Expecting IP address type in main mode, but FQDN. Sep 14, 16:14:41 Error IKE invalid ID payload. Sep 14, 16:14:42 Info APP Initiated connection tre Sep 14, 16:14:42 Debug IKE get pfkey ACQUIRE message Sep 14, 16:14:42 Debug IKE 02060003 14000000 09000000 73000000 03000500 ff200000 10020000 c0a80102 Sep 14, 16:14:42 Debug IKE 00000000 00000000 03000600 ff200000 10020000 18108637 00000000 00000000 Sep 14, 16:14:42 Debug IKE 0a000d00 20000000 000c0000 00000000 00010001 00000000 01000000 01000000 Sep 14, 16:14:42 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000 Sep 14, 16:14:42 Debug IKE 80700000 00000000 00000000 00000000 02001200 02000200 07000000 00000000 Sep 14, 16:14:42 Debug IKE suitable outbound SP found: 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out. Sep 14, 16:14:42 Debug IKE sub:0xbffff67c: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in Sep 14, 16:14:42 Debug IKE db :0x108b78: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in Sep 14, 16:14:42 Debug IKE suitable inbound SP found: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in. Sep 14, 16:14:42 Debug IKE new acquire 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out Sep 14, 16:14:42 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=14:13) Sep 14, 16:14:42 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-sha) Sep 14, 16:14:42 Debug IKE in post_acquire Sep 14, 16:14:42 Debug IKE configuration found for x.x.x.x. Sep 14, 16:14:42 Info IKE request for establishing IPsec-SA was queued due to no phase1 found. Sep 14, 16:14:44 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP x.x.x.x[4500]->192.168.1.2[4500] Sep 14, 16:14:44 Info IKE delete phase 2 handler.
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:28:38 +0200
[quote]Sep 14, 16:14:46 Debug IKE 5dd654cd bfed7735 59ae89f0 711e7f3e 05100201 00000000 0000004c 08000014 Sep 14, 16:14:46 Debug IKE 02000000 30303036 42313131 36333838 00000018 70bdb824 15d12217 851cf849 Sep 14, 16:14:46 Debug IKE 61538c22 df7b05fc 00000003 Sep 14, 16:14:46 Debug IKE begin. Sep 14, 16:14:46 Debug IKE seen nptype=5(id) Sep 14, 16:14:46 Debug IKE seen nptype=8(hash) Sep 14, 16:14:46 Debug IKE succeed. Sep 14, 16:14:46 Error IKE Expecting IP address type in main mode, but FQDN. Sep 14, 16:14:46 Error IKE invalid ID payload. Sep 14, 16:14:49 Info APP Initiated connection tre Sep 14, 16:14:49 Debug IKE get pfkey ACQUIRE message Sep 14, 16:14:49 Debug IKE 02060003 24000000 05000000 00000000 03000500 ff200000 10020000 c0a80102 Sep 14, 16:14:49 Debug IKE 00000000 00000000 03000600 ff200000 10020000 18108637 00000000 00000000 Sep 14, 16:14:49 Debug IKE 1c000d00 20000000 00030000 00000000 00010008 00000000 01000000 01000000 Sep 14, 16:14:49 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000 Sep 14, 16:14:49 Debug IKE 80700000 00000000 00000000 00000000 00040000 00000000 0001c001 00000000 Sep 14, 16:14:49 Debug IKE 01000000 01000000 00000000 00000000 00000000 00000000 00000000 00000000 Sep 14, 16:14:49 Debug IKE 80510100 00000000 80700000 00000000 00000000 00000000 000c0000 00000000 Sep 14, 16:14:49 Debug IKE 00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 Sep 14, 16:14:49 Debug IKE 00000000 00000000 80510100 00000000 80700000 00000000 00000000 00000000 Sep 14, 16:14:49 Debug IKE get pfkey ACQUIRE message Sep 14, 16:14:49 Debug IKE 02060003 14000000 0a000000 73000000 03000500 ff200000 10020000 c0a80102 Sep 14, 16:14:49 Debug IKE 00000000 00000000 03000600 ff200000 10020000 18108637 00000000 00000000 Sep 14, 16:14:49 Debug IKE 0a000d00 20000000 000c0000 00000000 00010001 00000000 01000000 01000000 Sep 14, 16:14:49 Debug IKE 00000000 00000000 00000000 00000000 00000000 00000000 80510100 00000000 Sep 14, 16:14:49 Debug IKE 80700000 00000000 00000000 00000000 02001200 02000200 07000000 00000000 Sep 14, 16:14:49 Debug IKE suitable outbound SP found: 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out. Sep 14, 16:14:49 Debug IKE sub:0xbffff67c: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in Sep 14, 16:14:49 Debug IKE db :0x108b78: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in Sep 14, 16:14:49 Debug IKE suitable inbound SP found: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in. Sep 14, 16:14:49 Debug IKE new acquire 192.168.1.2/32[0] 10.10.10.0/24[0] proto=any dir=out Sep 14, 16:14:49 Debug IKE (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=14:13) Sep 14, 16:14:49 Debug IKE (trns_id=3DES encklen=0 authtype=hmac-sha) Sep 14, 16:14:49 Debug IKE in post_acquire Sep 14, 16:14:49 Debug IKE configuration found for x.x.x.x. Sep 14, 16:14:49 Info IKE request for establishing IPsec-SA was queued due to no phase1 found.
Re: Can't Connect to SonicWall Pro by Philodox on 2008-09-15 01:29:15 +0200
[quote] Sep 14, 16:14:54 Debug IKE 020f0000 0f000000 00000000 73000000 07001200 02000100 08000000 00000000 Sep 14, 16:14:54 Debug IKE 28003200 02031000 10020000 18108637 00000000 00000000 10020000 c0a80102 Sep 14, 16:14:54 Debug IKE 00000000 00000000 03000500 ff180000 10020000 0a0a0a00 00000000 00000000 Sep 14, 16:14:54 Debug IKE 03000600 ff200000 10020000 c0a80102 00000000 00000000 Sep 14, 16:14:54 Debug IKE sub:0xbffff6a4: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in Sep 14, 16:14:54 Debug IKE db :0x108b78: 10.10.10.0/24[0] 192.168.1.2/32[0] proto=any dir=in Sep 14, 16:14:54 Debug IKE caught rtm:14, need update interface address list Sep 14, 16:14:58 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP x.x.x.x[4500]->192.168.1.2[4500] Sep 14, 16:14:58 Info IKE delete phase 2 handler. Sep 14, 16:14:58 Debug IKE msg 5 not interesting Sep 14, 16:15:05 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP x.x.x.x[4500]->192.168.1.2[4500] Sep 14, 16:15:05 Info IKE delete phase 2 handler. Sep 14, 16:15:17 Debug IKE msg 5 not interesting [/quote]
Re: Can't Connect to SonicWall Pro by rayiron on 2008-10-06 23:41:59 +0200
Check your Sonicwall log. If it's saying "I don't allow static IPs" then, make sure you set the GroupVPN Client setting to 'DHCP or Manual'. Then it will connect instantly!
Re: Can't Connect to SonicWall Pro by alan on 2008-11-19 12:12:20 +0100
Hello, did you find a solution to this problem IKE the length in the isakmp header is too big. what was the issue ? Regards. Alan [quote author=Philodox link=1220922903/0#1 date=1221027482]Edit: I've got a little bit farther, I had my DH group set incorrectly for phase 1. My current log looks like: [quote] IPSecuritas 3.2b2 build 2391, So 31 Aug 2008 10:13:21 CEST, nadig Darwin 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386 Sep 10, 00:02:16 Info APP IPSec authenticating Sep 10, 00:02:16 Info APP Connection tre is started Sep 10, 00:02:16 Info APP IKE daemon started Sep 10, 00:02:16 Info APP IPSec started Sep 10, 00:02:16 Info APP Initiated connection tre Sep 10, 00:02:16 Error IKE Foreground mode. Sep 10, 00:02:16 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Sep 10, 00:02:16 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Sep 10, 00:02:16 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Sep 10, 00:02:16 Info IKE Resize address pool from 0 to 255 Sep 10, 00:02:23 Info APP Initiated connection tre Sep 10, 00:02:23 Error IKE ISAKMP mode config exchange with immature phase 1 Sep 10, 00:02:28 Error IKE the length in the isakmp header is too big. Sep 10, 00:02:30 Info APP Initiated connection tre Sep 10, 00:02:33 Error IKE the length in the isakmp header is too big. Sep 10, 00:02:37 Info APP Initiated connection tre Sep 10, 00:02:38 Error IKE the length in the isakmp header is too big. Sep 10, 00:02:39 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [remote][4500]->192.168.1.2[4500] Sep 10, 00:02:43 Error IKE the length in the isakmp header is too big. Sep 10, 00:02:44 Info APP Initiated connection tre Sep 10, 00:02:46 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [remote][4500]->192.168.1.2[4500] Sep 10, 00:02:48 Error IKE the length in the isakmp header is too big. Sep 10, 00:02:49 Warning APP Connection tre timed out Sep 10, 00:02:49 Warning APP Giving up Sep 10, 00:02:53 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP [remote][4500]->192.168.1.2[4500] [/quote] I'm using XAuth PSK. If I turn off XAuth PSK I get this log, does anybody know which one is "better"? [quote]IPSecuritas 3.2b2 build 2391, So 31 Aug 2008 10:13:21 CEST, nadig Darwin 9.4.0 Darwin Kernel Version 9.4.0: Mon Jun 9 19:30:53 PDT 2008; root:xnu-1228.5.20~1/RELEASE_I386 i386 Sep Sep Sep Sep Sep
10, 10, 10, 10, 10,
00:05:02 00:05:03 00:05:03 00:05:03 00:05:03
Info Info Info Info Info
APP APP APP APP APP
IPSec restarting IKE daemon terminated IPSec restarting Connection tre is started IKE daemon started
Connect to VPN before or at login? Connect to VPN before or at login? by wpd7 on 2008-09-09 21:30:54 +0200
Is there any way to have the VPN connection start prior to login? That way we can login directly to OD from the satellite offices.
Re: Connect to VPN before or at login? by cnadig on 2008-09-11 14:34:45 +0200
Hello, the autostart function in IPSecuritas' preferences has exactly this purpose. Hope this helps, Christoph
setup with a cisco vpn setup with a cisco vpn by ashelin79 on 2008-09-10 16:18:32 +0200
my companies has a network admin that won't help me with anything 'cause i have a mac. anyways, i have the cisco vpn client, i have a .pcf file that i can import and/or open as txt to view the settings, but i don't know how to import this file into ipsecuritas. I do not know the model of the cisco vpn my work uses... can anyone help me out with this one? Thanks in advance!
Zyxel 661-H Zyxel 661-H by Garhu on 2008-09-11 12:36:48 +0200
Hi all, first to the general knowledge it's the first time for me to build a VPN. I've bought a Zyxel 661H which is from my view only the little borther from 662H. If tried to tutorial for the 662-H which is not the same interface, but the settings are more or less the same. Here are the settings from the router ... [img] http://web118.441.hosttech.eu/Ville/vpn-1.jpg[/img] [img] http://web118.441.hosttech.eu/Ville/vpn-2.jpg[/img] [img] http://web118.441.hosttech.eu/Ville/vpn-3.jpg[/img] And that's what IPSecuritas gives out in the Protokoll [quote]IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Sep 11, 12:30:07 Debug APP State change from IDLE to AUTHENTICATING after event START Sep 11, 12:30:07 Info APP IPSec authenticating Sep 11, 12:30:07 Info APP IKE daemon started Sep 11, 12:30:07 Debug APP State change from AUTHENTICATING to RUNNING after event TIMER Sep 11, 12:30:07 Info APP IPSec started Sep 11, 12:30:07 Info IKE Foreground mode. Sep 11, 12:30:07 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Sep 11, 12:30:07 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Sep 11, 12:30:07 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Sep 11, 12:30:07 Info IKE Resize address pool from 0 to 255 Sep 11, 12:30:07 Debug IKE parse successed. Sep 11, 12:30:07 Debug IKE open /Library/Application Support/Lobotomo Software/IPSecuritas/admin.sock as racoon management. Sep 11, 12:30:07 Debug IKE my interface: fe80::1%lo0 (lo0) Sep 11, 12:30:07 Debug IKE my interface: 127.0.0.1 (lo0) Sep 11, 12:30:07 Debug IKE my interface: ::1 (lo0) Sep 11, 12:30:07 Debug IKE my interface: fe80::21b:63ff:fec7:62b5%en1 (en1) Sep 11, 12:30:07 Debug IKE my interface: 192.168.1.36 (en1) Sep 11, 12:30:07 Debug IKE configuring default isakmp port. Sep 11, 12:30:07 Debug IKE 5 addrs are configured successfully Sep 11, 12:30:07 Info IKE 192.168.1.36[500] used as isakmp port (fd=6) Sep 11, 12:30:07 Info IKE fe80::21b:63ff:fec7:62b5%en1[500] used as isakmp port (fd=7) Sep 11, 12:30:07 Info IKE ::1[500] used as isakmp port (fd=8) Sep 11, 12:30:07 Info IKE 127.0.0.1[500] used as isakmp port (fd=9) Sep 11, 12:30:07 Info IKE fe80::1%lo0[500] used as isakmp port (fd=10) Sep 11, 12:30:07 Debug IKE get pfkey X_SPDDUMP message Sep 11, 12:30:07 Debug IKE 02120200 02000000 00000000 07020000 Sep 11, 12:30:07 Debug IKE pfkey X_SPDDUMP failed: No such file or directory [/quote] Any idears?
Re: Zyxel 661-H by cnadig on 2008-09-11 14:45:54 +0200
Hello, one apparent point is the local subnet, which should be 255.255.255.0 instead of 192.168.1.1. Other than that I can see that there isn't even a connection attempt made by IPSecuritas, which ususally means that some details in the configuration is missing or there is an address confilict between the local and the remote network addresses. Both should be indicated by a red dot next to the connection name in the main window of IPSecuritas. When you hover your mouse over this red dot, you should get a short explanation of what is the culprit in a tooltip window. Hope this helps, Christoph
Re: Zyxel 661-H by Garhu on 2008-09-11 16:37:51 +0200
Hi, the subnet is automaticli changed to 192.168.1.1 from 255.255.255.0 ...... the red dot is there but if I hover over it there doesn't come any tooltip window. I changed my Ip settings on the nextwork to 192.168.2.1 and no it looks like it trys to connect. The protocoll was to big, so here is the whol protocoll. I tried to read it, but what now wrong I didn't get :S [url]http://web118.441.hosttech.eu/Ville/vpn-protokoll.txt[/url]
Problems with the popular 192.168.1.0 Subnet. Problems with the popular 192.168.1.0 Subnet. by mi.ch on 2008-09-12 17:52:54 +0200
hello everybody. first of all thanks a lot for this wonderful tool. it works very good. but there is a problem i was not able to solve. since many years our lan uses the 192.168.1.0 /24 network. but also many of our homeworkers use this subnet. this leads to problems. is there a posibility to configure ipsecuritas in that way that it can establish a connection from a 192.168.1.0 subnet to a 192.168.1.0 subnet. i'm also thankful for any other suggestions. bye chris
Re: Problems with the popular 192.168.1.0 Subnet. by cnadig on 2008-09-15 17:09:48 +0200
Hello Chris, there is a very basic problem with this: two networks require different addresses, otherwise adressing is ambiguous and strange side effects will occur. This is usually prevented by the address collision check in IPSecuritas, however, I added an option to disable this collision check (currently only available in beta releases of 3.2, see [url]http://www.lobotomo.com/cgi-bin /yabb/YaBB.pl?num=1220172456[/url]). In this case, be prepared to loose any connectivity to the local network, because all traffic for 192.168.1.0 will be directed through the VPN tunnel). Hope this helps, Christoph
Netgear FVS336G Netgear FVS336G by sfmike64 on 2008-09-12 19:12:32 +0200
I have a client who has this Netgear device and wants to use the IPSEC functionality with the Mac (they think the built in SSL VPN is too complicated to use). There are setup guides for similar Netgear models, but not this one. Has anyone actually set up a 336G successfully with IPSecuritas? I tried running the VPN Wizard and then setting up IPSecuritas with what seemed like the right settings, but I get a Phase 2 error (time out waiting for Phase 1). I'm sure it's something fairly trivial, but I'm no Raccoon Expert. Please note this is a 336 not a 338, 328 or 318. It's a little bit different beast.
Routing IPSecuritasґs tunnel to Parallels Desktop Routing IPSecuritasґs tunnel to Parallels Desktop by openservice on 2008-09-13 09:07:13 +0200
Hi there, IPSecuritas rocks, no question. Thankґs for that fine, litte app. I am using Parallels Desktop (sometimes :-) and would appreciate to use the connected vpn tunnel (established through ipsecuritas) in there (XP Pro virtual machine). Is there a chance of getting this to work. In the preferences of that VM there are three options to coose, but none of them offer the virtual interface created by IPSecuritas. Thank you! Klaus
DHCP over IPSec DHCP over IPSec by lirmm-jlo on 2008-09-17 13:23:54 +0200
Bonjour, I'm using IPSecuritas v32b2 on OSX 10.5.5 ... thanks for this great job IPSec connections are made to a Fortigate300A, and the MR7 of FortiOS 3.0 solved the Xauth PSK stuff. But I still can't get a DHCP address through the IPSec tunnel. I think the conf of the fortigate unit is good because I get the DHCP address when I use the forticlient on a windows virtual machine ... Could you give me any points to try debugging this ??? (which interface is used by the tunnel - no ip address on gif0 and nothing in the routing table ) Thanks
Re: DHCP over IPSec by scarabee on 2008-09-18 20:15:11 +0200
I have exactly the same problem. The configuration is perfect with the FortiClient on XP (with DHCP IPSec).
Re: DHCP over IPSec by roos on 2008-10-01 10:30:31 +0200
Have you enabled the MODE_CFG option in your config? Here, it works with many Juniper Netscreens. Haven't tried with Fortigate.
Re: DHCP over IPSec by lirmm-jlo on 2008-10-01 10:40:58 +0200
Hello, Yes ....
Re: DHCP over IPSec by roesslm on 2008-10-06 14:49:32 +0200
Do you have Proxy ARP enabled on your router?
Transport Mode Check Box Transport Mode Check Box by dbailey on 2008-09-18 18:42:19 +0200
In 3.0 if both endpoint modes were set to Host, there was a checkbox for Transport. This does not appear for 3.1, however importing a connection with Transport checked from 3.0 works and will reveal the check box. Is there another way to get to it? Or does this require a bugfix? Thanks.
Re: Transport Mode Check Box by dbailey on 2008-09-18 18:43:49 +0200
This is on leopard BTW...
[solved] Lancom 1811 connection problem [solved] Lancom 1811 connection problem by roesslm on 2008-10-07 22:33:08 +0200
I was able to track down the problem by analysing the trace on the vpn router. The problem seems to be mode_cfg, which isn't working in IPSecuritas. LANCOM trace for the IPSecuritas connection: Note: The connection is made via a 3G mobile and the provider is using nat on his side. So we have three ip addresses: local_public_ip (MacBook Pro), public_ip (Provider) and remote_public_ip (LANCOM vpn router) IKE info: The remote server public_ip:500 peer def-aggr-peer id supports NAT-T in mode rfc IKE info: The remote server public_ip:500 peer def-aggr-peer id negotiated rfc-3706-dead-peer-detection [VPN-Status] 2008/10/07 21:09:46,900 IKE info: phase-1 proposal failed: remote No 1 hash algorithm = SHA local No 1 hash algorithm = MD5 IKE info: Phase-1 remote proposal 1 for peer def-aggr-peer matched with local proposal 2 [VPN-Status] 2008/10/07 21:09:55,160 IKE info: Phase-1 [responder] for peer IPSECURITAS between initiator id ipsecuritas, responder id lancom done IKE info: NAT-T enabled in mode rfc, we are behind a nat, the remote side is behind a nat IKE info: SA ISAKMP for peer IPSECURITAS encryption aes-cbc authentication sha1 IKE info: life time ( 8000 sec/ 0 kb) [VPN-Status] 2008/10/07 21:10:00,940 IKE info: Phase-2 failed for peer IPSECURITAS: no rule matches the phase-2 ids local_public_ip 192.168.0.0/255.255.255.0 IKE log: 211000 Default message_negotiate_sa: no compatible proposal found IKE log: 211000 Default dropped message from public_ip port 4966 due to notification type NO_PROPOSAL_CHOSEN IKE info: dropped message from peer IPSECURITAS public_ip port 4966 due to notification type NO_PROPOSAL_CHOSEN [VPN-Status] 2008/10/07 21:10:00,950 VPN: Error: IPSEC-R-No-rule-matched-IDs (0x3201) for IPSECURITAS (public_ip) [VPN-Status] 2008/10/07 21:10:00,950 VPN: selecting next remote gateway using strategy eFirst for IPSECURITAS => no remote gateway selected [VPN-Status] 2008/10/07 21:10:00,950 VPN: selecting first remote gateway using strategy eFirst for IPSECURITAS => no remote gateway selected [VPN-Status] 2008/10/07 21:10:00,950 VPN: installing ruleset for IPSECURITAS (0.0.0.0) [VPN-Status] 2008/10/07 21:10:00,950 VPN: installing ruleset generally [VPN-Status] 2008/10/07 21:10:00,970 IKE info: Delete Notificaton sent for Phase-1 SA to peer IPSECURITAS [VPN-Status] 2008/10/07 21:10:00,970 IKE info: Phase-1 SA removed: peer IPSECURITAS rule IPSECURITAS removed
The IKE-CFG request is missing between phase 1 and phase 2, therefore no rule matches phase 2.
This is how it should be, trace is taken from a VPNTracker5 connection with the same parameters_ IKE info: The remote server public_ip:500 peer def-aggr-peer id supports NAT-T in mode rfc
Re: Lancom 1811 connection problem by roesslm on 2008-10-08 15:10:56 +0200
I solved the problem by using a static IP address for the MacBook Pro and setting a static route in the Lancom vpn router. This is a solution I wanted to avoid. When can we expect a working IKE Config mode support in IPSecuritas? Cheers Michael
VNC service at port 5950 not working VNC service at port 5950 not working by slightly on 2008-10-07 03:45:37 +0200
Hi I have just successfully set up a VPN tunnel site-to-site with IPSecuritas between my home FVS114 and one of my client offices, which is also behind a Netgear FVS114. I can access AFP service, and VNC or Remote Desktop to several remote Macs which use the standard Mac VNC (5900) service. However, I can't VNC to a Sun Solaris server which uses port 5950, and which works perfectly when I'm physically inside the network. I can, however, ping this server, as well as VNC to it from a machine within the network. Can anyone advise? My home network is 10.91.3.0/24, and the remote network is 192.168.1.0/24. I've configured my home FVS114 to allow the VNC service through the firewall. Thanks!
CheckPoint VPN-1 Disconnects CheckPoint VPN-1 Disconnects by trolin on 2008-10-10 19:06:25 +0200
I'm using IPSecuritas with a CheckPoint VPN-1 server using XAUTH. Despite having Phase 1 and Phase 2 timeouts of 4 hours, my connection keeps dropping much more frequently than that. I have it configured to retry the connection immediately, so interruptions are brief and automatically recovered, but they are enough to kill certains types of connections, such as SMB and SSH. Has anyone else observed this problem? Any workarounds or suggestions? (I'll be dissecting a debugging log, but I don't see anything obvious at the moment.)
New computer, no connections... New computer, no connections... by ahancock on 2008-10-18 16:38:27 +0200
I just had to move my drive to a new computer.... so new byhost prefs take effect My IPSecuritas connections are gone now... where can I go to see them, and edit the prefs w/ my new machine info so I can make them show back up again?
Re: New computer, no connections... by AlexB on 2008-10-22 03:12:51 +0200
I have the same problem after the logic board of my MacBook Pro had to be changed: [b]all the IPSecuritas profiles are gone![/b] :-( It seems as if IPSecuritas resets its database on startup? Because of ... the changed MAC address? ...?? Any solution? Thanks Alex
Re: New computer, no connections... by Forum Admin on 2008-10-22 17:15:55 +0200
The changed MAC address indeed... I shall remove this in the next release since it seems that its harm is larger than its benefit. However, in your situation I don't see a solution unless you happen to still know the old MAC address.
Christoph
Re: New computer, no connections... by ahancock on 2008-10-22 17:34:43 +0200
The old MAC address is visible in ~/Library/Preferences/Byhost... it is just a matter of the user determining the right address I know mine, how could I use that to fix the issue? Thank you!
Re: New computer, no connections... by Forum Admin on 2008-10-23 22:33:16 +0200
Hello, if you send the MAC address (en0), I will create a version that is able to read your old configuration. Cheers, Christoph
Re: New computer, no connections... by ahancock on 2008-10-25 14:09:29 +0200
[quote author=Forum Admin link=1224340707/0#4 date=1224793996]Hello, if you send the MAC address (en0), I will create a version that is able to read your old configuration. [/quote] simple enough: 0017f2c3ca8b
Re: New computer, no connections... by Forum Admin on 2008-10-30 23:26:01 +0100
Hello, please download another beta from www.lobotomo.com/products /downloads/IPSecuritas32b3.dmg It will properly read your old configuration. Before starting the new version, please make sure to stop the daemon (run IPSecuritas and select the menu item 'Terminate daemon and quit'), then copy your old configuration data from your backup to /Library/Application Support/Lobotomo Software/IPSecuritas/configuration.data and restart IPSecuritas. Cheers, Christoph
Re: New computer, no connections... by pacronce on 2008-12-03 17:07:36 +0100
I moved to a new computer yesterday and am seeing the same problem. I tried to manually copy the files located here: /Library/Application Support/Lobotomo Software/IPSecuritas But when I restart IPSecuritas, it wipes my configuration and certificates. I'm running IPSecuritas v3.1.1p1. Could you possibly provide me with a beta that will allow me to migrate my old settings? My old machine's MAC address was 0017f2ca61b9. Sorry to be a pain. Thanks in advance for your help. Best, -Allen Cronce
Re: New computer, no connections... by pacronce on 2008-12-04 20:36:22 +0100
[quote author=pacronce link=1224340707/0#7 date=1228320456]Could you possibly provide me with a beta that will allow me to migrate my old settings? My old machine's MAC address was 0017f2ca61b9. Sorry to be a pain. Thanks in advance for your help. [/quote] Never mind. I couldn't wait so I manually exported and imported to work around the problem. Best, -Allen Cronce
Where is the beta again? (I'm an idiot) Where is the beta again? (I'm an idiot) by cr0100 on 2008-10-24 15:22:46 +0200
I've been using IPSecuritas 3.2b2, and it tells me this morning that it has expired. For the life of me, I can't figure out where the betas are so that I can download a newer beta and keep using this version. The small improvements over 3.1 are much appreciated so I'm trying not to go backwards. I suppose I should have bookmarked the location the LAST time I downloaded a beta, but I failed to do so. :-( Any pointers would be appreciated, thanks! -Charles
Re: Where is the beta again? (I'm an idiot) by NeilMcG on 2008-10-28 17:40:38 +0100
There is nothing in the download folder now, there is no directory index, it will return to the product index page. I have mailed with Christoph in August and he said, "[i]If no major problems with this beta will be found, I will release the productive version 3.2.[/i]" So if we are lucky, the full production version of 3.2 could be close.
Re: Where is the beta again? (I'm an idiot) by auser on 2008-10-30 20:16:02 +0100
Is it possible we could get some news on this 3.2 release and/or a 3.2b3. I rely on the "disable collision check" feature and am unable to login to my remote accounts at present. Regards, Andrew
Re: Where is the beta again? (I'm an idiot) by Forum Admin on 2008-10-30 22:22:26 +0100
Hello, please download another beta from [url]www.lobotomo.com/products /downloads/IPSecuritas32b3.dmg[/url] I'd like to apologize for not making the production release available yet. There have been a few last minute changes (configuration data not bound to machine anymore) that I'd like to test a bit further, and the updated user manual is not quite ready yet. Cheers, Christoph
Re: Where is the beta again? (I'm an idiot) by NeilMcG on 2008-10-30 22:45:10 +0100
Thanks Christoph, Your efforts are appreciated.
Re: Where is the beta again? (I'm an idiot) by blue68f100 on 2008-11-02 23:42:57 +0100
[quote author=Forum Admin link=1224854566/0#3 date=1225401746]Hello, please download another beta from [url]www.lobotomo.com/products /downloads/IPSecuritas32b3.dmg[/url] I'd like to apologize for not making the production release available yet. There have been a few last minute changes (configuration data not bound to machine anymore) that I'd like to test a bit further, and the updated user manual is not quite ready yet. Cheers, Christoph[/quote] This is the first release I have got to work with my Netgear FVS-338. Nice work ;) One other user got his FVS338 to work, but it did not work for me. Since his was working let me know if you want my profile, too? Any time frame on the official release?
Updated 3.2 beta Updated 3.2 beta by Forum Admin on 2008-10-30 22:30:12 +0100
Hello, please download another beta from [url]www.lobotomo.com/products /downloads/IPSecuritas32b3.dmg[/url] I'd like to apologize for not making the production release available yet. There have been a few last minute changes (configuration data not bound to machine anymore) that I'd like to test a bit further, and the updated user manual is not quite ready yet. Cheers, Christoph
Wireless and RoadRunner Wireless and RoadRunner by net2008 on 2008-11-03 19:38:18 +0100
I have a Linksys WRVS4400n VPN and it works fine using Verizon wireless card. But does not work on a rr connection ( with the same setting). Quick VPN also works on the XP side (using VMWare - both RR and wireless card). I tested 3.1 and 3.2b. What could be the problem?
ipv over ipv6 Tunnel - how?
ipv over ipv6 Tunnel - how? by must21 on 2008-11-04 10:16:56 +0100
Hi, On my OSX Leopard system I want to setup an ipsec tunnel to a linux firewall establishing an ipv4 over ipv6 tunnel (as I do have a fixed ipv6 address I can filter on, so I want to avoid the roadwarrier mode). When I do this, IPSecuritas logs an error message on the kernel call that tries to set the ipsec policy. This happens regardless whether I use the ipv6 notation or the ipv4 notation for the tunneled ipv4 net (see below).
When I on the other hand try to this by hand using setkey and racoon and try to set a policy with setkey spdadd 192.168.210.0/24 192.168.209.0/24 any -P in ipsec esp/tunnel/2002::1-2001::2/require; I get an "Invalid Argument" error - however, on our linux firewall this kind of policy does work! When I use ipv6 notations for my ipv4 networks using spdadd ::ffff:c0a8:D200/24 ::ffff:c0a8:D100/24 any -P in ipsec esp/tunnel/2002::1-2001::2/require; this policy is accepted but obviously does not what I want. Is this a limitation of the current ipsec implementation? Is there a way to get this to work or do I have to use L2TP over IPSec instead? Regards, Markus
Zyxel P-662HW-D1 Local ID Issue Zyxel P-662HW-D1 Local ID Issue by inky on 2008-11-06 20:49:26 +0100
I am trying to connect to this Zyxel Router via a VPN. Have taken various insturctions and feel I am now close, however, I get the following error log text on the router: Rule Verifying Local ID failed: I have both local and remote (peer) IDs set to IP on the Zyxel, and have set the IDs on IPsecuritas to 'Address'. It seems all Phases do pass and the only error in the IPsecuritas (debug) log reads xx.xx.xx.xx give up to get IPsec-SA due to time up to wait. Any ideas?
PAYLOAD_MALFORMED PAYLOAD_MALFORMED by bandad on 2008-11-10 18:23:37 +0100
I have had to rebuild the VPN connection on my mac book after a hard disk failure. I can't get it to work. The target is an IPCOP server and here are the server messages: [code] Nov 10 16:47:32 ipcop pluto[31505]: packet from 89.194.197.152:500: ignoring Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d380000000] Nov 10 16:47:32 ipcop pluto[31505]: packet from 89.194.197.152:500: received Vendor ID payload [Dead Peer Detection] Nov 10 16:47:32 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: responding to Main Mode from unknown peer 89.194.197.152 Nov 10 16:47:32 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: transition from state (null) to state STATE_MAIN_R1 Nov 10 16:47:33 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 Nov 10 16:47:34 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=UK, O=xxxxxxxxxxxxxxx, CN=macbob' Nov 10 16:47:34 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: crl update is overdue since Mar 08 21:29:50 UTC 2008 Nov 10 16:47:34 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: crl update is overdue since Mar 08 21:29:50 UTC 2008 Nov 10 16:47:34 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 Nov 10 16:47:34 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: sent MR3, ISAKMP SA established Nov 10 16:47:34 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: next payload type of ISAKMP Hash Payload has an unknown value: 39 Nov 10 16:47:34 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: malformed payload in packet Nov 10 16:47:34 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: sending notification PAYLOAD_MALFORMED to 89.194.197.152:500 Nov 10 16:47:38 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3 Nov 10 16:47:41 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: byte 2 of ISAKMP Hash Payload must be zero, but is not Nov 10 16:47:41 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: malformed payload in packet Nov 10 16:47:41 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: sending notification PAYLOAD_MALFORMED to 89.194.197.152:500 Nov 10 16:47:44 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: retransmitting in response to duplicate packet; already STATE_MAIN_R3 Nov 10 16:47:44 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: next payload type of ISAKMP Hash Payload has an unknown value: 240 Nov 10 16:47:44 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: malformed payload in packet Nov 10 16:47:44 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: sending notification PAYLOAD_MALFORMED to 89.194.197.152:500 Nov 10 16:47:49 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3 Nov 10 16:47:55 ipcop pluto[31505]: "macbook"[1] 89.194.197.152 #1: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3 [/code] It seems to get through phase 1 and to stage R3, but then it gets problems. I will reply to this with the output from the Mac book side - IPSecuritas log
Re: PAYLOAD_MALFORMED by bandad on 2008-11-10 19:08:42 +0100
OK the stripped down log looks like this: [code]IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Nov 10, 18:04:36 Info APP IKE daemon started Nov 10, 18:04:36 Info APP IPSec started Nov 10, 18:04:36 Error IKE Foreground mode. Nov 10, 18:04:36 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Nov 10, 18:04:36 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Nov 10, 18:04:36 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Nov 10, 18:04:36 Info IKE Resize address pool from 0 to 255 Nov 10, 18:04:37 Info APP Initiated connection garage Nov 10, 18:04:37 Error IKE inappropriate sadb acquire message passed. Nov 10, 18:04:38 Error IKE 1477:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 1477:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:707: Nov 10, 18:04:38 Error IKE Invalid SIG. Nov 10, 18:04:38 Error IKE none message must be encrypted Nov 10, 18:04:43 Error IKE 1477:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 1477:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:707: Nov 10, 18:04:43 Error IKE Invalid SIG. Nov 10, 18:04:43 Error IKE none message must be encrypted Nov 10, 18:04:44 Info APP Initiated connection garage Nov 10, 18:04:50 Error IKE 1477:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100: 1477:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:707: Nov 10, 18:04:50 Error IKE Invalid SIG. Nov 10, 18:04:50 Error IKE none message must be encrypted Nov 10, 18:04:51 Info APP Initiated connection garage Nov 10, 18:04:52 Info APP IPSec stopping Nov 10, 18:04:53 Info APP IKE daemon terminated Nov 10, 18:04:53 Info APP IPSec stopped[/code] Is this a certificate problem? Do I need to recreate them? help please!
Re: PAYLOAD_MALFORMED by bandad on 2008-11-12 00:16:32 +0100
Got it sorted. Problem was the certificates. I re-read the instructions, wiped the existing certs on IPCOP and started again. Now working OK. However, why can't I save the connection to a file?
How to test while on local network ? How to test while on local network ? by Xinram on 2008-11-10 22:52:37 +0100
I would like to test my VPN setup while being on the local network. Is there any way to do so ? Do I need a proxy service for this ? While on the local network the logfile shows an error message errno 17. I tried searching for it but did not receive any hits. Any help appreciated.
IP Securitas & Fitzbox 7270 IP Securitas & Fitzbox 7270 by Xinram on 2008-11-13 23:18:55 +0100
I have now managed to get a green dot, but I do not get any further. In the log there are several errors: IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Nov 13, 23:09:00 Info APP IPSec authenticating Nov 13, 23:09:00 Info APP IKE daemon started Nov 13, 23:09:00 Info APP IPSec started Nov 13, 23:09:00 Warning IKE Foreground mode. Nov 13, 23:09:00 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Nov 13, 23:09:00 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Nov 13, 23:09:00 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Nov 13, 23:09:00 Info IKE Resize address pool from 0 to 255 Nov 13, 23:09:00 Info APP Initiated connection Home Fritzbox Nov 13, 23:09:00 Error IKE inappropriate sadb acquire message passed. Nov 13, 23:09:01 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Nov 13, 23:09:02 Warning IKE attribute has been modified. Nov 13, 23:09:02 Warning IKE authtype mismatched: my:hmac-md5 peer:hmac-sha Nov 13, 23:09:31 Info APP IPSec stopping Nov 13, 23:09:32 Info APP IKE daemon terminated Nov 13, 23:09:32 Info APP IPSec stopped Nov 13, 23:09:53 Info APP Network configuration change detected Nov 13, 23:09:53 Info APP Smart Environment Detection: Off, reconfiguration I am running IPsecuritas 3.1. My fritzbox config: /* * C:\Users\hgoetze\AppData\Roaming\AVM\FRITZ!Fernzugang \fritzbox7170vpn_dyndns_org\fritzbox.cfg * Tue Sep 11 14:21:02 2007 */ vpncfg { connections { enabled = yes; conn_type = conntype_user; name = "
[email protected]"; always_renew = no; reject_not_encrypted = no; dont_filter_netbios = yes; localip = 0.0.0.0; local_virtualip = 0.0.0.0; remoteip = 0.0.0.0; remote_virtualip = 192.168.178.210; remoteid { user_fqdn = "
[email protected]"; } mode = phase1_mode_aggressive; phase1ss = "all/all/all"; keytype = connkeytype_pre_shared; key = "xxxxxxxx";
It was the UMTS provider by Xinram on 2008-11-14 23:17:50 +0100
which did not provide me with a reachable IP address. Thus although a tunnel appeared to be established it was not between my computer and the fritzbox. A different UMTS provider worked smoothly.
ZyWall USG100 ZyWall USG100 by beginner on 2008-11-17 14:33:56 +0100
Hi as a VPN-nobody i got the job to connect a Mac 10.5.5 Client to two USG 100. So i made the setup as fare as i can. Can some one tell me what the error Log is telling about? thanks rax The error Log i got: IPSecuritas 3.1 build 1860, Mon Oct 15 22:03:05 CEST 2007, nadig Darwin 8.10.1 Darwin Kernel Version 8.10.1: Wed May 23 16:33:00 PDT 2007; root:xnu-792.22.5~1/RELEASE_I386 i386 Nov 17, 14:27:18 Info APP IPSec authenticating Nov 17, 14:27:18 Info APP IKE daemon started Nov 17, 14:27:18 Info APP IPSec started Nov 17, 14:27:18 Error IKE Foreground mode. Nov 17, 14:27:18 Info IKE @(#)ipsec-tools CVS (http://ipsectools.sourceforge.net) Nov 17, 14:27:18 Info IKE @(#)This product linked OpenSSL 0.9.7l 28 Sep 2006 (http://www.openssl.org/) Nov 17, 14:27:18 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Nov 17, 14:27:18 Info IKE Resize address pool from 0 to 255 Nov 17, 14:27:19 Info APP Initiated connection ABC Nov 17, 14:27:19 Error IKE inappropriate sadb acquire message passed. Nov 17, 14:27:19 Warning IKE SPI size isn't zero, but IKE proposal. Nov 17, 14:27:19 Warning IKE ignore INITIAL-CONTACT notification, because it is only accepted after phase1. Nov 17, 14:27:19 Error IKE Expecting IP address type in main mode, but FQDN. Nov 17, 14:27:19 Error IKE invalid ID payload. Nov 17, 14:27:24 Warning IKE ignore INITIAL-CONTACT notification, because it is only accepted after phase1. Nov 17, 14:27:24 Error IKE Expecting IP address type in main mode, but FQDN. Nov 17, 14:27:24 Error IKE invalid ID payload. Nov 17, 14:27:26 Info APP Initiated connection ABC Nov 17, 14:27:29 Warning IKE ignore INITIAL-CONTACT notification, because it is only accepted after phase1. Nov 17, 14:27:29 Error IKE Expecting IP address type in main mode, but FQDN. Nov 17, 14:27:29 Error IKE invalid ID payload. Nov 17, 14:27:33 Info APP Initiated connection ABC Nov 17, 14:27:34 Warning IKE ignore INITIAL-CONTACT notification, because it is only accepted after phase1. Nov 17, 14:27:34 Error IKE Expecting IP address type in main mode, but FQDN. Nov 17, 14:27:34 Error IKE invalid ID payload. Nov 17, 14:27:35 Error IKE phase2 negotiation failed due to time up waiting for phase1. ESP xx.yyy.zzz.14[4500]->10.0.7.82[4500] Nov 17, 14:27:39 Warning IKE ignore INITIAL-CONTACT notification, because it is only accepted after phase1. Nov 17, 14:27:39 Error IKE Expecting IP address type in main mode, but FQDN. Nov 17, 14:27:39 Error IKE invalid ID payload. Nov 17, 14:27:40 Info APP Initiated connection ABC Nov 17, 14:27:42 Error IKE phase2 negotiation failed due to time up
Re: ZyWall USG100 by Forum Admin on 2008-11-18 18:09:16 +0100
Hello, the log says that an IP address was expected for identification, but A FQDN (fully qualified distinguished name) was sent by IPSecuritas (see ID tab in the connection manager). So either change the local identification to IP address (which may or may not work with your firewall), or change the exchange mode to aggressive instead of main. If you run into further problems, setting the log level to 'Debug' will give more details about the problem. Hope this helps, Christoph
Can't Connect To Remote Computer Despite Green Can't Connect To Remote Computer Despite Green by Ron on 2008-11-22 02:30:52 +0100
I have IPSecuritas 3.1 configured to connect to a D-Link DI-804HV. The client Mac is connected to the 192.168.2.0/24 subnet with IP address 192.168.2.2. The DI-804HV is connected to the 192.168.0.0/24 subnet via its 192.168.0.9 LAN interface. The IPsec connection is established across the public Internet with no problems. For the sake of this note, I am trying to connect to a remote computer whose IP address is 192.168.0.201. When I attempt to ping 192.168.0.201 in the remote network, my packet sniffer can see the ping request packets leaving the DI-804HV 192.168.0.9 interface for 192.168.0.201. The packets have a source IP address of 192.168.2.2 and a destination address of 192.168.0.201. It seems likely that the ping request packets are probably reaching 192.168.0.201. I am not seeing any ping response packets however. The 192.168.0.0/24 subnet has other routers, and the remote computers (including 192.168.0.201) are configured to use one of those other routers as their default route for subnets other than 192.168.0.0/24. I suspect that 192.168.0.201 is sending the ping response packets to its default router which will attempt (unsuccessfully) to send them out to the Internet. Strangely enough, the remote network has a printer at 192.168.0.200. When I ping it, I do get ping response packets. I suspect that the printer firmware is using the source Ethernet MAC address of the DI-804HV to return the response packets rather than the source IP address. I tried using MODE_CFG to assign a 192.168.0.0/24 IP address to the client computer, but it did not work. The Local IP in Remote Network flag is not relevant, because the local and remote subnets do not overlap. Does anybody have any bright ideas about how to make this work?
Office Mode on 3.2 beta3 Office Mode on 3.2 beta3 by buglasm on 2008-11-26 15:03:33 +0100
I have successfully configured office mode to a Checkpoint VPN-1 firewall (NGX R60) when using a user id and password to authenticate. If I change this to use a certificate, the office mode address is not used. Any pointers available on how to get this to work?
WRVS4400N - Route All Traffic Over VPN? WRVS4400N - Route All Traffic Over VPN? by DistortedLoop on 2008-12-05 16:36:53 +0100
Been happily running IPSecuritas to connect to my WRVS4400N for a couple of years, but didn't realize that only my LAN traffic was being routed over the VPN tunnel. My email, web browsing, IM and other traffic was all going out in the clear. I've been playing with the router and different firmware versions for over 12 hours, but cannot figure this out. Has anyone successfully gotten all traffic to route over the VPN tunnel with IPSecuritas and this router? I can't even be sure what to look at in the router settings. It's supposed to support VPN NAT-T, but it just doesn't do it with my IPSecuritas tunnels. Any ideas? One option I am considering is continuing with this router and IPSecuritas in my current state, but adding some SSH tunnels that bind specific ports to the SSH host behind the IPSEC tunnel. I've tested this successfully, but it's a bit of a hassle because you have to set up proxies, and I've only seen it work with VNC and Web browsing (haven't tested IM or email binding). Another problem with the SSH binding solution is I read (and think I noticed the same) that it really limits web browser functionality, in that if you have multiple tabs, only one tab's requests can pass through the SSH tunnel at once. I need to play with that more, but it appeared that background tabs wouldn't start loading until the current tab had finished.
Re: WRVS4400N - Route All Traffic Over VPN? by bazil on 2009-01-29 23:30:34 +0100
Good Day, I was wondering as whether you found a solution to your problem of routing all traffic; I am in a similar situation namely that I would like to send outgoing email via the VPN to the office. This is where the outgoing mailserver resides. Any ideas? Best regards
Router Recommendations? Router Recommendations? by DistortedLoop on 2008-12-05 16:53:34 +0100
I'm pretty tired of hassling with a Linksys WRVS4400N and am looking to replace the device with something a bit more user friendly and fully functional with Macs. What are those of you who are happily IPSEC tunneling using? I'll consider using anything that works, even staying with my current device, which is pretty good hardware-wise, but lacking in the connectivity I need. My dream VPN Router would have the following features: IPSEC, PPTP and L2TP support NATIVE in itself (i.e., not passthrough - if I want a PPTP or L2TP tunnel, the router serves it up). The perfect router would support all three, but two of three would make me happy. Full NAT-T support for the VPN clients - I want ALL network traffic to pass through the VPN tunnel seamlessly and without user interventions. All the standard Firewall goodies like SPI, port forwarding, etc. Gigabit LAN ports. I move a lot of data back and forth on my internal network. Wireless N support. (Not a deal breaker, but would be nice.) Native OS X client software for easy connections, sort of like Linksys QuickVPN works for Windows machines to the WRVS4400N and other products. Not that I really need this if IPSecuritas supports the router I get. Gigabit LAN ports. Wireless N support. IPV6 support. Anyone heard of such a thing? Any features the perfect router would have that I forgot to list...?
Trouble with IPSecuritas and Sidewinder 7 Trouble with IPSecuritas and Sidewinder 7 by Zeihold_von_SSL on 2008-12-07 13:30:00 +0100
Hi there, currently I've some problems with setting up a vpn tunnel. Typically I use shrew vpn (http://www.shrew.net) under Windows and Linux. Two of our employee are using a macbook pro, so I've to install IPSecuritas. The vpn server is a Securecomputing Sidewinder 7 Firewall. The conntection with the shrew vpn client works fine. Unfortunately I could not connect with the IPSecuritas client. Is there any way to convert a shrew vpn client configuration to IPSecuritas? Greetings Renй
Problems with Astaro, X509 certs and IPSecuritas Problems with Astaro, X509 certs and IPSecuritas by playersons on 2008-12-11 10:18:44 +0100
I have problems establishing a VPN connection between my MacBook Pro 10.5.5 with IPSecuritas 3.1 and an Astaro VPN Gateway. Everything is set up all right so far and I can connect using VPN Tracker with the certificates issued by the Astaro. Only IPSecuritas does not like something and I am not quite sure what the problem is. Here is a little snippet from the log: Dec 11, 10:14:25 Info APP Initiated connection vpntest Dec 11, 10:14:25 Error IKE inappropriate sadb acquire message passed. Dec 11, 10:14:26 Warning IKE remote address mismatched. db=88.217.xxx.xxx[4500], act=88.217.xxx.xxx[500] Dec 11, 10:14:26 Error IKE ignore information because ISAKMP-SAhas not been established yet. The connection is set up in host to network mode and and the local IP Adress expected by the Gateway is provided (192.168.100.100). I have no idea what mistake I am making here. Thanks for any suggestions. playersons
IpSecuritas and T-Mobile UMTS Stick web`n walk IpSecuritas and T-Mobile UMTS Stick web`n walk
by armacor on 2008-12-20 19:28:50 +0100
Hi, got a funny problem here (though it is not really funny....). Using IpSecuritas does not give me any problem using W-LAN when aways from the office, connection to Remotedesktop and the internet on my Mac is no problem at all. Different with web`n walk : no green light, no connection, no work :-( Any idea somebody ? Thanks. Cheers Armacor :(
Re: IpSecuritas and T-Mobile UMTS Stick web`n walk by Forum Admin on 2008-12-24 08:43:40 +0100
Hello, could you possibly send me a log with log level set to Debug to
[email protected]? Cheers, Christoph
Re: IpSecuritas and T-Mobile UMTS Stick web`n walk by p0ddie on 2008-12-28 23:42:46 +0100
Hi, you mention WLAN instead of WIFI so I assume you're German. Try using a different APN for T-Mobile. internet.t-mobile.de gives you a private LAN IP so NAT probably fails when trying to establish a VPN connection. Use internet.t-d1.de, and it should work. I had this issue with a customer using a L2TP connection to a MS ISA server, this was the solution. If you're not from Germany, just ask T-Mobile for an alternative APN that gives you a real public IP and works with VPN. I'm interested in feedback, wanna pin this issue down once and for all - not 100% sure this is the final solution for the problem (my customer is a happy VPN user now tho...)
Beta 3.2b3 Expired? Beta 3.2b3 Expired? by NeilMcG on 2009-01-01 13:16:07 +0100
Is there a b4 available - much appreciated.
Re: Beta 3.2b3 Expired? by dZiTao on 2009-01-01 17:07:48 +0100
Second that! Beta 3 has been working great for me and Now I'm stuck. I guess I'll have to see if going backwards will work so I can support my customers. Thanks for the excellent program!!! Please get us fixed up with a new working beta ASAP. Thanks so much and Happy New Year!
can not connet to AVM - fatal INVALID-ID-Informati can not connet to AVM - fatal INVALID-ID-Informati by mik_schreiber on 2009-01-27 14:45:10 +0100
hi, here is the log: Jan 27, 12:37:30 Info IKE Reading configuration from "/Library /Application Support/Lobotomo Software/IPSecuritas/racoon.conf" Jan 27, 12:37:30 Info IKE Resize address pool from 0 to 255 Jan 27, 12:37:31 Info APP Initiated connection vpn Jan 27, 12:37:34 Info IKE couldn't find the proper pskey, try to get one by the peer's address. Jan 27, 12:37:34 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted. Jan 27, 12:37:34 Error IKE Message: 'XO'. Jan 27, 12:37:38 Info APP Initiated connection vpn Jan 27, 12:37:39 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted. Jan 27, 12:37:39 Error IKE Message: 'XO'. Jan 27, 12:37:44 Error IKE fatal INVALID-ID-INFORMATION notify messsage, phase1 should be deleted. Jan 27, 12:37:44 Error IKE Message: 'XO'. Jan 27, 12:37:45 Info APP Initiated connection vpn
Netgear DG834 setup to IPSecuritas Netgear DG834 setup to IPSecuritas by kaos on 2009-02-03 11:09:01 +0100
Does anyone have this working and can share some screenshots? I am a pretty handy tech, and i just spent a whole day trying to get ipsecuritas to talk to this router. I currently have it running with no problems to a couple of other Netgear routers, but this most basic one seems to hate me. ANY help would be much appreciated, and will be shared with this forum. I have tried the suggestions of a couple of forum entries and nothing has worked so far..... regards Adam
