Hello,
Setting up a point-to-point IPSec VPN between RouterOS and a FreeBSD server running racoon. As far as I can tell, I have everything configured correctly, but when I attempt to send traffic over the tunnel and bring up the VPN, I get these messages in the log:
13:33:49 ipsec,ike respond new phase 1 negotiation: 66.170.8.18[500]<=>69.129.194.51[500]
13:33:49 ipsec,ike begin Identity Protection mode.
13:33:49 ipsec,ike received Vendor ID: DPD
13:33:50 ipsec,ike ISAKMP-SA established 66.170.8.18[500]-69.129.194.51[500] spi:4a1db066a87d8bf1:7d3b7c7b60599f0c
13:33:51 ipsec,ike respond new phase 2 negotiation: 66.170.8.18[500]<=>69.129.194.51[500]
13:33:51 ipsec,ike spid 5c1 is not found
13:33:51 ipsec,ike failed to get sainfo.
13:33:51 ipsec,ike failed to get proposal for responder.
13:33:51 ipsec,ike failed to pre-process packet.
I’m curious to see if anybody has any insight on the last four lines here. It would appear that I have something wrong in my phase 2 configs, but like I said before, everything seems to match up. If it helps, here are the relevant portions of my configs:
RouterOS:
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=yes enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
add auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=1d name=proposal1 pfs-group=modp1024
/ip ipsec peer
add address=x.x.x.x/32:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=20s dpd-maximum-failures=\
1 enc-algorithm=3des exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 lifetime=1d nat-traversal=no \
proposal-check=obey secret=passphrasegoeshere send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=17.16.23.0/25:any ipsec-protocols=esp level=require manual-sa=none priority=0 \
proposal=proposal1 protocol=all sa-dst-address=x.x.x.x sa-src-address=y.y.y.y src-address=\
192.168.93.0/24:any tunnel=yes
where x.x.x.x is the public IP of my racoon server and y.y.y.y is the public IP of my RouterOS device.
And from my racoon.conf:
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
timer
{
    counter 5;          # maximum trying count to send.
    interval 20 sec;    # maximum interval to resend.
    persend 1;          # the number of packets per send.
    phase1 30 sec;
    phase2 30 sec;
}
remote y.y.y.y
{
    exchange_mode main;
    situation identity_only;
    my_identifier address;
    lifetime time 14400 seconds;
    nonce_size 16;
    initial_contact on;
    proposal_check obey;    # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous
{
    lifetime time 14400 seconds;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
}
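Added example, not part of the post above: when phase 1 completes but phase 2 is rejected, the first thing to rule out is a difference between the two sides' phase-2 parameters, and the two configs use different spellings for the same things (RouterOS `sha1` versus racoon `hmac_sha1`, `1d` versus `14400 seconds`). The script below parses the RouterOS proposal line and the racoon `sainfo` block quoted in the post (embedded as constructed input), normalises the names through a small hypothetical table, and reports field by field where they differ. It only covers the parameters shown on the page; racoon's traffic selectors live in its SPD (set with setkey, not shown here) and must mirror the RouterOS policy addresses separately.

```python
import re

# Constructed inputs copied from the post: the active RouterOS proposal and
# racoon's sainfo block. Paste your own exports in their place.
ROUTEROS_PROPOSAL = ("add auth-algorithms=sha1 disabled=no enc-algorithms=3des "
                     "lifetime=1d name=proposal1 pfs-group=modp1024")
RACOON_SAINFO = """sainfo anonymous
{
    lifetime time 14400 seconds;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group modp1024;
}"""

# Hypothetical normalisation table: maps each side's spelling to one name.
# Unknown names map to None, which always counts as a mismatch.
CANON = {"3des": "3des", "sha1": "sha1", "hmac_sha1": "sha1",
         "modp1024": "modp1024", "2": "modp1024"}

def parse_routeros(line):
    """Phase-2 fields from a RouterOS proposal export line (simple 1d/30m form)."""
    kv = dict(re.findall(r"(\S+?)=(\S+)", line))
    unit = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    m = re.fullmatch(r"(\d+)([smhd])", kv.get("lifetime", ""))
    return {"enc": CANON.get(kv.get("enc-algorithms")),
            "auth": CANON.get(kv.get("auth-algorithms")),
            "pfs": CANON.get(kv.get("pfs-group")),
            "lifetime": int(m.group(1)) * unit[m.group(2)] if m else None}

def parse_racoon(block):
    """The same fields from a racoon sainfo block (lifetime in seconds)."""
    def get(key):
        m = re.search(r"\b" + key + r"\s+([^;\s]+)", block)
        return m.group(1) if m else None
    lt = re.search(r"lifetime\s+time\s+(\d+)\s+sec", block)
    return {"enc": CANON.get(get("encryption_algorithm")),
            "auth": CANON.get(get("authentication_algorithm")),
            "pfs": CANON.get(get("pfs_group")),
            "lifetime": int(lt.group(1)) if lt else None}

def compare(a, b):
    """Sorted list of phase-2 fields on which the two sides disagree."""
    return sorted(k for k in a if a[k] != b[k])

if __name__ == "__main__":
    ros, rac = parse_routeros(ROUTEROS_PROPOSAL), parse_racoon(RACOON_SAINFO)
    for k in ros:
        state = "OK" if ros[k] == rac[k] else "MISMATCH"
        print(f"{k:9} RouterOS={str(ros[k]):10} racoon={str(rac[k]):10} {state}")
```

For the values in the post only the lifetime differs (86400 s versus 14400 s), and with proposal_check/proposal-check set to obey on both sides a lifetime difference is accepted rather than rejected, so an encryption, authentication or PFS mismatch would be the hard failure to look for.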