Hi there,

I have a problem with an IPSec tunnel between two monowall installations. One monowall is connected to a router supplying 4 official IP addresses to our network. At the other location the monowall is connected to a router which has only one official IP address and gives all traffic (including ESP) to monowall via NAT.

Here is the detailed configuration (IPs are not real):

Site A:
Our official static IPs: 157.156.1.145, 157.156.1.146, 157.156.1.147, 157.156.1.148, 157.156.1.149, 157.156.1.150

Devices
1. Internet
2. Router from our ISP (IP 157.156.1.145), administration by ISP only
3. Monowall: WAN IP 157.156.1.150 / LAN IP 192.168.1.100 / NAT to some internal servers
4. Switch inside subnet
5. Clients and servers with IP 192.168.1.x/24

IPSec tunnel
Local net: LAN
Remote net: 192.168.5.1/24
Interface: WAN
Remote GW: 194.13.117.73

Site B:
Our official static IP: 194.13.117.73

Devices
1. Internet
2. Router from ISP (WAN IP 194.13.117.73 / LAN IP 192.168.0.254), NAT all traffic to 192.168.0.1 including ESP, administration by ISP only
3. Monowall: WAN IP 192.168.0.1 / LAN IP 192.168.5.1 / default gateway 192.168.0.254
4. Switch inside subnet
5. Clients and servers with IP 192.168.5.x/24

IPSec tunnel
Local net: LAN
Remote net: 192.168.1.1/24
Interface: WAN
Remote GW: 157.156.1.150

Because of the configuration at Site B there are mismatches in the IPSec diagnostic tunnel endpoints between Site A and Site B; maybe that's the problem:

Site A:
SPA empty
SPD:
Source: 192.168.5.1/24  Destination: 192.168.1.0/24  Direction: incoming ->  Protocol: ESP  Tunnel endpoints: 194.13.117.73 - 157.156.1.150
Source: 192.168.1.0/24  Destination: 192.168.5.1/24  Direction: outgoing <-  Protocol: ESP  Tunnel endpoints: 157.156.1.150 - 194.13.117.73

Site B:
SPA empty
SPD:
Source: 192.168.1.1/24  Destination: 192.168.5.0/24  Direction: incoming ->  Protocol: ESP  Tunnel endpoints: 157.156.1.150 - 192.168.0.1
Source: 192.168.5.0/24  Destination: 192.168.1.1/24  Direction: outgoing <-  Protocol: ESP  Tunnel endpoints: 192.168.0.1 - 157.156.1.150

The other IPSec parameters are the same at both sites (aggressive, blowfish, sha1, My identifier: My IP address). WAN rules for ESP are set.

Pinging the official IPs 157.156.1.150/194.13.117.73 works fine. Pinging clients in the remote subnet fails.

Here is the system log from Site A (last on top):
racoon: ERROR: pfkey.c:804:pfkey_timeover(): 212.202.105.73 give up to get IPsec-SA due to time up to wait.
racoon: WARNING: isakmp.c:371:isakmp_main(): remote address mismatched. db=194.13.117.73[500], act=194.13.117.73[39573]
racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 157.156.1.150[0]<=>194.13.117.73[0]
racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 157.156.1.150[500]-194.13.117.73[500] spi:6545fc6dbc3aece3:0c8f7b1d322c2da8

Here is the system log from Site B (last on top):
racoon: ERROR: isakmp.c:1073:isakmp_ph2begin_r(): failed to pre-process packet.
racoon: ERROR: isakmp_quick.c:1046:quick_r1recv(): failed to get sainfo.
racoon: ERROR: isakmp_quick.c:1812:get_sainfo_r(): failed to get sainfo.
racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r(): respond new phase 2 negotiation: 192.168.0.1[0]<=>157.156.1.150[0]

Any ideas?
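As an added diagnostic example (not part of the original post and not m0n0wall or racoon code), the script below encodes the tunnel settings and the racoon warning quoted above as constructed data and checks the three things a reader of the post would want to verify: whether a phase 2 selector was typed with host bits set (192.168.5.1/24 rather than 192.168.5.0/24), whether the two sites' phase 2 selectors are exact mirror images of each other, and whether the "remote address mismatched" line shows the peer's IKE UDP source port being rewritten in transit. Modelling the responder's sainfo lookup as an exact string match of the selector pair is an assumption made for this example; the dictionary field names, regex and helper functions are all mine.

```python
import ipaddress
import re

# Constructed from the post: each site's tunnel definition. The addresses are
# the post's placeholder values, not real ones.
SITES = {
    "A": {"local_net": "192.168.1.0/24", "remote_net": "192.168.5.1/24",
          "wan_ip": "157.156.1.150", "remote_gw": "194.13.117.73"},
    "B": {"local_net": "192.168.5.0/24", "remote_net": "192.168.1.1/24",
          "wan_ip": "192.168.0.1", "remote_gw": "157.156.1.150"},
}

# Constructed log excerpt: the two Site A racoon lines quoted in the post.
RACOON_LOG_A = """\
racoon: WARNING: isakmp.c:371:isakmp_main(): remote address mismatched. db=194.13.117.73[500], act=194.13.117.73[39573]
racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 157.156.1.150[500]-194.13.117.73[500] spi:6545fc6dbc3aece3:0c8f7b1d322c2da8
"""

NAT_RE = re.compile(
    r"remote address mismatched\. db=(\S+)\[(\d+)\], act=(\S+)\[(\d+)\]")


def selector_issues(cidr):
    """Flag a phase 2 selector whose address part is not the network address.
    A selector typed as 192.168.5.1/24 is carried in the ID payload as typed,
    so the peer compares it against 192.168.5.0/24 and sees a different ID."""
    iface = ipaddress.ip_interface(cidr)
    if iface.ip != iface.network.network_address:
        return [f"{cidr}: host bits set, network is {iface.network}"]
    return []


def phase2_ids(site):
    """ID pair (IDci, IDcr) this site proposes when it initiates phase 2."""
    return (site["local_net"], site["remote_net"])


def sainfo_match(initiator, responder):
    """Assumed exact-match lookup: the responder needs the same selector pair,
    mirrored (its remote_net is the initiator's local_net and vice versa)."""
    idci, idcr = phase2_ids(initiator)
    return idci == responder["remote_net"] and idcr == responder["local_net"]


def endpoint_issues(sites):
    """Report a site whose own WAN address differs from what the peer dials,
    which is exactly the situation of a gateway behind a NAT router."""
    out = []
    for name, s in sites.items():
        peer = sites["B" if name == "A" else "A"]
        if peer["remote_gw"] != s["wan_ip"]:
            out.append(f"site {name}: peer dials {peer['remote_gw']} but local "
                       f"WAN is {s['wan_ip']} (NAT between the gateways)")
    return out


def nat_port_rewrite(log):
    """Return (peer, expected_port, seen_port) for every racoon warning in
    which the peer's IKE UDP source port differs from the one on record."""
    hits = []
    for line in log.splitlines():
        m = NAT_RE.search(line)
        if m and m.group(2) != m.group(4):
            hits.append((m.group(3), int(m.group(2)), int(m.group(4))))
    return hits


def diagnose(sites, log):
    """Run all checks and return the findings as a list of strings."""
    report = []
    for name, s in sites.items():
        for cidr in (s["local_net"], s["remote_net"]):
            report += [f"site {name}: {msg}" for msg in selector_issues(cidr)]
    if not sainfo_match(sites["A"], sites["B"]):
        report.append("phase 2 selectors of A and B are not mirror images "
                      "(responder cannot find a matching sainfo)")
    report += endpoint_issues(sites)
    for peer, expected, seen in nat_port_rewrite(log):
        report.append(f"peer {peer}: IKE port {expected} arrives as {seen}, "
                      "the NAT router rewrites the UDP source port")
    return report


if __name__ == "__main__":
    for finding in diagnose(SITES, RACOON_LOG_A):
        print(finding)
```

Running it against the posted configuration yields five findings: one host-bit selector on each side, the resulting selector mismatch, the NAT'd endpoint at Site B, and the port rewrite visible in the Site A log. Re-running `sainfo_match` with both remote nets corrected to their network addresses returns True, which is the quickest way to confirm that the selectors alone were inconsistent before looking at the NAT traversal question.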