Look in the archives. About a month ago, I posted my IPSEC mono to mono setup. At least two people emailed me saying it worked for them. My monowalls are even different versions and I have no problems. (One is 1.1b16, and the other is 1.2b2.)

Also, don't forget to set a rule to allow ESP (also check the "allow fragments" for that ESP rule) to your m0n0 IP.

------------------------------------------------------------
Jason J Ellingson
Technical Consultant
615.301.1682 : nashville
612.605.1132 : minneapolis
www.ellingson.com
jason at ellingson dot com

-----Original Message-----
From: Chris Breish [mailto:cbreish at pchelpservice dot com]
Sent: Monday, November 15, 2004 5:00 PM
To: 'Andreas Gracco'
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: RE: [m0n0wall] m0n0wall to m0n0wall IPSec Issues

I switched to main, and changed both sides to "My IP address". Still no joy...

Thanks for the suggestions so far.

Here is another log post of what I'm getting:

m0n0wall 1:

Nov 15 17:50:36 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20040617a
Nov 15 17:50:36 racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane at kame dot net
Nov 15 17:50:36 racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
Nov 15 17:50:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
Nov 15 17:50:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 10.0.1.1[500] used as isakmp port (fd=8)
Nov 15 17:50:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.2.2[500] used as isakmp port (fd=9)
Nov 15 17:50:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 68.*.*.*[500] used as isakmp port (fd=10)
Nov 15 17:50:37 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.2/32[0] proto=any dir=in
Nov 15 17:50:37 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 10.0.0.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Nov 15 17:50:37 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.2.2/32[0] 192.168.2.0/24[0] proto=any dir=out
Nov 15 17:50:37 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.2.0/24[0] 10.0.0.0/24[0] proto=any dir=out

M0n0wall 2:

Nov 15 17:50:37 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20040617a
Nov 15 17:50:37 racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane at kame dot net
Nov 15 17:50:37 racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
Nov 15 17:50:38 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
Nov 15 17:50:38 racoon: INFO: isakmp.c:1368:isakmp_open(): 66.*.*.*[500] used as isakmp port (fd=8)
Nov 15 17:50:38 racoon: INFO: isakmp.c:1368:isakmp_open(): 10.0.0.1[500] used as isakmp port (fd=9)
Nov 15 17:50:38 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.0.0.1/32[0] proto=any dir=in
Nov 15 17:50:38 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.2.0/24[0] 10.0.0.0/24[0] proto=any dir=in
Nov 15 17:50:38 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 10.0.0.1/32[0] 10.0.0.0/24[0] proto=any dir=out
Nov 15 17:50:38 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 10.0.0.0/24[0] 192.168.2.0/24[0] proto=any dir=out

Chris Breish

-----Original Message-----
From: Andreas Gracco [mailto:A dot Gr at ims dot ch]
Sent: Monday, November 15, 2004 5:17 PM
To: Chris Breish
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: AW: [m0n0wall] m0n0wall to m0n0wall IPSec Issues

Hi,

I had a lot of problems using Aggressive Negotiation mode; try main mode, which is also more secure.

What did you use in "My identifier"? I suggest using "My IP Address" ...

Andreas