 
 From:  Diego Canalis <diegocanalis at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Problem with VPN
 Date:  Fri, 7 Jan 2005 13:00:42 -0300
Hi guys 

I have two m0n0walls in my network; this is a description:

            LAN 10.91.0.0/23
                   |
          _________|_________
                m0n0wall
          -------------------
                  | |          WAN IP 10.0.0.5/23
                  | |  IPsec
                  | |
          ________| |________  WAN IP 10.0.0.3/23
                m0n0wall
          -------------------
                   |
                   |
            LAN 10.0.254.1/24

I've made the basic configuration for the VPN tunnel on both sides.
These are the values:

Negotiation mode:      main
My identifier:         My IP address
Encryption algorithm:  3DES
Hash algorithm:        MD5
DH key group:          2

Protocol:              ESP
Encryption algorithms: 3DES
Hash algorithms:       MD5
PFS key group:         2

and the logs are:

Jan 7 09:48:05 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 10.0.0.3[500]<=>10.0.0.5[500]
Jan 7 09:48:05 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode.
Jan 7 09:48:05 racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
Jan 7 09:48:05 racoon: INFO: vendorid.c:128:check_vendorid(): received Vendor ID: KAME/racoon
Jan 7 09:48:06 racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 10.0.0.3[500]-10.0.0.5[500] spi:9ebb6c6c2cb0b35b:3bcc147f0eb8cf97
Jan 7 09:48:07 racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 10.0.0.3[0]<=>10.0.0.5[0]
Jan 7 09:44:51 last message repeated 2 times
Jan 7 09:48:07 /kernel: WARNING: pseudo-random number generator used for IPsec processing
Jan 7 09:48:07 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 10.0.0.5->10.0.0.3 spi=37791830(0x240a856)
Jan 7 09:48:07 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 10.0.0.3->10.0.0.5 spi=229127567(0xda8358f)

It seems to work fine, but I can't see the subnets from both sides.
I can't ping the computers from one LAN to the other.
Maybe I have to make NAT rules on both sides?
Any ideas or suggestions?

Thanks
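Added example (not part of the original post, and not m0n0wall's or racoon's own code): a Python helper that parses racoon log lines like the ones quoted above to confirm that the ISAKMP SA and both ESP directions exist, and then checks the address plan a policy-based site-to-site tunnel depends on: that the two LANs and the WAN transport network do not overlap, and that a given host pair actually falls inside the tunnel's local/remote subnet pair. Traffic that does not match the phase 2 subnets never enters the tunnel, however healthy the SA log looks. The sample log text is reconstructed from the lines in the post; the network names and the host addresses used in the checks are assumptions for illustration.

```python
"""Sanity checks for a racoon IPsec site-to-site tunnel (added example)."""
import ipaddress
import re

# Constructed sample: the racoon entries quoted in the post, one entry per line.
SAMPLE_LOG = """\
Jan 7 09:48:05 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 10.0.0.3[500]<=>10.0.0.5[500]
Jan 7 09:48:06 racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 10.0.0.3[500]-10.0.0.5[500] spi:9ebb6c6c2cb0b35b:3bcc147f0eb8cf97
Jan 7 09:48:07 racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 10.0.0.3[0]<=>10.0.0.5[0]
Jan 7 09:48:07 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 10.0.0.5->10.0.0.3 spi=37791830(0x240a856)
Jan 7 09:48:07 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 10.0.0.3->10.0.0.5 spi=229127567(0xda8358f)
"""

# Phase 1: "ISAKMP-SA established A[500]-B[500] spi:..."
PH1_RE = re.compile(r"ISAKMP-SA established ([\d.]+)\[\d+\]-([\d.]+)\[\d+\]")
# Phase 2: "IPsec-SA established: ESP/Tunnel SRC->DST spi=NNN(0x...)"
PH2_RE = re.compile(r"IPsec-SA established: ESP/Tunnel ([\d.]+)->([\d.]+) spi=(\d+)")


def tunnel_state(log_text):
    """Extract the ISAKMP peer pair and every ESP direction (src, dst) -> SPI."""
    isakmp = None
    esp = {}
    for line in log_text.splitlines():
        m = PH1_RE.search(line)
        if m:
            isakmp = (m.group(1), m.group(2))
        m = PH2_RE.search(line)
        if m:
            esp[(m.group(1), m.group(2))] = int(m.group(3))
    return {"isakmp": isakmp, "esp": esp}


def tunnel_is_up(state, local, remote):
    """Phase 1 exists and ESP SAs exist in both directions between the peers."""
    if state["isakmp"] is None:
        return False
    return (local, remote) in state["esp"] and (remote, local) in state["esp"]


def overlap_problems(networks):
    """Return name pairs of networks that overlap (overlaps break routing/policy)."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def covered_by_policy(src_host, dst_host, local_net, remote_net):
    """True if src->dst matches the tunnel's local/remote subnet pair either way."""
    src, dst = ipaddress.ip_address(src_host), ipaddress.ip_address(dst_host)
    ln = ipaddress.ip_network(local_net, strict=False)
    rn = ipaddress.ip_network(remote_net, strict=False)
    return (src in ln and dst in rn) or (src in rn and dst in ln)


if __name__ == "__main__":
    state = tunnel_state(SAMPLE_LOG)
    print("tunnel up:", tunnel_is_up(state, "10.0.0.3", "10.0.0.5"))
    # Address plan from the post; the names are assumptions for illustration.
    plan = {"lan_a": "10.91.0.0/23", "lan_b": "10.0.254.1/24", "wan": "10.0.0.0/23"}
    print("overlaps:", overlap_problems(plan))
    # A LAN host to a LAN host matches the policy; a ping sourced from the WAN
    # address of the firewall itself does not, so it never enters the tunnel.
    print("host->host covered:",
          covered_by_policy("10.91.0.10", "10.0.254.20", plan["lan_a"], plan["lan_b"]))
    print("wan->host covered:",
          covered_by_policy("10.0.0.5", "10.0.254.20", plan["lan_a"], plan["lan_b"]))
```

Run it against a real racoon log by replacing `SAMPLE_LOG` with the log contents; a tunnel that shows `tunnel up: True` but whose test traffic is not `covered_by_policy` is a subnet definition problem, not an SA problem.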