 From:  "Tony" <m0n0wall at switchout dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Mobile IPSEC VPN Problems
 Date:  Tue, 29 Mar 2005 00:17:57 -0800 (PST)

Hello,

I am currently testing the mobile ipsec functionality of m0n0wall 1.11.
Since I'm only running some tests, I went ahead and assigned the WAN
interface a Private 10.1.1.201 address. I made sure to uncheck "Block
Private Networks" in the WAN Interface configuration. Here's where I'm at
a dead stop. Hopefully someone on this list can point me in the right
direction. I am able to authenticate to m0n0wall, however none of my
packets appear to get passed to the LAN subnet.

Strange thing is, once I am authenticated I can ping m0n0wall's LAN
interface, but not any other machine on that LAN subnet. I can even
connect to m0n0wall's webgui after authentication and ping my machines on
the LAN subnet using the Ping function in m0n0wall's Diagnostic section.

Following are my IPSEC configs for "Mobile Clients"

Phase 1 proposal (Authentication)
---------------------------------
Negotiation Mode = aggressive
My Identifier = My IP address
Encryption algorithm = SHA1
DH Key group = 2

Phase 2 proposal (SA/Key Exchange)
----------------------------------
Protocol = ESP
Encryption algorithms = 3DES
Hash algorithms = SHA1
PFS key group = 2

10.1.1.200 = laptop connected to the same switch as m0n0wall's WAN interface
10.1.1.201 = m0n0wall's WAN interface

System Log
------------
Mar 28 23:49:09     racoon: INFO: isakmp.c:904:isakmp_ph1begin_r():
respond new phase 1 negotiation: 10.1.1.201[500]<=>10.1.1.200[500]
Mar 28 23:49:09     racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin
Aggressive mode.
Mar 28 23:49:09     racoon: INFO: isakmp.c:2459:log_ph1established():
ISAKMP-SA established 10.1.1.201[500]-10.1.1.200[500]
spi:a78c8b71f9251287:990742cb4e613362
Mar 28 23:49:11     racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r():
respond new phase 2 negotiation: 10.1.1.201[0]<=>10.1.1.200[0]
Mar 28 23:49:11     racoon: INFO: isakmp_quick.c:2017:get_proposal_r(): no
policy found, try to generate the policy : 10.1.1.200/32[0]
10.1.50.0/24[0] proto=any dir=in
Mar 28 23:49:11     racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA
established: ESP/Tunnel 10.1.1.200->10.1.1.201 spi=26874439(0x19a1247)
Mar 28 23:49:11     racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA
established: ESP/Tunnel 10.1.1.201->10.1.1.200 spi=3934416717(0xea826f4d)
Mar 28 23:49:11     racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such
policy does not already exist: 10.1.1.200/32[0] 10.1.50.0/24[0] proto=any
dir=in
Mar 28 23:49:11     racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such
policy does not already exist: 10.1.50.0/24[0] 10.1.1.200/32[0] proto=any
dir=out

cat /var/etc/racoon.conf
------------------------
path pre_shared_key "/var/etc/psk.txt";

remote anonymous {
    exchange_mode aggressive;
    my_identifier address "10.1.1.201";
    initial_contact on;
    passive on;
    generate_policy on;
    support_proxy on;
    proposal_check obey;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group 2;
}


Any help would be appreciated.

Thanks & regards,

Tony
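An added troubleshooting helper, written for this page and not part of the original post or of m0n0wall: it unwraps the mail-wrapped syslog records quoted above (continuation lines carry no timestamp), pulls out the ISAKMP SA, the two IPsec SAs and the pk_recvspdupdate() errors, and classifies how far the tunnel got. The sample log is the one from the post, embedded as constructed input; the status codes are my own naming.

```python
import re
from typing import Dict, List

# Constructed sample input: the racoon lines quoted in the post, kept wrapped
# exactly the way the mail client wrapped them, so the unwrap step is exercised.
SAMPLE_LOG = """\
Mar 28 23:49:09     racoon: INFO: isakmp.c:904:isakmp_ph1begin_r():
respond new phase 1 negotiation: 10.1.1.201[500]<=>10.1.1.200[500]
Mar 28 23:49:09     racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin
Aggressive mode.
Mar 28 23:49:09     racoon: INFO: isakmp.c:2459:log_ph1established():
ISAKMP-SA established 10.1.1.201[500]-10.1.1.200[500]
spi:a78c8b71f9251287:990742cb4e613362
Mar 28 23:49:11     racoon: INFO: isakmp.c:1059:isakmp_ph2begin_r():
respond new phase 2 negotiation: 10.1.1.201[0]<=>10.1.1.200[0]
Mar 28 23:49:11     racoon: INFO: isakmp_quick.c:2017:get_proposal_r(): no
policy found, try to generate the policy : 10.1.1.200/32[0]
10.1.50.0/24[0] proto=any dir=in
Mar 28 23:49:11     racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA
established: ESP/Tunnel 10.1.1.200->10.1.1.201 spi=26874439(0x19a1247)
Mar 28 23:49:11     racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA
established: ESP/Tunnel 10.1.1.201->10.1.1.200 spi=3934416717(0xea826f4d)
Mar 28 23:49:11     racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such
policy does not already exist: 10.1.1.200/32[0] 10.1.50.0/24[0] proto=any
dir=in
Mar 28 23:49:11     racoon: ERROR: pfkey.c:2009:pk_recvspdupdate(): such
policy does not already exist: 10.1.50.0/24[0] 10.1.1.200/32[0] proto=any
dir=out
"""

# A syslog record starts with "Mon dd HH:MM:SS"; any other line is a continuation.
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} ")

# The racoon messages that mark each stage of a mobile-client tunnel.
PH1_ESTABLISHED = re.compile(
    r"ISAKMP-SA established ([\d.]+)\[\d+\]-([\d.]+)\[\d+\] spi:([0-9a-f]+):([0-9a-f]+)")
PH2_ESTABLISHED = re.compile(
    r"IPsec-SA established: (\w+)/(\w+) ([\d.]+)->([\d.]+) spi=\d+\((0x[0-9a-f]+)\)")
SPD_ERROR = re.compile(
    r"pk_recvspdupdate\(\): such policy does not already exist: "
    r"([\d./]+)\[\d+\] ([\d./]+)\[\d+\] proto=(\w+) dir=(in|out)")


def unwrap(text: str) -> List[str]:
    """Join continuation lines (no leading syslog timestamp) back onto their record."""
    records: List[str] = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def analyze(text: str) -> Dict[str, List[dict]]:
    """Extract phase 1 SAs, phase 2 SAs and SPD update errors from a racoon log."""
    found: Dict[str, List[dict]] = {"phase1": [], "phase2": [], "spd_errors": []}
    for rec in unwrap(text):
        m = PH1_ESTABLISHED.search(rec)
        if m:
            found["phase1"].append({"local": m.group(1), "peer": m.group(2),
                                    "isakmp_spi": m.group(3) + ":" + m.group(4)})
            continue
        m = PH2_ESTABLISHED.search(rec)
        if m:
            found["phase2"].append({"proto": m.group(1), "mode": m.group(2),
                                    "src": m.group(3), "dst": m.group(4), "spi": m.group(5)})
            continue
        m = SPD_ERROR.search(rec)
        if m:
            found["spd_errors"].append({"src": m.group(1), "dst": m.group(2),
                                        "proto": m.group(3), "dir": m.group(4)})
    return found


def diagnose(found: Dict[str, List[dict]]) -> str:
    """Name the stage at which the log stops looking healthy (codes are my own)."""
    if not found["phase1"]:
        return "PHASE1_FAILED"      # no ISAKMP SA: authentication/proposal problem
    if not found["phase2"]:
        return "PHASE2_FAILED"      # ISAKMP SA up, but no IPsec SA negotiated
    if found["spd_errors"]:
        return "SPD_UPDATE_FAILED"  # SAs up, but the kernel rejected the policy update
    return "ESTABLISHED"


def report(text: str) -> str:
    """Human-readable summary of one racoon log excerpt."""
    found = analyze(text)
    lines = ["status: " + diagnose(found)]
    for sa in found["phase1"]:
        lines.append(f"ISAKMP SA {sa['local']} <-> {sa['peer']} spi {sa['isakmp_spi']}")
    for sa in found["phase2"]:
        lines.append(f"{sa['proto']}/{sa['mode']} {sa['src']} -> {sa['dst']} spi {sa['spi']}")
    for e in found["spd_errors"]:
        lines.append(f"SPD update rejected: {e['src']} -> {e['dst']} dir={e['dir']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

On the quoted log this reports SPD_UPDATE_FAILED: both IPsec SAs are installed, but the kernel rejected the policy update for the selector pair 10.1.1.200/32 and 10.1.50.0/24 in both directions. That pair is what a practitioner would compare against the kernel's security policy database (setkey -DP on FreeBSD) before touching the phase 1 or phase 2 proposals, since the log shows those already negotiated.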