 From:  "James F. Newberry" <jamesn at djcomputing dot net>
 To:  "Mike Mentges" <mmentges at gstisecurity dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSEC Problems
 Date:  Tue, 31 May 2005 12:20:38 -0500
Here is the current setup.  I've tried many different ones.  Right now it is set up using cast128
with a dh_group of 1.  I've tried the others also with no luck.
 
 
Box 1
 
remote xx.xx.146.34 {
exchange_mode aggressive;
my_identifier address "xx.xx.146.43";
peers_identifier address xx.xx.146.34;
initial_contact on;
support_proxy on;
proposal_check obey;

proposal {
encryption_algorithm cast128;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 1;
lifetime time 28800 secs;
}
lifetime time 28800 secs;
}

sainfo address 10.0.0.0/24 any address 10.1.1.0/24 any {
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
pfs_group 2;
lifetime time 7200 secs;
}
 
Box 2
 
remote xx.xx.146.43 {
exchange_mode aggressive;
my_identifier address "xx.xx.146.34";
peers_identifier address xx.xx.146.43;
initial_contact on;
support_proxy on;
proposal_check obey;

proposal {
encryption_algorithm cast128;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 1;
lifetime time 28800 secs;
}
lifetime time 28800 secs;
}

sainfo address 10.1.1.0/24 any address 10.0.0.0/24 any {
encryption_algorithm 3des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
pfs_group 2;
lifetime time 7200 secs;
}

Can you browse to the hidden exec.php script (http://yourmonoip/exec.php) and provide the ipsec
configs for each machine?
You should be able to view it by typing this: 'cat /var/etc/racoon.conf', unless there is
something different with your install.. (I use CD)
From there we can see if we can help. Make sure you take out anything you might not want us to see
such as passkeys and IPs.

Mike Mentges
Security Engineer/Architect
Global Security Technologies Inc.
mmentges at gstisecurity dot com

James F. Newberry wrote: 

	I've checked the settings more times than I can count.  I've started over many times, I've tried
different options.  It's very strange.
	 
	On Tuesday 31 May 2005 08:48, James F. Newberry wrote:
	  

		I just tried setting the MTU to 1400 with no luck.  Right now I have
		2 monowall boxes hooked to my WAN side switch and they still can not
		create an IPSEC link between the two of them.  I have tried the setup
		guide in the Docs.  I have read as many posts as I could find.  Any
		other ideas?  Here is the log
		
		May 31 07:47:41 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
		May 31 07:47:41 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.233.146.34[500]<=>64.233.146.43[500]
		May 31 07:47:41 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 64.233.146.43 queued due to no phase1 found.
		May 31 07:47:33 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
		May 31 07:47:33 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
		May 31 07:47:18 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. d38c8163638cd5fa:0000000000000000
		May 31 07:47:02 racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
		May 31 07:46:49 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
		May 31 07:46:49 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
		May 31 07:46:18 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
		
		    

	Looking at your logs it seems that the tunnel is never established.  My
	problem was that big packets just got clipped but _after_ the tunnel
	was established.  I suspect that you have some mismatch in parameters
	at the two endpoints.
	
	--george
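George's suspicion of a parameter mismatch between the two endpoints is the kind of thing worth checking mechanically rather than by eye. The following is an added example, not code from this thread or from m0n0wall: it parses two racoon.conf snippets in the shape James posted and reports phase 1 and phase 2 proposal differences, identifiers that do not cross-match, and sainfo selectors that are not mirror images of each other. The addresses are placeholders and the racoon_conf helper only constructs sample input for the demo.

```python
import re

# Phase 1 (ISAKMP) and phase 2 (IPsec SA) settings that must agree on both peers.
PH1 = ("exchange_mode", "encryption_algorithm", "hash_algorithm", "authentication_method", "dh_group")
PH2 = ("encryption_algorithm", "authentication_algorithm", "pfs_group")

def parse(text):
    """Flatten racoon.conf into {block header: {key: value}}; the nested 'proposal'
    block's keys are merged into the enclosing 'remote' block."""
    cfg, stack = {}, []
    for tok in re.findall(r"[^{};]+[{;]|}", text):
        tok = tok.strip()
        if tok.endswith("{"):
            hdr = tok[:-1].strip()
            stack.append(stack[-1] if stack else cfg.setdefault(hdr, {}))
        elif tok == "}":
            stack.pop()
        else:
            key, _, val = tok[:-1].partition(" ")
            stack[-1][key] = val.replace('"', "").strip()
    return cfg

def mismatches(a, b):
    """Compare two peers' parsed configs; an empty list means they are consistent."""
    pick = lambda cfg, kind: next(i for i in cfg.items() if i[0].startswith(kind))
    (_, ra), (_, rb) = pick(a, "remote"), pick(b, "remote")
    (ha, sa), (hb, sb) = pick(a, "sainfo"), pick(b, "sainfo")
    out = [f"phase1 {k}: {ra.get(k)} vs {rb.get(k)}" for k in PH1 if ra.get(k) != rb.get(k)]
    out += [f"phase2 {k}: {sa.get(k)} vs {sb.get(k)}" for k in PH2 if sa.get(k) != sb.get(k)]
    if (ra.get("my_identifier"), ra.get("peers_identifier")) != \
            (rb.get("peers_identifier"), rb.get("my_identifier")):
        out.append("identifiers do not cross-match")
    wa, wb = ha.split(), hb.split()   # sainfo address LOCAL any address REMOTE any
    if (wa[2], wa[5]) != (wb[5], wb[2]):
        out.append(f"sainfo selectors not mirrored: {ha} / {hb}")
    return out

def racoon_conf(me, peer, local, remote, dh):
    """Constructed config in the shape of the thread's snippets (placeholder addresses)."""
    return f"""remote {peer} {{ exchange_mode aggressive; my_identifier address "{me}";
peers_identifier address {peer}; proposal {{ encryption_algorithm cast128; hash_algorithm md5;
authentication_method pre_shared_key; dh_group {dh}; lifetime time 28800 secs; }} }}
sainfo address {local} any address {remote} any {{ encryption_algorithm 3des;
authentication_algorithm hmac_md5; pfs_group 2; lifetime time 7200 secs; }}"""

BOX1 = parse(racoon_conf("192.0.2.43", "192.0.2.34", "10.0.0.0/24", "10.1.1.0/24", dh=1))
BOX2 = parse(racoon_conf("192.0.2.34", "192.0.2.43", "10.1.1.0/24", "10.0.0.0/24", dh=1))
BOX2_DH2 = parse(racoon_conf("192.0.2.34", "192.0.2.43", "10.1.1.0/24", "10.0.0.0/24", dh=2))
print(mismatches(BOX1, BOX2), mismatches(BOX1, BOX2_DH2))  # [] ['phase1 dh_group: 1 vs 2']
```

A clean result only says the two files agree with each other; a pre-shared key typo or a packet filter blocking UDP/500 would still leave phase 1 timing out exactly as in the log above.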
	