 
 From:  Mike Mentges <mmentges at gstisecurity dot com>
 To:  "James F. Newberry" <jamesn at djcomputing dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Problems
 Date:  Tue, 31 May 2005 13:38:07 -0400
Have you set up your preshared key both in the configuration editor as well as the Pre-Shared Key tab, ensuring there are no white spaces or differences between them? I know I had an issue with whitespace or my fat finger when I set the first couple up; I set up a new key and things worked. Try a simple key to test and then move to a more random key if the simple key works.
I am not sure if it is needed, but I allowed ESP and AH traffic on my WAN rulesets to the IPs that use the tunnel; I did that during a test and never removed it to fully test it.
Just some random thoughts since it looks like your rules are ok; the xml config might be the next thing to provide if nothing else helps.

Mike Mentges
Security Engineer/Architect
Global Security Technologies Inc.
mmentges at gstisecurity dot com

James F. Newberry wrote:

>Here is the current setup.  I've tried many different ones.  Right now it is set up using cast128 with a dh_group of 1.  I've tried the others also with no luck.
> 
> 
>Box 1
> 
>remote xx.xx.146.34 {
>exchange_mode aggressive;
>my_identifier address "xx.xx.146.43";
>peers_identifier address xx.xx.146.34;
>initial_contact on;
>support_proxy on;
>proposal_check obey;
>
>proposal {
>encryption_algorithm cast128;
>hash_algorithm md5;
>authentication_method pre_shared_key;
>dh_group 1;
>lifetime time 28800 secs;
>}
>lifetime time 28800 secs;
>}
>
>sainfo address 10.0.0.0/24 any address 10.1.1.0/24 any {
>encryption_algorithm 3des;
>authentication_algorithm hmac_md5;
>compression_algorithm deflate;
>pfs_group 2;
>lifetime time 7200 secs;
>}
> 
>Box 2
> 
>remote xx.xx.146.43 {
>exchange_mode aggressive;
>my_identifier address "xx.xx.146.34";
>peers_identifier address xx.xx.146.43;
>initial_contact on;
>support_proxy on;
>proposal_check obey;
>
>proposal {
>encryption_algorithm cast128;
>hash_algorithm md5;
>authentication_method pre_shared_key;
>dh_group 1;
>lifetime time 28800 secs;
>}
>lifetime time 28800 secs;
>}
>
>sainfo address 10.1.1.0/24 any address 10.0.0.0/24 any {
>encryption_algorithm 3des;
>authentication_algorithm hmac_md5;
>compression_algorithm deflate;
>pfs_group 2;
>lifetime time 7200 secs;
>}
>
>
>
> 
>Can you browse to the hidden exec.php script (http://yourmonoip/exec.php) and provide the ipsec configs for each machine?
>You should be able to view it by typing this....       'cat /var/etc/racoon.conf' unless there is something different with your install.. (I use CD)
>From there we can see if we can help. Make sure you take out anything you might not want us to see such as passkeys and IPs
>
>Mike Mentges
>Security Engineer/Architect
>Global Security Technologies Inc.
>mmentges at gstisecurity dot com
>
>James F. Newberry wrote: 
>
>	I've checked the settings more times than I can count.  I've started over many times, I've tried different options.  It's very strange.
>	 
>	On Tuesday 31 May 2005 08:48, James F. Newberry wrote:
>	  
>
>		I just tried setting the MTU to 1400 with no luck.  Right now I have
>		2 monowall boxes hooked to my WAN side switch and they still can not
>		create an IPSEC link between the two of them.  I have tried the setup
>		guide in the Docs.  I have read as many posts as I could find.  Any
>		other ideas?  Here is the log
>		
>		May 31 07:47:41 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
>		May 31 07:47:41 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.233.146.34[500]<=>64.233.146.43[500]
>		May 31 07:47:41 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 64.233.146.43 queued due to no phase1 found.
>		May 31 07:47:33 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
>		May 31 07:47:33 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
>		May 31 07:47:18 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. d38c8163638cd5fa:0000000000000000
>		May 31 07:47:02 racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
>		May 31 07:46:49 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
>		May 31 07:46:49 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
>		May 31 07:46:18 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
>		
>		    
>
>	Looking at your logs it seems that the tunnel is never established.  My
>	problem was that big packets just got clipped but _after_ the tunnel
>	was established.  I suspect that you have some mismatch in parameters
>	at the two endpoints.
>	
>	--george
>	
>	---------------------------------------------------------------------
>	To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>	For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
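The advice in this thread boils down to two checks: the phase 1 and phase 2 parameters in racoon.conf must agree on both boxes (George's suspected "mismatch in parameters at the two endpoints", which matches a log where phase 1 times out before any ESP SA exists), and the pre-shared key must be byte-for-byte identical with no stray whitespace (Mike's fat-finger problem). The script below is an added example, not part of the thread or of m0n0wall: it parses two racoon.conf fragments with a small parser for the brace-style subset quoted above (not racoon's own parser), cross-checks identifiers, proposals and sainfo networks, and reads a psk.txt-style key file for whitespace and key mismatches. The sample configs and keys are constructed, modelled on the quoted configs but with RFC 5737 documentation addresses, and box B deliberately carries a dh_group mismatch and a trailing space after its key so that both checks fire.

```python
"""Cross-check two racoon configs (m0n0wall's IPsec daemon) for phase 1/phase 2
mismatches and pre-shared-key whitespace.  Added example, not m0n0wall code."""
import re

PHASE1 = ("encryption_algorithm", "hash_algorithm", "authentication_method",
          "dh_group", "lifetime")                      # must match on both ends
PHASE2 = ("encryption_algorithm", "authentication_algorithm",
          "compression_algorithm", "pfs_group", "lifetime")

def _parse_block(tokens, i=0):
    """'key v1 v2;' -> block[key] = 'v1 v2'; 'w1 w2 { ... }' -> block[('w1','w2')] = sub-block."""
    block, words = {}, []
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            if words:
                block[words[0]] = " ".join(words[1:])
            words, i = [], i + 1
        elif tok == "{":
            sub, i = _parse_block(tokens, i + 1)
            block[tuple(words)], words = sub, []
        elif tok == "}":
            return block, i + 1
        else:
            words.append(tok.strip('"'))  # quoted and bare identifiers compare equal
            i += 1
    return block, i

def parse_racoon(text):
    """Minimal parser for the brace-style subset of racoon.conf quoted in the thread."""
    text = re.sub(r"#.*", "", text)  # drop comments
    return _parse_block(re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text))[0]

def _section(conf, name):
    """(header tuple, body) of the first top-level section whose header starts with name."""
    return next((k, v) for k, v in conf.items() if isinstance(k, tuple) and k[0] == name)

def compare_tunnels(conf_a, conf_b):
    """Mismatch findings for the tunnel between box A and box B; [] means consistent."""
    findings = []
    _, rem_a = _section(conf_a, "remote")
    _, rem_b = _section(conf_b, "remote")
    # Identities cross-match: what one box calls itself is what the other expects.
    for mine, theirs in ((rem_a, rem_b), (rem_b, rem_a)):
        if mine.get("my_identifier") != theirs.get("peers_identifier"):
            findings.append("my_identifier/peers_identifier do not cross-match")
    prop_a, prop_b = rem_a[("proposal",)], rem_b[("proposal",)]
    findings += [f"phase1 {k}: {prop_a.get(k)!r} vs {prop_b.get(k)!r}"
                 for k in PHASE1 if prop_a.get(k) != prop_b.get(k)]
    # Header is ('sainfo','address',<local>,'any','address',<remote>,'any'): mirrored on B.
    sk_a, sa_a = _section(conf_a, "sainfo")
    sk_b, sa_b = _section(conf_b, "sainfo")
    if (sk_a[2], sk_a[5]) != (sk_b[5], sk_b[2]):
        findings.append("sainfo networks are not mirrored")
    findings += [f"phase2 {k}: {sa_a.get(k)!r} vs {sa_b.get(k)!r}"
                 for k in PHASE2 if sa_a.get(k) != sa_b.get(k)]
    return findings

def load_psk(text, label, findings):
    """Read psk.txt ('<identifier> <key>' per line), flagging whitespace around a key."""
    entries = {}
    for n, raw in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*(\S+)\s+(.*)$", raw)
        if not raw.strip() or raw.lstrip().startswith("#") or not m:
            continue
        ident, key = m.groups()
        if key != key.strip():
            findings.append(f"{label} line {n}: key for {ident} has surrounding whitespace")
        entries[ident] = key.strip()
    return entries

def audit(conf_a, conf_b, psk_a, psk_b):
    """All findings for one tunnel: config mismatches plus pre-shared-key problems."""
    a, b = parse_racoon(conf_a), parse_racoon(conf_b)
    findings = compare_tunnels(a, b)
    # Each box files the key under the other box's identifier, i.e. its 'remote' header.
    key_a = load_psk(psk_a, "box A psk", findings).get(_section(a, "remote")[0][1])
    key_b = load_psk(psk_b, "box B psk", findings).get(_section(b, "remote")[0][1])
    if key_a is None or key_b is None:
        findings.append("a box has no pre-shared key entry for its peer")
    elif key_a != key_b:
        findings.append("pre-shared keys differ between the boxes")
    return findings

def _conf(peer, me, local_net, remote_net, dh_group):
    # Constructed racoon.conf fragment shaped like the configs quoted in the thread.
    return f"""remote {peer} {{ exchange_mode aggressive;
    my_identifier address "{me}"; peers_identifier address {peer};
    proposal {{ encryption_algorithm cast128; hash_algorithm md5;
        authentication_method pre_shared_key; dh_group {dh_group}; lifetime time 28800 secs; }}
    lifetime time 28800 secs; }}
sainfo address {local_net} any address {remote_net} any {{ encryption_algorithm 3des;
    authentication_algorithm hmac_md5; compression_algorithm deflate; pfs_group 2;
    lifetime time 7200 secs; }}"""

# Constructed sample (RFC 5737 addresses): box B has a deliberate dh_group mismatch
# and a stray trailing space after its key.
BOX_A_CONF = _conf("192.0.2.34", "192.0.2.43", "10.0.0.0/24", "10.1.1.0/24", 1)
BOX_B_CONF = _conf("192.0.2.43", "192.0.2.34", "10.1.1.0/24", "10.0.0.0/24", 2)
BOX_A_PSK = "# constructed\n192.0.2.34\tsecret-test-key\n"
BOX_B_PSK = "# constructed\n192.0.2.43\tsecret-test-key \n"
```

Calling `audit(BOX_A_CONF, BOX_B_CONF, BOX_A_PSK, BOX_B_PSK)` on the constructed sample reports the dh_group mismatch and the whitespace on box B's key; with both corrected it returns an empty list. On a real pair of m0n0wall boxes the inputs would be the `cat /var/etc/racoon.conf` output Mike asks for (with the secrets removed before posting), run locally rather than on the list.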