 From:  "James F. Newberry" <jamesn at djcomputing dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSEC Problems
 Date:  Wed, 1 Jun 2005 12:58:43 -0500
Tried all this and still no luck.  I went ahead and set up a third
m0n0wall box with the same IPSEC settings and it worked.  At least I
know it's not the IPSEC settings.  The box I need it to work on is my
production machine.  I have some 1:1 NAT stuff going on and server NAT.
Could this cause a problem with IPSEC?  The outside world sees the
firewall as the IP number I'm using in IPSEC.  Could hardware make a
difference?  Different NICs?


> Have you set up your preshared key both in the configuration 
> editor as well as the Pre-Shared Key tab, ensuring there are 
> no white spaces or differences between them? I know I had an 
> issue with whitespace or my fat finger when I set the first 
> couple up; I set up a new key and things worked. Try a simple 
> key to test and then move to a more random key if the simple 
> key works.
> I am not sure if it is needed, but I allowed ESP and AH 
> traffic on my WAN rulesets to the IPs that use the tunnel. I 
> did that during a test and never removed it to fully test it.
> Just some random thoughts since it looks like your rules are 
> ok; the xml config might be the next thing to provide if 
> nothing else helps.
> 
> Mike Mentges
> Security Engineer/Architect
> Global Security Technologies Inc.
> mmentges at gstisecurity dot com
> 
> 
> 
> 
> 
> 
> James F. Newberry wrote:
> 
> >Here is the current setup.  I've tried many different ones.
> >Right now it is set up using cast128 with a dh_group of 1.
> >I've tried the others also with no luck.
> > 
> > 
> >Box 1
> > 
> >remote xx.xx.146.34 {
> >exchange_mode aggressive;
> >my_identifier address "xx.xx.146.43";
> >peers_identifier address xx.xx.146.34;
> >initial_contact on;
> >support_proxy on;
> >proposal_check obey;
> >
> >proposal {
> >encryption_algorithm cast128;
> >hash_algorithm md5;
> >authentication_method pre_shared_key;
> >dh_group 1;
> >lifetime time 28800 secs;
> >}
> >lifetime time 28800 secs;
> >}
> >
> >sainfo address 10.0.0.0/24 any address 10.1.1.0/24 any { 
> >encryption_algorithm 3des; authentication_algorithm hmac_md5; 
> >compression_algorithm deflate; pfs_group 2; lifetime time 7200 secs;
> >}
> > 
> >Box 2
> > 
> >remote xx.xx.146.43 {
> >exchange_mode aggressive;
> >my_identifier address "xx.xx.146.34";
> >peers_identifier address xx.xx.146.43;
> >initial_contact on;
> >support_proxy on;
> >proposal_check obey;
> >
> >proposal {
> >encryption_algorithm cast128;
> >hash_algorithm md5;
> >authentication_method pre_shared_key;
> >dh_group 1;
> >lifetime time 28800 secs;
> >}
> >lifetime time 28800 secs;
> >}
> >
> >sainfo address 10.1.1.0/24 any address 10.0.0.0/24 any { 
> >encryption_algorithm 3des; authentication_algorithm hmac_md5; 
> >compression_algorithm deflate; pfs_group 2; lifetime time 7200 secs;
> >}
> >
> >
> >
> > 
> >Can you browse to the hidden exec.php script
> >(http://yourmonoip/exec.php) and provide the ipsec configs
> >for each machine?
> >You should be able to view it by typing 'cat
> >/var/etc/racoon.conf' unless there is something different
> >with your install. (I use CD)
> >From there we can see if we can help. Make sure you take out
> >anything you might not want us to see such as passkeys and IPs.
> >
> >Mike Mentges
> >Security Engineer/Architect
> >Global Security Technologies Inc.
> >mmentges at gstisecurity dot com
> >
> >
> >
> >
> >
> >James F. Newberry wrote: 
> >
> >	I've checked the settings more times than I can count.
> >	I've started over many times, I've tried different options.
> >	It's very strange.
> >	 
> >	On Tuesday 31 May 2005 08:48, James F. Newberry wrote:
> >	  
> >
> >		I just tried setting the MTU to 1400 with no luck.  Right now I have
> >		2 monowall boxes hooked to my WAN side switch and they still can not
> >		create an IPSEC link between the two of them.  I have tried the setup
> >		guide in the Docs.  I have read as many posts as I could find.  Any
> >		other ideas?  Here is the log
> >		
> >		May 31 07:47:41 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> >		May 31 07:47:41 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.233.146.34[500]<=>64.233.146.43[500]
> >		May 31 07:47:41 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 64.233.146.43 queued due to no phase1 found.
> >		May 31 07:47:33 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
> >		May 31 07:47:33 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
> >		May 31 07:47:18 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. d38c8163638cd5fa:0000000000000000
> >		May 31 07:47:02 racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
> >		May 31 07:46:49 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
> >		May 31 07:46:49 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
> >		May 31 07:46:18 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> >
> >	Looking at your logs it seems that the tunnel is never established.  My
> >	problem was that big packets just got clipped but _after_ the tunnel
> >	was established.  I suspect that you have some mismatch in parameters
> >	at the two endpoints.
> >	
> >	--george
> >	
> >	
> ---------------------------------------------------------------------
> >	To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> >	For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> >	
> >	
> >	
> >	  
> >
> >
> >  
> >
>
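Added example (not code from the thread, m0n0wall or racoon): a small Python script that does mechanically what George's reading of the log and Mike's request for both racoon.conf files amount to. It parses the 'remote' block of each box's config, checks that each side's peers_identifier matches the other side's my_identifier and that exchange mode and every phase-1 proposal attribute agree, then tallies racoon log lines so that "phase1 negotiation failed due to time up" from isakmp_ph1resend (retransmissions exhausted without any reply from the peer) is kept apart from the phase-2 handlers that are abandoned while waiting for it. The config text, the 192.0.2.x documentation addresses, the ISAKMP cookie and the log lines are constructed to mirror the shapes posted above, and the function names are this example's own.

```python
"""Cross-check two racoon.conf peers and classify racoon phase-1 log lines."""
import re

# Constructed racoon.conf 'remote' block mirroring Box 1 in the thread;
# 192.0.2.x documentation addresses stand in for the real ones.
BOX1_CONF = """
remote 192.0.2.34 {
    exchange_mode aggressive;
    my_identifier address "192.0.2.43";
    peers_identifier address 192.0.2.34;
    proposal {
        encryption_algorithm cast128;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
        lifetime time 28800 secs;
    }
}
"""
# Box 2 is Box 1 with the two addresses swapped, exactly as in the thread.
BOX2_CONF = (BOX1_CONF.replace('192.0.2.34', '@').replace('192.0.2.43', '192.0.2.34')
             .replace('@', '192.0.2.43'))

# Constructed log lines in racoon's format, newest first as m0n0wall shows them.
LOG = """\
May 31 07:47:18 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. 0123456789abcdef:0000000000000000
May 31 07:47:02 racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
May 31 07:46:49 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 192.0.2.43->192.0.2.34
May 31 07:46:18 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
"""

SETTING_RE = re.compile(r'^(\w+)\s+(.+?);$')
LOG_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+)\s+racoon: (?P<level>\w+): '
                    r'(?P<src>[\w.]+:\d+:\w+\(\)): (?P<msg>.*)$')


def parse_remote(conf):
    """Flatten one 'remote' block into {key: value}; proposal keys get a 'proposal.' prefix."""
    settings = {'peer': re.search(r'remote\s+(\S+)\s*\{', conf).group(1)}
    in_proposal = False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith('proposal') and line.endswith('{'):
            in_proposal = True
        elif line == '}':
            in_proposal = False
        else:
            m = SETTING_RE.match(line)
            if m:
                key, value = m.group(1), m.group(2).replace('"', '')
                settings[('proposal.' if in_proposal else '') + key] = value
    return settings


def crosscheck(a, b):
    """Return phase-1 mismatches between two endpoints (empty list means consistent)."""
    problems = []
    # Each side's peers_identifier must equal what the other side sends as my_identifier.
    for me, other, label in ((a, b, 'box1'), (b, a, 'box2')):
        if me.get('peers_identifier') != other.get('my_identifier'):
            problems.append(f"{label}: peers_identifier {me.get('peers_identifier')!r} != "
                            f"other side's my_identifier {other.get('my_identifier')!r}")
    # Exchange mode and every phase-1 proposal attribute must agree on both ends.
    for key in sorted(set(a) | set(b)):
        if (key == 'exchange_mode' or key.startswith('proposal.')) and a.get(key) != b.get(key):
            problems.append(f"{key}: box1={a.get(key)!r} box2={b.get(key)!r}")
    return problems


def classify_phase1(log):
    """Tally phase-1 events; 'time up' from isakmp_ph1resend means retransmits went unanswered."""
    counts = {'started': 0, 'timed_out': 0, 'sa_queued': 0, 'ph2_abandoned': 0, 'other': 0}
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        msg = m.group('msg')
        if msg.startswith('begin ') and msg.endswith(' mode.'):
            counts['started'] += 1
        elif 'phase1 negotiation failed due to time up' in msg:
            counts['timed_out'] += 1
        elif 'queued due to no phase1 found' in msg:
            counts['sa_queued'] += 1
        elif 'waiting for phase1' in msg or 'delete phase 2 handler' in msg:
            counts['ph2_abandoned'] += 1
        else:
            counts['other'] += 1
    return counts


def diagnose(conf_a, conf_b, log):
    """Combine both checks into a one-line verdict plus the supporting mismatch list."""
    problems = crosscheck(parse_remote(conf_a), parse_remote(conf_b))
    counts = classify_phase1(log)
    if problems:
        return 'phase-1 parameters differ between the endpoints', problems
    if counts['timed_out'] and not counts['other']:
        return ('configs agree but the peer never answered IKE: check UDP/500 reachability, '
                'NAT and WAN rules between the two boxes'), []
    return 'no conclusion from these inputs', []


if __name__ == '__main__':
    print(diagnose(BOX1_CONF, BOX2_CONF, LOG))
```

Run it as-is and it reports that the two constructed configs agree while phase 1 only ever timed out, which is the situation in the thread: a parameter mismatch would normally produce a different racoon error than an unanswered retransmit, so silent timeouts point at reachability (filtering or NAT of UDP/500 on the WAN path) rather than at the proposal. Feed real files into parse_remote() after stripping keys, as Mike suggests.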