 
 From:  "James F. Newberry" <jamesn at djcomputing dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSEC Problems
 Date:  Wed, 1 Jun 2005 16:22:18 -0500
The machine in question is a Proliant 1850r with 3 fxp NICs (Compaq
10/100).  I'm using the Hard Drive image.  Everything has been running
great and stable until this issue.

> Tried all this and still no luck.  I went ahead and set up a 
> third m0n0wall box with the same ipsec settings and it 
> worked.  At least I know it's not the IPSEC settings.  The 
> box I need it to work on is my production machine.  I have 
> some 1:1 nat stuff going on and server nat.
> Could this cause a problem with IPSEC?  The outside world 
> sees the firewall as the IP number I'm using in IPSEC.  Could 
> hardware make a difference?  Different NICs?
> 
> 
> > Have you set up your preshared key both in the configuration editor as well as the Pre-Shared Key tab, ensuring there are no white spaces or differences between them? I know I had an issue with whitespace or my fat finger when I set the first couple up; I set up a new key and things worked. Try a simple key to test and then move to a more random key if the simple key works.
> > I am not sure if it is needed, but I allowed ESP and AH traffic on my WAN rulesets to the IPs that use the tunnel. I did that during a test and never removed it to fully test it.
> > Just some random thoughts since it looks like your rules are ok; the xml config might be the next thing to provide if nothing else helps.
> > 
> > Mike Mentges
> > Security Engineer/Architect
> > Global Security Technologies Inc.
> > mmentges at gstisecurity dot com
> > 
> > James F. Newberry wrote:
> > 
> > >Here is the current setup.  I've tried many different ones.  Right now it is set up using cast128 with a dh_group of 1.  I've tried the others also with no luck.
> > > 
> > >Box 1
> > > 
> > >remote xx.xx.146.34 {
> > >    exchange_mode aggressive;
> > >    my_identifier address "xx.xx.146.43";
> > >    peers_identifier address xx.xx.146.34;
> > >    initial_contact on;
> > >    support_proxy on;
> > >    proposal_check obey;
> > >
> > >    proposal {
> > >        encryption_algorithm cast128;
> > >        hash_algorithm md5;
> > >        authentication_method pre_shared_key;
> > >        dh_group 1;
> > >        lifetime time 28800 secs;
> > >    }
> > >    lifetime time 28800 secs;
> > >}
> > >
> > >sainfo address 10.0.0.0/24 any address 10.1.1.0/24 any {
> > >    encryption_algorithm 3des;
> > >    authentication_algorithm hmac_md5;
> > >    compression_algorithm deflate;
> > >    pfs_group 2;
> > >    lifetime time 7200 secs;
> > >}
> > > 
> > >Box 2
> > > 
> > >remote xx.xx.146.43 {
> > >    exchange_mode aggressive;
> > >    my_identifier address "xx.xx.146.34";
> > >    peers_identifier address xx.xx.146.43;
> > >    initial_contact on;
> > >    support_proxy on;
> > >    proposal_check obey;
> > >
> > >    proposal {
> > >        encryption_algorithm cast128;
> > >        hash_algorithm md5;
> > >        authentication_method pre_shared_key;
> > >        dh_group 1;
> > >        lifetime time 28800 secs;
> > >    }
> > >    lifetime time 28800 secs;
> > >}
> > >
> > >sainfo address 10.1.1.0/24 any address 10.0.0.0/24 any {
> > >    encryption_algorithm 3des;
> > >    authentication_algorithm hmac_md5;
> > >    compression_algorithm deflate;
> > >    pfs_group 2;
> > >    lifetime time 7200 secs;
> > >}
> > >
> > >Can you browse to the hidden exec.php script (http://yourmonoip/exec.php) and provide the ipsec configs for each machine?
> > >You should be able to view it by typing this: 'cat /var/etc/racoon.conf', unless there is something different with your install. (I use CD)
> > >From there we can see if we can help. Make sure you take out anything you might not want us to see, such as passkeys and IPs.
> > >
> > >Mike Mentges
> > >Security Engineer/Architect
> > >Global Security Technologies Inc.
> > >mmentges at gstisecurity dot com
> > >
> > >James F. Newberry wrote: 
> > >
> > >	I've checked the settings more times than I can count.  I've started over many times, I've tried different options.  It's very strange.
> > >	 
> > >	On Tuesday 31 May 2005 08:48, James F. Newberry wrote:
> > >
> > >		I just tried setting the MTU to 1400 with no luck.  Right now I have 2 monowall boxes hooked to my WAN side switch and they still can not create an IPSEC link between the two of them.  I have tried the setup guide in the Docs.  I have read as many posts as I could find.  Any other ideas?  Here is the log
> > >		
> > >		May 31 07:47:41 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> > >		May 31 07:47:41 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.233.146.34[500]<=>64.233.146.43[500]
> > >		May 31 07:47:41 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 64.233.146.43 queued due to no phase1 found.
> > >		May 31 07:47:33 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
> > >		May 31 07:47:33 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
> > >		May 31 07:47:18 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. d38c8163638cd5fa:0000000000000000
> > >		May 31 07:47:02 racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
> > >		May 31 07:46:49 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
> > >		May 31 07:46:49 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
> > >		May 31 07:46:18 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> > >		
> > >	Looking at your logs it seems that the tunnel is never established.  My problem was that big packets just got clipped but _after_ the tunnel was established.  I suspect that you have some mismatch in parameters at the two endpoints.
> > >	
> > >	--george
> > >	
> > 
> ---------------------------------------------------------------------
> > >	To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > >	For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
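george's closing remark points at a mismatch in parameters between the two endpoints, and the thread shows exactly which racoon.conf directives have to agree or mirror. As an added example, not code from m0n0wall or from anyone in this thread, here is a small Python checker that parses the racoon.conf subset quoted above (remote, proposal, sainfo) from two boxes and lists where they fail to mirror each other; the sample configs are constructed, with RFC 5737 placeholder addresses in place of the posters' own, and the parser handles only the directive forms seen in the thread.

```python
import re

# Constructed configs modelled on the thread's two boxes (RFC 5737 placeholder addresses).
BOX1 = ('remote 192.0.2.34 { exchange_mode aggressive; my_identifier address "192.0.2.43"; '
        'peers_identifier address 192.0.2.34; proposal { encryption_algorithm cast128; hash_algorithm md5; '
        'authentication_method pre_shared_key; dh_group 1; } } sainfo address 10.0.0.0/24 any address '
        '10.1.1.0/24 any { encryption_algorithm 3des; authentication_algorithm hmac_md5; pfs_group 2; }')
# Box 2 is the mirror image: the two endpoint addresses and the two subnets are swapped.
BOX2 = (BOX1.replace('192.0.2.34', '@').replace('192.0.2.43', '192.0.2.34').replace('@', '192.0.2.43')
        .replace('10.0.0.0/24 any address 10.1.1.0/24', '10.1.1.0/24 any address 10.0.0.0/24'))

def parse(text):
    """Parse the racoon.conf subset from the thread: blocks become dicts keyed by header."""
    toks = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
    pos = 0
    def block():
        nonlocal pos
        out = {}
        while pos < len(toks) and toks[pos] != '}':
            words = []
            while toks[pos] not in ('{', ';'):
                words.append(toks[pos].strip('"'))
                pos += 1
            if toks[pos] == '{':
                pos += 1
                out[' '.join(words)] = block()        # e.g. 'remote 192.0.2.34' -> {...}
            else:
                out[words[0]] = ' '.join(words[1:])   # e.g. 'dh_group' -> '1'
            pos += 1  # consume the closing '}' or the ';'
        return out
    return block()

def section(conf, prefix):
    """Return (header, body) of the first top-level block whose header starts with prefix."""
    return next((k, v) for k, v in conf.items() if k.startswith(prefix))

def check_peers(a, b):
    """List asymmetries between two peers; empty means phase 1 and phase 2 mirror each other."""
    issues = []
    (ha, ra), (hb, rb) = section(a, 'remote '), section(b, 'remote ')
    for peer, other in ((ha, rb), (hb, ra)):   # each 'remote X' must be the other's my_identifier
        if peer.split()[1] != other['my_identifier'].split()[-1]:
            issues.append("remote %s is not the other side's my_identifier" % peer.split()[1])
    issues += ['phase 1 %s differs' % k for k in ('exchange_mode', 'proposal') if ra[k] != rb[k]]
    (ha, sa), (hb, sb) = section(a, 'sainfo '), section(b, 'sainfo ')
    if (ha.split()[2], ha.split()[5]) != (hb.split()[5], hb.split()[2]):
        issues.append('phase 2 subnets are not mirrored: %r vs %r' % (ha, hb))
    if sa != sb:
        issues.append('phase 2 algorithms differ')
    return issues
```

Run `check_peers(parse(open('box1.conf').read()), parse(open('box2.conf').read()))` on the two `/var/etc/racoon.conf` dumps Mike asked for; an empty list means the endpoints agree on everything the thread's configs express.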