 From:  Gary Barclay <badimba at gmail dot com>
 To:  "James F. Newberry" <jamesn at djcomputing dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Problems
 Date:  Wed, 1 Jun 2005 23:31:27 +0100
James,
I know you've been working on this extensively and I don't want to
suggest things that you have done time and time again, but it's the
only way...can you please provide the logs from both the systems you
are testing so that we can see what is happening on both sides?
Also can you try cutting and pasting identifiers and preshared keys
into each config so that there is no chance of typos (I know your
instant reaction to this will be neg but sometimes we are so close to
the problem that it is invisible to us).

I just spent 4 hours trying to get ipsec working between two m0n0walls
and found that my domain identifier had a typo in it... I must have
'checked' it at both ends, at least 10 times!

Cheers
Gary

On 01/06/05, James F. Newberry <jamesn at djcomputing dot net> wrote:
> The machine in question is a Proliant 1850r with 3 fxp NIC's (Compaq
> 10/100).  I'm using the Hard Drive image.  Everything has been running
> great and stable until this issue.
> 
> > Tried all this and still no luck.  I went ahead and setup a
> > third m0n0wall box with the same ipsec settings and it
> > worked.  At least I know it's not the IPSEC settings.  The
> > box I need it to work on is my production machine.  I have
> > some 1:1 nat stuff going on and server nat.
> > Could this cause a problem with IPSEC?  The outside world
> > sees the firewall as the IP number I'm using in IPSEC.  Could
> > hardware make a difference?  Different NIC's?
> >
> >
> > > Have you set up your preshared key both in the configuration editor as
> > > well as the Pre-Shared Key tab ensuring there are no white spaces or
> > > differences between them? I know I had an issue with whitespace or my
> > > fat finger when I set the first couple up, I set up a new key and
> > > things worked. Try a simple key to test and then move to a more random
> > > key if the simple key works.
> > > I am not sure if it is needed but I allowed ESP and AH traffic on my
> > > WAN rulesets to the ip's that use the tunnel, I did that during a test
> > > and never removed it to fully test it.
> > > Just some random thoughts since it looks like your rules are ok, the
> > > xml config might be the next thing to provide if nothing else helps.
> > >
> > > Mike Mentges
> > > Security Engineer/Architect
> > > Global Security Technologies Inc.
> > > mmentges at gstisecurity dot com
> > >
> > >
> > >
> > >
> > >
> > >
> > > James F. Newberry wrote:
> > >
> > > >Here is the current setup.  I've tried many different ones.
> > > >Right now it is set up using cast128 with a dh_group of 1.
> > > >I've tried the others also with no luck.
> > > >
> > > >
> > > >Box 1
> > > >
> > > >remote xx.xx.146.34 {
> > > >    exchange_mode aggressive;
> > > >    my_identifier address "xx.xx.146.43";
> > > >    peers_identifier address xx.xx.146.34;
> > > >    initial_contact on;
> > > >    support_proxy on;
> > > >    proposal_check obey;
> > > >
> > > >    proposal {
> > > >        encryption_algorithm cast128;
> > > >        hash_algorithm md5;
> > > >        authentication_method pre_shared_key;
> > > >        dh_group 1;
> > > >        lifetime time 28800 secs;
> > > >    }
> > > >    lifetime time 28800 secs;
> > > >}
> > > >
> > > >sainfo address 10.0.0.0/24 any address 10.1.1.0/24 any {
> > > >    encryption_algorithm 3des;
> > > >    authentication_algorithm hmac_md5;
> > > >    compression_algorithm deflate;
> > > >    pfs_group 2;
> > > >    lifetime time 7200 secs;
> > > >}
> > > >
> > > >Box 2
> > > >
> > > >remote xx.xx.146.43 {
> > > >    exchange_mode aggressive;
> > > >    my_identifier address "xx.xx.146.34";
> > > >    peers_identifier address xx.xx.146.43;
> > > >    initial_contact on;
> > > >    support_proxy on;
> > > >    proposal_check obey;
> > > >
> > > >    proposal {
> > > >        encryption_algorithm cast128;
> > > >        hash_algorithm md5;
> > > >        authentication_method pre_shared_key;
> > > >        dh_group 1;
> > > >        lifetime time 28800 secs;
> > > >    }
> > > >    lifetime time 28800 secs;
> > > >}
> > > >
> > > >sainfo address 10.1.1.0/24 any address 10.0.0.0/24 any {
> > > >    encryption_algorithm 3des;
> > > >    authentication_algorithm hmac_md5;
> > > >    compression_algorithm deflate;
> > > >    pfs_group 2;
> > > >    lifetime time 7200 secs;
> > > >}
> > > >
> > > >
> > > >
> > > >
> > > >Can you browse to the hidden exec.php script (http://yourmonoip/exec.php)
> > > >and provide the ipsec configs for each machine?
> > > >You should be able to view it by typing this.... 'cat /var/etc/racoon.conf'
> > > >unless there is something different with your install.. (I use CD)
> > > >From there we can see if we can help. Make sure you take out anything
> > > >you might not want us to see such as passkeys and ip's
> > > >
> > > >Mike Mentges
> > > >Security Engineer/Architect
> > > >Global Security Technologies Inc.
> > > >mmentges at gstisecurity dot com
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >James F. Newberry wrote:
> > > >
> > > >   I've checked the settings more times than I can count.  I've started
> > > >   over many times, I've tried different options.  It's very strange.
> > > >
> > > >   On Tuesday 31 May 2005 08:48, James F. Newberry wrote:
> > > >
> > > >
> > > >           I just tried setting the MTU to 1400 with no luck.  Right now
> > > >           I have 2 monowall boxes hooked to my WAN side switch and they
> > > >           still can not create an IPSEC link between the two of them.
> > > >           I have tried the setup guide in the Docs.  I have read as many
> > > >           posts as I could find.  Any other ideas?  Here is the log
> > > >
> > > >           May 31 07:47:41 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> > > >           May 31 07:47:41 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.233.146.34[500]<=>64.233.146.43[500]
> > > >           May 31 07:47:41 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 64.233.146.43 queued due to no phase1 found.
> > > >           May 31 07:47:33 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
> > > >           May 31 07:47:33 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
> > > >           May 31 07:47:18 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. d38c8163638cd5fa:0000000000000000
> > > >           May 31 07:47:02 racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
> > > >           May 31 07:46:49 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
> > > >           May 31 07:46:49 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
> > > >           May 31 07:46:18 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> > > >
> > > >
> > > >
> > > >   Looking at your logs it seems that the tunnel is never established.
> > > >   My problem was that big packets just got clipped but _after_ the
> > > >   tunnel was established.  I suspect that you have some mismatch in
> > > >   parameters at the two endpoints.
> > > >
> > > >   --george
> > > >
> > > >
> > >
> > > >   ---------------------------------------------------------------------
> > > >   To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > >   For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> > >
> >
> 
> 
>
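The advice that runs through this thread (paste identifiers rather than retype them, and look for a parameter mismatch between the two endpoints when phase 1 never completes) can be turned into a script. The following is an added example and is not code from the thread, from m0n0wall or from racoon: a minimal, hypothetical racoon.conf parser (`tokenize`, `parse`, `section`, `setting`, `check_pair` are all names chosen here) that reads the two posted configs and reports where they disagree. The `racoon_conf` template reproduces the posted configs with the masked `xx.xx` addresses replaced by RFC 5737 documentation addresses; the "typo" and "dh_group" variants are constructed inputs showing what a one-digit identifier slip or a one-sided proposal change looks like to the checker.

```python
import re

# Added example (not m0n0wall or racoon code): cross-check two racoon.conf
# fragments for the mismatches raised in the thread, so a typo in an identifier
# or a differing phase 1 proposal is caught by a script rather than by eye.

def racoon_conf(local, peer, local_net, peer_net):
    """Constructed template mirroring the configs posted in the thread; the
    masked 'xx.xx' addresses are replaced by RFC 5737 documentation addresses."""
    return f"""
remote {peer} {{
    exchange_mode aggressive;
    my_identifier address "{local}"; peers_identifier address {peer};
    initial_contact on; support_proxy on; proposal_check obey;
    proposal {{
        encryption_algorithm cast128; hash_algorithm md5;
        authentication_method pre_shared_key; dh_group 1;
        lifetime time 28800 secs;
    }}
    lifetime time 28800 secs;
}}
sainfo address {local_net} any address {peer_net} any {{
    encryption_algorithm 3des; authentication_algorithm hmac_md5;
    compression_algorithm deflate; pfs_group 2; lifetime time 7200 secs;
}}
"""

BOX1 = racoon_conf("192.0.2.43", "192.0.2.34", "10.0.0.0/24", "10.1.1.0/24")
BOX2 = racoon_conf("192.0.2.34", "192.0.2.43", "10.1.1.0/24", "10.0.0.0/24")
# Constructed variants: one digit fat-fingered in Box 2's peers_identifier
# (Gary's anecdote), and a DH group changed on one side only (George's point).
BOX2_TYPO = BOX2.replace("peers_identifier address 192.0.2.43", "peers_identifier address 192.0.2.48")
BOX2_DH = BOX2.replace("dh_group 1;", "dh_group 2;")

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

def tokenize(text):
    """Split racoon.conf text into words, braces and semicolons; '#' comments dropped."""
    text = re.sub(r"#.*", "", text)
    return [t.strip('"') for t in TOKEN.findall(text)]

def parse(tokens):
    """Minimal parser: [(head_words, children)], children is a nested list for
    '{ }' blocks and None for plain 'key value...;' statements."""
    tree, stmt, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            tree.append((tuple(stmt), None)); stmt = []
        elif tok == "{":
            depth, j = 1, i + 1
            while depth:                       # find the matching close brace
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            tree.append((tuple(stmt), parse(tokens[i + 1:j - 1]))); stmt = []
            i = j
            continue
        else:
            stmt.append(tok)
        i += 1
    return tree

def section(tree, name):
    """First '{ }' block whose keyword is name -> (argument words, children)."""
    for head, children in tree:
        if children is not None and head and head[0] == name:
            return head[1:], children
    raise KeyError(f"no {name} block")

def setting(block, key):
    """Value of a 'key value...;' statement in block, or None if absent."""
    for head, children in block:
        if children is None and head and head[0] == key:
            return " ".join(head[1:])
    return None

def check_pair(conf_a, conf_b):
    """Compare both ends; return a list of mismatch descriptions (empty = consistent)."""
    a, b = parse(tokenize(conf_a)), parse(tokenize(conf_b))
    problems = []

    def same(block_a, block_b, key, where):
        va, vb = setting(block_a, key), setting(block_b, key)
        if va != vb:
            problems.append(f"{where} {key}: {va!r} vs {vb!r}")

    rem_a, rem_b = section(a, "remote")[1], section(b, "remote")[1]
    # Identifiers must cross-match: what A calls itself is what B expects.
    for mine, theirs, where in ((rem_a, rem_b, "A->B"), (rem_b, rem_a, "B->A")):
        me, you = setting(mine, "my_identifier"), setting(theirs, "peers_identifier")
        if me != you:
            problems.append(f"{where} my_identifier {me!r} vs peers_identifier {you!r}")
    same(rem_a, rem_b, "exchange_mode", "phase 1")
    prop_a, prop_b = section(rem_a, "proposal")[1], section(rem_b, "proposal")[1]
    for key in ("encryption_algorithm", "hash_algorithm", "authentication_method", "dh_group"):
        same(prop_a, prop_b, key, "phase 1 proposal")
    # Phase 2: selectors must be mirrored, algorithms and PFS group identical.
    (sel_a, sa_a), (sel_b, sa_b) = section(a, "sainfo"), section(b, "sainfo")
    if sel_a != sel_b[3:] + sel_b[:3]:
        problems.append(f"sainfo selectors not mirrored: {sel_a} vs {sel_b}")
    for key in ("encryption_algorithm", "authentication_algorithm", "pfs_group"):
        same(sa_a, sa_b, key, "phase 2")
    return problems

if __name__ == "__main__":
    for label, other in (("as posted", BOX2), ("identifier typo", BOX2_TYPO), ("dh_group", BOX2_DH)):
        print(label, "->", check_pair(BOX1, other) or "consistent")
```

Run against the configs as posted the checker reports nothing, which matches what the thread observed (the same settings brought up a tunnel on a third box), so a clean result here points the investigation away from the racoon.conf contents and towards the environment of the production box. The checker only knows the statement shapes that appear in the posted configs; anything else in a real racoon.conf is parsed but ignored.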