 
 From:  "James F. Newberry" <jamesn at djcomputing dot net>
 To:  "Gary Barclay" <badimba at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSEC Problems
 Date:  Wed, 1 Jun 2005 22:44:02 -0500
Thanks for the time, but I think I have it working.  It turned out to be
the way I had one of my NAT rules set up.  I had to start using the
outbound option.  I ended up putting the config file from the problem
box on my third box that I got to work.  It stopped working with this file.
I then started removing rules until it started working.

> James,
> I know you've been working on this extensively and I don't 
> want to suggest things that you have done time and time 
> again, but it's the only way...can you please provide the 
> logs from both the systems you are testing so that we can see 
> what is happening on both sides?
> Also can you try cutting and pasting identifiers and 
> preshared keys into each config so that there is no chance of 
> typos (I know your instant reaction to this will be neg but 
> sometimes we are so close to the problem that it is invisible to us).
> 
> I just spent 4 hours trying to get ipsec working between two 
> m0n0walls and found that my domain identifier had a typo in 
> it... I must have 'checked' it at both ends, at least 10 times!
> 
> Cheers
> Gary
> 
> On 01/06/05, James F. Newberry <jamesn at djcomputing dot net> wrote:
> > The machine in question is a Proliant 1850r with 3 fxp NIC's (Compaq
> > 10/100).  I'm using the Hard Drive image.  Everything has been running
> > great and stable until this issue.
> > 
> > > Tried all this and still no luck.  I went ahead and set up a third
> > > m0n0wall box with the same ipsec settings and it worked.  At least I
> > > know it's not the IPSEC settings.  The box I need it to work on is
> > > my production machine.  I have some 1:1 nat stuff going on and
> > > server nat.  Could this cause a problem with IPSEC?  The outside world
> > > sees the firewall as the IP number I'm using in IPSEC.  Could
> > > hardware make a difference?  Different NIC's?
> > >
> > >
> > > > Have you set up your preshared key both in the configuration editor as
> > > > well as the Pre-Shared Key tab ensuring there are no white spaces or
> > > > differences between them? I know I had an issue with whitespace or my
> > > > fat finger when I set the first couple up, I set up a new key and
> > > > things worked. Try a simple key to test and then move to a more random
> > > > key if the simple key works.
> > > > I am not sure if it is needed but I allowed ESP and AH traffic on my
> > > > WAN rulesets to the ip's that use the tunnel, I did that during a test
> > > > and never removed it to fully test it.
> > > > Just some random thoughts since it looks like your rules are ok, the
> > > > xml config might be the next thing to provide if nothing else helps.
> > > >
> > > > Mike Mentges
> > > > Security Engineer/Architect
> > > > Global Security Technologies Inc.
> > > > mmentges at gstisecurity dot com
> > > >
> > > > James F. Newberry wrote:
> > > >
> > > > >Here is the current setup.  I've tried many different ones.  Right now
> > > > >it is set up using cast128 with a dh_group of 1.  I've tried the others
> > > > >also with no luck.
> > > > >
> > > > >
> > > > >Box 1
> > > > >
> > > > >remote xx.xx.146.34 {
> > > > >    exchange_mode aggressive;
> > > > >    my_identifier address "xx.xx.146.43";
> > > > >    peers_identifier address xx.xx.146.34;
> > > > >    initial_contact on;
> > > > >    support_proxy on;
> > > > >    proposal_check obey;
> > > > >
> > > > >    proposal {
> > > > >        encryption_algorithm cast128;
> > > > >        hash_algorithm md5;
> > > > >        authentication_method pre_shared_key;
> > > > >        dh_group 1;
> > > > >        lifetime time 28800 secs;
> > > > >    }
> > > > >    lifetime time 28800 secs;
> > > > >}
> > > > >
> > > > >sainfo address 10.0.0.0/24 any address 10.1.1.0/24 any {
> > > > >    encryption_algorithm 3des;
> > > > >    authentication_algorithm hmac_md5;
> > > > >    compression_algorithm deflate;
> > > > >    pfs_group 2;
> > > > >    lifetime time 7200 secs;
> > > > >}
> > > > >
> > > > >Box 2
> > > > >
> > > > >remote xx.xx.146.43 {
> > > > >    exchange_mode aggressive;
> > > > >    my_identifier address "xx.xx.146.34";
> > > > >    peers_identifier address xx.xx.146.43;
> > > > >    initial_contact on;
> > > > >    support_proxy on;
> > > > >    proposal_check obey;
> > > > >
> > > > >    proposal {
> > > > >        encryption_algorithm cast128;
> > > > >        hash_algorithm md5;
> > > > >        authentication_method pre_shared_key;
> > > > >        dh_group 1;
> > > > >        lifetime time 28800 secs;
> > > > >    }
> > > > >    lifetime time 28800 secs;
> > > > >}
> > > > >
> > > > >sainfo address 10.1.1.0/24 any address 10.0.0.0/24 any {
> > > > >    encryption_algorithm 3des;
> > > > >    authentication_algorithm hmac_md5;
> > > > >    compression_algorithm deflate;
> > > > >    pfs_group 2;
> > > > >    lifetime time 7200 secs;
> > > > >}
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >Can you browse to the hidden exec.php script (http://yourmonoip/exec.php)
> > > > >and provide the ipsec configs for each machine?
> > > > >You should be able to view it by typing this....  'cat /var/etc/racoon.conf'
> > > > >unless there is something different with your install.. (I use CD)
> > > > >From there we can see if we can help. Make sure you take out anything you
> > > > >might not want us to see such as passkeys and ip's
> > > > >
> > > > >Mike Mentges
> > > > >Security Engineer/Architect
> > > > >Global Security Technologies Inc.
> > > > >mmentges at gstisecurity dot com
> > > > >
> > > > >James F. Newberry wrote:
> > > > >
> > > > >   I've checked the settings more times than I can count.  I've started
> > > > >   over many times, I've tried different options.  It's very strange.
> > > > >
> > > > >   On Tuesday 31 May 2005 08:48, James F. Newberry wrote:
> > > > >
> > > > >
> > > > >           I just tried setting the MTU to 1400 with no luck.  Right now
> > > > >           I have 2 monowall boxes hooked to my WAN side switch and they
> > > > >           still can not create an IPSEC link between the two of them.
> > > > >           I have tried the setup guide in the Docs.  I have read as
> > > > >           many posts as I could find.  Any other ideas?  Here is the log
> > > > >
> > > > >           May 31 07:47:41  racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> > > > >           May 31 07:47:41  racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.233.146.34[500]<=>64.233.146.43[500]
> > > > >           May 31 07:47:41  racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 64.233.146.43 queued due to no phase1 found.
> > > > >           May 31 07:47:33  racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
> > > > >           May 31 07:47:33  racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
> > > > >           May 31 07:47:18  racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. d38c8163638cd5fa:0000000000000000
> > > > >           May 31 07:47:02  racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
> > > > >           May 31 07:46:49  racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
> > > > >           May 31 07:46:49  racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 64.233.146.43->64.233.146.34
> > > > >           May 31 07:46:18  racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> > > > >
> > > > >
> > > > >
> > > > >   Looking at your logs it seems that the tunnel is never established.  My
> > > > >   problem was that big packets just got clipped but _after_ the tunnel
> > > > >   was established.  I suspect that you have some mismatch in parameters
> > > > >   at the two endpoints.
> > > > >
> > > > >   --george
> > > > >
> > > > >
> > > >
> > > > >   ---------------------------------------------------------------------
> > > > >   To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> > > > >   For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
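Added example, not part of the thread and not m0n0wall or racoon code. George suspected a parameter mismatch between the two endpoints and Gary found one in his own identifier after "checking" it ten times; this is the mechanical version of that check. It parses two racoon.conf endpoints (the configs embedded below are constructed from the redacted ones James posted, with the Box 1 sainfo brace closed) and reports every way they fail to be mirror images: each side's my_identifier must equal the other's peers_identifier (quoting and whitespace are ignored, since 'address "x"' and 'address x' name the same identity), the phase 1 proposal attributes must agree, and the two sainfo selectors must be each other's reverse. Function names, the A/B labels and the "xx.xx" placeholders are mine; comments in racoon.conf are not handled.

```python
"""Cross-check two racoon.conf endpoints for the mismatches discussed in the thread:
swapped identifiers, unequal phase-1 proposals, sainfo selectors that are not mirrored.
Added example, not m0n0wall or racoon code; configs constructed from the redacted ones posted."""

BOX1_CONF = """
remote xx.xx.146.34 {
    exchange_mode aggressive;
    my_identifier address "xx.xx.146.43";
    peers_identifier address xx.xx.146.34;
    proposal_check obey;
    proposal {
        encryption_algorithm cast128;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
        lifetime time 28800 secs;
    }
    lifetime time 28800 secs;
}
sainfo address 10.0.0.0/24 any address 10.1.1.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
    lifetime time 7200 secs;
}
"""

# Box 2 must be the mirror image: identifiers swapped, sainfo selectors reversed.
BOX2_CONF = (BOX1_CONF
    .replace("remote xx.xx.146.34", "remote xx.xx.146.43")
    .replace('my_identifier address "xx.xx.146.43"', 'my_identifier address "xx.xx.146.34"')
    .replace("peers_identifier address xx.xx.146.34", "peers_identifier address xx.xx.146.43")
    .replace("sainfo address 10.0.0.0/24 any address 10.1.1.0/24 any",
             "sainfo address 10.1.1.0/24 any address 10.0.0.0/24 any"))


def _norm(s):
    """Collapse whitespace and drop quotes, so 'address "1.2.3.4"' equals 'address 1.2.3.4'."""
    return " ".join(s.replace('"', "").split())


def _block_end(text, start):
    """Index just past the '}' that closes the '{' at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return i + 1
    raise ValueError("unbalanced braces in racoon.conf")


def parse_racoon(body):
    """racoon.conf text (comments not handled) -> dict: 'k v;' gives k: 'v',
    'header { ... }' gives normalised header: nested dict."""
    out, cur, i = {}, [], 0
    while i < len(body):
        ch = body[i]
        if ch == "{":
            end = _block_end(body, i)
            out[_norm("".join(cur))] = parse_racoon(body[i + 1:end - 1])
            cur, i = [], end
            continue
        if ch == ";":
            stmt = _norm("".join(cur))
            if stmt:
                key, _, val = stmt.partition(" ")
                out[key] = val
            cur = []
        else:
            cur.append(ch)
        i += 1
    return out


def _only(cfg, kind):
    """(header, body) of the single top-level block whose header starts with kind."""
    return next((h, v) for h, v in cfg.items() if h.startswith(kind + " "))


def cross_check(conf_a, conf_b):
    """Every way the two endpoints disagree; [] means they are consistent."""
    a, b = parse_racoon(conf_a), parse_racoon(conf_b)
    (_, ra), (_, rb) = _only(a, "remote"), _only(b, "remote")
    (ha, sa), (hb, sb) = _only(a, "sainfo"), _only(b, "sainfo")
    problems = []
    # Phase 1: what A claims to be must be exactly what B expects, and vice versa
    # (the check that would have caught Gary's fat-fingered identifier).
    for x, rx, y, ry in (("A", ra, "B", rb), ("B", rb, "A", ra)):
        if rx.get("my_identifier") != ry.get("peers_identifier"):
            problems.append(f"{x} my_identifier {rx.get('my_identifier')!r} != "
                            f"{y} peers_identifier {ry.get('peers_identifier')!r}")
    pa, pb = ra.get("proposal", {}), rb.get("proposal", {})
    for k in sorted(set(pa) | set(pb)):
        if pa.get(k) != pb.get(k):
            problems.append(f"phase1 proposal {k}: {pa.get(k)} vs {pb.get(k)}")
    # Phase 2: 'sainfo address L any address R any' must be mirrored, algorithms equal.
    ta, tb = ha.split(), hb.split()
    if (ta[2], ta[5]) != (tb[5], tb[2]):
        problems.append(f"sainfo selectors not mirrored: {ta[2]}->{ta[5]} vs {tb[2]}->{tb[5]}")
    for k in sorted(set(sa) | set(sb)):
        if sa.get(k) != sb.get(k):
            problems.append(f"phase2 {k}: {sa.get(k)} vs {sb.get(k)}")
    return problems


if __name__ == "__main__":
    print("as posted:", cross_check(BOX1_CONF, BOX2_CONF) or "consistent")
    # One mistyped octet in Box 2's own identifier, Gary's scenario:
    typo = BOX2_CONF.replace('address "xx.xx.146.34"', 'address "xx.xx.146.35"')
    print("with typo:", cross_check(BOX1_CONF, typo))
```

Feed it the output of 'cat /var/etc/racoon.conf' from both boxes (redacted, as Mike asked, before it goes to a list). It passes James's two configs, which is the useful result: when both ends agree and phase 1 still times out with no reply, the problem sits between the endpoints rather than in them, which is where the NAT rule he eventually removed was.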