 From:  "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
 To:  "Aaron Cleaver" <aaron dot cleaver at gmail dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: [m0n0wall] vpn with a twist
 Date:  Fri, 24 Jun 2005 10:59:46 +0200
You were nearly right with the two tunnels. Each tunnel needs a unique identifier for this to work
though (m0n0 gets confused if the identifier of the second tunnel is the same, as it also comes from
the same source IP). Generate a pair of identifiers and use those for the second tunnel. Should work
after that.

Holger


From: Aaron Cleaver [mailto:aaron dot cleaver at gmail dot com]
Sent: Friday, 24 June 2005 10:42
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] vpn with a twist


Hi all,

I've done a quick search and haven't spotted anything to resolve my
problem exactly.

I'm trying to connect two sites with VPN, with one of the sites having two subnets,

i.e. site 1
(internet adsl)
        |
172.25.1.0/24 
          |   (router)
172.25.2.0/24

site 2 
(internet adsl)
     |
172.25.3.0/24

I've managed to do this previously with Linksys BEFVP41s by creating
two separate tunnels and by placing a static route in the internet
ADSL router in site one.

When I attempt to replicate this with mono, the "extra" tunnel for the
non-immediate subnet doesn't seem to connect properly, while the tunnel
for the immediate subnet works with minimal fuss.

Couple of notes:
I can ping the internet router in site 1 from a machine in the x.2
subnet so the routing is right.

Log from the Linksys when attempting to initiate a connection from site 2
------------------------------------
2005-06-24 18:35:46 IKE[6] Tx >> MM_I1 : site.one.public.ip SA 
2005-06-24 18:35:47 IKE[6] Rx << MM_R1 : site.one.public.ip SA, VID 
2005-06-24 18:35:47 IKE[6] ISAKMP SA CKI=[4656fdae 859c58b6]
CKR=[b3d9667 55b04e4b]
2005-06-24 18:35:47 IKE[6] ISAKMP SA 3DES / SHA / PreShared /
MODP_1024 / 28800 sec (*28800 sec)
2005-06-24 18:35:47 IKE[6] Tx >> MM_I2 : site.one.public.ip KE, NONCE 
2005-06-24 18:35:47 IKE[6] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID 
2005-06-24 18:35:47 IKE[6] Tx >> MM_I3 : site.one.public.ip ID, HASH 
2005-06-24 18:35:47 IKE[73] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID 
2005-06-24 18:35:47 IKE[73] Tx >> MM_I3 : site.one.public.ip ID, HASH 
2005-06-24 18:35:57 IKE[6] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID 
2005-06-24 18:35:57 IKE[6] Tx >> MM_I3 : site.one.public.ip ID, HASH 
2005-06-24 18:35:57 IKE[73] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID 
2005-06-24 18:35:57 IKE[73] Tx >> MM_I3 : site.one.public.ip ID, HASH
-----------------------------------------------------------------------------



From the mono syslog
------------------------------
Jun 24 18:40:00 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend():
phase1 negotiation failed due to time up.
b2b928e4ded1a222:b5f2e11387eaf600
Jun 24 18:39:57 racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin
Identity Protection mode.
Jun 24 18:39:57 racoon: INFO: isakmp.c:904:isakmp_ph1begin_r():
respond new phase 1 negotiation:
site.one.public.ip[500]<=>site.two.public.ip[500]
Jun 24 18:39:48 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend():
phase1 negotiation failed due to time up.
0d5b981a93a25777:b06c4c6bfe430953
-------------------------------------------------------



I guess what I'm asking is has anyone managed to get this going before?


Thanks,

Aaron
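As an added diagnostic (not from the thread, and not m0n0wall or Linksys code): a small Python parser for the Linksys IKE log format quoted above that flags a peer with more than one concurrent main-mode session stuck retransmitting MM_I3, which is what Aaron's log shows (IKE[6] and IKE[73] both resending ID/HASH and never receiving MM_R3). The sample lines are constructed from the quoted log; `site.one.public.ip` is kept as the placeholder the post uses.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Linksys IKE log quoted in the thread.
SAMPLE_LOG = """\
2005-06-24 18:35:46 IKE[6] Tx >> MM_I1 : site.one.public.ip SA
2005-06-24 18:35:47 IKE[6] Rx << MM_R1 : site.one.public.ip SA, VID
2005-06-24 18:35:47 IKE[6] Tx >> MM_I2 : site.one.public.ip KE, NONCE
2005-06-24 18:35:47 IKE[6] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
2005-06-24 18:35:47 IKE[6] Tx >> MM_I3 : site.one.public.ip ID, HASH
2005-06-24 18:35:47 IKE[73] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
2005-06-24 18:35:47 IKE[73] Tx >> MM_I3 : site.one.public.ip ID, HASH
2005-06-24 18:35:57 IKE[6] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
2005-06-24 18:35:57 IKE[6] Tx >> MM_I3 : site.one.public.ip ID, HASH
2005-06-24 18:35:57 IKE[73] Tx >> MM_I3 : site.one.public.ip ID, HASH
"""

# "<date> <time> IKE[<session>] Tx >> MM_I3 : <peer> ID, HASH"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IKE\[(?P<sess>\d+)\] (?P<dir>Tx|Rx) [<>]+ "
    r"(?P<msg>MM_[IR]\d) : (?P<peer>\S+)")


def parse_ike_log(text):
    """Yield one dict per parsable main-mode log line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_stalled_sessions(text):
    """Return {peer: {session_id: MM_I3 transmit count}} for every peer that
    has more than one IKE session which sent MM_I3 but never received MM_R3.
    Several such sessions towards one peer at the same time is the pattern
    seen when two tunnels to the same gateway collide in phase 1."""
    i3_sent = defaultdict(lambda: defaultdict(int))
    completed = set()
    for rec in parse_ike_log(text):
        key = (rec["peer"], rec["sess"])
        if rec["dir"] == "Tx" and rec["msg"] == "MM_I3":
            i3_sent[rec["peer"]][rec["sess"]] += 1
        elif rec["dir"] == "Rx" and rec["msg"] == "MM_R3":
            completed.add(key)  # responder answered: phase 1 progressed
    result = {}
    for peer, sessions in i3_sent.items():
        stalled = {s: n for s, n in sessions.items()
                   if (peer, s) not in completed}
        if len(stalled) > 1:
            result[peer] = stalled
    return result


if __name__ == "__main__":
    print(find_stalled_sessions(SAMPLE_LOG))
```

A healthy log, where each session gets its MM_R3, yields an empty dict; the sample above reports both sessions 6 and 73 stalled against the same peer.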
