 
 From:  Aaron Cleaver <aaron dot cleaver at gmail dot com>
 To:  Holger Bauer <Holger dot Bauer at citec dash ag dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] vpn with a twist
 Date:  Tue, 28 Jun 2005 16:56:43 +1000
Thanks for the quick reply Holger,

Could you give me a bit of clarification on "Generate a pair of identifiers"???
I assumed that this is referring to the "My identifier" part of the
Phase 1 settings.  I tried changing this to the FQDN of our external
IP but I'm still getting the same issues with the whole thing timing
out.

Other than that, I was hoping to keep the Linksys routers at the other
location for now; do you know if this is possible with that hardware?

Thanks, Aaron

On 6/24/05, Holger Bauer <Holger dot Bauer at citec dash ag dot de> wrote:
> 
> You were nearly right with the two tunnels. Each tunnel needs a unique identifier for this to work
> though (m0n0 gets confused if the identifier of the second tunnel is the same as it also comes from
> the same source IP). Generate a pair of identifiers and use those for the second tunnel. Should work
> after that.
> 
> Holger
> 

> From: Aaron Cleaver [mailto:aaron dot cleaver at gmail dot com]
> Sent: Friday, 24 June 2005 10:42
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] vpn with a twist
> 
> 
> Hi all,
> 
> I've done a quick search and haven't spotted anything to resolve my
> problem exactly.
> 
> I'm trying to connect two sites with VPN, with one of the sites having two subnets,
> 
> ie site 1
> (internet adsl)
>         |
> 172.25.1.0/24
>           |   (router)
> 172.25.2.0/24
> 
> site 2
> (internet adsl)
>      |
> 172.25.3.0/24
> 
> I've managed to do this previously with Linksys BEFVP41s by creating
> two separate tunnels and by placing a static route in the internet
> ADSL router in site one.
> 
> When I attempt to replicate this with mono, the "extra" tunnel for the
> non-immediate subnet doesn't seem to connect properly, while the tunnel
> for the immediate subnet works with minimal fuss.
> 
> Couple of notes:
> I can ping the internet router in site 1 from a machine in the x.2
> subnet, so the routing is right.
> 
> Log from the Linksys when attempting to initiate a connection from site 2
> ------------------------------------
> 2005-06-24 18:35:46 IKE[6] Tx >> MM_I1 : site.one.public.ip SA
> 2005-06-24 18:35:47 IKE[6] Rx << MM_R1 : site.one.public.ip SA, VID
> 2005-06-24 18:35:47 IKE[6] ISAKMP SA CKI=[4656fdae 859c58b6]
> CKR=[b3d9667 55b04e4b]
> 2005-06-24 18:35:47 IKE[6] ISAKMP SA 3DES / SHA / PreShared /
> MODP_1024 / 28800 sec (*28800 sec)
> 2005-06-24 18:35:47 IKE[6] Tx >> MM_I2 : site.one.public.ip KE, NONCE
> 2005-06-24 18:35:47 IKE[6] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
> 2005-06-24 18:35:47 IKE[6] Tx >> MM_I3 : site.one.public.ip ID, HASH
> 2005-06-24 18:35:47 IKE[73] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
> 2005-06-24 18:35:47 IKE[73] Tx >> MM_I3 : site.one.public.ip ID, HASH
> 2005-06-24 18:35:57 IKE[6] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
> 2005-06-24 18:35:57 IKE[6] Tx >> MM_I3 : site.one.public.ip ID, HASH
> 2005-06-24 18:35:57 IKE[73] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
> 2005-06-24 18:35:57 IKE[73] Tx >> MM_I3 : site.one.public.ip ID, HASH
> -----------------------------------------------------------------------------
> 
> 
> 
> From the mono syslog
> ------------------------------
> Jun 24 18:40:00 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend():
> phase1 negotiation failed due to time up.
> b2b928e4ded1a222:b5f2e11387eaf600
> Jun 24 18:39:57 racoon: INFO: isakmp.c:909:isakmp_ph1begin_r(): begin
> Identity Protection mode.
> Jun 24 18:39:57 racoon: INFO: isakmp.c:904:isakmp_ph1begin_r():
> respond new phase 1 negotiation:
> site.one.public.ip[500]<=>site.two.public.ip[500]
> Jun 24 18:39:48 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend():
> phase1 negotiation failed due to time up.
> 0d5b981a93a25777:b06c4c6bfe430953
> -------------------------------------------------------
> 
> 
> 
> I guess what I'm asking is: has anyone managed to get this going before?
> 
> 
> Thanks,
> 
> Aaron
> 
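Two checks that follow from this exchange, written as an added example for readers of the thread (this is not code from m0n0wall, racoon or the Linksys firmware). The first lints a list of phase 1 tunnel definitions for the situation Holger describes: two tunnels that terminate on the same remote gateway and present the same local identifier, which the responder cannot tell apart. The second parses Linksys-style IKE log lines (the sample below is constructed from the lines Aaron posted, with wrapped lines re-joined) and reports, per IKE[n] negotiation, the furthest main-mode message seen and how often MM_I3 was retransmitted. A negotiation whose last message is its own MM_I3 (ID, HASH) and that never receives MM_R3 stalled at the identity step, which is consistent with an identifier clash rather than a proposal mismatch. The tunnel dictionary keys (`remote_gateway`, `my_identifier`, and so on) are assumptions for this example, not m0n0wall's configuration format.

```python
"""Added example: lint IPsec phase 1 identifiers and locate where an IKE
main-mode negotiation stalled. Not part of the original mailing-list thread."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# ISAKMP main-mode (Identity Protection) message order, RFC 2409.
MAIN_MODE_ORDER = ["MM_I1", "MM_R1", "MM_I2", "MM_R2", "MM_I3", "MM_R3"]

# Constructed tunnel list mirroring the thread: site 2 reaches two subnets
# behind site 1 through two tunnels that end on the same public address and
# (the misconfiguration) carry the same "My identifier". Keys are assumptions.
TUNNELS = [
    {"name": "site1-net1", "remote_gateway": "site.one.public.ip",
     "remote_subnet": "172.25.1.0/24", "my_identifier": "site.two.public.ip"},
    {"name": "site1-net2", "remote_gateway": "site.one.public.ip",
     "remote_subnet": "172.25.2.0/24", "my_identifier": "site.two.public.ip"},
]


def lint_tunnels(tunnels: List[dict]) -> List[str]:
    """One warning per (remote gateway, local identifier) pair that more than
    one tunnel uses; the responder sees identical proposals from one source IP."""
    seen: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for t in tunnels:
        seen[(t["remote_gateway"], t["my_identifier"])].append(t["name"])
    return [
        f"tunnels {names} to {gw} share identifier {ident!r}; "
        f"give each tunnel a distinct 'My identifier'"
        for (gw, ident), names in seen.items() if len(names) > 1
    ]


# Matches "<date> <time> IKE[<n>] Tx >> MM_I1 : ..." style lines only; the
# "ISAKMP SA ..." summary lines do not match and are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) IKE\[(?P<neg>\d+)\] (?P<dir>Tx|Rx) [<>]+ (?P<msg>MM_[IR]\d) :"
)

# Constructed sample: the Linksys log from Aaron's message, wrapped lines re-joined.
LINKSYS_LOG = """\
2005-06-24 18:35:46 IKE[6] Tx >> MM_I1 : site.one.public.ip SA
2005-06-24 18:35:47 IKE[6] Rx << MM_R1 : site.one.public.ip SA, VID
2005-06-24 18:35:47 IKE[6] ISAKMP SA CKI=[4656fdae 859c58b6] CKR=[b3d9667 55b04e4b]
2005-06-24 18:35:47 IKE[6] ISAKMP SA 3DES / SHA / PreShared / MODP_1024 / 28800 sec (*28800 sec)
2005-06-24 18:35:47 IKE[6] Tx >> MM_I2 : site.one.public.ip KE, NONCE
2005-06-24 18:35:47 IKE[6] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
2005-06-24 18:35:47 IKE[6] Tx >> MM_I3 : site.one.public.ip ID, HASH
2005-06-24 18:35:47 IKE[73] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
2005-06-24 18:35:47 IKE[73] Tx >> MM_I3 : site.one.public.ip ID, HASH
2005-06-24 18:35:57 IKE[6] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
2005-06-24 18:35:57 IKE[6] Tx >> MM_I3 : site.one.public.ip ID, HASH
2005-06-24 18:35:57 IKE[73] Rx << MM_R2 : site.one.public.ip KE, NONCE, VID
2005-06-24 18:35:57 IKE[73] Tx >> MM_I3 : site.one.public.ip ID, HASH
"""


def ike_stall_points(log: str) -> Dict[str, dict]:
    """Per IKE[n] negotiation: furthest main-mode message seen, number of
    MM_I3 (ID, HASH) transmissions, and whether MM_R3 ever arrived."""
    result: Dict[str, dict] = defaultdict(
        lambda: {"furthest": None, "mm_i3_sent": 0, "got_mm_r3": False})
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        st, msg = result[m["neg"]], m["msg"]
        if st["furthest"] is None or (
                MAIN_MODE_ORDER.index(msg) > MAIN_MODE_ORDER.index(st["furthest"])):
            st["furthest"] = msg
        if m["dir"] == "Tx" and msg == "MM_I3":
            st["mm_i3_sent"] += 1
        if msg == "MM_R3":
            st["got_mm_r3"] = True
    return dict(result)


def diagnose(stalls: Dict[str, dict]) -> Dict[str, str]:
    """Turn the stall table into a one-line verdict per negotiation."""
    return {
        neg: ("stalled at the identity step: MM_I3 sent %d time(s), no MM_R3"
              % st["mm_i3_sent"])
        if st["furthest"] == "MM_I3" and not st["got_mm_r3"]
        else "completed phase 1 or stalled before the identity exchange"
        for neg, st in stalls.items()
    }


if __name__ == "__main__":
    for warning in lint_tunnels(TUNNELS):
        print("config:", warning)
    for neg, verdict in diagnose(ike_stall_points(LINKSYS_LOG)).items():
        print(f"IKE[{neg}]: {verdict}")
```

Running the block prints one configuration warning for the two tunnels and reports that both negotiations (IKE[6] and IKE[73]) sent their ID/HASH payload twice without ever receiving MM_R3, which matches racoon's "phase1 negotiation failed due to time up" on the m0n0wall side. After giving the second tunnel its own identifier, re-running the lint should return an empty list.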