 From:  Space Fan <spacefan2 at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Monowall to Netscreen VPN problem.
 Date:  Thu, 14 Jul 2005 21:27:34 -0500
Hi monowall fans!

I have an odd problem that I hope someone can help with. I have been a
Systems Admin for over 13 years now and have never had so many
problems getting a VPN connection working. What I am thinking is that
I may have missed something on the Netscreen side, or maybe even the
monowall side, that is causing the problem.

I have tried all possible combinations I can think of for Phase 1 and
Phase 2. The strange thing is that I don't seem to be getting any
sign of any VPN communications showing up in the log files on the
Netscreen side either. My Netscreen at work is a 5G. I am running my
monowall (v1.2b9 and v1.11) on a middle-of-the-road Celeron with
plenty of RAM and two 3Com NICs.

No matter what I try I see the following errors in the monowall logs:

Jul 14 21:12:43 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 10.10.10.0/24[0] 10.0.0.0/24[0] proto=any dir=out
Jul 14 21:12:43 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 10.10.10.1/32[0] 10.10.10.0/24[0] proto=any dir=out
Jul 14 21:12:43 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.10.10.0/24[0] proto=any dir=in
Jul 14 21:12:43 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 10.10.10.0/24[0] 10.10.10.1/32[0] proto=any dir=in

After I see the above nothing else ever shows up concerning IPsec.

If I disable IPsec and re-enable it, I get the following information:

Jul 14 21:14:31 racoon: INFO: isakmp.c:1368:isakmp_open(): 10.10.10.1[500] used as isakmp port (fd=9)
Jul 14 21:14:31 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=8)
Jul 14 21:14:31 racoon: INFO: isakmp.c:1368:isakmp_open(): aa.bb.cc.dd[500] used as isakmp port (fd=7)
Jul 14 21:14:31 racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
Jul 14 21:14:31 racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane at kame dot net
Jul 14 21:14:31 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20040818a

Again, I never see anything after the above information.

I have set up rules on both ends to allow all traffic to and from each
end of the VPN.

Under Diag - IPsec I see the typical SPDs but I never see any SADs show up.

I have a stable VPN connection running from the Netscreen at work to
the Netscreen 25 at our colo, so I know the Netscreen 5G is fine.

Does anyone have any hints on what to look for to determine what part
of the VPN is failing when I don't get much to go by in the logs?

Thanks in advance for any help.  

Spacefan
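The post's question is how to tell from racoon's log which step of the IKE exchange never happened. The script below is an added example written for this page, not code from the poster or from the m0n0wall project: it stages racoon log lines by the milestones racoon logs (socket bound, phase 1 started, ISAKMP-SA up, phase 2 started, IPsec-SA up), separates the `pk_recvspddump` "policy already exists" notices from real negotiation errors, and reports the furthest milestone reached with a suggestion of where to look next. The milestone and failure substrings are racoon's message strings as I know them (an assumption; check them against your racoon version), and both sample logs are constructed: the first is the poster's output unwrapped onto single lines, the second is a hypothetical run that stalls in phase 2.

```python
"""Stage racoon (the IKE daemon in m0n0wall 1.x) log lines to find how far
a negotiation got.  Example for this page, not m0n0wall/racoon code."""
import re
from typing import Dict, Iterable, List, Tuple

# Ordered milestones: stage name -> substring racoon logs when it happens.
# Assumed from racoon's log messages; verify against your version.
STAGES: List[Tuple[str, str]] = [
    ("daemon listening", "used as isakmp port"),
    ("phase 1 initiated", "initiate new phase 1 negotiation"),
    ("ISAKMP-SA established", "ISAKMP-SA established"),
    ("phase 2 initiated", "initiate new phase 2 negotiation"),
    ("IPsec-SA established", "IPsec-SA established"),
]

# Substrings of racoon messages that mean a negotiation step was rejected
# or timed out (assumed message strings).
FAILURE_MARKERS = [
    "no suitable proposal found",
    "no suitable policy found",
    "failed to get sainfo",
    "couldn't find the pskey",
    "negotiation failed due to time up",
]

# The notice from the post: logged at ERROR level, but racoon says it simply
# replaces the SPD entry, and it is not part of the IKE exchange.
SPD_REPLACE = "such policy already exists. anyway replace it"

# Where to look next, keyed by the furthest stage seen.
HINTS: Dict[str, str] = {
    "nothing logged": "no racoon lines at all: check that IPsec is enabled "
        "and that racoon's syslog output reaches the log you are reading.",
    "daemon listening": "racoon bound UDP/500 but never started IKE: send "
        "traffic that matches the tunnel's SPD and capture UDP/500 on the "
        "WAN to see whether any ISAKMP packet leaves or arrives.",
    "phase 1 initiated": "IKE packets go out but no ISAKMP-SA: compare the "
        "phase 1 proposal, identifiers and pre-shared key with the peer, and "
        "confirm the peer answers at all.",
    "ISAKMP-SA established": "phase 1 works but phase 2 never started.",
    "phase 2 initiated": "phase 2 rejected: compare the phase 2 proposal and "
        "the local/remote networks (proxy IDs) on both sides.",
    "IPsec-SA established": "tunnel is up; look at routing and firewall "
        "rules instead of IKE.",
}

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+racoon:\s+(?P<level>\w+):\s+(?P<rest>.*)$")


def parse(lines: Iterable[str]):
    """Yield (timestamp, level, message) for racoon lines; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("level"), m.group("rest")


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Return the furthest milestone, real failures, SPD notices and a hint.
    Note: it looks at the whole log as one run; split it per restart if
    several attempts are mixed together."""
    reached = None
    failures: List[str] = []
    spd_notices = 0
    for ts, level, msg in parse(lines):
        if SPD_REPLACE in msg:
            spd_notices += 1
            continue
        for idx, (_, marker) in enumerate(STAGES):
            if marker in msg and (reached is None or idx > reached):
                reached = idx
        if level == "ERROR" or any(f in msg for f in FAILURE_MARKERS):
            failures.append(f"{ts} {msg}")
    stage = STAGES[reached][0] if reached is not None else "nothing logged"
    return {"stage": stage, "failures": failures,
            "spd_notices": spd_notices, "hint": HINTS[stage]}


# Constructed sample 1: the poster's lines, unwrapped onto single lines.
SAMPLE_FROM_POST = [
    "Jul 14 21:12:43 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 10.10.10.0/24[0] 10.0.0.0/24[0] proto=any dir=out",
    "Jul 14 21:12:43 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 10.0.0.0/24[0] 10.10.10.0/24[0] proto=any dir=in",
    "Jul 14 21:14:31 racoon: INFO: isakmp.c:1368:isakmp_open(): 10.10.10.1[500] used as isakmp port (fd=9)",
    "Jul 14 21:14:31 racoon: INFO: isakmp.c:1368:isakmp_open(): aa.bb.cc.dd[500] used as isakmp port (fd=7)",
    "Jul 14 21:14:31 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20040818a",
]

# Constructed sample 2: a hypothetical run that gets through phase 1 and
# is refused in phase 2 (file:line prefixes are placeholders).
SAMPLE_STALLED_PHASE2 = [
    "Jul 14 22:00:01 racoon: INFO: isakmp.c:1368:isakmp_open(): aa.bb.cc.dd[500] used as isakmp port (fd=7)",
    "Jul 14 22:00:05 racoon: INFO: isakmp.c:0:isakmp_post_acquire(): IPsec-SA request for ee.ff.gg.hh queued due to no phase1 found.",
    "Jul 14 22:00:05 racoon: INFO: isakmp.c:0:isakmp_ph1begin_i(): initiate new phase 1 negotiation: aa.bb.cc.dd[500]<=>ee.ff.gg.hh[500]",
    "Jul 14 22:00:06 racoon: INFO: isakmp.c:0:log_ph1established(): ISAKMP-SA established aa.bb.cc.dd[500]-ee.ff.gg.hh[500] spi:0011223344556677:8899aabbccddeeff",
    "Jul 14 22:00:07 racoon: INFO: isakmp.c:0:isakmp_ph2begin_i(): initiate new phase 2 negotiation: aa.bb.cc.dd[0]<=>ee.ff.gg.hh[0]",
    "Jul 14 22:00:07 racoon: ERROR: ipsec_doi.c:0:get_ph2approval(): no suitable policy found.",
]

if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_FROM_POST), ("stalled", SAMPLE_STALLED_PHASE2)):
        print(name, triage(sample))
```

Run against the poster's log it reports "daemon listening" with two SPD notices and no failures: racoon only ever logged binding its sockets, so the next thing to check is whether any ISAKMP packet is actually sent when traffic matching the SPD is generated, rather than the Phase 1/Phase 2 parameters.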