 From:  "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
 To:  "sai" <sonicsai at gmail dot com>, "Gib Winter" <winterg+dated+1125087947 dot bea00c at gib dot cc>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>, "Marvin Scharwies" <marvin dash s at web dot de>
 Subject:  AW: [m0n0wall] Re: m0n0wall 1.2b9 IPSec issue
 Date:  Sun, 17 Jul 2005 22:31:40 +0200
Here is a small tutorial I wrote for IPSEC between a static and a dynamic endpoint.
I originally made this one for pfsense but it is the same for m0n0.

http://pfsense.com/tutorials/mobile_ipsec

Hope this is helpful for someone,
Holger
From: Gib Winter [mailto:winterg plus dated plus 1125087947 dot bea00c at gib dot cc]
Sent: Sunday, 17 July 2005 22:26
To: sai
Cc: Marvin Scharwies; m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Re: m0n0wall 1.2b9 IPSec issue

Well, I actually followed the various docs at:

http://m0n0.ch/wall/docbook/faq.html#id2602763
http://m0n0.ch/wall/docbook-current/ipsec.html
http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=121&actionargs[]=38
http://m0n0.ch/wall/docbook-current/ipsec-tunnels.html

But, to summarize...

Client "B" has the static IP and therefore needs to have IPSec enabled 
on the Tunnels page.  Nothing else on the tunnel page, since you plan on 
using a mobile client for the remote access.

Under the Mobile Clients Tab,

-Enable "Allow Mobile Clients"

PHASE 1 Section
-Negotiation mode: Use aggressive mode - main doesn't work for mobile 
since it only works with IP address (must be the same on both ends)
-My identifier: I use FQDN, but domain should work fine as well - this 
is unique to each endpoint.  Some folks try to set them the same.  I 
suggest using a unique (even if made up) email-style address; 
mainoffice at madeup dot domain would be fine for the static IP m0n0wall. 
(Different on both ends)
-Encryption Algorithm: I use blowfish (must be the same on both ends)
-Hash Algorithm: I use SHA1 (must be the same on both ends)
-DH Key Group: I use "2" which is a decent blend between security and 
performance.  (must be the same on both ends)
-Lifetime: I use "28800" (must be the same on both ends)

PHASE 2 Section
Protocol: Use ESP as AH only authenticates the packets (protects against 
modifications, but does not encrypt them).  (must be the same on both ends)
Encryption Algorithms: I deselect all but the single algorithm I plan on 
using - Blowfish.  Since I'm using software rather than a hardware 
accelerator Blowfish is reported to be the fastest.  Use what works best 
and is compatible with your remote clients.  (must be the same on both 
ends)
Hash Algorithms: Again, I deselect all except the one I'm using - SHA1. 
Use what is compatible with your remote clients.  (must be the same on 
both ends).
PFS Key Group: I use "2", which is a decent blend between strong 
security and performance.  (must be the same on both ends)
Lifetime: I use "86400".  (must be the same on each end)

Under the Pre-shared keys tab,

You need a unique identifier and secret key for each remote mobile 
client.  In this case you would want to enter the remote identifier 
specified on the remote client.  I use FQDN and would recommend 
something like remoteclient at madeup dot domain.  Then enter the pre-shared 
key for that mobile client - something like "c@ntgu3ssm3".

That covers unit "B"

Unit "C" (the dynamic, mobile, remote client) will use the Tunnel Page 
to configure everything for the IPSec tunnel.  Make sure you enable 
IPSec on the tunnels page and the click "+" to add a new tunnel.

On that tunnel page configure the following:

Disable Tunnel:  Obviously, don't select "disable this tunnel".
Interface:  I use WAN. Select the interface that faces your other VPN box.
Type:
Local subnet: Specify the local addresses you want accessible over the 
tunnel.  I use my entire local subnet by selecting "network" and 
specifying (10.67.10.0/24).
Remote subnet:  Specify the remote addresses you want accessible over 
the tunnel.  I use the entire remote subnet by selecting "network" and 
specifying (10.0.10.0/24).
[The two settings above are used to set up the Security Policies (like 
routing policies) between the remote locations]
Remote gateway:  Enter the static IP address of the static m0n0wall (in 
this case I used the static WAN IP address of Unit "B" above).  A.B.C.D
Description:  Whatever you want for a description of the tunnel.

PHASE 1 Section
-Negotiation mode: Use aggressive mode - main doesn't work for mobile 
since it only works with IP address (must be the same on both ends)
-My identifier: I use FQDN, but domain should work fine as well - this 
is unique to each endpoint.  I suggest using a unique (even if made up) 
email-style address; remoteclient at madeup dot domain will work for the 
dynamic IP client end. (Different on both ends, but it MUST match what 
you entered on the other unit under Pre-shared keys for the remote's 
unique ID and associated key)
-Encryption Algorithm: I use blowfish (must be the same on both ends)
-Hash Algorithm: I use SHA1 (must be the same on both ends)
-DH Key Group: I use "2" which is a decent blend between security and 
performance.  (must be the same on both ends)
-Lifetime: I use "28800" (must be the same on both ends)
-Authentication Method:  I used Pre-shared key
-Pre-shared Key: use the same value from Unit "B" associated with your 
unique identifier.  In this case, the value set was "c@ntgu3ssm3".
-Certificate stuff - (I don't use SSL Certs, so skip)

PHASE 2 Section
Protocol: Use ESP as AH only authenticates the packets (protects against 
modifications, but does not encrypt them).  (must be the same on both ends)
Encryption Algorithms: I deselect all but the single algorithm I plan on 
using - Blowfish.  Since I'm using software rather than a hardware 
accelerator Blowfish is reported to be the fastest.  Use what works best 
and is compatible with your remote clients.  (must be the same on both 
ends)
Hash Algorithms: Again, I deselect all except the one I'm using - SHA1. 
Use what is compatible with your remote clients.  (must be the same on 
both ends).
PFS Key Group: I use "2", which is a decent blend between strong 
security and performance.  (must be the same on both ends)
Lifetime: I use "86400".  (must be the same on each end)

After hitting save, you should be able to start up your VPN tunnel. 
Remember, the static IP unit (unit B in this case) cannot initiate the 
tunnel as it does not know your dynamic IP.  Therefore, connectivity 
must be initiated from the dynamic IP unit (unit C in this case).  So 
firing up a ping of an active IP at the mainoffice should fire up the 
tunnel and ICMP replies.  It may take a try or two to get ICMP echo 
replies as the tunnel is negotiating in the first few pings.

Use the logging and IPSec diagnostics to see if the Security Policies 
exist on the dynamic client.  They should show up under the "SPD" tab. 
There will also be Security Associations under the "SAD" tab if the 
tunnel is up and running.  The debug logs from racoon can be found under 
the Logs -> System tab.  One thing I've noticed is that if you resave an 
existing configuration, it is common to get a racoon error about an 
existing security policy.  It is normal operation even though you get an 
error like this:

racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already 
exists. anyway replace it: 10.67.10.0/24[0] 10.0.10.0/24[0] proto=any 
dir=out

Ignore it.  It is just replacing the same security policy that already 
existed.  I troubleshot this for a while only to find out that it was 
normal operations.

I hope this helps.  I haven't used a remote software client, but this 
works with a static and dynamic m0n0wall.

Gib



sai wrote:
> Gib,
> 
> I've been trying to understand how to setup an IPSEC tunnel between a
> static ip and a dynamic ip address. Could you post settings of both
> 'B' and 'C' , ie your EDIT TUNNEL page please?
> 
> TIA
> 
> sai
>  
> 
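The post above lists which settings must match on the two m0n0walls, which must differ, and how the mobile side's identifier has to line up with the static side's pre-shared key entry. As an added example that is not part of the original thread, here is a small pre-flight check that encodes those rules over both endpoints' settings (the dict field names are assumptions; the values are the ones given in the post) and that separates the harmless "such policy already exists" racoon message from real errors:

```python
# Added example, not part of the original thread: a pre-flight check that the
# two m0n0wall endpoints described above agree where they must. The dicts
# mirror the GUI fields; their names are assumptions, the values come from
# the post.
import re

# Fields the post marks "must be the same on both ends".
SYMMETRIC = ("mode", "p1_enc", "p1_hash", "dh_group", "p1_lifetime",
             "protocol", "p2_enc", "p2_hash", "pfs_group", "p2_lifetime")

def check_pair(static, mobile):
    """Return a list of problems; an empty list means the sides agree."""
    problems = []
    for f in SYMMETRIC:
        if static[f] != mobile[f]:
            problems.append(f"{f}: static={static[f]!r} mobile={mobile[f]!r}")
    if static["my_id"] == mobile["my_id"]:
        problems.append("identifiers must differ on the two ends")
    if mobile["mode"] != "aggressive":
        problems.append("mobile end has no fixed IP, so main mode cannot work")
    # The static side keeps one (identifier, key) row per mobile client; the
    # mobile side's own identifier must be the row it was entered under.
    key = static["psk_table"].get(mobile["my_id"])
    if key is None:
        problems.append(f"no pre-shared key entry for {mobile['my_id']!r}")
    elif key != mobile["psk"]:
        problems.append("pre-shared key differs from the static side's entry")
    return problems

# On resave, racoon logs "such policy already exists. anyway replace it";
# the post says this is harmless, so it is classified apart from errors.
BENIGN = re.compile(r"pk_recvspddump\(\): such policy already exists")

def classify_racoon_line(line):
    if BENIGN.search(line):
        return "benign"
    return "error" if "ERROR:" in line else "info"

COMMON = dict(mode="aggressive", p1_enc="blowfish", p1_hash="sha1", dh_group=2,
              p1_lifetime=28800, protocol="esp", p2_enc="blowfish",
              p2_hash="sha1", pfs_group=2, p2_lifetime=86400)
STATIC = dict(COMMON, my_id="mainoffice@madeup.domain",
              psk_table={"remoteclient@madeup.domain": "c@ntgu3ssm3"})
MOBILE = dict(COMMON, my_id="remoteclient@madeup.domain", psk="c@ntgu3ssm3")

if __name__ == "__main__":
    print(check_pair(STATIC, MOBILE))                 # []
    print(check_pair(STATIC, dict(MOBILE, my_id="remote@madeup.domain")))
```

The second call shows what a typo in the mobile identifier looks like: the static side has no key row for it, which is exactly the mismatch the post warns about.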
