Thanks Gib, Holger.

sai

On 7/18/05, Holger Bauer <Holger dot Bauer at citec dash ag dot de> wrote:
> Here is a small tutorial I wrote for IPSEC between static and dynamic
> endpoint.
> I originally made this one for pfsense but it is the same for m0n0.
>
> http://pfsense.com/tutorials/mobile_ipsec
>
> Hope this is helpful for someone,
> Holger
>
>
> -----Original Message-----
> From: Gib Winter [mailto:winterg plus dated plus 1125087947 dot bea00c at gib dot cc]
> Sent: Sunday, 17 July 2005 22:26
> To: sai
> Cc: Marvin Scharwies; m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] Re: m0n0wall 1.2b9 IPSec issue
>
>
> Well, I actually followed the various docs at:
>
> http://m0n0.ch/wall/docbook/faq.html#id2602763
> http://m0n0.ch/wall/docbook-current/ipsec.html
> http://m0n0.ch/wall/list/?action=show_msg&actionargs[]=121&actionargs[]=38
> http://m0n0.ch/wall/docbook-current/ipsec-tunnels.html
>
> But, to summarize...
>
> Client "B" has the static IP and therefore needs to have IPSec enabled
> on the Tunnels page. Nothing else on the tunnel page, since you plan on
> using a mobile client for the remote access.
>
> Under the Mobile Clients Tab,
>
> -Enable "Allow Mobile Clients"
>
> PHASE 1 Section
> -Negotiation mode: Use aggressive mode - main doesn't work for mobile
> since it only works with IP address (must be the same on both ends)
> -My identifier: I use FQDN, but domain should work fine as well - this
> is unique to each endpoint. Some folks try to set them the same. I
> suggest using a unique (even if made up - email style) address;
> mainoffice@madeup.domain would be fine for the static IP m0n0wall.
> (Different on both ends)
> -Encryption Algorithm: I use blowfish (must be the same on both ends)
> -Hash Algorithm: I use SHA1 (must be the same on both ends)
> -DH Key Group: I use "2" which is a decent blend between security and
> performance. (must be the same on both ends)
> -Lifetime: I use "28800" (must be the same on both ends)
>
> PHASE 2 Section
> Protocol: Use ESP as AH only authenticates the packets (protects against
> modifications, but does not encrypt them). (must be the same on both ends)
> Encryption Algorithms: I deselect all but the single algorithm I plan on
> using - Blowfish. Since I'm using software rather than a hardware
> accelerator Blowfish is reported to be the fastest. Use what works best
> and is compatible with your remote clients. (must be the same on both
> ends)
> Hash Algorithms: Again, I deselect all except the one I'm using - SHA1.
> Use what is compatible with your remote clients. (must be the same on
> both ends).
> PFS Key Group: I use "2", which is a decent blend between strong
> security and performance. (must be the same on both ends)
> Lifetime: I use "86400". (must be the same on each end)
>
> Under the Pre-shared keys tab,
>
> You need a unique identifier and secret key for each remote mobile
> client. In this case you would want to enter the remote identifier
> specified on the remote client. I use FQDN and would recommend
> something like remoteclient@madeup.domain. Then enter the pre-shared
> key for that mobile client - something like "c@ntgu3ssm3".
>
> That covers unit "B"
>
> Unit "C" (the dynamic, mobile, remote client) will use the Tunnel Page
> to configure everything for the IPSec tunnel. Make sure you enable
> IPSec on the tunnels page and then click "+" to add a new tunnel.
>
> On that tunnel page configure the following:
>
> Disable Tunnel: Obviously, don't select disable this tunnel.
> Interface: I use WAN. Select the interface that faces your other VPN box.
>
> Type:
> Local subnet: Specify the local addresses you want accessible over the
> tunnel. I use my entire local subnet by selecting "network" and
> specifying (10.67.10.0/24).
> Remote subnet: Specify the remote addresses you want accessible over
> the tunnel. I use the entire remote subnet by selecting "network" and
> specifying (10.0.10.0/24).
> [The two settings above are used to set up the Security Policies (like
> routing policies) between the remote locations]
> Remote gateway: Enter the static IP address of the static monowall (In
> this case I used the static WAN IP address of Unit "B" above. A.B.C.D
> Description: Whatever you want for a description of the tunnel.
>
> PHASE 1 Section
> -Negotiation mode: Use aggressive mode - main doesn't work for mobile
> since it only works with IP address (must be the same on both ends)
> -My identifier: I use FQDN, but domain should work fine as well - this
> is unique to each endpoint. I suggest using a unique (even if made up -
> email style) address; remoteclient@madeup.domain will work for the
> dynamic IP client end. (Different on both ends, but it MUST match what
> you entered on the other unit under Pre-shared keys for the remote's
> unique ID and associated key)
> -Encryption Algorithm: I use blowfish (must be the same on both ends)
> -Hash Algorithm: I use SHA1 (must be the same on both ends)
> -DH Key Group: I use "2" which is a decent blend between security and
> performance. (must be the same on both ends)
> -Lifetime: I use "28800" (must be the same on both ends)
> -Authentication Method: I used Pre-shared key
> -Pre-shared Key: use the same value from Unit "B" associated with your
> unique identifier. In this case, the value set was "c@ntgu3ssm3".
> -Certificate stuff - (I don't use SSL Certs, so skip)
>
> PHASE 2 Section
> Protocol: Use ESP as AH only authenticates the packets (protects against
> modifications, but does not encrypt them). (must be the same on both ends)
> Encryption Algorithms: I deselect all but the single algorithm I plan on
> using - Blowfish. Since I'm using software rather than a hardware
> accelerator Blowfish is reported to be the fastest. Use what works best
> and is compatible with your remote clients. (must be the same on both
> ends)
> Hash Algorithms: Again, I deselect all except the one I'm using - SHA1.
> Use what is compatible with your remote clients. (must be the same on
> both ends).
> PFS Key Group: I use "2", which is a decent blend between strong
> security and performance. (must be the same on both ends)
> Lifetime: I use "86400". (must be the same on each end)
>
> After hitting save, you should be able to start up your VPN tunnel.
> Remember, the static IP unit (unit B in this case) cannot initiate the
> tunnel as it does not know your dynamic IP. Therefore, connectivity
> must be initiated from the dynamic IP unit (unit C in this case). So
> firing up a ping of an active IP at the mainoffice should fire up the
> tunnel and ICMP replies. It may take a try or two to get ICMP echo
> replies as the tunnel is negotiating in the first few pings.
>
> Use the logging and IPSec diagnostics to see if the Security Policies
> exist on the dynamic client. They should show up under the "SPD" tab.
> There will also be Security Associations under the "SAD" tab if the
> tunnel is up and running. The debug logs from racoon can be found under
> the Logs -> System tab. One thing I've noticed is that if you resave an
> existing configuration, it is common to get a racoon error about
> existing security policy. It is normal operation even though you get an
> error like this:
>
> racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already
> exists. anyway replace it: 10.67.10.0/24[0] 10.0.10.0/24[0] proto=any
> dir=out
>
> Ignore it. It is just replacing the same security policy that already
> existed. I troubleshot this for a while only to find out that it was
> normal operations.
>
> I hope this helps. I haven't used a remote software client, but this
> works with a static and dynamic m0n0wall.
>
> Gib
>
>
> sai wrote:
> > Gib,
> >
> > I've been trying to understand how to set up an IPSEC tunnel between a
> > static ip and a dynamic ip address. Could you post settings of both
> > 'B' and 'C', i.e. your EDIT TUNNEL page please?
> >
> > TIA
> >
> > sai
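The two ends Gib walks through, written out as racoon.conf (the IKE daemon behind m0n0wall's IPsec page) as an added illustration; this is not text from the thread and not the file m0n0wall itself generates. The addresses, subnets, identifiers and key are Gib's placeholders; the file paths and the `user_fqdn` identifier type for the email-style IDs are my assumptions.

```conf
# --- Unit "B" (static WAN IP A.B.C.D): racoon.conf on the static box ---
# "anonymous" matches any peer address: B can answer C but has no address
# to dial, which is why the tunnel has to be brought up from C.
path pre_shared_key "/var/etc/psk.txt";   # assumed path; one "identifier<TAB>key" per line,
                                           # e.g. remoteclient@madeup.domain<TAB>c@ntgu3ssm3
remote anonymous {
    exchange_mode aggressive;              # main mode needs a fixed IP on both ends
    passive on;                            # responder only
    generate_policy on;                    # derive SPD entries from what C proposes
    my_identifier user_fqdn "mainoffice@madeup.domain";
    proposal {
        encryption_algorithm blowfish;     # "must be the same on both ends"
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28800 sec;           # phase 1 lifetime
    }
}
sainfo anonymous {                         # phase 2 settings offered to any mobile client
    pfs_group 2;
    lifetime time 86400 sec;
    encryption_algorithm blowfish;         # ESP; AH alone would only authenticate
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# --- Unit "C" (dynamic IP): racoon.conf on the mobile box ---
path pre_shared_key "/var/etc/psk.txt";   # same key, entry keyed by B's address or identifier
remote A.B.C.D {
    exchange_mode aggressive;
    my_identifier user_fqdn "remoteclient@madeup.domain";   # must equal the ID in B's PSK table
    peers_identifier user_fqdn "mainoffice@madeup.domain";
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 28800 sec;
    }
}
# The Tunnel page's local/remote subnets become the phase 2 selector;
# B's generate_policy installs the mirror-image SPD entries on its side.
sainfo address 10.67.10.0/24 any address 10.0.10.0/24 any {
    pfs_group 2;
    lifetime time 86400 sec;
    encryption_algorithm blowfish;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

Each of the "must be the same on both ends" items in the post is one of the paired lines above; a mismatch in any of them shows up in the racoon log on the Logs -> System tab rather than as a rejected pre-shared key.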