 From:  • • <googl3meister at gmail dot com>
 To:  ejask at aim dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] CORRECTED: Can't Connect A Simple IPSec VPN
 Date:  Thu, 28 Jul 2005 19:13:14 +1000
On 7/28/05, Seth Martin <SethM at turbinegenerator dot com> wrote:
> 10.172.1.235 is a private IP address...
> 
> -----Original Message-----
> From: ejask at aim dot com [mailto:ejask at aim dot com]
> Sent: Wednesday, July 27, 2005 2:28 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] CORRECTED: Can't Connect A Simple IPSec VPN
> 
> My last post had some errors in the ip addresses. Here is the corrected
> 
> 
> I am having trouble connecting two monowall firewalls through an IPSec
> vpn tunnel. I want to create a network between 4 computers located at
> two different sites. There are only 2 computers located at each site
> and all have static ip addresses. The monowall wan addresses use a dhcp
> server to obtain an ip, but it obtains the same ip address every time.
> 
> Here are my lan setups
> 
> Computer 1: 192.168.100.101     Computer 2: 192.168.100.102
>             \                                                   /
>              -------\                            /-------
>                         ------\         /------
>                         Monowall A Lan: 192.168.100.100
>                         Monowall A Wan: 10.172.1.235
>                                        |
>                                   Internet
>                                        |
>                         Monowall B Wan: 12.147.205.62
>                          Monowall B Lan: 192.168.200.100
>                         ------/         \------
>              -------/                            \-------
>             /                                                   \
> Computer 1: 192.168.200.101     Computer 2: 192.168.200.102
> 
> Here are the configurations I used in the VPN: IPsec: Edit Tunnel Screen
> 
> Monowall A: Interface: WAN
>                  Local Subnet: LAN Subnet
>                  Remote Subnet: 192.168.200.0/24
>                  Remote Gateway: 12.147.205.62
>    Phase 1
>                  Negotiation Mode: Aggressive
>                  My Identifier: My IP Address
>                  Encryption Algorithm: 3DES
>                  Hash Algorithm: SHA1
>                  DH Key Group: 2
>                  Authentication Method: Pre-shared key
>                  Pre-Shared Key:  "Same Key on Both"
>    Phase 2
>                  Protocol: ESP
>                  Encryption Algorithms: 3DES
>                  Hash Algorithms: SHA1
>                  PFS Key Group: off
> 
> 
> Monowall B Interface: WAN
>                  Local Subnet: LAN Subnet
>                  Remote Subnet: 192.168.100.0/24
>                  Remote Gateway: 10.172.1.235
>    Phase 1
>                  Negotiation Mode: Aggressive
>                  My Identifier: My IP Address
>                  Encryption Algorithm: 3DES
>                  Hash Algorithm: SHA1
>                  DH Key Group: 2
>                  Authentication Method: Pre-shared key
>                  Pre-Shared Key:  "Same Key on Both"
>    Phase 2
>                  Protocol: ESP
>                  Encryption Algorithms: 3DES
>                  Hash Algorithms: SHA1
>                  PFS Key Group: off
> 
> For some reason, I can not get the two to connect to each other and
> Computer 1 in LAN A can not ping either computer in LAN B and vice
> versa.
> 


As Seth advised, the 10.x address will not be routed (correctly at
least) across the public internet.

And if m0n0 "always" gets the same DHCP WAN address, then it's worth
contacting your ISP to confirm it will never change.  It is quite
likely that the DHCP lease has not expired (even by half) and so:
a) the DHCP protocol will try to reuse the address when it reconnects
(assuming no reboot of m0n0)

or,

b) the server will reassign your previous address (m0n0 reboot and
reconnect in less than half DHCP lease time).  This is because the
lease is still valid as far as the DHCP server is concerned.

If you verify your lease time and force disconnect for longer than at
least half the expiry time, do you still get the same address?  I
would imagine that after the ISP DHCP server does not hear from m0n0
in time, it will mark the address as available and be ready to assign
it to someone else per its assignment algorithm, either LRU or 1st
free in the pool.

--g'luck
gm
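The diagnosis in this thread (a 10.x "Remote Gateway" that the far side cannot reach across the public Internet) is the kind of thing a small sanity check catches before anyone stares at racoon logs. The script below is an added example written for this page, not code from m0n0wall or from either poster; it transcribes the two "Edit Tunnel" screens quoted above into a dict of my own layout (the field names `wan_address`, `local_subnet`, `remote_subnet`, `remote_gateway` are my own) and checks each side on its own and both sides against each other. It goes slightly beyond the thread by also flagging a private WAN address on the local side and overlapping local/remote subnets, since those produce the same "nothing connects" symptom.

```python
import ipaddress

# Constructed transcription of the two tunnel definitions quoted in the
# thread. The dict layout and field names are mine, not m0n0wall's.
TUNNELS = {
    "Monowall A": {
        "wan_address": "10.172.1.235",
        "local_subnet": "192.168.100.0/24",   # "LAN Subnet" on side A
        "remote_subnet": "192.168.200.0/24",
        "remote_gateway": "12.147.205.62",
    },
    "Monowall B": {
        "wan_address": "12.147.205.62",
        "local_subnet": "192.168.200.0/24",   # "LAN Subnet" on side B
        "remote_subnet": "192.168.100.0/24",
        "remote_gateway": "10.172.1.235",
    },
}


def check_endpoint(name, t):
    """Checks that apply to one side on its own. Returns a list of findings."""
    findings = []
    gw = ipaddress.ip_address(t["remote_gateway"])
    wan = ipaddress.ip_address(t["wan_address"])
    local = ipaddress.ip_network(t["local_subnet"])
    remote = ipaddress.ip_network(t["remote_subnet"])

    # The core problem in the thread: an address from an RFC 1918 block
    # (10/8, 172.16/12, 192.168/16) is not routed across the public
    # Internet, so the far side can never reach it as an IPsec peer.
    # is_global also rejects other reserved ranges (loopback, link-local,
    # 100.64/10 shared space, documentation nets).
    if not gw.is_global:
        findings.append(
            f"{name}: remote gateway {gw} is not a globally routable address")
    # Our own WAN being private means we sit behind someone else's NAT
    # and the peer's Remote Gateway entry pointing at us cannot be right.
    if not wan.is_global:
        findings.append(
            f"{name}: WAN address {wan} is private; peers cannot address "
            "this endpoint directly")
    # Overlapping selectors make the policy ambiguous: the same packet
    # matches both "send through the tunnel" and "deliver locally".
    if local.overlaps(remote):
        findings.append(
            f"{name}: local subnet {local} overlaps remote subnet {remote}")
    return findings


def check_pair(tunnels, a="Monowall A", b="Monowall B"):
    """Cross-checks two endpoints that are supposed to form one tunnel."""
    ta, tb = tunnels[a], tunnels[b]
    findings = check_endpoint(a, ta) + check_endpoint(b, tb)

    # Each side's Remote Gateway must be the other side's WAN address...
    for x, tx, y, ty in ((a, ta, b, tb), (b, tb, a, ta)):
        if ipaddress.ip_address(tx["remote_gateway"]) != \
                ipaddress.ip_address(ty["wan_address"]):
            findings.append(
                f"{x}: remote gateway {tx['remote_gateway']} is not "
                f"{y}'s WAN address {ty['wan_address']}")
        # ...and each side's Remote Subnet must equal the other's Local
        # Subnet, or the phase 2 selectors never match and no SA is built.
        if ipaddress.ip_network(tx["remote_subnet"]) != \
                ipaddress.ip_network(ty["local_subnet"]):
            findings.append(
                f"{x}: remote subnet {tx['remote_subnet']} is not "
                f"{y}'s local subnet {ty['local_subnet']}")
    return findings


if __name__ == "__main__":
    for line in check_pair(TUNNELS) or ["no findings"]:
        print(line)
```

Run against the configuration as posted, the only two findings are the ones the thread arrives at: side A's WAN is a private address, and side B's Remote Gateway therefore points at something unreachable. Everything else (mirrored subnets, matching gateway/WAN pairs) is consistent, which is why the rest of the screens look right and yet nothing connects.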