 From:  chris schlaepfer <cssowiso at gmx dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Site To Site Ipsec won't come up
 Date:  Sun, 07 Aug 2005 14:34:09 +0200
Hi,
For hours I have been trying to establish a site-to-site IPsec tunnel according to 
the documentation on the m0n0wall page.
Unfortunately, after setting up the tunnel, the IPsec diagnostics 
page shows no SAD ("No IPsec security associations"), and 
therefore I guess no tunnel exists, although there are two 
entries in the SPD.
Below I'll write down my settings and the steps I've done. It would be nice 
if somebody could give me an answer if you can see an obvious mistake 
which I can't see.

Network configuration:
Net1 (192.168.119.0) ------119.1 | m0n0wall1 | 117.106(DHCP) ------middlenet-------- 117.105(DHCP) | m0n0wall2 | 118.1---------Net2(192.168.118.0)
-> the middlenet (192.168.117.0/24) is connected to the internet through 
the GW 192.168.117.64

Monowall set-up:
Before I created the IPsec tunnel I reset the m0n0wall to the 
factory settings of FW 1.11 and only set the IP addresses according to the 
network configuration above: LAN static, WAN DHCP with the 
option "block private address" turned off.
I didn't change anything in the firewall rules or the NAT settings.

IPsec configuration: (m0n0wall1-m0n0wall2)
m0n0wall1:
Interface: WAN
Type: LAN subnet
Remote subnet: 192.168.118.0/24
remote gateway: 192.168.117.105
Negotiation mode: aggressive
My Identifier: Domain name: blabla.com (My IP address didn't work either)
Encryption algorithm:   3DES
Hash algorithm: MD5
Dh key group: 2
Lifetime: 28800
pre-shared secret: 1234 (the final would be stronger)
Protocol: ESP
Encryption algorithm: 3DES
Hash algorithm: MD5
PFS key group: 2
Lifetime: 86400

m0n0wall2:
Interface: WAN
Type: LAN subnet
Remote subnet: 192.168.119.0/24
remote gateway: 192.168.117.106
Negotiation mode: aggressive
My Identifier: Domain name: blubblub.com (My IP address didn't work either)
Encryption algorithm:   3DES
Hash algorithm: MD5
Dh key group: 2
Lifetime: 28800
pre-shared secret: 1234 (the final would be stronger)
Protocol: ESP
Encryption algorithm: 3DES
Hash algorithm: MD5
PFS key group: 2
Lifetime: 86400

Diagnostics: IPsec
SAD: No IPsec security associations
SPD:
   m0n0wall1:
     sc:192.168.118.0/24 dest: 192.168.119.0/24 incoming ESP endpoints. 192.168.117.105 - 192.168.117.106
     sc:192.168.119.0/24 dest: 192.168.118.0/24 outgoing ESP endpoints. 192.168.117.106 - 192.168.117.105
   m0n0wall2:
     sc:192.168.119.0/24 dest: 192.168.118.0/24 incoming ESP endpoints. 192.168.117.106 - 192.168.117.105
     sc:192.168.118.0/24 dest: 192.168.119.0/24 outgoing ESP endpoints. 192.168.117.105 - 192.168.117.106


thanks chris
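Added example (not part of the mail above and not m0n0wall code): a small Python check that a defender can run over the two peers' settings and the SPD lines from the diagnostics page before digging into logs. It verifies that each side's remote subnet and remote gateway equal the other side's LAN subnet and WAN address, that the phase 1 and phase 2 proposals and the pre-shared key agree, that every outgoing policy on one peer has the identical incoming policy on the other, and then maps the "SPD present, SAD empty" state to the layer that is failing. The address and proposal values are transcribed from the mail; the field names, the `sc:`/`dest:` line format the regex assumes, and the diagnosis strings are this example's own assumptions.

```python
import re
from typing import Dict, List


def peer(wan_ip: str, lan_subnet: str, remote_subnet: str, remote_gateway: str) -> dict:
    # Phase 1 / phase 2 values are identical on both sides as posted (constructed from the mail).
    return {"wan_ip": wan_ip, "lan_subnet": lan_subnet, "remote_subnet": remote_subnet,
            "remote_gateway": remote_gateway,
            "phase1": {"mode": "aggressive", "enc": "3DES", "hash": "MD5",
                       "dh_group": 2, "lifetime": 28800, "psk": "1234"},
            "phase2": {"proto": "ESP", "enc": "3DES", "hash": "MD5",
                       "pfs_group": 2, "lifetime": 86400}}


# WAN addresses come from the network diagram, LAN/remote values from the IPsec settings.
PEERS: Dict[str, dict] = {
    "m0n0wall1": peer("192.168.117.106", "192.168.119.0/24", "192.168.118.0/24", "192.168.117.105"),
    "m0n0wall2": peer("192.168.117.105", "192.168.118.0/24", "192.168.119.0/24", "192.168.117.106"),
}

# SPD text as shown on Diagnostics: IPsec, re-joined where the mail wrapped it.
SPD_TEXT = {
    "m0n0wall1": (
        "sc:192.168.118.0/24 dest: 192.168.119.0/24 incoming ESP endpoints. 192.168.117.105 - 192.168.117.106\n"
        "sc:192.168.119.0/24 dest: 192.168.118.0/24 outgoing ESP endpoints. 192.168.117.106 - 192.168.117.105\n"
    ),
    "m0n0wall2": (
        "sc:192.168.119.0/24 dest: 192.168.118.0/24 incoming ESP endpoints. 192.168.117.106 - 192.168.117.105\n"
        "sc:192.168.118.0/24 dest: 192.168.119.0/24 outgoing ESP endpoints. 192.168.117.105 - 192.168.117.106\n"
    ),
}
SAD_TEXT = "No IPsec security associations"

# Assumed line format: "sc:<src> dest: <dst> <incoming|outgoing> <proto> endpoints. <ep1> - <ep2>"
SPD_RE = re.compile(
    r"sc:(?P<src>\S+)\s+dest:\s*(?P<dst>\S+)\s+(?P<dir>incoming|outgoing)\s+(?P<proto>\w+)"
    r"\s+endpoints\.\s*(?P<ep1>\S+)\s*-\s*(?P<ep2>\S+)"
)


def parse_spd(text: str) -> List[dict]:
    """Turn SPD lines into dicts (src, dst, dir, proto, ep1, ep2); other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = SPD_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def check_peer_consistency(a_name: str, b_name: str, peers: Dict[str, dict]) -> List[str]:
    """Each side's 'remote' values must equal the other side's local values, and the
    phase 1 / phase 2 proposals and the pre-shared key must be identical."""
    a, b = peers[a_name], peers[b_name]
    findings = []
    for xn, x, yn, y in ((a_name, a, b_name, b), (b_name, b, a_name, a)):
        if x["remote_subnet"] != y["lan_subnet"]:
            findings.append(f"{xn} remote subnet {x['remote_subnet']} != {yn} LAN subnet {y['lan_subnet']}")
        if x["remote_gateway"] != y["wan_ip"]:
            findings.append(f"{xn} remote gateway {x['remote_gateway']} != {yn} WAN IP {y['wan_ip']}")
    for phase in ("phase1", "phase2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                if key == "psk":  # never echo secrets into a report
                    findings.append(f"{phase} psk differs between {a_name} and {b_name}")
                else:
                    findings.append(f"{phase} {key} differs: {a_name}={a[phase].get(key)!r}, "
                                    f"{b_name}={b[phase].get(key)!r}")
    return findings


def check_spd_mirror(a_name: str, a_spd: List[dict], b_name: str, b_spd: List[dict]) -> List[str]:
    """Every outgoing policy on one peer must exist as an incoming policy on the other
    with the same selectors and endpoints: both kernels describe the same flow."""
    def _key(p: dict):
        return (p["src"], p["dst"], p["proto"], p["ep1"], p["ep2"])
    findings = []
    for xn, x, yn, y in ((a_name, a_spd, b_name, b_spd), (b_name, b_spd, a_name, a_spd)):
        incoming = {_key(p) for p in y if p["dir"] == "incoming"}
        for p in x:
            if p["dir"] == "outgoing" and _key(p) not in incoming:
                findings.append(f"{xn} outgoing {p['src']}->{p['dst']} has no incoming counterpart on {yn}")
    return findings


def diagnose(sad_text: str, spd_count: int, findings: List[str]) -> str:
    """Map the diagnostics page state onto the layer that is failing."""
    if findings:
        return "configuration mismatch: " + "; ".join(findings)
    if spd_count == 0:
        return "no SPD entries: the tunnel definition was not applied"
    if "No IPsec security associations" in sad_text:
        return ("policies installed but no SA: the IKE negotiation never completed, "
                "so check the IKE (racoon) log on both peers rather than the policy settings")
    return "policies and SAs present: tunnel negotiated"


if __name__ == "__main__":
    spd1, spd2 = parse_spd(SPD_TEXT["m0n0wall1"]), parse_spd(SPD_TEXT["m0n0wall2"])
    findings = check_peer_consistency("m0n0wall1", "m0n0wall2", PEERS)
    findings += check_spd_mirror("m0n0wall1", spd1, "m0n0wall2", spd2)
    print(diagnose(SAD_TEXT, len(spd1) + len(spd2), findings))
```

Run against the values as posted, every static check passes and the result is the "policies installed but no SA" case: the kernel policies were applied on both sides, so what is missing is a completed IKE phase 1/2 exchange, which is what the IKE daemon's log on each peer records. The pre-shared key is deliberately never printed, even when it is the field that differs.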