 
 From:  "Joerg Horchler" <joerg dot horchler at coremedia dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  purged SAs without error :-(
 Date:  Thu, 1 Sep 2005 17:07:17 +0200
Hi all, 

I want to configure a more complex scenario to establish an IPsec tunnel between the LAN of my
company and the LAN of one of our customers. First a short description:

We want to use two machines in our LAN to access several services in the LAN of our customer. The
customer's policy forces us to use a network that we don't use (as explained later). So we have to
NAT the IPs of our two machines. We do this on a firewall. After the firewall the traffic passes our
m0n0wall, which has to protect the traffic with ESP. Here is a short graphic.

Internal LAN: 10.x.x.x/24
DMZ: 192.168.1.x/24
Enforced NAT Pool: 192.168.2.x/28
External LAN:x.x.x.x/x

+--------------+
|    box01     |
| 10.x.x.25/24 |
+--------------+
       |
       +----------------+
                        |
+--------------+        |
|    box02     |        |
| 10.x.x.26/24 |        |
+--------------+        |
       |                |
       +----------------+
                        |
                        |eth0:10.x.x.27/24
                  +----------------+
                  |    firewall    |
                  +----------------+
                          |eth1:192.168.1.250/24
                          |eth1:1:192.168.2.65/28
                          |
                          |
                          |
                          |vr0:192.168.1.251/24
                  +----------------+
                  |    m0n0wall    |
                  +----------------+
                          |vr1:x.x.x.x/x
                          |
                          |
                          |
                          |x.x.x.x/x
                  +----------------+
                  |    CiscoVPN    |
                  +----------------+
                          |x.x.x.x/x
                          |
                          |
          +---------------+
          |               |
          |               |
  +---------------+       |
  |    box01      |       |
  | 217.x.x.26/24 |       |
  +---------------+       |
                          |
  +---------------+       |
  |    box02      |-------+
  | 217.x.x.27/24 |
  +---------------+ 

I try to access 217.x.x.26 via SSH from 10.x.x.25. The source address is NATed on our firewall to
192.168.2.65. On the m0n0wall I configured a policy to protect all traffic from 192.168.2.x/28 to
217.x.x.26/24 with ESP via the Cisco VPN appliance (remote gateway). With this setup the connection
times out. Our syslog server logged the following:

Sep  1 14:15:21 m0n0wall racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for x.x.x.x queued due to no phase1 found.
Sep  1 14:15:21 m0n0wall racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Sep  1 14:15:21 m0n0wall racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep  1 14:15:21 m0n0wall racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Sep  1 14:15:21 m0n0wall racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
Sep  1 14:15:22 m0n0wall racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: x.x.x.x[0]<=>x.x.x.x[0]
Sep  1 14:15:22 m0n0wall racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=ea64dfd3aa29dc62:121857c2df384193.
Sep  1 14:15:52 m0n0wall racoon: ERROR: pfkey.c:804:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait.
Sep  1 14:15:52 m0n0wall racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193

As no error message is given, I'm a little confused about what is going on here.

Perhaps someone has an idea.

Cheers
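The log excerpt above shows a phase 1 SA established in aggressive mode, a phase 2 negotiation started, and the ISAKMP SA purged one second later with no ERROR line until the kernel gives up waiting for the IPsec-SA. What never appears is the "IPsec-SA established" record racoon writes once phase 2 completes, and that absence is the actual finding. The script below is an added example for this thread, not code from the post or from m0n0wall/racoon: it parses racoon syslog records, correlates them per ISAKMP SPI and reports every SA that never produced an IPsec-SA, together with the evidence around it (purge, pfkey timeout, aggressive mode with the PSK selected by peer address). Both sample logs are constructed: the first is the post's excerpt unwrapped to one record per line, the second is a made-up successful negotiation whose final line follows the wording of racoon's pfkey.c messages. The regular expressions, the rule that SPI-less records belong to the most recently established SA, and the function names are this example's own assumptions.

```python
"""Correlate racoon (ipsec-tools / m0n0wall) syslog records per ISAKMP SA and
report SAs whose phase 2 never produced an IPsec-SA.  Added example, not
project code."""
import re
from collections import OrderedDict

# Constructed sample 1: the records quoted in the post, one per line, with the
# peer addresses left as x.x.x.x exactly as posted.
FAILED_NEGOTIATION = """\
Sep  1 14:15:21 m0n0wall racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for x.x.x.x queued due to no phase1 found.
Sep  1 14:15:21 m0n0wall racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Sep  1 14:15:21 m0n0wall racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep  1 14:15:21 m0n0wall racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Sep  1 14:15:21 m0n0wall racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
Sep  1 14:15:22 m0n0wall racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: x.x.x.x[0]<=>x.x.x.x[0]
Sep  1 14:15:22 m0n0wall racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=ea64dfd3aa29dc62:121857c2df384193.
Sep  1 14:15:52 m0n0wall racoon: ERROR: pfkey.c:804:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait.
Sep  1 14:15:52 m0n0wall racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
"""

# Constructed sample 2 (made-up addresses and SPIs): a negotiation that reaches
# an IPsec-SA.  The last line mimics the wording racoon's pfkey.c uses.
HEALTHY_NEGOTIATION = """\
Sep  1 15:00:01 m0n0wall racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 192.0.2.1[500]<=>198.51.100.1[500]
Sep  1 15:00:01 m0n0wall racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode.
Sep  1 15:00:02 m0n0wall racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 192.0.2.1[500]-198.51.100.1[500] spi:0011223344556677:8899aabbccddeeff
Sep  1 15:00:02 m0n0wall racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 192.0.2.1[0]<=>198.51.100.1[0]
Sep  1 15:00:03 m0n0wall racoon: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 198.51.100.1->192.0.2.1 spi=12345678(0xbc614e)
"""

# Assumed record layout: "<ts> <host> racoon: <LEVEL>: <file>:<line>:<func>(): <msg>"
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) racoon: "
    r"(?P<level>[A-Z]+): (?P<file>[\w.]+):(?P<line>\d+):(?P<func>\w+)\(\): (?P<msg>.*)$"
)
SPI_RE = re.compile(r"spi[:=](?P<spi>[0-9a-f]{16}:[0-9a-f]{16})")  # ISAKMP cookie pair
MODE_RE = re.compile(r"begin (?P<mode>.+?) mode\.")


def parse_record(line):
    """Split one racoon syslog line into its fields; None for other lines."""
    m = RECORD_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def correlate(log_text):
    """Return OrderedDict spi -> state dict for every ISAKMP SA seen.

    Records without an SPI (phase 2 begin, pskey notify, pfkey timeout) are
    attributed to the most recently established SA (assumption: one peer)."""
    sas, current = OrderedDict(), None
    pending = {"mode": None, "psk_by_address": False}  # phase 1 facts logged before the SPI
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        spi_m = SPI_RE.search(msg)
        key = spi_m.group("spi") if spi_m and spi_m.group("spi") in sas else current
        if func == "isakmp_ph1begin_i":
            m = MODE_RE.search(msg)
            if m:
                pending["mode"] = m.group("mode")
        elif func == "oakley_skeyid" and "couldn't find the proper pskey" in msg:
            pending["psk_by_address"] = True
        elif func == "log_ph1established" and spi_m:
            current = spi_m.group("spi")
            sas[current] = {"mode": pending["mode"], "psk_by_address": pending["psk_by_address"],
                            "ph2_initiated": False, "ipsec_sa": False, "purged": False,
                            "timed_out": False, "deleted": False}
            pending = {"mode": None, "psk_by_address": False}
        elif key is not None:
            sa = sas[key]
            if func == "isakmp_ph2begin_i":
                sa["ph2_initiated"] = True
            elif func in ("pk_recvupdate", "pk_recvadd") and "IPsec-SA established" in msg:
                sa["ipsec_sa"] = True  # phase 2 completed: this is the line the post lacks
            elif func == "purge_isakmp_spi":
                sa["purged"] = True
            elif func == "pfkey_timeover":
                sa["timed_out"] = True
            elif func == "isakmp_ph1delete":
                sa["deleted"] = True
    return sas


def diagnose(log_text):
    """List (spi, [evidence...]) for each ISAKMP SA that never yielded an IPsec-SA."""
    findings = []
    for spi, sa in correlate(log_text).items():
        if sa["ipsec_sa"]:
            continue
        why = []
        if sa["ph2_initiated"] and sa["purged"]:
            why.append("ISAKMP-SA purged after phase 2 began, before any IPsec-SA was installed")
        if sa["timed_out"]:
            why.append("pfkey_timeover: kernel gave up waiting for the IPsec-SA")
        if sa["mode"] == "Aggressive" and sa["psk_by_address"]:
            why.append("aggressive mode with PSK looked up by peer address (check ID/PSK on both sides)")
        findings.append((spi, why))
    return findings


if __name__ == "__main__":
    for spi, why in diagnose(FAILED_NEGOTIATION):
        print(spi)
        for w in why:
            print("  -", w)
```

Run against the post's excerpt it reports the single SA ea64dfd3aa29dc62:121857c2df384193 with all three pieces of evidence; against the healthy sample it reports nothing. Splitting the state per SPI matters on a gateway with several peers, where the SPI-less records of two negotiations can interleave; the one-peer attribution rule used here is the simplification to revisit in that case.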