 From:  Ian Cartwright <ian351c at cox dot net>
 To:  "Chad R. Larson" <clarson at eldocomp dot com>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] ipf and IPSEC
 Date:  Fri, 02 Jan 2004 11:39:44 -0700
On Thu, 2004-01-01 at 16:19, Ian Cartwright wrote:
> On Wed, 2003-12-31 at 18:38, Chad R. Larson wrote:
> > At 05:23 PM 12/31/2003, Ian Cartwright wrote:
> > >I set up a m0n0wall box today and I am having issues with IPSEC. I am able 
> > >to configure an IPSEC tunnel and configure rules that allow traffic 
> > >through the tunnel, however, I do not receive a response from any hosts on 
> > >the other side of the tunnel.
> > 
> > I have an IKE/IPsec tunnel up with a Sun E250 running Checkpoint Firewall-1 
> > on the remote end.  It took nothing fancy.
> > 
> >          -crl
> Chad,
> That's good news. Are you NATing all of your outbound traffic through
> your m0n0wall box per chance?
> Ian

I figured this one out finally. The issue is that in replicating my
existing IPSec config, I put in multiple encryption and hash algorithms
for Phase 2 (i.e. Rijndael 256 and 3DES). What I didn't realize is that
the ordering was different when I used the M0n0wall GUI versus my old
racoon.conf file. This meant that the proposal chosen by Phase 2 did not
match the encryption requirements of the rules on the far side of the
tunnel. The fix in this case was to choose just the encryption and hash
algorithms necessary to meet the requirements of the other gateway and
leave nothing else enabled.

Thanks for your earlier response Chad.
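The failure Ian describes, a Phase 2 proposal list where the winning transform depends on list order and so can drift away from what the far-side rules expect, can be modelled in a few lines. The following is an added example, not code from the thread, from m0n0wall or from racoon: the gateway policies and transform names are constructed sample values, and the "first acceptable proposal in the initiator's order" rule is a simplification of IKEv1 Quick Mode selection used only to make the ordering effect visible. The `audit_proposals` helper is the check a defender would run before enabling more than one algorithm on each side.

```python
"""Model of IKE Phase 2 proposal selection and the ordering mismatch
described in the thread. Added illustration; not m0n0wall or racoon code.
All transform lists and policies below are constructed sample values."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Transform:
    encryption: str   # e.g. "aes256", "3des"
    hash: str         # e.g. "hmac_sha1", "hmac_md5"


def select_phase2(initiator_proposals: List[Transform],
                  responder_accepts: List[Transform]) -> Optional[Transform]:
    """Return the first proposal, in the initiator's order, that the responder
    is willing to accept, or None when there is no overlap.  Simplification
    (assumption): the responder picks the first acceptable entry, so the
    initiator's list order, not the responder's, decides the outcome."""
    for proposal in initiator_proposals:
        if proposal in responder_accepts:
            return proposal
    return None


def tunnel_passes_traffic(selected: Optional[Transform],
                          far_side_rule_requires: Transform) -> bool:
    """The far side forwards traffic only when the negotiated SA uses the
    transform its firewall rules were written for."""
    return selected is not None and selected == far_side_rule_requires


def audit_proposals(proposals: List[Transform],
                    responder_accepts: List[Transform],
                    required: Transform) -> List[Transform]:
    """Flag every enabled proposal the peer would accept but that the far-side
    rules are not written for.  Any of these can win the negotiation depending
    on order, so a clean result (empty list) means only the required transform
    is enabled."""
    return [p for p in proposals if p in responder_accepts and p != required]


# Constructed sample policies (not taken from the original post).
AES256_SHA1 = Transform("aes256", "hmac_sha1")
TDES_SHA1 = Transform("3des", "hmac_sha1")

# The remote gateway negotiates either transform, but its traffic rules
# are written for 3DES/SHA1 only.
FAR_SIDE_ACCEPTS = [TDES_SHA1, AES256_SHA1]
REQUIRED = TDES_SHA1

# Old racoon.conf order: 3DES first, so the working transform wins.
OLD_RACOON_ORDER = [TDES_SHA1, AES256_SHA1]
# Same algorithms entered in the GUI, but emitted AES first.
GUI_ORDER = [AES256_SHA1, TDES_SHA1]
# The fix from the thread: enable only what the other gateway requires.
FIXED_ORDER = [TDES_SHA1]


def describe(label: str, proposals: List[Transform]) -> str:
    """Human-readable summary of one configuration's outcome."""
    chosen = select_phase2(proposals, FAR_SIDE_ACCEPTS)
    ok = tunnel_passes_traffic(chosen, REQUIRED)
    extra = audit_proposals(proposals, FAR_SIDE_ACCEPTS, REQUIRED)
    return (f"{label}: negotiated={chosen}, traffic_flows={ok}, "
            f"risky_extra_proposals={extra}")


if __name__ == "__main__":
    for name, order in (("old racoon.conf", OLD_RACOON_ORDER),
                        ("m0n0wall GUI", GUI_ORDER),
                        ("fixed", FIXED_ORDER)):
        print(describe(name, order))
```

Running the block shows the three states from the thread in order: the old configuration negotiates 3DES and passes traffic, the GUI ordering negotiates AES-256 so the SA comes up but nothing answers from the far side, and the trimmed list both works and produces an empty audit result.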