 From:  Mark Wass <mark dot wass at market dash analyst dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSEC Monowall to Monowall
 Date:  Thu, 17 Nov 2005 10:32:36 +1000
Hi All

I'm having trouble setting up a monowall to monowall IPSEC VPN. I have 
searched the Mail List and read the instructions on how to do it, and 
I'm still getting stuck with no SAD entries.


Here is my network layout. This is just setup in my lab for testing 
purposes.

OPT1            OPT2                LAN
Real IP's       192.168.21.0/24     192.168.20.0/24
|               |                   |
|               |                   |
|               |                   |
-------------m0n0wall----------------
        Site 2 |WAN Static IP = 192.168.50.2
               |
               |
               |(Crossover cable)
               |
               |
        Site 1 |WAN Static IP = 192.168.50.1
-------------m0n0wall----------------
|               |                   |
|               |                   |
|               |                   |
OPT1            OPT2                 LAN
Real IP's       192.168.3.0/24       192.168.1.0/24


I want to set up an IPSEC VPN between the two OPT2 networks at either site. So 
far I can successfully ping the WAN interface between each site.

Here are my settings.

Firewall Rules Site 1:
======================
WAN Interface.
I have opened up the WAN allowing all protocols from any to any.

OPT2 Interface
I have opened up the OPT2 allowing all protocols from any to any.

Firewall Rules Site 2:
======================
WAN Interface.
I have opened up the WAN allowing all protocols from any to any.

OPT2 Interface
I have opened up the OPT2 allowing all protocols from any to any.

-------------------------------------------------------------------

IPSEC Settings Site 1:
======================
Mode: Tunnel
Disabled: Unchecked
Interface: WAN
Local subnet: Network 192.168.21.0/24
Remote Subnet: 192.168.3.0/24
Remote Gateway: 192.168.50.2
Description: Site1 to Site2
Negotiation mode: aggressive
My identifier: Domain name site1 at mydomain dot com
Encryption algorithm: Blowfish
Hash algorithm: SHA1
DH key group: 2
Lifetime: 28800
Pre-Shared Key: TesT123
Protocol: ESP
Encryption algorithms: only Blowfish checked
Hash algorithms: only SHA1 checked
PFS key group: 2
Lifetime: 86400

IPSEC Settings Site 2:
======================
Mode: Tunnel
Disabled: Unchecked
Interface: WAN
Local subnet: Network 192.168.3.0/24
Remote Subnet: 192.168.21.0/24
Remote Gateway: 192.168.50.1
Description: Site2 to Site1
Negotiation mode: aggressive
My identifier: Domain name site2 at mydomain dot com
Encryption algorithm: Blowfish
Hash algorithm: SHA1
DH key group: 2
Lifetime: 28800
Pre-Shared Key: TesT123
Protocol: ESP
Encryption algorithms: only Blowfish checked
Hash algorithms: only SHA1 checked
PFS key group: 2
Lifetime: 86400

-------------------------------------------------------------------

OK, so after setting this up I get no SADs, and here are the resultant log 
entries from Site 1.

Nov 17 20:17:34     racoon: INFO: session.c:319:check_sigreq(): caught 
signal 15
Nov 17 20:17:35     racoon: INFO: session.c:183:close_session(): racoon 
shutdown
Nov 17 20:17:36     racoon: INFO: main.c:172:main(): @(#)package version 
freebsd-20050510a
Nov 17 20:17:36     racoon: INFO: main.c:174:main(): @(#)internal 
version 20001216 sakane at kame dot net
Nov 17 20:17:36     racoon: INFO: main.c:175:main(): @(#)This product 
linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
127.0.0.1[500] used as isakmp port (fd=7)
Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
192.168.3.1[500] used as isakmp port (fd=8)
Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
192.168.50.1[500] used as isakmp port (fd=9)
Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
192.168.1.23[500] used as isakmp port (fd=10)
Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
policy already exists. anyway replace it: 192.168.1.0/24[0] 
192.168.1.23/32[0] proto=any dir=in
Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
policy already exists. anyway replace it: 192.168.21.0/24[0] 
192.168.3.0/24[0] proto=any dir=in
Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
policy already exists. anyway replace it: 192.168.1.23/32[0] 
192.168.1.0/24[0] proto=any dir=out
Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
policy already exists. anyway replace it: 192.168.3.0/24[0] 
192.168.21.0/24[0] proto=any dir=out

And here are the log entries for Site 2.

Nov 17 21:23:48 racoon: INFO: session.c:319:check_sigreq(): caught 
signal 15
Nov 17 21:23:49 racoon: INFO: session.c:183:close_session(): racoon 
shutdown
Nov 17 21:23:50 racoon: INFO: main.c:172:main(): @(#)package version 
freebsd-20050510a
Nov 17 21:23:50 racoon: INFO: main.c:174:main(): @(#)internal version 
20001216 sakane at kame dot net
Nov 17 21:23:50 racoon: INFO: main.c:175:main(): @(#)This product linked 
OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
127.0.0.1[500] used as isakmp port (fd=7)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
192.168.21.1[500] used as isakmp port (fd=8)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
192.168.50.2[500] used as isakmp port (fd=9)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
192.168.20.1[500] used as isakmp port (fd=10)
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
policy already exists. anyway replace it: 192.168.20.0/24[0] 
192.168.20.1/32[0] proto=any dir=in
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
policy already exists. anyway replace it: 192.168.3.0/24[0] 
192.168.21.0/24[0] proto=any dir=in
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
policy already exists. anyway replace it: 192.168.20.1/32[0] 
192.168.20.0/24[0] proto=any dir=out
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
policy already exists. anyway replace it: 192.168.21.0/24[0] 
192.168.3.0/24[0] proto=any dir=out

This is really driving me crazy as I cannot see what I'm missing in my 
config. Could someone please clue me up as to why this may not be working?

Thanks

Mark
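As an added check (example code written here, not from the poster, m0n0wall or racoon), the script below encodes the two tunnel definitions exactly as listed in the post, with each site's OPT2 network taken from the diagram, and reports anything that must agree for a tunnel to come up: identical phase 1 and phase 2 parameters and pre-shared key, mirrored local/remote subnets, each remote gateway equal to the peer's WAN address, distinct identifiers, and a local subnet that is the site's own OPT2 network. It also rejoins the wrapped Site 1 racoon output into single log lines (constructed from the post) and sorts them into ISAKMP listeners, SPD entries and negotiation events. The dictionary key names are labels chosen here, not m0n0wall configuration keys; the negotiation marker strings are messages racoon prints when a phase 1 or phase 2 exchange is started, answered or fails.

```python
"""Consistency checks for two m0n0wall IPsec tunnel definitions plus a racoon log summary.

Added example, not code from the original post or from m0n0wall/racoon. The
site dictionaries are constructed from the settings in the post; key names are
labels chosen here.
"""
import ipaddress
import re

SITE1 = {
    "name": "Site1", "wan": "192.168.50.1",
    "opt2": "192.168.3.0/24",          # OPT2 network drawn for Site 1 in the diagram
    "local": "192.168.21.0/24",        # "Local subnet" as listed under Site 1
    "remote": "192.168.3.0/24", "remote_gw": "192.168.50.2",
    "identifier": "site1@mydomain.com",
    "neg_mode": "aggressive", "p1_enc": "blowfish", "p1_hash": "sha1",
    "dh_group": 2, "p1_lifetime": 28800, "psk": "TesT123",
    "protocol": "esp", "p2_enc": "blowfish", "p2_hash": "sha1",
    "pfs_group": 2, "p2_lifetime": 86400,
}
SITE2 = dict(SITE1, name="Site2", wan="192.168.50.2", opt2="192.168.21.0/24",
             local="192.168.3.0/24", remote="192.168.21.0/24",
             remote_gw="192.168.50.1", identifier="site2@mydomain.com")

# Parameters that must be identical on both ends of the tunnel.
SHARED = ("neg_mode", "p1_enc", "p1_hash", "dh_group", "p1_lifetime", "psk",
          "protocol", "p2_enc", "p2_hash", "pfs_group", "p2_lifetime")


def check_pair(a, b):
    """Return a list of findings; an empty list means the two ends are consistent."""
    findings = []
    for key in SHARED:
        if a[key] != b[key]:
            findings.append(f"{key} differs: {a['name']}={a[key]!r}, {b['name']}={b[key]!r}")
    if a["identifier"] == b["identifier"]:
        findings.append("both ends use the same identifier")
    for me, peer in ((a, b), (b, a)):
        local = ipaddress.ip_network(me["local"])
        opt2 = ipaddress.ip_network(me["opt2"])
        # Subnets must mirror: my local network is the peer's remote network.
        if local != ipaddress.ip_network(peer["remote"]):
            findings.append(f"{me['name']} local {local} is not {peer['name']} remote {peer['remote']}")
        # The remote gateway must be the peer's WAN address.
        if me["remote_gw"] != peer["wan"]:
            findings.append(f"{me['name']} remote gateway {me['remote_gw']} is not {peer['name']} WAN {peer['wan']}")
        # The local network should be the site's own OPT2 network from the diagram.
        if local != opt2:
            findings.append(f"{me['name']} local subnet {local} is not its OPT2 network {opt2}")
    return findings


# Substrings racoon logs when a phase 1 or phase 2 exchange is attempted, completed or fails.
NEGOTIATION_MARKERS = ("initiate new phase 1 negotiation", "respond new phase 1 negotiation",
                       "ISAKMP-SA established", "IPsec-SA established",
                       "negotiation failed", "no suitable proposal")
SPD_RE = re.compile(r"replace it: (\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=(\w+)")
LISTEN_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[(\d+)\] used as isakmp port")

# Site 1 racoon lines from the post, rejoined into single lines (constructed sample).
SITE1_LOG = [
    "Nov 17 20:17:34 racoon: INFO: session.c:319:check_sigreq(): caught signal 15",
    "Nov 17 20:17:35 racoon: INFO: session.c:183:close_session(): racoon shutdown",
    "Nov 17 20:17:36 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20050510a",
    "Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)",
    "Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.3.1[500] used as isakmp port (fd=8)",
    "Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.50.1[500] used as isakmp port (fd=9)",
    "Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.23[500] used as isakmp port (fd=10)",
    "Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.21.0/24[0] 192.168.3.0/24[0] proto=any dir=in",
    "Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.3.0/24[0] 192.168.21.0/24[0] proto=any dir=out",
]


def summarize_racoon_log(lines):
    """Group racoon log lines into listeners, SPD entries (dir, src, dst, proto) and negotiation events."""
    summary = {"listeners": [], "spd": [], "negotiation": [], "other": 0}
    for line in lines:
        if m := LISTEN_RE.search(line):
            summary["listeners"].append(f"{m.group(1)}:{m.group(2)}")
        elif m := SPD_RE.search(line):
            src, dst, proto, direction = m.groups()
            summary["spd"].append((direction, src, dst, proto))
        elif any(marker in line for marker in NEGOTIATION_MARKERS):
            summary["negotiation"].append(line)
        else:
            summary["other"] += 1
    return summary


def diagnose(summary):
    """One-line reading of a racoon log summary."""
    if summary["negotiation"]:
        return "negotiation lines present: read them for the failing phase or proposal"
    if summary["spd"]:
        return ("policy loaded but no phase 1 was initiated or answered; "
                "the 'policy already exists' lines report a replace, not a failure")
    return "no policy and no negotiation: the tunnel definition never reached racoon"


if __name__ == "__main__":
    for finding in check_pair(SITE1, SITE2):
        print("config:", finding)
    s = summarize_racoon_log(SITE1_LOG)
    print("listeners:", s["listeners"])
    for entry in s["spd"]:
        print("spd %s: %s -> %s proto=%s" % entry)
    print("diagnosis:", diagnose(s))
```

Run against the values as listed, it reports two findings, both that a site's local subnet is not the OPT2 network drawn for that site, so the listing and the diagram disagree on which side each subnet belongs to, and the SPD entries in the log summary (printed source then destination) show the policy racoon actually holds for comparison. The log summary itself shows four ISAKMP listeners and the SPD reload entries with no negotiation line at all, which is what "no SAD entries" looks like from racoon's side: no phase 1 exchange was started or answered, so the place to look is whether traffic from the local subnet ever selects the tunnel and whether UDP/500 reaches the peer.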