Hi All
I'm having trouble setting up a monowall to monowall IPSEC VPN. I have
searched the Mail List and read the instructions on how to do it and,
I'm still getting stuck with no SAD entries.
Here is my network layout. This is just setup in my lab for testing
purposes.
                 OPT1            OPT2               LAN
               Real IP's    192.168.21.0/24    192.168.20.0/24
                  |               |                  |
                  |               |                  |
Site 2       -------------m0n0wall----------------
                            | WAN Static IP = 192.168.50.2
                            |
                            | (Crossover cable)
                            |
                            | WAN Static IP = 192.168.50.1
Site 1       -------------m0n0wall----------------
                  |               |                  |
                  |               |                  |
               Real IP's    192.168.3.0/24     192.168.1.0/24
                 OPT1            OPT2               LAN
I want to set up an IPSEC VPN between the two OPT2 networks at either site. So
far I can successfully ping the WAN interface between each site.
Here are my settings.
Firewall Rules Site 1:
======================
WAN Interface.
I have opened up the WAN allowing all protocols from any to any.
OPT2 Interface
I have opened up the OPT2 allowing all protocols from any to any.
Firewall Rules Site 2:
======================
WAN Interface.
I have opened up the WAN allowing all protocols from any to any.
OPT2 Interface
I have opened up the OPT2 allowing all protocols from any to any.
-------------------------------------------------------------------
IPSEC Settings Site 1:
======================
Mode: Tunnel
Disabled: Unchecked
Interface: WAN
Local subnet: Network 192.168.21.0/24
Remote Subnet: 192.168.3.0/24
Remote Gateway: 192.168.50.2
Description: Site1 to Site2
Negotiation mode: aggressive
My identifier: Domain name site1 at mydomain dot com
Encryption algorithm: Blowfish
Hash algorithm: SHA1
DH key group: 2
Lifetime: 28800
Pre-Shared Key: TesT123
Protocol: ESP
Encryption algorithms: only Blowfish checked
Hash algorithms: only SHA1 checked
PFS key group: 2
Lifetime: 86400
IPSEC Settings Site 2:
======================
Mode: Tunnel
Disabled: Unchecked
Interface: WAN
Local subnet: Network 192.168.3.0/24
Remote Subnet: 192.168.21.0/24
Remote Gateway: 192.168.50.1
Description: Site2 to Site1
Negotiation mode: aggressive
My identifier: Domain name site2 at mydomain dot com
Encryption algorithm: Blowfish
Hash algorithm: SHA1
DH key group: 2
Lifetime: 28800
Pre-Shared Key: TesT123
Protocol: ESP
Encryption algorithms: only Blowfish checked
Hash algorithms: only SHA1 checked
PFS key group: 2
Lifetime: 86400
-------------------------------------------------------------------
OK, so after setting this up I get no SADs, and here are the resultant log
entries from Site1:
Nov 17 20:17:34 racoon: INFO: session.c:319:check_sigreq(): caught signal 15
Nov 17 20:17:35 racoon: INFO: session.c:183:close_session(): racoon shutdown
Nov 17 20:17:36 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20050510a
Nov 17 20:17:36 racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane at kame dot net
Nov 17 20:17:36 racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.3.1[500] used as isakmp port (fd=8)
Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.50.1[500] used as isakmp port (fd=9)
Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.23[500] used as isakmp port (fd=10)
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.23/32[0] proto=any dir=in
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.21.0/24[0] 192.168.3.0/24[0] proto=any dir=in
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.1.23/32[0] 192.168.1.0/24[0] proto=any dir=out
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.3.0/24[0] 192.168.21.0/24[0] proto=any dir=out
And here are the log entries for Site2:
Nov 17 21:23:48 racoon: INFO: session.c:319:check_sigreq(): caught signal 15
Nov 17 21:23:49 racoon: INFO: session.c:183:close_session(): racoon shutdown
Nov 17 21:23:50 racoon: INFO: main.c:172:main(): @(#)package version freebsd-20050510a
Nov 17 21:23:50 racoon: INFO: main.c:174:main(): @(#)internal version 20001216 sakane at kame dot net
Nov 17 21:23:50 racoon: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.21.1[500] used as isakmp port (fd=8)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.50.2[500] used as isakmp port (fd=9)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.20.1[500] used as isakmp port (fd=10)
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.20.0/24[0] 192.168.20.1/32[0] proto=any dir=in
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.3.0/24[0] 192.168.21.0/24[0] proto=any dir=in
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.20.1/32[0] 192.168.20.0/24[0] proto=any dir=out
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.21.0/24[0] 192.168.3.0/24[0] proto=any dir=out
This is really driving me crazy as I cannot see what I'm missing in my
config. Could someone please clue me up as to why this may not be working?
Thanks
Mark
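As an added example (editor's code, not part of Mark's post and not m0n0wall's own tooling), the script below takes the racoon excerpts quoted above, with the wrapped lines re-joined, and runs the checks a practitioner would make before changing any settings: that each box loaded an outbound tunnel policy whose source subnet contains one of the addresses racoon bound, that the peer loaded the mirror-image inbound policy, and whether any IKE negotiation was logged at all. The message strings it looks for to detect IKE activity ("phase 1 negotiation", "ISAKMP-SA established", "IPsec-SA established") are assumed from racoon's usual wording and do not come from the post.

```python
"""Cross-check the racoon log excerpts posted for both m0n0wall boxes.

Added example (editor's code), not part of the original post or of m0n0wall.
The log lines are copied from the post with wrapped lines re-joined; the IKE
message strings searched for are assumed from racoon's normal output.
"""
import ipaddress
import re

SITE1_LOG = """\
Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.3.1[500] used as isakmp port (fd=8)
Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.50.1[500] used as isakmp port (fd=9)
Nov 17 20:17:36 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.23[500] used as isakmp port (fd=10)
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.23/32[0] proto=any dir=in
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.21.0/24[0] 192.168.3.0/24[0] proto=any dir=in
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.1.23/32[0] 192.168.1.0/24[0] proto=any dir=out
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.3.0/24[0] 192.168.21.0/24[0] proto=any dir=out
"""

SITE2_LOG = """\
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.21.1[500] used as isakmp port (fd=8)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.50.2[500] used as isakmp port (fd=9)
Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.20.1[500] used as isakmp port (fd=10)
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.20.0/24[0] 192.168.20.1/32[0] proto=any dir=in
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.3.0/24[0] 192.168.21.0/24[0] proto=any dir=in
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.20.1/32[0] 192.168.20.0/24[0] proto=any dir=out
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.21.0/24[0] 192.168.3.0/24[0] proto=any dir=out
"""

ISAKMP_RE = re.compile(r"isakmp_open\(\): ([\d.]+)\[500\] used as isakmp port")
# pk_recvspddump prints "src dst proto=... dir=..."; the /32 entries are the
# firewall-address-to-LAN policies m0n0wall installs, not the tunnel.
SPD_RE = re.compile(r"replace it: ([\d./]+)\[\d+\] ([\d./]+)\[\d+\] proto=\S+ dir=(in|out)")
# Messages racoon emits once IKE actually runs (assumed wording; none appear
# anywhere in the posted excerpts).
IKE_RE = re.compile(r"phase [12] negotiation|ISAKMP-SA established|IPsec-SA established")


def parse_racoon_log(text):
    """Return the addresses racoon bound, the SPD entries it loaded as
    (src, dst, direction) tuples, and how many lines show IKE activity."""
    listen, spd, ike_lines = set(), [], 0
    for line in text.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            listen.add(ipaddress.ip_address(m.group(1)))
            continue
        m = SPD_RE.search(line)
        if m:
            src, dst, direction = m.groups()
            spd.append((ipaddress.ip_network(src, strict=False),
                        ipaddress.ip_network(dst, strict=False), direction))
            continue
        if IKE_RE.search(line):
            ike_lines += 1
    return {"listen": listen, "spd": spd, "ike_lines": ike_lines}


def tunnel_policies(parsed):
    """Keep only the site-to-site policies (no /32 host on either side)."""
    return [(s, d, dr) for s, d, dr in parsed["spd"]
            if s.prefixlen != 32 and d.prefixlen != 32]


def check_pair(name_a, a, name_b, b):
    """Cross-check the two sides. Returns a list of findings; an empty list
    means the loaded policies are consistent and IKE was seen on both sides."""
    findings = []
    for name, me, peer_name, peer in ((name_a, a, name_b, b), (name_b, b, name_a, a)):
        outbound = [(s, d) for s, d, dr in tunnel_policies(me) if dr == "out"]
        peer_in = {(s, d) for s, d, dr in tunnel_policies(peer) if dr == "in"}
        if not outbound:
            findings.append(f"{name}: no outbound tunnel policy loaded")
        for src, dst in outbound:
            # The local subnet must contain an address this racoon listens on.
            if not any(addr in src for addr in me["listen"]):
                findings.append(f"{name}: out policy src {src} contains no local address")
            # The peer must have loaded the same pair as its inbound policy.
            if (src, dst) not in peer_in:
                findings.append(f"{name}: out {src}->{dst} not mirrored as 'in' at {peer_name}")
        if me["ike_lines"] == 0:
            findings.append(f"{name}: no IKE negotiation logged, only a restart and SPD reload")
    return findings


def spd_matches_settings(parsed, local, remote):
    """True if the loaded outbound tunnel policy is local -> remote as given."""
    want = (ipaddress.ip_network(local), ipaddress.ip_network(remote))
    return any((s, d) == want for s, d, dr in tunnel_policies(parsed) if dr == "out")


if __name__ == "__main__":
    site1, site2 = parse_racoon_log(SITE1_LOG), parse_racoon_log(SITE2_LOG)
    for finding in check_pair("site1", site1, "site2", site2):
        print(finding)
    # Local/remote subnets exactly as listed under "IPSEC Settings Site 1".
    print("site1 SPD matches the listed settings:",
          spd_matches_settings(site1, "192.168.21.0/24", "192.168.3.0/24"))
```

Run against the two excerpts, the structural checks pass: each side's outbound policy is mirrored as the other side's inbound policy, and each outbound source subnet contains an address racoon bound (192.168.3.1 and 192.168.21.1). The only finding on both sides is that no IKE negotiation was ever logged; the excerpts show a restart and an SPD reload and nothing after that. Two details in the post are worth checking against that output. The outbound policy Site 1 loaded has 192.168.3.0/24 as its source, which is Site 1's OPT2 network in the diagram, while the settings listed for Site 1 name 192.168.21.0/24 as the local subnet, so `spd_matches_settings` returns False for the values as listed. And the ping between the two WAN addresses matches neither tunnel policy, so it cannot by itself cause racoon to start a negotiation. Separately, since both endpoints have static addresses, main mode is an option once the tunnel works: aggressive mode with a pre-shared key sends the identity in the clear and gives a passive observer material for offline guessing of the PSK.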