 From:  Mark Wass <mark dot wass at market dash analyst dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Monowall to Monowall
 Date:  Thu, 17 Nov 2005 10:51:12 +1000
Slight error below.

My identifier should read

My identifier: Domain name site1.mydomain.com for site 1

and

My identifier: Domain name site2.mydomain.com for site 2

I have also made sure to allow private addressing over the WAN in the 
general settings.

Mark Wass wrote:

> Hi All
>
> I'm having trouble setting up a monowall to monowall IPSEC VPN. I have 
> searched the Mail List and read the instructions on how to do it and 
> I'm still getting stuck with no SAD entries.
>
>
> Here is my network layout. This is just setup in my lab for testing 
> purposes.
>
> OPT1            OPT2                LAN
> Real IP's       192.168.21.0/24     192.168.20.0/24
> |               |                   |
> |               |                   |
> |               |                   |
> -------------m0n0wall----------------
>        Site 2 |WAN Static IP = 192.168.50.2
>               |
>               |
>               |(Crossover cable)
>               |
>               |
>        Site 1 |WAN Static IP = 192.168.50.1
> -------------m0n0wall----------------
> |               |                   |
> |               |                   |
> |               |                   |
> OPT1            OPT2                 LAN
> Real IP's       192.168.3.0/24       192.168.1.0/24
>
>
> I want an IPSEC VPN between the two OPT2 networks at either site. 
> So far I can successfully ping the WAN interface between each site.
>
> Here are my settings.
>
> Firewall Rules Site 1:
> ======================
> WAN Interface.
> I have opened up the WAN allowing all protocols from any to any.
>
> OPT2 Interface
> I have opened up the OPT2 allowing all protocols from any to any.
>
> Firewall Rules Site 2:
> ======================
> WAN Interface.
> I have opened up the WAN allowing all protocols from any to any.
>
> OPT2 Interface
> I have opened up the OPT2 allowing all protocols from any to any.
>
> -------------------------------------------------------------------
>
> IPSEC Settings Site 1:
> ======================
> Mode: Tunnel
> Disabled: Unchecked
> Interface: WAN
> Local subnet: Network 192.168.21.0/24
> Remote Subnet: 192.168.3.0/24
> Remote Gateway: 192.168.50.2
> Description: Site1 to Site2
> Negotiation mode: aggressive
> My identifier: Domain name site1 at mydomain dot com
> Encryption algorithm: Blowfish
> Hash algorithm: SHA1
> DH key group: 2
> Lifetime: 28800
> Pre-Shared Key: TesT123
> Protocol: ESP
> Encryption algorithms: only Blowfish checked
> Hash algorithms: only SHA1 checked
> PFS key group: 2
> Lifetime: 86400
>
> IPSEC Settings Site 2:
> ======================
> Mode: Tunnel
> Disabled: Unchecked
> Interface: WAN
> Local subnet: Network 192.168.3.0/24
> Remote Subnet: 192.168.21.0/24
> Remote Gateway: 192.168.50.1
> Description: Site2 to Site1
> Negotiation mode: aggressive
> My identifier: Domain name site2 at mydomain dot com
> Encryption algorithm: Blowfish
> Hash algorithm: SHA1
> DH key group: 2
> Lifetime: 28800
> Pre-Shared Key: TesT123
> Protocol: ESP
> Encryption algorithms: only Blowfish checked
> Hash algorithms: only SHA1 checked
> PFS key group: 2
> Lifetime: 86400
>
> -------------------------------------------------------------------
>
> Ok, so after setting this up I get no SADs, and here are the resultant 
> log entries from Site1
>
> Nov 17 20:17:34     racoon: INFO: session.c:319:check_sigreq(): caught 
> signal 15
> Nov 17 20:17:35     racoon: INFO: session.c:183:close_session(): 
> racoon shutdown
> Nov 17 20:17:36     racoon: INFO: main.c:172:main(): @(#)package 
> version freebsd-20050510a
> Nov 17 20:17:36     racoon: INFO: main.c:174:main(): @(#)internal 
> version 20001216 sakane at kame dot net
> Nov 17 20:17:36     racoon: INFO: main.c:175:main(): @(#)This product 
> linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
> Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
> 127.0.0.1[500] used as isakmp port (fd=7)
> Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
> 192.168.3.1[500] used as isakmp port (fd=8)
> Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
> 192.168.50.1[500] used as isakmp port (fd=9)
> Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
> 192.168.1.23[500] used as isakmp port (fd=10)
> Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
> policy already exists. anyway replace it: 192.168.1.0/24[0] 
> 192.168.1.23/32[0] proto=any dir=in
> Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
> policy already exists. anyway replace it: 192.168.21.0/24[0] 
> 192.168.3.0/24[0] proto=any dir=in
> Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
> policy already exists. anyway replace it: 192.168.1.23/32[0] 
> 192.168.1.0/24[0] proto=any dir=out
> Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
> policy already exists. anyway replace it: 192.168.3.0/24[0] 
> 192.168.21.0/24[0] proto=any dir=out
>
> And here are the log entries for Site2
>
> Nov 17 21:23:48 racoon: INFO: session.c:319:check_sigreq(): caught 
> signal 15
> Nov 17 21:23:49 racoon: INFO: session.c:183:close_session(): racoon 
> shutdown
> Nov 17 21:23:50 racoon: INFO: main.c:172:main(): @(#)package version 
> freebsd-20050510a
> Nov 17 21:23:50 racoon: INFO: main.c:174:main(): @(#)internal version 
> 20001216 sakane at kame dot net
> Nov 17 21:23:50 racoon: INFO: main.c:175:main(): @(#)This product 
> linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
> Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
> 127.0.0.1[500] used as isakmp port (fd=7)
> Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
> 192.168.21.1[500] used as isakmp port (fd=8)
> Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
> 192.168.50.2[500] used as isakmp port (fd=9)
> Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
> 192.168.20.1[500] used as isakmp port (fd=10)
> Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
> policy already exists. anyway replace it: 192.168.20.0/24[0] 
> 192.168.20.1/32[0] proto=any dir=in
> Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
> policy already exists. anyway replace it: 192.168.3.0/24[0] 
> 192.168.21.0/24[0] proto=any dir=in
> Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
> policy already exists. anyway replace it: 192.168.20.1/32[0] 
> 192.168.20.0/24[0] proto=any dir=out
> Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
> policy already exists. anyway replace it: 192.168.21.0/24[0] 
> 192.168.3.0/24[0] proto=any dir=out
>
> This is really driving me crazy as I cannot see what I'm missing in my 
> config. Could someone please clue me up as to why this may not be 
> working?
>
> Thanks
>
> Mark
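As an added example (not part of the post or of m0n0wall itself), the Python below checks two m0n0wall tunnel definitions against each other and against the SPD policies racoon reports in its pk_recvspddump() lines; the field names, the data dicts and the assumption that racoon lists source before destination in those lines are mine. Run over the post's figures, the two definitions mirror each other, while the Site1 racoon log holds the subnets listed under the Site 2 heading, so the first thing to establish is which settings block belongs to which box.

```python
import re
from ipaddress import ip_network
# Policy text in racoon's pk_recvspddump() message (assumed source first, then destination):
# "<src>/<len>[port] <dst>/<len>[port] proto=<p> dir=<in|out>"
SPD_RE = re.compile(r"(\d+(?:\.\d+){3}/\d+)\[\d+\] (\d+(?:\.\d+){3}/\d+)\[\d+\] proto=\S+ dir=(in|out)")
# Settings that must be identical on both ends of a m0n0wall site-to-site tunnel.
MIRROR_EQUAL = ("negotiation", "psk", "p1_enc", "p1_hash", "dh", "p1_life",
                "p2_enc", "p2_hash", "pfs", "p2_life")

def parse_spd(log_text):
    """Map (src, dst) -> direction per tunnel policy, skipping the firewall's own /32 host policies."""
    policies = {}
    for src, dst, direction in SPD_RE.findall(log_text):
        src, dst = ip_network(src), ip_network(dst)
        if 32 not in (src.prefixlen, dst.prefixlen):
            policies[(src, dst)] = direction
    return policies

def check_mirror(a, b):
    """Findings when two tunnel definitions are not mirror images (empty = consistent)."""
    findings = [f"{k} differs" for k in MIRROR_EQUAL if a[k] != b[k]]
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        findings.append("local/remote subnets are not swapped between the sites")
    if (a["gateway"], b["gateway"]) != (b["wan"], a["wan"]):
        findings.append("remote gateway is not the peer's WAN address")
    return findings

def check_spd(cfg, log_text):
    """Findings when the subnets configured on a site disagree with the SPD its kernel holds."""
    local, remote = ip_network(cfg["local"]), ip_network(cfg["remote"])
    spd, findings = parse_spd(log_text), []
    if spd.get((local, remote)) != "out":
        findings.append(f"SPD has no outbound policy {local} -> {remote}")
    if spd.get((remote, local)) != "in":
        findings.append(f"SPD has no inbound policy {remote} -> {local}")
    return findings

# Tunnel settings as listed in the post, plus each site's WAN address from the diagram.
COMMON = dict(negotiation="aggressive", psk="TesT123", p1_enc="blowfish", p1_hash="sha1",
              dh=2, p1_life=28800, p2_enc="blowfish", p2_hash="sha1", pfs=2, p2_life=86400)
SITE1 = dict(COMMON, wan="192.168.50.1", gateway="192.168.50.2",
             local="192.168.21.0/24", remote="192.168.3.0/24")
SITE2 = dict(COMMON, wan="192.168.50.2", gateway="192.168.50.1",
             local="192.168.3.0/24", remote="192.168.21.0/24")
# SPD lines from the post's Site1 log, unwrapped onto one line each (the first is a host policy).
SITE1_LOG = """\
racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.23/32[0] proto=any dir=in
racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.21.0/24[0] 192.168.3.0/24[0] proto=any dir=in
racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.3.0/24[0] 192.168.21.0/24[0] proto=any dir=out
"""
```

check_mirror(SITE1, SITE2) returns no findings, check_spd(SITE2, SITE1_LOG) returns none either, and check_spd(SITE1, SITE1_LOG) reports both directions missing.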