 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Monowall to Monowall
 Date:  Thu, 17 Nov 2005 02:12:25 +0100
The SA (Security Association) appears as the tunnel comes up.

Mark Wass wrote:
> False alarm ladies and gentlemen. It appears I had a static route that 
> was preventing the tunnel.
> 
> One quick question though.
> 
> Do the SAD's only appear when a host on one end of the tunnel tries to 
> connect to a host on the other end? Or is it when the tunnel gets created?
> 
> Thanks
> 
> Mark Wass wrote:
> 
>> Hi All
>>
>> I'm having trouble setting up a monowall to monowall IPSEC VPN. I have 
>> searched the Mail List and read the instructions on how to do it and, 
>> I'm still getting stuck with no SAD entries.
>>
>>
>> Here is my network layout. This is just setup in my lab for testing 
>> purposes.
>>
>> OPT1            OPT2                LAN
>> Real IP's       192.168.21.0/24     192.168.20.0/24
>> |               |                   |
>> |               |                   |
>> |               |                   |
>> -------------m0n0wall----------------
>>        Site 2 |WAN Static IP = 192.168.50.2
>>               |
>>               |
>>               |(Crossover cable)
>>               |
>>               |
>>        Site 1 |WAN Static IP = 192.168.50.1
>> -------------m0n0wall----------------
>> |               |                   |
>> |               |                   |
>> |               |                   |
>> OPT1            OPT2                 LAN
>> Real IP's       192.168.3.0/24       192.168.1.0/24
>>
>>
>> I want an IPSEC VPN between the two OPT2 networks at either site. 
>> So far I can successfully ping the WAN interface between each site.
>>
>> Here are my settings.
>>
>> Firewall Rules Site 1:
>> ======================
>> WAN Interface.
>> I have opened up the WAN allowing all protocols from any to any.
>>
>> OPT2 Interface
>> I have opened up the OPT2 allowing all protocols from any to any.
>>
>> Firewall Rules Site 2:
>> ======================
>> WAN Interface.
>> I have opened up the WAN allowing all protocols from any to any.
>>
>> OPT2 Interface
>> I have opened up the OPT2 allowing all protocols from any to any.
>>
>> -------------------------------------------------------------------
>>
>> IPSEC Settings Site 1:
>> ======================
>> Mode: Tunnel
>> Disabled: Unchecked
>> Interface: WAN
>> Local subnet: Network 192.168.21.0/24
>> Remote Subnet: 192.168.3.0 / 24
>> Remote Gateway: 192.168.50.2
>> Description: Site1 to Site2
>> Negotiation mode: aggressive
>> My identifier: Domain name site1 at mydomain dot com
>> Encryption algorithm: Blowfish
>> Hash algorithm: SHA1
>> DH key group: 2
>> Lifetime: 28800
>> Pre-Shared Key: TesT123
>> Protocol: ESP
>> Encryption algorithms: only Blowfish checked
>> Hash algorithms: only SHA1 checked
>> PFS key group: 2
>> Lifetime: 86400
>>
>> IPSEC Settings Site 2:
>> ======================
>> Mode: Tunnel
>> Disabled: Unchecked
>> Interface: WAN
>> Local subnet: Network 192.168.3.0/24
>> Remote Subnet: 192.168.21.0 /24
>> Remote Gateway: 192.168.50.1
>> Description: Site2 to Site1
>> Negotiation mode: aggressive
>> My identifier: Domain name site2 at mydomain dot com
>> Encryption algorithm: Blowfish
>> Hash algorithm: SHA1
>> DH key group: 2
>> Lifetime: 28800
>> Pre-Shared Key: TesT123
>> Protocol: ESP
>> Encryption algorithms: only Blowfish checked
>> Hash algorithms: only SHA1 checked
>> PFS key group: 2
>> Lifetime: 86400
>>
>> -------------------------------------------------------------------
>>
>> OK, so after setting this up I get no SAD's and here is the resultant 
>> LOG entries from Site1
>>
>> Nov 17 20:17:34     racoon: INFO: session.c:319:check_sigreq(): caught 
>> signal 15
>> Nov 17 20:17:35     racoon: INFO: session.c:183:close_session(): 
>> racoon shutdown
>> Nov 17 20:17:36     racoon: INFO: main.c:172:main(): @(#)package 
>> version freebsd-20050510a
>> Nov 17 20:17:36     racoon: INFO: main.c:174:main(): @(#)internal 
>> version 20001216 sakane at kame dot net
>> Nov 17 20:17:36     racoon: INFO: main.c:175:main(): @(#)This product 
>> linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
>> Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
>> 127.0.0.1[500] used as isakmp port (fd=7)
>> Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
>> 192.168.3.1[500] used as isakmp port (fd=8)
>> Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
>> 192.168.50.1[500] used as isakmp port (fd=9)
>> Nov 17 20:17:36     racoon: INFO: isakmp.c:1368:isakmp_open(): 
>> 192.168.1.23[500] used as isakmp port (fd=10)
>> Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
>> policy already exists. anyway replace it: 192.168.1.0/24[0] 
>> 192.168.1.23/32[0] proto=any dir=in
>> Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
>> policy already exists. anyway replace it: 192.168.21.0/24[0] 
>> 192.168.3.0/24[0] proto=any dir=in
>> Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
>> policy already exists. anyway replace it: 192.168.1.23/32[0] 
>> 192.168.1.0/24[0] proto=any dir=out
>> Nov 17 20:17:36     racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
>> policy already exists. anyway replace it: 192.168.3.0/24[0] 
>> 192.168.21.0/24[0] proto=any dir=out
>>
>> And here are the log entries for Site2
>>
>> Nov 17 21:23:48 racoon: INFO: session.c:319:check_sigreq(): caught 
>> signal 15
>> Nov 17 21:23:49 racoon: INFO: session.c:183:close_session(): racoon 
>> shutdown
>> Nov 17 21:23:50 racoon: INFO: main.c:172:main(): @(#)package version 
>> freebsd-20050510a
>> Nov 17 21:23:50 racoon: INFO: main.c:174:main(): @(#)internal version 
>> 20001216 sakane at kame dot net
>> Nov 17 21:23:50 racoon: INFO: main.c:175:main(): @(#)This product 
>> linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
>> Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
>> 127.0.0.1[500] used as isakmp port (fd=7)
>> Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
>> 192.168.21.1[500] used as isakmp port (fd=8)
>> Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
>> 192.168.50.2[500] used as isakmp port (fd=9)
>> Nov 17 21:23:50 racoon: INFO: isakmp.c:1368:isakmp_open(): 
>> 192.168.20.1[500] used as isakmp port (fd=10)
>> Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
>> policy already exists. anyway replace it: 192.168.20.0/24[0] 
>> 192.168.20.1/32[0] proto=any dir=in
>> Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
>> policy already exists. anyway replace it: 192.168.3.0/24[0] 
>> 192.168.21.0/24[0] proto=any dir=in
>> Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
>> policy already exists. anyway replace it: 192.168.20.1/32[0] 
>> 192.168.20.0/24[0] proto=any dir=out
>> Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such 
>> policy already exists. anyway replace it: 192.168.21.0/24[0] 
>> 192.168.3.0/24[0] proto=any dir=out
>>
>> This is really driving me crazy as I cannot see what I'm missing in my 
>> config. Could someone please clue me up as to why this may not be 
>> working?
>>
>> Thanks
>>
>> Mark
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>>
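The thread above turns on two things: the two m0n0wall endpoints having mirror-image settings (one site's local subnet is the other's remote subnet, each remote gateway is the other's WAN address, and the phase 1 / phase 2 parameters agree), and telling the SPD apart from the SAD. Racoon's `pk_recvspddump()` lines in Mark's logs show the policies (SPD) being loaded at racoon start-up; the SAD entries only show up once IKE has negotiated the SA, which is what Daniele's reply says. The script below is an added example written for this page, not code from the thread or from m0n0wall. It checks a pair of endpoint settings for mirror consistency and parses the `pk_recvspddump()` log lines to confirm both directions of the tunnel policy were loaded. The addresses, subnets and parameters are taken from the post's diagram and settings (the local subnet of each site is the OPT2 network the diagram attaches to it); the identifier strings, the field names and the log text are constructed for the example, and the log lines are re-joined onto single lines the way racoon writes them.

```python
import ipaddress
import re

# Parameters both endpoints must agree on for phase 1 / phase 2 to negotiate.
# The keys are our own names for the m0n0wall form fields quoted in the post.
MATCH_FIELDS = (
    "mode", "negotiation_mode", "p1_encryption", "p1_hash", "dh_group",
    "p1_lifetime", "psk", "protocol", "p2_encryption", "p2_hash",
    "pfs_group", "p2_lifetime",
)

# Values common to both sites, as posted (lab PSK from the post).
COMMON = dict(mode="tunnel", negotiation_mode="aggressive", p1_encryption="blowfish",
              p1_hash="sha1", dh_group=2, p1_lifetime=28800, psk="TesT123",
              protocol="esp", p2_encryption="blowfish", p2_hash="sha1",
              pfs_group=2, p2_lifetime=86400)

# Per-site values from the diagram; "attached_subnets" are the OPT2 and LAN
# networks drawn at each site, and the identifiers are constructed placeholders.
SITE1 = dict(COMMON, name="Site 1", wan_ip="192.168.50.1",
             attached_subnets=["192.168.3.0/24", "192.168.1.0/24"],
             local_subnet="192.168.3.0/24", remote_subnet="192.168.21.0/24",
             remote_gateway="192.168.50.2", my_identifier="site1.example")
SITE2 = dict(COMMON, name="Site 2", wan_ip="192.168.50.2",
             attached_subnets=["192.168.21.0/24", "192.168.20.0/24"],
             local_subnet="192.168.21.0/24", remote_subnet="192.168.3.0/24",
             remote_gateway="192.168.50.1", my_identifier="site2.example")


def mirror_issues(a, b):
    """Return a list of problems that would stop endpoints a and b forming a tunnel."""
    issues = []
    for field in MATCH_FIELDS:
        if a[field] != b[field]:
            issues.append(f"{field} differs: {a['name']}={a[field]!r}, {b['name']}={b[field]!r}")
    if a["my_identifier"] == b["my_identifier"]:
        issues.append("both endpoints use the same identifier")
    for x, y in ((a, b), (b, a)):
        local = ipaddress.ip_network(x["local_subnet"])
        if local != ipaddress.ip_network(y["remote_subnet"]):
            issues.append(f"{x['name']} local subnet {local} is not {y['name']}'s remote subnet")
        if ipaddress.ip_address(x["remote_gateway"]) != ipaddress.ip_address(y["wan_ip"]):
            issues.append(f"{x['name']} remote gateway {x['remote_gateway']} is not {y['name']}'s WAN address")
        if local not in [ipaddress.ip_network(n) for n in x["attached_subnets"]]:
            issues.append(f"{x['name']} local subnet {local} is not directly attached to it")
    return issues


# Matches racoon's "pk_recvspddump(): ... <src>[port] <dst>[port] proto=... dir=in|out" lines.
SPD_RE = re.compile(
    r"pk_recvspddump\(\): .*?: (?P<src>\S+)\[\d+\] (?P<dst>\S+)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)


def parse_spd(log_text):
    """Extract the set of (src, dst, direction) policies racoon reported loading."""
    return {(m["src"], m["dst"], m["dir"]) for m in SPD_RE.finditer(log_text)}


def tunnel_policy_present(policies, local_subnet, remote_subnet):
    """True if both directions of the site-to-site policy are in the SPD."""
    return ((local_subnet, remote_subnet, "out") in policies
            and (remote_subnet, local_subnet, "in") in policies)


def check_site(site, log_text):
    """Confirm the SPD evidence in a site's racoon log matches its configured tunnel."""
    return tunnel_policy_present(parse_spd(log_text), site["local_subnet"], site["remote_subnet"])


# Constructed from the posted logs, re-joined onto one line per message.
SITE1_LOG = """\
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.23/32[0] proto=any dir=in
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.21.0/24[0] 192.168.3.0/24[0] proto=any dir=in
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.1.23/32[0] 192.168.1.0/24[0] proto=any dir=out
Nov 17 20:17:36 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.3.0/24[0] 192.168.21.0/24[0] proto=any dir=out
"""
SITE2_LOG = """\
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.20.0/24[0] 192.168.20.1/32[0] proto=any dir=in
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.3.0/24[0] 192.168.21.0/24[0] proto=any dir=in
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.20.1/32[0] 192.168.20.0/24[0] proto=any dir=out
Nov 17 21:23:50 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway replace it: 192.168.21.0/24[0] 192.168.3.0/24[0] proto=any dir=out
"""

if __name__ == "__main__":
    print("config issues:", mirror_issues(SITE1, SITE2) or "none")
    print("site 1 SPD has tunnel policy:", check_site(SITE1, SITE1_LOG))
    print("site 2 SPD has tunnel policy:", check_site(SITE2, SITE2_LOG))
```

A clean result from both checks means the policies are loaded and the two ends agree; it says nothing about the SAD, which stays empty until IKE completes and, as the thread found, can also stay empty because routing (here a stray static route) keeps the IKE packets or the interesting traffic from reaching the WAN side. Swapping one site's local and remote subnets, or changing any single phase 1 / phase 2 value on one side, makes `mirror_issues` report it.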