 From:  "dasz" <daszylstra at comcast dot net>
 To:  "Sean Waite" <swaite at sbn dash services dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC VPN -No traffic pass through
 Date:  Wed, 21 Dec 2005 00:14:08 -0500
I had a similar issue . . . m0n0wall 1.1 and Cisco (not sure of model) . . . any 
disruption in the connection would cause it to not be able to reconnect (it 
would seem as though it was connected, but no traffic would pass).

I found that if you go into Diagnostics --> IPSEC --> SAD tab and delete all 
entries that have the source or destination IP of the Cisco, you can then 
re-establish the tunnel and see if traffic passes.

As I was doing a lot of config changes over a week's time, I found that this 
consistently worked, i.e. I would make a change that would drop all the 
tunnels; the admin of the Cisco would then call within 20 minutes saying the 
tunnel dropped, then reconnected, and no traffic was getting through; I would 
then delete the SAD entries for his IP; the tunnel would then reconnect and 
work fine until the next change . . .

On the last drop we dug deeper into the logs and found that the lifetime for 
Phase 2 didn't match on both sides (the Cisco would connect and pass 
traffic, but logged something about the phase 2 lifetime).

One indicator that put me on to deleting the SAD entries was that there were 
multiple entries for the Cisco IP in each column.

I am not sure if we resolved the issue as there have been no changes or 
disruption in our service recently . . . .

David Z
----- Original Message ----- 
From: "Sean Waite" <swaite at sbn dash services dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, December 20, 2005 10:44 PM
Subject: [m0n0wall] IPSEC VPN -No traffic pass through


> Last week the internet was shut down temporarily, disconnecting my VPN. At 
> the one end is a Cisco PIX 506, the other is m0n0wall 1.2.
> When I got back home where the m0n0wall box is I could not get the tunnel 
> back up. Now at this point both the PIX and the m0n0wall box
> report an IPSEC tunnel. The problem is no traffic is going through. Until 
> now the VPN tunnel had worked for about 2-3 months without
> issue. Although from time to time when my IP address at home would change 
> I would have to set the new one in the PIX as my identifier.
>
> I am relatively new to IPSEC VPNs, especially with m0n0wall. The first 
> error message "/kernel: WARNING: pseudo-random number generator
> used for IPsec processing" has never affected the tunnel. The second 
> "ignore RESPONDER-LIFETIME notification" I have not been able to
> diagnose, as all lifetimes are set to 86400 on both ends. The last one 
> "ipsec_doi.c:918:cmp_aproppair_i(): attribute has been modified"
> is new to me, but I believe is the cause of the problem. Thus far I have 
> not been able to find any information on this.
>
> Any tips, ideas, or help would be very much appreciated.
>
> Below is the log and racoon.conf:
>
______________________________________________________________________________________________________________________________________
> RACOON.CONF:
> path pre_shared_key "/var/etc/psk.txt";
>
> path certificate  "/var/etc";
>
> remote 6*.***.***.** {
> exchange_mode aggressive;
> my_identifier address "7*.***.***.**";
>
> peers_identifier address 6*.***.***.**;
> initial_contact on;
> support_proxy on;
> proposal_check obey;
>
> proposal {
> encryption_algorithm des;
> hash_algorithm md5;
> authentication_method pre_shared_key;
> dh_group 1;
> lifetime time 86400 secs;
> }
> lifetime time 86400 secs;
> }
>
> sainfo address 192.168.2.0/24 any address 192.168.1.0/24 any {
> encryption_algorithm des,3des;
> authentication_algorithm hmac_sha1,hmac_md5;
> compression_algorithm deflate;
> lifetime time 86400 secs;
> }
>
______________________________________________________________________________________________________________________________________
> SPD:
>
> 192.168.2.0/24[any] 192.168.2.1[any] any
> in none
> spid=1 seq=3 pid=363
> refcnt=1
> 192.168.1.0/24[any] 192.168.2.0/24[any] any
> in ipsec
> esp/tunnel/6*.***.***.**-7*.***.***.**/unique#16386
> spid=4 seq=2 pid=363
> refcnt=1
> 192.168.2.1[any] 192.168.2.0/24[any] any
> out none
> spid=2 seq=1 pid=363
> refcnt=1
> 192.168.2.0/24[any] 192.168.1.0/24[any] any
> out ipsec
> esp/tunnel/7*.***.***.**-6*.***.***.**/unique#16385
> spid=3 seq=0 pid=363
> refcnt=1
>
______________________________________________________________________________________________________________________________________
> SAD:
> 7*.***.*** 6*.***.***.**
> esp mode=tunnel spi=1875021408(0x6fc28e60) reqid=16385(0x00004001)
> E: des-cbc  ******** ********
> A: hmac-sha1  ******** ******** ******** ******** ********
> seq=0x00000f62 replay=4 flags=0x00000000 state=mature
> created: Dec 20 22:44:37 2005 current: Dec 21 03:32:16 2005
> diff: 17259(s) hard: 86400(s) soft: 69120(s)
> last: Dec 21 03:32:13 2005 hard: 0(s) soft: 0(s)
> current: 1834784(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 3938 hard: 0 soft: 0
> sadb_seq=1 pid=365 refcnt=2
> 6*.***.***.** 7*.***.***
> esp mode=tunnel spi=158474755(0x09722203) reqid=16386(0x00004002)
> E: des-cbc  ******** ********
> A: hmac-sha1  ******** ******** ******** ******** ********
> seq=0x00000000 replay=4 flags=0x00000000 state=mature
> created: Dec 20 22:44:37 2005 current: Dec 21 03:32:16 2005
> diff: 17259(s) hard: 86400(s) soft: 69120(s)
> last: Dec 21 03:31:21 2005 hard: 0(s) soft: 0(s)
> current: 73430(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 788 hard: 0 soft: 0
> sadb_seq=0 pid=365 refcnt=1
>
______________________________________________________________________________________________________________________________________
> LOG:
> Dec 20 22:44:21 racoon: INFO: main.c:172:main(): @(#)package version 
> freebsd-20050510a
> Dec 20 22:44:21 racoon: INFO: main.c:174:main(): @(#)internal version 
> 20001216 sakane at kame dot net
> Dec 20 22:44:21 racoon: INFO: main.c:175:main(): @(#)This product linked 
> OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
> Dec 20 22:44:21 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] 
> used as isakmp port (fd=7)
> Dec 20 22:44:21 racoon: INFO: isakmp.c:1368:isakmp_open(): 
> 7*.***.***.**[500] used as isakmp port (fd=8)
> Dec 20 22:44:21 racoon: INFO: isakmp.c:1368:isakmp_open(): 
> 192.168.2.1[500] used as isakmp port (fd=9)
> Dec 20 22:44:36 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): 
> IPsec-SA request for 6*.***.***.** queued due to no phase1 found.
> Dec 20 22:44:36 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate 
> new phase 1 negotiation: 7*.***.***.**[500]<=>6*.***.***.**[500]
> Dec 20 22:44:36 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin 
> Aggressive mode.
> Dec 20 22:44:36 racoon: NOTIFY: oakley.c:2102:oakley_skeyid(): couldn't 
> find the proper pskey, try to get one by the peer's address.
> Dec 20 22:44:36 racoon: INFO: isakmp.c:2459:log_ph1established(): 
> ISAKMP-SA established 7*.***.***.**[500]-6*.***.***.**[500]
> spi:*********************************
> Dec 20 22:44:37 racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate 
> new phase 2 negotiation: 7*.***.***.**[0]<=>6*.***.***.**[0]
> Dec 20 22:44:37 /kernel: WARNING: pseudo-random number generator used for 
> IPsec processing
> Dec 20 22:44:37 racoon: WARNING: isakmp_inf.c:1340:isakmp_check_notify(): 
> ignore RESPONDER-LIFETIME notification.
> Dec 20 22:44:37 racoon: WARNING: ipsec_doi.c:918:cmp_aproppair_i(): 
> attribute has been modified.
> Dec 20 22:44:37 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA 
> established: ESP/Tunnel 6*.***.***.**->7*.***.***.**
> spi=158474755(0x9722203)
> Dec 20 22:44:37 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA 
> established: ESP/Tunnel 7*.***.***.**->6*.***.***.**
> spi=1875021408(0x6fc28e60)
> Dec 20 22:46:21 dnsmasq[97]: reading /etc/resolv.conf
> Dec 20 22:46:21 dnsmasq[97]: using nameserver 2*.**.***.***#53
>
>
>
> Sean
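The checks David describes (several SAD entries per Cisco IP, stale SAs that survive a tunnel drop) and Sean's lifetime question can be automated against the `setkey -D` / `setkey -DP` dumps and the racoon.conf shown above. The script below is an added example, not code from the thread or from m0n0wall; it assumes the KAME setkey output format as it appears in the post (the real dump is indented, the quoted copy lost that), uses constructed sample dumps with RFC 5737 addresses, and adds a constructed third, stale inbound SA (reqid 16380, hard lifetime 28800 s) to show what the symptom looks like. It cross-checks SA reqids against SPD policy reqids, flags pairs with more than one SA, compares each SA's hard lifetime with the sainfo lifetime, and emits the `setkey(8)` `deleteall` commands that flush a peer's SAs in both directions. One caveat the audit cannot remove: racoon's "ignore RESPONDER-LIFETIME notification" means it did not adopt a lifetime the peer sent, so a disagreement between the two ends may never show in the local SAD and has to be confirmed on the Cisco itself.

```python
"""Audit a KAME/racoon IPsec state dump (setkey -D / setkey -DP) for the
symptoms in this thread: duplicate SAs per peer, SAs no policy refers to,
policies with no SA, and SA lifetimes that differ from racoon.conf."""
import re
from collections import defaultdict

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SA_HEAD = re.compile(rf"^{IP}\s+{IP}$")
POLICY = re.compile(rf"esp/tunnel/{IP}-{IP}/unique#(\d+)")
DIRECTION = re.compile(r"^\s*(in|out)\s+(ipsec|none|discard)")
LIFETIME = re.compile(r"diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")

# Constructed sample dumps in the format of the post (RFC 5737 addresses). The
# third SA (reqid 16380, hard 28800 s) is a constructed stale inbound SA.
SAD_DUMP = """\
198.51.100.7 203.0.113.6
  esp mode=tunnel spi=1875021408(0x6fc28e60) reqid=16385(0x00004001)
  seq=0x00000f62 replay=4 flags=0x00000000 state=mature
  diff: 17259(s)  hard: 86400(s)  soft: 69120(s)
203.0.113.6 198.51.100.7
  esp mode=tunnel spi=158474755(0x09722203) reqid=16386(0x00004002)
  seq=0x00000000 replay=4 flags=0x00000000 state=mature
  diff: 17259(s)  hard: 86400(s)  soft: 69120(s)
203.0.113.6 198.51.100.7
  esp mode=tunnel spi=305419896(0x12345678) reqid=16380(0x00003ffc)
  seq=0x00000000 replay=4 flags=0x00000000 state=mature
  diff: 20000(s)  hard: 28800(s)  soft: 23040(s)
"""
SPD_DUMP = """\
192.168.1.0/24[any] 192.168.2.0/24[any] any
  in ipsec
  esp/tunnel/203.0.113.6-198.51.100.7/unique#16386
192.168.2.0/24[any] 192.168.1.0/24[any] any
  out ipsec
  esp/tunnel/198.51.100.7-203.0.113.6/unique#16385
"""
RACOON_CONF = """\
sainfo address 192.168.2.0/24 any address 192.168.1.0/24 any {
  lifetime time 86400 secs;
}
"""

def parse_sad(text):
    """One dict per SA from `setkey -D` output (src, dst, spi, reqid, state, lifetimes)."""
    sas, cur = [], None
    for line in text.splitlines():
        head = SA_HEAD.match(line.strip())
        if head:
            cur = {"src": head.group(1), "dst": head.group(2)}
            sas.append(cur)
        elif cur is not None and "spi=" in line:
            cur["spi"] = int(re.search(r"spi=(\d+)", line).group(1))
            cur["reqid"] = int(re.search(r"reqid=(\d+)", line).group(1))
        elif cur is not None and "state=" in line:
            cur["state"] = re.search(r"state=(\w+)", line).group(1)
        elif cur is not None and LIFETIME.search(line):
            cur["age"], cur["hard"], cur["soft"] = map(int, LIFETIME.search(line).groups())
    return sas

def parse_spd(text):
    """One dict per ipsec policy (direction, endpoints, reqid) from `setkey -DP` output."""
    pols, direction = [], None
    for line in text.splitlines():
        if DIRECTION.match(line):
            direction = DIRECTION.match(line).group(1)
        elif POLICY.search(line):
            src, dst, reqid = POLICY.search(line).groups()
            pols.append({"dir": direction, "src": src, "dst": dst, "reqid": int(reqid)})
    return pols

def sainfo_lifetime(racoon_conf):
    """Phase 2 hard lifetime in seconds from the sainfo block of racoon.conf."""
    block = re.search(r"sainfo[^{]*\{(.*?)\}", racoon_conf, re.S).group(1)
    return int(re.search(r"lifetime\s+time\s+(\d+)\s+sec", block).group(1))

def audit(sas, policies, configured_hard):
    """Cross-check SAD against SPD and the configured phase 2 hard lifetime."""
    by_pair = defaultdict(list)
    for sa in sas:
        by_pair[(sa["src"], sa["dst"])].append(sa)
    policy_reqids = {p["reqid"] for p in policies}
    mature_reqids = {sa.get("reqid") for sa in sas if sa.get("state") == "mature"}
    return {
        # several SAs for one src/dst pair: the indicator for deleting SAD entries
        "duplicate_pairs": {k: sorted(s["spi"] for s in v)
                            for k, v in by_pair.items() if len(v) > 1},
        # SA whose reqid no policy references: negotiated but never selected
        "orphan_spis": sorted(sa["spi"] for sa in sas if sa.get("reqid") not in policy_reqids),
        # policy with no mature SA behind it: matching traffic cannot be sent
        "unbacked_policies": sorted(p["reqid"] for p in policies if p["reqid"] not in mature_reqids),
        # hard lifetime not the sainfo value: the two sides negotiated something else
        "lifetime_mismatch": sorted(sa["spi"] for sa in sas if sa.get("hard") not in (None, configured_hard)),
    }

def flush_commands(local, peer):
    """setkey(8) script removing every ESP SA with the peer in both directions;
    feed it to `setkey -c`. Same effect as deleting that peer's SAD entries in the GUI."""
    return [f"deleteall {local} {peer} esp;", f"deleteall {peer} {local} esp;"]

if __name__ == "__main__":
    print(audit(parse_sad(SAD_DUMP), parse_spd(SPD_DUMP), sainfo_lifetime(RACOON_CONF)))
    print("\n".join(flush_commands("198.51.100.7", "203.0.113.6")))
```

On the constructed dumps the audit reports the inbound pair twice, the stale SA as an orphan (reqid 16380 matches no policy) and as the one lifetime mismatch, and no unbacked policies. On a real host you would feed it the output of `setkey -D` and `setkey -DP` and pipe the `deleteall` lines into `setkey -c` before re-initiating the tunnel, which is the manual procedure from David's reply done in one step.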