 From:  George Farris <farrisg at mala dot bc dot ca>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Site to site ipsec with same local net ip.
 Date:  Fri, 06 Jan 2006 11:18:09 -0800
Greetings list.
I'm fairly new to Monowall but have had a system up and running for a
few months.  Works great, thanks to all that contribute.

I'm trying to get a site-to-site IPsec connection going, and the docs are
a bit confusing on a couple of points.  Here is what I have.

End point A

192.168.50.0/24 ----------
                          | LAN
                    +----------+
                    | monowall |
                    +----------+
                          | WAN  142.x.x.4
                          |
                       Internet
                          |
                          | WAN  64.x.x.19
                    +----------+
                    | Cisco box|
                    +----------+
                          | LAN                       
192.168.50.0/24 ----------
End point B

I just want a connection from monowall to cisco so my config looks like
so:

path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote 64.x.x.19 {
	exchange_mode aggressive;
	my_identifier address "142.x.x.4";

	peers_identifier address 64.x.x.19;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 2;
		lifetime time 28800 secs;
	}
	lifetime time 28800 secs;
}

sainfo address 142.x.x.4/32 any address 198.162.241.51/32 any {
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
	lifetime time 86400 secs;
}


I get racoon errors like so:
Jan  6 10:42:34 fw racoon: INFO: caught signal 15
Jan  6 10:42:35 fw racoon: INFO: racoon shutdown
Jan  6 10:42:36 fw racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net)
Jan  6 10:42:36 fw racoon: INFO: @(#)This product linked OpenSSL 0.9.7d-p1 17 Mar 2004 (http://www.openssl.org/)
Jan  6 10:42:36 fw racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Jan  6 10:42:36 fw racoon: INFO: 142.x.x.4[500] used as isakmp port (fd=8)
Jan  6 10:42:36 fw racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=9)
Jan  6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.50.1/32[0] proto=any dir=in
Jan  6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 198.162.241.51/32[0] 142.x.x.4/32[0] proto=any dir=in
Jan  6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.1/32[0] 192.168.50.0/24[0] proto=any dir=out
Jan  6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 142.x.x.4/32[0] 198.162.241.51/32[0] proto=any dir=out
Jan  6 10:42:53 fw racoon: ERROR: failed to get sainfo.

Can anyone shed some light on what might be happening?  I haven't
included the LAN net; all I want is a site-to-site link.

Any help or pointers greatly appreciated.

-- 
George Farris   farrisg at mala dot bc dot ca
Malaspina University-College
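The two things a reader would check first in a setup like the one posted above are whether the `sainfo` remote selector can ever match the phase 2 ID the peer proposes (the posted one names 198.162.241.51 while the `remote` block names 64.x.x.19, which is the usual cause of "failed to get sainfo"), and whether the two LANs overlap (both sides are 192.168.50.0/24, which no tunnel can route). The script below is an added example, not part of the original mail and not m0n0wall or ipsec-tools code. It lints a racoon.conf fragment for those two problems plus the 3DES/MD5 suite. Its sample configs are constructed: the masked WAN addresses are replaced with RFC 5737 documentation addresses (142.x.x.4 becomes 203.0.113.4, 64.x.x.19 becomes 198.51.100.19, the stray sainfo address becomes 192.0.2.51), the "fixed" config is hypothetical, and the selector check is a heuristic that assumes a host-to-host SA where the peer proposes its own address as the remote ID.

```python
# Added example: racoon.conf lint for the selector mismatch, overlapping LANs
# and weak algorithms seen in the post.  Not m0n0wall/ipsec-tools code.
import ipaddress
import re

# Constructed copy of the posted config with documentation addresses
# substituted for the masked ones; trimmed to the lines the checks read.
POSTED_CONF = """\
remote 198.51.100.19 {
    exchange_mode aggressive;
    my_identifier address "203.0.113.4";
    peers_identifier address 198.51.100.19;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address 203.0.113.4/32 any address 192.0.2.51/32 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
}
"""

# Hypothetical corrected host-to-host config: the sainfo remote selector is
# the peer itself and 3DES/MD5 are replaced.  Keyword syntax is assumed to
# be what racoon accepts; it is not taken from the post.
FIXED_CONF = """\
remote 198.51.100.19 {
    exchange_mode main;
    my_identifier address "203.0.113.4";
    peers_identifier address 198.51.100.19;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 14;
    }
}
sainfo address 203.0.113.4/32 any address 198.51.100.19/32 any {
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    pfs_group 14;
}
"""

WEAK_ALGORITHMS = {"des", "3des", "md5", "hmac_md5", "null"}

_RE_REMOTE = re.compile(r"^\s*remote\s+(\S+)\s*\{", re.M)
_RE_SAINFO = re.compile(
    r"^\s*sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+", re.M)
_RE_ALGO = re.compile(
    r"^\s*(?:encryption_algorithm|hash_algorithm|authentication_algorithm)"
    r"\s+([^;]+);", re.M)


def parse_conf(text):
    """Return (peer addresses, [(local selector, remote selector)], algorithms)."""
    peers = []
    for m in _RE_REMOTE.finditer(text):
        try:
            peers.append(ipaddress.ip_address(m.group(1)))
        except ValueError:
            pass  # "anonymous" or a hostname: nothing to compare against
    sainfo = [(ipaddress.ip_network(a, strict=False),
               ipaddress.ip_network(b, strict=False))
              for a, b in _RE_SAINFO.findall(text)]
    # First token only, so "aes 256" is recorded as "aes".
    algos = {m.group(1).split()[0].lower() for m in _RE_ALGO.finditer(text)}
    return peers, sainfo, algos


def lint(text, local_lan, remote_lan):
    """List of findings; empty when the fragment passes every check."""
    findings = []
    peers, sainfo, algos = parse_conf(text)
    # 1. Phase 2 selectors (heuristic for a host-to-host SA): a sainfo whose
    #    remote selector covers no configured peer can never be matched.
    for _local_sel, remote_sel in sainfo:
        if not any(peer in remote_sel for peer in peers):
            findings.append(
                f"sainfo remote selector {remote_sel} covers no remote peer "
                f"({', '.join(map(str, peers)) or 'none'})")
    # 2. Overlapping LANs cannot be routed across the tunnel; one side must
    #    be renumbered or NATed before any traffic selector will work.
    a, b = ipaddress.ip_network(local_lan), ipaddress.ip_network(remote_lan)
    if a.overlaps(b):
        findings.append(f"LAN networks overlap: {a} and {b}")
    # 3. Legacy algorithms.
    for algo in sorted(algos & WEAK_ALGORITHMS):
        findings.append(f"weak algorithm: {algo}")
    return findings


if __name__ == "__main__":
    print("posted:", lint(POSTED_CONF, "192.168.50.0/24", "192.168.50.0/24"))
    print("fixed: ", lint(FIXED_CONF, "192.168.50.0/24", "192.168.51.0/24") or "OK")
```

Run it as-is and the posted fragment produces five findings (the selector mismatch, the overlapping LANs and the three legacy algorithms), while the hypothetical corrected fragment, checked against two distinct LANs, produces none. The overlap finding is the one that no racoon change can clear: with the same 192.168.50.0/24 on both ends, one side has to be renumbered or translated before a LAN-to-LAN selector makes sense.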