First, I've noticed that the same entries show up in the log after saving/re-saving IPSEC settings -
so most of the errors you see are most likely not related to an attempt to establish a connection
(probably only the last entry is related to the tunnel)
I think that you have to define a LAN subnet before Monowall can connect -- If the other side of the
tunnel has a different subnet defined it won't connect (I know you have to do this to connect 2
Monowalls together)
Also, there has been some reported trouble keeping Monowall connected to Cisco - I have a client
that connects from Monowall 1.11 to Cisco and it works fine until the tunnel drops, then it can't be
re-established . . . . I haven't had a chance to upgrade them to 1.21 to see if it solves the
problem. I do believe that the problem is not with Monowall but something with the configuration
settings.
-Dave Z
-------------- Original message --------------
From: George Farris <farrisg at mala dot bc dot ca>
> Greetings list.
> I'm fairly new to Monowall but have had a system up and running for a
> few months. Works great, thanks to all that contribute.
>
> I'm trying to get a site to site ipsec connection going and the docs are
> a bit confusing on a couple of points. Here is what I have.
>
> End point A
>
> 192.168.50.0/24 ----------
> | LAN
> +----------+
> | monowall |
> +----------+
> | WAN 142.x.x.4
> |
> Internet
> |
> | WAN 64.x.x.19
> +----------+
> | Cisco box|
> +----------+
> | LAN
> 192.168.50.0/24 ----------
> End point B
>
> I just want a connection from monowall to cisco so my config looks like
> so:
>
> path pre_shared_key "/var/etc/psk.txt";
>
> path certificate "/var/etc";
>
> remote 64.x.x.19 {
> exchange_mode aggressive;
> my_identifier address "142.x.x.4";
>
> peers_identifier address 64.x.x.19;
> initial_contact on;
> support_proxy on;
> proposal_check obey;
>
> proposal {
> encryption_algorithm 3des;
> hash_algorithm md5;
> authentication_method pre_shared_key;
> dh_group 2;
> lifetime time 28800 secs;
> }
> lifetime time 28800 secs;
> }
>
> sainfo address 142.x.x.4/32 any address 198.162.241.51/32 any {
> encryption_algorithm 3des;
> authentication_algorithm hmac_md5;
> compression_algorithm deflate;
> lifetime time 86400 secs;
> }
>
>
> I get racoon errors like so:
> Jan 6 10:42:34 fw racoon: INFO: caught signal 15
> Jan 6 10:42:35 fw racoon: INFO: racoon shutdown
> Jan 6 10:42:36 fw racoon: INFO: @(#)ipsec-tools 0.6.4
> (http://ipsec-tools.sourceforge.net)
> Jan 6 10:42:36 fw racoon: INFO: @(#)This product linked OpenSSL 0.9.7d-p1 17
> Mar 2004 (http://www.openssl.org/)
> Jan 6 10:42:36 fw racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
> Jan 6 10:42:36 fw racoon: INFO: 142.x.x.4[500] used as isakmp port (fd=8)
> Jan 6 10:42:36 fw racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=9)
> Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it:
> 192.168.50.0/24[0] 192.168.50.1/32[0] proto=any dir=in
> Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it:
> 198.162.241.51/32[0] 142.x.x.4/32[0] proto=any dir=in
> Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it:
> 192.168.50.1/32[0] 192.168.50.0/24[0] proto=any dir=out
> Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it:
> 142.x.x.4/32[0] 198.162.241.51/32[0] proto=any dir=out
> Jan 6 10:42:53 fw racoon: ERROR: failed to get sainfo.
>
> Can anyone shed some light on what might be happening? I haven't
> included the LAN net all I want is a site to site link.
>
> Any help or pointers greatly appreciated.
>
> --
> George Farris farrisg at mala dot bc dot ca
> Malaspina University-College
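A consistency check for the selectors in the quoted racoon config against the SPD entries racoon logs at startup, added here as an example and not code from the list thread or from m0n0wall. It assumes placeholder addresses (142.0.0.4, 64.0.0.19) in place of the masked ones in the post, and log lines in the same format as those quoted above.

```python
import ipaddress
import re

# Constructed sample: the post's sainfo block and SPD log lines, with the
# masked public addresses (142.x.x.4, 64.x.x.19) replaced by placeholders.
RACOON_CONF = """
remote 64.0.0.19 {
        exchange_mode aggressive;
        my_identifier address "142.0.0.4";
        peers_identifier address 64.0.0.19;
}
sainfo address 142.0.0.4/32 any address 198.162.241.51/32 any {
        encryption_algorithm 3des;
}
"""
RACOON_LOG = """
Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.50.1/32[0] proto=any dir=in
Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 198.162.241.51/32[0] 142.0.0.4/32[0] proto=any dir=in
Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.1/32[0] 192.168.50.0/24[0] proto=any dir=out
Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 142.0.0.4/32[0] 198.162.241.51/32[0] proto=any dir=out
Jan 6 10:42:53 fw racoon: ERROR: failed to get sainfo.
"""

SAINFO_RE = re.compile(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+")
POLICY_RE = re.compile(r"replace it:\s*(\S+)\[\d+\]\s+(\S+)\[\d+\]\s+proto=\S+\s+dir=out")


def parse_sainfo(conf):
    """(local, remote) selector networks from each 'sainfo address .. address ..' block."""
    return [(ipaddress.ip_network(a), ipaddress.ip_network(b)) for a, b in SAINFO_RE.findall(conf)]


def parse_outbound_policies(log):
    """(src, dst) networks from the logged SPD entries; outbound is enough, since
    every policy is installed in both directions."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in POLICY_RE.findall(log)]


def check(conf, log):
    """racoon answers a kernel ACQUIRE by looking up a sainfo whose selectors match
    the SPD entry that fired; an entry with no matching sainfo yields 'failed to get sainfo'."""
    sainfos = parse_sainfo(conf)
    findings = []
    for src, dst in parse_outbound_policies(log):
        if not any(src == loc and dst == rem for loc, rem in sainfos):
            findings.append(f"SPD policy {src} -> {dst} has no matching sainfo")
    for loc, rem in sainfos:
        if loc.prefixlen == 32 and rem.prefixlen == 32:
            findings.append(f"sainfo {loc} <-> {rem} selects only host-to-host traffic; no LAN subnet is covered")
    return findings
```

Run against the sample, it reports the LAN policy that no sainfo covers and the gateway-only selectors, which are the two things to reconcile before the phase-2 lookup can succeed.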