 From:  daszylstra at comcast dot net
 To:  George Farris <farrisg at mala dot bc dot ca>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Site to site ipsec with same local net ip.
 Date:  Fri, 06 Jan 2006 19:37:56 +0000
First, I've noticed that the same entries show up in the log after saving/re-saving IPSEC settings -
so most of the errors you see are most likely not related to an attempt to establish a connection
(probably only the last entry is related to the tunnel)

I think that you have to define a LAN subnet before Monowall can connect -- if the other side of the
tunnel has a different subnet defined it won't connect (I know you have to do this to connect 2
Monowalls together).

Also, there has been some reported trouble keeping Monowall connected to Cisco - I have a client
that connects from Monowall 1.11 to Cisco and it works fine until the tunnel drops, then it can't be
re-established . . . . I haven't had a chance to upgrade them to 1.21 to see if it solves the
problem. I do believe that the problem is not with Monowall but something with the configuration
settings.

-Dave Z
-------------- Original message -------------- 
From: George Farris <farrisg at mala dot bc dot ca> 

> Greetings list. 
> I'm fairly new to Monowall but have had a system up and running for a 
> few months. Works great, thanks to all that contribute. 
> 
> I'm trying to get a site to site ipsec connection going and the docs are 
> a bit confusing on a couple of points. Here is what I have. 
> 
> End point A 
> 
> 192.168.50.0/24 ----------
>                          | LAN
>                     +----------+
>                     | monowall |
>                     +----------+
>                          | WAN 142.x.x.4
>                          |
>                       Internet
>                          |
>                          | WAN 64.x.x.19
>                     +----------+
>                     | Cisco box|
>                     +----------+
>                          | LAN
> 192.168.50.0/24 ----------
> End point B 
> 
> I just want a connection from monowall to cisco so my config looks like 
> so: 
> 
> path pre_shared_key "/var/etc/psk.txt"; 
> 
> path certificate "/var/etc"; 
> 
> remote 64.x.x.19 { 
>     exchange_mode aggressive; 
>     my_identifier address "142.x.x.4"; 
> 
>     peers_identifier address 64.x.x.19; 
>     initial_contact on; 
>     support_proxy on; 
>     proposal_check obey; 
> 
>     proposal { 
>         encryption_algorithm 3des; 
>         hash_algorithm md5; 
>         authentication_method pre_shared_key; 
>         dh_group 2; 
>         lifetime time 28800 secs; 
>     } 
>     lifetime time 28800 secs; 
> } 
> 
> sainfo address 142.x.x.4/32 any address 198.162.241.51/32 any { 
>     encryption_algorithm 3des; 
>     authentication_algorithm hmac_md5; 
>     compression_algorithm deflate; 
>     lifetime time 86400 secs; 
> } 
> 
> 
> I get racoon errors like so: 
> Jan 6 10:42:34 fw racoon: INFO: caught signal 15 
> Jan 6 10:42:35 fw racoon: INFO: racoon shutdown 
> Jan 6 10:42:36 fw racoon: INFO: @(#)ipsec-tools 0.6.4 (http://ipsec-tools.sourceforge.net) 
> Jan 6 10:42:36 fw racoon: INFO: @(#)This product linked OpenSSL 0.9.7d-p1 17 Mar 2004 (http://www.openssl.org/) 
> Jan 6 10:42:36 fw racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7) 
> Jan 6 10:42:36 fw racoon: INFO: 142.x.x.4[500] used as isakmp port (fd=8) 
> Jan 6 10:42:36 fw racoon: INFO: 192.168.50.1[500] used as isakmp port (fd=9) 
> Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.50.1/32[0] proto=any dir=in 
> Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 198.162.241.51/32[0] 142.x.x.4/32[0] proto=any dir=in 
> Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.1/32[0] 192.168.50.0/24[0] proto=any dir=out 
> Jan 6 10:42:36 fw racoon: ERROR: such policy already exists. anyway replace it: 142.x.x.4/32[0] 198.162.241.51/32[0] proto=any dir=out 
> Jan 6 10:42:53 fw racoon: ERROR: failed to get sainfo. 
> 
> Can anyone shed some light on what might be happening? I haven't 
> included the LAN net all I want is a site to site link. 
> 
> Any help or pointers greatly appreciated. 
> 
> -- 
> George Farris farrisg at mala dot bc dot ca 
> Malaspina University-College 
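As an added check, not part of this thread or of m0n0wall itself, the script below parses the `sainfo` selector pair from a racoon.conf fragment and compares it with the LAN subnets on both ends, which is the mismatch Dave describes (phase 2 is looked up by traffic selectors, so LAN traffic finds no sainfo when only the WAN /32 hosts are named). It also flags the overlapping 192.168.50.0/24 on both sides shown in George's diagram; the masked `x` octets of his addresses are replaced by constructed placeholder values.

```python
import ipaddress
import re

# Constructed sample: George's sainfo block with the masked 'x' octets
# filled in with placeholder values so the example runs offline.
SAMPLE_CONF = """
sainfo address 142.0.0.4/32 any address 198.162.241.51/32 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    lifetime time 86400 secs;
}
"""

# Matches 'sainfo address <local> <proto> address <remote> <proto> {'
SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+\s*\{")


def parse_sainfo(conf):
    """Return the (local, remote) selector networks of the first sainfo block."""
    m = SAINFO_RE.search(conf)
    if m is None:
        raise ValueError("no 'sainfo address ... address ...' block found")
    return (ipaddress.ip_network(m.group(1), strict=False),
            ipaddress.ip_network(m.group(2), strict=False))


def check_site_to_site(conf, local_lan, remote_lan):
    """Return findings explaining why phase 2 cannot serve LAN-to-LAN traffic.

    An empty list means the selectors cover both LANs and the LANs do not overlap.
    """
    local_lan = ipaddress.ip_network(local_lan, strict=False)
    remote_lan = ipaddress.ip_network(remote_lan, strict=False)
    src, dst = parse_sainfo(conf)
    findings = []
    # racoon selects the phase 2 sainfo by traffic selector, so a packet from the
    # LAN matches nothing when the only sainfo names the two WAN hosts
    # (the 'failed to get sainfo' error in the posted log).
    if not local_lan.subnet_of(src):
        findings.append(f"local LAN {local_lan} not covered by sainfo source {src}")
    if not remote_lan.subnet_of(dst):
        findings.append(f"remote LAN {remote_lan} not covered by sainfo destination {dst}")
    # Identical or overlapping LANs cannot be routed over a plain tunnel even
    # with correct selectors; one side has to be renumbered or NATed.
    if local_lan.overlaps(remote_lan):
        findings.append(f"local {local_lan} and remote {remote_lan} overlap")
    return findings


if __name__ == "__main__":
    for finding in check_site_to_site(SAMPLE_CONF, "192.168.50.0/24", "192.168.50.0/24"):
        print("finding:", finding)
```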