> can you show us your racoon.conf settings from both, please!
Sure :-) Thx
P.S. I've noticed that there are NO SAD entries on my local monowall. Is that expected?
---------------- Remote monowall ----------------
racoon.conf
# racoon configuration as posted for the remote end: one IKE phase 1 peer
# (81.208.26.190) and one phase 2 sainfo for the tunnel selectors.
# The pre-shared key is read from this file; keep it readable by its owner only.
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 81.208.26.190 {
# NOTE(review): aggressive mode combined with pre_shared_key (see the proposal
# below) exposes a PSK-derived hash during the handshake, so a weak key can be
# guessed offline. Both identifiers here are fixed addresses, so main mode
# should be usable; otherwise use a long random PSK or certificates.
exchange_mode aggressive;
my_identifier address "62.245.239.78";
peers_identifier address 81.208.26.190;
initial_contact on;
support_proxy on;
# NOTE(review): "obey" makes this end, as responder, accept the initiator's
# phase 2 lifetime and PFS values as offered; a stricter level (e.g. "strict")
# avoids silently accepting weaker values than configured here.
proposal_check obey;
proposal {
# NOTE(review): blowfish is a 64-bit-block cipher; prefer a 128-bit-block
# cipher such as AES if both ends offer it.
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key;
# DH group 2 is the 1024-bit MODP group, below current recommendations;
# use a larger group if both ends support one.
dh_group 2;
lifetime time 28800 secs;
}
lifetime time 28800 secs;
}
# Phase 2 parameters for traffic between 192.168.41.0/24 and the far network.
# NOTE(review): the far side is written as 192.168.42.254/24 (a host address
# with a /24 mask), while the peer's own sainfo names its local network as
# 192.168.42.0/24. If racoon compares the phase 2 IDs literally, the two ends
# would not match, which could explain the missing SAs -- verify by writing
# the network address (192.168.42.0/24) here and in the matching SPD entries.
sainfo address 192.168.41.0/24 any address 192.168.42.254/24 any {
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
# Same 1024-bit MODP group as phase 1; see the dh_group remark above.
pfs_group 2;
lifetime time 86400 secs;
}
SPD
192.168.41.0/24[any] 192.168.41.253[any] any
in none
spid=5 seq=3 pid=405
refcnt=1
192.168.42.254/24[any] 192.168.41.0/24[any] any
in ipsec
esp/tunnel/81.208.26.190-62.245.239.78/unique#16388
spid=8 seq=2 pid=405
refcnt=1
192.168.41.253[any] 192.168.41.0/24[any] any
out none
spid=6 seq=1 pid=405
refcnt=1
192.168.41.0/24[any] 192.168.42.254/24[any] any
out ipsec
esp/tunnel/62.245.239.78-81.208.26.190/unique#16387
spid=7 seq=0 pid=405
refcnt=1
SAD
81.208.26.190 62.245.239.78
esp mode=tunnel spi=151545507(0x090866a3)
reqid=16388(0x00004004)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
sadb_seq=0 pid=407 refcnt=1
------------------- Local Monowall ------------------
racoon.conf
# racoon configuration as posted for the local end: one IKE phase 1 peer
# (62.245.239.78) and one phase 2 sainfo for the tunnel selectors.
# The pre-shared key is read from this file; keep it readable by its owner only.
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 62.245.239.78 {
# NOTE(review): aggressive mode combined with pre_shared_key (see the proposal
# below) exposes a PSK-derived hash during the handshake, so a weak key can be
# guessed offline. Both identifiers here are fixed addresses, so main mode
# should be usable; otherwise use a long random PSK or certificates.
exchange_mode aggressive;
my_identifier address "81.208.26.190";
peers_identifier address 62.245.239.78;
initial_contact on;
support_proxy on;
# NOTE(review): "obey" makes this end, as responder, accept the initiator's
# phase 2 lifetime and PFS values as offered; a stricter level (e.g. "strict")
# avoids silently accepting weaker values than configured here.
proposal_check obey;
proposal {
# NOTE(review): blowfish is a 64-bit-block cipher; prefer a 128-bit-block
# cipher such as AES if both ends offer it.
encryption_algorithm blowfish;
hash_algorithm sha1;
authentication_method pre_shared_key;
# DH group 2 is the 1024-bit MODP group, below current recommendations;
# use a larger group if both ends support one.
dh_group 2;
lifetime time 28800 secs;
}
lifetime time 28800 secs;
}
# Phase 2 parameters for traffic between 192.168.42.0/24 and the far network.
# NOTE(review): the far side is written as 192.168.41.254/24 (a host address
# with a /24 mask), while the peer's own sainfo names its local network as
# 192.168.41.0/24. If racoon compares the phase 2 IDs literally, the two ends
# would not match, which could explain "No SAD entries" -- verify by writing
# the network address (192.168.41.0/24) here and in the matching SPD entries.
sainfo address 192.168.42.0/24 any address 192.168.41.254/24 any {
encryption_algorithm blowfish;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
# Same 1024-bit MODP group as phase 1; see the dh_group remark above.
pfs_group 2;
lifetime time 86400 secs;
}
SPD
192.168.42.0/24[any] 192.168.42.100[any] any
in none
spid=5 seq=3 pid=734
refcnt=1
192.168.41.254/24[any] 192.168.42.0/24[any] any
in ipsec
esp/tunnel/62.245.239.78-81.208.26.190/unique#16388
spid=8 seq=2 pid=734
refcnt=1
192.168.42.100[any] 192.168.42.0/24[any] any
out none
spid=6 seq=1 pid=734
refcnt=1
192.168.42.0/24[any] 192.168.41.254/24[any] any
out ipsec
esp/tunnel/81.208.26.190-62.245.239.78/unique#16387
spid=7 seq=0 pid=734
refcnt=1
SAD
No SAD entries.
Paolo Rossi Tiller
IT Manager
Teko Spa |