 
 From:  "Beat Scholl" <Beat dot Scholl at secude dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  strange site2site VPN behaviour
 Date:  Thu, 16 Feb 2006 14:11:51 +0100
Hello all,

We do have some issues with m0n0wall and racoon.

We set up a site-to-site VPN with pre-shared keys, and everything works
fine as long as site A establishes the tunnel.

As soon as site B establishes the tunnel, it is not possible to send data
from B to A until some data has been sent from A to B. A single ping from
A to B is enough, and then B can send data.

The other issue is that the tunnel is closed after 2 minutes.

config.xml Site A

   <ipsec>
        <!-- Site A: one always-on tunnel to site B. Phase 1 is main mode with a
             pre-shared key; phase 2 is ESP with PFS (DH group 2). -->
        <enable/>
        <tunnel>
            <interface>wan</interface>
            <local-subnet>
                <address>10.41.128.0/21</address>
            </local-subnet>
            <remote-subnet>10.49.0.0/21</remote-subnet>
            <!-- peer address redacted in the post -->
            <remote-gateway>213.xxx.xxx.167</remote-gateway>
            <p1>
                <mode>main</mode>
                <myident>
                    <myaddress/>
                </myident>
                <encryption-algorithm>3des</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>2</dhgroup>
                <!-- phase 1 SA lifetime, seconds; note that site B's active tunnel
                     leaves its p1 lifetime empty -->
                <lifetime>3600</lifetime>
                <!-- PSK redacted in the post -->
                <pre-shared-key>xxxxx</pre-shared-key>
                <private-key/>
                <cert/>
                <peercert/>
 
<authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
 
<encryption-algorithm-option>3des</encryption-algorithm-option>
 
<encryption-algorithm-option>blowfish</encryption-algorithm-option>
 
<encryption-algorithm-option>cast128</encryption-algorithm-option>
 
<encryption-algorithm-option>rijndael</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                <!-- PFS enabled with DH group 2 here; site B's active tunnel has
                     pfsgroup 0 (PFS off), so the two phase 2 proposals disagree.
                     Aligning this value on both sides is the first thing to check
                     for the one-directional behaviour described above. -->
                <pfsgroup>2</pfsgroup>
                <!-- phase 2 SA lifetime, seconds; site B's active tunnel leaves
                     this empty -->
                <lifetime>3600</lifetime>
            </p2>
            <descr/>
        </tunnel>
    </ipsec>


config.xml Site B

<ipsec>
        <enable/>
        <!-- First tunnel definition: marked disabled below, so it is presumably
             inactive and kept only as a reference; it matches site A's settings
             (pfsgroup 2, lifetimes 3600). Confirm it is really not loaded. -->
        <tunnel>
            <disabled/>
            <interface>wan</interface>
            <local-subnet>
                <address>10.49.0.0/21</address>
            </local-subnet>
            <remote-subnet>10.41.128.0/21</remote-subnet>
            <!-- peer address redacted in the post -->
            <remote-gateway>212.xxx.xxx.2</remote-gateway>
            <p1>
                <mode>main</mode>
                <myident>
                    <myaddress/>
                </myident>
                <encryption-algorithm>3des</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>2</dhgroup>
                <lifetime>3600</lifetime>
                <!-- PSK redacted in the post -->
                <pre-shared-key>xxxxx</pre-shared-key>
                <private-key/>
                <cert/>
                <peercert/>
 
<authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
 
<encryption-algorithm-option>3des</encryption-algorithm-option>
 
<encryption-algorithm-option>blowfish</encryption-algorithm-option>
 
<encryption-algorithm-option>cast128</encryption-algorithm-option>
 
<encryption-algorithm-option>rijndael</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                <pfsgroup>2</pfsgroup>
                <lifetime>3600</lifetime>
            </p2>
            <descr/>
        </tunnel>
        <!-- Second tunnel definition: the active one (no disabled element). It
             differs from site A in p1 lifetime, p2 lifetime and pfsgroup; see
             the comments on those elements. -->
        <tunnel>
            <interface>wan</interface>
            <local-subnet>
                <address>10.49.0.0/21</address>
            </local-subnet>
            <remote-subnet>10.41.128.0/21</remote-subnet>
            <!-- peer address redacted in the post -->
            <remote-gateway>212.xxx.xxx.2</remote-gateway>
            <p1>
                <mode>main</mode>
                <myident>
                    <myaddress/>
                </myident>
                <encryption-algorithm>3des</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>2</dhgroup>
                <!-- empty phase 1 lifetime, while site A uses 3600. What racoon
                     is given for an empty value is not visible here; check the
                     generated racoon.conf and set 3600 to match the peer. -->
                <lifetime/>
                <!-- PSK redacted in the post -->
                <pre-shared-key>xxxxx</pre-shared-key>
                <private-key/>
                <cert/>
                <peercert/>
 
<authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
 
<encryption-algorithm-option>3des</encryption-algorithm-option>
 
<encryption-algorithm-option>blowfish</encryption-algorithm-option>
 
<encryption-algorithm-option>cast128</encryption-algorithm-option>
 
<encryption-algorithm-option>rijndael</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                <!-- PFS disabled (0) here, but site A's p2 has pfsgroup 2. The
                     phase 2 proposals therefore differ depending on which side
                     initiates, which is consistent with the tunnel only passing
                     traffic after A initiates. Set this to 2 to match site A
                     (PFS also limits exposure if the phase 1 key is compromised). -->
                <pfsgroup>0</pfsgroup>
                <!-- empty phase 2 lifetime, while site A uses 3600. If this ends
                     up short or unset in racoon.conf it could explain the tunnel
                     closing after about 2 minutes; confirm and set 3600. -->
                <lifetime/>
            </p2>
            <descr/>
        </tunnel>
        <mobileclients>
            <p1>
                <!-- aggressive mode with a pre-shared key: the phase 1 exchange
                     exposes a hash of the PSK to anyone who can initiate a
                     connection, so the PSK must be long and random, and this
                     section should be removed if mobile clients are not in use. -->
                <mode>aggressive</mode>
                <myident>
                    <myaddress/>
                </myident>
                <encryption-algorithm>3des</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>2</dhgroup>
                <lifetime>3600</lifetime>
                <private-key/>
                <cert/>
 
<authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
 
<encryption-algorithm-option>3des</encryption-algorithm-option>
 
<encryption-algorithm-option>blowfish</encryption-algorithm-option>
 
<encryption-algorithm-option>cast128</encryption-algorithm-option>
 
<encryption-algorithm-option>rijndael</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                <pfsgroup>2</pfsgroup>
                <lifetime>3600</lifetime>
            </p2>
        </mobileclients>
    </ipsec>