Dear All,
I've been looking for some help setting up a hub-and-spoke VPN here at
work. So far I have seen two threads on the m0n0wall list that show
it can be done, but I could not find any more configuration details.
In my case, both spokes also have dynamic IPs on the WAN, so I use
remote (mobile) IPsec to connect them.
My current setup looks like this:

  Remote or                Hub               Remote or
  "Spoke" 1                                  "Spoke" 2
10.11.0.0/16 <-----> 10.12.0.0/16 <-----> 10.13.0.0/16
For the Hub I have:
Enable IPsec, enabled
Allowed mobile clients, enabled
Phase 1
Negotiation, aggressive
My Identifier, My IP address
Encrypt alg, 3DES
Hash, SHA1
DH, 2
Lifetime 1200
Authentication method, pre-shared key
Phase 2
Protocol: ESP
Encrypt, 3DES
Hash, SHA1
PFS key group, 2
lifetime 300
I then created a pair of Identifiers and Pre-shared keys for the two spokes.
For spoke 1:
tunnel 1
Interface: WAN
Local Subnet, Network, 10.11.0.0 / 16
Remote Subnet, 10.12.0.0 /16
Remote GW, Hub's public IP
Description, spoke 1 <-> hub tunnel
Phase 1
Negotiation, aggressive
My Identifier, User FQDN, vpn1 at spoke1 dash forexample dot com
...
tunnel 2
Interface: WAN
Local Subnet, Network, 10.11.0.0 / 16
Remote Subnet, 10.13.0.0 / 16
Remote GW, Hub's public IP
Description, spoke 1 <-> spoke 2 tunnel
Phase 1
Negotiation, aggressive
My Identifier, User FQDN, vpn2 at spoke1 dash forexample dot com
Spoke 2 has the same settings, but with the local and remote subnets
altered.
If I do not enable tunnel 2, the tunnels from spoke 1 and spoke 2 can
communicate with the hub without any further issue. Once I enable tunnel
2, though, both tunnels refuse to connect and I get logs that
read like this:
May 26 16:52:01 racoon: ERROR: ignore information because ISAKMP-SA has
not been established yet.
May 26 16:52:01 racoon: DEBUG: 6a73b0e9 bc47a0b2 b0723ef4 a344d896
08100501 c359c5f6 00000044 905bb718 cc771c49 b698e950 2f45d6d0 5653a2a3
980d10de 5d648abf ee282673 99bf4531 c8889518
May 26 16:52:01 racoon: DEBUG: decrypted.
May 26 16:52:01 racoon: DEBUG: skip to trim padding.
May 26 16:52:01 racoon: DEBUG: padding len=25
May 26 16:52:01 racoon: DEBUG: 905bb718 cc771c49 b698e950 2f45d6d0
5653a2a3 980d10de 5d648abf ee282673 99bf4531 c8889518
May 26 16:52:01 racoon: DEBUG: decrypted payload, but not trimed.
Anyone got any suggestions?
--
Kenman Wong
Systems Engineer
iASPEC Technologies and Services
Tel: (852) 3125-9000
Fax: (852) 2668-2166
Ext: (852) 3125-9157
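As an added example that is not part of the post (and not m0n0wall's or racoon's own code), the following Python models the spoke 1 tunnel definitions from the message and runs a few configuration sanity checks over them: more than one Phase 1 identifier offered to the same remote gateway, overlapping Phase 2 selectors on the same peer, and aggressive mode combined with a pre-shared key. The hub address `HUB_PUBLIC_IP` and the written-out identifiers are placeholders, and flagging two identifiers toward one peer is a pattern to review before reading racoon logs, not a confirmed diagnosis of the log above.

```python
"""Sanity-check a set of m0n0wall-style IPsec tunnel definitions.

Added example, not from the post. It models the spoke 1 tunnels the
post describes and flags configuration patterns worth reviewing before
digging through racoon debug output. The hub address is a placeholder.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Tunnel:
    name: str
    local_subnet: str
    remote_subnet: str
    remote_gw: str        # peer address the Phase 1 (ISAKMP) SA is keyed on
    negotiation: str      # "main" or "aggressive"
    identifier: str       # Phase 1 "My Identifier"
    auth: str = "pre-shared key"


# Constructed from the post's spoke 1 description. HUB_PUBLIC_IP is a
# placeholder and the identifiers are the post's obfuscated user-FQDNs
# written out as assumed values.
SPOKE1_TUNNELS = [
    Tunnel("tunnel 1", "10.11.0.0/16", "10.12.0.0/16", "HUB_PUBLIC_IP",
           "aggressive", "vpn1@spoke1-forexample.com"),
    Tunnel("tunnel 2", "10.11.0.0/16", "10.13.0.0/16", "HUB_PUBLIC_IP",
           "aggressive", "vpn2@spoke1-forexample.com"),
]


def lint(tunnels):
    """Return a list of (kind, detail) findings for the given tunnels."""
    findings = []

    # 1. A Phase 1 SA is negotiated per peer address. Several tunnels to
    #    the same remote gateway that each present a different identifier
    #    make the peer see two ISAKMP negotiations from one address with
    #    two identities, which is worth a second look.
    by_gw = defaultdict(list)
    for t in tunnels:
        by_gw[t.remote_gw].append(t)
    for gw, group in by_gw.items():
        ids = {t.identifier for t in group}
        if len(ids) > 1:
            findings.append(("multiple-identifiers-same-peer",
                             f"{gw}: {sorted(ids)}"))

    # 2. Overlapping Phase 2 selectors toward the same peer are ambiguous:
    #    the responder cannot tell which SA a packet belongs to.
    for i, a in enumerate(tunnels):
        for b in tunnels[i + 1:]:
            if a.remote_gw != b.remote_gw:
                continue
            if (ip_network(a.remote_subnet).overlaps(ip_network(b.remote_subnet))
                    and ip_network(a.local_subnet).overlaps(ip_network(b.local_subnet))):
                findings.append(("overlapping-selectors", f"{a.name} / {b.name}"))

    # 3. Aggressive mode with a pre-shared key sends the identity in the
    #    clear and exposes the PSK-derived hash on the wire. The post's
    #    spokes have dynamic WAN addresses, which is why aggressive mode is
    #    in use; flag it so it stays a conscious choice.
    for t in tunnels:
        if t.negotiation == "aggressive" and t.auth == "pre-shared key":
            findings.append(("aggressive-mode-psk", t.name))

    return findings


def finding_kinds(tunnels):
    """Distinct finding kinds, sorted, for quick comparison."""
    return sorted({kind for kind, _ in lint(tunnels)})


if __name__ == "__main__":
    for kind, detail in lint(SPOKE1_TUNNELS):
        print(f"{kind}: {detail}")
```

Running it over the spoke 1 definitions reports the two distinct identifiers toward the hub and the aggressive-mode PSK choice; dropping tunnel 2 leaves only the latter. The checks are deliberately structural, so the same function can be pointed at the spoke 2 or hub definitions once they are written out as `Tunnel` records.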