 From:  peter dot hirsch at emprise dot de
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  ipsec tunnel between m0n0wall and Watchguard Firebox 700 hangup ?
 Date:  Thu, 14 Sep 2006 14:16:48 +0200
Hi to all m0n0wall friends,

I've got a strange problem with a site-to-site IPsec VPN:
site A: m0n0wall generic PC image 1.22
site B: Watchguard Firebox 700 with System Manager 7.4

Negotiation Mode: Main
Encryption: 3des
Hash: SHA1
DH Group: 2
Lifetime: 86400
Protocol: ESP
Encryption: 3des
Hash: SHA1
PFS Group: off
Lifetime: 86400

The tunnel comes up, but in Diagnostics - IPsec SAD new entries are frequently
generated for this tunnel.
It fills up with these entries until the m0n0wall stops serving VPN:

Source  Destination  Protocol  SPI       Enc. alg.  Auth. alg.
                     ESP       bb4b5e53  3des-cbc   hmac-md5    ----------> Tunnel to DLINK
                     ESP       0453afdb  3des-cbc   hmac-md5    ----------> Tunnel to DLINK (only these two entries)
                     ESP       f4046d2c  3des-cbc   hmac-sha1   ---------> Tunnel to Watchguard, fills up until VPN hangs
                     ESP       f304e521  3des-cbc   hmac-sha1   --------->
                     ESP       f2040839  3des-cbc   hmac-sha1   --------->
                     ESP       f1045277  3des-cbc   hmac-sha1   --------->
                     ESP       0b21be18  3des-cbc   hmac-sha1   --------->
                     ESP       0650932e  3des-cbc   hmac-sha1   --------->
                     ESP       043e3ca8  3des-cbc   hmac-sha1   --------->
                     ESP       0a43dbb7  3des-cbc   hmac-sha1   --------->

The tunnel to a DLINK DFL1100 is working without problems and only has the
expected entries after the tunnel comes up.
But it is also affected by the hangups of the tunnel to the Watchguard.

What kind of problem is it? I can still connect via browser to that PC, and
after a reboot the tunnels come back again.
I also tried the switch "Prefer old SA" in General Setup.

Any suggestions?

Kind Regards

Peter Hirsch
Emprise AG
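As an added example (not from the original post, and not m0n0wall's own code): a small Python check that parses an SAD table in the column layout shown in the post and flags any tunnel direction holding more SAs than a rekey should leave behind, which is the pile-up Peter describes. The addresses are constructed placeholders; the SPIs are the ones quoted in the post.

```python
from collections import defaultdict

# Constructed SAD snapshot in the m0n0wall column layout. The DLINK tunnel
# holds one SA per direction; the Watchguard tunnel has piled up four SAs
# in one direction (SPIs taken from the post, addresses are placeholders).
SAD_SNAPSHOT = """\
Source        Destination   Protocol SPI      Enc. alg. Auth. alg.
192.0.2.1     198.51.100.1  ESP      bb4b5e53 3des-cbc  hmac-md5
198.51.100.1  192.0.2.1     ESP      0453afdb 3des-cbc  hmac-md5
192.0.2.1     203.0.113.1   ESP      f4046d2c 3des-cbc  hmac-sha1
203.0.113.1   192.0.2.1     ESP      f304e521 3des-cbc  hmac-sha1
203.0.113.1   192.0.2.1     ESP      f2040839 3des-cbc  hmac-sha1
203.0.113.1   192.0.2.1     ESP      f1045277 3des-cbc  hmac-sha1
203.0.113.1   192.0.2.1     ESP      0b21be18 3des-cbc  hmac-sha1
"""

def parse_sad(text):
    """Return one dict per SA row, skipping the header and garbled lines."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        src, dst, proto, spi, enc, auth = parts[:6]
        rows.append({"src": src, "dst": dst, "proto": proto,
                     "spi": spi, "enc": enc, "auth": auth})
    return rows

def sa_count_per_direction(rows):
    """Count ESP SAs per (src, dst) pair, i.e. per tunnel direction."""
    counts = defaultdict(int)
    for r in rows:
        if r["proto"] == "ESP":
            counts[(r["src"], r["dst"])] += 1
    return dict(counts)

def stale_sa_alerts(rows, max_per_direction=2):
    """A healthy direction has one SA, briefly two while rekeying. More
    than that means expired SAs are not being removed; return those
    directions with their SPIs so the misbehaving peer is identifiable."""
    counts = sa_count_per_direction(rows)
    return {key: [r["spi"] for r in rows if (r["src"], r["dst"]) == key]
            for key, n in counts.items() if n > max_per_direction}

if __name__ == "__main__":
    for (src, dst), spis in stale_sa_alerts(parse_sad(SAD_SNAPSHOT)).items():
        print(f"{src} -> {dst}: {len(spis)} SAs, SPIs {', '.join(spis)}")
```

Run against periodic SAD snapshots, a growing SPI list for one direction points at the peer whose rekeys leave old SAs behind, before the SAD fills up and the VPN stops.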