 From:  "Jai Ketteridge" <jai at innaloo dot net>
 To:  <peter dot hirsch at emprise dot de>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] ipsec tunnel between m0n0wall and Watchguard Firebox 700 hangup ?
 Date:  Thu, 14 Sep 2006 21:36:49 +0800
The best practice for Monowall is to set the negotiation lifetime to 14400
and the encryption lifetime to 86400.

JK

-----Original Message-----
From: peter dot hirsch at emprise dot de [mailto:peter dot hirsch at emprise dot de]
Sent: Thursday, 14 September 2006 8:17 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] ipsec tunnel between m0n0wall and Watchguard Firebox 700 hangup ?


Hi to all m0n0wall friends,

I've got a strange problem in a site-to-site IPsec VPN:
Site A: m0n0wall generic PC image 1.22
Site B: Watchguard Firebox 700 with System Manager 7.4

Setup:
Phase1
Negotiation Mode: Main
Encryption: 3des
Hash: SHA1
DH Group: 2
Lifetime: 86400
Phase2
Protocol: ESP
Encryption: 3des
Hash: SHA1
PFS Group: off
Lifetime: 86400

The tunnel comes up, but in Diagnostics - IPsec SAD entries for this tunnel
are generated frequently. It fills up with these entries until the m0n0wall
stops serving VPN tunnels.

E.g.:
Source         Destination    Protocol SPI      Enc. alg. Auth. alg.
62.206.25.226  195.227.43.253 ESP      bb4b5e53 3des-cbc  hmac-md5   \ Tunnel to DLINK
195.227.43.253 62.206.25.226  ESP      0453afdb 3des-cbc  hmac-md5   / only these two entries
62.206.25.226  87.139.21.123  ESP      f4046d2c 3des-cbc  hmac-sha1  \
62.206.25.226  87.139.21.123  ESP      f304e521 3des-cbc  hmac-sha1  |
62.206.25.226  87.139.21.123  ESP      f2040839 3des-cbc  hmac-sha1  |
62.206.25.226  87.139.21.123  ESP      f1045277 3des-cbc  hmac-sha1  | Tunnel to Watchguard,
87.139.21.123  62.206.25.226  ESP      0b21be18 3des-cbc  hmac-sha1  | fills up until VPN hangs
87.139.21.123  62.206.25.226  ESP      0650932e 3des-cbc  hmac-sha1  |
87.139.21.123  62.206.25.226  ESP      043e3ca8 3des-cbc  hmac-sha1  |
87.139.21.123  62.206.25.226  ESP      0a43dbb7 3des-cbc  hmac-sha1  /

The tunnel to a DLINK DFL1100 is working without problems and gets only the
expected entries after the tunnel comes up.
But it is involved in the case of the hangups of the tunnel to the Watchguard.


What kind of problem is it? I can still connect via browser to that PC, and
after a reboot the tunnels come back again.
I also tried the switch "Prefer old SA" in General Setup.

Any suggestions?

Kind Regards

Peter Hirsch
Emprise AG
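As an added example (not code from the thread or from m0n0wall), here is the check a defender could script against the Diagnostics - IPsec SAD listing quoted above: parse the rows and flag any peer pair that holds more than one SA per direction, which is exactly the pile-up Peter describes. The sample listing is constructed from the entries in his mail; the function names and the "one SA per direction" threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a m0n0wall Diagnostics -> IPsec SAD listing, using the
# addresses and SPIs quoted in the thread (annotations stripped).
SAMPLE_SAD = """\
Source Destination Protocol SPI Enc. alg. Auth. alg.
62.206.25.226 195.227.43.253 ESP bb4b5e53 3des-cbc hmac-md5
195.227.43.253 62.206.25.226 ESP 0453afdb 3des-cbc hmac-md5
62.206.25.226 87.139.21.123 ESP f4046d2c 3des-cbc hmac-sha1
62.206.25.226 87.139.21.123 ESP f304e521 3des-cbc hmac-sha1
62.206.25.226 87.139.21.123 ESP f2040839 3des-cbc hmac-sha1
62.206.25.226 87.139.21.123 ESP f1045277 3des-cbc hmac-sha1
87.139.21.123 62.206.25.226 ESP 0b21be18 3des-cbc hmac-sha1
87.139.21.123 62.206.25.226 ESP 0650932e 3des-cbc hmac-sha1
87.139.21.123 62.206.25.226 ESP 043e3ca8 3des-cbc hmac-sha1
87.139.21.123 62.206.25.226 ESP 0a43dbb7 3des-cbc hmac-sha1
"""

# One SAD row: src dst proto spi enc auth (header and blank lines will not match).
SAD_LINE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>ESP|AH)\s+(?P<spi>[0-9a-fA-F]{8})\s+(?P<enc>\S+)\s+(?P<auth>\S+)$"
)

def parse_sad(text):
    """Return one dict per SAD row; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SAD_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def count_sas_per_direction(entries):
    """Map (src, dst) -> number of SAs currently installed for that direction."""
    counts = defaultdict(int)
    for e in entries:
        counts[(e["src"], e["dst"])] += 1
    return dict(counts)

def find_piling_peers(entries, max_per_direction=1):
    """Return {sorted peer pair: worst per-direction count} for pairs exceeding the
    threshold. A healthy tunnel holds one SA per direction; a short overlap during
    rekey is normal, so a caller may pass max_per_direction=2 to tolerate it."""
    suspects = {}
    for (src, dst), n in count_sas_per_direction(entries).items():
        if n > max_per_direction:
            pair = tuple(sorted((src, dst)))
            suspects[pair] = max(suspects.get(pair, 0), n)
    return suspects

if __name__ == "__main__":
    for pair, n in find_piling_peers(parse_sad(SAMPLE_SAD)).items():
        print(f"{pair[0]} <-> {pair[1]}: up to {n} SAs in one direction")
```

Run periodically against a fresh SAD dump, a rising count for one peer pair is the early warning that SAs are being created without the old ones expiring, before the device stops serving tunnels.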