Hi Guys,

I have a bizarre problem whereby I get a lot of intermittent dataflow issues over an IPSEC VPN between two m0n0 1.22 generic PC boxes - however there is almost always a SAD listing, meaning the tunnel is up. One is in Australia and the other in Singapore, however they are set up slightly differently as you will be able to see below. There is about a 200ms ping between the two sites.

Here is my setup:

SINGAPORE
  Dlink DSL604T Modem on Static IP (IPOA connection)
  WAN IP 58.x.x.x - LAN IP 192.168.1.1
  Modem is configured to DMZ to 192.168.1.254 so that all traffic is passed to the mono (is this the correct way to do it?)

  firewall-sg m0n0wall
  WAN 192.168.1.254, Gateway 192.168.1.1
  LAN 10.1.0.1
  OPT1 10.1.1.1
  OPT2 10.1.2.1
  PPTP 10.1.4.1

AUSTRALIA
  Linksys ADSL Modem set to Bridge Mode (so that m0n0 does PPPOE)
  WAN IP 203.x.x.x (static)
  LAN IP is irrelevant
  Modem is configured to Bridge so the WAN adaptor gets the ISP's static set IP

  firewall-au m0n0wall
  WAN 203.x.x.x
  LAN 10.0.0.1
  OPT1 10.0.1.1
  OPT2 10.0.2.1
  PPTP 10.0.4.1

Now, the IPSEC will work because the LAN subnets are different, and it does work occasionally...

  Source        Destination   Direction   Protocol   Tunnel endpoints
  10.1.0.0/24   10.0.0.0/24               ESP        58.x.x.x - 203.x.x.x
  10.0.0.0/24   10.1.0.0/24               ESP        203.x.x.x - 58.x.x.x

Basically even with a SAD link I cannot ping 10.1.0.1 from a machine on the 10.0.0.x network. Sometimes there is dataflow and other times there is not. I check the System logs and there usually aren't any racoon entries around the time the dataflow stops. Each location's WAN links aren't going down because I can access the webgui at the time. Any advice would be great!

One thing to note is Blowfish SHA1 encryption seems to never actually connect - however using 3DES does. It's so annoying as I trialed these boxes before deploying them and they worked fine, so I'm skeptical of the way I have set up the Singapore box as it doesn't use PPPOE etc.

Also, would you recommend that I perhaps turn the PPPOE mono into the same setup as the Singapore one?

Here are some bizarre entries from my log files however.

Dec 19 21:10:30 racoon: DEBUG: KEYMAT computed.
Dec 19 21:10:30 racoon: DEBUG: call pk_sendupdate
Dec 19 21:10:30 racoon: DEBUG: encryption(3des)
Dec 19 21:10:30 racoon: DEBUG: hmac(hmac_sha1)
Dec 19 21:10:30 racoon: DEBUG: call pfkey_send_update
Dec 19 21:10:30 racoon: DEBUG: pfkey update sent.
Dec 19 21:10:30 racoon: DEBUG: encryption(3des)
Dec 19 21:10:30 racoon: DEBUG: hmac(hmac_sha1)
Dec 19 21:10:30 racoon: DEBUG: call pfkey_send_add
Dec 19 21:10:30 racoon: DEBUG: pfkey add sent.
Dec 19 21:10:30 racoon: DEBUG: get pfkey UPDATE message
Dec 19 21:10:30 racoon: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 58.x.x.x[0]->203.x.x.x[0] spi=163770890(0x9c2f20a)
Dec 19 21:10:30 racoon: INFO: IPsec-SA established: ESP/Tunnel 58.x.x.x[0]->203.x.x.x[0] spi=163770890(0x9c2f20a)
Dec 19 21:10:30 racoon: DEBUG: ===
Dec 19 21:10:30 racoon: DEBUG: get pfkey ADD message
Dec 19 21:10:30 racoon: INFO: IPsec-SA established: ESP/Tunnel 203.x.x.x[0]->58.x.x.x[0] spi=59366062(0x389daae)
Dec 19 21:10:30 racoon: DEBUG: ===
Dec 19 21:10:46 racoon: DEBUG: msg 1 not interesting
Dec 19 21:38:23 racoon: DEBUG: msg 1 not interesting
Dec 19 21:44:30 last message repeated 2 times
Dec 20 01:11:08 racoon: INFO: ISAKMP-SA expired 203.x.x.x[500]-58.x.x.x[500] spi:6a0a3f74c3a0b132:e1ce0bb6a634f25f
Dec 20 01:11:09 racoon: INFO: ISAKMP-SA deleted 203.x.x.x[500]-58.x.x.x[500] spi:6a0a3f74c3a0b132:e1ce0bb6a634f25f
Dec 20 01:46:20 racoon: DEBUG: ===
Dec 20 01:46:20 racoon: DEBUG: 276 bytes message received from 203.162.163.45[500] to 203.x.x.x[500]

I DO NOT KNOW OF THE 203.162.163.45 IP TRYING TO CONNECT???

Dec 20 01:46:20 racoon: DEBUG: (lots of numbers here)
Dec 20 01:46:20 racoon: DEBUG: anonymous configuration selected for 203.162.163.45[500].
Dec 20 01:46:20 racoon: ERROR: not acceptable Identity Protection mode
Dec 20 01:46:21 racoon: DEBUG: ===

So from the logs it looks like the ISAKMP-SA expired but it has not since been renewed according to the logs. Is this an issue?

Thanks everyone!

Jai
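The two things worth pulling out of a racoon log like the one above are (a) a phase-1 ISAKMP-SA that expires and is never re-established for the same peer pair, and (b) IKE traffic from an address that is not a configured tunnel endpoint and falls through to racoon's "anonymous" configuration. The script below is an added example (not code from the poster or from m0n0wall) that scans the log lines quoted in the post for both conditions. It assumes racoon's standard "ISAKMP-SA established/expired/deleted <peer>[port]-<peer>[port]" and "anonymous configuration selected for <addr>[port]" message formats; the known-peer set and the sample log are constructed from the post, with the poster's redacted "x" octets kept as literal text.

```python
import re

# Constructed sample: racoon lines taken from the post above. The "x" octets
# are the poster's own redactions and are matched as literal characters.
SAMPLE_LOG = """\
Dec 19 21:10:30 racoon: INFO: IPsec-SA established: ESP/Tunnel 58.x.x.x[0]->203.x.x.x[0] spi=163770890(0x9c2f20a)
Dec 19 21:10:30 racoon: INFO: IPsec-SA established: ESP/Tunnel 203.x.x.x[0]->58.x.x.x[0] spi=59366062(0x389daae)
Dec 19 21:10:46 racoon: DEBUG: msg 1 not interesting
Dec 20 01:11:08 racoon: INFO: ISAKMP-SA expired 203.x.x.x[500]-58.x.x.x[500] spi:6a0a3f74c3a0b132:e1ce0bb6a634f25f
Dec 20 01:11:09 racoon: INFO: ISAKMP-SA deleted 203.x.x.x[500]-58.x.x.x[500] spi:6a0a3f74c3a0b132:e1ce0bb6a634f25f
Dec 20 01:46:20 racoon: DEBUG: 276 bytes message received from 203.162.163.45[500] to 203.x.x.x[500]
Dec 20 01:46:20 racoon: DEBUG: anonymous configuration selected for 203.162.163.45[500].
Dec 20 01:46:20 racoon: ERROR: not acceptable Identity Protection mode
"""

# Tunnel endpoints the operator actually configured (taken from the post).
KNOWN_PEERS = {"58.x.x.x", "203.x.x.x"}

# Dotted address; "x" is allowed so the redacted sample still parses.
ADDR = r"([0-9x.]+)"
# Assumed racoon phase-1 lifecycle message format (established/expired/deleted).
RE_PHASE1 = re.compile(
    rf"racoon: INFO: ISAKMP-SA (established|expired|deleted) {ADDR}\[\d+\]-{ADDR}\[\d+\]"
)
# Assumed racoon message when no specific remote block matches the initiator.
RE_ANON = re.compile(rf"racoon: DEBUG: anonymous configuration selected for {ADDR}\[\d+\]")


def analyze(log_text, known_peers):
    """Scan racoon log text and return (unrenewed, unknown).

    unrenewed: [(timestamp, (peer_a, peer_b))] for peer pairs whose most
               recent phase-1 event is 'expired' or 'deleted', i.e. the
               ISAKMP-SA went away and no later 'established' line appears.
    unknown:   [(timestamp, address)] for initiators that hit the anonymous
               configuration and are not in known_peers.
    """
    last_event = {}   # frozenset({peer_a, peer_b}) -> (state, timestamp)
    unknown = []
    for line in log_text.splitlines():
        ts = line[:15]    # syslog "Mon DD HH:MM:SS" prefix
        m = RE_PHASE1.search(line)
        if m:
            state, a, b = m.groups()
            # Order-independent key: the same pair may be logged either way round.
            last_event[frozenset((a, b))] = (state, ts)
            continue
        m = RE_ANON.search(line)
        if m and m.group(1) not in known_peers:
            unknown.append((ts, m.group(1)))

    unrenewed = [
        (ts, tuple(sorted(pair)))
        for pair, (state, ts) in last_event.items()
        if state != "established"
    ]
    return unrenewed, unknown


if __name__ == "__main__":
    unrenewed, unknown = analyze(SAMPLE_LOG, KNOWN_PEERS)
    for ts, pair in unrenewed:
        print(f"{ts}: ISAKMP-SA between {pair[0]} and {pair[1]} gone, not re-established later in log")
    for ts, addr in unknown:
        print(f"{ts}: IKE from unconfigured peer {addr} matched the anonymous configuration")
```

Run it against a full day's log rather than an excerpt before drawing conclusions: a phase-1 SA that expires at the end of a captured window may simply be renegotiated just after the excerpt ends, so the "unrenewed" finding only means something when the log continues past the expiry and still shows no new established line. The unknown-peer check is a useful standing alert on any gateway whose IPsec peers are a fixed list.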