 From:  "Jai Ketteridge" <jai at innaloo dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Random lack of Dataflow over IPSEC VPN
 Date:  Wed, 20 Dec 2006 08:42:13 +0900
Hi Guys,

I have a bizarre problem whereby I get a lot of intermittent dataflow issues
over an IPSEC VPN between two m0n0 1.22 generic pc boxes - however there is
almost always a SAD listing meaning the tunnel is up. One is in Australia
and the other in Singapore, however they are set up slightly differently as you
will be able to see below. There is about a 200ms ping between the two
sites. Here is my setup:

SINGAPORE
Dlink DSL604T Modem on Static IP (IPOA connection)
WAN IP 58.x.x.x -
LAN IP 192.168.1.1
Modem is configured to DMZ to 192.168.1.254 so that all traffic is passed to
the mono (is this the correct way to do it?)

firewall-sg m0n0wall
WAN 192.168.1.254 Gateway 192.168.1.1
LAN 10.1.0.1
OPT1 10.1.1.1
OPT2 10.1.2.1
PPTP 10.1.4.1

AUSTRALIA
Linksys ADSL Modem set to Bridge Mode (so that m0n0 does PPPOE)
WAN IP 203.x.x.x (static)
LAN IP is irrelevant
Modem is configured to Bridge so WAN adaptor gets the ISP's static set IP

firewall-au m0n0wall
WAN 203.x.x.x
LAN 10.0.0.1
OPT1 10.0.1.1
OPT2 10.0.2.1
PPTP 10.0.4.1

Now, the IPSEC will work because the LAN subnets are different and it does
work occasionally...

Source	 Destination	 Direction	 Protocol	 Tunnel endpoints
10.1.0.0/24	 10.0.0.0/24	ESP	 58.x.x.x - 203.x.x.x
10.0.0.0/24	 10.1.0.0/24	ESP	 203.x.x.x 58.x.x.x

Basically even with a SAD link I cannot ping 10.1.0.1 from a machine on the
10.0.0.x network. Sometimes there is dataflow and other times there is not.
I check the System logs and there usually aren't any racoon entries around the
time the dataflow stops. Each location's WAN links aren't going down because I
can access the webgui at the time.

Any advice would be great!

One thing to note is Blowfish SHA1 encryption seems to never actually
connect - however using 3DES does. It's so annoying as I trialed these boxes
before deploying them and they worked fine, so I'm skeptical of the way I have
set up the Singapore box as it doesn't use PPPOE etc.

Also, would you recommend that I perhaps turn the PPPOE mono into the same
setup as the Singapore one?

Here are some bizarre entries from my log files however.
Dec 19 21:10:30	 racoon: DEBUG: KEYMAT computed.
Dec 19 21:10:30	 racoon: DEBUG: call pk_sendupdate
Dec 19 21:10:30	 racoon: DEBUG: encryption(3des)
Dec 19 21:10:30	 racoon: DEBUG: hmac(hmac_sha1)
Dec 19 21:10:30	 racoon: DEBUG: call pfkey_send_update
Dec 19 21:10:30	 racoon: DEBUG: pfkey update sent.
Dec 19 21:10:30	 racoon: DEBUG: encryption(3des)
Dec 19 21:10:30	 racoon: DEBUG: hmac(hmac_sha1)
Dec 19 21:10:30	 racoon: DEBUG: call pfkey_send_add
Dec 19 21:10:30	 racoon: DEBUG: pfkey add sent.
Dec 19 21:10:30	 racoon: DEBUG: get pfkey UPDATE message
Dec 19 21:10:30	 racoon: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel
58.x.x.x[0]->203.x.x.x[0] spi=163770890(0x9c2f20a)
Dec 19 21:10:30	 racoon: INFO: IPsec-SA established: ESP/Tunnel
58.x.x.x[0]->203.x.x.x[0] spi=163770890(0x9c2f20a)
Dec 19 21:10:30	 racoon: DEBUG: ===
Dec 19 21:10:30	 racoon: DEBUG: get pfkey ADD message
Dec 19 21:10:30	 racoon: INFO: IPsec-SA established: ESP/Tunnel
203.x.x.x[0]->58.x.x.x[0] spi=59366062(0x389daae)
Dec 19 21:10:30	 racoon: DEBUG: ===
Dec 19 21:10:46	 racoon: DEBUG: msg 1 not interesting
Dec 19 21:38:23	 racoon: DEBUG: msg 1 not interesting
Dec 19 21:44:30	 last message repeated 2 times
Dec 20 01:11:08	 racoon: INFO: ISAKMP-SA expired
203.x.x.x[500]-58.x.x.x[500] spi:6a0a3f74c3a0b132:e1ce0bb6a634f25f
Dec 20 01:11:09	 racoon: INFO: ISAKMP-SA deleted
203.x.x.x[500]-58.x.x.x[500] spi:6a0a3f74c3a0b132:e1ce0bb6a634f25f
Dec 20 01:46:20	 racoon: DEBUG: ===
Dec 20 01:46:20	 racoon: DEBUG: 276 bytes message received from
203.162.163.45[500] to 203.x.x.x[500]

I DO NOT KNOW OF THE 203.162.163.45 IP TRYING TO CONNECT???

Dec 20 01:46:20	 racoon: DEBUG: (lots of numbers here)
Dec 20 01:46:20	 racoon: DEBUG: anonymous configuration selected for
203.162.163.45[500].
Dec 20 01:46:20	 racoon: ERROR: not acceptable Identity Protection mode
Dec 20 01:46:21	 racoon: DEBUG: ===

So from the logs it looks like the ISAKMP-SA expired but it has not since been
renewed according to the logs. Is this an issue?

Thanks everyone!

Jai
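As an added example (not code from this post, m0n0wall or racoon), a small Python checker over the log lines quoted above: it re-joins entries that the mail client wrapped, flags IKE messages from sources outside the configured peer set (the 203.162.163.45 question), and lists ISAKMP SAs whose last logged event was an expiry or deletion with no later re-establishment (the "not since renewed" question). The peer set is an assumption taken from the post and keeps its redacted "x" addresses; the sample log is constructed from the quoted lines.

```python
import re

# Assumed expected IKE peers for this tunnel, in the post's redacted form.
EXPECTED_PEERS = {"58.x.x.x", "203.x.x.x"}

# Constructed sample: racoon lines quoted in the post, wrapped as in the mail.
SAMPLE_LOG = """\
Dec 19 21:10:30 racoon: INFO: IPsec-SA established: ESP/Tunnel
58.x.x.x[0]->203.x.x.x[0] spi=163770890(0x9c2f20a)
Dec 20 01:11:08 racoon: INFO: ISAKMP-SA expired
203.x.x.x[500]-58.x.x.x[500] spi:6a0a3f74c3a0b132:e1ce0bb6a634f25f
Dec 20 01:11:09 racoon: INFO: ISAKMP-SA deleted
203.x.x.x[500]-58.x.x.x[500] spi:6a0a3f74c3a0b132:e1ce0bb6a634f25f
Dec 20 01:46:20 racoon: DEBUG: 276 bytes message received from
203.162.163.45[500] to 203.x.x.x[500]
Dec 20 01:46:20 racoon: ERROR: not acceptable Identity Protection mode
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\s+")
ISAKMP_RE = re.compile(r"ISAKMP-SA (established|expired|deleted)\s+(\S+)\[\d+\]-(\S+)\[\d+\]")
FROM_RE = re.compile(r"message received from (\S+)\[\d+\] to (\S+)\[\d+\]")


def join_wrapped(text):
    """Re-join wrapped log entries: a line that does not start with a
    syslog timestamp is a continuation of the previous entry."""
    entries = []
    for line in text.splitlines():
        if TS_RE.match(line) or not entries:
            entries.append(line.rstrip())
        else:
            entries[-1] += " " + line.strip()
    return entries


def analyze(text, expected_peers=EXPECTED_PEERS):
    """Return (unknown_peers, stale_pairs): IKE sources outside the expected
    set, and peer pairs whose last ISAKMP-SA event was not 'established'."""
    unknown = set()
    last_event = {}  # frozenset({peer_a, peer_b}) -> last ISAKMP-SA event
    for entry in join_wrapped(text):
        m = FROM_RE.search(entry)
        if m and m.group(1) not in expected_peers:
            unknown.add(m.group(1))
        m = ISAKMP_RE.search(entry)
        if m:
            last_event[frozenset(m.group(2, 3))] = m.group(1)
    stale = sorted(sorted(p) for p, ev in last_event.items() if ev != "established")
    return unknown, stale


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```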