 From:  "Don Munyak" <don dot munyak at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch, mobicult at gmail dot com
 Subject:  Fwd: [m0n0wall] m0n0wall <--> m0n0wall VPN doesn't autoconnect
 Date:  Wed, 27 Dec 2006 17:06:32 -0500
---------- Forwarded message ----------
From: Roy <mobicult at gmail dot com>
Date: Dec 27, 2006 10:44 AM
Subject: [m0n0wall] m0n0wall <--> m0n0wall VPN doesn't autoconnect
To: m0n0wall at lists dot m0n0 dot ch


I hope someone can help me with the following problem. I connected
three sites A, B and C with an IPsec VPN. I searched the archives, but
didn't find a solution.

Site A (m0n0wall) and site B (d-link di-804hv) are auto-reconnected
when the connection is down (option in d-link vpn router) and are
working just fine. The problem is that the IPsec VPN between A
(m0n0wall) and B (m0n0wall) doesn't come up automatically. After a
ping from one of the m0n0walls on the LAN interface to the other
subnet (diagnostic menu; no response of course) the connection is up
for some time and drops after a period of time (not the lifetime for
phase 1/2... I think).

B<--->WAN<--->A<--->WAN<--->C

The subnets do not overlap!
VPN settings m0n0wall:
phase 1:
- aggressive
- blowfish
- sha1
- DH-key 2
- lifetime 28800
phase 2:
- ESP
- blowfish
- sha1
- PFS key 2
- lifetime 3600


I don't know if it would make a difference, but have you tried making
the lifetimes different for B <--> A versus A <--> C?

For what it's worth, here's my working config for just two m0n0<-->m0n0:
<ipsec>
	<tunnel>
		<interface>wan</interface>
		<local-subnet>
			<network>lan</network>
		</local-subnet>
		<remote-subnet>192.168.18.0/24</remote-subnet>
		<remote-gateway>x.x.x.250</remote-gateway>
		<p1>
			<mode>main</mode>
			<myident>
				<myaddress/>
			</myident>
			<encryption-algorithm>blowfish</encryption-algorithm>
			<hash-algorithm>sha1</hash-algorithm>
			<dhgroup>2</dhgroup>
			<lifetime>86400</lifetime>
			<pre-shared-key>***************</pre-shared-key>
			<private-key/>
			<cert/>
			<peercert/>
			<authentication_method>pre_shared_key</authentication_method>
		</p1>
		<p2>
			<protocol>esp</protocol>
			<encryption-algorithm-option>blowfish</encryption-algorithm-option>
			<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
			<pfsgroup>2</pfsgroup>
			<lifetime>14400</lifetime>
		</p2>
		<descr>ipsec tunnel</descr>
	</tunnel>
	<enable/>
</ipsec>

<ipsec>
	<tunnel>
		<interface>wan</interface>
		<local-subnet>
			<network>lan</network>
		</local-subnet>
		<remote-subnet>192.168.222.0/24</remote-subnet>
		<remote-gateway>x.x.x.45</remote-gateway>
		<p1>
			<mode>main</mode>
			<myident>
				<myaddress/>
			</myident>
			<encryption-algorithm>blowfish</encryption-algorithm>
			<hash-algorithm>sha1</hash-algorithm>
			<dhgroup>2</dhgroup>
			<lifetime>86400</lifetime>
			<pre-shared-key>***************</pre-shared-key>
			<private-key/>
			<cert/>
			<peercert/>
			<authentication_method>pre_shared_key</authentication_method>
		</p1>
		<p2>
			<protocol>esp</protocol>
			<encryption-algorithm-option>blowfish</encryption-algorithm-option>
			<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
			<pfsgroup>2</pfsgroup>
			<lifetime>14400</lifetime>
		</p2>
		<descr>ipsec tunnel</descr>
	</tunnel>
	<enable/>
</ipsec>
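An added example, not part of the thread and not m0n0wall's own code: before adjusting lifetimes, the first thing to rule out on a tunnel that only comes up on demand and then drops is a phase 1/phase 2 proposal mismatch between the two ends. This script parses the `<ipsec>` config.xml layout shown above from both peers and lists every setting they disagree on. The two sample configs, gateway addresses and the deliberately different phase 2 lifetime are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Phase 1 and phase 2 settings that both ends of a tunnel must agree on
# (element names follow the m0n0wall config.xml layout posted in the thread).
P1_KEYS = ("mode", "encryption-algorithm", "hash-algorithm", "dhgroup", "lifetime")
P2_KEYS = ("protocol", "encryption-algorithm-option", "hash-algorithm-option",
           "pfsgroup", "lifetime")


def tunnel_params(config_xml):
    """Return {'p1/<key>': value, 'p2/<key>': value} for the first <tunnel>."""
    tunnel = ET.fromstring(config_xml).find("tunnel")
    params = {}
    for phase, keys in (("p1", P1_KEYS), ("p2", P2_KEYS)):
        for key in keys:
            node = tunnel.find(f"{phase}/{key}")
            text = node.text if node is not None and node.text else None
            params[f"{phase}/{key}"] = text.strip() if text else None  # None = missing
    return params


def compare_peers(xml_a, xml_b):
    """List (setting, value_a, value_b) for every setting the two ends disagree on."""
    a, b = tunnel_params(xml_a), tunnel_params(xml_b)
    return [(k, a[k], b[k]) for k in a if a[k] != b[k]]


# Constructed sample configs, one per end of a single tunnel. Site Y's phase 2
# lifetime is deliberately different (3600 vs 14400) so the mismatch is visible.
TEMPLATE = """<ipsec><tunnel><interface>wan</interface>
<local-subnet><network>lan</network></local-subnet>
<remote-subnet>{subnet}</remote-subnet><remote-gateway>{gw}</remote-gateway>
<p1><mode>main</mode><encryption-algorithm>blowfish</encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup><lifetime>86400</lifetime>
<authentication_method>pre_shared_key</authentication_method></p1>
<p2><protocol>esp</protocol><encryption-algorithm-option>blowfish</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option><pfsgroup>2</pfsgroup>
<lifetime>{p2_life}</lifetime></p2></tunnel><enable/></ipsec>"""
SITE_X = TEMPLATE.format(subnet="192.168.18.0/24", gw="203.0.113.250", p2_life="14400")
SITE_Y = TEMPLATE.format(subnet="192.168.222.0/24", gw="203.0.113.45", p2_life="3600")

if __name__ == "__main__":
    for setting, x, y in compare_peers(SITE_X, SITE_Y):
        print(f"mismatch {setting}: site X={x} site Y={y}")
```

Run it against the real `<ipsec>` sections exported from each firewall; an empty result means the proposals match and the problem lies elsewhere (e.g. what triggers the negotiation), not in the parameters.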