I am having a lot of difficulty setting up IPsec tunnels.
I have 3 m0n0wall routers. Two of them are v1.22 and the third one is
1.3b2.
I have set up a firewall rule that allows all traffic to the WAN
interface on each of the routers from the other routers.
Each network is a different local LAN subnet.
Here is the racoon config for one set of my tunnels:
--- OFFICE (v1.22) ---
remote HOME {
        exchange_mode aggressive;
        my_identifier address "OFFICE";
        peers_identifier address 76.167.242.113;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 86400 secs;
        }
        lifetime time 86400 secs;
}
sainfo address 192.168.65.0/24 any address 192.168.67.0/25 any {
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 86400 secs;
}
--- HOME (v1.3B2) ---
remote OFFICE {
        exchange_mode aggressive;
        my_identifier address "HOME";
        peers_identifier address OFFICE;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 86400 secs;
        }
        lifetime time 86400 secs;
}
sainfo address 192.168.67.0/25 any address 192.168.65.0/24 any {
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 86400 secs;
}
--- here is a copy of the log file from the OFFICE ---
Feb 4 12:34:00 m0n0wall racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
Feb 4 12:34:00 m0n0wall racoon: DEBUG: hmac(modp1024)
Feb 4 12:34:00 m0n0wall racoon: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
Feb 4 12:34:00 m0n0wall racoon: DEBUG: my interface: 192.168.65.1 (vr0)
Feb 4 12:34:00 m0n0wall racoon: DEBUG: my interface: Office (vr1)
Feb 4 12:34:00 m0n0wall racoon: DEBUG: my interface: 127.0.0.1 (lo0)
Feb 4 12:34:00 m0n0wall racoon: DEBUG: configuring default isakmp port.
Feb 4 12:34:00 m0n0wall racoon: DEBUG: 3 addrs are configured successfully
Feb 4 12:34:00 m0n0wall racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=6)
Feb 4 12:34:00 m0n0wall racoon: INFO: 71.103.254.30[500] used as isakmp port (fd=7)
Feb 4 12:34:00 m0n0wall racoon: INFO: 192.168.65.1[500] used as isakmp port (fd=8)
Feb 4 12:34:00 m0n0wall racoon: DEBUG: racoon: ERROR: such policy already exists. anyway replace it: l message
Feb 4 12:34:01 m0n0wall racoon: DEBUG: msg 1 not interesting
Feb 4 12:34:01 m0n0wall racoon: DEBUG: get pfkey X_SPDDUMP message
Feb 4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704: 192.168.61.0/24[0] 192.168.65.0/24[0] proto=any dir=in
Feb 4 12:34:01 m0n0wall racoon: DEBUG: db :0x80a5a08: 192.168.65.0/24[0] 192.168.65.1/32[0] proto=any dir=in
..........
Feb 4 12:34:01 m0n0wall racoon: DEBUG: get pfkey X_SPDDUMP message
Feb 4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704: 192.168.65.0/24[0] 192.168.67.0/25[0] proto=any dir=out
Feb 4 12:34:01 m0n0wall racoon: DEBUG: db :0x80a5a08: 192.168.65.0/24[0] 192.168.65.1/32[0] proto=any dir=in
Feb 4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704: 192.168.65.0/24[0] 192.168.67.0/25[0] proto=any dir=out
Feb 4 12:34:01 m0n0wall racoon: DEBUG: db :0x80a5c08: 192.168.61.0/24[0] 192.168.65.0/24[0] proto=any dir=in
Feb 4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704: 192.168.65.0/24[0] 192.168.67.0/25[0] proto=any dir=out
Feb 4 12:34:01 m0n0wall racoon: DEBUG: db :0x80ad008: 192.168.67.0/25[0] 192.168.65.0/24[0] proto=any dir=in
Feb 4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704: 192.168.65.0/24[0] 192.168.67.0/25[0] proto=any dir=out
Feb 4 12:34:01 m0n0wall racoon: DEBUG: db :0x80ad408: 192.168.65.1/32[0] 192.168.65.0/24[0] proto=any dir=out
Feb 4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704: 192.168.65.0/24[0] 192.168.67.0/25[0] proto=any dir=out
Feb 4 12:34:01 m0n0wall racoon: DEBUG: db :0x80ad608: 192.168.65.0/24[0] 192.168.61.0/24[0] proto=any dir=out
Feb 4 12:34:01 m0n0wall racoon: DEBUG: msg 1 not interesting
Feb 4 12:34:04 m0n0wall last message repeated 2 times
--- here is a copy of the log file from the HOME ---
Feb 4 12:34:12 m0n0wall racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Feb 4 12:34:12 m0n0wall racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Feb 4 12:34:12 m0n0wall racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Feb 4 12:34:12 m0n0wall racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 4 12:34:12 m0n0wall racoon: INFO: HOME [500] used as isakmp port (fd=9)
Feb 4 12:34:12 m0n0wall racoon: INFO: HOME [500] used for NAT-T
Feb 4 12:34:12 m0n0wall racoon: INFO: 192.168.67.1[500] used as isakmp port (fd=10)
Feb 4 12:34:12 m0n0wall racoon: INFO: 192.168.67.1[500] used for NAT-T
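As an added example (not part of the original post, and not m0n0wall or racoon code), a small Python checker that parses both peers' racoon.conf and reports phase 1 proposal parameters that differ and sainfo selectors that have no exact mirror on the other side, the two things that most often keep a pair of configs like the ones above from negotiating. The embedded configs are constructed excerpts shaped like the OFFICE and HOME configs in the post, with the OFFICE/HOME placeholders kept and the less common keys dropped for brevity.

```python
import re

SAINFO_RE = re.compile(r"sainfo address (\S+) (\S+) address (\S+) (\S+)$")

def parse_racoon(text):
    """Parse a brace/semicolon subset of racoon.conf into {block: {key: value}}.
    Nested blocks are keyed 'outer / inner', e.g. 'remote HOME / proposal'."""
    blocks, stack, buf = {}, [], ""
    for ch in text:
        if ch == "{":
            stack.append(" ".join(buf.split()))
            blocks[" / ".join(stack)] = {}
        elif ch == "}":
            stack.pop()
        elif ch == ";":
            key, _, value = " ".join(buf.split()).partition(" ")
            blocks[" / ".join(stack)][key] = value
        buf = "" if ch in "{};" else buf + ch
    return blocks

def diff_params(label, x, y):
    return [f"{label} {k}: {x.get(k)!r} vs {y.get(k)!r}"
            for k in sorted(set(x) | set(y)) if x.get(k) != y.get(k)]

def check_pair(conf_a, conf_b):
    """List mismatches between two peers that would stop phase 1 or 2 agreeing."""
    a, b = parse_racoon(conf_a), parse_racoon(conf_b)
    # Phase 1: both proposal blocks must offer the same algorithms and DH group.
    pa = next(v for k, v in a.items() if k.endswith("/ proposal"))
    pb = next(v for k, v in b.items() if k.endswith("/ proposal"))
    problems = diff_params("phase1", pa, pb)
    # Phase 2: each sainfo on A needs the exact mirrored selector on B with the
    # same transforms; racoon derives the SPD entries seen in the log from these.
    for header in filter(SAINFO_RE.match, a):
        src, sport, dst, dport = SAINFO_RE.match(header).groups()
        mirror = f"sainfo address {dst} {dport} address {src} {sport}"
        if mirror in b:
            problems += diff_params(f"phase2 {src}<->{dst}", a[header], b[mirror])
        else:
            problems.append(f"no mirrored sainfo on peer for: {header}")
    return problems

# Constructed excerpts shaped like the post's two configs (placeholders kept).
OFFICE = """remote HOME { exchange_mode aggressive;
  proposal { encryption_algorithm blowfish; hash_algorithm sha1; dh_group 2; } }
sainfo address 192.168.65.0/24 any address 192.168.67.0/25 any {
  encryption_algorithm blowfish; authentication_algorithm hmac_sha1; pfs_group 2; }"""
HOME = OFFICE.replace("remote HOME", "remote OFFICE").replace(
    "192.168.65.0/24 any address 192.168.67.0/25", "192.168.67.0/25 any address 192.168.65.0/24")
```

Running `check_pair(OFFICE, HOME)` on matching configs returns an empty list; a /24 typed on one side where the other has /25, or a different hash or DH group, shows up as a named mismatch instead of a silent negotiation failure.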