 
 From:  Chris K Ellsworth <ckellsworth at yahoo dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ipsec tunnel setup
 Date:  Tue, 6 Feb 2007 10:58:59 -0800
Did not see any answers.

but I got it working. I had let it sit for a couple of hours, and
when I came back to start working on this issue the tunnel was up and
working. Not too sure why, but it is working now.

very strange.

Chris K Ellsworth


On Feb 4, 2007, at 1:24 PM, Chris K Ellsworth wrote:

> I am having a lot of difficulty setting up IPsec tunnels.
>
> I have 3 m0n0wall routers. Two of them are v1.22 and the third one  
> is 1.3b2.
>
> I have set up a firewall rule that allows all traffic to the WAN  
> interface on each of the routers, from the other routers.
>
> Each network is a different local LAN subnet.
>
> Here is the racoon config for one set of my tunnels:
> --- OFFICE (v1.22) ---
> remote HOME {
> 	exchange_mode aggressive;
> 	my_identifier address "OFFICE";
>
> 	peers_identifier address 76.167.242.113;
> 	initial_contact on;
> 	support_proxy on;
> 	proposal_check obey;
>
> 	proposal {
> 		encryption_algorithm blowfish;
> 		hash_algorithm sha1;
> 		authentication_method pre_shared_key;
> 		dh_group 2;
> 		lifetime time 86400 secs;
> 	}
> 	lifetime time 86400 secs;
> }
>
> sainfo address 192.168.65.0/24 any address 192.168.67.0/25 any {
> 	encryption_algorithm blowfish;
> 	authentication_algorithm hmac_sha1;
> 	compression_algorithm deflate;
> 	pfs_group 2;
> 	lifetime time 86400 secs;
> }
>
> --- HOME (v1.3B2) ---
> remote OFFICE {
> 	exchange_mode aggressive;
> 	my_identifier address "HOME";
>
>
> 	peers_identifier address OFFICE;
> 	initial_contact on;
> 	support_proxy on;
> 	proposal_check obey;
>
> 	proposal {
> 		encryption_algorithm blowfish;
> 		hash_algorithm sha1;
> 		authentication_method pre_shared_key;
> 		dh_group 2;
> 		lifetime time 86400 secs;
> 	}
> 	lifetime time 86400 secs;
> }
>
> sainfo address 192.168.67.0/25 any address 192.168.65.0/24 any {
> 	encryption_algorithm blowfish;
> 	authentication_algorithm hmac_sha1;
> 	compression_algorithm deflate;
> 	pfs_group 2;
> 	lifetime time 86400 secs;
> }
>
> ---here is a copy from the log file from the office ---
> Feb  4 12:34:00 m0n0wall racoon: DEBUG: compression algorithm can  
> not be checked because sadb message doesn't support it.
> Feb  4 12:34:00 m0n0wall racoon: DEBUG: hmac(modp1024)
> Feb  4 12:34:00 m0n0wall racoon: DEBUG: compression algorithm can  
> not be checked because sadb message doesn't support it.
> Feb  4 12:34:00 m0n0wall racoon: DEBUG: my interface: 192.168.65.1  
> (vr0)
> Feb  4 12:34:00 m0n0wall racoon: DEBUG: my interface: Office (vr1)
> Feb  4 12:34:00 m0n0wall racoon: DEBUG: my interface: 127.0.0.1 (lo0)
> Feb  4 12:34:00 m0n0wall racoon: DEBUG: configuring default isakmp  
> port.
> Feb  4 12:34:00 m0n0wall racoon: DEBUG: 3 addrs are configured  
> successfully
> Feb  4 12:34:00 m0n0wall racoon: INFO: 127.0.0.1[500] used as  
> isakmp port (fd=6)
> Feb  4 12:34:00 m0n0wall racoon: INFO: 71.103.254.30[500] used as  
> isakmp port (fd=7)
> Feb  4 12:34:00 m0n0wall racoon: INFO: 192.168.65.1[500] used as  
> isakmp port (fd=8)
> Feb  4 12:34:00 m0n0wall racoon: DEBUG: racoon: ERROR: such policy  
> already exists. anyway replace it: l message
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: msg 1 not interesting
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: get pfkey X_SPDDUMP message
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704:  
> 192.168.61.0/24[0] 192.168.65.0/24[0] proto=any dir=in
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: db :0x80a5a08:  
> 192.168.65.0/24[0] 192.168.65.1/32[0] proto=any dir=in
> ..........
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: get pfkey X_SPDDUMP message
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704:  
> 192.168.65.0/24[0] 192.168.67.0/25[0] proto=any dir=out
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: db :0x80a5a08:  
> 192.168.65.0/24[0] 192.168.65.1/32[0] proto=any dir=in
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704:  
> 192.168.65.0/24[0] 192.168.67.0/25[0] proto=any dir=out
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: db :0x80a5c08:  
> 192.168.61.0/24[0] 192.168.65.0/24[0] proto=any dir=in
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704:  
> 192.168.65.0/24[0] 192.168.67.0/25[0] proto=any dir=out
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: db :0x80ad008:  
> 192.168.67.0/25[0] 192.168.65.0/24[0] proto=any dir=in
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704:  
> 192.168.65.0/24[0] 192.168.67.0/25[0] proto=any dir=out
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: db :0x80ad408:  
> 192.168.65.1/32[0] 192.168.65.0/24[0] proto=any dir=out
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: sub:0xbfbff704:  
> 192.168.65.0/24[0] 192.168.67.0/25[0] proto=any dir=out
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: db :0x80ad608:  
> 192.168.65.0/24[0] 192.168.61.0/24[0] proto=any dir=out
> Feb  4 12:34:01 m0n0wall racoon: DEBUG: msg 1 not interesting
> Feb  4 12:34:04 m0n0wall last message repeated 2 times
>
> ---here is a copy from the log file from the HOME  ---
>
> Feb  4 12:34:12 m0n0wall racoon: INFO: @(#)ipsec-tools 0.6.6  
> (http://ipsec-tools.sourceforge.net)
> Feb  4 12:34:12 m0n0wall racoon: INFO: @(#)This product linked  
> OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
> Feb  4 12:34:12 m0n0wall racoon: INFO: 127.0.0.1[500] used as  
> isakmp port (fd=8)
> Feb  4 12:34:12 m0n0wall racoon: INFO: 127.0.0.1[500] used for NAT-T
> Feb  4 12:34:12 m0n0wall racoon: INFO: HOME [500] used as isakmp  
> port (fd=9)
> Feb  4 12:34:12 m0n0wall racoon: INFO: HOME [500] used for NAT-T
> Feb  4 12:34:12 m0n0wall racoon: INFO: 192.168.67.1[500] used as  
> isakmp port (fd=10)
> Feb  4 12:34:12 m0n0wall racoon: INFO: 192.168.67.1[500] used for  
> NAT-T
>
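The usual reason a racoon tunnel like the one above sits in "no phase 1 SA" is a mismatch between the two ends: an identifier that is not mirrored, a phase 1 proposal that differs, or a sainfo selector pair that is not the exact reverse of the other side's. The following is an added example written for this thread, not code from the poster, from m0n0wall or from ipsec-tools. It renders both ends from one template (the directives shown are the poster's, with the `initial_contact`/`support_proxy`/`proposal_check` lines left out because the check does not read them), parses the fragments, and cross-checks them. The `peer`, `parse`, `cross_check` names and the RFC 5737 documentation addresses standing in for the redacted OFFICE/HOME hostnames are all assumptions made here. It also flags two things a reviewer would raise about this config regardless of whether it comes up: aggressive mode with a pre-shared key exposes a PSK-derived hash to offline guessing, and blowfish is a 64-bit block cipher.

```python
"""Cross-check two racoon.conf peer fragments (ipsec-tools, as shipped in m0n0wall) for
the mismatches that keep a tunnel from coming up. Example code for this thread, not m0n0wall's."""
import re

TEMPLATE = """\
remote {name} {{
\texchange_mode {mode};
\tmy_identifier address {my_addr};
\tpeers_identifier address {peer_addr};
\tproposal {{
\t\tencryption_algorithm {enc};
\t\thash_algorithm sha1;
\t\tauthentication_method pre_shared_key;
\t\tdh_group 2;
\t\tlifetime time 86400 secs;
\t}}
\tlifetime time 86400 secs;
}}
sainfo address {local_net} any address {remote_net} any {{
\tencryption_algorithm {enc};
\tauthentication_algorithm hmac_sha1;
\tcompression_algorithm deflate;
\tpfs_group 2;
\tlifetime time 86400 secs;
}}
"""

def peer(name, my_addr, peer_addr, local_net, remote_net, mode="aggressive", enc="blowfish"):
    """Render one end's fragment; `name` is the label of the other end."""
    return TEMPLATE.format(name=name, my_addr=my_addr, peer_addr=peer_addr,
                           local_net=local_net, remote_net=remote_net, mode=mode, enc=enc)

def parse(text):
    """Parse racoon.conf text into (stmts, blocks): stmts maps keyword -> argument words,
    blocks is a list of (header_words, (stmts, blocks)). Raises ValueError on unbalanced braces."""
    tokens, pos = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r"#.*", "", text)), 0

    def body(depth):
        nonlocal pos
        stmts, blocks, words = {}, [], []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == ";":
                if words:
                    stmts[words[0]] = words[1:]
                words = []
            elif tok == "{":
                blocks.append((words, body(depth + 1)))
                words = []
            elif tok == "}":
                if depth == 0:
                    raise ValueError("unexpected '}'")
                return stmts, blocks
            else:
                words.append(tok.strip('"'))
        if depth:
            raise ValueError("unterminated block")
        return stmts, blocks
    return body(0)

def is_balanced(text):
    try:
        return parse(text) is not None
    except ValueError:
        return False

def block(conf, kind):  # first block under conf whose header starts with kind
    return next((h, sub) for h, sub in conf[1] if h and h[0] == kind)

def _diff(out, label, x, y, keys):
    for k in keys:
        if x.get(k) != y.get(k):
            out.append(f"MISMATCH: {label} {k}: {x.get(k)} vs {y.get(k)}")

def cross_check(a_text, b_text):
    """Return 'MISMATCH: ...' and 'WARN: ...' findings for two peers' fragments."""
    out, a, b = [], parse(a_text), parse(b_text)
    (_, ra), (_, rb) = block(a, "remote"), block(b, "remote")
    pa, pb = block(ra, "proposal")[1][0], block(rb, "proposal")[1][0]
    (ha, sa), (hb, sb) = block(a, "sainfo"), block(b, "sainfo")
    # Phase 1: my_identifier on one end must equal peers_identifier on the other.
    if [ra[0].get("peers_identifier"), rb[0].get("peers_identifier")] != \
            [rb[0].get("my_identifier"), ra[0].get("my_identifier")]:
        out.append("MISMATCH: phase 1 identifiers are not mirrored")
    _diff(out, "phase 1", ra[0], rb[0], ("exchange_mode",))
    _diff(out, "phase 1 proposal", pa, pb, ("encryption_algorithm", "hash_algorithm", "authentication_method", "dh_group"))
    # Phase 2: 'sainfo address L any address R any' here must read R/L on the other end.
    if len(ha) >= 6 and len(hb) >= 6 and (ha[2], ha[5]) != (hb[5], hb[2]):
        out.append(f"MISMATCH: phase 2 selectors {ha[2]}<->{ha[5]} vs {hb[2]}<->{hb[5]}")
    _diff(out, "phase 2", sa[0], sb[0], ("encryption_algorithm", "authentication_algorithm", "pfs_group"))
    if ra[0].get("exchange_mode") == ["aggressive"] and pa.get("authentication_method") == ["pre_shared_key"]:
        out.append("WARN: aggressive mode with a PSK sends the PSK-derived hash in the clear, so it can be brute-forced offline; use main mode or certificates")
    if "blowfish" in pa.get("encryption_algorithm", []) + sa[0].get("encryption_algorithm", []):
        out.append("WARN: blowfish is a 64-bit block cipher; prefer aes on both ends")
    return out

# Constructed sample: the thread's pair, redacted WAN hostnames replaced by RFC 5737 addresses (assumed).
OFFICE = peer("HOME", "192.0.2.10", "198.51.100.20", "192.168.65.0/24", "192.168.67.0/25")
HOME = peer("OFFICE", "198.51.100.20", "192.0.2.10", "192.168.67.0/25", "192.168.65.0/24")
```

Run `cross_check(OFFICE, HOME)` on the two generated fragments and only the two `WARN` lines come back, which is what the poster's config should produce once the redacted hostnames resolve to the right WAN addresses; change one end's selector to `192.168.67.0/24` or its cipher to `aes` and the corresponding `MISMATCH` line appears. `is_balanced` catches the kind of missing closing brace the HOME fragment in the thread was posted with.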