 
 From:  Michel Servaes <michel at mcmc dot be>
 To:  Monowall User List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  1.3b9 | Blowfish or 3DES IPSEC vpn
 Date:  Tue, 12 Feb 2008 22:36:47 +0100
I have the strong impression that when I use 3DES on the monowall, my 
VPN connection times out every day... I can reactivate the tunnel by 
disabling IPSEC completely and re-enabling it in my monowall.
I am using a Pentium III 600MHz / 384MB RAM (the RAM seems overkill) 
(Compaq Deskpro EP).
The other side is currently a D-Link DFL-200 (it's at my office, and I 
am planning on installing a monowall there as well - that machine will be a 
Pentium 4 1.6GHz (Compaq Deskpro EVO)).

This morning I changed the tunnel on both sides to Blowfish, and for now 
it seems OK...


I am missing an IPSEC logging feature... I can go into the system log, 
but it is a bit hard to pick out the IPSEC traffic in there.


By the way: what is the limit on the number of IPSEC tunnels that can be 
made... I guess this will be machine specific, but what are your 
expectations for my Pentium III-600MHz and for the Pentium 4-1.6GHz?
What I tried:

restart the DFL-200: the tunnel does not come up
kill all the tunnels in Diagnostics on my monowall: the tunnel does not come up
shut down IPSEC and re-enable IPSEC on my monowall: the tunnel fires up 
without an issue...

The system log tells me something about Phase 1 not being completed yet, 
and that Phase 2 is too early in trying to connect, since Phase 1 is 
still busy.

<DFL-200-IPWAN> is the WAN IP of my DFL-200 at the office
<m0n0wall-IPWAN> is the WAN IP of my monowall at home
172.16.0.0/24 is my LAN
192.168.10.0/23 is the LAN at the office

Feb 12 19:17:07  racoon: INFO: unsupported PF_KEY message REGISTER
Feb 12 19:17:02  racoon: INFO: unsupported PF_KEY message REGISTER
Feb 12 19:16:27  racoon: ERROR: <DFL-200-IPWAN> give up to get IPsec-SA due to time up to wait.
Feb 12 19:16:17  last message repeated 2 times
Feb 12 19:15:58  racoon: ERROR: unknown notify message, no phase2 handle found.
Feb 12 19:15:57  racoon: INFO: initiate new phase 2 negotiation: <m0n0wall-IPWAN>[500]<=><DFL-200-IPWAN>[500]
Feb 12 19:15:56  racoon: INFO: ISAKMP-SA established <m0n0wall-IPWAN>[500]-<DFL-200-IPWAN>[500] spi:a5e61bb0c5bcb5a1:f1c9854cb63679fe
Feb 12 19:15:56  racoon: INFO: received Vendor ID: DPD
Feb 12 19:15:54  racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 12 19:15:46  racoon: INFO: delete phase 2 handler.
Feb 12 19:15:46  racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. AH <DFL-200-IPWAN>[500]-><m0n0wall-IPWAN>[500]
Feb 12 19:15:36  last message repeated 2 times
Feb 12 19:15:15  racoon: ERROR: reject the packet, received unexpecting payload type 0.
Feb 12 19:15:15  racoon: INFO: begin Identity Protection mode.
Feb 12 19:15:15  racoon: INFO: initiate new phase 1 negotiation: <m0n0wall-IPWAN>[500]<=><DFL-200-IPWAN>[500]
Feb 12 19:15:15  racoon: INFO: IPsec-SA request for <DFL-200-IPWAN> queued due to no phase1 found.
Feb 12 19:14:47  racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/24[0] 192.168.10.0/23[0] proto=any dir=out
Feb 12 19:14:47  racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.253/32[0] 172.16.0.0/24[0] proto=any dir=out
Feb 12 19:14:47  racoon: ERROR: such policy already exists. anyway replace it: 192.168.10.0/23[0] 172.16.0.0/24[0] proto=any dir=in
Feb 12 19:14:47  racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/24[0] 172.16.0.253/32[0] proto=any dir=in
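The m0n0wall system log lists the racoon messages newest-first, which is why the Phase 1 / Phase 2 ordering in the excerpt above is hard to follow at a glance. As an added example (not part of the original post and not m0n0wall or racoon code), the Python script below reverses such an excerpt into chronological order, expands the syslog "last message repeated N times" lines, tags the racoon messages by type, and reports whether IPsec-SA (phase 2) requests were queued before any ISAKMP-SA (phase 1) existed and how long after the ISAKMP-SA came up the IPsec-SA negotiation gave up. The sample log is constructed from the lines quoted in the post (the poster's <...> address placeholders kept, only one of the four "such policy already exists" lines retained), the year 2008 is taken from the mail date since syslog lines carry none, and the tag names are my own.

```python
"""Rebuild a racoon IKE negotiation timeline from newest-first syslog output."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: racoon lines quoted in the post above, newest first as
# the m0n0wall system log shows them, wrapped lines re-joined, placeholders kept.
SAMPLE_LOG = """\
Feb 12 19:17:07 racoon: INFO: unsupported PF_KEY message REGISTER
Feb 12 19:17:02 racoon: INFO: unsupported PF_KEY message REGISTER
Feb 12 19:16:27 racoon: ERROR: <DFL-200-IPWAN> give up to get IPsec-SA due to time up to wait.
Feb 12 19:16:17 last message repeated 2 times
Feb 12 19:15:58 racoon: ERROR: unknown notify message, no phase2 handle found.
Feb 12 19:15:57 racoon: INFO: initiate new phase 2 negotiation: <m0n0wall-IPWAN>[500]<=><DFL-200-IPWAN>[500]
Feb 12 19:15:56 racoon: INFO: ISAKMP-SA established <m0n0wall-IPWAN>[500]-<DFL-200-IPWAN>[500] spi:a5e61bb0c5bcb5a1:f1c9854cb63679fe
Feb 12 19:15:56 racoon: INFO: received Vendor ID: DPD
Feb 12 19:15:54 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Feb 12 19:15:46 racoon: INFO: delete phase 2 handler.
Feb 12 19:15:46 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. AH <DFL-200-IPWAN>[500]-><m0n0wall-IPWAN>[500]
Feb 12 19:15:36 last message repeated 2 times
Feb 12 19:15:15 racoon: ERROR: reject the packet, received unexpecting payload type 0.
Feb 12 19:15:15 racoon: INFO: begin Identity Protection mode.
Feb 12 19:15:15 racoon: INFO: initiate new phase 1 negotiation: <m0n0wall-IPWAN>[500]<=><DFL-200-IPWAN>[500]
Feb 12 19:15:15 racoon: INFO: IPsec-SA request for <DFL-200-IPWAN> queued due to no phase1 found.
Feb 12 19:14:47 racoon: ERROR: such policy already exists. anyway replace it: 172.16.0.0/24[0] 192.168.10.0/23[0] proto=any dir=out
"""

SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d)\s+(?P<msg>.*)$")
RACOON_RE = re.compile(r"^racoon: (?P<level>[A-Z]+): (?P<text>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")

# Substrings of racoon messages mapped to my own (hypothetical) event tags.
EVENT_TAGS = (
    ("p2_queued_no_p1", "queued due to no phase1 found"),
    ("p1_start", "initiate new phase 1 negotiation"),
    ("p1_established", "ISAKMP-SA established"),
    ("p2_start", "initiate new phase 2 negotiation"),
    ("p2_timeout_waiting_p1", "time up waiting for phase1"),
    ("sa_giveup", "give up to get IPsec-SA"),
    ("bad_payload", "unexpecting payload type"),
    ("unknown_notify", "unknown notify message"),
)


def classify(text):
    """Return the first matching event tag, or 'other'."""
    for tag, needle in EVENT_TAGS:
        if needle in text:
            return tag
    return "other"


def parse_racoon_log(log_text, year=2008):
    """Return events oldest-first as (datetime, level, tag, text) tuples.

    The input is newest-first, so it is reversed before parsing; that also
    places each 'last message repeated N times' line right after the entry
    it repeats, so it is expanded into N copies of that entry."""
    events = []
    for line in reversed(log_text.splitlines()):
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                  "%Y %b %d %H:%M:%S")
        rep = REPEAT_RE.match(m["msg"])
        if rep:
            if events:
                _, level, tag, text = events[-1]
                events.extend([(stamp, level, tag, text)] * int(rep["n"]))
            continue
        r = RACOON_RE.match(m["msg"])
        if r:
            events.append((stamp, r["level"], classify(r["text"]), r["text"]))
    events.sort(key=lambda e: e[0])  # stable: same-second order is preserved
    return events


def summarize(events):
    """Report the phase 1 / phase 2 ordering problem visible in the log."""
    counts = Counter(tag for _, _, tag, _ in events)
    p1 = [t for t, _, tag, _ in events if tag == "p1_established"]
    p1_at = p1[0] if p1 else None
    early_p2 = sum(1 for t, _, tag, _ in events
                   if tag == "p2_queued_no_p1" and (p1_at is None or t < p1_at))
    giveups = [t for t, _, tag, _ in events if tag == "sa_giveup"]
    gave_up_after_p1 = bool(giveups and p1_at and giveups[-1] > p1_at)
    return {
        "counts": dict(counts),
        "phase1_established_at": p1_at.strftime("%H:%M:%S") if p1_at else None,
        "phase2_requests_queued_before_phase1": early_p2,
        "gave_up_after_phase1": gave_up_after_p1,
        "seconds_phase1_to_giveup":
            int((giveups[-1] - p1_at).total_seconds()) if gave_up_after_p1 else None,
    }


if __name__ == "__main__":
    evs = parse_racoon_log(SAMPLE_LOG)
    for stamp, level, tag, text in evs:
        print(f"{stamp:%H:%M:%S} {level:5} {tag:22} {text}")
    print(summarize(evs))
```

Paste your own system-log excerpt into SAMPLE_LOG (or read it from a file) to get the same chronological listing; the summary fields are just a convenient readout of what the tagged timeline shows, not a diagnosis of why the peer behaves that way.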