 From:  Vincent Hämmerli - EXES sàrl <vhaemmerli at exes dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSec problem between m0n0wall and Zyxel firewall using dynamic IP
 Date:  Mon, 25 Aug 2008 20:34:24 +0200
Hi all,

I've been working with m0n0wall for a couple of weeks and now I'm trying to
set up an IPSec VPN between the m0n0wall and a Zyxel firewall.

With a static IP on the Zywall and a dynamic IP on the m0n0wall there are no
problems, it works perfectly.
Note: the static IP must be on the Zywall side, otherwise it doesn't work.

But with two dynamic IPs it is impossible to make the IPSec VPN work.
I think I have found out why, but I'm not sure.

In this example I have 2 IPSec configurations, the first with the static
IP on the Zywall, the second with the dynamic IP on the Zywall.
The m0n0wall always has a dynamic IP.

*m0n0wall config file, IPSec section:*

    <ipsec>
        <enable/>
        <tunnel>
            <dpddelay/>
            <interface>wan</interface>
            <local-subnet>
                <address>192.168.173.1/24</address>
            </local-subnet>
            <remote-subnet>192.168.10.1/24</remote-subnet>
            <remote-gateway>gateway.mydomain.com</remote-gateway>  <!-- static IP (Zywall) -->
            <p1>
                <mode>main</mode>
                <myident>
                    <fqdn>xyz1.dyndns.org</fqdn>  <!-- dynamic IP (m0n0wall) -->
                </myident>
                <encryption-algorithm>des</encryption-algorithm>
                <hash-algorithm>md5</hash-algorithm>
                <dhgroup>1</dhgroup>
                <lifetime>28800</lifetime>
                <pre-shared-key>vpnpsk</pre-shared-key>
                <private-key/>
                <cert/>
                <peercert/>
                <authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>des</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <pfsgroup>0</pfsgroup>
                <lifetime>28800</lifetime>
            </p2>
            <descr>IPSec VPN 1 - Static IP</descr>
        </tunnel>
        <tunnel>
            <dpddelay/>
            <interface>wan</interface>
            <local-subnet>
                <address>192.168.173.1/24</address>
            </local-subnet>
            <remote-subnet>192.168.21.1/24</remote-subnet>
            <remote-gateway>xyz2.dyndns.org</remote-gateway>  <!-- dynamic IP (Zywall) -->
            <p1>
                <mode>main</mode>
                <myident>
                    <fqdn>xyz1.dyndns.tv</fqdn>  <!-- dynamic IP (m0n0wall) -->
                </myident>
                <encryption-algorithm>des</encryption-algorithm>
                <hash-algorithm>md5</hash-algorithm>
                <dhgroup>1</dhgroup>
                <lifetime>28800</lifetime>
                <pre-shared-key>vpnpsk</pre-shared-key>
                <private-key/>
                <cert/>
                <peercert/>
                <authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>des</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <pfsgroup>0</pfsgroup>
                <lifetime>28800</lifetime>
            </p2>
            <descr>IPSec VPN 2 - Dynamic IP</descr>
        </tunnel>
        <dns-interval/>
    </ipsec>

*m0n0wall racoon.conf file:*

path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote xxx.xxx.143.3 {   # gateway.mydomain.com, static IP
    exchange_mode main;
    my_identifier fqdn "xyz1.dyndns.org";

    peers_identifier address xxx.xxx.143.3;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    dpd_delay 0;

    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
        lifetime time 28800 secs;
    }
    lifetime time 28800 secs;
}

sainfo address 192.168.173.1/24 any address 192.168.10.1/24 any {
    encryption_algorithm des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 28800 secs;
}

remote yyy.yyy.28.169 {   # xyz2.dyndns.org, dynamic IP
    exchange_mode main;
    my_identifier fqdn "xyz1.dyndns.org";

    peers_identifier address yyy.yyy.28.169;   # <- the line I am pointing at
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    dpd_delay 0;

    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
        lifetime time 28800 secs;
    }
    lifetime time 28800 secs;
}

sainfo address 192.168.173.1/24 any address 192.168.21.1/24 any {
    encryption_algorithm des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 28800 secs;
}


*Zywall peer config* (fields as shown in the Zywall web interface):

    Authentication Key:  Pre-Shared Key | Certificate (see My Certificates)
    Local ID Type:
    Content:
    Peer ID Type:
    Content:

*m0n0wall log* (newest entry first):

Aug 25 19:54:50  racoon: ERROR: invalid ID payload.
Aug 25 19:54:50  racoon: ERROR: Expecting IP address type in main mode, but FQDN.
Aug 25 19:54:50  racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Aug 25 19:54:50  racoon: INFO: received Vendor ID: DPD
Aug 25 19:54:50  racoon: INFO: begin Identity Protection mode.
Aug 25 19:54:50  racoon: INFO: initiate new phase 1 negotiation: xxx.xxx.169.70[500]<=>yyy.yyy.28.169[500]
Aug 25 19:54:50  racoon: INFO: IPsec-SA request for yyy.yyy.28.169 queued due to no phase1 found.



*My conclusions:*

The problem is located in the racoon.conf file: the field
"peers_identifier address" is filled with the dynamic IP of the remote gateway:
<remote-gateway>xyz2.dyndns.org</remote-gateway> = remote yyy.yyy.28.169
= peers_identifier address yyy.yyy.28.169;

On the Zywall, we need to configure the IPSec with one Local ID and one
Peer ID, each of which can be one of 3 types (IP, DNS or Email).
In my case, I filled them with the two dynamic DNS names.
But when the two firewalls try to bring up the VPN, the m0n0wall has
the IP as peer content and the Zywall has the DNS name,
so that is why we get this error in the m0n0wall log: it is unable to match the rules.

Note: if I replace xyz2.dyndns.org with the IP in the Zywall peer
config it works, but only for a few hours, until the dynamic IP changes.

Any idea for a solution?
Is it possible to have a choice of the peer ID type in the m0n0wall,
like on the Zywall?

Note: I'm using 1.3b14 on an Alix board.

Thanks in advance
Regards

Vincent
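The mismatch described in the mail, as an added example that is not code from m0n0wall, racoon or the poster: a small Python generator that turns one m0n0wall `<tunnel>` element into a racoon.conf `remote` block and a psk.txt line, while letting the caller choose the peer ID type the way the Zywall does. It encodes the rule behind the log line "Expecting IP address type in main mode, but FQDN": with a pre-shared key in main mode racoon can only look the key up by the peer's IP, so a non-address peer ID is refused before a config that can never work is written; the usual way to keep hostnames on both sides is `exchange_mode aggressive` with `peers_identifier fqdn`, or certificates instead of a PSK. The tunnel XML is the post's second tunnel trimmed to the fields read here, the `resolve` callback and the address 198.51.100.28 are constructed stand-ins for a DNS lookup, and `verify_identifier on` is an assumption about what a practitioner would add so racoon actually compares the received ID with `peers_identifier`.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample input: the second <tunnel> from the post (dynamic IP on
# both ends), trimmed to the fields this generator reads.
TUNNEL_XML = """
<tunnel>
  <interface>wan</interface>
  <local-subnet><address>192.168.173.1/24</address></local-subnet>
  <remote-subnet>192.168.21.1/24</remote-subnet>
  <remote-gateway>xyz2.dyndns.org</remote-gateway>
  <p1>
    <mode>main</mode>
    <myident><fqdn>xyz1.dyndns.org</fqdn></myident>
    <encryption-algorithm>des</encryption-algorithm>
    <hash-algorithm>md5</hash-algorithm>
    <dhgroup>1</dhgroup>
    <lifetime>28800</lifetime>
    <pre-shared-key>vpnpsk</pre-shared-key>
    <authentication_method>pre_shared_key</authentication_method>
  </p1>
</tunnel>
"""


def is_ip_literal(host):
    """True for an IPv4/IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def racoon_rejects(mode, auth, peer_id_kind):
    """Mirror racoon's phase 1 ID check: main mode with a pre-shared key needs
    an address-type ID from the peer, because the PSK is selected by IP before
    the (encrypted) ID payload can be read. Anything else fails with
    'Expecting IP address type in main mode'."""
    return mode == "main" and auth == "pre_shared_key" and peer_id_kind != "address"


def render_remote(tunnel_xml, peer_id_type, resolve, exchange_mode=None):
    """Produce the racoon.conf 'remote' block for one m0n0wall <tunnel>.

    peer_id_type "address" reproduces what 1.3b14 does (resolve the hostname
    once and bake the IP into peers_identifier); "fqdn" keeps the hostname.
    resolve(hostname) -> IP is a constructed stand-in for DNS; the 'remote'
    selector itself is still written as an address (assumption: the current
    IP, which m0n0wall re-resolves on its dns-interval).
    exchange_mode, if given, overrides <p1><mode>.
    """
    t = ET.fromstring(tunnel_xml)
    p1 = t.find("p1")
    mode = exchange_mode or p1.findtext("mode")
    auth = p1.findtext("authentication_method")
    gateway = t.findtext("remote-gateway")
    peer_ip = gateway if is_ip_literal(gateway) else resolve(gateway)

    if peer_id_type == "address":
        peer_line = "peers_identifier address %s;" % peer_ip
    elif peer_id_type == "fqdn" and not is_ip_literal(gateway):
        peer_line = 'peers_identifier fqdn "%s";' % gateway
    else:
        raise ValueError("peer ID type %r does not fit gateway %r" % (peer_id_type, gateway))

    if racoon_rejects(mode, auth, peer_id_type):
        raise ValueError("main mode with a pre-shared key only accepts an address "
                         "peer ID; use aggressive mode with fqdn IDs, or certificates")

    return "\n".join([
        "remote %s {" % peer_ip,
        "    exchange_mode %s;" % mode,
        '    my_identifier fqdn "%s";' % p1.findtext("myident/fqdn"),
        "    " + peer_line,
        "    verify_identifier on;",  # assumption: reject a peer whose ID differs
        "    initial_contact on;",
        "    proposal_check obey;",
        "    proposal {",
        "        encryption_algorithm %s;" % p1.findtext("encryption-algorithm"),
        "        hash_algorithm %s;" % p1.findtext("hash-algorithm"),
        "        authentication_method %s;" % auth,
        "        dh_group %s;" % p1.findtext("dhgroup"),
        "        lifetime time %s secs;" % p1.findtext("lifetime"),
        "    }",
        "}",
    ])


def render_psk_line(tunnel_xml, peer_id_type, resolve):
    """psk.txt entry: racoon keys the PSK by the peer's identifier, so the
    first column is the IP for address IDs and the hostname for fqdn IDs."""
    t = ET.fromstring(tunnel_xml)
    gateway = t.findtext("remote-gateway")
    key = t.findtext("p1/pre-shared-key")
    ident = gateway if peer_id_type == "fqdn" or is_ip_literal(gateway) else resolve(gateway)
    return "%s %s" % (ident, key)


if __name__ == "__main__":
    fake_dns = lambda host: "198.51.100.28"  # constructed; stands in for a DNS lookup
    print(render_remote(TUNNEL_XML, "fqdn", fake_dns, exchange_mode="aggressive"))
    print(render_psk_line(TUNNEL_XML, "fqdn", fake_dns))
```

Two caveats a practitioner would want next to this: aggressive mode sends the identities in the clear and lets a passive observer collect a hash of the pre-shared key for offline guessing, so a long random PSK (or certificate authentication, which racoon's main mode accepts with FQDN IDs) is the safer choice; and the proposal is copied unchanged from the post's config (des, md5, DH group 1) so that the output lines up with the racoon.conf above, which is not a recommendation for those algorithms.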