 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Vincent Hämmerli - EXES sàrl <vhaemmerli at exes dot ch>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSec problem between m0n0wall and Zyxel firewall using dynamic IP
 Date:  Mon, 25 Aug 2008 20:49:57 +0200
Hello Vincent,

On 25.08.2008, at 20:34, Vincent Hämmerli - EXES sàrl wrote:

> The problem is located in the racoon.conf file; the field
> "peers_identifier address" is filled with the dynamic IP of the remote
> gateway:
> <remote-gateway>xyz2.dyndns.org</remote-gateway> = remote yyy.yyy.28.169
> = peers_identifier address yyy.yyy.28.169;

Hmm, I don't think that the peers_identifier setting is to blame,  
because verify_identifier defaults to off. It could probably even be  
omitted. However, the problem seems to be that in main mode, only the  
IP address can be used to identify the peer (IIRC racoon looks for the  
identifier immediately following the "remote" keyword). From RFC 2409:

"When using pre-shared key authentication with Main Mode the key can  
only be identified by the IP address of the peers since HASH_I must be  
computed before the initiator has processed IDir."

I'm not sure how it works with ZyWALL <-> ZyWALL tunnels, but that  
might be a vendor-specific extension. You could try aggressive mode  
(where it should work), but that is nowadays usually considered not  
secure enough.

If you have some time to spare, you could try fiddling with the  
racoon.conf on m0n0wall directly (e.g. to change/remove the  
peers_identifier statement). Run a "ps xauww" to find the exact  
command line used to start racoon, then kill racoon using "killall  
racoon". Download the config (/var/etc/racoon.conf), modify it, upload  
it back and "mv" it into place, then start racoon again.

Please let us know if you find a solution by modifying racoon.conf, so  
that these changes can be integrated into the function in m0n0wall  
that generates it.

- Manuel
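The manual racoon.conf experiment Manuel describes (find racoon's command line with "ps xauww", kill it, drop the peers_identifier statement, put the file back, restart), written out as an added shell example. This is not m0n0wall's code or anything from the thread; the remote block, the ps output line, the racoon command line and the temp-file paths are all constructed samples so the editing and parsing steps can be exercised on a workstation before touching a live box.

```shell
#!/bin/sh
# Added example, not from m0n0wall or the mailing-list thread.
# Exercises the racoon.conf edit from the mail on a constructed sample.
#
# Assumptions (hypothetical, not taken from the original mail):
#  - the remote block looks like SAMPLE_CONF below;
#  - "ps xauww" prints the BSD layout where COMMAND starts in column 11;
#  - racoon was started as shown in SAMPLE_PS.

# Constructed sample of the racoon.conf remote block m0n0wall generates
# for a PSK tunnel in main mode.  With main mode + pre-shared key the
# peer can only be identified by the address after "remote"
# (RFC 2409), and verify_identifier is off by default, so the
# peers_identifier line is the one the mail suggests removing.
SAMPLE_CONF='remote 192.0.2.169 {
	exchange_mode main;
	my_identifier address;
	peers_identifier address 192.0.2.169;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}'

# Constructed sample of one "ps xauww" line (hypothetical path/flags).
SAMPLE_PS='root   123  0.0  1.2  4096 2048  ??  Ss    8:00PM   0:00.05 /usr/local/sbin/racoon -d -f /var/etc/racoon.conf'

# strip_peers_identifier FILE
# Delete every peers_identifier statement from FILE in place, leaving
# the rest of the block untouched.  (Switching "exchange_mode main;" to
# "exchange_mode aggressive;" would be the other thing to try, but the
# mail warns aggressive mode is generally considered not secure enough.)
strip_peers_identifier() {
	_new="$1.new"
	sed '/^[[:space:]]*peers_identifier[[:space:]]/d' "$1" > "$_new" \
		&& mv "$_new" "$1"
}

# racoon_cmdline
# Read ps output on stdin and print the full command line racoon was
# started with, so it can be restarted exactly as m0n0wall started it.
# "[r]acoon" keeps the grep/awk process itself out of the match.
racoon_cmdline() {
	awk '/[r]acoon/ {
		for (i = 11; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
		exit
	}'
}

# restart_with_edited_conf
# The live procedure from the mail; only meaningful on the m0n0wall
# box itself, so it is defined here but never called by the demo.
restart_with_edited_conf() {
	_cmd=$(ps xauww | racoon_cmdline)
	[ -n "$_cmd" ] || { echo "racoon not running" >&2; return 1; }
	killall racoon
	strip_peers_identifier /var/etc/racoon.conf
	$_cmd
}

# Offline demo on the constructed sample.
demo_file="${TMPDIR:-/tmp}/racoon.conf.demo.$$"
printf '%s\n' "$SAMPLE_CONF" > "$demo_file"
strip_peers_identifier "$demo_file"
echo "edited remote block:"
cat "$demo_file"
echo "racoon command line from ps: $(printf '%s\n' "$SAMPLE_PS" | racoon_cmdline)"
rm -f "$demo_file"
```

On the real box the edited file must end up at /var/etc/racoon.conf via "mv" rather than being edited through the web GUI, because m0n0wall regenerates that file from its own configuration and would put the peers_identifier line back on the next sync; any change that turns out to work is therefore only a proof of concept until it is folded into the generator, as the mail asks.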