Hello Vincent,
On 25.08.2008, at 20:34, Vincent Hämmerli - EXES sàrl wrote:
> The problem is located in the racoon.conf file, the field
> "peers_identifier address" is filled with the Dynamic IP of the remote
> gateway
> <remote-gateway>xyz2.dyndns.org</remote-gateway> = remote yyy.yyy.28.169
> = peers_identifier address yyy.yyy.28.169;
Hmm, I don't think that the peers_identifier setting is to blame,
because verify_identifier defaults to off. It could probably even be
omitted. However, the problem seems to be that in main mode, only the
IP address can be used to identify the peer (IIRC racoon looks for the
identifier immediately following the "remote" keyword). From RFC 2409:
"When using pre-shared key authentication with Main Mode the key can
only be identified by the IP address of the peers since HASH_I must be
computed before the initiator has processed IDir."
I'm not sure how it works with ZyWALL <-> ZyWALL tunnels, but that
might be a vendor-specific extension. You could try aggressive mode
(where it should work), but that is nowadays usually considered not
secure enough.
If you have some time to spare, you could try fiddling with the
racoon.conf on m0n0wall directly (e.g. to change/remove the
peers_identifier statement). Run a "ps xauww" to find the exact
command line used to start racoon, then kill racoon using "killall
racoon". Download the config (/var/etc/racoon.conf), modify it, upload
it back and "mv" it into place, then start racoon again.
Please let us know if you find a solution by modifying racoon.conf, so
that these changes can be integrated into the function in m0n0wall
that generates it.
- Manuel
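The manual racoon.conf swap described in the reply above (record the racoon command line from "ps xauww", stop racoon, put the edited config in place, start it again), written out as added shell helpers that are not part of the mail or of m0n0wall. The config path /var/etc/racoon.conf is from the mail; the racoon binary path and the sample ps output are constructed assumptions for a stand-alone run.

```shell
#!/bin/sh
# Added example, not code from the original mail or from m0n0wall: helpers
# for the racoon.conf swap described in the reply. /var/etc/racoon.conf is
# the path named in the mail; the sample ps output below is constructed.

# Print the exact command line racoon was started with, taken from
# "ps xauww" output on stdin (BSD and Linux ps: COMMAND begins at field 11).
racoon_cmdline() {
    awk '$11 ~ /(^|\/)racoon$/ {
        for (i = 11; i <= NF; i++) printf "%s%s", $i, ((i < NF) ? " " : "\n")
        exit
    }'
}

# Put a modified config in place: refuse an empty file, keep a backup of
# the current config next to it, then mv the new file into position.
install_config() {
    new="$1"; dst="$2"
    [ -s "$new" ] || { echo "refusing to install empty config $new" >&2; return 1; }
    [ -f "$dst" ] && cp "$dst" "$dst.bak"
    mv "$new" "$dst"
}

# Stop the running racoon and start it again with the command line recorded
# earlier, as the mail suggests ("killall racoon", then the original line).
restart_racoon() {
    cmdline="$1"
    killall racoon 2>/dev/null || true
    sleep 1
    eval "$cmdline"
}

# Constructed "ps xauww" output used to exercise racoon_cmdline offline.
SAMPLE_PS='USER   PID %CPU %MEM  VSZ  RSS  TT  STAT STARTED    TIME COMMAND
root    42  0.0  0.1  1234  456  ??  Ss   8:05PM  0:00.01 /sbin/init
root   123  0.0  0.4  3412 1888  ??  Ss   8:05PM  0:00.05 /usr/local/sbin/racoon -f /var/etc/racoon.conf
root   200  0.0  0.2  2000  900  p0  R+   8:40PM  0:00.00 ps xauww'
```

On the real box the sequence is: `cmd=$(ps xauww | racoon_cmdline)`, edit a copy of the config, `install_config edited.conf /var/etc/racoon.conf`, then `restart_racoon "$cmd"`.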