 
 From:  Paul Rae <paul at impacttrainingsolutions dot co dot uk>
 To:  m0n0wall - <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IPSEC Tunnel Died - Please Help!
 Date:  Sat, 04 Oct 2008 12:30:21 +0100
OK I have two sites, both running m0n0wall 1.235.


about a year)
Site B is on an ADSL connection with a static IP

Site A is running on a Soekris board
Site B is running on a Wrap board
Site B has a Linksys AM200 ADSL modem in front of it, set up in half-bridge
mode.

Both sites were connected using an IPSec tunnel as per the m0n0 handbook. This
setup has been up and running for well over a year with no problems at all.

However about 2 weeks ago I started to have problems with the tunnel. It

one of the firewalls would bring it back up again. However for the past week
it refuses to re-establish the connection. All other internet traffic (in
and out) flows fine.

I have restored config files on both ends, and recreated both configs from
scratch and still have the exact same problem. I am at somewhat of a loss


problems there has been no network / router / config changes to anything.

Tried upgrading to the latest version and recreating a basic config but still the

can't think what else would cause this behaviour. Is it possible that
something in the middle could be causing this?

Anyone have any thoughts? Many virtual beer tokens to anyone that helps!

Site B IPSec config.xml
    <ipsec>
        <tunnel>
            <interface>wan</interface>
            <local-subnet>
                <network>lan</network>
            </local-subnet>
            <remote-subnet>192.168.1.0/24</remote-subnet>
            <remote-gateway>82.16.105.143</remote-gateway>
            <p1>
                <mode>aggressive</mode>
                <myident>
                    <fqdn>router.impact</fqdn>
                </myident>
                <encryption-algorithm>blowfish</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>2</dhgroup>
                <lifetime>28800</lifetime>
                <pre-shared-key>mysharedkey</pre-shared-key>
                <private-key/>
                <cert/>
                <peercert/>
                <authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <pfsgroup>2</pfsgroup>
                <lifetime>86400</lifetime>
            </p2>
            <descr>VPN Link :: Burwell</descr>
        </tunnel>
        <enable/>
    </ipsec>

Site A IPSec config.xml
    <ipsec>
        <enable/>
        <tunnel>
            <interface>wan</interface>
            <local-subnet>
                <network>lan</network>
            </local-subnet>
            <remote-subnet>192.168.3.0/24</remote-subnet>
            <remote-gateway>217.35.92.253</remote-gateway>
            <p1>
                <mode>aggressive</mode>
                <myident>
                    <fqdn>router.burwell</fqdn>
                </myident>
                <encryption-algorithm>blowfish</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>2</dhgroup>
                <lifetime>28800</lifetime>
                <pre-shared-key>mysharedkey</pre-shared-key>
                <private-key/>
                <cert/>
                <peercert/>
                <authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>3des</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <pfsgroup>2</pfsgroup>
                <lifetime>86400</lifetime>
            </p2>
            <descr>IPSEC VPN Link :: Bathgate</descr>
        </tunnel>
    </ipsec>

Syslog Site B
Oct 3 19:58:02    racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Oct 3 19:58:02    racoon: INFO: @(#)This product linked OpenSSL 0.9.7d-p1 17 Mar 2004 (http://www.openssl.org/)
Oct 3 19:58:02    racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Oct 3 19:58:02    racoon: INFO: 192.168.3.254[500] used as isakmp port (fd=8)
Oct 3 19:58:02    racoon: INFO: 217.35.92.253[500] used as isakmp port (fd=9)
Oct 3 19:58:03    dhclient: bound to 217.35.92.253 -- renewal in 75326 seconds.
Oct 3 19:58:18    dnsmasq[105]: reading /etc/resolv.conf
Oct 3 19:58:18    dnsmasq[105]: using nameserver 194.72.0.114#53
Oct 3 19:58:18    dnsmasq[105]: using nameserver 194.72.9.34#53
Oct 3 19:59:28    racoon: INFO: IPsec-SA request for 82.16.105.143 queued due to no phase1 found.
Oct 3 19:59:28    racoon: INFO: initiate new phase 1 negotiation: 217.35.92.253[500]<=>82.16.105.143[500]
Oct 3 19:59:28    racoon: INFO: begin Aggressive mode.
Oct 3 19:59:30    racoon: INFO: received Vendor ID: DPD
Oct 3 19:59:30    racoon: WARNING: No ID match.
Oct 3 19:59:30    racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Oct 3 19:59:30    racoon: INFO: ISAKMP-SA established 217.35.92.253[500]-82.16.105.143[500] spi:d841a4f7d27e0984:6bf3abc56f1bfab3
Oct 3 19:59:31    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 19:59:31    /kernel: WARNING: pseudo-random number generator used for IPsec processing
Oct 3 20:00:01    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:00:05    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:00:35    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:00:39    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:01:09    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:01:13    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:01:43    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:01:47    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:02:17    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:02:21    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:02:51    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:02:55    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:02:56    /usr/local/bin/ez-ipupdate[108]: members.dyndns.org says that your IP address has not changed since the last update
Oct 3 20:02:56    /usr/local/bin/ez-ipupdate[108]: successful update for sis0->217.35.92.253 (impact.dyndns.org)
Oct 3 20:03:25    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:03:29    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:03:59    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:04:03    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:04:33    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:04:37    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:05:07    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:05:11    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:05:41    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:05:45    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]

- 
Regards,

Paul Rae
Business Development Director

t : 08454 599930
m : 07769 654302
e : paul at impacttrainingsolutions dot co dot uk

Impact Training Solutions
36 Reid Road
Bathgate
West Lothian, EH48 2TX
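Added example, not part of the post above and not m0n0wall or racoon code: a small checker that parses two m0n0wall <ipsec> fragments like the ones in the message, reports every Phase 1 / Phase 2 parameter the two ends disagree on, and counts the racoon events in a syslog excerpt. The log in the message shows the ISAKMP-SA (Phase 1) establishing and then every Phase 2 negotiation timing out, and the two fragments propose different Phase 2 ciphers (blowfish at Site B, 3des at Site A); a Phase 2 proposal that the responder rejects is one cause that produces exactly that initiator-side pattern, so it is worth ruling out before blaming something in the path. The sample fragments and log lines below are constructed from the post (trimmed, with the "mysharedkey" placeholder kept); lifetimes are deliberately not compared because racoon's default proposal_check obey lets the responder accept the initiator's value.

```python
"""Added example (not m0n0wall code): compare the Phase 1 / Phase 2 settings
of two m0n0wall <ipsec> fragments and summarise racoon syslog output."""
import xml.etree.ElementTree as ET

# Constructed from the Site B fragment in the post, trimmed to the elements
# that take part in negotiation. "mysharedkey" is the post's placeholder.
SITE_B_XML = """<ipsec><tunnel>
  <remote-subnet>192.168.1.0/24</remote-subnet>
  <remote-gateway>82.16.105.143</remote-gateway>
  <p1><mode>aggressive</mode><myident><fqdn>router.impact</fqdn></myident>
      <encryption-algorithm>blowfish</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup>
      <lifetime>28800</lifetime><pre-shared-key>mysharedkey</pre-shared-key>
      <authentication_method>pre_shared_key</authentication_method></p1>
  <p2><protocol>esp</protocol>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <pfsgroup>2</pfsgroup><lifetime>86400</lifetime></p2>
</tunnel><enable/></ipsec>"""

# Site A in the post differs only in identity, peer, remote subnet and the
# Phase 2 cipher (3des instead of blowfish).
SITE_A_XML = (SITE_B_XML.replace("router.impact", "router.burwell")
              .replace("192.168.1.0/24", "192.168.3.0/24")
              .replace("82.16.105.143", "217.35.92.253")
              .replace("<encryption-algorithm-option>blowfish",
                       "<encryption-algorithm-option>3des"))

# Parameters both ends must agree on for racoon to accept a proposal.
P1_FIELDS = ("mode", "encryption-algorithm", "hash-algorithm", "dhgroup",
             "authentication_method", "pre-shared-key")
P2_FIELDS = ("protocol", "encryption-algorithm-option",
             "hash-algorithm-option", "pfsgroup")


def tunnel_params(xml_text):
    """Return {'p1/field': value, ...} for the first <tunnel> in a fragment."""
    tunnel = ET.fromstring(xml_text).find("tunnel")
    params = {}
    for phase, fields in (("p1", P1_FIELDS), ("p2", P2_FIELDS)):
        node = tunnel.find(phase)
        for field in fields:
            el = node.find(field) if node is not None else None
            params[f"{phase}/{field}"] = (el.text or "").strip() if el is not None else None
    return params


def compare_tunnels(a_xml, b_xml):
    """Fields the two ends disagree on, as {field: (a_value, b_value)}."""
    a, b = tunnel_params(a_xml), tunnel_params(b_xml)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


# Constructed excerpt of the racoon lines from the post (two retry cycles).
RACOON_LOG = """Oct 3 19:59:28    racoon: INFO: begin Aggressive mode.
Oct 3 19:59:30    racoon: WARNING: No ID match.
Oct 3 19:59:30    racoon: INFO: ISAKMP-SA established 217.35.92.253[500]-82.16.105.143[500] spi:d841a4f7d27e0984:6bf3abc56f1bfab3
Oct 3 19:59:31    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:00:01    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
Oct 3 20:00:05    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
Oct 3 20:00:35    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
"""

# Substrings of real racoon (ipsec-tools) messages that mark each event.
MARKERS = {
    "phase1_established": "ISAKMP-SA established",
    "phase1_failed": "phase1 negotiation failed",
    "phase2_started": "initiate new phase 2 negotiation",
    "phase2_timeout": "give up to get IPsec-SA",
    "id_fallback": "No ID match",
}


def summarize_racoon(log_text):
    """Count how often each marker appears in a syslog excerpt."""
    counts = dict.fromkeys(MARKERS, 0)
    for line in log_text.splitlines():
        for key, marker in MARKERS.items():
            if marker in line:
                counts[key] += 1
    return counts


def diagnose(mismatches, counts):
    """Map the config diff plus log counts to the layer most likely at fault."""
    if counts["phase1_established"] == 0:
        return "phase 1 never completes: check PSK, identifiers and UDP/500 reachability"
    if counts["phase2_started"] and counts["phase2_timeout"]:
        p2 = [k for k in mismatches if k.startswith("p2/")]
        if p2:
            return "phase 2 proposal mismatch: " + ", ".join(p2)
        return "phase 2 times out with matching proposals: suspect the path (ESP or UDP/500 filtering, NAT)"
    return "no negotiation failure in this excerpt"


if __name__ == "__main__":
    diff = compare_tunnels(SITE_A_XML, SITE_B_XML)
    counts = summarize_racoon(RACOON_LOG)
    for field, (a, b) in diff.items():
        print(f"{field}: site A={a!r}  site B={b!r}")
    print(counts)
    print(diagnose(diff, counts))
```

Running it on the post's fragments reports p2/encryption-algorithm-option as ('3des', 'blowfish') and, with one ISAKMP-SA and two timed-out Phase 2 attempts in the excerpt, classifies the failure as a Phase 2 proposal mismatch; with identical fragments the same log would instead point at the path between the two gateways.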