Just a hunch, but I think I remember reading something else somewhere
- where there can be issues when the P1 lifetime is shorter than the
P2 lifetime.
So perhaps try to set the P2 lifetimes to 28800?
The only other thing I can think of is that you say this has worked
fine for a year, and the IP address of site A has been the same for a
year.
Coincidence?
Jeff
On 4 Oct 2008, at 12:30, Paul Rae wrote:
> OK I have two sites, both running m0n0wall 1.235.
>
> Site A is on a cable connection, dynamic IP (although it hasn't changed
> in about a year).
> Site B is on an ADSL connection with a static IP.
>
> Site A is running on a Soekris board.
> Site B is running on a WRAP board.
> Site B has a Linksys AM200 ADSL modem in front of it, set up in
> half-bridge mode.
>
> Both sites were connected using an IPsec tunnel as per the m0n0
> handbook. This setup has been up and running for well over a year with
> no problems at all.
>
> However, about 2 weeks ago I started to have problems with the tunnel.
> It would say it was up, but didn't seem to be passing any traffic. A
> reboot of one of the firewalls would bring it back up again. However,
> for the past week it refuses to re-establish the connection. All other
> internet traffic (in and out) flows fine.
>
> I have restored config files on both ends, and recreated both configs
> from scratch, and still have the exact same problem. I am at somewhat
> of a loss and really cannot figure out what is going on here. Things
> just don't stop working, but I'll be damned if I can work out what has
> changed. Prior to the problems there has been no network / router /
> config changes to anything.
>
> Tried upgrading to the latest version and recreating a basic config,
> but still the problem persists. I really don't think this can be a
> config problem, but can't think what else would cause this behaviour.
> Is it possible that something in the middle could be causing this?
>
> Anyone have any thoughts? Many virtual beer tokens to anyone that
> helps!
>
> Site B IPSec config.xml
> <ipsec>
>   <tunnel>
>     <interface>wan</interface>
>     <local-subnet>
>       <network>lan</network>
>     </local-subnet>
>     <remote-subnet>192.168.1.0/24</remote-subnet>
>     <remote-gateway>82.16.105.143</remote-gateway>
>     <p1>
>       <mode>aggressive</mode>
>       <myident>
>         <fqdn>router.impact</fqdn>
>       </myident>
>       <encryption-algorithm>blowfish</encryption-algorithm>
>       <hash-algorithm>sha1</hash-algorithm>
>       <dhgroup>2</dhgroup>
>       <lifetime>28800</lifetime>
>       <pre-shared-key>mysharedkey</pre-shared-key>
>       <private-key/>
>       <cert/>
>       <peercert/>
>       <authentication_method>pre_shared_key</authentication_method>
>     </p1>
>     <p2>
>       <protocol>esp</protocol>
>       <encryption-algorithm-option>blowfish</encryption-algorithm-option>
>       <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
>       <pfsgroup>2</pfsgroup>
>       <lifetime>86400</lifetime>
>     </p2>
>     <descr>VPN Link :: Burwell</descr>
>   </tunnel>
>   <enable/>
> </ipsec>
>
> Site A IPSec config.xml
> <ipsec>
>   <enable/>
>   <tunnel>
>     <interface>wan</interface>
>     <local-subnet>
>       <network>lan</network>
>     </local-subnet>
>     <remote-subnet>192.168.3.0/24</remote-subnet>
>     <remote-gateway>217.35.92.253</remote-gateway>
>     <p1>
>       <mode>aggressive</mode>
>       <myident>
>         <fqdn>router.burwell</fqdn>
>       </myident>
>       <encryption-algorithm>blowfish</encryption-algorithm>
>       <hash-algorithm>sha1</hash-algorithm>
>       <dhgroup>2</dhgroup>
>       <lifetime>28800</lifetime>
>       <pre-shared-key>mysharedkey</pre-shared-key>
>       <private-key/>
>       <cert/>
>       <peercert/>
>       <authentication_method>pre_shared_key</authentication_method>
>     </p1>
>     <p2>
>       <protocol>esp</protocol>
>       <encryption-algorithm-option>3des</encryption-algorithm-option>
>       <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
>       <pfsgroup>2</pfsgroup>
>       <lifetime>86400</lifetime>
>     </p2>
>     <descr>IPSEC VPN Link :: Bathgate</descr>
>   </tunnel>
> </ipsec>
>
> Syslog Site B
> Oct 3 19:58:02 racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
> Oct 3 19:58:02 racoon: INFO: @(#)This product linked OpenSSL 0.9.7d-p1 17 Mar 2004 (http://www.openssl.org/)
> Oct 3 19:58:02 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
> Oct 3 19:58:02 racoon: INFO: 192.168.3.254[500] used as isakmp port (fd=8)
> Oct 3 19:58:02 racoon: INFO: 217.35.92.253[500] used as isakmp port (fd=9)
> Oct 3 19:58:03 dhclient: bound to 217.35.92.253 -- renewal in 75326 seconds.
> Oct 3 19:58:18 dnsmasq[105]: reading /etc/resolv.conf
> Oct 3 19:58:18 dnsmasq[105]: using nameserver 194.72.0.114#53
> Oct 3 19:58:18 dnsmasq[105]: using nameserver 194.72.9.34#53
> Oct 3 19:59:28 racoon: INFO: IPsec-SA request for 82.16.105.143 queued due to no phase1 found.
> Oct 3 19:59:28 racoon: INFO: initiate new phase 1 negotiation: 217.35.92.253[500]<=>82.16.105.143[500]
> Oct 3 19:59:28 racoon: INFO: begin Aggressive mode.
> Oct 3 19:59:30 racoon: INFO: received Vendor ID: DPD
> Oct 3 19:59:30 racoon: WARNING: No ID match.
> Oct 3 19:59:30 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Oct 3 19:59:30 racoon: INFO: ISAKMP-SA established 217.35.92.253[500]-82.16.105.143[500] spi:d841a4f7d27e0984:6bf3abc56f1bfab3
> Oct 3 19:59:31 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 19:59:31 /kernel: WARNING: pseudo-random number generator used for IPsec processing
> Oct 3 20:00:01 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:00:05 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:00:35 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:00:39 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:01:09 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:01:13 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:01:43 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:01:47 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:02:17 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:02:21 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:02:51 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:02:55 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:02:56 /usr/local/bin/ez-ipupdate[108]: members.dyndns.org says that your IP address has not changed since the last update
> Oct 3 20:02:56 /usr/local/bin/ez-ipupdate[108]: successful update for sis0->217.35.92.253 (impact.dyndns.org)
> Oct 3 20:03:25 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:03:29 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:03:59 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:04:03 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:04:33 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:04:37 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:05:07 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:05:11 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:05:41 racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:05:45 racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
>
> -
> Regards,
>
> Paul Rae
> Business Development Director
>
> t : 08454 599930
> m : 07769 654302
> e : paul at impacttrainingsolutions dot co dot uk
>
> Impact Training Solutions
> 36 Reid Road
> Bathgate
> West Lothian, EH48 2TX
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
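Added example, not part of the thread: a Python check that parses two m0n0wall `<ipsec>` fragments like the ones posted above, compares each end's P1 and P2 proposals, and scans racoon log lines for the pattern in the Site B syslog (ISAKMP-SA established, then every phase 2 attempt timing out). Run against the posted values it flags that the two fragments differ in P2 encryption (blowfish at Site B, 3des at Site A), something both ends must agree on before an ESP SA can be negotiated, and it carries the P1/P2 lifetime ordering hunch from the reply as a note. The abbreviated fragments and log lines are constructed from the posted ones; the tag names are those of the posted config.xml.

```python
import xml.etree.ElementTree as ET
# Abbreviated copies of the two <ipsec> fragments posted in the thread (only
# the elements the proposal check reads; values are as posted).
SITE_A = """<ipsec><tunnel><remote-gateway>217.35.92.253</remote-gateway>
<p1><mode>aggressive</mode><encryption-algorithm>blowfish</encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup><lifetime>28800</lifetime></p1>
<p2><protocol>esp</protocol><encryption-algorithm-option>3des</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option><pfsgroup>2</pfsgroup>
<lifetime>86400</lifetime></p2></tunnel></ipsec>"""
# Site B's posted fragment differs only in the peer address and the P2 cipher.
SITE_B = SITE_A.replace("217.35.92.253", "82.16.105.143").replace("option>3des<", "option>blowfish<")
# Constructed, unwrapped lines in the shape of the posted Site B syslog excerpt.
RACOON_LOG = """racoon: INFO: ISAKMP-SA established 217.35.92.253[500]-82.16.105.143[500]
racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]""".splitlines()

P1_FIELDS = ("mode", "encryption-algorithm", "hash-algorithm", "dhgroup", "lifetime")
P2_FIELDS = ("protocol", "encryption-algorithm-option", "hash-algorithm-option", "pfsgroup", "lifetime")

def proposals(xml_text):
    """{phase: {field: set of values}} for the first <tunnel>; P2 may list several options."""
    tunnel = ET.fromstring(xml_text).find("tunnel")
    return {phase: {f: {e.text.strip() for e in tunnel.find(phase).findall(f)} for f in fields}
            for phase, fields in (("p1", P1_FIELDS), ("p2", P2_FIELDS))}

def compare(a_xml, b_xml):
    """Fields where the two ends share no acceptable value, plus the lifetime-ordering note."""
    a, b = proposals(a_xml), proposals(b_xml)
    issues = [f"{ph} {f}: site A {sorted(a[ph][f])} vs site B {sorted(b[ph][f])}"
              for ph in ("p1", "p2") for f in a[ph] if not a[ph][f] & b[ph][f]]
    p1_life = min(int(v) for v in a["p1"]["lifetime"])  # the reply's hunch: P1 should outlive P2
    p2_life = min(int(v) for v in a["p2"]["lifetime"])
    if p1_life < p2_life:
        issues.append(f"note: p1 lifetime {p1_life}s is shorter than p2 lifetime {p2_life}s")
    return issues

def scan_racoon(lines):
    """Did phase 1 complete, and how many phase 2 attempts were started vs timed out?"""
    return {"isakmp_sa": any("ISAKMP-SA established" in l for l in lines),
            "p2_started": sum("initiate new phase 2 negotiation" in l for l in lines),
            "p2_timed_out": sum("give up to get IPsec-SA" in l for l in lines)}

def diagnose(issues, summary):
    """P1 up but every P2 attempt timing out, with differing P2 proposals, points at P2."""
    p2 = [i for i in issues if i.startswith("p2 ")]
    if summary["isakmp_sa"] and summary["p2_timed_out"] and p2:
        return "phase 1 established but phase 2 times out; P2 proposals differ: " + "; ".join(p2)
    return "proposals agree; look beyond the config (path, NAT device, keys)"
```

`diagnose(compare(SITE_A, SITE_B), scan_racoon(RACOON_LOG))` names the P2 cipher difference; feeding it the real config.xml of both boxes and the full syslog works the same way since only the quoted tag names and message strings are matched.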