 
 From:  Eric Boudrand <eric at boudrand dot net>
 To:  m0n0wall - <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC Tunnel Died - Please Help!
 Date:  Mon, 06 Oct 2008 11:30:39 +0200
Hi Paul,

Lifetime for phase 2 should be shorter than lifetime for phase 1. Phase
1 is an authentication phase that is used for protecting phase 2. Phase
2 is an agreement between two endpoints concerning the IPsec service
that will be used as the protocol (ESP or AH). During phase 2, the
endpoints decide what algorithm will be used and generate encryption
keys. From a security point of view, phase 2 should be as short as
possible.

Also avoid aggressive mode. It is not a secure exchange. Use main mode
instead. In phase 1, the endpoints are exchanging their identity (ID
payload). In main mode, each identity is sent encrypted. In aggressive
mode, the identity from the initiator is already sent in the clear.

Can you get more debug traces? There is a debug level in ipsec-tools.

Regards.
-  
Éric Boudrand


On Saturday 04 October 2008 at 12:30 +0100, Paul Rae wrote:
> OK I have two sites, both running m0n0wall 1.235.
> 
> Site A is on a cable connection, dynamic IP (although it hasn't changed in
> about a year)
> Site B is on an ADSL connection with a static IP
> 
> Site A is running on a Soekris board
> Site B is running on a Wrap board
> Site B has a Linksys AM200 ADSL modem in front of it set up in half-bridge
> mode.
> 
> Both sites were connected using an IPSec tunnel as per the m0n0 handbook. This
> setup has been up and running for well over a year with no problems at all.
> 
> However about 2 weeks ago I started to have problems with the tunnel. It
> would say it was up, but didn't seem to be passing any traffic. A reboot of
> one of the firewalls would bring it back up again. However for the past week
> it refuses to re-establish the connection. All other internet traffic (in
> and out) flows fine.
> 
> I have restored config files on both ends, and recreated both configs from
> scratch and still have the exact same problem. I am at somewhat of a loss
> and really cannot figure out what is going on here. Things just don't stop
> working, but I'll be damned if I can work out what has changed. Prior to the
> problems there has been no network / router / config changes to anything.
> 
> Tried upgrading to the latest version and recreating a basic config but still the
> problem persists. I really don't think this can be a config problem, but
> can't think what else would cause this behaviour. Is it possible that
> something in the middle could be causing this?
> 
> Anyone have any thoughts? Many virtual beer tokens to anyone that helps!
> 
> Site B IPSec config.xml
>     <ipsec>
>         <tunnel>
>             <interface>wan</interface>
>             <local-subnet>
>                 <network>lan</network>
>             </local-subnet>
>             <remote-subnet>192.168.1.0/24</remote-subnet>
>             <remote-gateway>82.16.105.143</remote-gateway>
>             <p1>
>                 <mode>aggressive</mode>
>                 <myident>
>                     <fqdn>router.impact</fqdn>
>                 </myident>
>                 <encryption-algorithm>blowfish</encryption-algorithm>
>                 <hash-algorithm>sha1</hash-algorithm>
>                 <dhgroup>2</dhgroup>
>                 <lifetime>28800</lifetime>
>                 <pre-shared-key>mysharedkey</pre-shared-key>
>                 <private-key/>
>                 <cert/>
>                 <peercert/>
>                 <authentication_method>pre_shared_key</authentication_method>
>             </p1>
>             <p2>
>                 <protocol>esp</protocol>
>                 <encryption-algorithm-option>blowfish</encryption-algorithm-option>
>                 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
>                 <pfsgroup>2</pfsgroup>
>                 <lifetime>86400</lifetime>
>             </p2>
>             <descr>VPN Link :: Burwell</descr>
>         </tunnel>
>         <enable/>
>     </ipsec>
> 
> Site A IPSec config.xml
>     <ipsec>
>         <enable/>
>         <tunnel>
>             <interface>wan</interface>
>             <local-subnet>
>                 <network>lan</network>
>             </local-subnet>
>             <remote-subnet>192.168.3.0/24</remote-subnet>
>             <remote-gateway>217.35.92.253</remote-gateway>
>             <p1>
>                 <mode>aggressive</mode>
>                 <myident>
>                     <fqdn>router.burwell</fqdn>
>                 </myident>
>                 <encryption-algorithm>blowfish</encryption-algorithm>
>                 <hash-algorithm>sha1</hash-algorithm>
>                 <dhgroup>2</dhgroup>
>                 <lifetime>28800</lifetime>
>                 <pre-shared-key>mysharedkey</pre-shared-key>
>                 <private-key/>
>                 <cert/>
>                 <peercert/>
>                 <authentication_method>pre_shared_key</authentication_method>
>             </p1>
>             <p2>
>                 <protocol>esp</protocol>
>                 <encryption-algorithm-option>3des</encryption-algorithm-option>
>                 <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
>                 <pfsgroup>2</pfsgroup>
>                 <lifetime>86400</lifetime>
>             </p2>
>             <descr>IPSEC VPN Link :: Bathgate</descr>
>         </tunnel>
>     </ipsec>
> 
> Syslog Site B
> Oct 3 19:58:02    racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
> Oct 3 19:58:02    racoon: INFO: @(#)This product linked OpenSSL 0.9.7d-p1 17 Mar 2004 (http://www.openssl.org/)
> Oct 3 19:58:02    racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
> Oct 3 19:58:02    racoon: INFO: 192.168.3.254[500] used as isakmp port (fd=8)
> Oct 3 19:58:02    racoon: INFO: 217.35.92.253[500] used as isakmp port (fd=9)
> Oct 3 19:58:03    dhclient: bound to 217.35.92.253 -- renewal in 75326 seconds.
> Oct 3 19:58:18    dnsmasq[105]: reading /etc/resolv.conf
> Oct 3 19:58:18    dnsmasq[105]: using nameserver 194.72.0.114#53
> Oct 3 19:58:18    dnsmasq[105]: using nameserver 194.72.9.34#53
> Oct 3 19:59:28    racoon: INFO: IPsec-SA request for 82.16.105.143 queued due to no phase1 found.
> Oct 3 19:59:28    racoon: INFO: initiate new phase 1 negotiation: 217.35.92.253[500]<=>82.16.105.143[500]
> Oct 3 19:59:28    racoon: INFO: begin Aggressive mode.
> Oct 3 19:59:30    racoon: INFO: received Vendor ID: DPD
> Oct 3 19:59:30    racoon: WARNING: No ID match.
> Oct 3 19:59:30    racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Oct 3 19:59:30    racoon: INFO: ISAKMP-SA established 217.35.92.253[500]-82.16.105.143[500] spi:d841a4f7d27e0984:6bf3abc56f1bfab3
> Oct 3 19:59:31    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 19:59:31    /kernel: WARNING: pseudo-random number generator used for IPsec processing
> Oct 3 20:00:01    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:00:05    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:00:35    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:00:39    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:01:09    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:01:13    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:01:43    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:01:47    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:02:17    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:02:21    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:02:51    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:02:55    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:02:56    /usr/local/bin/ez-ipupdate[108]: members.dyndns.org says that your IP address has not changed since the last update
> Oct 3 20:02:56    /usr/local/bin/ez-ipupdate[108]: successful update for sis0->217.35.92.253 (impact.dyndns.org)
> Oct 3 20:03:25    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:03:29    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:03:59    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:04:03    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:04:33    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:04:37    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:05:07    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:05:11    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> Oct 3 20:05:41    racoon: ERROR: 82.16.105.143 give up to get IPsec-SA due to time up to wait.
> Oct 3 20:05:45    racoon: INFO: initiate new phase 2 negotiation: 217.35.92.253[0]<=>82.16.105.143[0]
> 
> - 
> Regards,
> 
> Paul Rae
> Business Development Director
> 
> t : 08454 599930
> m : 07769 654302
> e : paul at impacttrainingsolutions dot co dot uk
> 
> Impact Training Solutions
> 36 Reid Road
> Bathgate
> West Lothian, EH48 2TX
> 
> 
> 
> 
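The points in Eric's reply (phase 2 lifetime shorter than phase 1, main mode instead of aggressive) can be checked mechanically against the two config.xml fragments Paul quoted. What follows is an added example, not m0n0wall or racoon code and not from either poster: a Python lint over the `<ipsec>` fragment that flags aggressive mode, a phase 2 lifetime that is not shorter than phase 1, and a missing PFS group, and then compares the two ends for phase 1 parameters that must match and phase 2 proposals that must have at least one value in common (m0n0wall can list several `<encryption-algorithm-option>` elements, so they are treated as sets). The sample XML is constructed from the quoted configs, trimmed to the fields the lint reads, with the pre-shared key replaced; `HARDENED_P2_LIFETIME` of 3600 seconds is an assumed choice, not a value from the thread. The cross-site check only reports mismatches; it does not claim which setting, if any, broke the tunnel in the thread.

```python
"""Lint m0n0wall <ipsec> fragments for the points raised in the reply above.

Added example, not m0n0wall/racoon code. Samples are constructed from the two
quoted configs, trimmed, with the pre-shared key replaced by a placeholder.
"""
import xml.etree.ElementTree as ET

SITE_B_XML = """
<ipsec>
  <tunnel>
    <remote-gateway>82.16.105.143</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <encryption-algorithm>blowfish</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <pre-shared-key>REDACTED</pre-shared-key>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <pfsgroup>2</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
  </tunnel>
</ipsec>
"""

# As quoted in the thread, Site A differs from Site B only in the remote gateway
# and in the phase 2 cipher it proposes (3des instead of blowfish).
SITE_A_XML = SITE_B_XML.replace("82.16.105.143", "217.35.92.253").replace(
    "<encryption-algorithm-option>blowfish", "<encryption-algorithm-option>3des")

P1_FIELDS = ("encryption-algorithm", "hash-algorithm", "dhgroup")
HARDENED_P2_LIFETIME = 3600  # assumed choice: one hour, well under the 28800 s phase 1 lifetime


def _text(elem, tag):
    return (elem.findtext(tag) or "").strip().lower()


def _options(p2, tag):
    """All <tag> children of <p2>: m0n0wall may list several proposal options."""
    return {e.text.strip().lower() for e in p2.findall(tag) if e.text and e.text.strip()}


def lint_tunnel(tunnel):
    """Findings for one <tunnel>: aggressive mode, lifetime ordering, missing PFS."""
    p1, p2 = tunnel.find("p1"), tunnel.find("p2")
    findings = []
    if _text(p1, "mode") == "aggressive":
        findings.append("p1: aggressive mode sends the initiator's ID payload in the clear; use main mode")
    p1_life, p2_life = int(_text(p1, "lifetime") or 0), int(_text(p2, "lifetime") or 0)
    if p1_life and p2_life and p2_life >= p1_life:
        findings.append(f"p2: lifetime {p2_life}s is not shorter than p1 lifetime {p1_life}s")
    if not _text(p2, "pfsgroup"):
        findings.append("p2: no PFS group; IPsec keys are derived from the phase 1 secret alone")
    return findings


def lint_pair(xml_a, xml_b):
    """Lint both ends, then check p1 parameters match and p2 proposals overlap."""
    ta, tb = ET.fromstring(xml_a).find("tunnel"), ET.fromstring(xml_b).find("tunnel")
    report = {"a": lint_tunnel(ta), "b": lint_tunnel(tb), "pair": []}
    for tag in P1_FIELDS:  # phase 1 has a single value per side; they must be equal
        va, vb = _text(ta.find("p1"), tag), _text(tb.find("p1"), tag)
        if va != vb:
            report["pair"].append(f"p1 {tag} differs: {va!r} vs {vb!r}")
    for tag in ("encryption-algorithm-option", "hash-algorithm-option"):
        oa, ob = _options(ta.find("p2"), tag), _options(tb.find("p2"), tag)
        if not oa & ob:  # no proposal both sides would accept
            report["pair"].append(f"p2 {tag} has no common value: {sorted(oa)} vs {sorted(ob)}")
    return report


def harden(xml_text):
    """Copy of the fragment with main mode and a phase 2 lifetime shorter than phase 1."""
    root = ET.fromstring(xml_text)
    for tunnel in root.findall("tunnel"):
        p1, p2 = tunnel.find("p1"), tunnel.find("p2")
        mode = p1.find("mode")
        if mode is not None:
            mode.text = "main"
        if int(_text(p2, "lifetime") or 0) >= int(_text(p1, "lifetime") or 0):
            p2.find("lifetime").text = str(HARDENED_P2_LIFETIME)
    return ET.tostring(root, encoding="unicode")


def hardened_findings(xml_text):
    """Per-tunnel findings that remain after harden(); expected to be empty."""
    return lint_tunnel(ET.fromstring(harden(xml_text)).find("tunnel"))


if __name__ == "__main__":
    for side, items in lint_pair(SITE_A_XML, SITE_B_XML).items():
        for item in items:
            print(f"[{side}] {item}")
    print("Site B after harden():", hardened_findings(SITE_B_XML))
```

Run against the two quoted fragments, the per-side checks report aggressive mode and the reversed lifetimes on both ends, and the pair check reports that the phase 2 cipher proposals (3des on Site A, blowfish on Site B) have no value in common; `harden()` only addresses the two per-side points, so the pair finding stays until one side's proposal list is changed.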