 From:  "Andrew Cotter" <andrew dot cotter at somersetcapital dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Multiple IPSEC tunnels between two endpoints
 Date:  Fri, 27 Feb 2009 12:53:04 -0500
Hello,

I am trying to set up two IPSEC site-to-site tunnels between two locations.
The reason for the two tunnels is that the ranges of IP addresses are not able
to be combined in a single tunnel.  We want the LANs to be able to talk and the
iSCSI (Opt1) to be able to talk so our Equallogic SANs can replicate.  I can
get either of the two tunnels to connect properly when the other is
disabled, but as soon as I enable the second tunnel both drop and will not
come back regardless of what I try.

Here is the general config of what I have (scrubbed for real external IPs),
and keep in mind that the tunnels do work when individually running, so the
encryption settings, lifetime, key, etc. are correct.  Both IPSEC tunnels use
INTERFACE=WAN.  Pinging works fine with a single tunnel up.

We are using WatchGuard X500 boxes, both running 1.235 (generic-pc image).

SITE 1 - WG X500
-----
WAN: 64.252.1.1
LAN: 10.0.0.0/17
iSCSI: 172.16.30.0/24
(three other ports but not relevant for this)

SITE 2 - WG X500
-----
WAN: 64.252.2.2
LAN: 10.1.0.0/17
iSCSI: 172.16.40.0/24
(three other ports but not relevant for this)

The errors I see when I enable the second IPSEC VPN are as follows (newest first):

Feb 27 12:24:35  racoon: INFO: delete phase 2 handler.
Feb 27 12:24:35  racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 64.252.2.2[0]->64.252.1.1[0]
....
Feb 27 12:24:04  racoon: ERROR: HASH mismatched
Feb 27 12:24:04  racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 27 12:24:04  racoon: INFO: received Vendor ID: DPD
Feb 27 12:24:04  racoon: INFO: begin Aggressive mode.
Feb 27 12:24:04  racoon: INFO: initiate new phase 1 negotiation: 64.252.1.1[500]<=>64.252.2.2[500]
Feb 27 12:24:04  racoon: INFO: IPsec-SA request for 64.252.2.2 queued due to no phase1 found.
Feb 27 12:23:44  racoon: INFO: ISAKMP-SA deleted 64.252.1.1[500]-64.252.2.2[500] spi:679e84ed3d3441b8:39182976d3dc27b8
Feb 27 12:23:43  racoon: INFO: purged ISAKMP-SA spi=679e34eded3441b8:39182974d3dc27b8.
Feb 27 12:23:43  racoon: INFO: purged IPsec-SA spi=245980085.
Feb 27 12:23:43  racoon: INFO: purging ISAKMP-SA spi=679e84cded3441b8:39182976d3dc17b8.
Feb 27 12:23:42  racoon: INFO: purged IPsec-SA proto_id=ESP spi=185365844.


I see some old posts about sainfo, particularly
http://m0n0.ch/wall/list/showmsg.php?id=160/30, but I would need this to
survive a reboot.

Any insight as to what I can do to work around this?

Thanks in advance!

Andrew
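Editor's note: the "sainfo" threads Andrew refers to describe the usual racoon way of carrying more than one subnet pair between the same two gateways. racoon keys its phase 1 (ISAKMP SA) and pre-shared key lookup on the peer address, so the peer is declared once in a single `remote` block and each subnet pair gets its own `sainfo` block underneath that one phase 1. The fragment below is an added illustration of that layout for Site 1, written by the editor; it is not Andrew's configuration, not the file m0n0wall 1.235 generates, and it does not claim that this is the cause of the failure he sees. The cipher, hash, DH group, lifetimes and the psk.txt path are placeholders to be replaced with the settings of the tunnel that already works.

```conf
# Site 1 (64.252.1.1) racoon.conf, added example only.
# Assumptions: pre-shared key auth, aggressive mode as in the posted log,
# and one psk.txt line of the form "64.252.2.2 <secret>".

path pre_shared_key "/var/etc/psk.txt";   # assumed path

# ONE phase 1 definition for the peer. A second "remote 64.252.2.2" block
# for the other subnet pair is exactly what this layout avoids.
remote 64.252.2.2 {
        exchange_mode aggressive;          # as in the log; main mode is the better choice with fixed IPs
        my_identifier address 64.252.1.1;
        peers_identifier address 64.252.2.2;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        dpd_delay 10;                      # the peer advertises the DPD vendor ID in the log

        proposal {
                encryption_algorithm 3des;           # placeholder
                hash_algorithm sha1;                 # placeholder
                authentication_method pre_shared_key;
                dh_group 2;                          # placeholder
                lifetime time 28800 sec;             # placeholder
        }
}

# Phase 2 selector 1: LAN <-> LAN
sainfo address 10.0.0.0/17 any address 10.1.0.0/17 any {
        encryption_algorithm 3des;                   # placeholder
        authentication_algorithm hmac_sha1;          # placeholder
        compression_algorithm deflate;
        pfs_group 2;                                 # placeholder
        lifetime time 3600 sec;                      # placeholder
}

# Phase 2 selector 2: iSCSI (OPT1) <-> iSCSI (OPT1), same phase 1 above
sainfo address 172.16.30.0/24 any address 172.16.40.0/24 any {
        encryption_algorithm 3des;                   # placeholder
        authentication_algorithm hmac_sha1;          # placeholder
        compression_algorithm deflate;
        pfs_group 2;                                 # placeholder
        lifetime time 3600 sec;                      # placeholder
}

# The kernel SPD needs one in/out pair per selector as well (setkey syntax):
#   spdadd 10.0.0.0/17     10.1.0.0/17     any -P out ipsec esp/tunnel/64.252.1.1-64.252.2.2/unique;
#   spdadd 10.1.0.0/17     10.0.0.0/17     any -P in  ipsec esp/tunnel/64.252.2.2-64.252.1.1/unique;
#   spdadd 172.16.30.0/24  172.16.40.0/24  any -P out ipsec esp/tunnel/64.252.1.1-64.252.2.2/unique;
#   spdadd 172.16.40.0/24  172.16.30.0/24  any -P in  ipsec esp/tunnel/64.252.2.2-64.252.1.1/unique;
```

Site 2 needs the mirror image (remote 64.252.1.1, the sainfo source/destination networks swapped, the SPD directions reversed). When checking a candidate config against the posted log, the thing to watch for is that racoon logs a single "initiate new phase 1 negotiation" for the peer and then two IPsec-SA establishments under it, rather than queueing a second phase 2 behind a phase 1 that never completes. Whether m0n0wall 1.235 can be made to emit this layout persistently rather than by hand-editing the generated file is the open question in Andrew's post and is not answered here.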