When I have set up VPNs between WatchGuard and monowalls I have had to make sure the lifetime or SA value is at 28800 every time.... it looks like maybe a timeout issue, have you checked these are all good?

rich

-----Original Message-----
From: Andrew Cotter [mailto:andrew dot cotter at somersetcapital dot com]
Sent: 27 February 2009 17:53
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Multiple IPSEC tunnels between two endpoints

Hello,

I am trying to set up two IPSEC site-to-site tunnels between two locations. The reason for the two tunnels is the range of IP addresses are not able to be combined in a single tunnel. We want the LANs to be able to talk and the iSCSI (Opt1) to be able to talk so our Equallogic SANs can replicate.

I can get either of the two tunnels to connect properly when the other is disabled, but as soon as I enable the second tunnel both drop and will not come back regardless of what I try.

Here is the general config of what I have (scrubbed for real external IPs) and keep in mind that the tunnels do work when individually running, so encryption setting, lifetime, key, etc. are correct. Both IPSEC tunnels use INTERFACE=WAN. Pinging works fine with a single tunnel up. We are using WatchGuard x500 boxes, both running 1.235 (generic-pc image).

SITE 1 - WG X500
-----
WAN: 64.252.1.1
LAN: 10.0.0.0/17
iSCSI: 172.16.30.0/24
(three other ports but not relevant for this)

SITE 2 - WG X500
-----
WAN: 64.252.2.2
LAN: 10.1.0.0/17
iSCSI: 172.16.40.0/24
(three other ports but not relevant for this)

The errors I see when I enable the second IPSEC VPN are as follows:

Feb 27 12:24:35 racoon: INFO: delete phase 2 handler.
Feb 27 12:24:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 64.252.2.2[0]->64.252.1.1[0]
....
Feb 27 12:24:04 racoon: ERROR: HASH mismatched
Feb 27 12:24:04 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 27 12:24:04 racoon: INFO: received Vendor ID: DPD
Feb 27 12:24:04 racoon: INFO: begin Aggressive mode.
Feb 27 12:24:04 racoon: INFO: initiate new phase 1 negotiation: 64.252.1.1[500]<=>64.252.2.2[500]
Feb 27 12:24:04 racoon: INFO: IPsec-SA request for 64.252.2.2 queued due to no phase1 found.
Feb 27 12:23:44 racoon: INFO: ISAKMP-SA deleted 64.252.1.1[500]-64.252.2.2[500] spi:679e84ed3d3441b8:39182976d3dc27b8
Feb 27 12:23:43 racoon: INFO: purged ISAKMP-SA spi=679e34eded3441b8:39182974d3dc27b8.
Feb 27 12:23:43 racoon: INFO: purged IPsec-SA spi=245980085.
Feb 27 12:23:43 racoon: INFO: purging ISAKMP-SA spi=679e84cded3441b8:39182976d3dc17b8.
Feb 27 12:23:42 racoon: INFO: purged IPsec-SA proto_id=ESP spi=185365844.

I see some old posts about sainfo, particularly http://m0n0.ch/wall/list/showmsg.php?id=160/30 but I would need this to survive a reboot.

Any insight as to what I can do to work around this?

Thanks in advance!
Andrew

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
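As an added illustration (not part of the thread or of m0n0wall), here is a small Python triage helper that parses racoon log lines of the kind pasted above, groups the phase 1 peer pair, and counts the symptoms that accompany the failed negotiation (pskey lookup fallback, HASH mismatch, phase 2 timing out on phase 1). The log sample is constructed from the lines quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the racoon lines quoted in the thread (newest first, as pasted)
RACOON_LOG = """\
Feb 27 12:24:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 64.252.2.2[0]->64.252.1.1[0]
Feb 27 12:24:04 racoon: ERROR: HASH mismatched
Feb 27 12:24:04 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 27 12:24:04 racoon: INFO: begin Aggressive mode.
Feb 27 12:24:04 racoon: INFO: initiate new phase 1 negotiation: 64.252.1.1[500]<=>64.252.2.2[500]
Feb 27 12:24:04 racoon: INFO: IPsec-SA request for 64.252.2.2 queued due to no phase1 found.
Feb 27 12:23:44 racoon: INFO: ISAKMP-SA deleted 64.252.1.1[500]-64.252.2.2[500] spi:679e84ed3d3441b8:39182976d3dc27b8
"""

# syslog prefix "Mon DD HH:MM:SS racoon: LEVEL: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) racoon: (?P<level>\w+): (?P<msg>.*)$")
# "a.b.c.d[port]<=>e.f.g.h[port]" as printed when racoon initiates phase 1
PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\[\d+\]<=>(\d+\.\d+\.\d+\.\d+)\[\d+\]")

# Substrings that mark the symptoms seen in the thread's log
SYMPTOMS = {
    "pskey_missing": "couldn't find the proper pskey",
    "hash_mismatch": "HASH mismatched",
    "p2_timeout": "phase2 negotiation failed due to time up waiting for phase1",
    "aggressive": "begin Aggressive mode",
}

def parse_racoon(text):
    """Return (timestamp, level, message) tuples for every well-formed racoon line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m["ts"], m["level"], m["msg"]))
    return out

def triage(text):
    """Count phase 1 attempts and symptoms; return peers, counts and a one-line verdict."""
    counts = defaultdict(int)
    peers = set()
    for _, _, msg in parse_racoon(text):
        m = PEER_RE.search(msg)
        if m:                      # one entry per phase 1 initiation, endpoints sorted
            peers.add(tuple(sorted(m.groups())))
            counts["phase1_attempts"] += 1
        for key, needle in SYMPTOMS.items():
            if needle in msg:
                counts[key] += 1
    verdict = "ok"
    if counts["pskey_missing"] and counts["hash_mismatch"]:
        verdict = "phase1 failed: pre-shared key lookup fell back to peer address, then HASH check failed"
    elif counts["p2_timeout"]:
        verdict = "phase2 gave up waiting for a phase1 that never completed"
    return {"peers": sorted(peers), "counts": dict(counts), "verdict": verdict}
```

Run `triage(RACOON_LOG)` on a pasted log to get the per-symptom counts; a pskey fallback followed by a HASH mismatch on the same peer pair points at phase 1 key or identity selection rather than at an SA lifetime.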