 From:  Lee Sharp <leesharp at hal dash pc dot org>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Multiple IPSEC tunnels between two endpoints
 Date:  Fri, 27 Feb 2009 12:07:27 -0600
You only need one tunnel, and appropriate routes and rules.  The tunnel 
is between the core router and the core router.

             Lee

Andrew Cotter wrote:
> Hello,
> 
> I am trying to set up two IPSEC site-to-site tunnels between two locations.
> The reason for the two tunnels is that the IP address ranges cannot be
> combined in a single tunnel.  We want the LANs to be able to talk and the
> iSCSI (Opt1) to be able to talk so our EqualLogic SANs can replicate.  I can
> get either of the two tunnels to connect properly when the other is
> disabled, but as soon as I enable the second tunnel both drop and will not
> come back regardless of what I try.
> 
> Here is the general config of what I have (scrubbed for real external IPs);
> keep in mind that the tunnels do work when running individually, so the
> encryption setting, lifetime, key, etc. are correct.  Both IPSEC tunnels use
> INTERFACE=WAN.  Pinging works fine with a single tunnel up.
> 
> We are using WatchGuard X500 boxes, both running 1.235 (generic-pc image).
> 
> SITE 1 - WG X500
> -----
> WAN: 64.252.1.1
> LAN: 10.0.0.0/17
> iSCSI: 172.16.30.0/24
> (three other ports but not relevant for this)
> 
> SITE 2 - WG X500
> -----
> WAN: 64.252.2.2
> LAN: 10.1.0.0/17
> iSCSI: 172.16.40.0/24
> (three other ports but not relevant for this)
> 
> The errors I see when I enable the second IPSEC VPN are as follows:
> 
> Feb 27 12:24:35  racoon: INFO: delete phase 2 handler.
> Feb 27 12:24:35  racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 64.252.2.2[0]->64.252.1.1[0]
> ....
> Feb 27 12:24:04  racoon: ERROR: HASH mismatched
> Feb 27 12:24:04  racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Feb 27 12:24:04  racoon: INFO: received Vendor ID: DPD
> Feb 27 12:24:04  racoon: INFO: begin Aggressive mode.
> Feb 27 12:24:04  racoon: INFO: initiate new phase 1 negotiation: 64.252.1.1[500]<=>64.252.2.2[500]
> Feb 27 12:24:04  racoon: INFO: IPsec-SA request for 64.252.2.2 queued due to no phase1 found.
> Feb 27 12:23:44  racoon: INFO: ISAKMP-SA deleted 64.252.1.1[500]-64.252.2.2[500] spi:679e84ed3d3441b8:39182976d3dc27b8
> Feb 27 12:23:43  racoon: INFO: purged ISAKMP-SA spi=679e34eded3441b8:39182974d3dc27b8.
> Feb 27 12:23:43  racoon: INFO: purged IPsec-SA spi=245980085.
> Feb 27 12:23:43  racoon: INFO: purging ISAKMP-SA spi=679e84cded3441b8:39182976d3dc17b8.
> Feb 27 12:23:42  racoon: INFO: purged IPsec-SA proto_id=ESP spi=185365844.
> 
> 
> I see some old posts about sainfo, particularly
> http://m0n0.ch/wall/list/showmsg.php?id=160/30 but I would need this to
> survive a reboot.  
> 
> Any insight as to what I can do to work around this?
> 
> Thanks in advance!
> 
> Andrew
> 
> 
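What Lee's "one tunnel, and appropriate routes and rules" looks like at the racoon/setkey layer, as an added example written for this thread (it is not the configuration m0n0wall 1.235 generates and not code from either poster): a single phase 1 to the peer, then one phase 2 selector (sainfo) and one SPD pair per subnet pair, all riding that one ISAKMP SA. The addresses are the scrubbed ones from Andrew's post; the PSK file path, the cipher and DH choices and the lifetimes are assumptions and should be replaced with whatever already works for the single-tunnel case. Site 2 is the mirror image (swap the WAN addresses and the subnet order). Both files are shown in one block.

```conf
# ---- /var/etc/racoon.conf on SITE 1 (WAN 64.252.1.1), peer = SITE 2 (64.252.2.2) ----
# Added example, hand-written; assumed path and file layout, not m0n0wall's generated file.
path pre_shared_key "/var/etc/psk.txt";   # assumed; one line: "64.252.2.2 <shared-secret>"

# Exactly ONE phase 1 (ISAKMP SA) per peer address.  Two separate "tunnels" to
# the same peer mean two "remote" blocks for the same address; racoon looks the
# PSK and the phase 1 parameters up by peer address, so only one of them can
# ever match.  With a single block the lookup is unambiguous.
remote 64.252.2.2 {
        # main mode first: with static WAN addresses on both ends there is no
        # reason to use aggressive mode, which sends the PSK-derived hash in the
        # clear.  aggressive is kept only to accept the peer's current setting.
        exchange_mode main, aggressive;
        my_identifier address 64.252.1.1;
        peers_identifier address 64.252.2.2;
        proposal_check obey;
        lifetime time 28800 sec;          # assumed
        proposal {
                encryption_algorithm 3des;      # assumed; match the working tunnel
                hash_algorithm sha1;            # assumed
                authentication_method pre_shared_key;
                dh_group 2;                     # assumed
        }
}

# One phase 2 (IPsec SA) per subnet pair.  Both share the phase 1 above; this is
# the "one tunnel" carrying both LAN-to-LAN and iSCSI-to-iSCSI traffic.
sainfo address 10.0.0.0/17 any address 10.1.0.0/17 any {
        pfs_group 2;                            # assumed
        lifetime time 3600 sec;                 # assumed
        encryption_algorithm 3des;              # assumed
        authentication_algorithm hmac_sha1;     # assumed
        compression_algorithm deflate;
}
sainfo address 172.16.30.0/24 any address 172.16.40.0/24 any {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# ---- SPD on SITE 1, loaded with: setkey -f /var/etc/spd.conf (assumed path) ----
# These are the "routes": which traffic must be steered into the tunnel.
# Each subnet pair needs an out and an in policy; the tunnel endpoints are
# the same WAN addresses in every entry, because it is the same tunnel.
flush;
spdflush;
spdadd 10.0.0.0/17     10.1.0.0/17     any -P out ipsec esp/tunnel/64.252.1.1-64.252.2.2/require;
spdadd 10.1.0.0/17     10.0.0.0/17     any -P in  ipsec esp/tunnel/64.252.2.2-64.252.1.1/require;
spdadd 172.16.30.0/24  172.16.40.0/24  any -P out ipsec esp/tunnel/64.252.1.1-64.252.2.2/require;
spdadd 172.16.40.0/24  172.16.30.0/24  any -P in  ipsec esp/tunnel/64.252.2.2-64.252.1.1/require;
```

Two things to check against the posted log. "couldn't find the proper pskey, try to get one by the peer's address" followed by "HASH mismatched" is racoon failing to authenticate the phase 1 because the key or identity it resolved for 64.252.2.2 is not the one the peer used; with a single remote block and a single PSK line per peer there is only one candidate, so this ambiguity goes away. Second, the SPD above deliberately does not cover LAN-to-iSCSI traffic across sites (10.0.0.0/17 to 172.16.40.0/24 and the like); if that is wanted, it needs its own sainfo and spdadd pair, and the firewall rules on both ends must permit it as well.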