Dave,
Your assumptions were correct; however, I did try what you said. No luck. I
can get either tunnel up when the other is disabled.
Is there an issue with two tunnels going to the same box?
                  ---IPSEC A---
M0n0 1 WAN IP ---|             |----- M0n0 2 WAN IP
                  ---IPSEC B---
Maybe I am missing something with the "My Identifier" field. On
m0n0 1/Tunnel 1
My Identifier = My IP Address
m0n0 1/Tunnel 2
My Identifier = (Tried the following and then some)
IP Address = {WAN IP}
Domain name = {resolveable domain to WAN IP}
Domain name = {something made up}
User FQDN = {user@resolvable domain for WAN IP}
User FQDN = {my email}
m0n0 2/Tunnel 1
My Identifier = My IP Address
m0n0 2/Tunnel 2
My Identifier = (Tried the following and then some)
IP Address = {WAN IP}
IP Address =
Domain name = {resolveable domain to WAN IP}
Domain name = {something made up}
User FQDN = {user@resolvable domain for WAN IP}
User FQDN = {my email}
If I am not to use "My IP Address", what should I be using? Both sides have
static IP addresses.
I am really at a loss here.
Thanks,
Andrew
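For readers hitting the same identifier question: the layout racoon itself expects when two address pairs must ride between one pair of static endpoints is a single phase 1 (one `remote` block per peer) carrying several phase 2 selectors (one `sainfo` block per address pair), rather than two phase 1 negotiations that both present "My IP Address" to the same peer. The fragment below is an added example for SITE 1 written by the editor, not the racoon.conf that m0n0wall generates from its GUI configuration; the addresses are the scrubbed ones from the thread, while the pre-shared key path, lifetimes, DH group and the AES/SHA1 choices are assumptions.

```conf
# Added example racoon.conf fragment for SITE 1 (WAN 64.252.1.1).
# Not the file m0n0wall writes for you; PSK path, lifetimes and
# algorithm choices are assumptions.
path pre_shared_key "/var/etc/psk.txt";   # assumed: one line "64.252.2.2 <secret>"

# One phase 1 (ISAKMP SA) to the peer. Both boxes have static WAN IPs,
# so main mode with plain address identifiers is sufficient; no FQDN or
# user-FQDN identifier is needed to tell the tunnels apart.
remote 64.252.2.2 {
        exchange_mode main;
        my_identifier address 64.252.1.1;
        peers_identifier address 64.252.2.2;
        proposal_check obey;
        lifetime time 28800 sec;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# Two phase 2 selectors under that single phase 1:
# LAN <-> LAN and iSCSI <-> iSCSI.
sainfo address 10.0.0.0/17 any address 10.1.0.0/17 any {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
sainfo address 172.16.30.0/24 any address 172.16.40.0/24 any {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

SITE 2 mirrors this with the local and peer addresses swapped. Each `sainfo` selector also needs its own pair of kernel SPD policies (`setkey spdadd`, in and out) or racoon is never asked to negotiate it. Since m0n0wall rewrites racoon.conf from its own configuration, a hand-edited file on the box is not persistent, which is the reboot concern raised later in the thread; the fragment is meant to show the target shape, not a permanent edit. AES is used here in place of the 3DES/Blowfish mix suggested in the thread because it is the stronger choice where both peers support it.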
> -----Original Message-----
> From: David Kitchens [mailto:spider at webweaver dot com]
> Sent: Saturday, February 28, 2009 7:39 PM
> To: 'Andrew Cotter'
> Subject: RE: [m0n0wall] Multiple IPSEC tunnels between two endpoints
>
> Andrew,
> So I have this straight: you need LAN1 to talk to LAN2 and
> iSCSI1 to talk to iSCSI2, correct? Does LAN1 need to talk to
> iSCSI2 at all, or vice versa? I wouldn't think so from your
> description. I'm not an IPsec expert by any means, but I've
> got some weird things working in the past. I would make two
> tunnels, one LAN to LAN and one iSCSI to iSCSI, but make the
> phase 1 identifiers different and use different encryption
> algorithms (3DES for LAN, Blowfish for iSCSI), use different keys,
> and then only check the box you need in phase 2 (3DES on
> LAN and Blowfish on iSCSI); do not leave them all checked.
> Using different hash algorithms in phase 2 as well may help. I do
> remember that my problems seemed to be close to yours, and by
> specifying different settings for each tunnel it finally worked.
>
> Dave
>
> -----Original Message-----
> From: Andrew Cotter [mailto:andrew dot cotter at somersetcapital dot com]
> Sent: Friday, February 27, 2009 12:53 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] Multiple IPSEC tunnels between two endpoints
>
> Hello,
>
> I am trying to set up two IPSEC site-to-site tunnels between
> two locations.
> The reason for the two tunnels is that the IP address ranges
> cannot be combined in a single tunnel. We want the
> LANs to be able to talk and the iSCSI (Opt1) to be able to
> talk so our Equallogic SANs can replicate. I can get either
> of the two tunnels to connect properly when the other is
> disabled, but as soon as I enable the second tunnel both drop
> and will not come back regardless of what I try.
>
> Here is the general config of what I have (scrubbed for real
> external IPs), and keep in mind that the tunnels do work when
> running individually, so the encryption settings, lifetime, key,
> etc. are correct. Both IPSEC tunnels use INTERFACE=WAN.
> Pinging works fine with a single tunnel up.
>
> We are using WatchGuard X500 boxes, both running 1.235
> (generic-pc image).
>
> SITE 1 - WG X500
> -----
> WAN: 64.252.1.1
> LAN: 10.0.0.0/17
> iSCSI: 172.16.30.0/24
> (three other ports but not relevant for this)
>
> SITE 2 - WG X500
> -----
> WAN: 64.252.2.2
> LAN: 10.1.0.0/17
> iSCSI: 172.16.40.0/24
> (three other ports but not relevant for this)
>
> The errors I see when I enable the second IPSEC VPN are as follows:
>
> Feb 27 12:24:35 racoon: INFO: delete phase 2 handler.
> Feb 27 12:24:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 64.252.2.2[0]->64.252.1.1[0] ....
> Feb 27 12:24:04 racoon: ERROR: HASH mismatched
> Feb 27 12:24:04 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> Feb 27 12:24:04 racoon: INFO: received Vendor ID: DPD
> Feb 27 12:24:04 racoon: INFO: begin Aggressive mode.
> Feb 27 12:24:04 racoon: INFO: initiate new phase 1 negotiation: 64.252.1.1[500]<=>64.252.2.2[500]
> Feb 27 12:24:04 racoon: INFO: IPsec-SA request for 64.252.2.2 queued due to no phase1 found.
> Feb 27 12:23:44 racoon: INFO: ISAKMP-SA deleted 64.252.1.1[500]-64.252.2.2[500] spi:679e84ed3d3441b8:39182976d3dc27b8
> Feb 27 12:23:43 racoon: INFO: purged ISAKMP-SA spi=679e34eded3441b8:39182974d3dc27b8.
> Feb 27 12:23:43 racoon: INFO: purged IPsec-SA spi=245980085.
> Feb 27 12:23:43 racoon: INFO: purging ISAKMP-SA spi=679e84cded3441b8:39182976d3dc17b8.
> Feb 27 12:23:42 racoon: INFO: purged IPsec-SA proto_id=ESP spi=185365844.
>
>
> I see some old posts about sainfo, particularly
> http://m0n0.ch/wall/list/showmsg.php?id=160/30 but I would
> need this to survive a reboot.
>
> Any insight as to what I can do to work around this?
>
> Thanks in advance!
>
> Andrew
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
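The racoon log quoted in the original message carries the whole story of the failure in three lines: the NOTIFY "couldn't find the proper pskey, try to get one by the peer's address" means racoon could not select a pre-shared key by the identifier the peer presented and fell back to the key filed under the peer's IP; the following "HASH mismatched" in aggressive mode is what a pre-shared key or identifier disagreement looks like at phase 1; and the phase 2 timeout "waiting for phase1" is just the consequence. The script below is an added example written for this page, not code from m0n0wall or racoon. It parses that kind of log, copes with the newest-first order in which the lines were pasted, and turns the symptom pattern into a verdict. SAMPLE_LOG is a constructed copy of the scrubbed lines from the thread, and the rule table is limited to the messages that appear there.

```python
"""Classify racoon (IKEv1) log output to explain why a tunnel will not come up.

Added example, not code from m0n0wall or racoon. SAMPLE_LOG is a constructed
copy of the scrubbed lines quoted in the thread (newest first, as pasted);
the rule table only covers the messages that occur there.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Feb 27 12:24:35 racoon: INFO: delete phase 2 handler.
Feb 27 12:24:35 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 64.252.2.2[0]->64.252.1.1[0]
Feb 27 12:24:04 racoon: ERROR: HASH mismatched
Feb 27 12:24:04 racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Feb 27 12:24:04 racoon: INFO: received Vendor ID: DPD
Feb 27 12:24:04 racoon: INFO: begin Aggressive mode.
Feb 27 12:24:04 racoon: INFO: initiate new phase 1 negotiation: 64.252.1.1[500]<=>64.252.2.2[500]
Feb 27 12:24:04 racoon: INFO: IPsec-SA request for 64.252.2.2 queued due to no phase1 found.
"""

# syslog-style prefix as m0n0wall shows it: "Mon DD HH:MM:SS racoon: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
PHASE1_RE = re.compile(
    r"initiate new phase 1 negotiation: (?P<local>[\d.]+)\[\d+\]<=>(?P<peer>[\d.]+)\[\d+\]"
)
MODE_RE = re.compile(r"begin (Aggressive|Identity Protection) mode")

# Symptom name -> regex on the message text (only messages seen in the thread).
SYMPTOM_RULES = {
    "psk_lookup_by_id_failed": re.compile(r"couldn't find the proper pskey"),
    "hash_mismatch": re.compile(r"HASH mismatched"),
    "phase2_timeout_no_phase1": re.compile(r"phase2 negotiation failed due to time up waiting for phase1"),
    "no_phase1_for_request": re.compile(r"queued due to no phase1 found"),
}


def parse_log(text):
    """Return the matching lines as dicts, oldest first.

    Syslog timestamps carry no year, so strptime's default year is fine for
    ordering. If the paste is newest-first (as in the thread) the list is
    reversed, which also keeps same-second lines in their true order.
    """
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not racoon log lines
        ev = m.groupdict()
        ev["when"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    if len(events) > 1 and events[0]["when"] > events[-1]["when"]:
        events.reverse()
    return events


def diagnose(text):
    """Summarise the IKE exchange: peers, phase 1 mode, symptom counts and a verdict."""
    events = parse_log(text)
    symptoms = Counter()
    result = {"local": None, "peer": None, "mode": None}
    for ev in events:
        msg = ev["msg"]
        if (m := PHASE1_RE.search(msg)):
            result["local"], result["peer"] = m.group("local"), m.group("peer")
        elif (m := MODE_RE.search(msg)):
            result["mode"] = m.group(1)
        else:
            for name, pattern in SYMPTOM_RULES.items():
                if pattern.search(msg):
                    symptoms[name] += 1
    result["symptoms"] = dict(symptoms)

    if symptoms["psk_lookup_by_id_failed"] and symptoms["hash_mismatch"]:
        result["verdict"] = (
            "phase 1 authentication failed: racoon found no pre-shared key for the "
            "peer's identifier and fell back to the key filed under the peer address; "
            "the HASH mismatch means that key (or the identifier) differs from what "
            "the peer used. With two tunnels to one address, make sure each side "
            "presents an identifier the other can map to the right key."
        )
    elif symptoms["hash_mismatch"]:
        result["verdict"] = "phase 1 HASH mismatch: pre-shared key or identifier differs between the peers."
    elif symptoms["phase2_timeout_no_phase1"] or symptoms["no_phase1_for_request"]:
        result["verdict"] = "phase 2 never started because no phase 1 SA was established."
    else:
        result["verdict"] = "no known failure signature in this log."
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the verdict for the thread's log, or pipe the IPsec log from the m0n0wall status page into `diagnose()`; lines that are not racoon messages are skipped. The rule table is deliberately small: extend it with the racoon messages you actually see before trusting it on other failures.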