 From:  Francesco Peeters <francesco at fampeeters dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: IPsec VPN from SonicWALL XPRS (Standard mode behind NAT) to m0n0wall...
 Date:  Fri, 11 Sep 2009 12:55:37 +0200
Francesco Peeters wrote:
> Hi all,
>
> I have a question:
> I have to set up a tunnel between a SonicWALL XPRS in standard mode and
> m0n0wall, and it partially works.
>
> The SNWL shows the tunnel as up
> The m0n0wall shows the correct SPDs and SPAs
> The log shows some info on not finding the correct ID, trying by IP
> instead, but then does seem to work (unfortunately this info has already
> scrolled out of the logs, and I am currently unable to test again, due
> to the fact the SNWL is unreachable for remote mgmt, being behind NAT).
>
> Tracing on the SNWL shows data *is* being sent towards the m0n0wall, but
> no data is coming back.
> (A similar VPN between another SNWL (in NAT mode, directly connected to
> the Internet) and the m0n0wall *is* passing data!)
>
> The firewall rules for IPsec are set up (for now) to allow *and* log
> everything, but nothing shows up in the firewall log. (Not even for the
> VPNs that DO work!)
>
> Has anyone set up a similar scenario, and if so, any suggestions?
>
> PS: The m0n0wall replaces a SNWL TZ170 that died. The connection between
> the XPRS and TZ170 worked ok, so it is not likely anything in the
> NATting router that prevents this from working...
>
> TIA & BRgds,
>   
Found the logs in my syslog server (D'oh!):

Sep 10 16:04:32 m0n0wall.akpfin.com racoon: INFO: respond new phase 1
negotiation: 11.222.33.444[500]<=>55.666.777.88[10015]
Sep 10 16:04:32 m0n0wall.akpfin.com racoon: INFO: begin Identity
Protection mode.
Sep 10 16:04:32 m0n0wall.akpfin.com racoon: INFO: received Vendor ID:
draft-ietf-ipsec-nat-t-ike-00
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: INFO: received Vendor ID:
draft-ietf-ipsra-isakmp-xauth-06.txt
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: WARNING: No ID match.
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: INFO: ISAKMP-SA established
11.222.33.444[500]-55.666.777.88[10015]
spi:c5c03e693299944e:740982d34dd4239f
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: INFO: respond new phase 2
negotiation: 11.222.33.444[500]<=>55.666.777.88[10015]
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: INFO: IPsec-SA established:
ESP/Tunnel 55.666.777.88[0]->11.222.33.444[0] spi=215970191(0xcdf718f)
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: INFO: IPsec-SA established:
ESP/Tunnel 11.222.33.444[0]->55.666.777.88[0] spi=3237724971(0xc0fbc32b)

11.222.33.444 = m0n0wall
55.666.777.88 = public (NATted) IP of SNWL XPRS
(And yes, I am aware these anonymized IP addresses are impossible IRL!)

-- 
Francesco
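An added triage helper, not part of the post or of m0n0wall/racoon, that reads the racoon lines quoted above (re-joined onto one line each, with the post's own anonymized addresses) and pulls out what a troubleshooter wants to see: the NAT evidence (peer IKE port other than 500, NAT-T vendor ID), the "No ID match" warning, and which SAs actually came up.

```python
import re

# Constructed sample: the racoon lines from the post, one log record per line.
# The addresses are the post's deliberately impossible anonymized values.
SAMPLE_LOG = """\
Sep 10 16:04:32 m0n0wall.akpfin.com racoon: INFO: respond new phase 1 negotiation: 11.222.33.444[500]<=>55.666.777.88[10015]
Sep 10 16:04:32 m0n0wall.akpfin.com racoon: INFO: begin Identity Protection mode.
Sep 10 16:04:32 m0n0wall.akpfin.com racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: WARNING: No ID match.
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: INFO: ISAKMP-SA established 11.222.33.444[500]-55.666.777.88[10015] spi:c5c03e693299944e:740982d34dd4239f
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: INFO: respond new phase 2 negotiation: 11.222.33.444[500]<=>55.666.777.88[10015]
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: INFO: IPsec-SA established: ESP/Tunnel 55.666.777.88[0]->11.222.33.444[0] spi=215970191(0xcdf718f)
Sep 10 16:04:33 m0n0wall.akpfin.com racoon: INFO: IPsec-SA established: ESP/Tunnel 11.222.33.444[0]->55.666.777.88[0] spi=3237724971(0xc0fbc32b)
"""

# [\d.]+ rather than a strict IPv4 pattern so the anonymized addresses still parse.
PEER_RE = re.compile(r"(?P<local>[\d.]+)\[(?P<lport>\d+)\]<=>(?P<remote>[\d.]+)\[(?P<rport>\d+)\]")
VID_RE = re.compile(r"received Vendor ID: (\S+)")
SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel ([\d.]+)\[\d+\]->([\d.]+)\[\d+\] spi=(\d+)")


def triage(log: str) -> dict:
    """Summarize one racoon negotiation: peer, NAT evidence, warnings, SAs."""
    out = {"remote": None, "remote_port": None, "vendor_ids": [], "warnings": [],
           "phase1_established": False, "esp_sas": []}
    for line in log.splitlines():
        if m := PEER_RE.search(line):          # phase 1 / phase 2 peer and UDP ports
            out["remote"], out["remote_port"] = m["remote"], int(m["rport"])
        if m := VID_RE.search(line):           # vendor IDs the peer announced
            out["vendor_ids"].append(m[1])
        if "WARNING: " in line:
            out["warnings"].append(line.split("WARNING: ", 1)[1])
        if "ISAKMP-SA established" in line:
            out["phase1_established"] = True
        if m := SA_RE.search(line):            # (src, dst, spi) of each ESP SA
            out["esp_sas"].append((m[1], m[2], int(m[3])))
    # Peer behind NAT: IKE arrived from a port other than 500, or NAT-T was offered.
    out["nat_t"] = (out["remote_port"] not in (None, 500)
                    or any("nat-t" in v for v in out["vendor_ids"]))
    return out


def findings(summary: dict) -> list:
    """Turn the summary into the points worth checking next."""
    notes = []
    if summary["nat_t"]:
        notes.append(f"peer {summary['remote']} negotiated from UDP port "
                     f"{summary['remote_port']}; NAT traversal is in play")
    if any(w.startswith("No ID match") for w in summary["warnings"]):
        notes.append("phase 1 identifier did not match the configured peer ID; "
                     "check the remote identifier setting on both ends")
    if summary["phase1_established"] and len(summary["esp_sas"]) == 2:
        notes.append("both ESP SAs are up, so one-way traffic is not an IKE failure")
    return notes
```

Run `findings(triage(SAMPLE_LOG))` to get the three observations for the log above; feed it a live syslog extract to triage a fresh negotiation the same way.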