Hello list,
We have two embedded routers running M0n0wall 1.31. The mobile
clients config (VPN: IPsec) is correct, and connected IPsec
mobile clients are able to send and receive traffic.
Although the 'Tunnels' section of the two routers is configured
according to the handbook and matches almost exactly the values in
the Mobile clients config, the tunnel is not working.
If I try to ping (Diagnostics menu) from one router with the LAN
address 192.168.10.0/24 to the other 192.168.13.0/24, I get no
answer:
<192.168.10.10>$ ping 192.168.13.8
No answer (host down)
Trying the same thing from my mobile IPSec client gives results:
<192.168.11.12>$ ping 192.168.13.8
64 bytes from 192.168.13.8: icmp_seq=0. time=27.155 ms
If anybody knows about the IPSec configuration of M0n0wall, please
tell me what is wrong with my config. Also, excuse me if I'm
enclosing too little or too much config.
Thanks,
Michael
racoon.conf:

remote 12.23.34.45 {
        exchange_mode aggressive;
        my_identifier address "98.87.76.65";
        peers_identifier address 12.23.34.45;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        dpd_delay 0;
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 28800 secs;
        }
        lifetime time 28800 secs;
}

sainfo address 192.168.13.0/24 any address 192.168.10.0/24 any {
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 86400 secs;
}

remote anonymous {
        exchange_mode aggressive;
        my_identifier address "98.87.76.65";
        nat_traversal on;
        initial_contact on;
        passive on;
        generate_policy on;
        support_proxy on;
        proposal_check obey;
        dpd_delay 0;
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
                lifetime time 28800 secs;
        }
        lifetime time 28800 secs;
}

sainfo anonymous {
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 2;
        lifetime time 86400 secs;
}
SPD:

192.168.13.0/24[any] 192.168.13.1[any] any
        in none
        spid=9 seq=3 pid=491
        refcnt=1
192.168.10.0/24[any] 192.168.13.0/24[any] any
        in ipsec
        esp/tunnel/12.23.34.45-98.87.76.65/unique#16390
        spid=12 seq=2 pid=491
        refcnt=1
192.168.13.1[any] 192.168.13.0/24[any] any
        out none
        spid=10 seq=1 pid=491
        refcnt=1
192.168.13.0/24[any] 192.168.10.0/24[any] any
        out ipsec
        esp/tunnel/98.87.76.65-12.23.34.45/unique#16389
        spid=11 seq=0 pid=491
        refcnt=1
Other XML config parts:

  <rule>
    <type>pass</type>
    <descr>Default IPsec VPN</descr>
    <interface>ipsec</interface>
    <source>
      <any/>
    </source>
    <destination>
      <any/>
    </destination>
  </rule>
  <tcpidletimeout/>
</filter>
<ipsec>
  <dns-interval/>
  <mobilekey>
    <ident>Something</ident>
    <pre-shared-key>xxxxx</pre-shared-key>
  </mobilekey>
  <mobileclients>
    <enable/>
    <natt/>
    <dpddelay/>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>blowfish</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <private-key/>
      <cert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <pfsgroup>2</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
  </mobileclients>
  <enable/>
  <tunnel>
    <dpddelay/>
    <interface>wan</interface>
    <local-subnet>
      <address>192.168.13.0/24</address>
    </local-subnet>
    <remote-subnet>192.168.10.0/24</remote-subnet>
    <remote-gateway>name1.host.com</remote-gateway>
    <p1>
      <mode>aggressive</mode>
      <myident>
        <myaddress/>
      </myident>
      <encryption-algorithm>blowfish</encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <pre-shared-key>xxxxx</pre-shared-key>
      <private-key/>
      <cert/>
      <peercert/>
      <authentication_method>pre_shared_key</authentication_method>
    </p1>
    <p2>
      <protocol>esp</protocol>
      <encryption-algorithm-option>blowfish</encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <pfsgroup>2</pfsgroup>
      <lifetime>86400</lifetime>
    </p2>
    <descr>Some description 1</descr>
  </tunnel>
</ipsec>
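A check worth running on an SPD dump like the one in the post, added here as an example and not part of the original message or of m0n0wall/racoon: parse the `setkey -DP` output, ask which policy a given packet would hit in each direction, and confirm that the site-to-site pair (the "out" policy for local -> remote and the "in" policy for remote -> local) exists, is an `ipsec` policy rather than `none`, and carries the tunnel endpoints in the right order (local gateway -> remote gateway on "out", reversed on "in"). The SPD text is a constructed copy of the dump above; the gateway and subnet arguments are the values from the post.

```python
"""Parse a `setkey -DP` SPD dump and check that a site-to-site tunnel's
policies are present and point at the right gateways (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the SPD dump from the post, re-typed here so the
# script runs offline. On a live box you would feed it `setkey -DP` output.
SPD_DUMP = """\
192.168.13.0/24[any] 192.168.13.1[any] any
    in none
    spid=9 seq=3 pid=491
    refcnt=1
192.168.10.0/24[any] 192.168.13.0/24[any] any
    in ipsec
    esp/tunnel/12.23.34.45-98.87.76.65/unique#16390
    spid=12 seq=2 pid=491
    refcnt=1
192.168.13.1[any] 192.168.13.0/24[any] any
    out none
    spid=10 seq=1 pid=491
    refcnt=1
192.168.13.0/24[any] 192.168.10.0/24[any] any
    out ipsec
    esp/tunnel/98.87.76.65-12.23.34.45/unique#16389
    spid=11 seq=0 pid=491
    refcnt=1
"""

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str = ""            # in / out / fwd
    action: str = ""               # ipsec / none / discard
    tunnel_src: Optional[str] = None
    tunnel_dst: Optional[str] = None
    spid: Optional[int] = None

HEADER_RE = re.compile(r"^(\S+)\[\S*\]\s+(\S+)\[\S*\]\s+\S+$")
DIR_RE = re.compile(r"^(in|out|fwd)\s+(\S+)$")
TUNNEL_RE = re.compile(r"^esp/tunnel/([\d.]+)-([\d.]+)/")
SPID_RE = re.compile(r"^spid=(\d+)")

def parse_spd(text: str) -> List[Policy]:
    """Turn the dump into Policy records, in the order setkey printed them."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:  # selector line "src[port] dst[port] proto"; a bare host becomes /32
            cur = Policy(ipaddress.ip_network(m.group(1), strict=False),
                         ipaddress.ip_network(m.group(2), strict=False))
            policies.append(cur)
        elif cur is None:
            continue
        elif DIR_RE.match(line):
            cur.direction, cur.action = DIR_RE.match(line).groups()
        elif TUNNEL_RE.match(line):
            cur.tunnel_src, cur.tunnel_dst = TUNNEL_RE.match(line).groups()
        elif SPID_RE.match(line):
            cur.spid = int(SPID_RE.match(line).group(1))
    return policies

def match_policy(policies, direction, src_ip, dst_ip) -> Optional[Policy]:
    """First policy (in dump order) whose selectors cover src_ip -> dst_ip
    travelling in `direction`; None means no policy applies to that packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p
    return None

def check_site_to_site(policies, local_net, remote_net, local_gw, remote_gw) -> List[str]:
    """Problems with the policy pair for local_net <-> remote_net. The 'out'
    policy must tunnel local_gw->remote_gw, the 'in' policy the reverse."""
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    want = {"out": (local, remote, local_gw, remote_gw),
            "in": (remote, local, remote_gw, local_gw)}
    problems = []
    for direction, (src, dst, tsrc, tdst) in want.items():
        hits = [p for p in policies if p.direction == direction and p.src == src and p.dst == dst]
        if not hits:
            problems.append(f"no '{direction}' policy for {src} -> {dst}")
        for p in hits:
            if p.action != "ipsec":
                problems.append(f"spid={p.spid}: '{direction}' policy is '{p.action}', not ipsec")
            elif (p.tunnel_src, p.tunnel_dst) != (tsrc, tdst):
                problems.append(f"spid={p.spid}: tunnel {p.tunnel_src}-{p.tunnel_dst}, expected {tsrc}-{tdst}")
    return problems

if __name__ == "__main__":
    pols = parse_spd(SPD_DUMP)
    for src, dst in (("192.168.10.10", "192.168.13.8"), ("192.168.11.12", "192.168.13.8")):
        print(src, "->", dst, "inbound:", match_policy(pols, "in", src, dst))
    print(check_site_to_site(pols, "192.168.13.0/24", "192.168.10.0/24",
                             "98.87.76.65", "12.23.34.45") or "site-to-site SPD looks consistent")
```

On the dump in the post this reports a consistent site-to-site pair, so the SPD is not where the fault lies; the packet from 192.168.10.10 would be accepted under spid=12 if an ESP SA existed. A correct SPD is necessary but not sufficient: the SAs themselves show up in `setkey -D`, and a phase 1 or phase 2 failure shows up in racoon's log, not in the SPD. The mobile client address (192.168.11.12) matches nothing here because, with `generate_policy on`, racoon installs those policies only while a client's phase 2 is up, so they are absent from a dump taken with no client connected.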