 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] need help with DMZ setup, and broken ipsec tunnels
 Date:  Wed, 3 Mar 2004 14:53:21 -0500
On Wed, Mar 03, 2004 at 02:16:52PM -0500, Jim Gifford wrote:
> A little background:
> I've been playing with lots of the features of
> m0n0wall, and testing various configurations, using a cable modem and
> a dsl connection in my home for several months now.  The cable modem
> connection provides the IP address via DHCP, and tends to change the IP
> only when the DHCP client is offline for a few days.  The DSL provides
> the IP address via PPPoE, and they like to change the IP address within
> a 2 to 4 week period of time.
> Pre-1.0 release, I had an IPSec tunnel working between the cable modem
> and the DSL.  I even upgraded the 4801 on the cable modem connection over
> the VPN connection.  This worked great, and the VPN kept working after
> the upgrade.  The DSL end was a 4511-20, and wouldn't upgrade due to
> insufficient memory.  I downloaded the configuration, and plugged in the
> test 4801 as a replacement for the 4511, and restored the configuration
> to it.  Everything seemed to be fine.  I don't remember if I tested the
> IPSec tunnel at that point or not.
> I later unconfigured that IPSec tunnel while I was trying to configure
> IPSec to a FreeBSD machine I have at a colo facility.  I was never
> successful getting that to work, and sent an email to this list asking
> for help but never got any helpful response.
> Fast forward to this weekend:

[...DMZ problems removed...]

> I finally got tired of standing in front of the keyboard and monitor of
> this setup in a cigarette smoke filled room, and tried to set up an IPSec
> tunnel back to my DSL line so I could work from my laptop at home to get
> this working.  I followed the same options I did when I first set up the
> IPSec tunnel between my cable and dsl connection, with no joy.  I also
> set up a temporary inbound nat of port 22 on the WAN address to go to the
> DMZ host, and also another rule to permit all DMZ addresses full access
> to the LAN addresses (so I can access the m0n0wall web gui remotely).
> After having no luck getting the IPSec tunnel going between the T1
> connected m0n0wall and my DSL connection, I tried to delete everything to
> do with that connection and create a new tunnel between the cable modem
> and the dsl modem again.  When that didn't work, I tried cable modem to
> T1 machine, again with no luck.  I tried all the different options
> available in the GUI, making sure both ends matched, and still no
> luck.  Since this was so trivial the first time I did it, I think
> something in 1.0 (which all these machines are using) must be broken for
> creating new IPSec tunnels.
> This is the IPSec error I keep getting:
>     racoon: ERROR: pfkey.c:741:pfkey_timeover(): give up to
>     get IPsec-SA due to time up to wait.

Going with the theory that a tunnel newly set up might function
differently than one in a stored config file, I dug up an old config file
from when ipsec was working fine for me between the dsl and cable.  I
changed the IP addresses to match the current config, downloaded each
m0n0wall system's config.xml, replaced the <ipsec>...</ipsec> sections
with the ones I just hacked up, restored, waited for reboot, and the
tunnel works again.

I might be able to follow this same procedure to get the tunnel working
between these 2 m0n0wall boxes and the 3rd box.

I wish I had a diff of the config from a 1.0 gui created config vs a
manually created config.  I'll keep experimenting and see if I can track
down the differences.

I'm still having all kinds of problems with the DMZ stuff though.
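The config.xml surgery described in the message above, as an added example that is not part of the original post or of m0n0wall itself: it lifts the <ipsec> section out of an old working config, rewrites the stale peer addresses, drops it into the current config in place of the GUI-generated section, and produces the diff of the two sections that the author wishes he had. The sample configs, the placeholder addresses and the element names inside <ipsec> are constructed assumptions; only the <ipsec> wrapper element comes from the post.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed sample configs, not real m0n0wall files. The <tunnel> layout
# inside <ipsec> is an assumption; addresses are documentation placeholders.
OLD_WORKING = """<m0n0wall>
  <system><hostname>dsl-box</hostname></system>
  <ipsec>
    <tunnel>
      <remote-gateway>198.51.100.10</remote-gateway>
      <p1mode>aggressive</p1mode>
    </tunnel>
  </ipsec>
</m0n0wall>"""

CURRENT_GUI = """<m0n0wall>
  <system><hostname>dsl-box</hostname></system>
  <ipsec>
    <tunnel>
      <remote-gateway>203.0.113.7</remote-gateway>
      <p1mode>main</p1mode>
    </tunnel>
  </ipsec>
</m0n0wall>"""

def ipsec_text(xml_str):
    """Serialised <ipsec> element of a config, or '' if the config has none."""
    node = ET.fromstring(xml_str).find("ipsec")
    return ET.tostring(node, encoding="unicode") if node is not None else ""

def diff_ipsec(gui_xml, manual_xml):
    """Unified diff of the two <ipsec> sections (GUI-created vs. hand-restored)."""
    return list(difflib.unified_diff(ipsec_text(gui_xml).splitlines(),
                                     ipsec_text(manual_xml).splitlines(),
                                     "gui", "manual", lineterm=""))

def swap_ipsec_section(current_xml, old_xml, ip_map):
    """Replace <ipsec> in current_xml with the one from old_xml, rewriting any
    stale addresses found in text nodes via ip_map (old address -> new address)."""
    current = ET.fromstring(current_xml)
    old_ipsec = ET.fromstring(old_xml).find("ipsec")
    if old_ipsec is None:
        raise ValueError("old config has no <ipsec> section")
    for el in old_ipsec.iter():
        if el.text and el.text.strip() in ip_map:
            el.text = ip_map[el.text.strip()]
    existing = current.find("ipsec")
    idx = list(current).index(existing) if existing is not None else len(current)
    if existing is not None:            # keep the section at its original position
        current.remove(existing)
    current.insert(idx, old_ipsec)
    return ET.tostring(current, encoding="unicode")
```

Run `diff_ipsec` on the GUI-created and hand-restored files to see exactly which keys differ before trusting the swapped section.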