On Wed, Mar 03, 2004 at 02:16:52PM -0500, Jim Gifford wrote:
> A little background:
> I've been playing with lots of the features of
> m0n0wall, and testing various configurations, using a cable modem and
> a dsl connection in my home for several months now. The cable modem
> connection provides the IP address via DHCP, and tends to change the IP
> only when the DHCP client is offline for a few days. The DSL provides
> the IP address via PPPoE, and they like to change the IP address within
> a 2 to 4 week period of time.
> Pre-1.0 release, I had an IPSec tunnel working between the cable modem
> and the DSL. I even upgraded the 4801 on the cable modem connection over
> the VPN connection. This worked great, and the VPN kept working after
> the upgrade. The DSL end was a 4511-20, and wouldn't upgrade due to
> insufficient memory. I downloaded the configuration, and plugged in the
> test 4801 as a replacement for the 4511, and restored the configuration
> to it. Everything seemed to be fine. I don't remember if I tested the
> IPSec tunnel at that point or not.
> I later unconfigured that IPSec tunnel while I was trying to configure
> IPSec to a FreeBSD machine I have at a colo facility. I was never
> successful getting that to work, and sent an email to this list asking
> for help but never got any helpful response.
> Fast forward to this weekend:
[...DMZ problems removed...]
> I finally got tired of standing in front of the keyboard and monitor of
> this setup in a cigarette smoke filled room, and tried to set up a IPSec
> tunnel back to my DSL line so I could work from my laptop at home to get
> this working. I followed the same options I did when I first set up the
> IPSec tunnel between my cable and dsl connection, with no joy. I also
> set up a temporary inbound nat of port 22 on the WAN address to go to the
> DMZ host, and also another rule to permit all DMZ addresses full access
> to the LAN addresses (so I can access the m0n0wall web gui remotely).
> After having no luck getting the IPSec tunnel going between the T1
> connected m0n0wall and my DSL connection, I tried to delete everything to
> do with that connection and create a new tunnel between the cable modem
> and the dsl modem again. When that didn't work, I tried cable modem to
> T1 machine, again with no luck. I tried all the different options
> available in the GUI, making sure both ends matched well, and still no
> luck. Since this was so trivial the first time I did it, I think
> something in 1.0 (which all these machines are using) must be broken for
> creating new IPSec tunnels.
> This is the IPSec error I keep getting:
> racoon: ERROR: pfkey.c:741:pfkey_timeover(): 188.8.131.52 give up to
> get IPsec-SA due to time up to wait.
Going with the theory that a tunnel newly set up might function
differently than one in a stored config file, I dug up an old config file
from when ipsec was working fine for me between the dsl and cable. I
changed the IP addresses to match the current config, downloaded each
m0n0wall system's config.xml, replaced the <ipsec>...</ipsec> sections
with the ones I just hacked up, restored, waited for reboot, and the
tunnel works again.
I might be able to follow this same procedure to get the tunnel working
between these 2 m0n0wall boxes and the 3rd box.
I wish I had a diff of the config from a 1.0 gui created config vs a
manually created config. I'll keep experimenting and see if I can track
down the differences.
I'm still having all kinds of problems with the DMZ stuff though.
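The config.xml surgery described in this message (swap the <ipsec> section from a known-good config into the current one, rewriting the IP addresses) and the wished-for diff of the two sections can both be scripted. The following is an added example, not code from the list or from m0n0wall; the two sample configs are constructed inline and the element names under <ipsec> are assumptions, not m0n0wall's real schema.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed sample: the old config from when the tunnel worked (stale peer IP).
OLD_WORKING = """<m0n0wall>
  <system><hostname>cable</hostname></system>
  <ipsec>
    <tunnel>
      <remote-gateway>192.0.2.10</remote-gateway>
      <p1><mode>main</mode></p1>
    </tunnel>
  </ipsec>
</m0n0wall>"""

# Constructed sample: the current GUI-created config (correct peer IP, tunnel failing).
CURRENT = """<m0n0wall>
  <system><hostname>cable</hostname></system>
  <ipsec>
    <tunnel>
      <remote-gateway>198.51.100.7</remote-gateway>
      <p1><mode>aggressive</mode></p1>
    </tunnel>
  </ipsec>
</m0n0wall>"""


def transplant_ipsec(working_xml, target_xml, ip_map):
    """Return target config with its <ipsec> block replaced by the working one,
    after rewriting any element text found in ip_map (old IP -> new IP)."""
    src, dst = ET.fromstring(working_xml), ET.fromstring(target_xml)
    new_ipsec, old_ipsec = src.find("ipsec"), dst.find("ipsec")
    if new_ipsec is None or old_ipsec is None:
        raise ValueError("both configs need an <ipsec> section")
    for el in new_ipsec.iter():  # update peer addresses that changed since then
        if el.text and el.text.strip() in ip_map:
            el.text = ip_map[el.text.strip()]
    idx = list(dst).index(old_ipsec)  # keep the section in its original position
    dst.remove(old_ipsec)
    dst.insert(idx, new_ipsec)
    return ET.tostring(dst, encoding="unicode")


def diff_ipsec(xml_a, xml_b):
    """Return only the changed lines between the two configs' <ipsec> sections."""
    a = ET.tostring(ET.fromstring(xml_a).find("ipsec"), encoding="unicode").splitlines()
    b = ET.tostring(ET.fromstring(xml_b).find("ipsec"), encoding="unicode").splitlines()
    return [ln for ln in difflib.unified_diff(a, b, "gui", "restored", lineterm="")
            if ln[:1] in "+-" and not ln.startswith(("+++", "---"))]
```

Restore the returned XML through the m0n0wall backup/restore page as in the message; the diff shows which GUI-written setting differs from the hand-built section.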