 From:  "Ronni Jorgensen" <rhj underscore mail at rhj dot dk>
 To:  "'Jim Gifford'" <jim at giffords dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: RE: [m0n0wall] VPN ipsec m0n0 to m0n0
 Date:  Sat, 27 Mar 2004 12:30:55 +0100
Hi,

I have tried both AH and ESP, and neither of them is working!!
It still looks like the m0n0 with the public IP is denying the other one :(
PLEASE Help!

Ronni 

-----Original message-----
From: Jim Gifford [mailto:jim at giffords dot net] 
Sent: 20 March 2004 19:29
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: RE: [m0n0wall] VPN ipsec m0n0 to m0n0

No, AH is Authenticated Header, which means that there is a cryptographic
signature for the packet headers.  So, when the packet headers get rewritten
(that's what NAT does), it invalidates the cryptographic signature for the
header.  AH can't possibly work correctly behind NAT.

jim

On Sat, Mar 20, 2004 at 07:22:15PM +0100, Ronni Jørgensen wrote:
> I have forwarded all ports/ESP (AH doesn't work behind NAT!)!!
> 
> -----Original message-----
> From: Falcor [mailto:falcor at netassassin dot com]
> Sent: 20 March 2004 16:50
> To: Ronni Jorgensen
> Cc: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] VPN ipsec m0n0 to m0n0
> 
> you need to forward ESP to the m0n0wall.  UDP/TCP/ICMP are not needed 
> as the tunnel will be negotiated and established over ESP.  (You can 
> change this to AH if you want to.)
> 
> 
> Ronni Jorgensen wrote:
> 
> >Hi all
> >I have 2 m0n0walls, one with a static IP on the WAN port, and a 
> >second m0n0 behind a NAT router (also a static IP!)
> >---LAN---m0n0----WAN-------INTERNET-------WAN-----ROUTER----NAT----WAN----m0n0wall---LAN
> >
> >192.168.2.0/24----m0n0---80.122.254.21-----INTERNET-----212.242.22.21---ROUTER---10.0.0.0/24----m0n0wall---172.16.10.0
> >
> >I have forwarded all ports UDP/TCP/ICMP to the m0n0wall's WAN IP
> >(10.0.0.2).
> >But when I configured an IPsec connection between the 2 m0n0walls it's 
> >going bad! On the m0n0wall behind the NAT I get:
> >
> >"racoon: ERROR: isakmp.c:1776:isakmp_chkph1there(): phase2 
> >negotiation failed due to time up waiting for phase1. ESP
> >80.122.254.21->10.0.0.2"
> >- in the logfile. And 10.0.0.2 is not the WAN IP! So how can I get it 
> >working?
> >I also have tried to change the interface ("Select the 
> >interface for the local endpoint of this tunnel.") in the IPsec, to my 
> >LAN, but then the logfile is changing to 80.122.254.21->172.16.10.1 
> >(my LAN IP)
> >
> >Please help!
> >
> >  
> >
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
> 

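The AH-versus-ESP point Jim makes in the thread, as an added example that is not part of the thread, of m0n0wall or of racoon: a toy model of the integrity-check coverage of the two protocols. It builds a minimal IPv4 header, computes an AH-style ICV that covers the source and destination addresses (with the mutable TTL and checksum fields zeroed, as RFC 4302 prescribes), applies a source NAT rewrite like the router in Ronni's diagram would, and shows the AH check failing while an ESP-style ICV, which covers only the ESP header and payload, still verifies. The key, the packet layout, the truncated HMAC-SHA-256 standing in for the real ICV algorithm, and the absence of encryption on the ESP payload are all simplifications assumed for the demonstration; the addresses are borrowed from Ronni's diagram.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo key; a real SA key is negotiated by IKE, never hard-coded.
DEMO_KEY = b"constructed-demo-key-not-a-real-sa-key"

IPPROTO_ESP = 50
IPPROTO_AH = 51


def ipv4_header(src, dst, proto, ttl=64, ident=0x1234):
    """Build a minimal 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, ident, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )


def ah_icv(ip_hdr, payload):
    """AH-style ICV: HMAC over the IP header with mutable fields (TTL,
    header checksum) zeroed, plus the payload. Source and destination
    addresses are immutable fields and stay covered (RFC 4302 coverage)."""
    covered = bytearray(ip_hdr)
    covered[8] = 0              # TTL: mutable, zeroed before hashing
    covered[10:12] = b"\x00\x00"  # header checksum: mutable, zeroed
    return hmac.new(DEMO_KEY, bytes(covered) + payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_hdr_and_payload):
    """ESP-style ICV: HMAC over the ESP header and (here unencrypted) payload
    only; the outer IP header is not covered (RFC 4303 coverage)."""
    return hmac.new(DEMO_KEY, esp_hdr_and_payload, hashlib.sha256).digest()[:12]


def build_ah_packet(src, dst, payload):
    hdr = ipv4_header(src, dst, IPPROTO_AH)
    return hdr, payload, ah_icv(hdr, payload)


def build_esp_packet(src, dst, spi, seq, payload):
    hdr = ipv4_header(src, dst, IPPROTO_ESP)
    esp = struct.pack("!II", spi, seq) + payload  # SPI, sequence, payload
    return hdr, esp, esp_icv(esp)


def nat_rewrite(ip_hdr, new_src):
    """Source NAT as the router would do it: rewrite the source address and
    decrement the TTL. The checksum would be recomputed too; it is zero here."""
    h = bytearray(ip_hdr)
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[8] -= 1
    return bytes(h)


def verify_ah(ip_hdr, payload, icv):
    return hmac.compare_digest(ah_icv(ip_hdr, payload), icv)


def verify_esp(esp, icv):
    return hmac.compare_digest(esp_icv(esp), icv)


def demo():
    """Returns (AH verifies before NAT, AH verifies after NAT, ESP verifies after NAT)."""
    inner_wan = "10.0.0.2"        # m0n0wall WAN behind the NAT router
    router_public = "212.242.22.21"
    peer = "80.122.254.21"        # m0n0wall with the public IP
    payload = b"constructed demo payload"

    hdr, pl, icv = build_ah_packet(inner_wan, peer, payload)
    ah_before = verify_ah(hdr, pl, icv)
    ah_after = verify_ah(nat_rewrite(hdr, router_public), pl, icv)

    hdr2, esp, icv2 = build_esp_packet(inner_wan, peer, 0x1000, 1, payload)
    # The router rewrites hdr2 too, but the ESP ICV never covered it.
    nat_rewrite(hdr2, router_public)
    esp_after = verify_esp(esp, icv2)
    return ah_before, ah_after, esp_after


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Only the source-address rewrite breaks the AH check; the TTL decrement alone would not, because AH already excludes TTL from its coverage. ESP's ICV survives the rewrite, which is why the thread recommends ESP, but the NAT router still has to forward IP protocol 50 to the inner m0n0wall, as Falcor says, since ESP has no port for a port-forward rule to match on.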