> It seems that the IPSec features of m0nowall are not usable until this
> issue is fixed.
I have the same problem, but not with mobile clients.
I have 2 sites connected via an IPsec VPN. Both tunnel ends use exactly
the same config (running 1.1b16).
If I manually reboot the remote IPSec gateway (to simulate a power loss,
for example), the tunnel is unable to re-establish itself. I have to
reboot *both* machines! If I reboot only one machine, it seems some
buggy persistent SA prevents racoon from going further.
Here are the logs:
Aug 2 11:37:27 racoon: INFO: isakmp.c:1368:isakmp_open(): W.X.Y.Z[500] used as isakmp port (fd=6)
Aug 2 11:37:27 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=7)
Aug 2 11:37:27 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.254[500] used as isakmp port (fd=8)
Aug 2 11:37:29 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for A.B.C.D queued due to no phase1 found.
Aug 2 11:37:29 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: W.X.Y.Z[500]<=>A.B.C.D[500]
Aug 2 11:37:29 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Aug 2 11:38:00 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP A.B.C.D->W.X.Y.Z
Aug 2 11:38:00 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
Aug 2 11:38:19 racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
Aug 2 11:38:30 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. 9535936735318ef2:0000000000000000
Aug 2 11:38:50 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP A.B.C.D->W.X.Y.Z
Aug 2 11:38:50 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
Aug 2 11:39:11 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for A.B.C.D queued due to no phase1 found.
And so on...
I first thought I had misconfigured the lifetime values (see my
previous posts), but it seems it works very well 24/24 if no machine has
to be rebooted. On the other hand, I can reproduce the error 80% of the
time.
Is anyone working on this? Is OpenVPN more stable and a better option
for m0n0wall?
Comments are welcome!
-- Vincent
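The failure pattern in the logs above (phase 1 initiated, never established, queued phase-2 requests timing out one after another) is easy to alert on from syslog. The following is an added example, not code from the post or from m0n0wall/racoon: it parses racoon's isakmp.c log lines, tallies per-peer phase-1 attempts, phase-1 timeouts and dropped phase-2 requests, and reports peers whose phase 1 is stuck. The sample input is the poster's own log re-joined onto one line per entry; the "healthy" sample and the "ISAKMP-SA established" line format it relies on are constructed from racoon's usual message wording and are assumptions, as is the attribution of an isakmp_ph1resend timeout (which only prints the cookie) to the oldest phase 1 still in flight.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the racoon lines from the post, one entry per line.
# W.X.Y.Z / A.B.C.D are the poster's own address placeholders.
SAMPLE_LOG = """\
Aug 2 11:37:27 racoon: INFO: isakmp.c:1368:isakmp_open(): W.X.Y.Z[500] used as isakmp port (fd=6)
Aug 2 11:37:29 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for A.B.C.D queued due to no phase1 found.
Aug 2 11:37:29 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: W.X.Y.Z[500]<=>A.B.C.D[500]
Aug 2 11:37:29 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Aug 2 11:38:00 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP A.B.C.D->W.X.Y.Z
Aug 2 11:38:00 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
Aug 2 11:38:19 racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
Aug 2 11:38:30 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. 9535936735318ef2:0000000000000000
Aug 2 11:38:50 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP A.B.C.D->W.X.Y.Z
Aug 2 11:38:50 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
Aug 2 11:39:11 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for A.B.C.D queued due to no phase1 found.
"""

# Constructed "healthy" sample (assumed message format; the source line
# number and spi value are made up) to show the non-alerting case.
HEALTHY_LOG = """\
Aug 2 12:00:01 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: W.X.Y.Z[500]<=>A.B.C.D[500]
Aug 2 12:00:02 racoon: INFO: isakmp.c:0:isakmp_ph1established(): ISAKMP-SA established W.X.Y.Z[500]-A.B.C.D[500] spi:0123456789abcdef:fedcba9876543210
"""

# "<syslog ts> racoon: <LEVEL>: <file>:<line>:<func>(): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) racoon: (?P<level>\w+): "
    r"(?P<src>[\w.]+:\d+):(?P<func>\w+)\(\): (?P<msg>.*)$"
)
ADDR = r"[^\s\[]+"
PH1_BEGIN_RE = re.compile(rf"phase 1 negotiation: {ADDR}\[\d+\]<=>(?P<peer>{ADDR})\[\d+\]")
PH1_OK_RE = re.compile(rf"ISAKMP-SA established {ADDR}\[\d+\]-(?P<peer>{ADDR})\[\d+\]")
PH2_FAIL_RE = re.compile(rf"waiting for phase1\. ESP (?P<peer>{ADDR})->{ADDR}")
QUEUED_RE = re.compile(rf"IPsec-SA request for (?P<peer>{ADDR}) queued")


def parse(log_text):
    """Yield the parsed fields of every line that looks like a racoon entry."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyse(log_text, year=2004):
    """Per-peer counters for the phase 1 / phase 2 state machine seen in the log."""
    peers = defaultdict(lambda: {"ph1_attempts": 0, "ph1_timeouts": 0, "ph2_timeouts": 0,
                                 "queued": 0, "established": False,
                                 "first_seen": None, "last_seen": None})
    pending_ph1 = []  # peers with a phase 1 in flight, oldest first
    for ev in parse(log_text):
        ts = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        func, msg, peer = ev["func"], ev["msg"], None
        if func == "isakmp_ph1begin_i" and (m := PH1_BEGIN_RE.search(msg)):
            peer = m["peer"]
            peers[peer]["ph1_attempts"] += 1
            pending_ph1.append(peer)
        elif func == "isakmp_ph1resend" and "failed due to time up" in msg:
            # racoon prints only the ISAKMP cookie here; assume the timeout
            # belongs to the oldest phase 1 still in flight.
            if pending_ph1:
                peer = pending_ph1.pop(0)
                peers[peer]["ph1_timeouts"] += 1
        elif func == "isakmp_chkph1there" and (m := PH2_FAIL_RE.search(msg)):
            peer = m["peer"]
            peers[peer]["ph2_timeouts"] += 1
        elif func == "isakmp_post_acquire" and (m := QUEUED_RE.search(msg)):
            peer = m["peer"]
            peers[peer]["queued"] += 1
        elif m := PH1_OK_RE.search(msg):
            peer = m["peer"]
            peers[peer]["established"] = True
            if peer in pending_ph1:
                pending_ph1.remove(peer)
        if peer is not None:
            rec = peers[peer]
            rec["first_seen"] = rec["first_seen"] or ts
            rec["last_seen"] = ts
    return dict(peers)


def stuck_peers(stats, min_ph2_timeouts=2):
    """Peers whose phase 1 timed out and whose queued phase-2 requests keep being
    dropped without an 'ISAKMP-SA established' ever appearing. Returns
    {peer: seconds between first and last related log entry}."""
    return {p: int((s["last_seen"] - s["first_seen"]).total_seconds())
            for p, s in stats.items()
            if not s["established"] and s["ph1_timeouts"] >= 1
            and s["ph2_timeouts"] >= min_ph2_timeouts}


if __name__ == "__main__":
    stats = analyse(SAMPLE_LOG)
    for peer, secs in stuck_peers(stats).items():
        print(f"{peer}: phase 1 stuck for {secs}s, {stats[peer]['ph1_timeouts']} phase-1 "
              f"timeout(s), {stats[peer]['ph2_timeouts']} phase-2 request(s) dropped")
```

On the poster's log this flags A.B.C.D after two dropped phase-2 requests, which is the point at which an operator would want to be paged (or a watchdog would restart racoon and flush the stale SAs) rather than waiting for the tunnel to fix itself; on the constructed healthy log nothing is reported because the SA is established one second after phase 1 begins.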