Terry and others,

I understand I had better specify my configurations in more detail.

Basic HW is 2 Soekris 4501 boxes with m0n0wall 1.0 installed. Such hw includes 3 ethernet ports each, named: eth0 (sis0), eth1 (sis1),...

I configured it in the following manner:

FW1                         FW2
eth0 (LAN)-192.168.1.22     eth0 (LAN)-192.168.2.24
eth1 (OPT)-176.20.0.22      eth1 (OPT)-176.20.0.24
eth2 (WAN)-10.0.0.22        eth2 (WAN)-10.0.0.24

There is a crosscable between the two OPT interfaces.

Both configurations use the following IPSec settings:

Interface         OPT (both)
Local Subnet      LAN (both)
Remote subnet     192.168.2.0/24      192.168.1.0/24
Remote gateway    176.20.0.24         176.20.0.22

Phase 1
Negotiation-      aggressive
My identifier-    (My address)
Encryption-       3DES
hash-             MD5
DH key -          type 5
PSK-              testVPN
lifetime-         28800

Phase 2
Protocol-         ESP
Encryption-       AES
hash-             MD5
PFS key group-    off
lifetime-         86400

Identifier: two (different and) valid email addresses
Preshared keys: different per each configuration
mono1VPN          mono2VPN

The SPD reports the correct configuration for the VPN tunnel as per above
The SAD err message is: "No IPsec security association"

Thanks to everyone willing to share their knowledge

Francesco
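Added example, not part of the message above and not m0n0wall code: a small Python check that the two ends of a site-to-site tunnel mirror each other (each remote subnet is the peer's local subnet, each remote gateway is the peer's tunnel interface address, and the phase 1, phase 2 and PSK values are identical). The addresses and proposals are the ones quoted in the message; the dict layout, the function names and the /24 LAN mask are assumptions of this example.

```python
import ipaddress

# Values transcribed from the message; the structure is this example's own.
P1 = ("aggressive", "3DES", "MD5", 5, 28800)   # mode, enc, hash, DH group, lifetime
P2 = ("ESP", "AES", "MD5", "off", 86400)       # proto, enc, hash, PFS group, lifetime
FW1 = {"lan_ip": "192.168.1.22", "opt_ip": "176.20.0.22",
       "remote_subnet": "192.168.2.0/24", "remote_gw": "176.20.0.24",
       "p1": P1, "p2": P2, "psk": "testVPN"}
FW2 = {"lan_ip": "192.168.2.24", "opt_ip": "176.20.0.24",
       "remote_subnet": "192.168.1.0/24", "remote_gw": "176.20.0.22",
       "p1": P1, "p2": P2, "psk": "testVPN"}


def local_subnet(fw, prefix=24):
    """Network behind the LAN interface. The /24 mask is an assumption,
    chosen to match the /24 remote subnets given in the message."""
    return ipaddress.ip_interface(f"{fw['lan_ip']}/{prefix}").network


def mirror_mismatches(a, b):
    """Return a list of settings on which the two tunnel ends do not mirror."""
    problems = []
    for name, me, peer in (("FW1", a, b), ("FW2", b, a)):
        remote = ipaddress.ip_network(me["remote_subnet"])
        if remote != local_subnet(peer):
            problems.append(f"{name}: remote subnet {remote} is not the "
                            f"peer's local subnet {local_subnet(peer)}")
        if me["remote_gw"] != peer["opt_ip"]:
            problems.append(f"{name}: remote gateway {me['remote_gw']} is not "
                            f"the peer's tunnel interface {peer['opt_ip']}")
    # Proposals and the shared secret must be identical on both ends.
    for key, label in (("p1", "phase 1"), ("p2", "phase 2"), ("psk", "PSK")):
        if a[key] != b[key]:
            problems.append(f"{label} settings differ between the two ends")
    return problems


if __name__ == "__main__":
    found = mirror_mismatches(FW1, FW2)
    print("\n".join(found) if found else "tunnel definitions mirror each other")
```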