So I added a new route to the Linux box:
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.2.254 dev eth1
and the routing table is now:
netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
64.27.17.64     0.0.0.0         255.255.255.224 U       0 0        0 eth0
192.168.2.0     0.0.0.0         255.255.255.0   U       0 0        0 eth1
192.168.1.0     192.168.2.254   255.255.255.0   UG      0 0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U       0 0        0 lo
0.0.0.0         64.27.17.65     0.0.0.0         UG      0 0        0 eth0
But sadly, I cannot ping 192.168.2.2 from 192.168.1.4 or vice versa.
FYI, I've rebooted the two firewalls several times and triple-checked my
settings against the examples, but I have no idea why this is not
working.
I also noticed the following message:
Sep 8 00:27:07 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
Sep 8 00:27:07 racoon: INFO: isakmp.c:1368:isakmp_open(): 64.27.17.75[500] used as isakmp port (fd=7)
Sep 8 00:27:07 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.2.254[500] used as isakmp port (fd=8)
Sep 8 00:30:02 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 69.39.193.19 queued due to no phase1 found.
Sep 8 00:30:02 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.27.17.75[500]<=>69.39.193.19[500]
Sep 8 00:30:02 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 8 00:30:33 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 69.39.193.19->64.27.17.75
Sep 8 00:30:33 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
Sep 8 00:31:03 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. 5f60cc8aa3564685:0000000000000000
and
racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 67.27.17.75 queued due to no phase1 found.
Sep 8 00:25:55 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 69.39.193.19[500]<=>67.27.17.75[500]
Sep 8 00:25:55 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 8 00:26:26 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 67.27.17.75->69.39.193.19
Sep 8 00:26:26 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
Sep 8 00:26:55 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. 9591d65f69fee93a:0000000000000000
Sep 8 00:29:14 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 67.27.17.75 queued due to no phase1 found.
Sep 8 00:29:14 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 69.39.193.19[500]<=>67.27.17.75[500]
Sep 8 00:29:14 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 8 00:29:45 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 67.27.17.75->69.39.193.19
Sep 8 00:29:45 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
Sep 8 00:29:47 racoon: INFO: isakmp.c:1713:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
Sep 8 00:30:10 racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r(): couldn't find configuration.
Sep 8 00:30:14 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. d1dee0a586c3deab:0000000000000000
Sep 8 00:30:18 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 67.27.17.75->69.39.193.19
Sep 8 00:30:18 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete phase 2 handler.
Sep 8 00:30:21 racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r(): couldn't find configuration.
Sep 8 00:31:00 last message repeated 4 times
Any suggestions would be greatly appreciated....
John Tran wrote:
> Hello all, any thoughts on how I can solve this problem?
>
> I have two monowall boxes at two locations, each with its own subnet,
> and I am interested in accessing between the two subnets using
> IPSEC. I've configured the two monowall boxes according to
> http://www.m0n0.ch/wall/docbook/ipsec-tunnels.html
>
> But here is a small twist: on the second subnet, on one of the nodes,
> running Linux, I also have a second NIC with a real IP assigned to
> eth0. For some reason, I cannot seem to ping between the two. Here
> is the complete setting:
>
> Site 1:
> monowall
> WAN = 11.22.33.17 (not real ip of course)
> LAN = 192.168.1.0/24
> compute nodes
> 192.168.1.{4,5,6}
>
> Site 2:
> monowall
> WAN = 99.88.77.65 (not real ip of course)
> LAN = 192.168.2.0/24
> compute node
> eth1: 192.168.2.1
> eth0: 99.88.77.66 (not real ip of course)
>
> I was able to ping between the two nodes when I did not have
> eth0 on the compute node at site 2. Any thoughts or suggestions would
> be greatly appreciated. Oh, btw, the routing table is as follows:
>
> route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 99.88.77.64     0.0.0.0         255.255.255.224 U     0      0        0 eth0
> 192.168.2.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
> 0.0.0.0         99.88.77.65     0.0.0.0         UG    0      0        0 eth0
>
> (not using real ip's of course)
>
> Thanks,
>
> John
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
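Two checks worth running against what this thread shows, as an added example that is not code from the poster, the list, or m0n0wall. The first part takes the routing table from the reply above and answers, by longest-prefix match, which interface and gateway a packet for 192.168.1.4 leaves on before and after the `route add` line: with only the default route it exits eth0 towards the upstream gateway and never reaches the m0n0wall's LAN side where the IPsec policy would catch it. The second part is a triage pass over racoon's isakmp messages; the sample log is constructed from the lines quoted above (unwrapped and condensed), and the mapping from message to finding is my reading of racoon's wording, not anything the thread states.

```python
"""Added example for this thread (not from the poster or from m0n0wall):
1. longest-prefix-match lookup over the posted routing table;
2. a triage pass over racoon isakmp log lines that counts phase 1 starts,
   timeouts and "couldn't find configuration" rejections."""
import ipaddress
import re

# Routes copied from the reply's `netstat -nr` output:
# (destination, genmask, gateway, iface). 0.0.0.0/0.0.0.0 is the default.
ROUTES_BEFORE = [
    ("64.27.17.64", "255.255.255.224", "0.0.0.0", "eth0"),
    ("192.168.2.0", "255.255.255.0", "0.0.0.0", "eth1"),
    ("127.0.0.0", "255.0.0.0", "0.0.0.0", "lo"),
    ("0.0.0.0", "0.0.0.0", "64.27.17.65", "eth0"),
]
# The same table plus the route the reply added by hand.
ROUTES_AFTER = ROUTES_BEFORE + [
    ("192.168.1.0", "255.255.255.0", "192.168.2.254", "eth1"),
]


def lookup(routes, dst):
    """Return (gateway, iface) chosen for dst by longest-prefix match,
    or None when nothing (not even a default route) matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[1], best[2])


# Constructed sample: the racoon lines quoted in the thread, unwrapped and
# condensed to one initiation plus the failures that followed it.
SAMPLE_LOG = """\
Sep 8 00:30:02 racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 69.39.193.19 queued due to no phase1 found.
Sep 8 00:30:02 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.27.17.75[500]<=>69.39.193.19[500]
Sep 8 00:30:02 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 8 00:30:10 racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r(): couldn't find configuration.
Sep 8 00:30:21 racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r(): couldn't find configuration.
Sep 8 00:30:33 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 69.39.193.19->64.27.17.75
Sep 8 00:31:00 last message repeated 4 times
Sep 8 00:31:03 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. 5f60cc8aa3564685:0000000000000000
"""

PH1_BEGIN = re.compile(r"phase 1 negotiation: ([\d.]+)\[\d+\]<=>([\d.]+)\[\d+\]")
PH1_MODE = re.compile(r"begin (\w+) mode")
PH1_TIMEOUT = re.compile(r"isakmp_ph1resend\(\): phase1 negotiation failed due to time up")
NO_CONFIG = re.compile(r"isakmp_ph1begin_r\(\): couldn't find configuration")
REPEATED = re.compile(r"last message repeated (\d+) times")


def triage(log_text):
    """Count what racoon's ISAKMP state machine reported, line by line."""
    s = {"peers": [], "modes": set(), "ph1_timeouts": 0,
         "no_config_inbound": 0, "repeats": 0}
    for line in log_text.splitlines():
        if m := PH1_BEGIN.search(line):
            s["peers"].append((m.group(1), m.group(2)))   # (local, remote)
        if m := PH1_MODE.search(line):
            s["modes"].add(m.group(1))
        if PH1_TIMEOUT.search(line):
            s["ph1_timeouts"] += 1
        if NO_CONFIG.search(line):
            s["no_config_inbound"] += 1
        if m := REPEATED.search(line):
            s["repeats"] += int(m.group(1))
    return s


def findings(s):
    """Turn the counts into the short list a responder reads first."""
    out = []
    if s["ph1_timeouts"]:
        out.append("outbound phase 1 timed out: no usable ISAKMP reply from "
                   + ", ".join(r for _, r in s["peers"]))
    if s["no_config_inbound"]:
        out.append("inbound phase 1 dropped: no remote block matches the "
                   "initiator's address; compare both sides' peer settings")
    if s["modes"] == {"Aggressive"}:
        out.append("aggressive mode in use: identifiers are sent in the clear "
                   "and must match exactly on both sides")
    return out


if __name__ == "__main__":
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        print(f"{name:6} 192.168.1.4 -> {lookup(table, '192.168.1.4')}")
    summary = triage(SAMPLE_LOG)
    print(summary)
    for f in findings(summary):
        print("-", f)
```

Running it prints that 192.168.1.4 resolves to `('64.27.17.65', 'eth0')` before the added route and `('192.168.2.254', 'eth1')` after it, then the three findings drawn from the log counts. Pointing `triage()` at a real `/var/log/system.log` extract works the same way, since it only keys on racoon's fixed message text.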