On Wed, 08 Sep 2004 01:07:28 -0700, John Tran <jtran at pcwerk dot com> wrote:
> But sadly, I cannot ping 192.168.2.2 from 192.168.1.4 or vice versa.
>
> FYI, I've rebooted the two firewalls several times and triple checked my
> settings against the examples, but I seem to have no idea why this is not
> working.
>
> I also noticed the following message:
>
> Sep 8 00:27:07 racoon: INFO: isakmp.c:1368:isakmp_open():
> 127.0.0.1[500] used as isakmp port (fd=6)
> Sep 8 00:27:07 racoon: INFO: isakmp.c:1368:isakmp_open():
> 64.27.17.75[500] used as isakmp port (fd=7)
> Sep 8 00:27:07 racoon: INFO: isakmp.c:1368:isakmp_open():
> 192.168.2.254[500] used as isakmp port (fd=8)
> Sep 8 00:30:02 racoon: INFO: isakmp.c:1694:isakmp_post_acquire():
> IPsec-SA request for 69.39.193.19 queued due to no phase1 found.
> Sep 8 00:30:02 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate
> new phase 1 negotiation: 64.27.17.75[500]<=>69.39.193.19[500]
> Sep 8 00:30:02 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin
> Aggressive mode.
> Sep 8 00:30:33 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there():
> phase2 negotiation failed due to time up waiting for phase1. ESP
> 69.39.193.19->64.27.17.75
> Sep 8 00:30:33 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete
> phase 2 handler.
> Sep 8 00:31:03 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1
> negotiation failed due to time up. 5f60cc8aa3564685:0000000000000000
>
> and
>
> racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for
> 67.27.17.75 queued due to no phase1 found.
> Sep 8 00:25:55 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate
> new phase 1 negotiation: 69.39.193.19[500]<=>67.27.17.75[500]
> Sep 8 00:25:55 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin
> Aggressive mode.
> Sep 8 00:26:26 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there():
> phase2 negotiation failed due to time up waiting for phase1. ESP
> 67.27.17.75->69.39.193.19
> Sep 8 00:26:26 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete
> phase 2 handler.
> Sep 8 00:26:55 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1
> negotiation failed due to time up. 9591d65f69fee93a:0000000000000000
> Sep 8 00:29:14 racoon: INFO: isakmp.c:1694:isakmp_post_acquire():
> IPsec-SA request for 67.27.17.75 queued due to no phase1 found.
> Sep 8 00:29:14 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate
> new phase 1 negotiation: 69.39.193.19[500]<=>67.27.17.75[500]
> Sep 8 00:29:14 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin
> Aggressive mode.
> Sep 8 00:29:45 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there():
> phase2 negotiation failed due to time up waiting for phase1. ESP
> 67.27.17.75->69.39.193.19
> Sep 8 00:29:45 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete
> phase 2 handler.
> Sep 8 00:29:47 racoon: INFO: isakmp.c:1713:isakmp_post_acquire():
> request for establishing IPsec-SA was queued due to no phase1 found.
> Sep 8 00:30:10 racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r():
> couldn't find configuration.
> Sep 8 00:30:14 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1
> negotiation failed due to time up. d1dee0a586c3deab:0000000000000000
> Sep 8 00:30:18 racoon: ERROR: isakmp.c:1786:isakmp_chkph1there():
> phase2 negotiation failed due to time up waiting for phase1. ESP
> 67.27.17.75->69.39.193.19
> Sep 8 00:30:18 racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete
> phase 2 handler.
> Sep 8 00:30:21 racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r():
> couldn't find configuration.
> Sep 8 00:31:00 last message repeated 4 times
>
> Any suggestions would be greatly appreciated....
>
>
Your routes look fine at a glance. The problem is (according to those
logs) your tunnel isn't coming up. Check your phase 1 settings, make
sure everything other than "my identifier" is identical on both. Also
make sure you've added the pre-shared keys on the appropriate tab on
both sides, using the identifier of the remote m0n0wall. There is
something wrong or missing in there somewhere.
-Chris
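
An added example (not part of either message): a cross-check of the two quoted racoon log excerpts that compares the peer address each side dials against the addresses the other side's log shows as local, and lists phase 1 attempts that never got a reply. It assumes the first excerpt comes from the firewall at 64.27.17.75 and the second from the one at 69.39.193.19; `summarize` and `unmatched_peers` are names made up for this example.

```python
import re

# Excerpts copied from the quoted logs above, with the e-mail line wraps joined.
# Assumption: LOG_A is from the firewall at 64.27.17.75, LOG_B from 69.39.193.19.
LOG_A = """\
Sep 8 00:27:07 racoon: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=6)
Sep 8 00:27:07 racoon: INFO: isakmp.c:1368:isakmp_open(): 64.27.17.75[500] used as isakmp port (fd=7)
Sep 8 00:27:07 racoon: INFO: isakmp.c:1368:isakmp_open(): 192.168.2.254[500] used as isakmp port (fd=8)
Sep 8 00:30:02 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.27.17.75[500]<=>69.39.193.19[500]
Sep 8 00:31:03 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. 5f60cc8aa3564685:0000000000000000
"""
LOG_B = """\
Sep 8 00:29:14 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 69.39.193.19[500]<=>67.27.17.75[500]
Sep 8 00:30:10 racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r(): couldn't find configuration.
Sep 8 00:30:14 racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. d1dee0a586c3deab:0000000000000000
"""
INITIATE = re.compile(r"initiate new phase 1 negotiation: ([\d.]+)\[\d+\]<=>([\d.]+)\[\d+\]")
LISTEN = re.compile(r"isakmp_open\(\): ([\d.]+)\[\d+\] used as isakmp port")
TIMEOUT = re.compile(r"phase1 negotiation failed due to time up\. ([0-9a-f]{16}):([0-9a-f]{16})")

def summarize(log):
    """Collect local addresses, dialled peers and phase 1 failures from one racoon log."""
    s = {"local": set(), "peers": set(), "unanswered": [], "no_config": 0}
    for line in log.splitlines():
        if m := LISTEN.search(line):
            s["local"].add(m.group(1))
        elif m := INITIATE.search(line):
            s["local"].add(m.group(1))   # left side is this firewall's own address
            s["peers"].add(m.group(2))   # right side is the configured remote gateway
        elif m := TIMEOUT.search(line):
            # An all-zero responder cookie means no reply from the peer was ever processed.
            if int(m.group(2), 16) == 0:
                s["unanswered"].append(m.group(1))
        elif "isakmp_ph1begin_r(): couldn't find configuration" in line:
            s["no_config"] += 1          # responder side had no phase 1 entry for the sender
    return s

def unmatched_peers(dialer, listener):
    """Peers the dialer initiates toward that the other side's log never shows as local."""
    return sorted(dialer["peers"] - listener["local"])

if __name__ == "__main__":
    a, b = summarize(LOG_A), summarize(LOG_B)
    print("A dials an address B does not show as local:", unmatched_peers(a, b))
    print("B dials an address A does not show as local:", unmatched_peers(b, a))
    print("unanswered phase 1 cookies:", a["unanswered"] + b["unanswered"])
```

On these excerpts the second firewall initiates toward 67.27.17.75, while the first firewall's log shows it listening on 64.27.17.75.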