 From:  "Rodman Frowert" <frowertr at i dash 1 dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Static route question
 Date:  Wed, 8 Sep 2004 14:38:13 -0500
As some of you may know, I have been unable to ping or talk to any DMZ 
machine from inside my LAN.  I have set up a static route from my LAN -> my 
DMZ and still nothing.  I have also added a rule into the DMZ that would 
allow any traffic from the LAN to the DMZ.  But still, no dice...

My question is, do I have to have a static route back from the DMZ to the 
LAN?  I mean, if I try to ping a machine in the DMZ, does there need to be a 
static route saying "DMZ -> LAN" so that the ping packet can find its way 
back?  I have actually tried to set two static routes like described, but 
still didn't get it to work.  But I wanted to ask to see if perhaps this is 
even necessary.

/still trying but getting frustrated...

Rodman
----- Original Message ----- 
From: "Chris Buechler" <cbuechler at gmail dot com>
To: "John Tran" <jtran at pcwerk dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, September 08, 2004 2:20 PM
Subject: Re: [m0n0wall] interesting routing issue


> On Wed, 08 Sep 2004 01:07:28 -0700, John Tran <jtran at pcwerk dot com> wrote:
>> But sadly, I cannot ping 192.168.2.2 from 192.168.1.4 or vice versa.
>>
>> FYI, I've rebooted the two firewalls several times and triple checked my
>> settings against the examples, but have no idea why this is not
>> working.
>>
>> I also noticed the following message:
>>
>> Sep 8 00:27:07  racoon: INFO: isakmp.c:1368:isakmp_open():
>> 127.0.0.1[500] used as isakmp port (fd=6)
>> Sep 8 00:27:07  racoon: INFO: isakmp.c:1368:isakmp_open():
>> 64.27.17.75[500] used as isakmp port (fd=7)
>> Sep 8 00:27:07  racoon: INFO: isakmp.c:1368:isakmp_open():
>> 192.168.2.254[500] used as isakmp port (fd=8)
>> Sep 8 00:30:02  racoon: INFO: isakmp.c:1694:isakmp_post_acquire():
>> IPsec-SA request for 69.39.193.19 queued due to no phase1 found.
>> Sep 8 00:30:02  racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate
>> new phase 1 negotiation: 64.27.17.75[500]<=>69.39.193.19[500]
>> Sep 8 00:30:02  racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin
>> Aggressive mode.
>> Sep 8 00:30:33  racoon: ERROR: isakmp.c:1786:isakmp_chkph1there():
>> phase2 negotiation failed due to time up waiting for phase1. ESP
>> 69.39.193.19->64.27.17.75
>> Sep 8 00:30:33  racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete
>> phase 2 handler.
>> Sep 8 00:31:03  racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1
>> negotiation failed due to time up. 5f60cc8aa3564685:0000000000000000
>>
>> and
>>
>> racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for
>> 67.27.17.75 queued due to no phase1 found.
>> Sep 8 00:25:55  racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate
>> new phase 1 negotiation: 69.39.193.19[500]<=>67.27.17.75[500]
>> Sep 8 00:25:55  racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin
>> Aggressive mode.
>> Sep 8 00:26:26  racoon: ERROR: isakmp.c:1786:isakmp_chkph1there():
>> phase2 negotiation failed due to time up waiting for phase1. ESP
>> 67.27.17.75->69.39.193.19
>> Sep 8 00:26:26  racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete
>> phase 2 handler.
>> Sep 8 00:26:55  racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1
>> negotiation failed due to time up. 9591d65f69fee93a:0000000000000000
>> Sep 8 00:29:14  racoon: INFO: isakmp.c:1694:isakmp_post_acquire():
>> IPsec-SA request for 67.27.17.75 queued due to no phase1 found.
>> Sep 8 00:29:14  racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate
>> new phase 1 negotiation: 69.39.193.19[500]<=>67.27.17.75[500]
>> Sep 8 00:29:14  racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin
>> Aggressive mode.
>> Sep 8 00:29:45  racoon: ERROR: isakmp.c:1786:isakmp_chkph1there():
>> phase2 negotiation failed due to time up waiting for phase1. ESP
>> 67.27.17.75->69.39.193.19
>> Sep 8 00:29:45  racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete
>> phase 2 handler.
>> Sep 8 00:29:47  racoon: INFO: isakmp.c:1713:isakmp_post_acquire():
>> request for establishing IPsec-SA was queued due to no phase1 found.
>> Sep 8 00:30:10  racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r():
>> couldn't find configuration.
>> Sep 8 00:30:14  racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1
>> negotiation failed due to time up. d1dee0a586c3deab:0000000000000000
>> Sep 8 00:30:18  racoon: ERROR: isakmp.c:1786:isakmp_chkph1there():
>> phase2 negotiation failed due to time up waiting for phase1. ESP
>> 67.27.17.75->69.39.193.19
>> Sep 8 00:30:18  racoon: INFO: isakmp.c:1791:isakmp_chkph1there(): delete
>> phase 2 handler.
>> Sep 8 00:30:21  racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r():
>> couldn't find configuration.
>> Sep 8 00:31:00  last message repeated 4 times
>>
>> Any suggestions would be greatly appreciated....
>>
>>
>
> Your routes look fine at a glance.  The problem is (according to those
> logs) your tunnel isn't coming up.  Check your phase 1 settings, make
> sure everything other than "my identifier" is identical on both.  Also
> make sure you've added the pre-shared keys on the appropriate tab on
> both sides, using the identifier of the remote m0n0wall.  There is
> something wrong or missing in there somewhere.
>
> -Chris
>
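Chris reads the racoon lines above by eye; as an added example (not part of this thread or of m0n0wall), here is a small Python triage function that performs the same classification over the quoted log lines. The only message it assumes beyond what the thread shows is racoon's "ISAKMP-SA established" line as the success marker.

```python
import re
from collections import Counter

# Sample input: racoon lines quoted in the thread, re-joined onto single
# lines (the mail client had wrapped them). Timestamps and addresses as posted.
SAMPLE_LOG = """\
Sep 8 00:30:02  racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 64.27.17.75[500]<=>69.39.193.19[500]
Sep 8 00:30:02  racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 8 00:30:33  racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 69.39.193.19->64.27.17.75
Sep 8 00:31:03  racoon: ERROR: isakmp.c:1447:isakmp_ph1resend(): phase1 negotiation failed due to time up. 5f60cc8aa3564685:0000000000000000
Sep 8 00:30:10  racoon: ERROR: isakmp.c:861:isakmp_ph1begin_r(): couldn't find configuration.
Sep 8 00:31:00  last message repeated 4 times
"""

PH1_INIT = re.compile(r"isakmp_ph1begin_i\(\): initiate new phase 1 negotiation: ([\d.]+)\[\d+\]<=>([\d.]+)\[\d+\]")
PATTERNS = {
    "ph1_timeout": re.compile(r"isakmp_ph1resend\(\): phase1 negotiation failed due to time up"),
    "ph2_blocked": re.compile(r"phase2 negotiation failed due to time up waiting for phase1"),
    "no_peer_cfg": re.compile(r"isakmp_ph1begin_r\(\): couldn't find configuration"),
    "ph1_up":      re.compile(r"ISAKMP-SA established"),  # assumed racoon success marker
}
REPEATED = re.compile(r"last message repeated (\d+) times")

def triage_racoon(log_text):
    """Count phase 1 outcomes and return a summary with a plain-language verdict."""
    counts = Counter()
    attempts = []     # (local, remote) pairs for which we initiated phase 1
    last_key = None   # lets "last message repeated N times" be attributed
    for line in log_text.splitlines():
        m = REPEATED.search(line)
        if m:
            if last_key:
                counts[last_key] += int(m.group(1))
            continue
        m = PH1_INIT.search(line)
        if m:
            attempts.append((m.group(1), m.group(2)))
        last_key = None
        for key, pat in PATTERNS.items():
            if pat.search(line):
                counts[key] += 1
                last_key = key
    if counts["ph1_up"]:
        verdict = "phase 1 completed; look at phase 2 proposals or routing instead"
    elif counts["no_peer_cfg"]:
        verdict = "peer is reaching us but its identifier/address matches no phase 1 entry"
    elif counts["ph1_timeout"]:
        verdict = "no reply to our phase 1 proposals: peer unreachable, UDP/500 blocked, or proposal silently rejected"
    else:
        verdict = "no phase 1 activity logged"
    return {"counts": dict(counts), "attempts": attempts, "verdict": verdict}
```

On the thread's lines the responder-side "couldn't find configuration" errors dominate, which is the identifier/pre-shared-key mismatch Chris points at.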