 From:  "S. Mindorf" <s dot mindorf at euroimmun dot de>
 To:  "'m0n0wall at lists dot m0n0 dot ch'" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  m0n0wall IPsec vs Astaro IPsec
 Date:  Mon, 20 Sep 2004 14:44:57 +0200
Hello,

I am a new user of the m0n0wall and I have a little bit of trouble.

I try to connect via IPsec to our office but it doesn't work.

In our office we use Astaro Linux Firewall V5 
(http://www.astaro.de)

Here are my configurations:

123.123.123.123  --> office public IP (static)
212.1.1.5            --> my public IP (static) (WAN)
192.168.4.0/24    --> local Network
10.10.10.0/24      --> remote Network
192.168.4.254    --> m0n0wall intern IP (LAN)


racoon.conf:
path pre_shared_key "/var/etc/psk.txt";

remote 123.123.123.123 {
	exchange_mode aggressive;
	my_identifier address "212.1.1.5";
	peers_identifier address 123.123.123.123;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 5;
		lifetime time 7800 secs;
	}
	lifetime time 7800 secs;
}

sainfo address 192.168.4.0/24 any address 10.10.10.0/24 any {
	encryption_algorithm 3des,blowfish,cast128,rijndael;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
	pfs_group 5;
	lifetime time 3600 secs;
}

SPD:
192.168.4.0/24[any] 192.168.4.254[any] any
	in none
	spid=97 seq=3 pid=2582
	refcnt=1
10.10.10.0/24[any] 192.168.4.0/24[any] any
	in ipsec
	esp/tunnel/123.123.123.123-212.1.1.5/unique#16438
	spid=100 seq=2 pid=2582
	refcnt=1
192.168.4.254[any] 192.168.4.0/24[any] any
	out none
	spid=98 seq=1 pid=2582
	refcnt=1
192.168.4.0/24[any] 10.10.10.0/24[any] any
	out ipsec
	esp/tunnel/212.1.1.5-123.123.123/unique#16437
	spid=99 seq=0 pid=2582
	refcnt=1

Systemlog:
Sep 20 12:42:48 eurowall1 racoon: INFO: main.c:172:main(): 
@(#)package version freebsd-20040617a
Sep 20 12:42:48 eurowall1 racoon: INFO: main.c:174:main(): 
@(#)internal version 20001216 sakane at kame dot net
Sep 20 12:42:48 eurowall1 racoon: INFO: main.c:175:main(): @(#)This 
product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
Sep 20 12:42:48 eurowall1 racoon: INFO: 
isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port 
(fd=7)
Sep 20 12:42:48 eurowall1 racoon: INFO: 
isakmp.c:1368:isakmp_open(): 212.1.1.5[500] used as isakmp port 
(fd=8)
Sep 20 12:42:48 eurowall1 racoon: INFO: 
isakmp.c:1368:isakmp_open(): 192.168.4.254[500] used as isakmp port 
(fd=9)
Sep 20 12:42:48 eurowall1 racoon: ERROR: 
pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway 
replace it: 192.168.4.0/24[0] 192.168.4.254/32[0] proto=any dir=in
Sep 20 12:42:48 eurowall1 racoon: ERROR: 
pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway 
replace it: 10.10.10.0/24[0] 192.168.4.0/24[0] proto=any dir=in
Sep 20 12:42:48 eurowall1 racoon: ERROR: 
pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway 
replace it: 192.168.4.254/32[0] 192.168.4.0/24[0] proto=any dir=out
Sep 20 12:42:48 eurowall1 racoon: ERROR: 
pfkey.c:2292:pk_recvspddump(): such policy already exists. anyway 
replace it: 192.168.4.0/24[0] 192.168.10.0/24[0] proto=any dir=out

config.xml:
<ipsec>
        <tunnel>
            <interface>wan</interface>
            <local-subnet>
                <network>lan</network>
            </local-subnet>
            <remote-subnet>10.10.10.0/24</remote-subnet>
            <remote-gateway>123.123.123.123</remote-gateway>
            <p1>
                <mode>aggressive</mode>
                <myident>
                    <myaddress/>
                </myident>
                <encryption-algorithm>3des</encryption-algorithm>
                <hash-algorithm>md5</hash-algorithm>
                <dhgroup>5</dhgroup>
                <lifetime>7800</lifetime>
                <pre-shared-key>xxxxxxxxxxxxxxxxxxxxxxxxxxxxx</pre-shared-key>
            </p1>
            <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>3des</encryption-algorithm-option>
                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                <encryption-algorithm-option>cast128</encryption-algorithm-option>
                <encryption-algorithm-option>rijndael</encryption-algorithm-option>
                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                <pfsgroup>5</pfsgroup>
                <lifetime>3600</lifetime>
            </p2>
            <descr>OfficeGW</descr>
        </tunnel>
         <enable/>
</ipsec>

Ok, I think that's it.

On the Astaro Linux I have configured:



--

EUROIMMUN AG
Seekamp 31

Tel. 0451-5855-520
Fax. 0451-5855-591
E-Mail: s dot mindorf at euroimmun dot de
Homepage: www.euroimmun.de
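As an added example (not part of the original post and not m0n0wall or racoon code), the following Python script cross-checks the subnets declared in the posted racoon.conf `sainfo` block against the SPD policies that racoon reports in the posted syslog `pk_recvspddump()` lines. For every sainfo pair it expects one `out` policy local-to-remote and one `in` policy remote-to-local, and it flags any non-host subnet in the SPD that no sainfo mentions. The sample input is constructed from the values in the post, with the wrapped syslog lines re-joined; the regular expressions assume the log format shown above, and the function and constant names are this example's own.

```python
import re
import ipaddress

# Constructed sample input: the sainfo block from the posted racoon.conf,
# re-typed here so the script runs stand-alone.
RACOON_CONF = """
sainfo address 192.168.4.0/24 any address 10.10.10.0/24 any {
    encryption_algorithm 3des,blowfish,cast128,rijndael;
    authentication_algorithm hmac_md5;
    pfs_group 5;
}
"""

# Constructed sample input: the four pk_recvspddump() syslog lines from the
# post, each re-joined onto a single line (the mail client had wrapped them).
LOG_PREFIX = ("Sep 20 12:42:48 eurowall1 racoon: ERROR: pfkey.c:2292:pk_recvspddump(): "
              "such policy already exists. anyway replace it: ")
SYSLOG = [
    LOG_PREFIX + "192.168.4.0/24[0] 192.168.4.254/32[0] proto=any dir=in",
    LOG_PREFIX + "10.10.10.0/24[0] 192.168.4.0/24[0] proto=any dir=in",
    LOG_PREFIX + "192.168.4.254/32[0] 192.168.4.0/24[0] proto=any dir=out",
    LOG_PREFIX + "192.168.4.0/24[0] 192.168.10.0/24[0] proto=any dir=out",
]

# "sainfo address <local> <proto> address <remote> <proto>"
SAINFO_RE = re.compile(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+")
# "replace it: <src>[port] <dst>[port] proto=<p> dir=<in|out>"
SPD_RE = re.compile(
    r"replace it:\s+([^\s\[]+)\[\d+\]\s+([^\s\[]+)\[\d+\]\s+proto=\S+\s+dir=(in|out)")


def parse_sainfo(conf):
    """Return the (local, remote) network pairs declared by sainfo blocks."""
    return [(ipaddress.ip_network(a, strict=False), ipaddress.ip_network(b, strict=False))
            for a, b in SAINFO_RE.findall(conf)]


def parse_spd_policies(lines):
    """Extract (src, dst, direction) tuples from racoon's SPD dump log lines."""
    policies = []
    for line in lines:
        m = SPD_RE.search(line)
        if m:
            src = ipaddress.ip_network(m.group(1), strict=False)
            dst = ipaddress.ip_network(m.group(2), strict=False)
            policies.append((src, dst, m.group(3)))
    return policies


def check_tunnel_policies(sainfos, policies):
    """Report SPD entries that do not line up with the sainfo declarations."""
    findings = []
    for local, remote in sainfos:
        if (local, remote, "out") not in policies:
            findings.append(f"missing 'out' SPD policy {local} -> {remote}")
        if (remote, local, "in") not in policies:
            findings.append(f"missing 'in' SPD policy {remote} -> {local}")
    known = {net for pair in sainfos for net in pair}
    for src, dst, direction in policies:
        for net in (src, dst):
            # Host (/32) policies for the firewall's own LAN address are the
            # usual bypass entries; only flag subnets that no sainfo declares.
            if net.prefixlen < 32 and net not in known:
                findings.append(
                    f"SPD policy {src} -> {dst} dir={direction} uses {net}, "
                    f"which no sainfo declares")
    return findings


def run_check():
    """Run the cross-check on the constructed sample input."""
    return check_tunnel_policies(parse_sainfo(RACOON_CONF), parse_spd_policies(SYSLOG))


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Run against the post's own values, the check reports two findings: there is no `out` policy from 192.168.4.0/24 to 10.10.10.0/24, and the `out` policy racoon did install has 192.168.10.0/24 as its destination, a subnet that the sainfo block never declares. Comparing the kernel's installed SPD with the intended configuration in this way is a quick first step before capturing ISAKMP traffic on either gateway.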