 From:  Gerry Weaver <gerryw at ctwa dot com>
 To:  "Jason J. Ellingson" <jason at ellingson dot com>, rnhan250 at san dot rr dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSec Help!!!
 Date:  Thu, 14 Oct 2004 23:55:22 -0500
Hi,

First let me say thank you, thank you, thank you. I needed to have this 
working for tomorrow. I have managed to get it working, but the solution 
is very strange. I put in the config that Jason specified, verbatim. 
It didn't work. I got id value / mismatch errors. I then started playing 
around with the identifier fields in the tunnel config and the preshared 
keys under the preshared keys tab. I was making small changes while 
watching a ping. I ended up with what SHOULD be a mismatch.

Box 1
=====
Tunnels: My Identifier:  User FQDN  |  firewall at domain1 dot com
Pre-shared keys: Identifier: firewall.domain2.com
Pre-shared key: HiFromBox2

Box2
=====

Tunnels: My Identifier:  Domain name  |  firewall.domain2.com
Pre-shared keys: Identifier: firewall.domain1.com
Pre-shared key: HelloFromBox1

The tunnel will not work if the mismatch between identifiers is 
corrected. When I realized this, I put fresh 1.1 images on both boxes 
and reconfigured from scratch. I got exactly the same result. I can only 
get the tunnel to pass traffic with the mismatch listed above. Anybody 
got any ideas about this? A bug in racoon perhaps?

Thanks Again!
Gerry
Jason J. Ellingson wrote:

>Box 1 (firewall.domain1.com):
>=============================
>Tunnels tab...
>Edit tunnel...
>
>Mode: Tunnel
>Disabled: unchecked
>Auto-establish: unchecked
>Interface: WAN
>Local subnet: LAN subnet
>Remote Subnet: 192.168.4.0 / 24
>Remote Gateway: <Box 2's WAN IP>
>Description: domain2.net
>Negotiation mode: aggressive
>My identifier: Domain name | firewall.domain1.com
>Encryption algorithm: Blowfish
>Hash algorithm: SHA1
>DH key group: 2
>Lifetime: 28800
>Pre-Shared Key: HelloFromBox1
>Protocol: ESP
>Encryption algorithms: only Blowfish checked
>Hash algorithms: only SHA1 checked
>PFS key group: 2
>Lifetime: 86400
>--
>Pre-shared key tab...
>Edit key...
>
>Identifier: firewall.domain2.net
>Pre-shared key: HiFromBox2
>------------------------------------------------------------
>Box 2 (firewall.domain2.net):
>=============================
>Tunnels tab...
>Edit tunnel...
>
>Mode: Tunnel
>Disabled: unchecked
>Auto-establish: unchecked
>Interface: WAN
>Local subnet: LAN subnet
>Remote Subnet: 192.168.1.0 / 24
>Remote Gateway: <Box 1's WAN IP>
>Description: domain1.com
>Negotiation mode: aggressive
>My identifier: Domain name | firewall.domain2.net
>Encryption algorithm: Blowfish
>Hash algorithm: SHA1
>DH key group: 2
>Lifetime: 28800
>Pre-Shared Key: HiFromBox2
>Protocol: ESP
>Encryption algorithms: only Blowfish checked
>Hash algorithms: only SHA1 checked
>PFS key group: 2
>Lifetime: 86400
>--
>Pre-shared key tab...
>Edit key...
>
>Identifier: firewall.domain1.com
>Pre-shared key: HelloFromBox1
>------------------------------------------------------------
>Does this help everyone out?
>------------------------------------------------------------
>Jason J Ellingson
>Technical Consultant
>
>615.301.1682 : nashville
>612.605.1132 : minneapolis
>
>www.ellingson.com
>jason at ellingson dot com
>
>-----Original Message-----
>From: Gerry Weaver [mailto:gerryw at ctwa dot com] 
>Sent: Thursday, October 14, 2004 8:39 PM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: [m0n0wall] IPSec Help!!!
>
>Hello All,
>
>I am trying to create an IPSEC VPN between two net4511's. I have read 
>the user guide as well as the list archive. I have checked and rechecked 
>the IPSec settings between the two boxes and they are identical. I am 
>completely out of ideas. Would someone be so kind as to point me in the 
>right direction?  Any help would be much appreciated.
>
>Thanks in advance,
>Gerry
>
>The system log shows "failed to get sainfo" and "failed to preprocess 
>packet".
>
>My Config:
>
>(2) Net4511
>M0n0wall 1.1
>Each box has a public WAN address
>Box 1 network: 192.168.1.0/24
>Box 2 network: 192.168.4.0/24
>
>IPSec Settings
>
>Interface: WAN
>Local subnet: LAN Subnet
>Remote subnet: 192.168.1.0/24
>Remote gateway: xx.xx.xx.xx
>Description: Test-1
>Negotiation mode: Aggressive
>My identifier: My IP Address
>Encryption algorithm: Blowfish
>Hash algorithm: MD5
>DH key group: 2
>Lifetime: 28800
>Pre-shared key: vpn-test-secret
>Protocol: ESP
>Encryption algorithms: Blowfish
>Hash algorithms: MD5
>PFS key group: 2
>Lifetime: 43200
>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

-- 
Gerry Weaver

IT-Pro Corp.

Office: (254) 883-9040
Mobile: (512) 663-9550
Fax   : (254) 883-9041
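
As an added illustration (not part of the thread, and not the file m0n0wall itself generates, which this page does not show), here is how the Box 1 tunnel in Jason's recipe maps onto racoon's own configuration syntax. The identifiers, subnets, algorithms, lifetimes and secrets are the values from the recipe above; the key-file path, the `verify_identifier` setting and the peer address (an RFC 5737 documentation address standing in for `<Box 2's WAN IP>`) are assumptions of this rendering.

```conf
# Box 1 (firewall.domain1.com): hand-written racoon.conf equivalent of the
# m0n0wall tunnel settings quoted in Jason's reply. Path is assumed.
path pre_shared_key "/var/etc/psk.txt";

# Phase 1 (ISAKMP SA): one "remote" block per peer gateway.
remote 203.0.113.2 {                  # placeholder for <Box 2's WAN IP>
    exchange_mode aggressive;                      # "Negotiation mode: aggressive"
    my_identifier fqdn "firewall.domain1.com";     # "My identifier: Domain name"
    peers_identifier fqdn "firewall.domain2.net";  # the ID payload Box 2 sends
    verify_identifier on;                          # assumption: reject a peer whose ID differs
    proposal {
        encryption_algorithm blowfish;             # "Encryption algorithm: Blowfish"
        hash_algorithm sha1;                       # "Hash algorithm: SHA1"
        authentication_method pre_shared_key;      # secret comes from psk.txt
        dh_group 2;                                # "DH key group: 2"
        lifetime time 28800 sec;                   # phase 1 "Lifetime: 28800"
    }
}

# Phase 2 (IPsec SA): the selectors here must match what the peer proposes in
# quick mode; when nothing matches, racoon logs "failed to get sainfo".
sainfo address 192.168.1.0/24 any address 192.168.4.0/24 any {
    pfs_group 2;                                   # "PFS key group: 2"
    lifetime time 86400 sec;                       # phase 2 "Lifetime: 86400"
    encryption_algorithm blowfish;                 # "Encryption algorithms: only Blowfish"
    authentication_algorithm hmac_sha1;            # "Hash algorithms: only SHA1"
    compression_algorithm deflate;
}

# /var/etc/psk.txt on Box 1: one line per peer, "<identifier> <secret>".
# In aggressive mode racoon selects the secret by the ID payload the peer
# sent, so the first column must equal the peer's "My identifier" exactly.
firewall.domain2.net    HiFromBox2
```

Two things this rendering makes visible that the GUI hides. First, the identifier is compared as a string of the ID type the peer actually sends, so a User FQDN (`firewall@domain1.com`) and a domain name (`firewall.domain1.com`) are different identities, which is the kind of difference racoon reports as an ID mismatch; whichever entry each side ends up selecting, pre-shared-key authentication only succeeds when both ends use the same secret string for that SA. Second, "failed to get sainfo" refers to the `sainfo` selectors, so the local/remote subnets on both boxes are the first thing to check when that message appears, before touching phase 1. Blowfish, MD5 and DH group 2 were reasonable choices in 2004; a current deployment would choose AES with a SHA-2 hash and a larger DH group.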