 From:  John Morgan Salomon <john at zog dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Very "Simple" IPSEC Question
 Date:  Fri, 15 Oct 2004 19:03:46 +0200
Hi there,

I'm a reasonably new m0n0wall user, but no stranger to
ipsec or firewalls in general, and I'm having a seemingly
incredibly stupid, but very irritating problem.

I am trying to set up a very simple ipsec tunnel between
two m0n0walls (m0n01 & m0n02) across a single IP segment.
Unfortunately, regardless of where I initiate the tunnel,
the m0n0 on the other end ends up blocking my IKE requests
(UDP 500.)  ISAKMP phase 2 on the initiator times out, due to
no phase 1 being around.  All outbound traffic from my green segments to
the red segment works fine.

Picture my environment: is a FreeBSD box, is a PC.
The m0n0s' interfaces are, respectively

m0n01: (green), (red)
m0n02: (green), (red)

I'm trying to ping from w/out

I have no NAT rules at all on either m0n0, and each only
has a rule permitting all outbound traffic.

m0n01 has the following racoon.conf (m0n02's is an exact
mirror image with the networks and my/peers_identifier reversed.
The shared keys are also identical, I've triple-checked.)

path pre_shared_key "/var/etc/psk.txt";

remote {
	exchange_mode aggressive;
	my_identifier address "";
	peers_identifier address;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 5;
	}
}

sainfo address any address any {
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
	pfs_group 5;
}

It's driving me nuts, as I can't think of anything else I can do (I have
tried explicit any-to-any rules on both WAN interfaces).  I'm sure I'm
missing something incredibly moronic, and have been digging through
docs & mailing lists for a few hours now to figure out what's up.  Anyone?
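A way to check the "exact mirror image" claim mechanically, as an added example that is not part of the original post or of m0n0wall/racoon: it parses two constructed racoon.conf files (RFC 5737 sample addresses, the same 3des/md5/group 5 parameters as above), refuses a file with unclosed braces like the paste above, and lists any identifier, phase 1 or phase 2 mismatch between the peers. A WAN rule dropping UDP 500 is outside what such a config comparison can show.

```python
import re

# Constructed sample (not from the post): peer A's racoon.conf, RFC 5737 example addresses.
CONF_A = """path pre_shared_key "/var/etc/psk.txt";
remote 198.51.100.2 {
    exchange_mode aggressive;
    my_identifier address 192.0.2.1;
    peers_identifier address 198.51.100.2;
    proposal { encryption_algorithm 3des; hash_algorithm md5; dh_group 5; }
}
sainfo address 10.1.0.0/24 any address 10.2.0.0/24 any {
    encryption_algorithm 3des; authentication_algorithm hmac_md5; pfs_group 5;
}"""
# Peer B is the mirror image: gateway addresses and protected networks swapped.
CONF_B = (CONF_A.replace('192.0.2.1', '@').replace('198.51.100.2', '192.0.2.1')
          .replace('@', '198.51.100.2').replace('10.1.', '@').replace('10.2.', '10.1.').replace('@', '10.2.'))

def parse_racoon(text):
    """Parse racoon.conf: 'k v...;' -> k: 'v...', 'name args {...}' -> 'name args': {...}."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r'#.*', '', text))
    stack, stmt, cur = [], [], {}          # cur is the block currently being filled
    for tok in tokens:
        if tok == '{':                      # open a nested block keyed by its header words
            stack.append(cur)
            cur = cur.setdefault(' '.join(stmt), {})
            stmt = []
        elif tok == ';':                    # statement ended: first word is the key
            cur[stmt[0]] = ' '.join(stmt[1:])
            stmt = []
        elif tok == '}':
            cur = stack.pop()
        else:
            stmt.append(tok.strip('"'))
    if stack:                               # a paste with missing "}" lines ends up here
        raise ValueError('%d unclosed block(s): missing "}"' % len(stack))
    return cur

def mirror_problems(conf_a, conf_b):
    """List phase 1 / phase 2 mismatches between two peers (empty list = consistent)."""
    ra, rb = [next(v for k, v in c.items() if k.startswith('remote ')) for c in (conf_a, conf_b)]
    sa, sb = [next(v for k, v in c.items() if k.startswith('sainfo ')) for c in (conf_a, conf_b)]
    problems = []
    if ra['my_identifier'] != rb['peers_identifier'] or rb['my_identifier'] != ra['peers_identifier']:
        problems.append('my_identifier / peers_identifier are not mirrored')
    if ra['proposal'] != rb['proposal']:
        problems.append('phase 1 proposals differ: %r vs %r' % (ra['proposal'], rb['proposal']))
    if sa != sb:
        problems.append('phase 2 (sainfo) parameters differ: %r vs %r' % (sa, sb))
    return problems
```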