 From:  John Morgan Salomon <john at zog dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Very "Simple" IPSEC Question
 Date:  Fri, 15 Oct 2004 19:03:46 +0200
Hi there,

I'm a reasonably new m0n0wall user, but no stranger to
ipsec or firewalls in general, and I'm having a seemingly
incredibly stupid, but very irritating problem.

I am trying to set up a very simple ipsec tunnel between
two m0n0walls (m0n01 & m0n02) across a single IP segment.
Unfortunately, regardless of where I initiate the tunnel,
the m0n0 on the other end ends up blocking my IKE requests
(UDP 500.)  ISAKMP phase 2 on the initiator times out, due to
no phase 1 being around.  All outbound traffic from my green segments to
the red segment works fine.

Picture my environment:

192.168.2.0/24--m0n01--192.168.1.0/24--m0n02--192.168.3.0/24

192.168.2.10 is a FreeBSD box, 192.168.3.199 is a PC.
The m0n0s' interfaces are, respectively

m0n01:  192.168.2.2 (green), 192.168.1.40 (red)
m0n02:  192.168.3.1 (green), 192.168.1.37 (red)

I'm trying to ping 192.168.2.10 from 192.168.3.199 w/out
success.

I have no NAT rules at all on either m0n0, and each only
has a rule permitting all outbound traffic.

m0n01 has the following racoon.conf (m0n02's is an exact
mirror image with the networks and my/peers_identifier reversed.
The shared keys are also identical, I've triple-checked.)

path pre_shared_key "/var/etc/psk.txt";

remote 192.168.1.40 {
	exchange_mode aggressive;
	my_identifier address "192.168.1.37";
	peers_identifier address 192.168.1.40;
	initial_contact on;
	support_proxy on;
	proposal_check obey;

	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 5;
	}
}

sainfo address 192.168.3.0/24 any address 192.168.2.0/24 any {
	encryption_algorithm 3des;
	authentication_algorithm hmac_md5;
	compression_algorithm deflate;
	pfs_group 5;
}

It's driving me nuts, as I can't think of anything else I can do (I have
tried explicit any-to-any rules on both WAN interfaces).  I'm sure I'm
missing something incredibly moronic, and have been digging through
docs & mailing lists for a few hours now to figure out what's up.  Anyone?

Thanks,

-John
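A small consistency check, added here as an example and not part of the post or of m0n0wall, that pulls the peer, identifiers and sainfo selectors out of a racoon.conf fragment and compares them with the WAN and LAN addressing the post gives for each m0n0; the config text and address tables below are constructed from the message above, and the regex parser handles only this simple layout, not racoon's full grammar.

```python
import re

# Constructed sample: the remote/sainfo blocks quoted in the post above.
RACOON_CONF = """\
path pre_shared_key "/var/etc/psk.txt";
remote 192.168.1.40 {
	exchange_mode aggressive;
	my_identifier address "192.168.1.37";
	peers_identifier address 192.168.1.40;
}
sainfo address 192.168.3.0/24 any address 192.168.2.0/24 any {
	encryption_algorithm 3des;
}
"""
# Addressing from the post: each m0n0's own WAN/LAN and the peer's WAN/LAN.
M0N01 = {"wan": "192.168.1.40", "lan": "192.168.2.0/24",
         "peer_wan": "192.168.1.37", "peer_lan": "192.168.3.0/24"}
M0N02 = {"wan": "192.168.1.37", "lan": "192.168.3.0/24",
         "peer_wan": "192.168.1.40", "peer_lan": "192.168.2.0/24"}

def parse_racoon(text):
    """Extract peer address, identifiers and sainfo selectors (minimal regex parser)."""
    def grab(pat):
        m = re.search(pat, text, re.M)
        return m.group(1).strip('"') if m else None
    sa = re.search(r'^\s*sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)', text, re.M)
    return {
        "remote": grab(r'^\s*remote\s+(\S+)\s*\{'),
        "my_id": grab(r'my_identifier\s+address\s+(\S+?);'),
        "peers_id": grab(r'peers_identifier\s+address\s+(\S+?);'),
        "local_net": sa.group(1) if sa else None,
        "remote_net": sa.group(2) if sa else None,
    }

def check_consistency(conf, host):
    """Return the mismatches between the parsed config and the host it is loaded on."""
    problems = []
    if conf["my_id"] != host["wan"]:
        problems.append(f"my_identifier {conf['my_id']} is not this host's WAN {host['wan']}")
    if conf["remote"] != host["peer_wan"] or conf["peers_id"] != host["peer_wan"]:
        problems.append(f"remote/peers_identifier {conf['remote']}/{conf['peers_id']} "
                        f"do not match peer WAN {host['peer_wan']}")
    if conf["local_net"] != host["lan"] or conf["remote_net"] != host["peer_lan"]:
        problems.append(f"sainfo {conf['local_net']} -> {conf['remote_net']} does not match "
                        f"{host['lan']} -> {host['peer_lan']}")
    return problems

if __name__ == "__main__":
    parsed = parse_racoon(RACOON_CONF)
    for name, host in (("m0n01", M0N01), ("m0n02", M0N02)):
        print(name, check_consistency(parsed, host) or "consistent")
```

Run against the quoted fragment, the check reports three mismatches when the file is treated as m0n01's (its my_identifier, remote and sainfo ordering all belong to the 192.168.1.37 side) and none when treated as m0n02's.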