On Friday 15 October 2004 01:03 pm, John Morgan Salomon wrote:
I had close to the same problem.
I had to have a route to the remote network on my core router and on the
gateway that was on the same network as the core router.
172.20.2.0/23 <----[ DSL ]-----> 172.20.26.0/23
      |
      |
      -------[Core Router]

route add 172.20.26.0/23 gw monowall.box.on.lan
That's what did it for me... hope it helps.
-J
> Hi there,
>
> I'm a reasonably new m0n0wall user, but no stranger to
> ipsec or firewalls in general, and I'm having a seemingly
> incredibly stupid, but very irritating problem.
>
> I am trying to set up a very simple ipsec tunnel between
> two m0n0walls (m0n01 & m0n02) across a single IP segment.
> Unfortunately, regardless of where I initiate the tunnel,
> the m0n0 on the other end ends up blocking my IKE requests
> (UDP 500.) ISAKMP phase 2 on the initiator times out, due to
> no phase 1 being around. All outbound traffic from my green segments to
> the red segment works fine.
>
> Picture my environment:
>
> 192.168.2.0/24--m0n01--192.168.1.0/24--m0n02--192.168.3.0/24
>
> 192.168.2.10 is a FreeBSD box, 192.168.3.199 is a PC.
> The m0n0s' interfaces are, respectively
>
> m0n01: 192.168.2.2 (green), 192.168.1.40 (red)
> m0n02: 192.168.3.1 (green), 192.168.1.37 (red)
>
> I'm trying to ping 192.168.2.10 from 192.168.3.199 w/out
> success.
>
> I have no NAT rules at all on either m0n0, and each only
> has a rule permitting all outbound traffic.
>
> m0n01 has the following racoon.conf (m0n02's is an exact
> mirror image with the networks and my/peers_identifier reversed.
> The shared keys are also identical, I've triple-checked.)
>
> path pre_shared_key "/var/etc/psk.txt";
>
> remote 192.168.1.40 {
>     exchange_mode aggressive;
>     my_identifier address "192.168.1.37";
>     peers_identifier address 192.168.1.40;
>     initial_contact on;
>     support_proxy on;
>     proposal_check obey;
>
>     proposal {
>         encryption_algorithm 3des;
>         hash_algorithm md5;
>         authentication_method pre_shared_key;
>         dh_group 5;
>     }
> }
>
> sainfo address 192.168.3.0/24 any address 192.168.2.0/24 any {
>     encryption_algorithm 3des;
>     authentication_algorithm hmac_md5;
>     compression_algorithm deflate;
>     pfs_group 5;
> }
>
> It's driving me nuts, as I can't think of anything else I can do (I have
> tried explicit any-to-any rules on both WAN interfaces). I'm sure I'm
> missing something incredibly moronic, and have been digging through
> docs & mailing lists for a few hours now to figure out what's up. Anyone?
>
> Thanks,
>
> -John
>
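One way to verify the "exact mirror image" claim in the quoted post before chasing firewall rules: a small added check (not part of this thread, written here as an illustration) that pulls the peer-dependent fields out of two racoon.conf texts and reports anything that does not mirror. The two configs below are constructed from the quoted file, with one mismatch planted on purpose.

```python
import re

# Constructed sample (not from the poster's systems): the racoon.conf quoted in
# the thread as one peer, and the "mirror image" described for the other peer,
# with one mismatch (pfs_group) planted to show what the check flags.
PEER_A = """
path pre_shared_key "/var/etc/psk.txt";
remote 192.168.1.40 { exchange_mode aggressive;
  my_identifier address "192.168.1.37"; peers_identifier address 192.168.1.40;
  proposal { encryption_algorithm 3des; hash_algorithm md5;
             authentication_method pre_shared_key; dh_group 5; } }
sainfo address 192.168.3.0/24 any address 192.168.2.0/24 any {
  encryption_algorithm 3des; authentication_algorithm hmac_md5; pfs_group 5; }
"""
PEER_B = """
path pre_shared_key "/var/etc/psk.txt";
remote 192.168.1.37 { exchange_mode aggressive;
  my_identifier address "192.168.1.40"; peers_identifier address 192.168.1.37;
  proposal { encryption_algorithm 3des; hash_algorithm md5;
             authentication_method pre_shared_key; dh_group 5; } }
sainfo address 192.168.2.0/24 any address 192.168.3.0/24 any {
  encryption_algorithm 3des; authentication_algorithm hmac_md5; pfs_group 2; }
"""

def parse(conf):
    """Extract the fields that must line up between two racoon peers."""
    def g(pat):
        return re.search(pat, conf).group(1)
    return {
        "remote":     g(r'remote\s+([\d.]+)\s*\{'),
        "my_id":      g(r'my_identifier\s+address\s+"?([\d.]+)"?;'),
        "peer_id":    g(r'peers_identifier\s+address\s+"?([\d.]+)"?;'),
        "local_net":  g(r'sainfo\s+address\s+([\d./]+)\s+any\s+address'),
        "remote_net": g(r'sainfo\s+address\s+[\d./]+\s+any\s+address\s+([\d./]+)'),
        "p1_enc":     g(r'proposal\s*\{[^}]*encryption_algorithm\s+(\w+);'),
        "dh_group":   g(r'dh_group\s+(\d+);'),
        "p2_enc":     g(r'sainfo[^{]*\{[^}]*encryption_algorithm\s+(\w+);'),
        "pfs_group":  g(r'pfs_group\s+(\d+);'),
    }

def mirror_mismatches(a, b):
    """Names of the checks that fail; an empty list means the pair mirrors."""
    checks = {
        "remote_vs_my_id": a["remote"] == b["my_id"] and b["remote"] == a["my_id"],
        "peer_id":         a["peer_id"] == b["my_id"] and b["peer_id"] == a["my_id"],
        "sainfo_networks": a["local_net"] == b["remote_net"] and a["remote_net"] == b["local_net"],
        "phase1_proposal": (a["p1_enc"], a["dh_group"]) == (b["p1_enc"], b["dh_group"]),
        "phase2_proposal": (a["p2_enc"], a["pfs_group"]) == (b["p2_enc"], b["pfs_group"]),
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    print(mirror_mismatches(parse(PEER_A), parse(PEER_B)))  # ['phase2_proposal']
```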