 From:  sylikc <sylikc at gmail dot com>
 To:  John Morgan Salomon <john at zog dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Very "Simple" IPSEC Question
 Date:  Fri, 15 Oct 2004 12:22:15 -0700

> I am trying to set up a very simple ipsec tunnel between
> two m0n0walls (m0n01 & m0n02) across a single IP segment.
> Unfortunately, regardless of where I initiate the tunnel,
> the m0n0 on the other end ends up blocking my IKE requests
> (UDP 500.)  ISAKMP phase 2 on the initiator times out, due to
> no phase 1 being around.  All outbound traffic from my green segments to
> the red segment works fine.
> Picture my environment:
> is a FreeBSD box, is a PC.
> The m0n0s' interfaces are, respectively
> m0n01: (green), (red)
> m0n02: (green), (red)
> I'm trying to ping from w/out
> success.
> I have no NAT rules at all on either m0n0, and each only
> has a rule permitting all outbound traffic.
> m0n01 has the following racoon.conf (m0n02's is an exact
> mirror image with the networks and my/peers_identifier reversed.
> The shared keys are also identical, I've triple-checked.)
> path pre_shared_key "/var/etc/psk.txt";
> remote {
>         exchange_mode aggressive;
>         my_identifier address "";
>         peers_identifier address;
>         initial_contact on;
>         support_proxy on;
>         proposal_check obey;
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm md5;
>                 authentication_method pre_shared_key;
>                 dh_group 5;
>         }
> }
> sainfo address any address any {
>         encryption_algorithm 3des;
>         authentication_algorithm hmac_md5;
>         compression_algorithm deflate;
>         pfs_group 5;
> }
> It's driving me nuts, as I can't think of anything else I can do (I have
> tried explicit any-to-any rules on both WAN interfaces).  I'm sure I'm
> missing something incredibly moronic, and have been digging through
> docs & mailing lists for a few hours now to figure out what's up.  Anyone?

I'm not terribly good at reading configs, but the one thing I did
notice is that you are using aggressive mode.  I have a feeling it's
not necessary nor is it safe to do site2site VPNs in aggressive mode.
Set both m0n0's to use MAIN mode and use "My IP Address" as the
identifier.  I've run this setup in main mode many times and it's been
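An added example, not code from the thread or from m0n0wall: a small Python lint that parses racoon.conf syntax and flags the combination the reply warns about, a remote block using aggressive mode together with pre_shared_key authentication. The sample config is constructed from the one quoted above; its addresses are placeholders because the original post had them stripped.

```python
"""Lint a racoon.conf for remote blocks that pair exchange_mode aggressive
with pre_shared_key; main mode is the safer choice for PSK site-to-site.
Added example, not part of the original thread or of m0n0wall."""
import re

# Constructed sample modelled on the config quoted in the thread; the
# addresses are placeholders since the original post had them stripped.
SAMPLE_CONF = """
path pre_shared_key "/var/etc/psk.txt";
remote 192.0.2.2 {
        exchange_mode aggressive;          # weak with PSK
        my_identifier address "192.0.2.1";
        peers_identifier address 192.0.2.2;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 5;
        }
}
"""

def parse(text):
    """Parse racoon.conf syntax into nested (name, value) pairs: a value is a
    token list for 'key args;' or a nested pair list for 'key { ... }'."""
    toks = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', re.sub(r"#.*", "", text))
    pos = 0
    def block():
        nonlocal pos
        items, cur = [], []
        while pos < len(toks):
            tok = toks[pos]; pos += 1
            if tok == "}":
                break
            if tok == ";":
                items.append((cur[0], cur[1:])); cur = []
            elif tok == "{":
                items.append((" ".join(cur), block())); cur = []
            else:
                cur.append(tok)
        return items
    return block()

def audit(text):
    """Return (block name, message) findings for aggressive mode with PSK."""
    findings = []
    for name, body in parse(text):
        if not name.startswith("remote"):
            continue
        # exchange_mode may list several modes separated by commas
        modes = {m for k, v in body if k == "exchange_mode"
                 for m in ",".join(v).split(",")}
        psk = any(k == "authentication_method" and v == ["pre_shared_key"]
                  for _, sub in body if sub and isinstance(sub[0], tuple)
                  for k, v in sub)
        if "aggressive" in modes and psk:
            findings.append((name, "aggressive mode with pre_shared_key: "
                                   "use exchange_mode main"))
    return findings
```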