 From:  sylikc <sylikc at gmail dot com>
 To:  John Morgan Salomon <john at zog dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Very "Simple" IPSEC Question
 Date:  Fri, 15 Oct 2004 12:22:15 -0700
John,

> I am trying to set up a very simple ipsec tunnel between
> two m0n0walls (m0n01 & m0n02) across a single IP segment.
> Unfortunately, regardless of where I initiate the tunnel,
> the m0n0 on the other end ends up blocking my IKE requests
> (UDP 500.)  ISAKMP phase 2 on the initiator times out, due to
> no phase 1 being around.  All outbound traffic from my green segments to
> the red segment works fine.
> 
> Picture my environment:
> 
> 192.168.2.0/24--m0n01--192.168.1.0/24--m0n02--192.168.3.0/24
> 
> 192.168.2.10 is a FreeBSD box, 192.168.3.199 is a PC.
> The m0n0s' interfaces are, respectively
> 
> m0n01:  192.168.2.2 (green), 192.168.1.40 (red)
> m0n02:  192.168.3.1 (green), 192.168.1.37 (red)
> 
> I'm trying to ping 192.168.2.10 from 192.168.3.199 w/out
> success.
> 
> I have no NAT rules at all on either m0n0, and each only
> has a rule permitting all outbound traffic.
> 
> m0n01 has the following racoon.conf (m0n02's is an exact
> mirror image with the networks and my/peers_identifier reversed.
> The shared keys are also identical, I've triple-checked.)
> 
> path pre_shared_key "/var/etc/psk.txt";
> 
> remote 192.168.1.40 {
>         exchange_mode aggressive;
>         my_identifier address "192.168.1.37";
>         peers_identifier address 192.168.1.40;
>         initial_contact on;
>         support_proxy on;
>         proposal_check obey;
> 
>         proposal {
>                 encryption_algorithm 3des;
>                 hash_algorithm md5;
>                 authentication_method pre_shared_key;
>                 dh_group 5;
>         }
> }
> 
> sainfo address 192.168.3.0/24 any address 192.168.2.0/24 any {
>         encryption_algorithm 3des;
>         authentication_algorithm hmac_md5;
>         compression_algorithm deflate;
>         pfs_group 5;
> }
> 
> It's driving me nuts, as I can't think of anything else I can do (I have
> tried explicit any-to-any rules on both WAN interfaces).  I'm sure I'm
> missing something incredibly moronic, and have been digging through
> docs & mailing lists for a few hours now to figure out what's up.  Anyone?

I'm not terribly good at reading configs, but the one thing I did
notice is that you are using aggressive mode.  I have a feeling it's
not necessary nor is it safe to do site2site VPNs in aggressive mode.
Set both m0n0's to use MAIN mode and use "My IP Address" as the
identifier.  I've run this setup in main mode many times and it's been
flawless.


/sylikc
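As an added example (not code from the thread or from m0n0wall), a small Python lint that checks racoon.conf `remote` blocks for the point sylikc raises: IKEv1 aggressive mode combined with a pre-shared key, and, once main mode is in use, identifiers that are not addresses (RFC 2409 only allows the PSK to be selected by peer IP in main mode). The sample config is constructed from the one quoted above, with the proposal trimmed.

```python
import re

# Constructed sample based on the racoon.conf quoted in the thread (proposal trimmed).
SAMPLE_CONF = """\
path pre_shared_key "/var/etc/psk.txt";

remote 192.168.1.40 {
        exchange_mode aggressive;
        my_identifier address "192.168.1.37";
        peers_identifier address 192.168.1.40;
        proposal {
                authentication_method pre_shared_key;
                dh_group 5;
        }
}
"""

def parse_remote_blocks(conf):
    """Return {peer: block_text} for each 'remote <peer> { ... }' block, matching braces."""
    blocks = {}
    for m in re.finditer(r'\bremote\s+(\S+)\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        blocks[m.group(1)] = conf[m.end():i - 1]
    return blocks

def _setting(block, key):
    """Value of 'key value;' inside a block, or '' when the key is absent."""
    m = re.search(r'\b%s\s+([^;]+);' % key, block)
    return m.group(1).strip() if m else ''

def audit_remote(block):
    """Findings for one remote block; an empty list means nothing was flagged."""
    modes = [x.strip() for x in _setting(block, 'exchange_mode').split(',') if x.strip()]
    auth = _setting(block, 'authentication_method')
    id_types = {_setting(block, k).split()[0]
                for k in ('my_identifier', 'peers_identifier') if _setting(block, k)}
    findings = []
    if auth == 'pre_shared_key':
        if 'aggressive' in modes:
            findings.append('aggressive mode with pre_shared_key: the identity hash is sent '
                            'unencrypted, exposing the PSK to offline guessing; use main mode')
        if 'main' in modes and id_types - {'address'}:
            findings.append('main mode with pre_shared_key: identifiers must be addresses '
                            '(RFC 2409: the PSK is chosen by peer IP before ID payloads arrive)')
    return findings

def audit_conf(conf):
    """Map each remote peer in a racoon.conf to its list of findings."""
    return {peer: audit_remote(block) for peer, block in parse_remote_blocks(conf).items()}
```

Run `audit_conf(open('/var/etc/racoon.conf').read())` on either m0n0wall's generated config; the quoted sample is flagged once for aggressive mode, and the same config with `exchange_mode main;` passes cleanly.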