We are running the latest beta 1.3b11, mostly because the NICs that our board has aren't supported in the latest stable release.
Using the device as a firewall works great (and very easy interface!), however we are having a hard time setting up the VPN tunnels between two sites.
Both sites are running the same exact hardware and the same version of m0n0wall. The IPSec tunnel was set up according to the documentation.
The problem is that the IPSec tunnel needs a manual trigger in order to start, and will die after a few minutes. The manual trigger is also very strange. I have to edit the IPSec tunnel and set the tunnel to "disabled", apply the settings and then enable it again. Only then will it work again.
However, even when I permanently transfer data over the tunnel, the tunnel will disconnect and the whole game has to be repeated. Just pinging the remote site is not enough to bring the tunnel up, it will just result in the messages below.
The only log entries that seem relevant are these:
May 13 00:41:02 racoon: ERROR: phase1 negotiation failed due to time up. 07e06b260bd069bf:0000000000000000
May 13 00:40:59 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
May 13 00:40:43 racoon: INFO: delete phase 2 handler.
May 13 00:40:43 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 67.33.143.62[0]->54.57.181.40[0]
May 13 00:40:22 dhclient: bound to 54.57.181.40 -- renewal in 231 seconds.
May 13 00:40:22 dhclient: New Broadcast Address: 54.57.181.255
May 13 00:40:22 dhclient: New Network Number: 54.57.181.0
May 13 00:40:04 kernel: arplookup 192.168.0.1 failed: host is not on local network
May 13 00:40:22 dhclient: DHCPACK from 192.168.0.1
May 13 00:40:22 dhclient: DHCPREQUEST on vr0 to 192.168.0.1 port 67
May 13 00:40:12 racoon: INFO: begin Aggressive mode.
May 13 00:40:12 racoon: INFO: initiate new phase 1 negotiation: 54.57.181.40[500]<=>67.33.143.62[500]
May 13 00:40:12 racoon: INFO: IPsec-SA request for 67.33.143.62 queued due to no phase1 found.
These errors always show up when I try to bring the tunnel up.
One of the sites has a T1 line with a static IP, the other has a DSL line where the IP changes, but I use dyndns.com for that.
I'm really not sure how to proceed with this - does anybody have any ideas on how to troubleshoot or fix this? I can post the configuration, but it's completely standard according to the doc.
Thank you... any help is appreciated.
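The log excerpt above interleaves racoon's IKE phase 1 and phase 2 messages with a dhclient lease renewal, and the phase 2 errors are easy to misread as the actual fault. As an added example (not from the post or from m0n0wall), this Python script replays such lines oldest-first and tallies where the exchange stalls, so the phase 2 failures can be read as consequences of phase 1 never completing. The sample log is constructed from the lines quoted above, and the year passed to strptime is assumed because syslog omits it.

```python
import re
from datetime import datetime
# Constructed sample from the racoon/dhclient lines quoted in the post, newest-first as m0n0wall shows them.
SAMPLE_LOG = """\
May 13 00:41:02 racoon: ERROR: phase1 negotiation failed due to time up. 07e06b260bd069bf:0000000000000000
May 13 00:40:59 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
May 13 00:40:43 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 67.33.143.62[0]->54.57.181.40[0]
May 13 00:40:22 dhclient: bound to 54.57.181.40 -- renewal in 231 seconds.
May 13 00:40:12 racoon: INFO: begin Aggressive mode.
May 13 00:40:12 racoon: INFO: initiate new phase 1 negotiation: 54.57.181.40[500]<=>67.33.143.62[500]
May 13 00:40:12 racoon: INFO: IPsec-SA request for 67.33.143.62 queued due to no phase1 found.
"""
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\w+): (.*)$")

def parse_line(line, year=2000):
    # Syslog lines carry no year; one is assumed only to obtain a comparable datetime.
    m = LINE_RE.match(line.strip())
    return None if not m else (datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"), m[2], m[3])

def summarize(log_text):
    # Replay the log oldest-first and tally where the IKE exchange stalls.
    s = {"phase1_initiated": 0, "phase1_established": 0, "phase1_timeouts": 0,
         "phase2_blocked_on_phase1": 0, "wan_rebinds": [], "seconds_to_phase1_failure": None}
    started = None
    for when, prog, msg in sorted(filter(None, map(parse_line, log_text.splitlines()))):
        if prog == "racoon" and "initiate new phase 1 negotiation" in msg:
            s["phase1_initiated"] += 1
            started = when
        elif prog == "racoon" and "ISAKMP-SA established" in msg:    # racoon's phase 1 success line
            s["phase1_established"] += 1
        elif prog == "racoon" and "phase1 negotiation failed due to time up" in msg:
            s["phase1_timeouts"] += 1
            if started is not None:
                s["seconds_to_phase1_failure"] = int((when - started).total_seconds())
        elif prog == "racoon" and ("no phase1 found" in msg or "waiting for phase1" in msg):
            s["phase2_blocked_on_phase1"] += 1            # phase 2 queued or aborted, never negotiated
        elif prog == "dhclient" and (m := re.search(r"bound to (\S+)", msg)):
            s["wan_rebinds"].append(m[1])                  # WAN lease (re)bound during the attempt
    return s

def findings(s):
    # State what the tallies prove before anyone touches the phase 2 (ESP) settings.
    out = []
    if s["phase1_initiated"] and not s["phase1_established"] and s["phase1_timeouts"]:
        out.append(f"phase 1 never completes ({s['seconds_to_phase1_failure']}s to timeout): "
                   "no usable IKE reply from the peer, so the phase 2 proposal is not what is failing")
    if s["wan_rebinds"]:
        out.append(f"WAN lease bound to {', '.join(s['wan_rebinds'])} during the attempt; "
                   "confirm the peer's dynamic-DNS entry resolves to that address")
    return out
```

Running `findings(summarize(SAMPLE_LOG))` on the constructed sample reports a 50-second phase 1 timeout with no ISAKMP-SA ever established and a WAN lease bound mid-attempt.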