Topic: IPSEC VPN starts only one way  (Read 2665 times)
« on: May 21, 2008, 00:36:41 »
ET *
Posts: 25

Hi.
I have 4 sites with 1.3b11 m0n0 as main firewall / router. All four sites have static public IP.
Site A is the main office and site B, C and D are branch offices.
At site A I have a main DNS server and a syslog server.
M0n0 at site B, C and D have static routes through IPSEC VPN to site A, so they can ping hosts on site A and send logs to main syslog server and also resolve names in main DNS server.
The problem is that when I reboot the m0n0 at site A, site B, C and D can't start the vpn tunnel.
Only when I ping from site A a host on a branch office the vpn goes up.
This doesn't work when I ping from any branch office to site A. The vpn just won't go up.
The only thing that helps after rebooting site A m0n0 is to delete SAD from m0n0 machines on branch offices.
I can provide logs if it would help to fix this problem.

Any help is appreciated.

UPDATE.

When I reboot any branch office m0n0 the vpn to site A goes up just fine.
« Last Edit: May 21, 2008, 00:44:53 by ET »
« Reply #1 on: May 21, 2008, 15:08:46 »
knightmb ****
Posts: 341

I understand this as a star configuration then, I have a customer with a similar setup. When the main site is rebooted (usually only for an update), then the others take a minute or two to reconnect, but I've never had to ping the other sites for this to happen as it was all automatic.

What IPSec settings are you using?

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #2 on: May 21, 2008, 16:03:55 »
ET *
Posts: 25

Yes this is a star configuration.

My general settings are:

- first dns server in a branch office m0n0 is the main office dns server on lan subnet

- additional static routes are made to enable communication from branch office m0n0 to the main office hosts on lan subnet

- branch office m0n0 are also using the main syslog server on the main office lan subnet

- the same goes for a radius server for pptp vpn on branch office m0n0

As for my ipsec config on main office:

        <tunnel>
            <dpddelay>60</dpddelay>
            <interface>wan</interface>
            <local-subnet>
                <network>lan</network>
            </local-subnet>
            <remote-subnet>192.168.2.0/24</remote-subnet>
            <remote-gateway>xxx</remote-gateway>
            <p1>
                <mode>main</mode>
                <myident>
                    <myaddress/>
                </myident>
                <encryption-algorithm>aes</encryption-algorithm>
                <hash-algorithm>sha1</hash-algorithm>
                <dhgroup>5</dhgroup>
                <lifetime/>
                <pre-shared-key>xxxxx</pre-shared-key>
                <private-key/>
                <cert/>
                <peercert/>
                <authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>rijndael</encryption-algorithm-option>
                <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
                <pfsgroup>5</pfsgroup>
                <lifetime/>
            </p2>
            <descr>description</descr>
        </tunnel>

The config on branch offices looks the same, the only thing that changes is the remote-gateway IP and remote-subnet.

Strange thing to me is that the ipsec tunnel should go up when the branch office m0n0 is trying to resolve something in dns or send logs to the main syslog server. But this isn't happening. Also when I ping from m0n0 on any branch office to main office lan subnet there's no tunnel going up. But when I try to connect from main office host or ping from main office m0n0 to branch office lan subnet the tunnel goes up.

As for lifetime in phase 1 and 2, they are empty because when I set them according to the m0n0 ipsec documentation, after 1-1.5 days the tunnel will fail and no traffic will pass the ipsec vpn.

From what I saw already when I reboot the main office m0n0, the branch offices m0n0 still have their old SAD and it looks like they don't know that main office m0n0 has been rebooted.

When rebooting main office m0n0 I have two entries in branch office m0n0 logs:

racoon: INFO: ISAKMP-SA expired xxx[500]-xxx[500] spi:cb2b3bbe4bd3d423:08480b08b3165819

and

racoon: INFO: ISAKMP-SA deleted xxx[500]-xxx[500] spi:cb2b3bbe4bd3d423:08480b08b3165819

But after these entries in the logs there's no reaction to traffic from the branch office to the main office that should pass the IPSEC tunnel.

The main office shows no racoon messages in logs.
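The two racoon lines quoted above are exactly what a branch office should alarm on: a phase 1 SA deleted and no new one negotiated afterwards. The check below is added example code, not from m0n0wall or the poster; it assumes syslog-prefixed racoon lines and racoon's "ISAKMP-SA established" message for the new SA, and the sample log is constructed with documentation addresses.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a branch-office m0n0wall syslog. Hostname, syslog
# timestamp prefix and the RFC 5737 addresses are assumptions, not real sites.
SAMPLE_LOG = """\
May 21 00:10:03 m0n0-siteB racoon: INFO: ISAKMP-SA expired 203.0.113.2[500]-198.51.100.1[500] spi:cb2b3bbe4bd3d423:08480b08b3165819
May 21 00:10:03 m0n0-siteB racoon: INFO: ISAKMP-SA deleted 203.0.113.2[500]-198.51.100.1[500] spi:cb2b3bbe4bd3d423:08480b08b3165819
May 21 00:10:05 m0n0-siteB racoon: INFO: ISAKMP-SA deleted 203.0.113.2[500]-198.51.100.9[500] spi:0123456789abcdef:fedcba9876543210
May 21 00:11:40 m0n0-siteB racoon: INFO: ISAKMP-SA established 203.0.113.2[500]-198.51.100.9[500] spi:1111111111111111:2222222222222222
May 21 00:40:00 m0n0-siteB racoon: INFO: purged IPsec-SA proto_id=ESP spi=305419896
"""

# Time at which the check is run (constructed); use datetime.now() on a live box.
CHECK_TIME = datetime(2008, 5, 21, 0, 40)

# Matches the expired/deleted lines from the thread plus racoon's "established" line.
SA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ racoon: INFO: ISAKMP-SA "
    r"(?P<event>established|expired|deleted) "
    r"(?P<local>[\d.]+)\[\d+\]-(?P<peer>[\d.]+)\[\d+\] spi:(?P<spi>[0-9a-f:]+)$"
)

def parse_events(log_text, year=2008):
    """Return (time, event, peer_ip, spi) for every ISAKMP-SA line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SA_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies one
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["event"], m["peer"], m["spi"]))
    return events

def stale_peers(events, now, grace=timedelta(minutes=2)):
    """Peers whose last ISAKMP-SA deletion was not followed by a new SA within grace.

    Returns {peer_ip: whole minutes since the deletion}.
    """
    last_deleted, re_established = {}, set()
    for ts, event, peer, _spi in sorted(events):
        if event == "deleted":
            last_deleted[peer] = ts
            re_established.discard(peer)  # a fresh deletion cancels an earlier recovery
        elif event == "established" and peer in last_deleted:
            re_established.add(peer)
    return {peer: int((now - ts).total_seconds() // 60)
            for peer, ts in last_deleted.items()
            if peer not in re_established and now - ts > grace}

if __name__ == "__main__":
    for peer, mins in stale_peers(parse_events(SAMPLE_LOG), CHECK_TIME).items():
        print(f"peer {peer}: ISAKMP-SA deleted {mins} min ago and not re-established")
```

Run against the branch office's syslog archive, the check shows which main-office peer lost its phase 1 SA at the reboot and for how long, while a peer that renegotiated within the grace period is not reported.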
« Reply #3 on: June 02, 2008, 13:42:14 »
ET *
Posts: 25

Well the problem for me was the <dpddelay>60</dpddelay> setting.
In my case when set to 60 seconds the tunnel would never reestablish.
When set to 10 seconds the tunnel would reestablish after 20 - 30 minutes.
After experimenting with settings for dpddelay I noticed that disabling this function reduced the time between reestablishing the tunnel to 2 minutes.
My only wish is that the tunnel would reestablish when traffic passes the vpn, so that I don't have to wait 2 minutes for the vpn to work.