Topic: IPSEC tunnels on 1.3b13 do not work at all  (Read 2741 times)
« on: July 31, 2008, 14:10:23 »
witekprytek *
Posts: 4

Hi all. I cannot get an IPSEC tunnel working between two m0n0walls with m0n0wall version 1.3b13 installed.

Both machines have public IP addresses. On both I had established an IPSEC tunnel on an older version of m0n0wall.

After upgrading to version 1.3b13 the tunnel does not come up.
I have removed the tunnels and configured them again, but without success. No IPsec security associations.
I cannot see anything in the log files which would show that m0n0wall tries to start IPSEC.
How can I debug it?
Is it possible to manually restart IPSEC?

With best regards to all....


I have found something like the following in the log files after restarting IPSEC.
I do not know what could be the source of the
"racoon: ERROR: such policy already exists. anyway replace it:" error. I am not able to find any duplicated rules in the firewall or network configuration.
I have not enabled NAT-T in the IPSEC tunnel configuration.

My m0n0wall has the 192.168.111.0/24 network on the LAN side with IP address 192.168.111.10, and it is configured for use in IPSEC.

Jul 31 14:29:38 192.168.111.10 racoon: INFO: @(#)ipsecf-tools 0.7 (http://ipsec-tools.sourceforge.net)
Jul 31 14:29:38 192.168.111.10 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jul 31 14:29:38 192.168.111.10 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 10.100.100.100[500] used as isakmp port (fd=8)
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 10.100.100.100[500] used for NAT-T
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 192.168.101.10[500] used as isakmp port (fd=9)
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 192.168.101.10[500] used for NAT-T
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 172.21.50.10[500] used as isakmp port (fd=10)
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 172.21.50.10[500] used for NAT-T
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 192.168.10.253[500] used as isakmp port (fd=11)
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 192.168.10.253[500] used for NAT-T
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 127.0.0.1[500] used for NAT-T
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 87.xxx.18.1[500] used as isakmp port (fd=13)
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 87.xxx.18.1[500] used for NAT-T
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 192.168.111.10[500] used as isakmp port (fd=14)
Jul 31 14:29:38 192.168.111.10 racoon: INFO: 192.168.111.10[500] used for NAT-T
Jul 31 14:29:38 192.168.111.10 racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.0/24[0] 192.168.111.10/32[0] proto=any dir=in
Jul 31 14:29:38 192.168.111.10 racoon: ERROR: such policy already exists. anyway replace it: 192.168.111.10/32[0] 192.168.111.0/24[0] proto=any dir=out



The strange thing is that on the second m0n0wall I have a similar message in the log:
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.231/32[0] 192.168.1.0/24[0] proto=any dir=out
192.168.1.0/24 is the LAN of this m0n0wall and .231 is the LAN interface IP address.

...any suggestions?
« Last Edit: July 31, 2008, 16:27:21 by witekprytek »
« Reply #1 on: August 10, 2008, 22:01:46 »
witekprytek *
Posts: 4

I really don't know what could be wrong.
The tunnels are configured correctly. Both sides have public IPs on WAN.
Both sides have different LAN subnets, and these subnets are set as the ends of the tunnels.
The firewall is open for ESP, AH and IKE for both sides, and for the LAN subnets at the ends of the tunnel.
One m0n0wall is based on the generic PC version 1.3b13, the second on an ALIX motherboard, also with 1.3b13.

All other IPSEC parameters are identical on both ends.

And on both ends this same racoon error appears in the log:

ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.231/32[0] proto=any dir=in
Aug 10 21:43:27 192.168.1.231 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.231/32[0] 192.168.1.0/24[0] proto=any dir=out

and on the second m0n0wall:
racoon: ERROR: such policy already exists. anyway replace it: 192.168.11.1/32[0] 192.168.11.0/24[0] proto=any dir=out
Aug 10 19:43:42 racoon: ERROR: such policy already exists. anyway replace it: 192.168.11.0/24[0] 192.168.1.0/24[0] proto=any dir=out

This error always appears when I try to make some changes in IPSEC and restart the tunnel. It does not matter what subnet I set in IPSEC as the local end of the tunnel. Racoon always shows errors about an "existing policy" for the LAN IP and LAN subnet.


Does somebody know what this error means?
I have no other errors which could be the reason why IPsec does not work.



« Reply #2 on: August 11, 2008, 05:56:19 »
ChainSaw
Guest

It might be helpful if you could post a typical tunnel configuration.

CS...
« Reply #3 on: August 11, 2008, 22:52:18 »
witekprytek *
Posts: 4

It might be helpful if you could post a typical tunnel configuration.

CS...
m0n0wall_1:
LAN: 192.168.1.0/24, LAN IP 192.168.1.231
WAN 79.1XX.XXX.1/24

DPD 10 sec
IPSEC Interface WAN
Local Net - LAN subnet
Remote subnet: 192.168.11.0/24
Remote gateway: 89.1XX.XXX.10/24 (WAN IP of m0n0wall_2)
Description: m0n0-to-m0n0-test


Phase 1
Negotiation mode Aggressive
My identifier My IP address
Encryption Algorithm 3DES
Hash Algorithm SHA1
DH key group 2
Lifetime 28800
Auth method PSK
PSK mypsk@testm0n0

Phase 2
Protocol ESP
Encryption Algorithm: 3DES, Blowfish
Hash algorithms SHA1, MD5
PFS key group 2
Lifetime 64400

m0n0wall_2:
LAN: 192.168.11.0/24, LAN IP 192.168.11.1
WAN 89.1XX.XXX.10/24

DPD 10 sec
IPSEC Interface WAN
Local Net - LAN subnet
Remote subnet: 192.168.1.0/24
Remote gateway: 79.1XX.XXX.1/24 (WAN IP of m0n0wall_1)
Description: m0n0-to-m0n0-test

Phase 1
Negotiation mode Aggressive
My identifier My IP address
Encryption Algorithm 3DES
Hash Algorithm SHA1
DH key group 2
Lifetime 28800
Auth method PSK
PSK mypsk@testm0n0

Phase 2
Protocol ESP
Encryption Algorithm: 3DES, Blowfish
Hash algorithms SHA1, MD5
PFS key group 2
Lifetime 64400

policy m0n0_1
IPSEC policy open any to any
LAN policy
from LAN to any pass
from remote subnet to LAN open any
WAN:
pass ESP, AH, UDP port 500

policy m0n0_2
IPSEC policy open any to any
LAN policy
from LAN to any pass
from remote subnet to LAN open any
WAN:
pass ESP, AH, UDP port 500
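
The log lines in Reply #1 and the tunnel settings in Reply #3 are enough to check which SPD entries racoon is actually complaining about. The script below is an added example for this thread, not code from m0n0wall or ipsec-tools: it parses the "such policy already exists" lines quoted above, classifies each reported policy as the LAN-subnet-to-firewall-address pair, one of the tunnel's own local-to-remote entries, or something else, and renders the two setkey(8) spdadd lines a LAN-to-LAN ESP tunnel needs so they can be compared with the output of `setkey -DP` on the box. The `Tunnel` and `Policy` records, the `audit` function and the `/require` policy level are this example's own choices; the masked WAN addresses (79.1XX.XXX.1, 89.1XX.XXX.10) are carried over from the post as placeholders. Run on the quoted lines, it reports that on m0n0wall_1 both warnings concern only the LAN-to-interface pair, while on m0n0wall_2 one of the two is the tunnel's outbound policy.

```python
"""Classify the SPD entries named in racoon "such policy already exists" log lines.

Added example for this thread; not code from m0n0wall or ipsec-tools. The sample
log lines are the ones quoted in Reply #1, and the two Tunnel records mirror the
settings posted in Reply #3 (WAN addresses are masked there; kept as placeholders).
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# racoon prints the SPD index as: <src>[port] <dst>[port] proto=<p> dir=<in|out>
POLICY_RE = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(?P<src>[\d.]+/\d+)\[\d+\] (?P<dst>[\d.]+/\d+)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str


@dataclass(frozen=True)
class Tunnel:
    """One side of a LAN-to-LAN tunnel (field names are this example's own)."""
    lan_net: str     # local subnet ("Local Net - LAN subnet")
    lan_ip: str      # firewall's own LAN address
    remote_net: str  # "Remote subnet"
    wan_ip: str      # local tunnel endpoint
    remote_gw: str   # "Remote gateway"


def parse_policy_lines(lines):
    """Return a Policy for every line carrying the warning; other lines are skipped."""
    found = []
    for line in lines:
        m = POLICY_RE.search(line)
        if m:
            found.append(Policy(ipaddress.ip_network(m["src"]),
                                ipaddress.ip_network(m["dst"]),
                                m["proto"], m["dir"]))
    return found


def classify(policy, tunnel):
    """'lan-local': LAN subnet <-> firewall address (not tunnel traffic);
    'tunnel': local subnet <-> remote subnet; 'other': anything else."""
    lan = ipaddress.ip_network(tunnel.lan_net)
    host = ipaddress.ip_network(tunnel.lan_ip + "/32")
    remote = ipaddress.ip_network(tunnel.remote_net)
    ends = {policy.src, policy.dst}
    if ends == {lan, host}:
        return "lan-local"
    if ends == {lan, remote}:
        return "tunnel"
    return "other"


def audit(lines, tunnel):
    """Count the warned-about SPD entries per class for one firewall's log."""
    counts = Counter(classify(p, tunnel) for p in parse_policy_lines(lines))
    return {k: counts.get(k, 0) for k in ("lan-local", "tunnel", "other")}


def expected_spd_lines(tunnel):
    """The two setkey(8) entries a LAN-to-LAN ESP tunnel needs (compare with `setkey -DP`)."""
    return [
        f"spdadd {tunnel.lan_net} {tunnel.remote_net} any -P out ipsec "
        f"esp/tunnel/{tunnel.wan_ip}-{tunnel.remote_gw}/require;",
        f"spdadd {tunnel.remote_net} {tunnel.lan_net} any -P in ipsec "
        f"esp/tunnel/{tunnel.remote_gw}-{tunnel.wan_ip}/require;",
    ]


# Tunnel definitions from Reply #3 (WAN addresses are the post's masked placeholders).
M0N0WALL_1 = Tunnel("192.168.1.0/24", "192.168.1.231", "192.168.11.0/24",
                    "79.1XX.XXX.1", "89.1XX.XXX.10")
M0N0WALL_2 = Tunnel("192.168.11.0/24", "192.168.11.1", "192.168.1.0/24",
                    "89.1XX.XXX.10", "79.1XX.XXX.1")

# Log lines as quoted in Reply #1.
LOG_M0N0WALL_1 = [
    "ERROR: such policy already exists. anyway replace it: "
    "192.168.1.0/24[0] 192.168.1.231/32[0] proto=any dir=in",
    "Aug 10 21:43:27 192.168.1.231 racoon: ERROR: such policy already exists. "
    "anyway replace it: 192.168.1.231/32[0] 192.168.1.0/24[0] proto=any dir=out",
]
LOG_M0N0WALL_2 = [
    "racoon: ERROR: such policy already exists. anyway replace it: "
    "192.168.11.1/32[0] 192.168.11.0/24[0] proto=any dir=out",
    "Aug 10 19:43:42 racoon: ERROR: such policy already exists. anyway replace it: "
    "192.168.11.0/24[0] 192.168.1.0/24[0] proto=any dir=out",
]

if __name__ == "__main__":
    for name, log, tun in (("m0n0wall_1", LOG_M0N0WALL_1, M0N0WALL_1),
                           ("m0n0wall_2", LOG_M0N0WALL_2, M0N0WALL_2)):
        print(name, audit(log, tun))
        for p in parse_policy_lines(log):
            print("  ", classify(p, tun), p.src, "->", p.dst, p.direction)
        print("  expected SPD:", *expected_spd_lines(tun), sep="\n    ")
```

In ipsec-tools this message comes from racoon's PF_KEY handler when the kernel reports an SPD add for an index racoon already holds in its policy table; racoon replaces the entry and carries on, so the line by itself only tells you which policies were re-added, not why no SA was negotiated. The classification above narrows that down: a warning on the LAN-to-interface pair says nothing about the tunnel, whereas a warning on a local-to-remote entry shows the tunnel's own policy was present and re-installed. Whether the tunnel policies are there at all is answered by `setkey -DP`, which is what the rendered spdadd lines are meant to be compared with.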


 