Topic: m0n0wall -> Astaro gateway troubles; IPSEC  (Read 5173 times)
« on: April 05, 2007, 22:10:32 »
airzonk *
Posts: 8
I am trying to set up a VPN tunnel from my m0n0wall to a partner company; they use an Astaro gateway device.

Locally, m0n0wall is doing DHCP at 15.1.1.1 for my LAN.  WAN IP is one provided by AT&T for our DSL (static, non-PPPoE).  When we were evaluating an Astaro gateway, the IPsec tunnel worked, but not now.

Here's my setup:

Tunnel:
Interface: WAN
Local subnet: LAN subnet
Remote subnet: 192.168.111.0 / 24
Remote gateway: xxx.xxx.xxx.xxx (partner's remote gateway)

Phase 1: Main
IP address: (my WAN IP address)
Encryption Algorithm: 3DES
Hash Algorithm: MD5
DH key group: 2
Lifetime: 7800 seconds
Authentication: Pre-shared key: supposedly_correct_key

Phase 2 proposal:
Protocol: ESP
Encryption Algorithm: 3DES
Hash Algorithm: MD5
PFS key group: off
Lifetime: 7800 seconds

I get this on my side:
Apr 5 11:48:10    racoon: INFO: IPsec-SA request for [remote Astaro IP] queued due to no phase1 found.
Apr 5 11:48:10    racoon: INFO: initiate new phase 1 negotiation: [My WAN IP][500]<=>[Remote Astaro IP][500]
Apr 5 11:48:10    racoon: INFO: begin Identity Protection mode.
Apr 5 11:48:16    racoon: ERROR: couldn't find configuration.
Apr 5 11:48:36    racoon: ERROR: couldn't find configuration.
Apr 5 11:48:41    racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP [Remote Astaro IP][0]->[My WAN IP][0]
Apr 5 11:48:41    racoon: INFO: delete phase 2 handler.
Apr 5 11:49:10    racoon: ERROR: phase1 negotiation failed due to time up. 6b40c833db7d5e3d:0000000000000000

Now, on his end, he has said he has an identical setup (except in reverse where it matters, of course) and gets this in his logs:

STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 15s; nodpd

I really want to get this working.  Where do I start trying to troubleshoot this?  What should I do?

Thanks
« Reply #1 on: April 06, 2007, 01:39:11 »
darklogic *
Posts: 45

OK, here's a start: you are using DSL. I think the standard MTU for DSL is like 1200; most other ISPs range from 1400-1500. It almost seems to be a couple of issues. I noticed your configuration is correct. Under the Advanced tab, check the box that says "allow fragmented packets". If the MTU is something different, this may clear up your issues. If not, check to see what your MTU is and make corrections if needed.

Also, I would try changing a few things in your IPsec config. Yes, it is correct how you have the m0n0wall set up, but try changing Phase 1 from main to aggressive.

Also try changing the hash from MD5 to SHA1.
« Reply #2 on: April 09, 2007, 16:33:28 »
airzonk *
Posts: 8

None of these suggestions worked.

In the diagnostics area, for IPSec, there are no security associations listed, which I read somewhere was a problem.

Now, is there any way I can use /exec.php to find out additional information?

What else could I try?

Thanks
« Reply #3 on: April 09, 2007, 23:45:00 »
cmb *****
Posts: 851

If you don't have any SA's, you have a setting mismatch somewhere.
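The troubleshooting in this thread can be made mechanical: diff both sides' Phase 1 / Phase 2 settings (cmb's point that no SA means a mismatch), and read the racoon log lines from the first post to see at which stage the exchange stalls. The Python below is an added example; it is not code from the thread, from m0n0wall or from Astaro. It assumes the meaning of racoon's "couldn't find configuration" message (logged on the responder path when an inbound Phase 1 arrives from an address that matches no configured remote gateway), uses RFC 5737 documentation addresses in place of the redacted WAN and Astaro IPs, and invents a peer proposal set that differs in DH group and PFS purely to show what a mismatch report looks like. Function and constant names are the example's own.

```python
"""Triage helper for a stalled IKEv1 tunnel between m0n0wall (racoon) and a peer.

Two checks worth running before changing settings at random:
1. compare_proposals(): diff both sides' Phase 1 / Phase 2 settings field by field.
2. triage_racoon_log(): classify racoon log lines and say at which stage it stalls.
"""
import re

# LOCAL mirrors the m0n0wall settings in the original post.
LOCAL = {
    "phase1": {"mode": "main", "enc": "3des", "hash": "md5", "dh_group": 2,
               "lifetime": 7800, "auth": "psk"},
    "phase2": {"proto": "esp", "enc": "3des", "hash": "md5", "pfs_group": None,
               "lifetime": 7800},
}
# REMOTE is constructed for illustration (the partner's real settings are not in the
# thread): identical to LOCAL except Phase 1 DH group 5 and Phase 2 PFS group 2.
REMOTE = {
    "phase1": {"mode": "main", "enc": "3des", "hash": "md5", "dh_group": 5,
               "lifetime": 7800, "auth": "psk"},
    "phase2": {"proto": "esp", "enc": "3des", "hash": "md5", "pfs_group": 2,
               "lifetime": 7800},
}

# Fields where any difference prevents the SA from forming. Lifetime is reported
# separately because an IKEv1 responder usually accepts a shorter proposed lifetime.
HARD_FIELDS = {
    "phase1": ("mode", "enc", "hash", "dh_group", "auth"),
    "phase2": ("proto", "enc", "hash", "pfs_group"),
}


def compare_proposals(local, remote):
    """Return (blocking, warnings) as lists of 'phaseN.field: local != remote' strings."""
    blocking, warnings = [], []
    for phase, fields in HARD_FIELDS.items():
        for name in fields:
            a, b = local[phase].get(name), remote[phase].get(name)
            if a != b:
                blocking.append(f"{phase}.{name}: {a!r} != {b!r}")
        a, b = local[phase].get("lifetime"), remote[phase].get("lifetime")
        if a != b:
            warnings.append(f"{phase}.lifetime: {a} != {b} (usually negotiable)")
    return blocking, warnings


# Constructed racoon excerpt mirroring the lines in the post; RFC 5737 documentation
# addresses (198.51.100.10 = our WAN, 203.0.113.20 = peer) replace the redacted IPs.
SAMPLE_LOG = """\
Apr 5 11:48:10 racoon: INFO: IPsec-SA request for 203.0.113.20 queued due to no phase1 found.
Apr 5 11:48:10 racoon: INFO: initiate new phase 1 negotiation: 198.51.100.10[500]<=>203.0.113.20[500]
Apr 5 11:48:10 racoon: INFO: begin Identity Protection mode.
Apr 5 11:48:16 racoon: ERROR: couldn't find configuration.
Apr 5 11:48:36 racoon: ERROR: couldn't find configuration.
Apr 5 11:48:41 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.20[0]->198.51.100.10[0]
Apr 5 11:48:41 racoon: INFO: delete phase 2 handler.
Apr 5 11:49:10 racoon: ERROR: phase1 negotiation failed due to time up. 6b40c833db7d5e3d:0000000000000000
"""

INITIATE_RE = re.compile(r"initiate new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")


def triage_racoon_log(text):
    """Classify racoon log lines; returns counters plus a one-line verdict."""
    s = {"local": None, "initiated_to": None, "no_config": 0,
         "phase1_timeout": False, "phase2_waiting": False, "sa_established": False}
    for line in text.splitlines():
        m = INITIATE_RE.search(line)
        if m:
            s["local"], s["initiated_to"] = m.group(1), m.group(2)
        elif "couldn't find configuration" in line:
            # Responder path: an inbound Phase 1 arrived from an address that matches
            # no configured remote gateway (assumed meaning of this racoon message).
            s["no_config"] += 1
        elif "failed due to time up waiting for phase1" in line:
            s["phase2_waiting"] = True
        elif "phase1 negotiation failed due to time up" in line:
            s["phase1_timeout"] = True
        elif "ISAKMP-SA established" in line or "IPsec-SA established" in line:
            s["sa_established"] = True

    if s["sa_established"]:
        s["verdict"] = "ok: SA established"
    elif s["no_config"] and s["phase1_timeout"]:
        s["verdict"] = ("endpoint mismatch: inbound IKE from an address with no matching "
                        f"tunnel, and our own Phase 1 to {s['initiated_to']} got no reply; "
                        "verify the remote gateway address on both sides before touching proposals")
    elif s["phase1_timeout"]:
        s["verdict"] = (f"no reply from {s['initiated_to']}: check reachability of UDP/500 "
                        "and that the peer has a tunnel for our WAN address")
    elif s["no_config"]:
        s["verdict"] = "peer reached us from an address that matches no configured tunnel"
    else:
        s["verdict"] = "inconclusive: no Phase 1 errors in this excerpt"
    return s


if __name__ == "__main__":
    blocking, warnings = compare_proposals(LOCAL, REMOTE)
    print("blocking:", blocking)
    print("warnings:", warnings)
    print(triage_racoon_log(SAMPLE_LOG)["verdict"])
```

On the log excerpt from the first post, the combination of repeated "couldn't find configuration" (someone is knocking from an address we have no tunnel for) with our own Phase 1 timing out, while the peer's pluto sits at STATE_MAIN_I1 waiting for MR1, points at the gateway addresses rather than at MTU or algorithm choices; run the proposal diff only once both sides at least exchange the first Main Mode messages.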
« Reply #4 on: April 09, 2007, 23:52:15 »
airzonk *
Posts: 8

If you don't have any SA's, you have a setting mismatch somewhere.

It turned out our business partner's IP was wrong.

Then after we got that working, he was using a 3DES setting incompatible with mine.  We switched to Blowfish and all is well.

Wow.  Go m0n0wall!  Just saved my company a few thousand bucks instead of using a commercial product.

--Gabe