Topic: Site-to-Site VPN with IPSEC using M0n0wall  (Read 2256 times)
« on: December 04, 2008, 12:08:35 »
r00ster *
Posts: 5

Guys,

As a school assignment I have to build a site-to-site VPN between two m0n0wall firewalls. I've tried setting this up using various manuals but it doesn't seem to work so far. The general idea is to have two companies connected to each other's network.

I'm able to ping both firewalls (on the WAN side) with the built-in ping utility in the web interface of m0n0wall, so I can conclude that the connection itself is there. Also I read somewhere to allow ESP traffic, so I've applied a rule on the WAN interface of both firewalls to pass the protocol ESP from any source on any port to any destination.

So I don't know if my initial config is right:

SuperStar-GAT01
WAN IP: 192.168.1.2
Subnet: 255.255.255.0 (/24)

LAN IP: 192.168.3.1
Subnet: 255.255.255.0 (/24)

DMZ ip: 192.168.2.1
Subnet: 255.255.255.0 (/24) (shouldn't be in the site-to-site VPN)



SuperStar-GAT02
WAN IP: 192.168.1.3
Subnet: 255.255.255.0 (/24)

LAN IP: 192.168.3.2
Subnet: 255.255.255.0 (/24)

Both machines are connected to a linksys router which has the IP 192.168.1.1 (gateway of both firewalls)

I've setup both machines using the same settings except the Remote subnet and Remote gateway.


The config of SuperStar-GAT01
Mode: Tunnel
Disabled: not checked
Interface: WAN
Local Subnet: Type: Lan Subnet

Remote subnet: 192.168.3.0 / 24
Remote gateway: 192.168.1.3               (The WAN IP of SuperStar-GAT02)

Phase 1
Negotiation mode: Aggressive
My identifier: My IP address
Encryption algorithm: 3DES
Hash Algorithm: SHA1
DH Key Group: 2
Lifetime:                                                   (Blank)
Authentication mode: Pre-Shared key
Pre-Shared key: EIC7APNb                      (the firewall won't be reachable over the internet so....)

Certificate: (Blank)
Key: (Blank)
Peer certificate: (Blank)

Phase 2
Protocol: ESP

Encryption algorithms:
  [ ] DES                              (so not checked)
  [v] 3DES
  [v] Blowfish
  [v] CAST128
  [v] Rijndael (AES)

Hash algorithm:
  [v] SHA1
  [v] MD5

PFS key group: off
Lifetime: (Blank)


The config of SuperStar-GAT02
Mode: Tunnel
Disabled: not checked
Interface: WAN
Local Subnet: Type: Lan Subnet

Remote subnet: 192.168.3.0 / 24
Remote gateway: 192.168.1.2               (The WAN IP of SuperStar-GAT01)

Phase 1
Negotiation mode: Aggressive
My identifier: My IP address
Encryption algorithm: 3DES
Hash Algorithm: SHA1
DH Key Group: 2
Lifetime:                                                   (Blank)
Authentication mode: Pre-Shared key
Pre-Shared key: EIC7APNb                      (the same as SuperStar-GAT01)

Certificate: (Blank)
Key: (Blank)
Peer certificate: (Blank)

Phase 2
Protocol: ESP

Encryption algorithms:
  [ ] DES                              (so not checked)
  [v] 3DES
  [v] Blowfish
  [v] CAST128
  [v] Rijndael (AES)

Hash algorithm:
  [v] SHA1
  [v] MD5

PFS key group: off
Lifetime: (Blank)


I've saved the config and applied it, but there is no way to see if the connection is made; I cannot ping from one workstation on one network to the other network.

Please help me out here,

Thanks,
r00ster
« Reply #1 on: December 04, 2008, 15:39:27 »
Fred Grayson *****
Posts: 994

I see that on both sides you have the LANs in the same network. This is not allowed. Change one of them.


--
Google is your friend and Bob's your uncle.
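The mistake Fred points at (both LAN subnets on 192.168.3.0/24) is easy to miss when copying one side's settings to the other, so here is the check a reviewer would run over a pair of tunnel definitions before blaming the firewalls. This is an added example written for this thread, not m0n0wall code and not anything from the forum; the `Endpoint` record and `check_pair` function are hypothetical and simply mirror the fields listed in the original post (WAN IP, LAN subnet, remote subnet, remote gateway, phase 1 proposal, pre-shared key). The "fixed" pair assumes, beyond what r00ster wrote, that GAT01's remote subnet was also changed to 192.168.4.0/24 once GAT02's LAN moved there.

```python
"""Consistency check for a pair of site-to-site IPsec tunnel definitions.

Added example for the thread above; not m0n0wall code. The data model is
hypothetical and mirrors the fields from the forum post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Endpoint:
    name: str
    wan_ip: str
    lan_subnet: str        # what "Local Subnet: Type: LAN subnet" resolves to
    remote_subnet: str
    remote_gateway: str
    phase1: dict           # negotiation mode, encryption, hash, DH group
    psk: str


def check_pair(a: Endpoint, b: Endpoint) -> list[str]:
    """Return the list of problems found; an empty list means the pair is consistent."""
    problems: list[str] = []
    lan_a, lan_b = ip_network(a.lan_subnet), ip_network(b.lan_subnet)

    # The thread's bug: identical (or merely overlapping) LANs on both ends.
    # Routing needs the two protected networks to be distinct; otherwise a
    # host cannot tell a local address from one that should go into the tunnel.
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets overlap: {a.name} {lan_a} vs {b.name} {lan_b}")

    # Symmetry: my remote subnet is the peer's LAN, my remote gateway is the peer's WAN IP.
    for me, peer in ((a, b), (b, a)):
        if ip_network(me.remote_subnet) != ip_network(peer.lan_subnet):
            problems.append(f"{me.name}: remote subnet {me.remote_subnet} "
                            f"is not {peer.name}'s LAN {peer.lan_subnet}")
        if ip_address(me.remote_gateway) != ip_address(peer.wan_ip):
            problems.append(f"{me.name}: remote gateway {me.remote_gateway} "
                            f"is not {peer.name}'s WAN IP {peer.wan_ip}")

    # Phase 1 must be proposed identically on both sides or the IKE SA never forms.
    if a.phase1 != b.phase1:
        problems.append("phase 1 proposals differ")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    return problems


PHASE1 = {"mode": "aggressive", "enc": "3des", "hash": "sha1", "dh": 2}
PSK = "EIC7APNb"   # the key from the post; the poster notes the boxes are not internet-reachable


def thread_configs() -> tuple[Endpoint, Endpoint]:
    """The two endpoints exactly as posted (constructed from the thread's values)."""
    gat01 = Endpoint("SuperStar-GAT01", "192.168.1.2", "192.168.3.0/24",
                     "192.168.3.0/24", "192.168.1.3", dict(PHASE1), PSK)
    gat02 = Endpoint("SuperStar-GAT02", "192.168.1.3", "192.168.3.0/24",
                     "192.168.3.0/24", "192.168.1.2", dict(PHASE1), PSK)
    return gat01, gat02


def fixed_configs() -> tuple[Endpoint, Endpoint]:
    """After knightmb's suggestion: GAT02's LAN moved to 192.168.4.0/24.
    Assumption (not stated in the thread): GAT01's remote subnet follows it."""
    gat01, gat02 = thread_configs()
    gat02.lan_subnet = "192.168.4.0/24"
    gat01.remote_subnet = "192.168.4.0/24"
    return gat01, gat02


if __name__ == "__main__":
    for label, pair in (("as posted", thread_configs()), ("after fix", fixed_configs())):
        found = check_pair(*pair)
        print(f"{label}: {found or 'no problems'}")
```

Run as posted it reports the overlapping LANs and nothing else, which matches the thread: every other field was already symmetric, so the tunnel had a single routing problem rather than an IKE problem. After the subnet change the check comes back clean. The script only tests consistency, not strength; the proposal it passes (aggressive mode with a pre-shared key, 3DES, MD5 among the phase 2 hashes) is what the post used in 2008 and is not what one would pick for a new deployment.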
« Reply #2 on: December 04, 2008, 16:43:45 »
knightmb ****
Posts: 341

LAN IPs need to be different.

Try 192.168.4.1 for the second machine.

Radius Service for m0n0wall Captive Portal - http://amaranthinetech.com
« Reply #3 on: December 04, 2008, 17:42:45 »
r00ster *
Posts: 5

I changed the IP of SuperStar-GAT02 and it works!

Thanks for the help!

r00ster