Topic: ipsec 2 monowall boxes  (Read 2834 times)
« on: January 20, 2009, 21:03:02 »
daanemans *
Posts: 1

Hi All

We use m0n0wall-to-m0n0wall IPsec tunnels. We have about 20 boxes in the field. Normally the IPsec is no problem, until today.

Today we had to set up 2 new systems with the latest version.

Config box 1: head office

LAN IP                  -> 192.168.0.1
Subnet                  -> 255.255.255.0
WAN IP                  -> ISP WAN IP

Local subnet type       -> LAN subnet
Remote subnet           -> 10.224.86.0/24
Remote gateway          -> WAN IP sub office

Phase 1

Negotiation mode        -> aggressive
My identifier           -> My IP address
EA                      -> 3DES
Hash algorithm          -> SHA1
DH key                  -> 2
Lifetime                -> 28800
Authentication method   -> preshared key
bla bla bla
Certificate             -> empty
Key                     -> empty
Peer certificate        -> empty

Phase 2

Protocol                -> ESP
Encryption algorithms   [ ] DES (not checked)
                        [v] 3DES
                        [v] Blowfish
                        [v] CAST128
                        [v] Rijndael
Hash algorithm          -> MD5
PFS key                 -> off
Lifetime                -> 86400


Config box 2: sub office

LAN IP                  -> 10.224.86.1
Subnet mask             -> 255.255.255.0
WAN IP                  -> from ISP

Local subnet type       -> LAN subnet
Remote subnet           -> 192.168.0.0/24
Remote gateway          -> WAN IP head office

Phase 1

Negotiation mode        -> aggressive
My identifier           -> My IP address
EA                      -> 3DES
HA                      -> SHA1
DH key                  -> 2
Lifetime                -> 28800
Authentication method   -> preshared key
bla bla bla
Certificate             -> empty
Key                     -> empty
Peer certificate        -> empty

Phase 2

Protocol                -> ESP
Encryption algorithms   [ ] DES (not checked)
                        [v] 3DES
                        [v] Blowfish
                        [v] CAST128
                        [v] Rijndael
Hash algorithm          -> MD5
PFS key                 -> off
Lifetime                -> 86400

It seems to me this has to work, but the log says:

racoon: ERROR: such policy already exists. anyway replace it: 10.224.86.0/24[0] 10.224.86.1/32[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 10.224.86.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 10.224.86.1/32[0] 10.224.86.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 10.224.86.0/24[0] 192.168.0.0/24[0] proto=any dir=out

Can someone help me, because I'm tearing my hair out.

greets
Daan
« Last Edit: January 20, 2009, 21:26:58 by daanemans »
« Reply #1 on: March 10, 2009, 07:16:03 »
jl.server *
Posts: 1

I suggest you change the setting "My identifier" to "My domain name" and use a domain name or email address, such as test@test.com. Please try it.
« Reply #2 on: March 10, 2009, 22:27:08 »
ChainSaw
Guest

I would upgrade to 1.3b15, make the following changes and give it a try:

DPD interval            -> 60

Phase 1:
Negotiation mode        -> main
EA                      -> AES
Lifetime                -> 172800

Phase 2:
Encryption algorithms   -> only Rijndael (AES) checked
Hash algorithm          -> SHA1
PFS key                 -> 2

CS...
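As an added example (not code from the thread, from m0n0wall or from racoon), the following script does the two checks a reader would want to make on the configuration posted in the first question and on the changes ChainSaw suggests: it verifies that the two tunnel definitions mirror each other (each side's LAN subnet is the other side's remote subnet, and phase 1 and phase 2 proposals agree), lists which of the original settings ChainSaw's reply recommends changing, and parses the four quoted racoon lines into the SPD entries they describe so the LAN-to-LAN pair can be told apart from the extra /32 entries. The two dicts are a transcription of the posted settings with the pre-shared key left out; the racoon lines are assumed to come from the sub-office box, since they name its LAN address 10.224.86.1.

```python
"""Consistency and hardening checks for the two m0n0wall IPsec tunnel
definitions quoted in the thread, plus a parser for racoon's
'such policy already exists' messages. Constructed example."""
import re

# Constructed transcription of the posted head-office definition (PSK omitted).
HEADOFFICE = {
    "lan": "192.168.0.0/24",
    "remote_subnet": "10.224.86.0/24",
    "p1": {"mode": "aggressive", "identifier": "my ip address", "enc": "3DES",
           "hash": "SHA1", "dh": 2, "lifetime": 28800},
    "p2": {"proto": "ESP",
           "enc": frozenset({"3DES", "Blowfish", "CAST128", "Rijndael"}),
           "hash": "MD5", "pfs": 0, "lifetime": 86400},
}
# Constructed transcription of the posted sub-office definition: same proposals,
# subnets swapped.
SUBOFFICE = {
    "lan": "10.224.86.0/24",
    "remote_subnet": "192.168.0.0/24",
    "p1": dict(HEADOFFICE["p1"]),
    "p2": dict(HEADOFFICE["p2"]),
}


def check_mirror(a, b):
    """Each side's LAN subnet must be the other side's remote subnet."""
    problems = []
    if a["lan"] != b["remote_subnet"]:
        problems.append(f"A lan {a['lan']} != B remote {b['remote_subnet']}")
    if b["lan"] != a["remote_subnet"]:
        problems.append(f"B lan {b['lan']} != A remote {a['remote_subnet']}")
    return problems


def check_proposals(a, b):
    """Phase 1/2 settings must match; phase 2 ciphers only need an overlap."""
    problems = []
    for phase in ("p1", "p2"):
        for key, value in a[phase].items():
            other = b[phase].get(key)
            if phase == "p2" and key == "enc":
                if not (value & other):
                    problems.append("p2.enc: no cipher in common")
            elif value != other:
                problems.append(f"{phase}.{key}: {value!r} vs {other!r}")
    return problems


def hardening_findings(cfg):
    """Settings ChainSaw's reply changes, as (setting, current, suggested)."""
    findings = []
    if cfg["p1"]["mode"] == "aggressive":
        findings.append(("p1.mode", "aggressive", "main"))
    if cfg["p1"]["enc"] != "AES":
        findings.append(("p1.enc", cfg["p1"]["enc"], "AES"))
    if cfg["p2"]["enc"] != frozenset({"Rijndael"}):
        findings.append(("p2.enc", sorted(cfg["p2"]["enc"]), ["Rijndael"]))
    if cfg["p2"]["hash"] != "SHA1":
        findings.append(("p2.hash", cfg["p2"]["hash"], "SHA1"))
    if not cfg["p2"]["pfs"]:
        findings.append(("p2.pfs", cfg["p2"]["pfs"], 2))
    return findings


# Matches "... replace it: SRC[port] DST[port] proto=P dir=D".
POLICY_RE = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(\S+)\[\d+\] (\S+)\[\d+\] proto=(\S+) dir=(in|out)")

# Constructed copy of the four racoon lines quoted in the first post.
RACOON_LOG = [
    "racoon: ERROR: such policy already exists. anyway replace it: 10.224.86.0/24[0] 10.224.86.1/32[0] proto=any dir=in",
    "racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 10.224.86.0/24[0] proto=any dir=in",
    "racoon: ERROR: such policy already exists. anyway replace it: 10.224.86.1/32[0] 10.224.86.0/24[0] proto=any dir=out",
    "racoon: ERROR: such policy already exists. anyway replace it: 10.224.86.0/24[0] 192.168.0.0/24[0] proto=any dir=out",
]


def parse_policy_lines(lines):
    """Return (src, dst, proto, dir) for every 'policy already exists' line."""
    return [m.groups() for m in map(POLICY_RE.search, lines) if m]


def expected_policies(local, remote):
    """The inbound/outbound SPD pair one LAN-to-LAN tunnel installs."""
    return {(remote, local, "any", "in"), (local, remote, "any", "out")}


def classify_log(lines, local, remote):
    """Split logged policies into this tunnel's own pair and everything else."""
    seen = set(parse_policy_lines(lines))
    expected = expected_policies(local, remote)
    return {"tunnel": sorted(expected & seen), "other": sorted(seen - expected)}


if __name__ == "__main__":
    print("mirror problems:", check_mirror(HEADOFFICE, SUBOFFICE))
    print("proposal problems:", check_proposals(HEADOFFICE, SUBOFFICE))
    for f in hardening_findings(HEADOFFICE):
        print("change %s: %s -> %s" % f)
    print(classify_log(RACOON_LOG, SUBOFFICE["lan"], SUBOFFICE["remote_subnet"]))
```

Run on the posted settings, both consistency checks come back empty, which agrees with the original poster's reading that the two sides match; the hardening list reproduces ChainSaw's five changes (main mode, AES in phase 1, Rijndael only and SHA1 in phase 2, PFS group 2). The log classification shows that two of the four messages are the expected LAN-to-LAN pair and the other two are a separate pair between the LAN and the box's own address 10.224.86.1/32; the message text itself only says that racoon replaced an SPD entry that was already present.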