Topic: m0n0wall to PIX IPSEC VPN Problem
« on: February 26, 2009, 17:23:22 »
mjs *
Posts: 4

I'm trying to get an m0n0wall to establish IPsec 3DES VPN tunnels to 3 PIX firewalls.

I can get them to come up and pass traffic, but after a while they go down, sometimes after 15 to 30 minutes, sometimes hours later. The only way to get them to come back up is to clear the tunnels on either the m0n0 or the PIX.

I thought that maybe with 3 concurrent connections I might be overtaxing the m0n0wall, but this happens even with only one tunnel up.

On the PIX, a "sh crypto isa sa" shows the tunnel state to be 'MM_NO_STATE'.

Does anyone know what may be causing this?

PIX config:
access-list 90 permit ip 172.16.8.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list nonat permit ip 172.16.8.0 255.255.255.0 172.16.4.0 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
crypto ipsec transform-set strong-des esp-3des esp-md5-hmac
crypto dynamic-map dynmap 20 set transform-set strong-des
crypto map statmap 10 ipsec-isakmp
crypto map statmap 10 match address 90
crypto map statmap 10 set peer x.x.x.x
crypto map statmap 10 set transform-set strong-des
crypto map statmap 20 ipsec-isakmp dynamic dynmap
crypto map statmap interface outside
isakmp enable outside
isakmp key ******** address x.x.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

m0n0wall config:
Phase 1
Negotiation: aggressive
Identifier: my IP address
Enc Alg: 3DES
Hash Alg: MD5
DH key group: 2
Lifetime: 86400
Authentication: PSK

Phase 2
Protocol: ESP
Enc Alg: 3DES only
Hash Alg: MD5
PFS key group: 2
Lifetime: 86400
« Reply #1 on: February 26, 2009, 18:01:50 »
mjs *
Posts: 4

The tunnel appears to be constantly re-establishing itself. Also, under IPsec diags on the m0n0, there are multiple SAs for the same tunnel; should there not be just one?

Here is a snippet from the logs:

Feb 26 10:58:39 172.16.4.1 racoon: ERROR: failed to get sainfo.
Feb 26 10:58:39 172.16.4.1 racoon: ERROR: failed to get sainfo.
Feb 26 10:58:39 172.16.4.1 racoon: ERROR: failed to pre-process packet.
Feb 26 10:58:39 172.16.4.1 racoon: INFO: respond new phase 2 negotiation: xxxxx[0]<=>xxxx[0]
Feb 26 10:58:39 172.16.4.1 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Feb 26 10:58:39 172.16.4.1 racoon: WARNING: attribute has been modified.
Feb 26 10:58:39 172.16.4.1 racoon: INFO: IPsec-SA established: ESP/Tunnel xxxx[0]->xxxx[0] spi=86206644(0x52368b4)
Feb 26 10:58:39 172.16.4.1 racoon: INFO: purging ISAKMP-SA spi=f416664dbbd18840:d356447a50809494.
Feb 26 10:58:39 172.16.4.1 racoon: INFO: keeping IPsec-SA spi=1413705062 - found valid ISAKMP-SA spi=f416664d3dd2d429:7b65ec0a74495ba6.
Feb 26 10:58:39 172.16.4.1 racoon: INFO: keeping IPsec-SA spi=86206644 - found valid ISAKMP-SA spi=f416664d3dd2d429:7b65ec0a74495ba6.
Feb 26 10:58:39 172.16.4.1 racoon: INFO: purged ISAKMP-SA spi=f416664dbbd18840:d356447a50809494.
Powered by SMF 1.1.20 | SMF © 2013, Simple Machines