I am now using 1.3b18 for both m0n0s.
One side of the m0n0 is behind a Debian firewall.
I just keep failing in linking up the 2 m0n0s.
Site 1: Outside IP: ***.92.99.3/24
Outside Gateway: ***.92.99.1
Inside IP: 192.168.1.0/24
Site 2: Outside IP: 218.188.2.19/(unknown subnet)
Outside Gateway: unknown (is it necessary?)
IP between m0n0/debian: 10.128.70.15/21
Outside Gateway: 10.128.64.2
Inside IP: 192.168.2.0/24
Site1
Interface : WAN
NAT-T: Enable NAT Traversal (NAT-T)
DPD interval: 60s
Local Subnet : Type : LAN Subnet
Remote Subnet :192.168.2.0/24
Remote Gateway : 218.188.2.19
Description : VPN FW 2
Phase1 proposal
Negotiation mode : aggressive
My identifier : My IP address
Encryption algorithm :3DES
Hash algorithm : SHA1
DH key group : 2
Lifetime : 28800
Authentication method : Pre-shared key
Pre-Shared Key : password
Phase 2 proposal (SA/Key Exchange)
Protocol : ESP
Encryption algorithms :
3DES
Blowfish
CAST128
Rijndael (AES)
Hash algorithms :
SHA1
MD5
PFS key group : 2
Lifetime : 28800
===============================
Site2
Interface : WAN
NAT-T: Enable NAT Traversal (NAT-T)
DPD interval: 60s
Local Subnet : Type : LAN Subnet
Remote Subnet : 192.168.1.0/24
Remote Gateway : ***.92.99.3
Description : VPN FW 1
Phase1 proposal
Negotiation mode : aggressive
My identifier : My IP address
Encryption algorithm :3DES
Hash algorithm : SHA1
DH key group : 2
Lifetime : 28800
Authentication method : Pre-shared key
Pre-Shared Key : password
Phase 2 proposal (SA/Key Exchange)
Protocol : ESP
Encryption algorithms :
3DES
Blowfish
CAST128
Rijndael (AES)
Hash algorithms :
SHA1
MD5
PFS key group : 2
Lifetime : 28800
==========================
Site1
Diagnostics: IPsec
* SAD
No IPsec security associations.
* SPD
Source          Destination     Direction  Protocol  Tunnel endpoints
192.168.2.0/24  192.168.1.0/24             ESP       218.188.2.19 - ***.92.99.3
192.168.1.0/24  192.168.2.0/24             ESP       ***.92.99.3 - 218.188.2.19

Site2
Diagnostics: IPsec
* SAD
No IPsec security associations.
* SPD
Source          Destination     Direction  Protocol  Tunnel endpoints
192.168.1.0/24  192.168.2.0/24             ESP       ***.92.99.3 - 10.128.70.15
192.168.2.0/24  192.168.1.0/24             ESP       10.128.70.15 - ***.92.99.3
(Anything wrong with the coloured IP?)
================================================
ERROR LOGS
Site1
Sep 3 16:43:39 racoon: ERROR: phase1 negotiation failed due to time up. f3b28eabc6a275cb:0000000000000000
Sep 3 16:43:20 racoon: INFO: delete phase 2 handler.
Sep 3 16:43:20 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 218.188.2.19[0]->***.92.99.3[0]
Sep 3 16:42:49 racoon: INFO: begin Aggressive mode.
Sep 3 16:42:49 racoon: INFO: initiate new phase 1 negotiation: ***.92.99.3[500]<=>218.188.2.19[500]
Sep 3 16:42:49 racoon: INFO: IPsec-SA request for 218.188.2.19 queued due to no phase1 found.
Sep 3 16:40:49 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
Sep 3 16:40:49 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
Sep 3 16:40:49 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Sep 3 16:40:48 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
Sep 3 16:40:48 racoon: INFO: ***.92.99.3[4500] used for NAT-T
Sep 3 16:40:48 racoon: INFO: ***.92.99.3[4500] used as isakmp port (fd=13)
Sep 3 16:40:48 racoon: INFO: ***.92.99.3[500] used for NAT-T
Sep 3 16:40:48 racoon: INFO: ***.92.99.3[500] used as isakmp port (fd=12)
Sep 3 16:40:48 racoon: INFO: 192.168.1.1[4500] used for NAT-T
Sep 3 16:40:48 racoon: INFO: 192.168.1.1[4500] used as isakmp port (fd=11)
Sep 3 16:40:48 racoon: INFO: 192.168.1.1[500] used for NAT-T
Sep 3 16:40:48 racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=10)
Sep 3 16:40:48 racoon: INFO: 127.0.0.1[4500] used for NAT-T
Sep 3 16:40:48 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=9)
Sep 3 16:40:48 racoon: INFO: 127.0.0.1[500] used for NAT-T
Sep 3 16:40:48 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Sep 3 16:40:48 racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Sep 3 16:40:48 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Sep 3 16:40:48 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Sep 3 16:40:48 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Sep 3 16:40:47 racoon: INFO: racoon shutdown
Sep 3 16:40:46 racoon: INFO: caught signal 15
----------------------------------------
Site2
Sep 3 16:43:55 racoon: ERROR: phase1 negotiation failed due to time up. 85a92cd4c2249058:0000000000000000
Sep 3 16:43:36 racoon: INFO: delete phase 2 handler.
Sep 3 16:43:36 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ***.92.99.3[0]->10.128.70.15[0]
Sep 3 16:43:04 racoon: INFO: begin Aggressive mode.
Sep 3 16:43:04 racoon: INFO: initiate new phase 1 negotiation: 10.128.70.15[500]<=>***.92.99.3[500]
Sep 3 16:43:04 racoon: INFO: IPsec-SA request for ***.92.99.3 queued due to no phase1 found.
Sep 3 16:40:04 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=out
Sep 3 16:40:04 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.1/32[0] 192.168.2.0/24[0] proto=any dir=out
Sep 3 16:40:04 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Sep 3 16:40:04 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.1/32[0] proto=any dir=in
Sep 3 16:40:04 racoon: INFO: 10.128.70.15[4500] used for NAT-T
Sep 3 16:40:04 racoon: INFO: 10.128.70.15[4500] used as isakmp port (fd=13)
Sep 3 16:40:04 racoon: INFO: 10.128.70.15[500] used for NAT-T
Sep 3 16:40:04 racoon: INFO: 10.128.70.15[500] used as isakmp port (fd=12)
Sep 3 16:40:04 racoon: INFO: 192.168.2.1[4500] used for NAT-T
Sep 3 16:40:04 racoon: INFO: 192.168.2.1[4500] used as isakmp port (fd=11)
Sep 3 16:40:04 racoon: INFO: 192.168.2.1[500] used for NAT-T
Sep 3 16:40:04 racoon: INFO: 192.168.2.1[500] used as isakmp port (fd=10)
Sep 3 16:40:04 racoon: INFO: 127.0.0.1[4500] used for NAT-T
Sep 3 16:40:04 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=9)
Sep 3 16:40:04 racoon: INFO: 127.0.0.1[500] used for NAT-T
Sep 3 16:40:04 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Sep 3 16:40:04 racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Sep 3 16:40:04 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Sep 3 16:40:04 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Sep 3 16:40:04 racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Sep 3 00:40:03 racoon: INFO: racoon shutdown
Sep 3 00:40:02 racoon: INFO: caught signal 15
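The SPD tables and racoon logs in the post show Site 1 dialling 218.188.2.19 while Site 2's own IKE endpoint is 10.128.70.15 (a private address behind the Debian firewall), and both sides timing out in phase 1. The Python script below is an added example, not part of the original post or of m0n0wall: it parses racoon log lines of the form pasted above and reports, per site, the phase 1 timeouts, any RFC 1918 local endpoint (which is also the identifier sent when "My identifier" is "My IP address"), and whether the address one site dials is one the other site actually listens on. The sample lines are constructed from the post with the masked ***.92.99.3 address replaced by the documentation address 198.51.100.3; the function names and the expected-peer values passed to diagnose() are my own assumptions.

```python
import ipaddress
import re

# Constructed sample lines modelled on the racoon output pasted in the post.
# The poster masked the Site 1 public address as ***.92.99.3; it is replaced
# here by 198.51.100.3 (documentation range) so the addresses parse.
SITE1_LOG = """\
Sep 3 16:43:39 racoon: ERROR: phase1 negotiation failed due to time up. f3b28eabc6a275cb:0000000000000000
Sep 3 16:43:20 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 218.188.2.19[0]->198.51.100.3[0]
Sep 3 16:42:49 racoon: INFO: begin Aggressive mode.
Sep 3 16:42:49 racoon: INFO: initiate new phase 1 negotiation: 198.51.100.3[500]<=>218.188.2.19[500]
Sep 3 16:40:48 racoon: INFO: 198.51.100.3[4500] used for NAT-T
Sep 3 16:40:48 racoon: INFO: 192.168.1.1[4500] used for NAT-T
"""

SITE2_LOG = """\
Sep 3 16:43:55 racoon: ERROR: phase1 negotiation failed due to time up. 85a92cd4c2249058:0000000000000000
Sep 3 16:43:36 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.3[0]->10.128.70.15[0]
Sep 3 16:43:04 racoon: INFO: begin Aggressive mode.
Sep 3 16:43:04 racoon: INFO: initiate new phase 1 negotiation: 10.128.70.15[500]<=>198.51.100.3[500]
Sep 3 16:40:04 racoon: INFO: 10.128.70.15[4500] used for NAT-T
Sep 3 16:40:04 racoon: INFO: 192.168.2.1[4500] used for NAT-T
"""

# Message shapes taken from the racoon lines in the post.
PHASE1_INIT = re.compile(r"initiate new phase 1 negotiation: ([\d.]+)\[(\d+)\]<=>([\d.]+)\[(\d+)\]")
PHASE1_FAIL = re.compile(r"phase1 negotiation failed due to time up")
NATT_PORT = re.compile(r"([\d.]+)\[4500\] used for NAT-T")

# RFC 1918 ranges checked explicitly (ipaddress.is_private also counts
# documentation ranges, which would misclassify the placeholder address).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_racoon_log(text):
    """Summarise one site's racoon log: phase 1 attempts, timeouts, NAT-T listeners."""
    summary = {"attempts": [], "phase1_timeouts": 0, "natt_listeners": set()}
    for line in text.splitlines():
        m = PHASE1_INIT.search(line)
        if m:
            summary["attempts"].append({"local": m.group(1), "remote": m.group(3)})
            continue
        if PHASE1_FAIL.search(line):
            summary["phase1_timeouts"] += 1
            continue
        m = NATT_PORT.search(line)
        if m:
            summary["natt_listeners"].add(m.group(1))
    return summary


def diagnose(summary, expected_peer):
    """Return (code, message) findings for one site; expected_peer is the configured remote gateway."""
    findings = []
    if summary["phase1_timeouts"]:
        findings.append(("phase1_timeout",
                         f"{summary['phase1_timeouts']} phase 1 attempt(s) timed out: no usable IKE "
                         f"reply arrived from the peer on UDP 500/4500"))
    for att in summary["attempts"]:
        if att["remote"] != expected_peer:
            findings.append(("peer_mismatch",
                             f"dialled {att['remote']} but the configured remote gateway is {expected_peer}"))
        if is_rfc1918(att["local"]):
            findings.append(("local_endpoint_private",
                             f"local IKE endpoint {att['local']} is an RFC 1918 address, so this box sits behind "
                             f"NAT; with 'My identifier: My IP address' the ID sent in aggressive mode is "
                             f"{att['local']}, so the peer must expect that identifier, not the public NAT address"))
    return findings


def cross_check(dialler, listener):
    """Flag addresses the dialling site uses that the other site never binds for IKE/NAT-T."""
    problems = []
    for att in dialler["attempts"]:
        if att["remote"] not in listener["natt_listeners"]:
            problems.append(f"{att['local']} dials {att['remote']}, but the other site only listens on "
                            f"{sorted(listener['natt_listeners'])}: something in between must translate it")
    return problems


if __name__ == "__main__":
    site1, site2 = parse_racoon_log(SITE1_LOG), parse_racoon_log(SITE2_LOG)
    for name, summary, peer in (("Site1", site1, "218.188.2.19"), ("Site2", site2, "198.51.100.3")):
        for code, msg in diagnose(summary, peer):
            print(f"{name}: [{code}] {msg}")
    for msg in cross_check(site1, site2) + cross_check(site2, site1):
        print(f"cross-check: {msg}")
```

Run against the two excerpts, Site 1 reports only the phase 1 timeout, while Site 2 reports the timeout plus a private local endpoint, and the cross-check shows Site 1's dialled address 218.188.2.19 is not one Site 2 binds, which is exactly the "coloured IP" question in the SPD table.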