Topic: m0n0=>m0n0 IPSec behind NAT  (Read 2421 times)
« on: September 03, 2009, 10:44:25 »
nobita *
Posts: 1

I am now using 1.3b18 for both m0n0s.
One side of the m0n0 is behind a Debian firewall.
I just keep failing to link up the 2 m0n0s.

Site 1:  Outside IP: ***.92.99.3/24
         Outside Gateway: ***.92.99.1
         Inside IP: 192.168.1.0/24

Site 2:  Outside IP: 218.188.2.19/(unknown subnet)
         Outside Gateway: unknown (is it necessary?)
         IP between m0n0/debian: 10.128.70.15/21
         Outside Gateway: 10.128.64.2
         Inside IP: 192.168.2.0/24

Site1
Interface : WAN
NAT-T: Enable NAT Traversal (NAT-T)
DPD interval: 60s
Local Subnet : Type : LAN Subnet
Remote Subnet :192.168.2.0/24
Remote Gateway : 218.188.2.19
Description : VPN FW 2

Phase1 proposal
Negotiation mode : aggressive
My identifier : My IP address
Encryption algorithm :3DES
Hash algorithm : SHA1
DH key group : 2
Lifetime : 28800
Authentication method : Pre-shared key
Pre-Shared Key : password
Phase 2 proposal (SA/Key Exchange)
Protocol : ESP

Encryption algorithms :
3DES
Blowfish
CAST128
Rijndael (AES)

Hash algorithms :
SHA1
MD5

PFS key group : 2
Lifetime : 28800

===============================

Site2
Interface : WAN
NAT-T: Enable NAT Traversal (NAT-T)
DPD interval: 60s
Local Subnet : Type : LAN Subnet
Remote Subnet : 192.168.1.0/24
Remote Gateway : ***.92.99.3
Description : VPN FW 1
Phase1 proposal
Negotiation mode : aggressive
My identifier : My IP address
Encryption algorithm :3DES
Hash algorithm : SHA1
DH key group : 2
Lifetime : 28800
Authentication method : Pre-shared key
Pre-Shared Key : password

Phase 2 proposal (SA/Key Exchange)
Protocol : ESP

Encryption algorithms :
3DES
Blowfish
CAST128
Rijndael (AES)

Hash algorithms :
SHA1
MD5

PFS key group : 2
Lifetime : 28800

==========================

Site1
Diagnostics: IPsec

    * SAD
No IPsec security associations.

    * SPD
Source    Destination    Direction    Protocol    Tunnel endpoints    
192.168.2.0/24    192.168.1.0/24       ESP    218.188.2.19 -***.92.99.3
192.168.1.0/24    192.168.2.0/24       ESP    ***.92.99.3 -218.188.2.19

Site2
Diagnostics: IPsec

    * SAD
No IPsec security associations.

    * SPD
Source    Destination    Direction    Protocol    Tunnel endpoints    
192.168.1.0/24    192.168.2.0/24       ESP    ***.92.99.3 -10.128.70.15
192.168.2.0/24    192.168.1.0/24       ESP    10.128.70.15 -***.92.99.3

(Anything wrong with the coloured IP?)

================================================
ERROR LOGs

Site1
Sep 3 16:43:39    racoon: ERROR: phase1 negotiation failed due to time up. f3b28eabc6a275cb:0000000000000000
Sep 3 16:43:20    racoon: INFO: delete phase 2 handler.
Sep 3 16:43:20    racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 218.188.2.19[0]->***.92.99.3[0]
Sep 3 16:42:49    racoon: INFO: begin Aggressive mode.
Sep 3 16:42:49    racoon: INFO: initiate new phase 1 negotiation: ***.92.99.3[500]<=>218.188.2.19[500]
Sep 3 16:42:49    racoon: INFO: IPsec-SA request for 218.188.2.19 queued due to no phase1 found.
Sep 3 16:40:49    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
Sep 3 16:40:49    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
Sep 3 16:40:49    racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Sep 3 16:40:48    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
Sep 3 16:40:48    racoon: INFO: ***.92.99.3[4500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: ***.92.99.3[4500] used as isakmp port (fd=13)
Sep 3 16:40:48    racoon: INFO: ***.92.99.3[500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: ***.92.99.3[500] used as isakmp port (fd=12)
Sep 3 16:40:48    racoon: INFO: 192.168.1.1[4500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: 192.168.1.1[4500] used as isakmp port (fd=11)
Sep 3 16:40:48    racoon: INFO: 192.168.1.1[500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=10)
Sep 3 16:40:48    racoon: INFO: 127.0.0.1[4500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=9)
Sep 3 16:40:48    racoon: INFO: 127.0.0.1[500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Sep 3 16:40:48    racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Sep 3 16:40:48    racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Sep 3 16:40:48    racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Sep 3 16:40:48    racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Sep 3 16:40:47    racoon: INFO: racoon shutdown
Sep 3 16:40:46    racoon: INFO: caught signal 15

----------------------------------------
Site2
Sep 3 16:43:55    racoon: ERROR: phase1 negotiation failed due to time up. 85a92cd4c2249058:0000000000000000
Sep 3 16:43:36    racoon: INFO: delete phase 2 handler.
Sep 3 16:43:36    racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP ***.92.99.3[0]->10.128.70.15[0]
Sep 3 16:43:04    racoon: INFO: begin Aggressive mode.
Sep 3 16:43:04    racoon: INFO: initiate new phase 1 negotiation: 10.128.70.15[500]<=>***.92.99.3[500]
Sep 3 16:43:04    racoon: INFO: IPsec-SA request for ***.92.99.3 queued due to no phase1 found.
Sep 3 16:40:04    racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=out
Sep 3 16:40:04    racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.1/32[0] 192.168.2.0/24[0] proto=any dir=out
Sep 3 16:40:04    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Sep 3 16:40:04    racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.1/32[0] proto=any dir=in
Sep 3 16:40:04    racoon: INFO: 10.128.70.15[4500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 10.128.70.15[4500] used as isakmp port (fd=13)
Sep 3 16:40:04    racoon: INFO: 10.128.70.15[500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 10.128.70.15[500] used as isakmp port (fd=12)
Sep 3 16:40:04    racoon: INFO: 192.168.2.1[4500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 192.168.2.1[4500] used as isakmp port (fd=11)
Sep 3 16:40:04    racoon: INFO: 192.168.2.1[500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 192.168.2.1[500] used as isakmp port (fd=10)
Sep 3 16:40:04    racoon: INFO: 127.0.0.1[4500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=9)
Sep 3 16:40:04    racoon: INFO: 127.0.0.1[500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Sep 3 16:40:04    racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Sep 3 16:40:04    racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Sep 3 16:40:04    racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Sep 3 16:40:04    racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Sep 3 00:40:03    racoon: INFO: racoon shutdown
Sep 3 00:40:02    racoon: INFO: caught signal 15
« Last Edit: September 03, 2009, 11:13:08 by nobita »
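A small log triage script, added here and not part of the original thread, that reads racoon lines in the format shown above, measures how long phase 1 ran before it timed out, and flags when the address racoon bound locally (the one that shows up as the SPD tunnel endpoint) differs from the address the far side was given as Remote Gateway. The log lines are constructed from the Site 2 output, with 203.0.113.3 standing in for the masked ***.92.99.3 address.

```python
import re
from datetime import datetime

# Constructed sample in the shape of m0n0wall's racoon log (newest line first);
# only the lines the analysis needs. 203.0.113.3 stands in for the masked peer.
SITE2_LOG = """\
Sep 3 16:43:55    racoon: ERROR: phase1 negotiation failed due to time up. 85a92cd4c2249058:0000000000000000
Sep 3 16:43:36    racoon: INFO: delete phase 2 handler.
Sep 3 16:43:36    racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.3[0]->10.128.70.15[0]
Sep 3 16:43:04    racoon: INFO: begin Aggressive mode.
Sep 3 16:43:04    racoon: INFO: initiate new phase 1 negotiation: 10.128.70.15[500]<=>203.0.113.3[500]
Sep 3 16:40:04    racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+racoon: (?P<lvl>\w+): (?P<msg>.*)$")
INIT_RE = re.compile(r"initiate new phase 1 negotiation: (?P<local>[\d.]+)\[\d+\]<=>(?P<remote>[\d.]+)\[\d+\]")


def parse_racoon(log):
    """Return (timestamp, level, message) tuples in chronological order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog stamps carry no year; strptime defaults to 1900, which is fine for deltas
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["lvl"], m["msg"]))
    events.sort(key=lambda e: e[0])
    return events


def analyze_phase1(log, peer_expects):
    """Summarise the phase 1 attempt; peer_expects is the address the far side
    has configured as 'Remote Gateway' for this box."""
    events = parse_racoon(log)
    result = {"local": None, "remote": None, "failed": False,
              "seconds_to_fail": None, "nat_t": False, "identity_mismatch": False}
    started = None
    for ts, lvl, msg in events:
        if "NAT-T is enabled" in msg:
            result["nat_t"] = True
        m = INIT_RE.search(msg)
        if m:
            started = ts
            result["local"], result["remote"] = m["local"], m["remote"]
        elif "phase1 negotiation failed" in msg and started is not None:
            result["failed"] = True
            result["seconds_to_fail"] = int((ts - started).total_seconds())
    # With "My identifier: My IP address", racoon identifies itself by the address it
    # bound; behind NAT that is the private address, which may not be the identity
    # the peer expects for the pre-shared key lookup. Flag it for the admin to check.
    result["identity_mismatch"] = bool(result["local"]) and result["local"] != peer_expects
    return result
```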