Greetings, I have a problem, that I can't connect to M0n0wall using Shrew. :-( M0n0wall allways logs "racoon: ERROR: phase1 negotiation failed due to time up."
First of all I have to say, that my knowledge about vpn's is still a bit weak.
Setup of my network:
===============
My home network is pretty simple. Just two computers and a printer connected to a Fritz!Box Fon WLAN 7270 (firmware up to date). The WAN port of my m0n0wall is in the same network (I'll explain that later). The LAN port of the m0n0wall isn't used at all. Default gateway and DNS server of the m0n0wall are my Fritz!Box (firmware check works, so everything should be fine here).
What I want to do:
==============
I want to connect to the m0n0wall through the Fritz!Box using Shrew. The reason is that I not only want to have access to my network from outside, but I also want to access the internet through the VPN tunnel (I don't want everyone in my company to see what I'm doing on the internet. And no, it's not for illegal things or porn.). I know the Fritz!Box has VPN support, but I can only access the LAN, not the internet. What I want to do:
* resolve the external IP of my Fritz!Box by using DynDNS
* add an appropriate entry to c:\windows\system32\drivers\etc\hosts
* set one single route to this external IP via the default gateway of my current location and build up the tunnel
* set DNS and default gateway of my current computer to the internal IP address of my Fritz!Box
So this way the whole internet traffic should be routed through the VPN tunnel. That's how it always worked using OpenVPN.
VPN/IPsec-Setup:
========
* created certificates using xca and set up m0n0wall and Shrew with the help of several tutorials.
* forwarded UDP 500/4500 and ESP from my Fritz!Box to m0n0wall.
* opened the ports/protocols from above for the WAN port of my m0n0wall
M0n0wall-Setup:
---------------------
"Allow Mobile Clients" checked
"Enable NAT Traversal (NAT-T)" checked
DPD interval 60 sec
Phase 1
Negotiation Mode: aggressive
My identifier: my IP address
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 2
Lifetime: [empty]
Authentication Method: RSA signature
Phase 2
Protocol: ESP
Encryption algorithms: 3DES, Blowfish, CAST128, Rijndael (AES)
Hash algorithm: SHA1
PFS key group: 2
Lifetime: [empty]
Shrew-Setup:
-----------------
Host: DynDNS address of my Fritz!Box, Port 500
Auto config: ike config pull
Local Host address method: use virtual adapter (and set up an IP address of the unused LAN of the m0n0wall)
MTU 1492
-----------------
Client
NAT-T enabled
Client NAT-T Port 4500
Client keep-alive packet rate 15
IKE Fragmentation disabled
Enable DPD and ISAKMP Failure Notifications both enabled
Client Login Banner disabled
-----------------
Under Name Resolution WINS and DNS disabled
-----------------
Authentication: Mutual RSA
Local Identity: ASN.1 Distinguished Name
ASN.1 DN String: "Use the subject in the client certificate" checked
Remote Identity: Any
Credentials: well, I chose the necessary files, Server CA, client cert and client private key
-----------------
Phase 1
Exchange type: aggressive
DH Exchange: group2
Cipher algorithm: 3DES
Cipher key length: [empty]
Hash Algorithm: sha1
Key Life Time limit: 54600 sec
Key Life Data limit: 0 KB
Check Point compatible vendor ID enabled
-----------------
Phase 2
Transform Algorithm: esp-3des
Transform Key Length: [empty]
HMAC Algorithm: sha1
PFS Exchange: group2
Compress algorithm: disabled
Key Life Time limit: 28800 sec
Key Life Data Limit: 0 KB
-----------------
Policy
Maintain persistent security associations disabled
Obtain Topology Automatically disabled
Remote Network Resource: 192.168.0.0/24 (LAN side of my m0n0wall, not my real LAN)
Failures:
======
* I can contact the WebGUI from the internet. So port forwarding in general should work.
* I can build up and establish the tunnel when the Shrew client is in the same network using the WAN IP of m0n0wall.
* I can build up and establish the tunnel when the Shrew client is in the same network using the external IP of the Fritz!Box (for testing port forwarding).
* BUT: When I try to build up the tunnel from outside to the external IP of my Fritz!Box, I always get these errors:
Shrew: "negotiation timout occurred"
Shrew-Trace:
10/08/10 12:34:41 DB : new phase1 ( ISAKMP initiator )
10/08/10 12:34:41 DB : exchange type is aggressive
10/08/10 12:34:41 DB : xxx.xxx.xxx.xxx:500 <-> xxx.xxx.xxx.xxx:500
10/08/10 12:34:41 DB : 2802b7a0d931ae66:0000000000000000
10/08/10 12:34:41 DB : phase1 added ( obj count = 1 )
10/08/10 12:34:41 >> : security association payload
10/08/10 12:34:41 >> : - proposal #1 payload
10/08/10 12:34:41 >> : -- transform #1 payload
10/08/10 12:34:41 >> : key exchange payload
10/08/10 12:34:41 >> : nonce payload
10/08/10 12:34:41 >> : cert request payload
10/08/10 12:34:41 >> : identification payload
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports nat-t ( draft v00 )
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports nat-t ( draft v01 )
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports nat-t ( draft v02 )
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports nat-t ( draft v03 )
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports nat-t ( rfc )
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports DPDv1
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local is SHREW SOFT compatible
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local is NETSCREEN compatible
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local is SIDEWINDER compatible
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local is CISCO UNITY compatible
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local is CHECKPOINT compatible
10/08/10 12:34:41 >= : cookies 2802b7a0d931ae66:0000000000000000
10/08/10 12:34:41 >= : message 00000000
10/08/10 12:34:41 -> : send IKE packet xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 ( 732 bytes )
10/08/10 12:34:41 DB : phase1 resend event scheduled ( ref count = 2 )
10/08/10 12:34:46 -> : resend 1 phase1 packet(s) xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500
10/08/10 12:34:51 -> : resend 1 phase1 packet(s) xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500
10/08/10 12:34:56 -> : resend 1 phase1 packet(s) xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500
10/08/10 12:35:01 ii : resend limit exceeded for phase1 exchange
10/08/10 12:35:01 ii : phase1 removal before expire time
10/08/10 12:35:01 DB : phase1 deleted ( obj count = 0 )
M0n0wall-Logs:
racoon: ERROR: phase1 negotiation failed due to time up.
last message repeated 2 times
racoon: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500] (1).
It's like m0n0wall can't answer these UDP 500 requests.
I tried:
* lowering the MTU setting (my ISP supports MTU 1492)
* changing the incoming ports 500 and 4500 on the Fritz!Box (e.g. incoming port UDP 61000 forwarded to m0n0wall port 500), and changed the ports in Shrew
* adding many forwardings I've read about on the internet (I guess most of them were for other protocols/authentication methods) like UDP/TCP 1723/1701, GRE, TCP 10000, ...
* even activating m0n0wall as an exposed host on my Fritz!Box, so all requests from outside will be directly forwarded to m0n0wall.
And here I am, with no clue what's still missing. :-(
Any help would be appreciated.
regards, Kor
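A small diagnostic added here as an illustration (it is not part of the post above and not code from Shrew Soft or m0n0wall). When phase 1 times out, the two logs quoted in the post answer two separate questions: the initiator's trace shows whether any IKE packet ever came back ("<-" lines, none in the post), and racoon's "the packet is retransmitted by ..." NOTIFY is only logged for a duplicate of a packet racoon already processed, which indicates the request did reach the responder. The script correlates both sides and prints which half of the path to look at. The log lines, addresses and cookie values are constructed to mirror the post's output; the "<- : recv IKE packet" wording for received packets is assumed from Shrew's trace format.

```python
"""Correlate an IKEv1 initiator trace (Shrew) with responder log lines (racoon).

Added diagnostic, not project code. Classifies a phase 1 timeout as either
"request never arrived" or "reply never came back" from the two log sources.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: initiator-side Shrew trace, one record per line.
# Addresses are RFC 5737 documentation ranges, not real hosts.
SHREW_TRACE = """\
10/08/10 12:34:41 DB : new phase1 ( ISAKMP initiator )
10/08/10 12:34:41 DB : exchange type is aggressive
10/08/10 12:34:41 -> : send IKE packet 198.51.100.7:500 -> 203.0.113.10:500 ( 732 bytes )
10/08/10 12:34:41 DB : phase1 resend event scheduled ( ref count = 2 )
10/08/10 12:34:46 -> : resend 1 phase1 packet(s) 198.51.100.7:500 -> 203.0.113.10:500
10/08/10 12:34:51 -> : resend 1 phase1 packet(s) 198.51.100.7:500 -> 203.0.113.10:500
10/08/10 12:34:56 -> : resend 1 phase1 packet(s) 198.51.100.7:500 -> 203.0.113.10:500
10/08/10 12:35:01 ii : resend limit exceeded for phase1 exchange
10/08/10 12:35:01 ii : phase1 removal before expire time
"""

# Constructed sample: responder-side syslog lines written by racoon.
RACOON_LOG = """\
racoon: ERROR: phase1 negotiation failed due to time up.
racoon: NOTIFY: the packet is retransmitted by 198.51.100.7[500] (1).
"""

# Initiator-side patterns. The "<-" receive wording is assumed from Shrew's format.
SEND_RE = re.compile(r"^\S+ \S+ -> : (?:send IKE packet|resend \d+ phase1 packet)")
RECV_RE = re.compile(r"^\S+ \S+ <- : recv IKE packet")
LIMIT_RE = re.compile(r"resend limit exceeded for phase1")
# Responder-side patterns, taken from the racoon messages quoted in the post.
RETRANS_RE = re.compile(r"the packet is retransmitted by (\S+)\[(\d+)\]")
TIMEUP_RE = re.compile(r"phase1 negotiation failed due to time up")


@dataclass
class Phase1Diagnosis:
    packets_sent: int = 0          # initial send plus every resend
    packets_received: int = 0      # any IKE packet that came back
    initiator_gave_up: bool = False
    responder_timed_out: bool = False
    retransmit_sources: list = field(default_factory=list)  # (ip, port) racoon saw duplicates from

    def verdict(self) -> str:
        if self.packets_received > 0:
            return "replies reach the initiator: phase 1 fails later (proposal/identity/auth), not reachability"
        if self.retransmit_sources:
            return ("responder received the request but its reply never reached the initiator: "
                    "check the return path (UDP 500/4500 replies through the NAT device, "
                    "responder default gateway, outbound rule on the responder)")
        if self.packets_sent > 0:
            return "no evidence the responder received anything: check inbound forwarding of UDP 500/4500"
        return "no phase 1 activity on either side"


def parse_shrew_trace(text: str, diag: Phase1Diagnosis) -> None:
    """Count sent/received IKE packets and note when the initiator gave up."""
    for line in text.splitlines():
        if SEND_RE.search(line):
            diag.packets_sent += 1
        elif RECV_RE.search(line):
            diag.packets_received += 1
        elif LIMIT_RE.search(line):
            diag.initiator_gave_up = True


def parse_racoon_log(text: str, diag: Phase1Diagnosis) -> None:
    """Record racoon's timeout and every peer it reported duplicate packets from."""
    for line in text.splitlines():
        m = RETRANS_RE.search(line)
        if m:
            diag.retransmit_sources.append((m.group(1), int(m.group(2))))
        elif TIMEUP_RE.search(line):
            diag.responder_timed_out = True


def diagnose(shrew_trace: str, racoon_log: str) -> Phase1Diagnosis:
    diag = Phase1Diagnosis()
    parse_shrew_trace(shrew_trace, diag)
    parse_racoon_log(racoon_log, diag)
    return diag


if __name__ == "__main__":
    d = diagnose(SHREW_TRACE, RACOON_LOG)
    print(f"sent={d.packets_sent} received={d.packets_received} "
          f"initiator_gave_up={d.initiator_gave_up} responder_timed_out={d.responder_timed_out}")
    print(f"responder saw duplicates from: {d.retransmit_sources}")
    print("verdict:", d.verdict())
```

Run against real output, feed the Shrew trace file and the m0n0wall IPsec log to diagnose(); the same rule of thumb applies when reading the logs by hand: a racoon "retransmitted by" line with no "<-" line on the client means the request got in and the reply got lost on the way back.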