VPN

Greetings,
I have a problem, that I can't connect to M0n0wall using Shrew. :-( M0n0wall allways logs "racoon: ERROR: phase1 negotiation failed due to time up."

First of all I have to say, that my knowledge about vpn's is still a bit weak.

Setup of my network:
===============
My home-network is pretty simple. Just two computers and a printer connected to a Fritz!Box Fon WLAN 7270 (firmware up to date). The WAN-port of my m0n0wall is in the same network (I'll explain that later). The LAN-port of the m0n0wall isn't used at all. Default gateway and DNS server of the m0n0wall is my Fritz!Box (firmware-check works, so everything should be fine here).

What I want to do:
==============
I want to connect to the m0n0wall through the Fritz!Box using Shrew. The reason is, that I not only want to have access to my network from outside, but I also want to access the internet through the vpn-tunnel (I don't want everyone in my comapany to see, what I'm doing in the internet. And no, it's not for illegal things or porn.). I know Fritz!Box has VPN-support, but I only can access the LAN, not the internet.
What I want to do:
* resolve the external IP of my Fritz!Box by using Dyndns
* adding an appropriate entry to c:\windows\system32\drivers\etc\hosts
* setting one single route to this external IP via the default gateway of my current location and build up the tunnel
* setting DNS and default gateway of my current computer to the internal IP-adress of my Fritz!Box. So this way the whole internet traffic should be routed through the vpn-tunnel. That's how it always worked using Openvpn.

VPN/IPsec-Setup:
========
* created certificates using xca and set up m0n0wall and shrew with the help of several tutorials.
* forwarded UPD500/4500 and ESP from my Fritz!Box to m0n0wall.
* opened ports/protocolls from above for the WAN-port of my m0n0wall

M0n0wall-Setup:
---------------------
"Allow Mobile Clients" checked
"Enable NAT Traversal (NAT-T)" checked
DPD interval 60 sec
Phase1
Negotiation Mode: aggressive
My identifier: my ip address
Encryption algorithm: 3DES
hash algorithm: SHA1
DH key group: 2
Lifetime: [empty]
Authentication Method: RSA signature
Phase 2
Protocol: ESP
Encryption algorithms: 3DES, Blowfish, CAST128, Rijndael(AES)
Hash algorithm: SHA1
PFS key group: 2
Lifetime: [empty]

Shrew-Setup:
-----------------
Host: DynDns-address of my Fritz!Box, Port 500
Auto config: ike config pull
Local Host adress method: use virtual adapter (and set up an ip address of the unused LAN of the m0n0wall
MTU 1492
-----------------
Client NAT-T enabled
Client NATT Port 4500
Client keep-alive Packet rate 15
IKE Fragmentation disabled
Enable DPD and ISAKMP Failure Notifications both enabled
Client Login Banner disabled
-----------------
Under Name Resolution WINS and DNS disabled
-----------------
Authentication: Mutual RSA
Local Identity: ASN.1 Distinguished Name
ANS.1 DN String: "Use the subject in the client certificate" checked
Remote Identity: Any
Credentials: well, I chose the neccesary files, Server CA, client cert and client private key
-----------------
Phase1
Exchange type: aggressive
DH Exchange: group2
Cipher algorithm: 3DES
Cipher key length: [empty]
Hash Algorithm: sha1
Key Life Time limit: 54600sec
Key Life Date limit: 0 KB
check point compatible vendor ID enabled
-----------------
Phase2
Transform Algorithm: esp-3des
Transform Key Length: [empty]
HMAC Algorithm: sha1
PFS Exchange: group2
Compress algorithm: disabled
Key Life Time limit: 28800sec
Key Life Data Limit: 0KB
-----------------
Policy
Maintain persistent security associations disabled
Obtain Topology Automatically disabled
Remote Network Resource: 192.168.0.0/24 (LAN-side of my m0n0wall, not my real LAN)


Failures:
======
* I can contact the WebGUI from the internet. So portforwarding in general should work.
* I can build up and establish the tunnel, when the shrew client is in the same network using the WAN-IP of M0n0wall.
* I can build up and establish the tunnel, when the shrew client is in the same network using the external IP of Fritz!Box. (For testing port forwarding).

*BUT: When I try to build up the tunnel from outside the the external IP of my Fritz!Box, I always get these Errors:

Shrew: "negotiation timout occurred"
Shrew-Trace:
10/08/10 12:34:41 DB : new phase1 ( ISAKMP initiator )
10/08/10 12:34:41 DB : exchange type is aggressive
10/08/10 12:34:41 DB : xxx.xxx.xxx.xxx:500 <-> xxx.xxx.xxx.xxx:500
10/08/10 12:34:41 DB : 2802b7a0d931ae66:0000000000000000
10/08/10 12:34:41 DB : phase1 added ( obj count = 1 )
10/08/10 12:34:41 >> : security association payload
10/08/10 12:34:41 >> : - proposal #1 payload
10/08/10 12:34:41 >> : -- transform #1 payload
10/08/10 12:34:41 >> : key exchange payload
10/08/10 12:34:41 >> : nonce payload
10/08/10 12:34:41 >> : cert request payload
10/08/10 12:34:41 >> : identification payload
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports nat-t ( draft v00 )
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports nat-t ( draft v01 )
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports nat-t ( draft v02 )
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports nat-t ( draft v03 )
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports nat-t ( rfc )
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local supports DPDv1
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local is SHREW SOFT compatible
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local is NETSCREEN compatible
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local is SIDEWINDER compatible
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local is CISCO UNITY compatible
10/08/10 12:34:41 >> : vendor id payload
10/08/10 12:34:41 ii : local is CHECKPOINT compatible
10/08/10 12:34:41 >= : cookies 2802b7a0d931ae66:0000000000000000
10/08/10 12:34:41 >= : message 00000000
10/08/10 12:34:41 -> : send IKE packet xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500 ( 732 bytes )
10/08/10 12:34:41 DB : phase1 resend event scheduled ( ref count = 2 )
10/08/10 12:34:46 -> : resend 1 phase1 packet(s) xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500
10/08/10 12:34:51 -> : resend 1 phase1 packet(s) xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500
10/08/10 12:34:56 -> : resend 1 phase1 packet(s) xxx.xxx.xxx.xxx:500 -> xxx.xxx.xxx.xxx:500
10/08/10 12:35:01 ii : resend limit exceeded for phase1 exchange
10/08/10 12:35:01 ii : phase1 removal before expire time
10/08/10 12:35:01 DB : phase1 deleted ( obj count = 0 )

M0n0wall-Logs:
racoon: ERROR: phase1 negotiation failed due to time up.
last message repeated 2 times
racoon: NOTIFY: the packet is retransmitted by xxx.xxx.xxx.xxx[500] (1).

It's like m0n0wall can't answer these UDP-500-requests.

I tried:
* lowering the MTU-setting (my ISP supports MTU 1492)
* changing the incoming Ports 500 and 4500 on the Fritz!Box (e.g. incoming port UDP 61000 forwarded to m0n0wall port 500), and changed the ports on shrew
* added many forwardings I've read about on the internet (i guess, most of them where for other protocols, authentication methods) like UDP/TCP 1723/1701, GRE, TCP 10000, ...
* even activated m0n0wall as an exposed host on my Fritz!Box, so all requests from outside will be directly forwarded to m0n0wall.

And here I am, with no clue whats still missing. :-(

Any help would be appreciated.

regards,
Kor

Hi @ all,

a colleague finally gave my the hint to check the packet size since M0n0wall sent fragmented packages.

Well after activating packet fragmentation on M0n0wall (System --> Advanced --> IPSec fragmented packets enabled) as well as on Shrew (Modify --> Client --> IKE fragmentation enabled) it finally works like a charm. =))