Topic: problems ipsec connection  (Read 6210 times)
« on: May 15, 2007, 08:42:20 »
homegrown *
Posts: 6

Hi all

I have two m0n0wall systems (v1.231), spread over 2 networks; we want to connect these two offices to each other with IPsec. The problem we have is that the two m0n0walls are behind a SpeedTouch 510 and an E-Tech modem/router. In the modems we set the default server to the m0n0wall.

When we set up the ipsec connection in the log we see this error:

racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.0.0/24[0] proto=any dir=out
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=out
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.4/32[0] 192.168.2.0/24[0] proto=any dir=out
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=in
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.4/32[0] proto=any dir=in

The settings of the m0n0walls are:
Interface: WAN
Local subnet: LAN subnet
Remote subnet: 192.1268.0.0
Remote IP: WAN IP of the other office
Negotiation mode: aggressive
My identifier: mlk.local
Encryption : blowfish
Hash: sha1
DH keygroup: 2
Lifetime: 86400
Pre shared key: test

PHASE 2

Protocol: esp
Encryption: blowfish (selected)
Hash: SHA1
Pfs key group: 2
Lifetime : 86400

The Pre-shared Key tab also has the identifier name and the same pre-shared key as the tunnel.

So I think that the settings on my m0n0walls are good, and that the modems are not accepting the IPsec connection. I've also tried to open all the IPsec ports and forward them to the m0n0walls.
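
The racoon lines quoted above record racoon replacing SPD entries that were already installed; on their own they are not a negotiation failure, so the useful thing to pull out of them is what the SPD actually contains. The following is an added example, not code from the thread or from m0n0wall: it parses those six lines (the sample is constructed from the post, with the first line given the timestamp the others carry) into structured entries, checks that every outbound policy has a mirrored inbound one, and lists which remote subnets the local LAN is being tunnelled to. The function and class names are the example's own.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the six policy lines from the post, first line timestamp added.
SAMPLE_LOG = """\
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.0.0/24[0] proto=any dir=out
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=out
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.4/32[0] 192.168.2.0/24[0] proto=any dir=out
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.0.0/24[0] 192.168.2.0/24[0] proto=any dir=in
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
May 13 10:44:23 racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.4/32[0] proto=any dir=in
"""

# racoon prints the policy as "<src>[<port>] <dst>[<port>] proto=<proto> dir=<in|out>"
POLICY_RE = re.compile(
    r"such policy already exists\. anyway replace it: "
    r"(?P<src>[\d.]+/\d+)\[\d+\] (?P<dst>[\d.]+/\d+)\[\d+\] "
    r"proto=(?P<proto>\S+) dir=(?P<dir>in|out)"
)


@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str


def parse_policies(log_text: str) -> list[SpdEntry]:
    """Extract the SPD entries racoon reported as replaced; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if not m:
            continue
        entries.append(SpdEntry(
            ipaddress.ip_network(m["src"], strict=False),
            ipaddress.ip_network(m["dst"], strict=False),
            m["proto"], m["dir"]))
    return entries


def unmirrored(entries: list[SpdEntry]) -> list[str]:
    """Every 'out' policy A->B should have an 'in' twin B->A; report the ones without."""
    outs = {(e.src, e.dst) for e in entries if e.direction == "out"}
    ins = {(e.dst, e.src) for e in entries if e.direction == "in"}  # flipped to match outs
    return sorted(f"{s} -> {d}" for s, d in outs ^ ins)


def remote_subnets(entries: list[SpdEntry], local_lan: str) -> list[str]:
    """Remote networks that outbound policies tunnel traffic to from the given LAN."""
    lan = ipaddress.ip_network(local_lan, strict=False)
    return sorted(str(e.dst) for e in entries
                  if e.direction == "out" and e.src == lan and not e.dst.subnet_of(lan))


if __name__ == "__main__":
    spd = parse_policies(SAMPLE_LOG)
    print(f"{len(spd)} policies replaced; unmirrored: {unmirrored(spd) or 'none'}")
    print("remote subnets from 192.168.2.0/24:", remote_subnets(spd, "192.168.2.0/24"))
```

Run against the sample, the SPD is symmetric and the LAN 192.168.2.0/24 has tunnels to 192.168.0.0/24 and 192.168.1.0/24; the 192.168.2.4/32 entry is a host policy inside the LAN and is not a remote network. A missing mirror entry, or a remote subnet that is not the one configured on the other end, is what the parser is there to surface.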


« Reply #1 on: May 17, 2007, 22:03:53 »
darklogic *
Posts: 45

Switch to version 1.3b2 for the NAT-T support.
« Reply #2 on: May 20, 2007, 14:39:41 »
homegrown *
Posts: 6

Quote from darklogic: Switch to version 1.3b2 for the NAT-T support.

I switched to 1.3b2, but it's not working. In front of the m0n0wall is a SpeedTouch 510i router; in the router I set the default server to the m0n0wall.


Here is a graphic of the network situation; this is how it has to be at the office:
(http://www.itefficiency.nl/casus.jpg)

These are the settings of both m0n0walls.
Because we wanted to test whether the NAT modems cause the problem with the IPsec connection, we moved both m0n0walls to another location. In this situation both m0n0walls get their WAN IP from the ISP directly, and guess what: the IPsec is not coming up.

(http://www.itefficiency.nl/monowall.gif)

Go to the link to enlarge:

http://www.itefficiency.nl/monowall.gif
« Last Edit: May 20, 2007, 16:42:45 by homegrown »
« Reply #3 on: May 20, 2007, 15:23:50 »
homegrown *
Posts: 6

« Last Edit: May 20, 2007, 16:43:23 by homegrown »
« Reply #4 on: June 03, 2007, 20:10:09 »
darklogic *
Posts: 45

I looked at the image and I was going to suggest something for testing reasons. Try changing the My identifier to My IP instead of the domain. I think this might be where the issue is. NAT-T is enabled and you have a remote IP set for both ends, and I know you want to do this by domain name, but I have had issues with that before. If both sides have a static IP, give it a shot. If one has a static and the other does not, you can still attempt this. Also note that the routers in front of the firewalls will need IPsec and L2TP passthrough enabled. Also try adding your network subnet to both sides, for example 192.168.1.0/24 or 10.1.1.0/24. This is kind of a must from what I have seen and done. One other thing: both local and remote networks cannot be on the same network subnet. Example: 192.168.1.0/24 and 192.168.1.0/24 will not talk to each other. If this is the case you will need to use network mapping, which is not a feature in m0n0wall.

I also noticed in your diagram that you have the same WAN IP as your routers sitting in front of the m0n0wall box. Is this a mistype? Are the routers doing any NAT, or are they simply passthrough routers, in other words like a switch?

Make sure to check your identifiers.
« Last Edit: June 04, 2007, 05:11:40 by darklogic »
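
The checks in the reply above (subnets given in CIDR form, local and remote networks not overlapping, identifiers matching what the other end has on its Pre-shared Key tab, and a box whose WAN address is private needing NAT-T) are the kind of thing worth verifying on paper before touching either modem. The following is an added example, not code from the thread or from m0n0wall: it cross-checks two constructed site definitions that mirror the fields on the m0n0wall tunnel page and reports every inconsistency it finds. All names, the documentation-range addresses and the two deliberately broken variants are constructed for the example.

```python
import ipaddress

# Constructed site definitions (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
PHASE1 = {"mode": "main", "encryption": "blowfish", "hash": "sha1", "dh_group": 2, "lifetime": 86400}
PHASE2 = {"protocol": "esp", "encryption": "blowfish", "hash": "sha1", "pfs_group": 2, "lifetime": 86400}

OFFICE_A = {
    "name": "office-a", "wan_ip": "203.0.113.10", "nat_t": False,
    "local_subnet": "192.168.2.0/24", "remote_subnet": "192.168.0.0/24",
    "remote_ip": "198.51.100.20", "my_identifier": "203.0.113.10", "psk": "test",
    "psk_table": {"198.51.100.20": "test"},   # identifier -> key, as on the Pre-shared Key tab
    "phase1": PHASE1, "phase2": PHASE2,
}
OFFICE_B = {
    "name": "office-b", "wan_ip": "198.51.100.20", "nat_t": False,
    "local_subnet": "192.168.0.0/24", "remote_subnet": "192.168.2.0/24",
    "remote_ip": "203.0.113.10", "my_identifier": "198.51.100.20", "psk": "test",
    "psk_table": {"203.0.113.10": "test"},
    "phase1": PHASE1, "phase2": PHASE2,
}
# Deliberately broken variants: a mistyped remote subnet plus a hostname identifier the
# peer has no key entry for, and a m0n0wall whose WAN address is itself an RFC 1918 one.
BROKEN_B = {**OFFICE_B, "remote_subnet": "192.1268.0.0/24", "my_identifier": "mlk.local"}
NATTED_A = {**OFFICE_A, "wan_ip": "192.168.2.4"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def behind_nat(addr: str) -> bool:
    """True when the WAN address is RFC 1918, i.e. a modem/router is NATting in front."""
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def parse_net(text: str):
    """IPv4Network for a CIDR string, or None when it does not parse (e.g. '192.1268.0.0/24')."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def check_site_pair(a: dict, b: dict) -> list[str]:
    """Cross-check both ends of a site-to-site tunnel; an empty list means consistent."""
    findings = []
    for site, peer in ((a, b), (b, a)):
        name = site["name"]
        local, remote = parse_net(site["local_subnet"]), parse_net(site["remote_subnet"])
        if local is None:
            findings.append(f"{name}: local subnet {site['local_subnet']!r} is not a valid CIDR")
        if remote is None:
            findings.append(f"{name}: remote subnet {site['remote_subnet']!r} is not a valid CIDR")
        # Identical or overlapping LANs cannot be joined without address mapping
        if local and remote and local.overlaps(remote):
            findings.append(f"{name}: local {local} overlaps remote {remote}")
        peer_local = parse_net(peer["local_subnet"])
        if remote and peer_local and remote != peer_local:
            findings.append(f"{name}: remote subnet {remote} is not {peer['name']}'s local subnet {peer_local}")
        # The remote gateway must be the peer's public address; when the peer sits behind
        # NAT its own WAN address is private and the public one is the modem's, so skip.
        if not behind_nat(peer["wan_ip"]) and site["remote_ip"] != peer["wan_ip"]:
            findings.append(f"{name}: remote IP {site['remote_ip']} is not {peer['name']}'s WAN address {peer['wan_ip']}")
        if behind_nat(site["wan_ip"]) and not site["nat_t"]:
            findings.append(f"{name}: WAN address {site['wan_ip']} is private (behind NAT) but NAT-T is off")
        # The peer's identifier must have a matching entry on our Pre-shared Key tab
        key = site["psk_table"].get(peer["my_identifier"])
        if key is None:
            findings.append(f"{name}: no pre-shared key entry for peer identifier {peer['my_identifier']!r}")
        elif key != peer["psk"]:
            findings.append(f"{name}: pre-shared key for {peer['my_identifier']!r} differs from {peer['name']}'s")
        for phase in ("phase1", "phase2"):
            if site[phase] != peer[phase]:
                findings.append(f"{name}: {phase} proposal differs from {peer['name']}'s")
    return findings


if __name__ == "__main__":
    for label, pair in (("good", (OFFICE_A, OFFICE_B)), ("typo", (OFFICE_A, BROKEN_B)),
                        ("nat", (NATTED_A, OFFICE_B))):
        print(label, check_site_pair(*pair) or "ok")
```

The "typo" pair reproduces the two problems visible in the first post: a remote subnet that is not a parseable network, and a hostname identifier (mlk.local) that the other side has no key entry for, so phase 1 can never authenticate. The "nat" pair shows the case of a m0n0wall with a private WAN address behind a modem, which is exactly where NAT-T is needed. The RFC 1918 check is deliberately explicit rather than using `is_private`, because Python classifies the documentation ranges as private too.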
« Reply #5 on: June 10, 2007, 13:49:00 »
rudivd *
Posts: 8

Hi,

I have IPsec all over the place using Thomson modems (SpeedTouch 510, 516, 546) doing
sip_spoof. That way you have the WAN IP on your m0n0wall box (needs some <shellcmd>
added manually to the m0n0wall config). Then setting up IPsec is very simple. I use the
IP address as identifier all the time (running the latest 1.231 version).

If you can get rid of the E-Tech, this should be the preferred setup, I think.

Setting up m0n0wall to use the sip_spoof is described here:

http://m0n0.ch/wall/list/showmsg.php?id=172/46

Templates for putting the modem into sip_spoof can be found here:

http://jp.dhs.org/~jp/ (dutch, use the fish... if needed)

Note: if you use some of the newer modems you have to disable the firewall
in the modem; older versions of the firmware do not have a firewall.

Rudi


