Topic: monowall to monowall IPSEC doesn't connect
« on: February 14, 2013, 18:34:15 »
steffen *
Posts: 2

Hi all,

I am trying to connect two offices through Monowall routers (both Soekris net4803 based) with an IPSEC tunnel.
Since a first attempt failed I created an easy to understand and implement local setup, hoping to be able to transfer a final solution to the real world scenario.
This is the setup:
 
Monowall1: Soekris net4803 based, running 1.32,
Monowall2: Generic PC 1.34 on a Pentium 4 PC

I connect the 2 monowall's WAN ports via a WLAN router's LAN ports.
Each of the Monowall's LAN ports has a linux computer PC1/PC2 (Ubuntu/CentOS) attached.
I have another computer (PC3) connected to the WLAN router wirelessly.

setup:
PC1-monowall1-WLAN-monowall2-PC2
                |
               PC3

IP setup:
PC1: 192.168.236.100 (via DHCP)
Monowall1-LAN 192.168.236.1, DHCP is enabled
Monowall1-WAN 192.168.1.100, DHCP|static
WLAN router: 192.168.1.1, DHCP|static
Monowall2-WAN 192.168.1.101, DHCP|static
Monowall2-LAN 192.168.4.1, DHCP is enabled
PC2: 192.168.4.100 (via DHCP)

PC3: 192.168.1.102, wireless, via DHCP

* The firewall rules in the monowall routers allow each protocol, source or destination.
* The monowall WAN interfaces go to the wired LAN ports of the WLAN router, so there is no firewall between the Monowalls, but for good measure I disabled it in the WLAN router anyway.

working:
PPTP VPN between PC1 and PC2 and I connect either direction.
WEBgui access from PC3 through the WAN interface to both Monowalls to have the interfaces side by side on the screen.

I can do this with the WLAN router in either DHCP mode (-> Monowalls' WAN interfaces get their IP dynamically assigned) or with static IP addresses.

not working:
IPSEC tunnel between the two monowall routers.

In the tunnel definition I follow the instructions in http://doc.m0n0.ch/handbook/ipsec-tunnels.html.
The Diagnostics:IPsec:SPD tunnel endpoints show the IP addresses of the respective other Monowall's WAN interface. Those are the ones that I defined as 'Remote Gateway'.

I tried several (if not all) settings for Phase1/Phase2, making sure that I always apply the same settings on either Monowall (using PC3 looking at the Webgui interfaces side-by-side).

What am I missing here?
How often will the Monowall routers try to establish a connection?
Is there a way to trigger the routers to try to establish a connection?
What is triggering a connection attempt internally?
I defined the rules (that allow each packet in either direction!) to be logged but I hardly see any log activity.

In the system log I see 'racoon: ERROR: such policy already exists. anyway replace it:xxxxxx' with mirrored IP settings on either end of the failing tunnel.

Are there any incompatibilities between the GenericPC based 1.34 version and the embedded 1.32 version that prevent the routers from talking to one another?

I looked through the postings in this forum, but all I found was incorrect subnet definitions on either end; this is not the case here, but what is it?

Thanks in advance for any suggestions.
-Steffen
« Reply #1 on: February 15, 2013, 02:42:21 »
steffen *
Posts: 2

update:
I enabled remote logging on the attached computers and this is the log output when I hit the 'Save' button on the VPN:IPsec Tunnels page:
I also list the content of the racoon.conf file(s)
PC1:
Feb 15 01:28:11 pcbasedrouter.domain236 racoon: INFO: caught signal 15
Feb 15 01:28:12 pcbasedrouter.domain236 racoon: INFO: racoon shutdown
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.236.31[500] used as isakmp port (fd=8)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.236.31[500] used for NAT-T
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.236.31[4500] used as isakmp port (fd=9)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.236.31[4500] used for NAT-T
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: fe80::2e0:4cff:feeb:c9b8%ng1[500] used as isakmp port (fd=10)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: fe80::2e0:4cff:feeb:c9b8%ng1[4500] used as isakmp port (fd=11)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=12)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: fe80::1%lo0[4500] used as isakmp port (fd=13)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: ::1[500] used as isakmp port (fd=14)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: ::1[4500] used as isakmp port (fd=15)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=16)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=17)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: fe80::21b:2fff:fe34:d4d1%rg0[500] used as isakmp port (fd=18)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: fe80::21b:2fff:fe34:d4d1%rg0[4500] used as isakmp port (fd=19)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.236.1[500] used as isakmp port (fd=20)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.236.1[500] used for NAT-T
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.236.1[4500] used as isakmp port (fd=21)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.236.1[4500] used for NAT-T
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: fe80::240:5ff:fe7e:5a76%rl1[500] used as isakmp port (fd=22)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: fe80::240:5ff:fe7e:5a76%rl1[4500] used as isakmp port (fd=23)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.1.100[500] used as isakmp port (fd=24)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.1.100[500] used for NAT-T
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: INFO: 192.168.1.100[4500] used as isakmp port (fd=25)
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: ERROR: such policy already exists. anyway replace it: 192.168.236.0/24[0] 192.168.236.1/32[0] proto=any dir=in
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.236.0/24[0] proto=any dir=in
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: ERROR: such policy already exists. anyway replace it: 192.168.236.1/32[0] 192.168.236.0/24[0] proto=any dir=out
Feb 15 01:28:13 pcbasedrouter.domain236 racoon: ERROR: such policy already exists. anyway replace it: 192.168.236.0/24[0] 192.168.4.0/24[0] proto=any dir=out

PC2:
Feb 15 01:28:13 192.168.4.1 racoon: INFO: caught signal 15
Feb 15 01:28:14 192.168.4.1 racoon: INFO: racoon shutdown
Feb 15 01:28:16 192.168.4.1 racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Feb 15 01:28:16 192.168.4.1 racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Feb 15 01:28:16 192.168.4.1 racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=8)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: fe80::1%lo0[4500] used as isakmp port (fd=9)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: ::1[500] used as isakmp port (fd=10)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: ::1[4500] used as isakmp port (fd=11)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 127.0.0.1[500] used for NAT-T
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=13)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 127.0.0.1[4500] used for NAT-T
Feb 15 01:28:16 192.168.4.1 racoon: INFO: fe80::200:24ff:fec8:6449%sis1[500] used as isakmp port (fd=14)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: fe80::200:24ff:fec8:6449%sis1[4500] used as isakmp port (fd=15)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 192.168.4.1[500] used as isakmp port (fd=16)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 192.168.4.1[500] used for NAT-T
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 192.168.4.1[4500] used as isakmp port (fd=17)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 192.168.4.1[4500] used for NAT-T
Feb 15 01:28:16 192.168.4.1 racoon: INFO: fe80::200:24ff:fec8:6448%sis0[500] used as isakmp port (fd=18)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: fe80::200:24ff:fec8:6448%sis0[4500] used as isakmp port (fd=19)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 192.168.1.101[500] used as isakmp port (fd=20)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 192.168.1.101[500] used for NAT-T
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 192.168.1.101[4500] used as isakmp port (fd=21)
Feb 15 01:28:16 192.168.4.1 racoon: INFO: 192.168.1.101[4500] used for NAT-T
Feb 15 01:28:16 192.168.4.1 racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.4.1/32[0] proto=any dir=in
Feb 15 01:28:16 192.168.4.1 racoon: ERROR: such policy already exists. anyway replace it: 192.168.236.0/24[0] 192.168.4.0/24[0] proto=any dir=in
Feb 15 01:28:16 192.168.4.1 racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.1/32[0] 192.168.4.0/24[0] proto=any dir=out
Feb 15 01:28:16 192.168.4.1 racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.236.0/24[0] proto=any dir=out

content of /var/etc/racoon.conf on monowall 1:
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote 192.168.1.101 {
   exchange_mode main;
   my_identifier user_fqdn "localuser@localdomain";
   nat_traversal on;
   
   peers_identifier address 192.168.1.101;
   initial_contact on;
   support_proxy on;
   proposal_check obey;
   dpd_delay 0;

   proposal {
      encryption_algorithm des;
      hash_algorithm sha1;
      authentication_method pre_shared_key;
      dh_group 2;
      lifetime time 28800 secs;
   }
   lifetime time 28800 secs;
}

sainfo address 192.168.236.0/24 any address 192.168.4.0/24 any {
   encryption_algorithm des,3des,blowfish,cast128,rijndael;
   authentication_algorithm hmac_sha1,hmac_md5;
   compression_algorithm deflate;
   pfs_group 2;
   lifetime time 86400 secs;
}

content of /var/etc/racoon.conf on monowall 2:
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote 192.168.1.100 {
   exchange_mode main;
   my_identifier user_fqdn "localuser@localdomain";
   nat_traversal on;
   
   peers_identifier address 192.168.1.100;
   initial_contact on;
   support_proxy on;
   proposal_check obey;
   dpd_delay 0;

   proposal {
      encryption_algorithm des;
      hash_algorithm sha1;
      authentication_method pre_shared_key;
      dh_group 2;
      lifetime time 28800 secs;
   }
   lifetime time 28800 secs;
}

sainfo address 192.168.4.0/24 any address 192.168.236.0/24 any {
   encryption_algorithm des,3des,blowfish,cast128;
   authentication_algorithm hmac_sha1,hmac_md5;
   compression_algorithm deflate;
   pfs_group 2;
   lifetime time 86400 secs;
}

The psk.txt files contain the 2 entries in one line, first the IP address of the respective other Monowall's WAN port, followed by the _identical_ preshared key.

One of the routers (mono1) further logs these events, which may rather be related to the VPN from PC2 to PC1.

Also, both M0n0walls have the same version 1.34.

Are there any other log files of interest?

-Steffen
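As an added example (not code from the thread or from m0n0wall), here is a small checker that does mechanically what the poster did by eye with two Webgui windows: it parses both racoon.conf fragments and verifies that each end's 'remote' block names the other end's WAN address with an identical phase 1 proposal, that the sainfo subnets are mirrored, and that the phase 2 algorithm lists overlap. The two configs are constructed copies trimmed to those blocks (the quoted files above have more settings), and racoon_conf, parse_racoon and compare_ends are names chosen for this example.

```python
# Constructed racoon.conf fragments in the shape m0n0wall writes (trimmed; not the live files).
def racoon_conf(peer_wan, local_net, remote_net, p2_ciphers):
    return f"""remote {peer_wan} {{
   exchange_mode main;
   proposal {{
      encryption_algorithm des;
      dh_group 2;
   }}
}}
sainfo address {local_net} any address {remote_net} any {{
   encryption_algorithm {p2_ciphers};
   pfs_group 2;
}}"""
MONO1 = racoon_conf("192.168.1.101", "192.168.236.0/24", "192.168.4.0/24", "des,3des,blowfish,cast128,rijndael")
MONO2 = racoon_conf("192.168.1.100", "192.168.4.0/24", "192.168.236.0/24", "des,3des,blowfish,cast128")

def parse_racoon(text):
    # Nested dicts keyed by block header; 'key value;' lines become entries (racoon.conf subset only).
    stack, cur = [], {}
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":
            cur = stack.pop()
        elif line.endswith(";"):
            key, _, val = line[:-1].partition(" ")
            cur[key] = val.strip()
    return cur                                   # root again once every block has been closed

def compare_ends(conf_a, wan_a, conf_b, wan_b):
    """Return (errors, warnings): errors would stop IKE agreeing, warnings are one-sided extras."""
    a, b = parse_racoon(conf_a), parse_racoon(conf_b)
    ra, rb = a.get(f"remote {wan_b}", {}), b.get(f"remote {wan_a}", {})
    errors, warnings = [], []
    for k in sorted(set(ra) | set(rb)):                           # phase 1 must match exactly
        if ra.get(k) != rb.get(k):
            errors.append(f"phase 1 {k}: {ra.get(k)} vs {rb.get(k)}")
    for ka, va in ((k, v) for k, v in a.items() if k.startswith("sainfo")):
        _, _, local, _, _, remote, _ = ka.split()
        vb = b.get(f"sainfo address {remote} any address {local} any")
        if vb is None:                                            # phase 2 subnets must be mirrored
            errors.append(f"phase 2 {local} <-> {remote}: no mirrored sainfo on the other end")
            continue
        for key in ("encryption_algorithm", "pfs_group"):
            x, y = set(va.get(key, "").split(",")), set(vb.get(key, "").split(","))
            if not x & y:
                errors.append(f"phase 2 {key}: no common value")
            elif x != y:
                warnings.append(f"phase 2 {key}: only on one end: {sorted(x ^ y)}")
    return errors, warnings
```

Run against the two fragments as posted, it reports no errors and one warning: rijndael is offered by mono1 only, which leaves the common ciphers negotiable and so does not by itself explain the failed tunnel.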
