Topic: m0n0 to m0n0 ipsec vpn, can only ping......  (Read 2868 times)
« on: June 27, 2013, 23:19:45 »
mrcola *
Posts: 7

Hi

I have got an IPsec VPN set up between two m0n0walls. It ended up with ping only, but I cannot access any other things.

Local LAN 192.168.50.0/24, default gateway 192.168.50.2
Remote LAN 192.168.60.0/24, default gateway 192.168.60.2

I can ping IPs from the remote LAN IP, and can access the remote m0n0 (192.168.60.2) from the web GUI.

IPsec logs:
Jun 27 23:07:16    racoon: INFO: IPsec-SA established: ESP/Tunnel 87.127.X.X[500]->180.154.X.X[500] spi=229355714(0xdabb0c2)
Jun 27 23:07:16    racoon: INFO: IPsec-SA established: ESP/Tunnel 180.154.X.X[0]->87.127.X.X[0] spi=180456609(0xac18ca1)
Jun 27 23:07:15    racoon: INFO: respond new phase 2 negotiation: 87.127.X.X[500]<=>180.154.X.X[500]
Jun 27 23:07:15    racoon: INFO: purging spi=118498215.
Jun 27 23:07:15    racoon: INFO: ISAKMP-SA established 87.127.X.X[500]-180.154.X.X[500] spi:3f884f9617055081:93690d36d00a29aa
Jun 27 23:07:14    racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jun 27 23:07:14    racoon: INFO: received Vendor ID: DPD
Jun 27 23:07:14    racoon: INFO: begin Aggressive mode.
Jun 27 23:07:14    racoon: INFO: respond new phase 1 negotiation: 87.127.X.X[500]<=>180.154.X.X[500]
Jun 27 23:07:10    racoon: INFO: purged IPsec-SA proto_id=ESP spi=238907307.
Jun 27 23:07:05    racoon: INFO: IPsec-SA established: ESP/Tunnel 87.127.X.X[500]->180.154.X.X[500] spi=238907307(0xe3d6fab)
Jun 27 23:07:05    racoon: INFO: IPsec-SA established: ESP/Tunnel 180.154.X.X[0]->87.127.X.X[0] spi=118498215(0x71023a7)
Jun 27 23:07:05    racoon: INFO: initiate new phase 2 negotiation: 87.127.X.X[500]<=>180.154.X.X[500]
Jun 27 23:07:05    racoon: INFO: ISAKMP-SA established 87.127.X.X[500]-180.154.X.X[500] spi:a0cdb8ebf83d8cfb:17afdbd6ea0a6b82
Jun 27 23:07:05    racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jun 27 23:07:05    racoon: INFO: received Vendor ID: DPD
Jun 27 23:07:03    racoon: INFO: begin Aggressive mode.
Jun 27 23:07:03    racoon: INFO: initiate new phase 1 negotiation: 87.127.X.X[500]<=>180.154.X.X[500]
Jun 27 23:07:03    racoon: INFO: IPsec-SA request for 180.154.X.X queued due to no phase1 found.
Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.60.0/24[0] proto=any dir=out
Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.2/32[0] 192.168.50.0/24[0] proto=any dir=out
Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.60.0/24[0] 192.168.50.0/24[0] proto=any dir=in
Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.50.2/32[0] proto=any dir=in
Jun 27 23:07:02    racoon: INFO: 192.168.50.2[500] used for NAT-T
Jun 27 23:07:02    racoon: INFO: 192.168.50.2[500] used as isakmp port (fd=15)
Jun 27 23:07:02    racoon: INFO: fe80::215:5dff:fe32:a20%de0[500] used as isakmp port (fd=14)
Jun 27 23:07:02    racoon: INFO: fe80::215:5dff:fe32:a21%de1[500] used as isakmp port (fd=13)
Jun 27 23:07:02    racoon: INFO: 127.0.0.1[500] used for NAT-T
Jun 27 23:07:02    racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
Jun 27 23:07:02    racoon: INFO: ::1[500] used as isakmp port (fd=11)
Jun 27 23:07:02    racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=10)
Jun 27 23:07:02    racoon: INFO: fe80::215:5dff:fe32:a20%ng0[500] used as isakmp port (fd=9)
Jun 27 23:07:02    racoon: INFO: 87.127.X.X[500] used for NAT-T
Jun 27 23:07:02    racoon: INFO: 87.127.X.X[500] used as isakmp port (fd=8)
Jun 27 23:07:02    racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Jun 27 23:07:02    racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Jun 27 23:07:02    racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)

Both settings are almost identical apart from the remote subnet and remote gateway.

Phase 1
Negotiation mode: Aggressive (tried both)
Encryption algorithm: 3DES
Hash algorithm: SHA1
DH key group: 5 (tried 2 as well)
Authentication method: pre-shared key

Phase 2
Protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: MD5
PFS key group: off
Lifetime: 14400

Please help

Thanks

Regards RW
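The racoon log above, read back as a quick state check: this is an added example and not part of the original post or of m0n0wall itself. It is a small Python script that takes the posted lines (a constructed subset, kept in the order the m0n0wall log viewer shows them, newest first, so the script sorts by timestamp before replaying them), tracks ISAKMP and ESP SA establishment and purges, records the SPD entries racoon installed, and reports whether a two-way tunnel between the two LANs is actually up. The subnet arguments, the `analyze`/`verdict` names and the verdict strings are this example's own. If it reports the tunnel up, as it does for these lines, the remaining suspects are the ones the replies raise: host routing (a missing default gateway) or name resolution. One caveat visible in the same lines: Phase 1 ran in Aggressive mode with a pre-shared key, which sends PSK-derived hash material that an eavesdropper can attack offline; Main mode is the safer choice when both ends have fixed addresses.

```python
"""Check a racoon (ipsec-tools) log for a usable m0n0wall-to-m0n0wall tunnel.

Added example, not from the thread. It answers the question the thread turns
on: is IPsec actually up, so that "ping works but nothing else does" must be
a host problem (routing, name resolution) rather than a VPN problem?
"""
import re
import time

# Constructed sample: a subset of the racoon lines posted in the thread, in the
# order the m0n0wall log viewer displays them (newest first). Public addresses
# are masked exactly as the poster masked them.
SAMPLE_LOG = """\
Jun 27 23:07:16    racoon: INFO: IPsec-SA established: ESP/Tunnel 87.127.X.X[500]->180.154.X.X[500] spi=229355714(0xdabb0c2)
Jun 27 23:07:16    racoon: INFO: IPsec-SA established: ESP/Tunnel 180.154.X.X[0]->87.127.X.X[0] spi=180456609(0xac18ca1)
Jun 27 23:07:15    racoon: INFO: purging spi=118498215.
Jun 27 23:07:15    racoon: INFO: ISAKMP-SA established 87.127.X.X[500]-180.154.X.X[500] spi:3f884f9617055081:93690d36d00a29aa
Jun 27 23:07:14    racoon: INFO: begin Aggressive mode.
Jun 27 23:07:10    racoon: INFO: purged IPsec-SA proto_id=ESP spi=238907307.
Jun 27 23:07:05    racoon: INFO: IPsec-SA established: ESP/Tunnel 87.127.X.X[500]->180.154.X.X[500] spi=238907307(0xe3d6fab)
Jun 27 23:07:05    racoon: INFO: IPsec-SA established: ESP/Tunnel 180.154.X.X[0]->87.127.X.X[0] spi=118498215(0x71023a7)
Jun 27 23:07:05    racoon: INFO: ISAKMP-SA established 87.127.X.X[500]-180.154.X.X[500] spi:a0cdb8ebf83d8cfb:17afdbd6ea0a6b82
Jun 27 23:07:03    racoon: INFO: begin Aggressive mode.
Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.60.0/24[0] proto=any dir=out
Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.60.0/24[0] 192.168.50.0/24[0] proto=any dir=in
"""

TS_FORMAT = "%b %d %H:%M:%S"
RE_LINE   = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)\s+racoon: (.*)$")
RE_POLICY = re.compile(r"policy already exists\. anyway replace it: (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=(in|out)")
RE_PHASE1 = re.compile(r"ISAKMP-SA established (\S+)\[\d+\]-(\S+)\[\d+\] spi:(\w+):(\w+)")
RE_PHASE2 = re.compile(r"IPsec-SA established: ESP/Tunnel (\S+)\[\d+\]->(\S+)\[\d+\] spi=(\d+)")
RE_PURGE  = re.compile(r"purg(?:ed IPsec-SA proto_id=ESP|ing) spi=(\d+)")
RE_AGGR   = re.compile(r"begin Aggressive mode")


def parse(log_text):
    """Return (struct_time, message) pairs in chronological order.

    The m0n0wall log page lists newest first; replaying SA establish/purge
    events in that order would count purged SAs as live, so sort first.
    """
    events = []
    for line in log_text.splitlines():
        m = RE_LINE.match(line)
        if m:
            events.append((time.strptime(m.group(1), TS_FORMAT), m.group(2)))
    events.sort(key=lambda e: e[0])  # stable sort keeps same-second file order
    return events


def analyze(log_text, local_net, remote_net):
    """Replay the log and summarise the IKE/IPsec state it describes."""
    state = {
        "phase1": False,           # an ISAKMP (IKE phase 1) SA was established
        "aggressive": False,       # phase 1 used Aggressive mode
        "active_esp_spis": set(),  # ESP SAs established and not yet purged
        "policies": set(),         # (src, dst, direction) SPD entries racoon set
    }
    for _, msg in parse(log_text):
        if RE_AGGR.search(msg):
            state["aggressive"] = True
        elif RE_PHASE1.search(msg):
            state["phase1"] = True
        elif (m := RE_PHASE2.search(msg)):
            state["active_esp_spis"].add(int(m.group(3)))
        elif (m := RE_PURGE.search(msg)):
            state["active_esp_spis"].discard(int(m.group(1)))
        elif (m := RE_POLICY.search(msg)):
            state["policies"].add((m.group(1), m.group(2), m.group(3)))
    out_ok = (local_net, remote_net, "out") in state["policies"]
    in_ok = (remote_net, local_net, "in") in state["policies"]
    # ESP SAs are one-way: a working tunnel needs one live SA in each direction
    # plus SPD entries that actually select the two LANs.
    state["tunnel_up"] = state["phase1"] and len(state["active_esp_spis"]) >= 2 and out_ok and in_ok
    return state


def verdict(state):
    """Turn the replayed state into the next thing to check."""
    if not state["phase1"]:
        return "phase 1 never completed: check PSK, peer identifiers and the phase 1 proposal"
    if len(state["active_esp_spis"]) < 2:
        return "phase 2 incomplete: check the phase 2 proposal and the local/remote subnets"
    if not state["tunnel_up"]:
        return "SAs exist but the SPD does not cover both LANs: check the subnets in the tunnel definition"
    note = " (caveat: Aggressive mode with PSK was used; prefer Main mode)" if state["aggressive"] else ""
    return "IPsec is up; ping-only symptoms point at host routing or name resolution, not the VPN" + note


if __name__ == "__main__":
    s = analyze(SAMPLE_LOG, "192.168.50.0/24", "192.168.60.0/24")
    print("live ESP SPIs:", sorted(s["active_esp_spis"]))
    print(verdict(s))
```

To run it against a live box, paste the lines from the m0n0wall IPsec log page into `SAMPLE_LOG` (or read them from a file) and pass the two LAN subnets as configured on the side whose log you are reading; the `dir=out` entry must name the local LAN first and the `dir=in` entry the remote LAN first, otherwise the SPD is selecting the wrong traffic even though the SAs look healthy.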

« Reply #1 on: June 28, 2013, 17:46:50 »
Lee Sharp *****
Posts: 517

If you can ping, you have link. How are you trying to "access" other things?  Could this be a name resolution issue?
« Reply #2 on: July 01, 2013, 11:20:28 »
mrcola *
Posts: 7

Hi

It was my mistake; the remote IP I tried to access didn't have the default gateway set up.

Stupid error

Thanks for that
« Reply #3 on: July 01, 2013, 20:34:34 »
Lee Sharp *****
Posts: 517

That will do it! :grin: And we all make the stupid mistake from time to time. How about setting a default gateway in a different subnet? Done it... Doh!