Topic: debugging ipsec tunnel  (Read 3934 times)
« on: January 30, 2014, 23:53:00 »
pacneil *
Posts: 11

I have two identical Soekris 4801 platforms. They are both running m0n0wall 1.34. This is not the first time I've set up IPsec on m0n0wall, but this is the first time I've run into issues that I can't diagnose.

Here are excerpts from the XML dumps of the config on one host:

 <interface>wan</interface>
<network>lan</network>
<remote-subnet>172.16.168.0/24</remote-subnet>
<remote-gateway>666.666.666.666</remote-gateway>
<p1>
<mode>main</mode>
<encryption-algorithm>3des</encryption-algorithm>
<hash-algorithm>md5</hash-algorithm>
<dhgroup>2</dhgroup>
<lifetime>28800</lifetime>
<pre-shared-key>areallylongstringisinhere</pre-shared-key>
<authentication_method>pre_shared_key</authentication_method>
</p1>
<p2>
<protocol>esp</protocol>
<encryption-algorithm-option>blowfish</encryption-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option>
<pfsgroup>2</pfsgroup>
<lifetime>3600</lifetime>
</p2>

And the other host:
<interface>wan</interface>
<local-subnet>
<network>lan</network>
</local-subnet>
<remote-subnet>10.1.1.0/24</remote-subnet>
<remote-gateway>555.555.555.555</remote-gateway>
<p1>
<mode>main</mode>
<encryption-algorithm>3des</encryption-algorithm>
<hash-algorithm>md5</hash-algorithm>
<dhgroup>2</dhgroup>
<dhgroup>2</dhgroup>
<lifetime>28800</lifetime>
<pre-shared-key>samereallylongstringisinhere</pre-shared-key>
<authentication_method>pre_shared_key</authentication_method>
</p1>
<p2>
<protocol>esp</protocol>
<encryption-algorithm-option>blowfish</encryption-algorithm-option>
<hash-algorithm-option>hmac_md5</hash-algorithm-option>
<pfsgroup>2</pfsgroup>
<lifetime>3600</lifetime>
</p2>

Traceroute from one to the other looks like this.

traceroute to 555.555.555.555 (555.555.555.555), 18 hops max, 40 byte packets
 1  555-555-555-233.static.provider.net (555.555.555.233)  1.588 ms  3.167 ms  1.530 ms
 2  555-555-555-158.static.provider.net (555.555.555.158)  5.264 ms  4.187 ms  4.548 ms
 3  xe-7-1-0.edge2.LosAngeles9.Level3.net (4.53.230.61)  4.204 ms  4.235 ms  4.341 ms
 4  ae-3-80.edge3.LosAngeles1.Level3.net (4.69.144.137)  4.262 ms
    ae-2-70.edge3.LosAngeles1.Level3.net (4.69.144.73)  4.318 ms
    ae-3-80.edge3.LosAngeles1.Level3.net (4.69.144.137)  7.125 ms
 5  AMERICAN-IN.edge3.LosAngeles1.Level3.net (4.53.122.14)  7.831 ms  11.102 ms  9.150 ms
 6  ar01-gi8-12.sdtc.provider2.net (666.666.666.198)  7.558 ms  7.496 ms  7.364 ms
 7  sdtc.ar01.fa1-44.host2.5229.provider.net (666.666.666.67)  7.634 ms  7.737 ms  8.064 ms

The tunnel came up once; it took almost three days. I disabled the tunnel due to other issues in the network. I re-enabled it and I see messages in the logs that show racoon starting up. No errors in the logs. After a week the tunnel still didn't come back up. I've spoken to both network providers to check if they are blocking port 500 or dropping protocols 50 and 51. Everyone tells me they're providing bare internet without filtering. Any ideas how I can diagnose this? I've run out of ideas on my end.
« Reply #1 on: January 31, 2014, 16:16:08 »
Lee Sharp *****
Posts: 517

What kind of device do you have at the ends providing Ethernet handoff?
« Reply #2 on: January 31, 2014, 18:37:55 »
pacneil *
Posts: 11

One end connects directly to a Cisco 3600? router port. That router hands off to fiber. The other end is a switched network inside the data center. It's routed to the internet through that connection. Do I need more specific information than that?
« Reply #3 on: February 02, 2014, 04:26:43 »
Lee Sharp *****
Posts: 517

And both ends have real IP addresses with no NAT between them, correct?

What is in the logs when you spin up and when you ping?  Can you ping the remote firewall from the local LANs?
« Reply #4 on: February 03, 2014, 20:24:13 »
pacneil *
Posts: 11

No NAT'ed interfaces on either end. But I'm unable to force sis1 into full duplex using instructions someone posted in this thread. It's negotiating with a Cisco router on the other end. I'll have to get the model number when I speak to the ISP network guy again later today.

The configuration I uploaded has this stanza for the interface.

                <wan>
                        <if>sis1</if>
                        <blockpriv/>
                        <media>100BaseTX</media>
                        <mediaopt>full-duplex </mediaopt>
                        <ipaddr>666.666.666.666</ipaddr>
                        <subnet>29</subnet>
                        <gateway>666.666.666.666</gateway>
                        <spoofmac/>
                </wan>

I changed the IP to protect the innocent. :-) But it's not going into full-duplex. It still shows in the web interface as being in half-duplex and I'm seeing errors:

In/out errors    0/1119

« Reply #5 on: February 03, 2014, 22:37:26 »
rpsmith ***
Posts: 113

<mediaopt>full-duplex </mediaopt>

Do you really have a space after "full-duplex" and before "<" ?

Roy...
« Reply #6 on: February 03, 2014, 22:53:25 »
pacneil *
Posts: 11

Thanks for catching that! I did indeed have a space there. I'll try again at the end of the day to upload the configuration and see if that changes it. I'll have to wait so I don't interfere with other people's work.
« Reply #7 on: February 06, 2014, 19:40:26 »
pacneil *
Posts: 11

OK, solved the half-duplex problem. Ended up having to insert a switch in the circuit.

However, so far the IPsec tunnel isn't coming up. I don't remember having this problem in the past. Going to go over the configuration once more and see if it makes any difference. Everything else seems to work fine, but I can't bring the tunnel up.

I just confirmed I can ping and traceroute in both directions, from gateway to gateway. Time seems to be pretty consistent at around 7.5 ms - 8.5 ms.

Local Subnet: LAN Subnet
My identifier: My IP address
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 768 Bit
Lifetime: 28800
Authentication method: pre-shared key
Protocol: ESP
Encryption algorithms: 3DES
Hash algorithms: MD5
PFS key group: 768 Bit
Lifetime: 3600

Still no SAD
« Reply #8 on: February 07, 2014, 18:17:20 »
Lee Sharp *****
Posts: 517

Can you post the relevant chunks of each config file?  Just need the ipsec portions.
« Reply #9 on: February 07, 2014, 19:22:43 »
pacneil *
Posts: 11

[Gateway 1]

<ipsec>
                <dns-interval/>
                <tunnel>
                        <disabled/>
                        <dpddelay/>
                        <interface>wan</interface>
                        <natt/>
                        <local-subnet>
                                <network>lan</network>
                        </local-subnet>
                        <remote-subnet>10.1.1.0/24</remote-subnet>
                        <remote-gateway>666.666.666.666</remote-gateway>
                        <p1>
                                <mode>main</mode>
                                <myident>
                                        <myaddress/>
                                </myident>
                                <encryption-algorithm>3des</encryption-algorithm>
                                <hash-algorithm>md5</hash-algorithm>
                                <dhgroup>2</dhgroup>
                                <lifetime>28800</lifetime>
                                <pre-shared-key>somerandomedatagoeshere</pre-shared-key>
                                <private-key/>
                                <cert/>
                                <peercert/>
                                <authentication_method>pre_shared_key</authentication_method>
                        </p1>
                        <p2>
                                <protocol>esp</protocol>
                                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                                <pfsgroup>2</pfsgroup>
                                <lifetime>3600</lifetime>
                        </p2>
                        <descr>LAN to LAN VPN</descr>
                </tunnel>
                <enable/>
        </ipsec>

[Gateway 2]

<ipsec>
                <tunnel>
                        <disabled/>
                        <dpddelay/>
                        <interface>wan</interface>
                        <natt/>
                        <local-subnet>
                                <network>lan</network>
                        </local-subnet>
                        <remote-subnet>172.16.168.0/24</remote-subnet>
                        <remote-gateway>777.777.777.777</remote-gateway>
                        <p1>
                                <mode>main</mode>
                                <myident>
                                        <myaddress/>
                                </myident>
                                <encryption-algorithm>3des</encryption-algorithm>
                                <hash-algorithm>md5</hash-algorithm>
                                <dhgroup>2</dhgroup>
                                <lifetime>28800</lifetime>
                                <pre-shared-key>omerandomedatagoeshere</pre-shared-key>
                                <private-key/>
                                <cert/>
                                <peercert/>
                                <authentication_method>pre_shared_key</authentication_method>
                        </p1>
                        <p2>
                                <protocol>esp</protocol>
                                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                                <pfsgroup>2</pfsgroup>
                                <lifetime>3600</lifetime>
                        </p2>
                        <descr>LAN to LAN VPN</descr>
                </tunnel>
                <dns-interval/>
                <enable/>
        </ipsec>
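The two stanzas above are the kind of thing that is easiest to compare mechanically rather than by eye. The following script is an added example, not code from this thread or from m0n0wall: it parses two m0n0wall `<ipsec>` tunnel stanzas and reports the differences that stop a site-to-site tunnel from negotiating (phase 1 / phase 2 parameter mismatches, pre-shared keys compared byte-for-byte, both sides naming the same remote subnet, the `lan` keyword used as the local subnet) and also flags any leaf value carrying leading or trailing whitespace, the same class of defect rpsmith spotted in `<mediaopt>full-duplex </mediaopt>` earlier in the thread. The sample stanzas are constructed, modelled on the Gateway 1 and Gateway 2 configs with documentation addresses in place of the real ones and a trailing space planted in one value. The `<disabled/>` check rests on an assumption: m0n0wall stores boolean options as empty tags (as with `<enable/>` and `<blockpriv/>`), so an empty `<disabled/>` inside a tunnel stanza is worth verifying against your version.

```python
"""Cross-check two m0n0wall <ipsec> tunnel stanzas for the mismatches that
keep a site-to-site tunnel from negotiating.

Added example, not code from the thread or from m0n0wall. Both stanzas are
constructed (placeholder addresses), modelled on the posted Gateway 1 and
Gateway 2 configs; element names are those m0n0wall 1.3x writes to config.xml.
"""
import xml.etree.ElementTree as ET

# Constructed side A. Its PSK differs from side B's by one character, as in
# the posted (obfuscated) configs.
GATEWAY_1 = """<ipsec><tunnel><disabled/><dpddelay/><interface>wan</interface><natt/>
 <local-subnet><network>lan</network></local-subnet>
 <remote-subnet>10.1.1.0/24</remote-subnet><remote-gateway>203.0.113.2</remote-gateway>
 <p1><mode>main</mode><encryption-algorithm>3des</encryption-algorithm>
  <hash-algorithm>md5</hash-algorithm><dhgroup>2</dhgroup><lifetime>28800</lifetime>
  <pre-shared-key>somerandomedatagoeshere</pre-shared-key>
  <authentication_method>pre_shared_key</authentication_method></p1>
 <p2><protocol>esp</protocol><encryption-algorithm-option>blowfish</encryption-algorithm-option>
  <hash-algorithm-option>hmac_md5</hash-algorithm-option><pfsgroup>2</pfsgroup>
  <lifetime>3600</lifetime></p2></tunnel><enable/></ipsec>"""

# Constructed side B. A trailing space is planted in <encryption-algorithm>
# to exercise the whitespace check.
GATEWAY_2 = """<ipsec><tunnel><disabled/><dpddelay/><interface>wan</interface><natt/>
 <local-subnet><network>lan</network></local-subnet>
 <remote-subnet>172.16.168.0/24</remote-subnet><remote-gateway>203.0.113.1</remote-gateway>
 <p1><mode>main</mode><encryption-algorithm>3des </encryption-algorithm>
  <hash-algorithm>md5</hash-algorithm><dhgroup>2</dhgroup><lifetime>28800</lifetime>
  <pre-shared-key>omerandomedatagoeshere</pre-shared-key>
  <authentication_method>pre_shared_key</authentication_method></p1>
 <p2><protocol>esp</protocol><encryption-algorithm-option>blowfish</encryption-algorithm-option>
  <hash-algorithm-option>hmac_md5</hash-algorithm-option><pfsgroup>2</pfsgroup>
  <lifetime>3600</lifetime></p2></tunnel><enable/></ipsec>"""

# Phase 1 / phase 2 parameters that must agree on both peers.
P1_FIELDS = ("mode", "encryption-algorithm", "hash-algorithm", "dhgroup",
             "lifetime", "authentication_method")
P2_FIELDS = ("protocol", "encryption-algorithm-option",
             "hash-algorithm-option", "pfsgroup", "lifetime")


def parse_tunnel(xml_text):
    """Flatten one <ipsec><tunnel> stanza into a dict of its settings."""
    tun = ET.fromstring(xml_text).find("tunnel")
    cfg = {"disabled_tag": tun.find("disabled") is not None}
    local = tun.find("local-subnet")
    cfg["local-subnet"] = "" if local is None else (
        local.findtext("address") or local.findtext("network") or "").strip()
    cfg["remote-subnet"] = (tun.findtext("remote-subnet") or "").strip()
    cfg["remote-gateway"] = (tun.findtext("remote-gateway") or "").strip()
    for phase, fields in (("p1", P1_FIELDS), ("p2", P2_FIELDS)):
        for field in fields:
            cfg[f"{phase}.{field}"] = (tun.findtext(f"{phase}/{field}") or "").strip()
    # The PSK is compared byte-for-byte, so it is deliberately not stripped.
    cfg["psk"] = tun.findtext("p1/pre-shared-key") or ""
    # Leaf elements whose text carries leading/trailing whitespace.
    cfg["padded"] = sorted(el.tag for el in tun.iter()
                           if len(el) == 0 and el.text and el.text != el.text.strip())
    return cfg


def compare_tunnels(a, b):
    """Return human-readable findings for a pair of peer stanzas."""
    findings = []
    for side, cfg in (("A", a), ("B", b)):
        if cfg["disabled_tag"]:
            # Assumption: m0n0wall stores booleans as empty tags (<enable/>,
            # <blockpriv/>), so an empty <disabled/> would read as "disabled".
            findings.append(f"{side}: <disabled/> present in tunnel stanza, confirm the tunnel is enabled")
        for tag in cfg["padded"]:
            findings.append(f"{side}: <{tag}> value has leading/trailing whitespace")
        if cfg["local-subnet"].lower() == "lan":
            findings.append(f"{side}: local subnet is the keyword 'lan', try the explicit CIDR")
    for key in sorted(k for k in a if k.startswith(("p1.", "p2."))):
        if a[key] != b[key]:
            findings.append(f"{key} differs: A={a[key]!r} B={b[key]!r}")
    if a["psk"] != b["psk"]:
        findings.append("pre-shared keys differ (compared byte-for-byte)")
    if a["remote-subnet"] == b["remote-subnet"]:
        findings.append("both sides name the same remote subnet")
    return findings


def check_thread_configs():
    """Run the comparison over the two constructed stanzas above."""
    return compare_tunnels(parse_tunnel(GATEWAY_1), parse_tunnel(GATEWAY_2))


if __name__ == "__main__":
    for line in check_thread_configs():
        print(line)
```

Feed it the `<ipsec>` block from each side's config backup; whitespace is deliberately not stripped from the pre-shared key, since the peers compare the exact bytes, and the stripped comparison of the other fields keeps a padded value from also being reported as an algorithm mismatch.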
« Reply #10 on: February 08, 2014, 18:44:30 »
Lee Sharp *****
Posts: 517

Change your local subnet on both devices to be 10.1.1.0/24 and 172.16.168.0/24 as appropriate.  It may not be translating "LAN" in the expected way.

Also, your obfuscated  (Or not...  It would be a very secure key!) pre-shared-keys do not match.  I assume they do in real life, but check anyway.  Lastly, the lifetime on p2 is shorter than p1, and that is unusual.  Try setting both p1 and p2 to 28800 and see if it gets better.

Lastly, try turning off the p2 PFS Group.  This is to see if you are failing in p1 or p2.  (Although there are several commercial firewalls that default PFS to off anyway...)
« Reply #11 on: February 11, 2014, 01:35:16 »
pacneil *
Posts: 11

I presume when you recommend " try turning off the p2 PFS Group" you mean set it to AH, or is there another method you recommend. I configured it with AH and set the lifetime the same as Phase 1. Restarted IPSEC on both ends. Tunnel still not coming up. This is frustrating. I've set this up before and don't remember these problems. I don't see Phase 1 completing, in the logs. I've even been on the phone with both upstream providers to assure myself neither is blocking IPSEC. They both deny it.
« Reply #12 on: February 11, 2014, 20:48:56 »
Lee Sharp *****
Posts: 517

        <tunnel>
            <dpddelay/>
            <interface>wan</interface>
            <local-subnet>
                <address>192.168.64.0/23</address>
            </local-subnet>
            <remote-subnet>192.168.20.0/23</remote-subnet>
            <remote-gateway>gateway.realip.com</remote-gateway>
            <p1>
                <mode>aggressive</mode>
                <myident>
                    <myaddress/>
                </myident>
                <encryption-algorithm>blowfish</encryption-algorithm>
                <hash-algorithm>md5</hash-algorithm>
                <dhgroup>2</dhgroup>
                <lifetime>28800</lifetime>
                <pre-shared-key>xxxxx</pre-shared-key>
                <private-key/>
                <cert/>
                <peercert/>
                <authentication_method>pre_shared_key</authentication_method>
            </p1>
            <p2>
                <protocol>esp</protocol>
                <encryption-algorithm-option>blowfish</encryption-algorithm-option>
                <hash-algorithm-option>hmac_md5</hash-algorithm-option>
                <pfsgroup>0</pfsgroup>
                <lifetime>28800</lifetime>
            </p2>
            <descr>Bridge</descr>
« Reply #13 on: February 13, 2014, 19:51:04 »
pacneil *
Posts: 11

OK, I made all these settings changes with my network addresses. Still doesn't come up. And as I recall, there should be something in the logs on one or both machines saying it's trying to negotiate phase one. Is that correct? I don't see anything past

racoon: ERROR: such policy already exists. anyway replace it: 172.16.168.0/24[0] 10.1.1.0/24[0] proto=any dir=out

This isn't a fatal error is it?

I'm wondering why I never see attempts at phase 1 negotiation, fail or succeed.
« Reply #14 on: February 15, 2014, 07:02:03 »
Lee Sharp *****
Posts: 517

Disable VPN on both sides, and then start it.  The error you are seeing is the reconfigured tunnel trying to come up on an already partially up tunnel.

Second, and I should have asked this first...  Do you have a firewall rule allowing traffic on the IPsec link?