Topic: VPN client to site IPsec racoon: ERROR: such policy does not already exit
« on: November 24, 2014, 17:07:24 »
Grosminet *
Posts: 4

Hello,

I created a client-to-site IPsec VPN with the Shrew VPN Client V2.2.2 software (for information, I also used TheGreenBow and the problem is identical).

I followed the tutorial at https://www.shrew.net/support/Howto_m0n0wall
and this one: http://doc.m0n0.ch/handbook/faq-muvpn.html

The version of MonoWall is 1.34  built on Mon Nov 12 13:17:22 CET 2012
Platform Generic PC

The LAN IP of MonoWall is 192.168.0.1/24

The connection comes up fine, but in the MonoWall system logs I have the error message:

racoon: ERROR: such policy does not already exist: "192.168.0.170/32[0] 192.168.0.0/24[0] proto=any dir=in"
racoon: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.0.170/32[0] proto=any dir=out"

I manage to ping MonoWall but not the inside of the LAN.

In "IPsec diagnostics" on MonoWall, in the "SAD" tab, I have these values:

Source          Destination     Protocol   SPI        Enc. alg.   Auth. alg.
22.228.90.146   82.237.236.8    ESP        5863a4ff   3des-cbc    hmac-sha1
82.237.236.8    22.228.90.146   ESP        0db808c7   3des-cbc    hmac-sha1

In "IPsec diagnostics" on MonoWall, in the "SPD" tab, I have these values:

Source           Destination      Direction   Protocol   Tunnel endpoint
192.168.0.170    192.168.0.0/24   ->          ESP        82.237.236.8 - 22.228.90.146
192.168.0.0/24   192.168.0.170    <-          ESP        22.228.90.146 - 82.237.236.8

In "Firewall: Rules" I opened the required ports in the "WAN" tab:

Proto   Source   Port   Destination   Port   Description
UDP     *        *      WAN address   500    IPSEV ESP IKE
UDP     *        *      WAN address   4500   IPSEC ESP NAT-T
ESP     *        *      WAN address   *      IPsec ESP

« Reply #1 on: November 26, 2014, 00:11:45 »
Lee Sharp *****
Posts: 517

Is your remote subnet the same as your LAN subnet?  That will never work...

« Reply #2 on: November 27, 2014, 15:32:45 »
Grosminet *
Posts: 4

Hello,

Thank you for the answer.

The problem is identical with another address. For example here, I configured Shrew VPN to use the PC's current LAN address, which is 192.168.52.10.

Here is what the system logs report:

racoon: ERROR: such policy does not already exist: "192.168.52.10/32[0] 192.168.0.0/24[0] proto=any dir=in"
racoon: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.52.10/32[0] proto=any dir=out"

The VPN connects fine and I can ping MonoWall, but not my LAN.

In "IPsec diagnostics" on MonoWall, in the "SAD" tab, I have these values:

Source          Destination     Protocol   SPI        Enc. alg.   Auth. alg.
22.228.90.146   82.237.236.8    ESP        71e49b46   3des-cbc    hmac-sha1
82.237.236.8    22.228.90.146   ESP        0eeff9fd   3des-cbc    hmac-sha1

In "IPsec diagnostics" on MonoWall, in the "SPD" tab, I have these values:

Source           Destination      Direction   Protocol   Tunnel endpoint
192.168.52.10    192.168.0.0/24   ->          ESP        82.237.236.8 - 22.228.90.146
192.168.0.0/24   192.168.52.10    <-          ESP        22.228.90.146 - 82.237.236.8

I do not see where the problem comes from.
What needs to be modified to solve the problem?

Thank you,

Sébastien
« Reply #3 on: November 27, 2014, 23:05:07 »
Lee Sharp *****
Posts: 517

For it to work, the subnets must not overlap.  There may be other problems as well, but the subnets must not overlap, or you will not route.
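Editor's note, added after the thread (this is not Lee Sharp's or the original poster's code, nor anything shipped with m0n0wall or racoon): the overlap rule in the reply above can be checked mechanically from the very log lines the poster quoted. The script below parses racoon's "such policy does not already exist" errors, picks out the remote (client) selector from each (racoon prints `dir=in` policies as remote -> local and `dir=out` as local -> remote), and tests whether that selector overlaps the firewall's LAN network. The four log lines embedded in it are copied from the two posts above; the LAN prefix 192.168.0.0/24 is the one the poster states. It shows that the first client address (192.168.0.170) does overlap the LAN, while the second (192.168.52.10) does not, which is consistent with Lee Sharp's remark that other problems may remain once overlap is ruled out.

```python
import ipaddress
import re

# Constructed sample input: the four racoon error lines quoted in this thread.
SAMPLE_LOG = """\
racoon: ERROR: such policy does not already exist: "192.168.0.170/32[0] 192.168.0.0/24[0] proto=any dir=in"
racoon: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.0.170/32[0] proto=any dir=out"
racoon: ERROR: such policy does not already exist: "192.168.52.10/32[0] 192.168.0.0/24[0] proto=any dir=in"
racoon: ERROR: such policy does not already exist: "192.168.0.0/24[0] 192.168.52.10/32[0] proto=any dir=out"
"""

# Matches the selector pair racoon prints: "<src>/<len>[port] <dst>/<len>[port] proto=... dir=in|out"
POLICY_RE = re.compile(
    r'such policy does not already exist: '
    r'"(?P<src>[\d.]+/\d+)\[\d+\] (?P<dst>[\d.]+/\d+)\[\d+\] proto=(?P<proto>\S+) dir=(?P<dir>in|out)"'
)


def parse_policies(log_text):
    """Return (src_net, dst_net, direction) tuples for every racoon policy error in log_text."""
    policies = []
    for line in log_text.splitlines():
        m = POLICY_RE.search(line)
        if not m:
            continue  # not a policy error line; ignore it
        src = ipaddress.ip_network(m.group("src"), strict=False)
        dst = ipaddress.ip_network(m.group("dst"), strict=False)
        policies.append((src, dst, m.group("dir")))
    return policies


def remote_selectors(policies):
    """Collect the remote-side selector of each policy.

    For an inbound policy the remote side is the source; for an outbound
    policy it is the destination (assumption about racoon's log format,
    consistent with the lines quoted in the thread).
    """
    remotes = set()
    for src, dst, direction in policies:
        remotes.add(src if direction == "in" else dst)
    return remotes


def overlap_report(lan_cidr, log_text):
    """Map each remote selector (as a string) to True if it overlaps the LAN network."""
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return {str(remote): remote.overlaps(lan) for remote in remote_selectors(parse_policies(log_text))}


if __name__ == "__main__":
    for remote, clashes in sorted(overlap_report("192.168.0.0/24", SAMPLE_LOG).items()):
        verdict = "OVERLAPS the LAN - change the client address/subnet" if clashes else "does not overlap the LAN"
        print(f"{remote}: {verdict}")
```

Run it as-is to see the two verdicts; on a real box, feed it the racoon lines from the m0n0wall system log and the LAN prefix from the interface configuration. A selector flagged as overlapping will never route through the tunnel no matter how the SAD and SPD look, so it is the first thing to eliminate before looking at firewall rules or the client's policy settings.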