Topic: mono-mono IPSec over PPPoE
« on: August 29, 2007, 14:01:18 »
PlazmaGoD *
Posts: 6

Two m0n0walls (1.3b4) don't create a VPN connection. Both of them have an Internet connection over PPPoE. Here is the IPsec configuration:

first-router
  • Mode: Tunnel 
  • Interface:  WAN
  • NAT-T:  (Enabled)
  • Local subnet Type: LAN subnet
  • Remote subnet:  192.168.4.0 /24
  • Remote gateway: 10.51.xx.xx
  • Phase 1 proposal (Authentication)
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Encryption algorithm: Blowfish
  • Hash algorithm: SHA1
  • DH key group: 2
  • Authentication method: Pre-shared key
  • Pre-Shared Key: f00m0nk3y@BubbaLand
  • Phase 2 proposal (SA/Key Exchange)
  • Protocol:  ESP
  • Encryption algorithms: Blowfish
  • Hash algorithms: SHA1
  • PFS key group: 2

second-router
  • Mode: Tunnel 
  • Interface:  WAN
  • NAT-T:  (Enabled)
  • Local subnet Type: LAN subnet
  • Remote subnet:  192.168.1.0 /24
  • Remote gateway: 85.13.xx.xx
  • Phase 1 proposal (Authentication)
  • Negotiation mode: aggressive
  • My identifier: My IP address
  • Encryption algorithm: Blowfish
  • Hash algorithm: SHA1
  • DH key group: 2
  • Authentication method: Pre-shared key
  • Pre-Shared Key: f00m0nk3y@BubbaLand
  • Phase 2 proposal (SA/Key Exchange)
  • Protocol:  ESP
  • Encryption algorithms: Blowfish
  • Hash algorithms: SHA1
  • PFS key group: 2

Logs
first-router
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.4.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.222/32[0] 192.168.1.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.1.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.222/32[0] proto=any dir=in
racoon: INFO: 192.168.1.222[4500] used for NAT-T
racoon: INFO: 192.168.1.222[4500] used as isakmp port (fd=13)
racoon: INFO: 192.168.1.222[500] used for NAT-T
racoon: INFO: 192.168.1.222[500] used as isakmp port (fd=12)
racoon: INFO: 127.0.0.1[4500] used for NAT-T
racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=11)
racoon: INFO: 127.0.0.1[500] used for NAT-T
racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
racoon: INFO: 85.13.xx.xx[4500] used for NAT-T
racoon: INFO: 85.13.xx.xx[4500] used as isakmp port (fd=9)
racoon: INFO: 85.13.xx.xx[500] used for NAT-T
racoon: INFO: 85.13.xx.xx[500] used as isakmp port (fd=8)
racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
racoon: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
racoon: INFO: racoon shutdown
racoon: INFO: caught signal 15

second-router
racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.1.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.250/32[0] 192.168.4.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.4.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.4.250/32[0] proto=any dir=in
racoon: INFO: 192.168.4.250[4500] used for NAT-T
racoon: INFO: 192.168.4.250[4500] used as isakmp port (fd=13)
racoon: INFO: 192.168.4.250[500] used for NAT-T
racoon: INFO: 192.168.4.250[500] used as isakmp port (fd=12)
racoon: INFO: 127.0.0.1[4500] used for NAT-T
racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=11)
racoon: INFO: 127.0.0.1[500] used for NAT-T
racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
racoon: INFO: 10.51.xx.xx[4500] used for NAT-T
racoon: INFO: 10.51.xx.xx[4500] used as isakmp port (fd=9)
racoon: INFO: 10.51.xx.xx[500] used for NAT-T
racoon: INFO: 10.51.xx.xx[500] used as isakmp port (fd=8)
racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
racoon: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
racoon: INFO: racoon shutdown
racoon: INFO: caught signal 15

So as a result there are no IPsec security associations. Where is my fault?
Schema included in the message..


* schema.png (25.07 KB, 705x278)
« Reply #1 on: September 02, 2007, 10:43:20 »
cmb *****
Posts: 851

That 10.51.x.x is a private IP address; you can't communicate with that over the Internet. If that's what you're getting, your ISP is NATing you somewhere and you won't be able to directly connect to that system, hence IPsec isn't going to work.
« Reply #2 on: September 03, 2007, 06:30:02 »
PlazmaGoD *
Posts: 6

Great, thanks! Sometimes I have trouble with my brain...
« Reply #3 on: September 04, 2007, 22:21:42 »
billmakr *
Posts: 11

In the My Identifier field, change to Domain name and enter a name.net. This name.net can be anything you want. This will fix it. Do this on both sides and make the two monos' name.net different.
« Reply #4 on: September 05, 2007, 05:42:59 »
PlazmaGoD *
Posts: 6

Thank you billmakr! I'll try it!
« Reply #5 on: September 10, 2007, 08:34:44 »
PlazmaGoD *
Posts: 6

So I have changed my configuration:

first-router
  • Mode: Tunnel
  • Interface:  WAN
  • NAT-T:  (Enabled)
  • Local subnet Type: LAN subnet
  • Remote subnet:  192.168.4.0 /24
  • Remote gateway: 10.51.xx.xx
  • Phase 1 proposal (Authentication)
  • Negotiation mode: aggressive
  • My identifier: Domain Name (office-router.corben.corp)
  • Encryption algorithm: Blowfish
  • Hash algorithm: SHA1
  • DH key group: 2
  • Authentication method: Pre-shared key
  • Pre-Shared Key: f00m0nk3y@BubbaLand
  • Phase 2 proposal (SA/Key Exchange)
  • Protocol:  ESP
  • Encryption algorithms: Blowfish
  • Hash algorithms: SHA1
  • PFS key group: 2

second-router
  • Mode: Tunnel
  • Interface:  WAN
  • NAT-T:  (Enabled)
  • Local subnet Type: LAN subnet
  • Remote subnet:  192.168.1.0 /24
  • Remote gateway: 10.52.xx.xx
  • Phase 1 proposal (Authentication)
  • Negotiation mode: aggressive
  • My identifier: Domain Name (ns-router.corben.corp)
  • Encryption algorithm: Blowfish
  • Hash algorithm: SHA1
  • DH key group: 2
  • Authentication method: Pre-shared key
  • Pre-Shared Key: f00m0nk3y@BubbaLand
  • Phase 2 proposal (SA/Key Exchange)
  • Protocol:  ESP
  • Encryption algorithms: Blowfish
  • Hash algorithms: SHA1
  • PFS key group: 2

first router's log
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.4.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.222/32[0] 192.168.1.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.1.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.222/32[0] proto=any dir=in
racoon: INFO: 192.168.1.222[500] used for NAT-T
racoon: INFO: 192.168.1.222[500] used as isakmp port (fd=10)
racoon: INFO: 127.0.0.1[500] used for NAT-T
racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
racoon: INFO: 10.52.xx.xx[500] used for NAT-T
racoon: INFO: 10.52.xx.xx[500] used as isakmp port (fd=8)
racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
racoon: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
racoon: INFO: racoon shutdown
racoon: INFO: caught signal 15

second router's log
racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.1.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.250/32[0] 192.168.4.0/24[0] proto=any dir=out
racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.4.0/24[0] proto=any dir=in
racoon: ERROR: such policy already exists. anyway replace it: 192.168.4.0/24[0] 192.168.4.250/32[0] proto=any dir=in
racoon: INFO: 192.168.4.250[500] used for NAT-T
racoon: INFO: 192.168.4.250[500] used as isakmp port (fd=10)
racoon: INFO: 127.0.0.1[500] used for NAT-T
racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=9)
racoon: INFO: 10.51.xx.xx[500] used for NAT-T
racoon: INFO: 10.51.xx.xx[500] used as isakmp port (fd=8)
racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
racoon: INFO: @(#)ipsec-tools 0.6.7 (http://ipsec-tools.sourceforge.net)
racoon: INFO: racoon shutdown
racoon: INFO: caught signal 15

So there is no IPsec... :(


* schema.png (12.08 KB, 705x278)
« Reply #6 on: January 22, 2008, 18:56:18 »
naldo *
Posts: 3

Hello PlazmaGoD, did you solve this problem?
« Reply #7 on: January 23, 2008, 07:04:50 »
PlazmaGoD *
Posts: 6

No, I could not do that with m0n0... The easiest way I found was a configuration of full BSD..
« Reply #8 on: January 24, 2008, 00:30:39 »
naldo *
Posts: 3

Do you think this is because of a PPPoE type connection?
« Reply #9 on: January 24, 2008, 08:27:38 »
PlazmaGoD *
Posts: 6

Maybe.. I will be waiting for the next release...
« Reply #10 on: January 26, 2008, 21:08:31 »
naldo *
Posts: 3

I am keeping working on that and, if I find any solution, I'll tell you ...