pfSense to m0n0wall VPN / Newbie to VPNs



  • Two of my friends and I are trying to set up a three-way VPN.  They are running m0n0wall.  I'm running pfSense.  We are seeing the following errors in the IPsec log.  Has anyone seen a problem like this and can point me in the right direction?

    Jan 10 21:57:50 racoon: ERROR: phase1 negotiation failed due to time up. 0cb690fac74420d7:58a2314d483daadd
    Jan 10 21:57:40 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:57:39 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:57:39 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
    Jan 10 21:57:30 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:57:30 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:57:30 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
    Jan 10 21:57:20 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:57:19 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:57:19 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
    Jan 10 21:57:10 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:57:10 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:57:09 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
    Jan 10 21:57:00 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:56:59 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:56:59 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
    Jan 10 21:56:50 racoon: ERROR: ignore information because ISAKMP-SA has not been established yet.
    Jan 10 21:56:50 racoon: WARNING: No ID match.
    Jan 10 21:56:50 racoon: INFO: received Vendor ID: DPD
    Jan 10 21:56:50 racoon: INFO: begin Aggressive mode.
    Jan 10 21:56:50 racoon: INFO: respond new phase 1 negotiation: 70.189.74.26[500]<=>69.30.171.51[500]

    IPsec config:

    <ipsec>
      <preferredoldsa/>
      <enable/>
      <tunnel>
        <interface>wan</interface>
        <local-subnet>
          <address>192.168.4.0/22</address>
        </local-subnet>
        <remote-subnet>10.0.0.0/8</remote-subnet>
        <remote-gateway>68.97.171.10</remote-gateway>
        <p1>
          <mode>aggressive</mode>
          <myident>
            <fqdn>theharrises.homeip.net</fqdn>
          </myident>
          <encryption-algorithm>blowfish</encryption-algorithm>
          <hash-algorithm>md5</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key>bob</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>blowfish</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <hash-algorithm-option>hmac_md5</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>28800</lifetime>
        </p2>
        <descr>Justin's Network</descr>
      </tunnel>
      <tunnel>
        <interface>wan</interface>
        <local-subnet>
          <address>192.168.4.0/22</address>
        </local-subnet>
        <remote-subnet>192.168.1.0/24</remote-subnet>
        <remote-gateway>69.30.171.51</remote-gateway>
        <p1>
          <mode>aggressive</mode>
          <myident>
            <fqdn>theharrises.homeip.net</fqdn>
          </myident>
          <encryption-algorithm>blowfish</encryption-algorithm>
          <hash-algorithm>md5</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>28800</lifetime>
          <pre-shared-key>thisneedstoworknow</pre-shared-key>
          <private-key/>
          <cert/>
          <peercert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>blowfish</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <hash-algorithm-option>hmac_md5</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>28800</lifetime>
        </p2>
        <descr>Pope's Network</descr>
      </tunnel>
      <mobilekey>
        <ident>painter.homeip.net</ident>
        <pre-shared-key>dirt_bikes_rule</pre-shared-key>
      </mobilekey>
      <mobilekey>
        <ident>jpope.homeip.net</ident>
        <pre-shared-key>dirt_bikes_rule</pre-shared-key>
      </mobilekey>
      <mobileclients>
        <p1>
          <mode>aggressive</mode>
          <myident>
            <fqdn>theharrises.homeip.net</fqdn>
          </myident>
          <encryption-algorithm>blowfish</encryption-algorithm>
          <hash-algorithm>sha1</hash-algorithm>
          <dhgroup>2</dhgroup>
          <lifetime>28800</lifetime>
          <private-key/>
          <cert/>
          <authentication_method>pre_shared_key</authentication_method>
        </p1>
        <p2>
          <protocol>esp</protocol>
          <encryption-algorithm-option>blowfish</encryption-algorithm-option>
          <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
          <pfsgroup>2</pfsgroup>
          <lifetime>28800</lifetime>
        </p2>
      </mobileclients>
    </ipsec>


  • Phase one fails for some reason. I guess you have static IPs on WAN, so just try the IP addresses as identifiers. FQDN only works if it is configured correctly on the other end. I can confirm that m0n0wall-pfSense tunnels are working without issues. Already tested that.
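To make the reply's diagnosis checkable against the post above, here is an added Python example (not from the thread or from pfSense): for each phase 1 exchange in a racoon log that ended in a timeout, it looks up the `<tunnel>` whose `remote-gateway` matches the peer and reports which identifier that tunnel sends, so a "No ID match" can be compared with what the other end has configured. The log and config excerpts are constructed from the post (log reordered oldest-first, config trimmed to the elements read); the symptom labels and function names are my own.

```python
import re
import xml.etree.ElementTree as ET
# Constructed from the post above: racoon log reordered oldest-first, config trimmed to what is read.
RACOON_LOG = """\
Jan 10 21:56:50 racoon: INFO: respond new phase 1 negotiation: 70.189.74.26[500]<=>69.30.171.51[500]
Jan 10 21:56:50 racoon: WARNING: No ID match.
Jan 10 21:56:59 racoon: NOTIFY: the packet is retransmitted by 69.30.171.51[500].
Jan 10 21:57:50 racoon: ERROR: phase1 negotiation failed due to time up. 0cb690fac74420d7:58a2314d483daadd
"""
IPSEC_CONFIG = """\
<ipsec>
  <tunnel><remote-gateway>68.97.171.10</remote-gateway><descr>Justin's Network</descr>
    <p1><mode>aggressive</mode><myident><fqdn>theharrises.homeip.net</fqdn></myident></p1></tunnel>
  <tunnel><remote-gateway>69.30.171.51</remote-gateway><descr>Pope's Network</descr>
    <p1><mode>aggressive</mode><myident><fqdn>theharrises.homeip.net</fqdn></myident></p1></tunnel>
</ipsec>
"""
PEER_RE = re.compile(r"phase 1 negotiation: \S+<=>(\d+(?:\.\d+){3})\[")  # peer side of "me[500]<=>peer[500]"

def failed_phase1_peers(log_text):
    """Return {peer IP: symptoms} for every phase 1 exchange that ended in a timeout."""
    symptoms, peer = {}, None
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if m:                                   # a new phase 1 exchange begins
            peer = m.group(1)
            symptoms.setdefault(peer, set())
        elif peer and "No ID match" in line:    # peer's ID payload matched nothing we expect
            symptoms[peer].add("no-id-match")
        elif peer and "phase1 negotiation failed" in line:
            symptoms[peer].add("timeout")
    return {p: s for p, s in symptoms.items() if "timeout" in s}

def identifier_hints(log_text, config_xml):
    """Correlate each failed peer with the identifier its <tunnel> sends in phase 1."""
    tunnels = {t.findtext("remote-gateway"): t for t in ET.fromstring(config_xml).iter("tunnel")}
    hints = {}
    for peer, symptoms in failed_phase1_peers(log_text).items():
        t = tunnels.get(peer)
        if t is None:
            hints[peer] = "phase 1 timed out but no <tunnel> has this remote-gateway"
            continue
        myident = t.find("p1/myident")  # one child such as <fqdn>; absent means the WAN address is sent
        ident = f"{myident[0].tag} '{myident[0].text}'" if myident is not None and len(myident) else "the WAN address"
        descr = f"{t.findtext('descr')} ({t.findtext('p1/mode')} mode)"
        hints[peer] = f"{descr}: phase 1 timed out with no ID mismatch logged"
        if "no-id-match" in symptoms:
            hints[peer] = (f"{descr}: my identifier is {ident}; the peer must be configured to expect "
                           f"exactly that, or both ends should identify by WAN IP address")
    return hints
```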

