Netgate Discussion Forum

    Ipsec vpn

      mrcola

      Hi

      I have to admit I am using M0N0wall at both ends, but just would like to see if anyone has experienced the same thing. Thanks

      I have got an IPsec VPN set up between two m0n0walls. It ended up with ping only, but I cannot access any other things.

      Local LAN 192.168.50.0/24, default gateway 192.168.50.2
      Remote LAN 192.168.60.0/24 default gateway 192.168.60.2

      I can ping IPs on the remote LAN, and can access the remote m0n0 (192.168.60.2) via the web GUI.

      IPsec logs
      Jun 27 23:07:16    racoon: INFO: IPsec-SA established: ESP/Tunnel 87.127.X.X[500]->180.154.X.X[500] spi=229355714(0xdabb0c2)
      Jun 27 23:07:16    racoon: INFO: IPsec-SA established: ESP/Tunnel 180.154.X.X[0]->87.127.X.X[0] spi=180456609(0xac18ca1)
      Jun 27 23:07:15    racoon: INFO: respond new phase 2 negotiation: 87.127.X.X[500]<=>180.154.X.X[500]
      Jun 27 23:07:15    racoon: INFO: purging spi=118498215.
      Jun 27 23:07:15    racoon: INFO: ISAKMP-SA established 87.127.X.X[500]-180.154.X.X[500] spi:3f884f9617055081:93690d36d00a29aa
      Jun 27 23:07:14    racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Jun 27 23:07:14    racoon: INFO: received Vendor ID: DPD
      Jun 27 23:07:14    racoon: INFO: begin Aggressive mode.
      Jun 27 23:07:14    racoon: INFO: respond new phase 1 negotiation: 87.127.X.X[500]<=>180.154.X.X[500]
      Jun 27 23:07:10    racoon: INFO: purged IPsec-SA proto_id=ESP spi=238907307.
      Jun 27 23:07:05    racoon: INFO: IPsec-SA established: ESP/Tunnel 87.127.X.X[500]->180.154.X.X[500] spi=238907307(0xe3d6fab)
      Jun 27 23:07:05    racoon: INFO: IPsec-SA established: ESP/Tunnel 180.154.X.X[0]->87.127.X.X[0] spi=118498215(0x71023a7)
      Jun 27 23:07:05    racoon: INFO: initiate new phase 2 negotiation: 87.127.X.X[500]<=>180.154.X.X[500]
      Jun 27 23:07:05    racoon: INFO: ISAKMP-SA established 87.127.X.X[500]-180.154.X.X[500] spi:a0cdb8ebf83d8cfb:17afdbd6ea0a6b82
      Jun 27 23:07:05    racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
      Jun 27 23:07:05    racoon: INFO: received Vendor ID: DPD
      Jun 27 23:07:03    racoon: INFO: begin Aggressive mode.
      Jun 27 23:07:03    racoon: INFO: initiate new phase 1 negotiation: 87.127.X.X[500]<=>180.154.X.X[500]
      Jun 27 23:07:03    racoon: INFO: IPsec-SA request for 180.154.X.X queued due to no phase1 found.
      Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.60.0/24[0] proto=any dir=out
      Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.2/32[0] 192.168.50.0/24[0] proto=any dir=out
      Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.60.0/24[0] 192.168.50.0/24[0] proto=any dir=in
      Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.50.2/32[0] proto=any dir=in
      Jun 27 23:07:02    racoon: INFO: 192.168.50.2[500] used for NAT-T
      Jun 27 23:07:02    racoon: INFO: 192.168.50.2[500] used as isakmp port (fd=15)
      Jun 27 23:07:02    racoon: INFO: fe80::215:5dff:fe32:a20%de0[500] used as isakmp port (fd=14)
      Jun 27 23:07:02    racoon: INFO: fe80::215:5dff:fe32:a21%de1[500] used as isakmp port (fd=13)
      Jun 27 23:07:02    racoon: INFO: 127.0.0.1[500] used for NAT-T
      Jun 27 23:07:02    racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
      Jun 27 23:07:02    racoon: INFO: ::1[500] used as isakmp port (fd=11)
      Jun 27 23:07:02    racoon: INFO: fe80::1%lo0[500] used as isakmp port (fd=10)
      Jun 27 23:07:02    racoon: INFO: fe80::215:5dff:fe32:a20%ng0[500] used as isakmp port (fd=9)
      Jun 27 23:07:02    racoon: INFO: 87.127.X.X[500] used for NAT-T
      Jun 27 23:07:02    racoon: INFO: 87.127.X.X[500] used as isakmp port (fd=8)
      Jun 27 23:07:02    racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
      Jun 27 23:07:02    racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
      Jun 27 23:07:02    racoon: INFO: @(#)ipsec-tools 0.7.3 (http://ipsec-tools.sourceforge.net)

      Both settings are almost identical apart from the remote subnet and remote gateway.

      Phase 1
      Negotiation mode  Aggressive (tried both)
      Encryption algorithm 3DES
      Hash algorithm SHA1
      DH key group 5 (tried 2 as well)
      Authentication method pre-shared key

      Phase 2
      Protocol ESP
      Encryption algorithms 3DES
      Hash algorithms md5
      PFS key group off
      Lifetime 14400

      Please help

      Thanks

      Regards RW

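      The log above shows the part of the picture that IKE can show: phase 1 (ISAKMP-SA) and phase 2 (IPsec-SA, one ESP SA per direction) are both established, the NOTIFY about the PSK lookup is followed by a successful phase 1, and the "such policy already exists" ERRORs are racoon re-installing its SPD entries at start. When the log looks like this, the tunnel itself is up and a "ping works but nothing else does" symptom has to be chased beyond IKE (SPD selectors, firewall rules, routing on the hosts). The following triage script is an added example, not part of the post and not m0n0wall's or ipsec-tools' own code; it parses racoon log lines into that state and returns a verdict. The sample lines are constructed from the excerpt in the post (addresses masked as there, the "failed to get sainfo." line added to show a phase 2 failure), and the `EXPECTED_NOISE` list is this example's own heuristic.

```python
"""Triage a racoon (ipsec-tools) log excerpt: is the fault in IKE, or beyond it?"""
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the racoon lines in the post (addresses masked as in the post).
SAMPLE_LOG = """\
Jun 27 23:07:16    racoon: INFO: IPsec-SA established: ESP/Tunnel 87.127.X.X[500]->180.154.X.X[500] spi=229355714(0xdabb0c2)
Jun 27 23:07:16    racoon: INFO: IPsec-SA established: ESP/Tunnel 180.154.X.X[0]->87.127.X.X[0] spi=180456609(0xac18ca1)
Jun 27 23:07:15    racoon: INFO: respond new phase 2 negotiation: 87.127.X.X[500]<=>180.154.X.X[500]
Jun 27 23:07:15    racoon: INFO: ISAKMP-SA established 87.127.X.X[500]-180.154.X.X[500] spi:3f884f9617055081:93690d36d00a29aa
Jun 27 23:07:14    racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jun 27 23:07:14    racoon: INFO: begin Aggressive mode.
Jun 27 23:07:02    racoon: ERROR: such policy already exists. anyway replace it: 192.168.50.0/24[0] 192.168.60.0/24[0] proto=any dir=out
"""

# Constructed counter-example: phase 1 completes, phase 2 never yields an ESP SA.
PHASE2_FAIL_LOG = """\
Jun 27 23:07:05    racoon: INFO: ISAKMP-SA established 87.127.X.X[500]-180.154.X.X[500] spi:a0cdb8ebf83d8cfb:17afdbd6ea0a6b82
Jun 27 23:07:06    racoon: ERROR: failed to get sainfo.
"""

LEVEL_RE = re.compile(r"racoon: (INFO|NOTIFY|WARNING|ERROR): (.*)$")
ISAKMP_RE = re.compile(r"ISAKMP-SA established ([^\s\[]+)\[\d+\]-([^\s\[]+)\[\d+\]")
ESP_RE = re.compile(r"ESP/Tunnel ([^\s\[]+)\[\d+\]->([^\s\[]+)\[\d+\] spi=(\d+)")

# Messages racoon emits routinely that do not by themselves mean the tunnel is broken.
# This list is the example's own heuristic (an assumption), not something the post states.
EXPECTED_NOISE = (
    "such policy already exists",       # SPD entry re-installed on (re)start
    "couldn't find the proper pskey",   # PSK looked up by ID first, then by peer address
)


@dataclass
class Triage:
    isakmp_peers: set = field(default_factory=set)   # (local, remote) pairs with phase 1 up
    esp_sas: list = field(default_factory=list)      # (src, dst, spi) phase 2 SAs seen
    aggressive_mode: bool = False                    # phase 1 ran in aggressive mode
    unexpected: list = field(default_factory=list)   # ERROR/NOTIFY/WARNING lines not in EXPECTED_NOISE

    def esp_bidirectional(self) -> bool:
        """True when an inbound and an outbound ESP SA exist for the same peer pair."""
        dirs = {(s, d) for s, d, _ in self.esp_sas}
        return any((d, s) in dirs for s, d in dirs)

    def verdict(self) -> str:
        if self.esp_bidirectional():
            return "ike-ok"           # tunnel is up; look at SPD selectors, rules, host routing
        if self.isakmp_peers:
            return "phase2-failing"   # phase 1 up, but no usable ESP SA pair
        return "phase1-failing"       # no ISAKMP-SA at all


def triage_racoon_log(text: str) -> Triage:
    """Fold racoon log lines (any order) into a Triage summary."""
    t = Triage()
    for line in text.splitlines():
        m = LEVEL_RE.search(line)
        if not m:
            continue  # not a racoon message (other daemons, blank lines)
        level, msg = m.groups()
        if "begin Aggressive mode" in msg:
            t.aggressive_mode = True
        if (mm := ISAKMP_RE.search(msg)):
            t.isakmp_peers.add(mm.groups())
        if (mm := ESP_RE.search(msg)):
            src, dst, spi = mm.groups()
            t.esp_sas.append((src, dst, int(spi)))
        if level != "INFO" and not any(noise in msg for noise in EXPECTED_NOISE):
            t.unexpected.append(msg)
    return t


if __name__ == "__main__":
    for name, log in (("post excerpt", SAMPLE_LOG), ("phase 2 failure", PHASE2_FAIL_LOG)):
        r = triage_racoon_log(log)
        print(f"{name}: verdict={r.verdict()} aggressive={r.aggressive_mode} "
              f"esp_sas={len(r.esp_sas)} unexpected={r.unexpected}")
```

      Run against the post's excerpt the verdict is `ike-ok`, which is consistent with how the thread ends: the SAs were fine and the remaining fault was host routing on the remote LAN. The script also records whether phase 1 used aggressive mode, since that is one of the settings listed below and worth knowing when reviewing a tunnel's configuration.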
        mrcola

        Problem solved

        Some of the remote IPs I tested do not have a default gateway set up.

        Easy as that!!!

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.