[VPN] m0n0 => m0n0 IPsec behind NAT

I am now using 1.3b18 on both m0n0s.
One of the m0n0s is behind a Debian firewall.
I just keep failing to link up the 2 m0n0s.

Site 1:  Outside IP: ***.92.99.3/24
           Outside Gateway:  ***.92.99.1
           Inside IP: 192.168.1.0/24

Site 2:  Outside IP: 218.188.2.19/(unknown subnet)
           Outside Gateway:  unknown (is it necessary?)
           IP between m0n0/debian:  10.128.70.15/21
           Outside Gateway:  10.128.64.2
           Inside IP: 192.168.2.0/24

Site1
Interface : WAN
Local Subnet : Type : LAN Subnet
Remote Subnet :192.168.2.0/24
Remote Gateway : 218.188.2.19
Description : VPN FW 2

Phase1 proposal
Negotiation mode : aggressive
My identifier : My IP address
Encryption algorithm :3DES
Hash algorithm : SHA1
DH key group : 2
Lifetime : 28800
Authentication method : Pre-shared key
Pre-Shared Key : password

Phase 2 proposal (SA/Key Exchange)
Protocol : ESP

Encryption algorithms :
3DES
Blowfish
CAST128
Rijndael (AES)

Hash algorithms :
SHA1
MD5

PFS key group : 2
Lifetime : 28800

===============================

Site2
Interface : WAN
Local Subnet : Type : LAN Subnet
Remote Subnet : 192.168.1.0/24
Remote Gateway : ***.92.99.3
Description : VPN FW 1

Phase1 proposal
Negotiation mode : aggressive
My identifier : My IP address
Encryption algorithm :3DES
Hash algorithm : SHA1
DH key group : 2
Lifetime : 28800
Authentication method : Pre-shared key
Pre-Shared Key : password

Phase 2 proposal (SA/Key Exchange)
Protocol : ESP

Encryption algorithms :
3DES
Blowfish
CAST128
Rijndael (AES)

Hash algorithms :
SHA1
MD5

PFS key group : 2
Lifetime : 28800

==========================

Site1
Diagnostics: IPsec

    * SAD
No IPsec security associations.

    * SPD
Source    Destination    Direction    Protocol    Tunnel endpoints   
192.168.2.0/24    192.168.1.0/24       ESP    218.188.2.19 -***.92.99.3
192.168.1.0/24    192.168.2.0/24       ESP    ***.92.99.3 -218.188.2.19

Site2
Diagnostics: IPsec

    * SAD
No IPsec security associations.

    * SPD
Source    Destination    Direction    Protocol    Tunnel endpoints   
192.168.1.0/24    192.168.2.0/24       ESP    ***.92.99.3 -10.128.70.15
192.168.2.0/24    192.168.1.0/24       ESP    10.128.70.15 -***.92.99.3

(Is anything wrong with the IPs?)

================================================
ERROR LOGs

Site1
Sep 3 16:43:39    racoon: ERROR: phase1 negotiation failed due to time up. f3b28eabc6a275cb:0000000000000000
Sep 3 16:43:20    racoon: INFO: delete phase 2 handler.
Sep 3 16:43:20    racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 218.188.2.19[0]->61.92.99.3[0]
Sep 3 16:42:49    racoon: INFO: begin Aggressive mode.
Sep 3 16:42:49    racoon: INFO: initiate new phase 1 negotiation: 61.92.99.3[500]<=>218.188.2.19[500]
Sep 3 16:42:49    racoon: INFO: IPsec-SA request for 218.188.2.19 queued due to no phase1 found.
Sep 3 16:40:49    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=out
Sep 3 16:40:49    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.1/32[0] 192.168.1.0/24[0] proto=any dir=out
Sep 3 16:40:49    racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=in
Sep 3 16:40:48    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.1.1/32[0] proto=any dir=in
Sep 3 16:40:48    racoon: INFO: 61.92.99.3[4500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: 61.92.99.3[4500] used as isakmp port (fd=13)
Sep 3 16:40:48    racoon: INFO: 61.92.99.3[500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: 61.92.99.3[500] used as isakmp port (fd=12)
Sep 3 16:40:48    racoon: INFO: 192.168.1.1[4500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: 192.168.1.1[4500] used as isakmp port (fd=11)
Sep 3 16:40:48    racoon: INFO: 192.168.1.1[500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: 192.168.1.1[500] used as isakmp port (fd=10)
Sep 3 16:40:48    racoon: INFO: 127.0.0.1[4500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=9)
Sep 3 16:40:48    racoon: INFO: 127.0.0.1[500] used for NAT-T
Sep 3 16:40:48    racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Sep 3 16:40:48    racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Sep 3 16:40:48    racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Sep 3 16:40:48    racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Sep 3 16:40:48    racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Sep 3 16:40:47    racoon: INFO: racoon shutdown
Sep 3 16:40:46    racoon: INFO: caught signal 15

----------------------------------------
Site2
Sep 3 16:43:55    racoon: ERROR: phase1 negotiation failed due to time up. 85a92cd4c2249058:0000000000000000
Sep 3 16:43:36    racoon: INFO: delete phase 2 handler.
Sep 3 16:43:36    racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 61.92.99.3[0]->10.128.70.15[0]
Sep 3 16:43:04    racoon: INFO: begin Aggressive mode.
Sep 3 16:43:04    racoon: INFO: initiate new phase 1 negotiation: 10.128.70.15[500]<=>61.92.99.3[500]
Sep 3 16:43:04    racoon: INFO: IPsec-SA request for 61.92.99.3 queued due to no phase1 found.
Sep 3 16:40:04    racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.1.0/24[0] proto=any dir=out
Sep 3 16:40:04    racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.1/32[0] 192.168.2.0/24[0] proto=any dir=out
Sep 3 16:40:04    racoon: ERROR: such policy already exists. anyway replace it: 192.168.1.0/24[0] 192.168.2.0/24[0] proto=any dir=in
Sep 3 16:40:04    racoon: ERROR: such policy already exists. anyway replace it: 192.168.2.0/24[0] 192.168.2.1/32[0] proto=any dir=in
Sep 3 16:40:04    racoon: INFO: 10.128.70.15[4500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 10.128.70.15[4500] used as isakmp port (fd=13)
Sep 3 16:40:04    racoon: INFO: 10.128.70.15[500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 10.128.70.15[500] used as isakmp port (fd=12)
Sep 3 16:40:04    racoon: INFO: 192.168.2.1[4500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 192.168.2.1[4500] used as isakmp port (fd=11)
Sep 3 16:40:04    racoon: INFO: 192.168.2.1[500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 192.168.2.1[500] used as isakmp port (fd=10)
Sep 3 16:40:04    racoon: INFO: 127.0.0.1[4500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 127.0.0.1[4500] used as isakmp port (fd=9)
Sep 3 16:40:04    racoon: INFO: 127.0.0.1[500] used for NAT-T
Sep 3 16:40:04    racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Sep 3 16:40:04    racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Sep 3 16:40:04    racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Sep 3 16:40:04    racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Sep 3 16:40:04    racoon: INFO: @(#)ipsec-tools 0.7.2 (http://ipsec-tools.sourceforge.net)
Sep 3 00:40:03    racoon: INFO: racoon shutdown
Sep 3 00:40:02    racoon: INFO: caught signal 15

-----------------------------------------
Any solution?

[ Last edited by 野比小雄 on 2009-9-3 17:52 ]
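As an added example (not code from the original post, nor m0n0wall or racoon code), the following Python cross-checks the two tunnel definitions posted above for the mismatches that matter when one peer is NATed: Remote Gateway versus the peer's real public address, the identifier type, proposal overlap, and what the NAT box has to pass. The dict keys and helper names are my own; the values are the posted ones (61.92.99.3 is Site1's address as the logs print it behind the "***" mask).

```python
"""Cross-check two m0n0wall site-to-site IPsec definitions for the mismatches
that matter when one peer sits behind a NAT box.

Added example, not m0n0wall or racoon code.  The values are the ones posted
above (61.92.99.3 is the Site1 address the logs show behind the "***" mask);
the dict keys and helper names are my own.
"""

SITE1 = {
    "name": "Site1",
    "isakmp_source": "61.92.99.3",     # address racoon binds to (SPD endpoint)
    "public_address": "61.92.99.3",    # address the peer must send IKE/ESP to
    "remote_gateway": "218.188.2.19",  # GUI "Remote Gateway"
    "my_identifier": "address",        # GUI "My IP address"
    "mode": "aggressive",
    "phase1": ("3DES", "SHA1", 2),     # encryption, hash, DH group
    "phase2_enc": {"3DES", "Blowfish", "CAST128", "AES"},
    "phase2_hash": {"SHA1", "MD5"},
    "pfs": 2,
}
SITE2 = {
    "name": "Site2",
    "isakmp_source": "10.128.70.15",   # private WAN address behind the Debian box
    "public_address": "218.188.2.19",  # the Debian firewall's outside address
    "remote_gateway": "61.92.99.3",
    "my_identifier": "address",
    "mode": "aggressive",
    "phase1": ("3DES", "SHA1", 2),
    "phase2_enc": {"3DES", "Blowfish", "CAST128", "AES"},
    "phase2_hash": {"SHA1", "MD5"},
    "pfs": 2,
}


def behind_nat(site):
    """True when the address racoon sends from is not the one the peer sees."""
    return site["isakmp_source"] != site["public_address"]


def check_pair(a, b):
    """Return a list of (severity, message) for the tunnel between a and b."""
    findings = []
    for local, peer in ((a, b), (b, a)):
        # Remote Gateway must be the address the peer's IKE packets really
        # arrive from, i.e. its post-NAT public address.
        if local["remote_gateway"] != peer["public_address"]:
            findings.append(("error", f"{local['name']}: Remote Gateway "
                             f"{local['remote_gateway']} is not {peer['name']}'s "
                             f"public address {peer['public_address']}"))
        # "My IP address" makes racoon put the address it binds to into the
        # ID payload; behind NAT that is the private address, which does not
        # match the Remote Gateway the peer configured.  Whether the peer
        # rejects it depends on identity verification, so this is a warning:
        # a User FQDN (or other non-address) identifier avoids the question.
        if peer["my_identifier"] == "address" and behind_nat(peer):
            findings.append(("warn", f"{peer['name']} identifies itself as "
                             f"{peer['isakmp_source']} (private) while "
                             f"{local['name']} dials {local['remote_gateway']}; "
                             f"prefer a non-address identifier on {peer['name']}"))
    if a["mode"] == "aggressive" and b["mode"] == "aggressive":
        findings.append(("warn", "aggressive mode with a pre-shared key lets a "
                         "passive observer capture a hash of the PSK for offline "
                         "guessing; a short dictionary-word PSK will not survive that"))
    if a["phase1"] != b["phase1"]:
        findings.append(("error", f"phase 1 proposals differ: {a['phase1']} vs {b['phase1']}"))
    if not (a["phase2_enc"] & b["phase2_enc"]) or not (a["phase2_hash"] & b["phase2_hash"]):
        findings.append(("error", "phase 2 proposals share no algorithm"))
    if a["pfs"] != b["pfs"]:
        findings.append(("error", f"PFS group mismatch: {a['pfs']} vs {b['pfs']}"))
    for site in (a, b):
        if behind_nat(site):
            findings.append(("info", f"{site['name']} is NATed: the NAT box must pass "
                             f"UDP 500 and 4500 both ways and forward inbound ones to "
                             f"{site['isakmp_source']}, otherwise phase 1 simply times out"))
    return findings


def errors(findings):
    """Only the findings that make phase 1 or phase 2 impossible."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    for sev, msg in check_pair(SITE1, SITE2):
        print(f"[{sev}] {msg}")
```

For the posted configuration it reports no gateway or proposal errors, only the warnings about the private identifier and the NAT path, which fits the logs: phase 1 times out instead of failing on a proposal or PSK check.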



[ Last edited by kwongoc_1016 on 2009-9-3 21:28 ]




[ Last edited by 野比小雄 on 2009-9-3 21:26 ]


Actually I am a classmate of the OP, and I am struggling with this problem right now too.

Does any brother have a solution?


Sigh! Actually the 3 posters above are all my classmates.

We don't want the old man to find out (I don't mean the Chinese Communist Party).

Hope the experts here can lend a hand!

[ Last edited by kelvinwong0429 on 2009-9-3 19:35 ]


Does the Debian firewall have a static NAT mapping to the box behind it? You can run tcpdump on the m0n0 to see whether any IPsec traffic is arriving.

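As an added example (not from bethedealer's post, nor m0n0wall or racoon code), here is a Python triage of the two racoon logs posted above that separates "IKE never arrived" from "IKE arrived but was rejected", and builds the tcpdump filter to confirm it on the m0n0 console. The log excerpts are trimmed copies of the posted lines; the function names, verdict wording and the `WAN_IF` placeholder are my own.

```python
"""Triage racoon's phase 1 logs from both m0n0walls to tell a path problem
(IKE never arriving) from a proposal/identity problem.

Added example, not m0n0wall or racoon code.  The two log excerpts are copied
from the logs posted in this thread, trimmed and put oldest-first; the
"respond new phase 1 negotiation" line is what racoon writes when a peer's
IKE packet does reach it.  Names and the verdict wording are my own.
"""
import re

LISTEN = re.compile(r"INFO: (\S+?)\[(\d+)\] used as isakmp port")
INITIATE = re.compile(r"initiate new phase 1 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")
RESPOND = re.compile(r"respond new phase 1 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")
TIMEOUT = re.compile(r"phase1 negotiation failed due to time up")

SITE1_LOG = """\
Sep 3 16:40:48    racoon: INFO: 61.92.99.3[500] used as isakmp port (fd=12)
Sep 3 16:40:48    racoon: INFO: 61.92.99.3[4500] used as isakmp port (fd=13)
Sep 3 16:42:49    racoon: INFO: initiate new phase 1 negotiation: 61.92.99.3[500]<=>218.188.2.19[500]
Sep 3 16:42:49    racoon: INFO: begin Aggressive mode.
Sep 3 16:43:39    racoon: ERROR: phase1 negotiation failed due to time up. f3b28eabc6a275cb:0000000000000000
"""
SITE2_LOG = """\
Sep 3 16:40:04    racoon: INFO: 10.128.70.15[500] used as isakmp port (fd=12)
Sep 3 16:40:04    racoon: INFO: 10.128.70.15[4500] used as isakmp port (fd=13)
Sep 3 16:43:04    racoon: INFO: initiate new phase 1 negotiation: 10.128.70.15[500]<=>61.92.99.3[500]
Sep 3 16:43:04    racoon: INFO: begin Aggressive mode.
Sep 3 16:43:55    racoon: ERROR: phase1 negotiation failed due to time up. 85a92cd4c2249058:0000000000000000
"""


def parse(log_text):
    """Collect bound sockets, peers dialled, peers answered, and phase 1 timeouts."""
    r = {"listen": set(), "initiated_to": set(), "responded_to": set(), "timeouts": 0}
    for line in log_text.splitlines():
        if m := LISTEN.search(line):
            r["listen"].add((m.group(1), int(m.group(2))))
        elif m := INITIATE.search(line):
            r["initiated_to"].add(m.group(2))
        elif m := RESPOND.search(line):
            r["responded_to"].add(m.group(2))
        elif TIMEOUT.search(line):
            r["timeouts"] += 1
    return r


def lost_directions(r1, name1, public1, r2, name2, public2):
    """Pair the two logs: if one side dialled the other's public address and the
    other never logged 'respond', that side's IKE never reached the peer daemon."""
    lost = []
    if public2 in r1["initiated_to"] and not r2["responded_to"]:
        lost.append((name1, name2))
    if public1 in r2["initiated_to"] and not r1["responded_to"]:
        lost.append((name2, name1))
    return lost


def verdict(name, r, own_public, peer_public):
    """Return (text, tcpdump command) for one side."""
    bound = {addr for addr, _ in r["listen"]}
    natted = own_public not in bound  # racoon never bound the public address
    if r["initiated_to"] and not r["responded_to"] and r["timeouts"]:
        text = (f"{name}: dialled {sorted(r['initiated_to'])} and timed out without "
                f"logging any packet from {peer_public}; racoon reports proposal, ID "
                "and PSK problems explicitly, so silence means the path, not the config")
        if natted:
            text += (f" (racoon is bound to {sorted(bound)}, not {own_public}: the NAT "
                     "box must pass UDP 500/4500 out and forward them back in)")
    elif r["responded_to"]:
        text = (f"{name}: IKE from {sorted(r['responded_to'])} does arrive; "
                "remaining failures are proposal/ID/PSK")
    else:
        text = f"{name}: no phase 1 activity logged"
    # Run on the m0n0 while the peer retries; WAN_IF is a placeholder for the
    # real WAN NIC name.  'ip proto 50' is ESP, which only shows up once phase 2 is done.
    cmd = (f"tcpdump -ni WAN_IF 'host {peer_public} and "
           "(udp port 500 or udp port 4500 or ip proto 50)'")
    return text, cmd


if __name__ == "__main__":
    r1, r2 = parse(SITE1_LOG), parse(SITE2_LOG)
    print(lost_directions(r1, "Site1", "61.92.99.3", r2, "Site2", "218.188.2.19"))
    for args in (("Site1", r1, "61.92.99.3", "218.188.2.19"),
                 ("Site2", r2, "218.188.2.19", "61.92.99.3")):
        print(*verdict(*args), sep="\n  ")
```

For the posted logs both directions come back as lost: each side dialled the other's public address and neither ever logged a "respond new phase 1 negotiation", which is what you would see if the Debian box is not passing UDP 500/4500. A successful ping says nothing about UDP, so the tcpdump on the m0n0 WAN is the check that settles it.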

Originally posted by bethedealer on 2009-9-3 19:58
Does the Debian firewall have a static NAT mapping to the box behind it? You can run tcpdump on the m0n0 to see whether any IPsec traffic is arriving.

The Debian one doesn't (we can't control that firewall).
To check IPsec traffic I used ping to the IP.
No response.
I also thought m0n0 1.3b has the NAT-T function.
Site1 can't reach Site2.
Site2 can reach Site1.
