 From:  "Quark AV - Hilton Travis" <Hilton at QuarkAV dot com>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Patch for IPSec VPN Routing
 Date:  Mon, 7 Jun 2004 19:02:25 +1000
Hi All,

> > > From: Justin Ellison [mailto:justin at techadvise dot com]
> > > Sent: Wednesday, May 19, 2004 6:41 PM
> > > 
> > > Hey Mitch,
> > > 
> > > On Wed, 2004-05-19 at 20:21, Mitch (WebCob) wrote:
> > > > My question, is was "My House" able to communicate 
> > > > with "Montana" through "Local Office" before... and 
> > > > if so, can it now?
> > > 
> > > Before with FreeS/WAN, yes with no problems.  Before 
> > > with m0n0wall, yes, but I couldn't access the m0n0wall 
> > > itself - I was forced to switch to where I could get 
> > > to "Local Office" and my m0n0wall, sacrificing access 
> > > to the "Montana Office".
> > > 
> > > > I was told to look into openvpn - which I am as time 
> > > > permits...
> > > 
> > > The problem with OpenVPN is that it is SSL/TLS, not 
> > > IPSec.  I need IPSec to talk to my Netscreen...
> > 
> > Well, I got it.
> > 
> > After a hairy crash course in FreeBSD/Racoon/KAME, I 
> > discovered that the problem wasn't with routes.  When I 
> > would ping the m0n0wall, the m0n0wall's response would 
> > be encrypted (which my host wasn't expecting).  So, I 
> > found that I had to add two SPDs before the IPsec 
> > related SPDs were created.
> > 
> > A quick and dirty hack that worked was made by inserting 
> > the following code on line 110 in /etc/inc/vpn.inc, 
> > right after the call to vpn_localnet_determine:
> > 
> > // Bypass policies for traffic that stays inside the local subnet
> > // (LAN hosts talking to the m0n0wall itself); they must be emitted
> > // before the tunnel SPDs so they are matched first.
> > if (!$localdone) {
> >    $spdconf .= "spdadd {$sa}/{$sn} {$sa}/{$sn} any -P in none;\n";
> >    $spdconf .= "spdadd {$sa}/{$sn} {$sa}/{$sn} any -P out none;\n";
> >    $localdone++;
> > }
> > 
> > Of course, since I haven't read the hacker's guide yet, 
> > the option is cleared once I reboot.  I'm going to get a 
> > development setup going at home, and add a checkbox 
> > option to turn the feature on/off.
> > 
> > Hope this helps others,
> > 
> > Justin
> > 
> 
> Dunno if Manuel wants it or not, but here's a patch to add a 
> config option to fix the problem described below.
> 
> Justin

I thought I'd reply to this in here as it is more appropriate in dev than in
user.

Manuel - have you had a chance to look at this patch yet?  If so, does it
fit in your specs for m0n0wall, and then if it does, are we likely to see
this in the next beta?  

It seems to fix a few issues, and hopefully it doesn't break any.  I'd say
the next beta is a great place to trial this patch to see if it is a worthy
contender for a "gold" release.

Hilton Travis
http://www.quarkit.com.au
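
The fix Justin describes above (bypass SPD entries for local-subnet traffic placed ahead of the tunnel SPDs) rendered as a complete setkey(8) policy set, as an added example; this is not code from the m0n0wall project or from any post in the thread. The script emits the same two "none" policies the quoted hack adds, followed by a pair of ESP tunnel policies for a site-to-site SA, and includes a small check that the bypass policies precede the tunnel policies. The subnets and gateway addresses are constructed sample values (RFC 5737 documentation ranges), and the assumption that the KAME SPD returns the first matching entry in insertion order, which is what the thread's observation relies on, is an assumption of this example rather than something the thread states:

```shell
#!/bin/sh
# Added example: not m0n0wall project code and not from the original posts.
# Generates a KAME/setkey(8) SPD configuration in which "none" (bypass)
# policies for traffic that never leaves the local subnet precede the
# tunnel policies, so the firewall's own replies to LAN hosts are not
# matched by the tunnel SPD and sent out encrypted.
# Assumption: the SPD is searched in insertion order and the first match
# wins, so the bypass entries have to be added first.
#
# Usage: gen_setkey_conf LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
gen_setkey_conf() {
    local_net=$1; remote_net=$2; local_gw=$3; remote_gw=$4

    cat <<EOF
# Start from an empty SPD so stale policies cannot shadow these.
spdflush;

# Bypass policies first: traffic between two addresses inside the local
# subnet (including LAN hosts and the firewall's own LAN address) stays
# in the clear and is never matched by the tunnel policies below.
spdadd ${local_net} ${local_net} any -P in none;
spdadd ${local_net} ${local_net} any -P out none;

# Tunnel policies for the site-to-site SA (ESP, tunnel mode, required).
spdadd ${local_net} ${remote_net} any -P out ipsec esp/tunnel/${local_gw}-${remote_gw}/require;
spdadd ${remote_net} ${local_net} any -P in ipsec esp/tunnel/${remote_gw}-${local_gw}/require;
EOF
}

# Reads a generated config on stdin; exits 0 only if every "none" policy
# appears before the first "ipsec" policy, i.e. the ordering is correct.
bypass_precedes_tunnel() {
    awk '
        /-P (in|out) none;/  { if (seen_ipsec) { bad = 1 } }
        /-P (in|out) ipsec/  { seen_ipsec = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone run with the constructed sample addresses: print the config
# and report whether the ordering check passes.
conf=$(gen_setkey_conf 192.168.1.0/24 10.0.0.0/24 203.0.113.1 198.51.100.1)
printf '%s\n' "$conf"
if printf '%s\n' "$conf" | bypass_precedes_tunnel; then
    echo "# ordering OK: bypass policies precede tunnel policies"
else
    echo "# ordering WRONG: a tunnel policy precedes a bypass policy"
fi
```

Save the printed output to a file and load it with `setkey -f file`. Note that the bypass policies only match packets whose source and destination are both inside the local subnet, so they exempt nothing that was supposed to go through the tunnel; the in-thread patch additionally makes emitting them conditional on a configuration checkbox, which this example does not model.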