 From:  Vincent FLEURANCEAU <vincent at bikost dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch, m0n0wall at lists dot m0n0 dot ch
 Subject:  Strange behaviour - 1.1b16
 Date:  Tue, 20 Jul 2004 17:18:46 +0200
Hi all!

I've been running an IPSec tunnel for 2 days without any problem.

My IPSec config is:

m0n0 1.1b16 (local) <-> m0n0 1.0 (remote)

After I had to reboot my m0n0 1.1b16 (see why in my previous post), the
tunnel did not re-establish on the 1.0 (remote) m0n0 box, although many
remote hosts tried to reach a server on the local network.

I had to ping the remote m0n0wall LAN IP from the local network to open
the tunnel again...

More, I found strange blocking rules on the 1.1b16 box (could not attach
the screenshot), although by default nothing prevents ESP and AH from
entering the box. See below, rules 14 to 19 in particular:

$ ipfstat -ni

@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on sis0 proto udp from any port = 68 to 192.168.1.254/32 port = 67
@6 block in log quick on ng0 from 192.168.1.0/24 to any
@7 block in log quick on ng0 proto udp from any port = 67 to 192.168.1.0/24 port = 68
@8 pass in quick on ng0 proto udp from any port = 67 to any port = 68
@9 block in log quick on sis0 from !192.168.1.0/24 to any
@10 block in log quick on ng0 from 10.0.0.0/8 to any
@11 block in log quick on ng0 from 127.0.0.0/8 to any
@12 block in log quick on ng0 from 172.16.0.0/12 to any
@13 block in log quick on ng0 from 192.168.0.0/16 to any
@14 pass in quick on ng0 proto udp from any to 212.11.36.133/32 port = 500
@15 pass in quick on ng0 proto esp from any to 212.11.36.133/32
@16 pass in quick on ng0 proto ah from any to 212.11.36.133/32
@17 pass in quick on sis0 proto udp from any to 192.168.1.254/32 port = 500
@18 pass in quick on sis0 proto esp from any to 192.168.1.254/32
@19 pass in quick on sis0 proto ah from any to 192.168.1.254/32
@20 skip 1 in proto tcp from any to any flags S/FSRA
@21 block in log quick proto tcp from any to any
@22 block in log quick on sis0 from any to any head 100
@1 pass in quick from 192.168.1.0/24 to 192.168.1.254/32 keep state group 100
@2 pass in quick from 192.168.1.0/24 to any keep state group 100
@23 block in log quick on ng0 from any to any head 200
@24 block in log quick from any to any


The ruleset is 100% factory default. I just use the Magic Shaper
generated rules and the new "Auto-establish" IPSec feature.

Can anyone tell me what's going wrong? Is this a 1.1b16 specific bug or
should I use 1.1b16 on both tunnel ends? Any idea?

Are the recommended IPSec lifetime values (from the Documentation) good
ones?

Am I missing something trivial?

I can send the status.php page result, if someone finds it useful...

Thanks in advance,

-- Vincent
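As an added example, not part of Vincent's post or of m0n0wall itself: a small Python check that parses an `ipfstat -ni` listing (a constructed excerpt of the rules quoted above) and reports which rule number passes IKE (UDP/500), ESP and AH on each interface, so that a missing IPsec ingress rule stands out before looking elsewhere for a tunnel that will not re-establish. The interface names ng0 and sis0 are taken from the post; the regex only covers the rule syntax visible in that listing.

```python
import re

# Constructed excerpt of the `ipfstat -ni` output quoted in the post:
# the last RFC1918 block on ng0, the six IPsec pass rules, and the
# final catch-all block. Wrapped lines from the mail are rejoined.
RULESET = """\
@13 block in log quick on ng0 from 192.168.0.0/16 to any
@14 pass in quick on ng0 proto udp from any to 212.11.36.133/32 port = 500
@15 pass in quick on ng0 proto esp from any to 212.11.36.133/32
@16 pass in quick on ng0 proto ah from any to 212.11.36.133/32
@17 pass in quick on sis0 proto udp from any to 192.168.1.254/32 port = 500
@18 pass in quick on sis0 proto esp from any to 192.168.1.254/32
@19 pass in quick on sis0 proto ah from any to 192.168.1.254/32
@24 block in log quick from any to any
"""

# Matches the "@N action in [log] [quick] [on IF] [proto P] from SRC
# [port = N] to DST [port = N]" shape used by ipfilter's ipfstat listing.
RULE_RE = re.compile(
    r"^@(?P<num>\d+) (?P<action>pass|block) in(?: log)?(?: quick)?"
    r"(?: on (?P<iface>\S+))?(?: proto (?P<proto>\S+))?"
    r" from (?P<src>\S+)(?: port = (?P<sport>\d+))?"
    r" to (?P<dst>\S+)(?: port = (?P<dport>\d+))?"
)


def parse_rules(text):
    """Turn each recognisable rule line into a dict of its fields."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def ipsec_pass_rules(rules, iface):
    """Map each IPsec ingress requirement (IKE on UDP/500, ESP, AH) to the
    number of the first 'pass' rule on `iface` that satisfies it, or None."""
    found = {"ike": None, "esp": None, "ah": None}
    for r in rules:
        if r["action"] != "pass" or r["iface"] != iface:
            continue
        if r["proto"] == "udp" and r["dport"] == "500" and not found["ike"]:
            found["ike"] = r["num"]
        elif r["proto"] == "esp" and not found["esp"]:
            found["esp"] = r["num"]
        elif r["proto"] == "ah" and not found["ah"]:
            found["ah"] = r["num"]
    return found


def check_interfaces(text, interfaces=("ng0", "sis0")):
    """Report the IPsec pass rules per interface; a None marks a gap."""
    rules = parse_rules(text)
    return {i: ipsec_pass_rules(rules, i) for i in interfaces}
```

A `None` in the result for the WAN interface (ng0 here) is the first thing to rule out before suspecting peer behaviour or lifetime settings.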