 From:  "Greg Nicholson" <greg at d0gz dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] New release and IPSec problem
 Date:  Mon, 3 Nov 2003 10:50:21 -0600
I noticed the same behavior on my installation last night, but didn't have
time to troubleshoot before reverting to pb18 where everything worked.  I'm
pretty sure that it is in the firewall code, as I was seeing the packets
being bounced by rule 0:4.  

On a related note, we have LAN,WAN,PPTP options on the firewall rules.
Where do the IPsec tunnels fit in?

Greg Nicholson

-----Original Message-----
From: Christopher M. Iarocci [mailto:iarocci at eastendsc dot com] 
Sent: Monday, November 03, 2003 9:38 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] New release and IPSec problem

I think I found a problem with the new release and IPSec.  I had a working
IPSec config with version 18.  I upgraded to 19, and it still works except I
can only communicate with people on the other LANs, but if they try and
communicate with me, no go.  They can ping my LAN interface, and that's it.
Here is a copy of cat /var/etc/racoon.conf.  This config was working
perfectly with the old version.  Could this be a firewall issue considering
the changes made to that?  I tried putting allows for all traffic to and
from 192.168.0.0, but no luck.

Chris
path pre_shared_key "/var/etc/psk.txt";

remote 24.187.115.86 {
    exchange_mode main;
    my_identifier address "24.190.174.211";
    peers_identifier address 24.187.115.86;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 86400 secs;
    }
    lifetime time 86400 secs;
}

sainfo address 192.168.2.0/24 any address 192.168.4.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
    lifetime time 86400 secs;
}

remote 24.185.231.163 {
    exchange_mode main;
    my_identifier address "24.190.174.211";
    peers_identifier address 24.185.231.163;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 86400 secs;
    }
    lifetime time 86400 secs;
}

sainfo address 192.168.2.0/24 any address 192.168.3.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
    lifetime time 86400 secs;
}

remote 24.190.161.244 {
    exchange_mode main;
    my_identifier address "24.190.174.211";
    peers_identifier address 24.190.161.244;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 86400 secs;
    }
    lifetime time 86400 secs;
}

sainfo address 192.168.2.0/24 any address 192.168.1.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
    lifetime time 86400 secs;
}

remote 24.184.150.82 {
    exchange_mode main;
    my_identifier address "24.190.174.211";
    peers_identifier address 24.184.150.82;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 86400 secs;
    }
    lifetime time 86400 secs;
}

sainfo address 192.168.2.0/24 any address 192.168.5.0/24 any {
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
    lifetime time 86400 secs;
}

remote 24.190.161.244 {
    exchange_mode main;
    my_identifier address "24.190.174.211";
    peers_identifier address 24.190.161.244;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
        lifetime time 86400 secs;
    }
    lifetime time 86400 secs;
}

sainfo address 192.168.2.0/24 any address 192.168.6.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
    lifetime time 86400 secs;
}

remote 207.198.250.254 {
    exchange_mode main;
    my_identifier address "24.190.174.211";
    peers_identifier address 207.198.250.254;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 5;
        lifetime time 86400 secs;
    }
    lifetime time 86400 secs;
}

sainfo address 192.168.2.0/24 any address 172.16.0.0/16 any {
    encryption_algorithm des,3des,blowfish,cast128,rijndael;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 5;
    lifetime time 86400 secs;
}
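A way to go over a racoon.conf like the one Chris posted and report the things a reviewer would look for first: a peer section defined twice (the posted config lists remote 24.190.161.244 two times), DES or MD5 in either phase, and an sainfo without pfs_group. This is an added example for the thread, not code from m0n0wall or racoon; the parser only understands the `name value;` and `header { ... }` subset of racoon.conf syntax used above, and SAMPLE_CONF is a constructed, shortened excerpt in that format.

```python
# Added example for this thread (not m0n0wall's or racoon's own code):
# parse the subset of racoon.conf syntax seen in the posted config and
# flag duplicated peers, weak algorithms and missing PFS.
import re
from collections import Counter

# Constructed excerpt in the posted config's format; the peer address is
# the one that appears twice in the post, everything else is shortened.
SAMPLE_CONF = """
path pre_shared_key "/var/etc/psk.txt";
remote 24.190.161.244 {
    exchange_mode main;
    proposal { encryption_algorithm 3des; hash_algorithm md5; dh_group 2; }
}
sainfo address 192.168.2.0/24 any address 192.168.1.0/24 any {
    encryption_algorithm 3des; authentication_algorithm hmac_md5; pfs_group 2;
}
remote 24.190.161.244 {
    proposal { encryption_algorithm des; hash_algorithm md5; dh_group 2; }
}
sainfo address 192.168.2.0/24 any address 172.16.0.0/16 any {
    encryption_algorithm des,3des,blowfish,cast128,rijndael;
    authentication_algorithm hmac_md5; pfs_group 5;
}
"""

WEAK_CIPHERS = {"des"}              # 56-bit key, brute-forceable
WEAK_HASHES = {"md5", "hmac_md5"}   # deprecated for IKE/ESP integrity
_WS = re.compile(r"\s*")
_STMT = re.compile(r"([^;{}]*)([;{])")  # 'name value;' or 'header {'


def parse(text):
    """Return (top_level_settings, blocks); a block is a dict with
    'header', 'settings' and nested 'children'. ValueError on bad braces."""
    text = re.sub(r"#[^\n]*", "", text)  # strip '#' comments

    def body(pos, depth):
        settings, children = {}, []
        while True:
            pos = _WS.match(text, pos).end()
            if pos >= len(text):
                if depth:
                    raise ValueError("unbalanced braces")
                return settings, children, pos
            if text[pos] == "}":
                if not depth:
                    raise ValueError("unexpected '}'")
                return settings, children, pos + 1
            m = _STMT.match(text, pos)
            if not m:
                raise ValueError(f"unterminated statement at offset {pos}")
            stmt, pos = m.group(1).strip(), m.end()
            if m.group(2) == ";":
                name, _, value = stmt.partition(" ")
                settings[name] = value.strip()
            else:
                s, c, pos = body(pos, depth + 1)
                children.append({"header": stmt, "settings": s, "children": c})

    top, blocks, _ = body(0, 0)
    return top, blocks


def audit(text):
    """Return human-readable findings for a racoon.conf text."""
    _, blocks = parse(text)
    remotes = [b for b in blocks if b["header"].startswith("remote ")]
    sainfos = [b for b in blocks if b["header"].startswith("sainfo ")]
    out = []
    # A peer defined twice: only one phase-1 block can be in effect.
    for header, n in Counter(b["header"] for b in remotes).items():
        if n > 1:
            out.append(f"{header}: section defined {n} times")
    for r in remotes:  # phase-1 proposals
        for p in (c for c in r["children"] if c["header"] == "proposal"):
            if p["settings"].get("encryption_algorithm") in WEAK_CIPHERS:
                out.append(f"{r['header']}: phase-1 cipher {p['settings']['encryption_algorithm']} is weak")
            if p["settings"].get("hash_algorithm") in WEAK_HASHES:
                out.append(f"{r['header']}: phase-1 hash {p['settings']['hash_algorithm']} is weak")
    for s in sainfos:  # phase-2; a comma list means any entry is negotiable
        ciphers = {c.strip() for c in s["settings"].get("encryption_algorithm", "").split(",")}
        for weak in sorted(ciphers & WEAK_CIPHERS):
            out.append(f"{s['header']}: phase-2 offers weak cipher {weak}")
        if s["settings"].get("authentication_algorithm") in WEAK_HASHES:
            out.append(f"{s['header']}: phase-2 integrity {s['settings']['authentication_algorithm']} is weak")
        if "pfs_group" not in s["settings"]:
            out.append(f"{s['header']}: no pfs_group, phase-2 lacks forward secrecy")
    return out


if __name__ == "__main__":
    for line in audit(SAMPLE_CONF):
        print(line)
```

To run it against a real box, pass the contents of /var/etc/racoon.conf to audit() instead of SAMPLE_CONF. The duplicate-section check is the one most relevant to the thread: when the same peer appears twice, the two blocks can carry different proposals, and which one the daemon ends up using is not obvious from reading the file.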
