 From:  Manuel Kasper <mk at neon1 dot net>
 To:  "Greg Nicholson" <greg at d0gz dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] New release and IPSec problem
 Date:  Mon, 3 Nov 2003 18:40:12 +0100
On 03.11.2003, at 17:50, Greg Nicholson wrote:

> I noticed the same behavior on my installation last night, but didn't have
> time to troubleshoot before reverting to pb18 where everything worked. I'm
> pretty sure that it is in the firewall code, as I was seeing the packets
> being bounced by rule 0:4.

Well, I can't see why any of the changes made to the filter generator 
from pb18 to pb19 would cause something like this. Guess we'll need 
more input, like status.cgi output when the problem occurs...

> On a related note, we have LAN,WAN,PPTP options on the firewall rules.
> Where do the IPsec tunnels fit in?

Nowhere. In a way, IPsec completely sucks when it comes to filtering 
because there are no virtual interfaces per tunnel as there are with 
PPTP or OpenVPN. ipfilter just sees those packets as coming in via WAN 
(and to make matters worse, they pass through the filter three (!) 
times - once as ESP, then as ipencap and finally as the decrypted 
packet). Maybe some kludge with gif interfaces would help, but I'm not 
sure about that.

I'd prefer to get rid of that nasty, ugly, kludgy IPsec + IKE (did I 
mention that racoon sucks? ;) shit anyway - causes more headaches than 
it is worth. Too bad it's the de-facto industry standard. OpenVPN is 
much more beautiful. But the good things in life always have a catch: 
it runs in userland and as such it's very slow on low-end platforms 
like embedded PCs. Gosh!

- Manuel
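The three filter passes Manuel describes (ESP, then ipencap, then the decrypted inner packet, all appearing on the WAN interface because IPsec has no per-tunnel interface) are easiest to reason about as an explicit ipfilter ruleset. The fragment below is an added example, not m0n0wall's generated rules or anything from the original post; the interface name xl0, the peer address 203.0.113.5, and the 192.168.1.0/24 (local) and 192.168.2.0/24 (remote) subnets are constructed placeholder values.

```conf
# Added example: ipfilter (ipf.conf) rules covering the three passes an IPsec
# tunnel packet makes through the filter on the WAN interface. All addresses
# and the interface name are assumed values, not taken from the original post.

# Pass 1: the packet as it arrives on the wire. Allow IKE from the known peer
# only, and the ESP datagram itself (protocol 50) from that same peer.
pass in quick on xl0 proto udp from 203.0.113.5 to any port = 500
pass in quick on xl0 proto esp from 203.0.113.5 to any

# Pass 2: after decryption the encapsulating IP-in-IP packet (ipencap,
# protocol 4) is seen again on xl0, still with the peer as its source.
pass in quick on xl0 proto ipencap from 203.0.113.5 to any

# Pass 3: the decrypted inner packet, now carrying the remote LAN as its
# source. This is the only pass where the real traffic can be filtered, so
# the policy for the tunnel belongs here, not in the ESP rule above.
pass in quick on xl0 proto tcp from 192.168.2.0/24 to 192.168.1.0/24 port = 22 flags S keep state
pass in quick on xl0 proto icmp from 192.168.2.0/24 to 192.168.1.0/24

# Anything else claiming a private source on the WAN interface is dropped;
# a genuine tunnel packet never reaches this rule because the rules above
# are marked quick.
block in log quick on xl0 from 192.168.0.0/16 to any
```

The practical point for a defender is that an `esp` rule only decides whether the tunnel is allowed to exist; it says nothing about what the decrypted traffic may do. Because every pass is evaluated against the same interface, a rule written loosely for pass 1 (for example `pass in quick on xl0 from any to any`) would also admit the inner packets from pass 3 unfiltered, which is exactly the kind of confusion the lack of a per-tunnel interface invites.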