On 03.11.2003, at 21:06, Christopher M. Iarocci wrote:

> Here is my status.cgi at the moment I was trying to ping from
> 192.168.1.3 (remote network) to 192.168.2.3 (local network). I can
> ping the opposite way without a problem. I can ping from the remote
> networks to my LAN OK.

Seems like the pass rules for ipencap and decrypted packets are no longer
hit, and as such they don't create any entries in the state table, so the
packet cannot be sent out via the LAN interface.

There's only one possible explanation: FreeBSD 4.9. There has been a
change to sys/netinet/ip_input.c since FreeBSD 4.8:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c.diff?r1=1.130.2.53&r2=1.130.2.54

So apparently, if the IPSEC_FILTERGIF kernel option is not set (it isn't
in m0n0wall at the moment), packets are treated differently than before
in 4.8 with FAST_IPSEC. ipfilter only sees the ESP packet as it comes in
via WAN, but not after it has been decrypted.

I put that option back in and made a new generic-pc image (I assume
that's what you're using):

http://m0n0.ch/temp/generic-pc-pb19r536.img

Could you try it and tell us if it works?

- Manuel