 
 From:  "Greg Nicholson" <greg at d0gz dot net>
 To:  "'Manuel Kasper'" <mk at neon1 dot net>, "'Christopher M. Iarocci'" <iarocci at eastendsc dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] New release and IPSec problem
 Date:  Mon, 3 Nov 2003 15:18:10 -0600
If you can make it for the 4501, I can test it this evening.

Thanks!

Greg Nicholson

-----Original Message-----
From: Manuel Kasper [mailto:mk at neon1 dot net] 
Sent: Monday, November 03, 2003 3:07 PM
To: Christopher M. Iarocci
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] New release and IPSec problem

On 03.11.2003, at 21:06, Christopher M. Iarocci wrote:

> Here is my status.cgi at the moment I was trying to ping from 192.168.1.3
> (remote network) to 192.168.2.3 (local network). I can ping the opposite
> way without a problem. I can ping from the remote networks to my LAN

OK. Seems like the pass rules for ipencap and decrypted packets are no
longer hit, and as such they don't create any entries in the state
table, so the packet cannot be sent out via the LAN interface.

There's only one possible explanation: FreeBSD 4.9. There has been a
change to sys/netinet/ip_input.c since FreeBSD 4.8:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c.diff?r1=1.130.2.53&r2=1.130.2.54

So apparently, if the IPSEC_FILTERGIF kernel option is not set (it
isn't in m0n0wall at the moment), packets are treated differently than
before in 4.8 with FAST_IPSEC. ipfilter only sees the ESP packet as it
comes in via WAN, but not after it has been decrypted.

I put that option back in and made a new generic-pc image (I assume
that's what you're using):

http://m0n0.ch/temp/generic-pc-pb19r536.img

Could you try it and tell us if it works?

- Manuel
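
To make the state-table reasoning in Manuel's message concrete, here is a constructed Python model added for this page (not m0n0wall or ipfilter code): a toy stateful filter that creates state only for packets it actually inspects, so the decrypted inner packet can leave via LAN only if IPSEC_FILTERGIF hands it back to the filter. The peer addresses and the rule behaviour are assumptions; the 192.168.x hosts are the ones from the thread.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str  # "esp" on the wire, "icmp" once FAST_IPSEC has decrypted it
    src: str
    dst: str


@dataclass
class StatefulFilter:
    """Toy 'pass in ... keep state' filter (assumed behaviour, not ipfilter):
    inbound pass rules record the flow; outbound traffic is allowed only
    when a matching state entry exists."""
    inbound_pass: frozenset = frozenset({"esp", "icmp"})
    state: set = field(default_factory=set)

    def filter_in(self, pkt: Packet) -> bool:
        if pkt.proto in self.inbound_pass:
            self.state.add((pkt.proto, pkt.src, pkt.dst))  # keep state
            return True
        return False

    def filter_out(self, pkt: Packet) -> bool:
        # No outbound pass rule on LAN: forwarding relies purely on state.
        return (pkt.proto, pkt.src, pkt.dst) in self.state


def deliver_tunnelled_ping(filter_gif: bool) -> bool:
    """One ICMP echo from the remote LAN arrives inside ESP on WAN and must
    be forwarded out LAN. filter_gif models the IPSEC_FILTERGIF option."""
    fw = StatefulFilter()
    esp = Packet("esp", "203.0.113.1", "198.51.100.1")  # constructed peers
    inner = Packet("icmp", "192.168.1.3", "192.168.2.3")  # hosts from the thread
    if not fw.filter_in(esp):  # the ESP packet is always seen on WAN
        return False
    # With IPSEC_FILTERGIF the decrypted packet is handed back to the filter
    # and a state entry is created; without it the filter never sees it.
    if filter_gif and not fw.filter_in(inner):
        return False
    return fw.filter_out(inner)  # LAN side: only state lets it through


if __name__ == "__main__":
    for opt in (True, False):
        print(f"IPSEC_FILTERGIF={'on' if opt else 'off'}: "
              f"ping forwarded={deliver_tunnelled_ping(opt)}")
```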

