If you can make it for the 4501, I can test it this evening.

Thanks!

Greg Nicholson

-----Original Message-----
From: Manuel Kasper [mailto:mk at neon1 dot net]
Sent: Monday, November 03, 2003 3:07 PM
To: Christopher M. Iarocci
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] New release and IPSec problem

On 03.11.2003, at 21:06, Christopher M. Iarocci wrote:

> Here is my status.cgi at the moment I was trying to ping from
> 192.168.1.3 (remote network) to 192.168.2.3 (local network). I can ping the
> opposite way without a problem. I can ping from the remote networks to my
> Lan OK.

Seems like the pass rules for ipencap and decrypted packets are no longer
hit, and as such they don't create any entries in the state table, so the
packet cannot be sent out via the LAN interface.

There's only one possible explanation: FreeBSD 4.9. There has been a change
to sys/netinet/ip_input.c since FreeBSD 4.8:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c.diff?r1=1.130.2.53&r2=1.130.2.54

So apparently, if the IPSEC_FILTERGIF kernel option is not set (it isn't in
m0n0wall at the moment), packets are treated differently than before in 4.8
with FAST_IPSEC. ipfilter only sees the ESP packet as it comes in via WAN,
but not after it has been decrypted.

I put that option back in and made a new generic-pc image (I assume that's
what you're using):

http://m0n0.ch/temp/generic-pc-pb19r536.img

Could you try it and tell us if it works?

- Manuel

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch