Works perfectly again, thank you. And yes, I was using the generic-pc image.

Chris

----- Original Message -----
From: "Manuel Kasper" <mk at neon1 dot net>
To: "Christopher M. Iarocci" <iarocci at eastendsc dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Monday, November 03, 2003 4:07 PM
Subject: Re: [m0n0wall] New release and IPSec problem

> On 03.11.2003, at 21:06, Christopher M. Iarocci wrote:
>
>> Here is my status.cgi at the moment I was trying to ping from 192.168.1.3
>> (remote network) to 192.168.2.3 (local network). I can ping the opposite
>> way without a problem. I can ping from the remote networks to my LAN OK.
>
> Seems like the pass rules for ipencap and decrypted packets are no
> longer hit, and as such they don't create any entries in the state
> table, so the packet cannot be sent out via the LAN interface.
>
> There's only one possible explanation: FreeBSD 4.9. There has been a
> change to sys/netinet/ip_input.c since FreeBSD 4.8:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c.diff?r1=1.130.2.53&r2=1.130.2.54
>
> So apparently, if the IPSEC_FILTERGIF kernel option is not set (it
> isn't in m0n0wall at the moment), packets are treated differently than
> before in 4.8 with FAST_IPSEC. ipfilter only sees the ESP packet as it
> comes in via WAN, but not after it has been decrypted.
>
> I put that option back in and made a new generic-pc image (I assume
> that's what you're using):
>
> http://m0n0.ch/temp/generic-pc-pb19r536.img
>
> Could you try it and tell us if it works?
>
> - Manuel
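The failure mode Manuel describes (the decrypted inner packet never reaching the packet filter, so no state entry is created and the LAN-side output is refused) can be modelled with a small stateful filter. This is an added illustration, not m0n0wall or FreeBSD code; the interface names, rule tuples and the gateway addresses in the test are invented for the example, while the 192.168.1.3 and 192.168.2.3 hosts are the ones from the thread.

```python
# Toy model of the ipfilter path discussed in the thread (added example,
# not m0n0wall/FreeBSD code). Interface and rule names are invented.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str  # "esp" for the encrypted tunnel packet, "ip" for the inner packet
    src: str
    dst: str


@dataclass
class StatefulFilter:
    # Allowed (interface, direction, protocol) tuples; each acts as "keep state".
    rules: set
    state: set = field(default_factory=set)

    def check(self, iface: str, direction: str, pkt: Packet) -> bool:
        # Packets belonging to an already-seen flow pass on state alone.
        if (pkt.src, pkt.dst) in self.state:
            return True
        if (iface, direction, pkt.proto) in self.rules:
            self.state.add((pkt.src, pkt.dst))  # rule hit -> state entry created
            return True
        return False  # default deny


def forward_from_tunnel(esp: Packet, inner: Packet, filter_decrypted: bool) -> bool:
    """True if the decrypted inner packet is allowed out via the LAN interface."""
    fw = StatefulFilter(rules={("wan", "in", "esp"), ("wan", "in", "ip")})
    # 1. The ESP packet arrives on WAN and is filtered normally.
    if not fw.check("wan", "in", esp):
        return False
    # 2. FAST_IPSEC decrypts it. Without IPSEC_FILTERGIF-style handling the
    #    decrypted packet is not handed back to the filter, so the "pass
    #    decrypted" rule is never hit and no state entry appears.
    if filter_decrypted and not fw.check("wan", "in", inner):
        return False
    # 3. LAN output has no explicit pass rule here; it relies on the state
    #    entry that step 2 should have created.
    return fw.check("lan", "out", inner)
```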