 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  "Manuel Kasper" <mk at neon1 dot net>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] New release and IPSec problem
 Date:  Mon, 3 Nov 2003 18:59:20 -0500
Works perfectly again, thank you.  And yes, I was using the generic-pc
image.

Chris

----- Original Message ----- 
From: "Manuel Kasper" <mk at neon1 dot net>
To: "Christopher M. Iarocci" <iarocci at eastendsc dot com>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Monday, November 03, 2003 4:07 PM
Subject: Re: [m0n0wall] New release and IPSec problem


> On 03.11.2003, at 21:06, Christopher M. Iarocci wrote:
>
> > Here is my status.cgi at the moment I was trying to ping from
> > 192.168.1.3 (remote network) to 192.168.2.3 (local network).  I can
> > ping the opposite way without a problem.  I can ping from the remote
> > networks to my Lan
>
> OK. Seems like the pass rules for ipencap and decrypted packets are no
> longer hit, and as such they don't create any entries in the state
> table, so the packet cannot be sent out via the LAN interface.
>
> There's only one possible explanation: FreeBSD 4.9. There has been a
> change to sys/netinet/ip_input.c since FreeBSD 4.8:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/ip_input.c.diff?r1=1.130.2.53&r2=1.130.2.54
>
> So apparently, if the IPSEC_FILTERGIF kernel option is not set (it
> isn't in m0n0wall at the moment), packets are treated differently than
> before in 4.8 with FAST_IPSEC. ipfilter only sees the ESP packet as it
> comes in via WAN, but not after it has been decrypted.
>
> I put that option back in and made a new generic-pc image (I assume
> that's what you're using):
>
> http://m0n0.ch/temp/generic-pc-pb19r536.img
>
> Could you try it and tell us if it works?
>
> - Manuel

