Hi Bill,
Why not try these rules:
allow tcp lannet * 192.168.1.0 80
and
allow icmp lannet * 192.168.1.0 *
I don't use the default LAN rule and this is what I have to access my tunnel.
Good luck and have fun,
On Fri, 19 Nov 2004 15:18:05 -0500, Bill Hamel <billh at bugs dot hamel dot net> wrote:
> Hello all,
>
> I have a m0n0 1.11 configured with an IPSec Tunnel to a Watchguard Firebox
> III/700.
>
> The tunnels appear to be up.
>
> Only using ping and HTTP at this point for tests. The WAN port of each end
> traverses the internet.
>
> Network A = 10.10.80.0/24 (m0n0wall)
> Network B = 192.168.1.0/24 (Watchguard Firebox)
>
> From anything on "B" you can ping and HTTP to "A" (The m0n0 LAN interface)
> From anything on "A" you cannot ping or HTTP to anything on "B"
>
> The tunnel must be up else I would not be seeing pings in one of the directions
> with SRC and DST in private IP space. Not to mention the m0n0 in diag show the
> session active.
>
> Going out on a limb I'll say that the rules on the Watchguard are correct
> because I have VPN's running to other devices (non-m0n0) just fine.
>
> So this raises the question, I read in the manual and saw that the m0n0 creates
> its own rules when creating an IPSEC tunnel, which I don't see in the "Rules"
> section but in the Diag section I see what appear to be rules (maybe).
>
> I did set up a rule for ESP just for kicks, but it didn't seem to change
> anything.
>
> Is there a ruleset I am missing or something? I have the default any->LAN->any
> rule set up as well as allowing ESP from any source to the WAN IP of the m0n0.
>
> Any insight or smacks in the head would be appreciated at this point because my
> eyes are crossing :)
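To make it concrete which of the LAN-side flows in this thread each suggested rule admits, here is a small first-match evaluator for the rule shorthand used in the reply (action, protocol, source, source port, destination, destination port). It is an added example, not code from the mailing list or from m0n0wall itself; it models only the rules applied to packets leaving network A toward network B, and it assumes that "lannet" means the poster's 10.10.80.0/24 LAN and that a bare network address such as 192.168.1.0 stands for the /24 named in the thread. The sample packets are constructed for the example.

```python
"""Toy first-match rule evaluator for the shorthand used in the reply above.

Added example, not part of the mailing-list post and not m0n0wall code.
Assumptions: 'lannet' is 10.10.80.0/24 (network A in the thread), a bare
network address such as 192.168.1.0 means the /24 mentioned there, and a
packet that matches no rule is dropped.
"""
import ipaddress

LAN_NET = ipaddress.ip_network("10.10.80.0/24")   # assumed meaning of 'lannet'
ALIASES = {"lannet": LAN_NET}


def parse_net(token):
    """Turn a source/destination token into a network, or None for '*'."""
    if token == "*":
        return None
    if token in ALIASES:
        return ALIASES[token]
    if "/" not in token:
        token += "/24"          # assumption: bare address means a /24 here
    return ipaddress.ip_network(token, strict=False)


def parse_rule(line):
    """Parse 'action proto src sport dst dport' into a rule dict."""
    action, proto, src, sport, dst, dport = line.split()
    return {
        "action": action, "proto": proto,
        "src": parse_net(src), "sport": None if sport == "*" else int(sport),
        "dst": parse_net(dst), "dport": None if dport == "*" else int(dport),
    }


def matches(rule, pkt):
    """True if every field of the rule accepts the packet ('*' accepts all)."""
    def net_ok(net, addr):
        return net is None or ipaddress.ip_address(addr) in net

    def port_ok(want, have):
        return want is None or want == have

    return (rule["proto"] in ("any", pkt["proto"])
            and net_ok(rule["src"], pkt["src"])
            and port_ok(rule["sport"], pkt.get("sport"))
            and net_ok(rule["dst"], pkt["dst"])
            and port_ok(rule["dport"], pkt.get("dport")))


def evaluate(rules, pkt):
    """First matching rule wins; return (action, rule index) or ('deny', None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule["action"], i
    return "deny", None


# The two rules from the reply, in the order given.
REPLY_RULES = [parse_rule(r) for r in (
    "allow tcp lannet * 192.168.1.0 80",
    "allow icmp lannet * 192.168.1.0 *",
)]

# The original poster's default LAN rule, written in the same shorthand.
DEFAULT_RULES = [parse_rule("allow any lannet * * *")]

# Constructed test flows from a host on network A.
HTTP_A_TO_B = {"proto": "tcp", "src": "10.10.80.5", "sport": 40000,
               "dst": "192.168.1.10", "dport": 80}
PING_A_TO_B = {"proto": "icmp", "src": "10.10.80.5", "dst": "192.168.1.10"}
SSH_A_TO_B = {"proto": "tcp", "src": "10.10.80.5", "sport": 40001,
              "dst": "192.168.1.10", "dport": 22}
HTTP_A_TO_INTERNET = {"proto": "tcp", "src": "10.10.80.5", "sport": 40002,
                      "dst": "198.51.100.7", "dport": 80}

if __name__ == "__main__":
    for name, pkt in (("HTTP A->B", HTTP_A_TO_B), ("ping A->B", PING_A_TO_B),
                      ("SSH A->B", SSH_A_TO_B), ("HTTP A->Internet", HTTP_A_TO_INTERNET)):
        print(f"{name:18} reply rules: {evaluate(REPLY_RULES, pkt)}"
              f"   default rule: {evaluate(DEFAULT_RULES, pkt)}")
```

Run as-is to see that the reply's rules admit exactly the two test protocols toward 192.168.1.0/24 and nothing else (not SSH, and not plain web browsing to the Internet), whereas the any-to-any LAN rule admits all of them; whichever set is in use, only traffic leaving network A is decided here, and the reverse direction is governed by whatever the IPsec side allows.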