Hi Rick,

Thanks for the reply. Curious, do you have inbound rules also, and can you ? In other firewalls I work with I normally see an IPSec interface or tunnel reference in rule options so that you can map rules from and to the tunnel, but I guess m0n0 doesn't do it that way. I'll give this a shot as soon as I can. I really appreciate the insight.

FWIW, I normally set LAN -> Internet traffic to only what the user needs, for safe internetting :)

Thanks again,

-b

Quoting Rick Preston <rickjpreston at gmail dot com>:

> Hi Bill,
>
> Why not try these rules
> allow tcp lannet * 192.168.1.0 80
> and
> allow icmp lannet * 192.168.1.0 *
>
> I don't use the default LAN rule and this is what I have to access my
> tunnel.
>
> good luck and have fun,
>
>
>
> On Fri, 19 Nov 2004 15:18:05 -0500, Bill Hamel <billh at bugs dot hamel dot net> wrote:
> > Hello all,
> >
> > I have a m0n0 1.11 configured with an IPSec Tunnel to a Watchguard Firebox
> > III/700.
> >
> > The tunnels appear to be up.
> >
> > Only using ping and HTTP at this point for tests. The WAN port of each end
> > traverses the internet.
> >
> > Network A = 10.10.80.0/24 (m0n0wall)
> > Network B = 192.168.1.0/24 (Watchguard Firebox)
> >
> > From anything on "B" you can ping and HTTP to "A" (The m0n0 LAN interface)
> > From anything "A" you cannot ping or HTTP to anything on "B"
> >
> > The tunnel must be up else I would not be seeing pings in one of the directions
> > with SRC and DST in private IP space. Not to mention the m0n0 in diag show the
> > session active.
> >
> > Going out on a limb I'll say that the rules on the Watchguard are correct
> > because I have VPN's running to other devices (non-m0n0) just fine.
> >
> > So this raises the question, I read in the manual and saw that the m0n0 creates
> > its own rules when creating an IPSEC tunnel, which I don't see in the "Rules"
> > Section but in the Diag section I see what appear to be rules (maybe).
> >
> > I did set up a rule for ESP just for kicks, but it didn't seem to change
> > anything.
> >
> > Is there a ruleset I am missing or something ? I have the default any->LAN->any
> > rule setup as well as allowing ESP from any source to the WAN IP of the m0n0.
> >
> > Any insight or smacks in the head would be appreciated at this point because my
> > eyes are crossing :)
>
> --
> This message has been scanned for viruses and
> dangerous content by the Bugs.Hamel.Net MailScanner,
> and appears to be clean.
>

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
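The rules Rick suggests above, and Bill's "only what the user needs" LAN policy, both come down to a first-match ruleset with an implicit deny at the end. The following is an added example, not code from the thread or from m0n0wall: a small first-match rule evaluator in the shape of Rick's rule lines, run over constructed sample flows from network A (10.10.80.0/24) toward network B (192.168.1.0/24). The rule grammar, the `lannet` alias, the `/24` mask appended to Rick's destination, and the host addresses are assumptions made for illustration.

```python
# Added example (not from the thread or m0n0wall): first-match firewall
# rule evaluation over a LAN ruleset that only permits the flows the
# user needs into the subnet reached through the IPsec tunnel.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "block"
    proto: str    # "tcp", "udp", "icmp" or "*"
    src: str      # CIDR or "*"
    sport: str    # port number or "*"
    dst: str      # CIDR or "*"
    dport: str    # port number or "*"


def parse_rule(line, aliases):
    # Assumed grammar: "<action> <proto> <src> <sport> <dst> <dport>",
    # mirroring the lines quoted in the thread; aliases expand to CIDRs.
    action, proto, src, sport, dst, dport = line.split()
    return Rule(action, proto, aliases.get(src, src), sport,
                aliases.get(dst, dst), dport)


def _net_match(pattern, ip):
    if pattern == "*":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_match(pattern, port):
    # ICMP flows carry no port; "*" matches that too.
    return pattern == "*" or (port is not None and int(pattern) == port)


def matches(rule, flow):
    proto, src, sport, dst, dport = flow
    return (rule.proto in ("*", proto)
            and _net_match(rule.src, src) and _port_match(rule.sport, sport)
            and _net_match(rule.dst, dst) and _port_match(rule.dport, dport))


def evaluate(rules, flow, default="block"):
    # First matching rule wins; anything unmatched hits the default deny.
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return default


# Assumed alias for network A from the thread.
ALIASES = {"lannet": "10.10.80.0/24"}

# Rick's two rules, with an assumed /24 mask on the destination.
RULESET = [parse_rule(line, ALIASES) for line in (
    "allow tcp lannet * 192.168.1.0/24 80",
    "allow icmp lannet * 192.168.1.0/24 *",
)]


def check_flows():
    # Constructed sample flows: (proto, src, sport, dst, dport).
    flows = {
        "http_to_B": ("tcp", "10.10.80.5", 40000, "192.168.1.10", 80),
        "ping_to_B": ("icmp", "10.10.80.5", None, "192.168.1.10", None),
        "ssh_to_B": ("tcp", "10.10.80.5", 40001, "192.168.1.10", 22),
        "http_to_inet": ("tcp", "10.10.80.5", 40002, "203.0.113.7", 80),
    }
    return {name: evaluate(RULESET, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{name}: {verdict}")
```

With only these two rules, HTTP and ping from A to B are allowed while SSH to B and HTTP to an outside address fall through to the default deny; that is the point of dropping the default any->LAN->any rule, since a blanket allow makes it impossible to tell from the ruleset which tunnel traffic was intended.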