 
 From:  Dario Rigolin <drigolin at iol dot it>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSEC issue. Failed ESP authentication.
 Date:  Fri, 31 Dec 2004 10:37:46 +0100
I have packets dropped and I didn't create a rule for that.
The configuration of my m0n0 is 4 ethernet interfaces: LAN (fxp0), WAN (fxp1), 
OPT1 (fxp2), OPT2 (fxp3).
On OPT2 (10.23.208.1/26) I have a tunnel to a PIX (10.23.205.65), but the @19 
rule drops all incoming packets on OPT2 and the m0n0 cannot complete the 
authentication phase with the PIX. The firewall log shows UDP packets dropped 
coming from 10.23.205.65 and directed to 10.28.208.1.
Checking the status.php page, I have a dump of all rules...

[lots of rules cut]
  @15 pass out quick on fxp3 proto udp from 10.23.208.1/32 port = 500 to any
  @16 pass out quick on fxp3 proto esp from 10.23.208.1/32 to any
  @17 pass out quick on fxp3 proto ah from 10.23.208.1/32 to any
[lots of rules cut]
  @18 skip 1 in on fxp3 from 10.23.208.0/26 to any
  @19 block in log quick on fxp3 from any to any
[lots of rules cutted]
[then last rules for fxp3]
  @37 block in log quick on fxp3 from any to any head 400
  @1 pass in quick from any to 10.23.208.1/32 keep state group 400
  @2 pass in quick proto udp from 10.23.205.65/32 to 10.23.208.1/32 port = 500 keep state group 400
  @3 pass in quick proto ah from 10.23.205.65/32 to 10.23.208.1/32 keep state group 400
  @4 pass in quick proto esp from 10.23.205.65/32 to 10.23.208.1/32 keep state group 400
  @38 block in log quick from any to any
[end of rules]

What I saw (but I'm not sure) is that @19 is a rule that comes before any other fxp3 
rules and drops all incoming packets. Automagically, rules @15-@17 add 
authentication to the external IPsec endpoint, but no corresponding rules are 
created to accept incoming ESP authentication.
Or maybe the other endpoint isn't configured in the right way. Does anybody 
have a suggestion or hint for me?

Thank you.

-- 
Dario Rigolin
Mobile: +39 347 7232652
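As an added illustration (this is not part of Dario's post and not m0n0wall's or ipfilter's own code), the script below models a simplified version of how ipfilter walks a ruleset: rules are tried in order and the last match wins, a matching `quick` rule ends evaluation at once, `skip N` jumps over the next N rules, and a matching `head N` rule hands the packet to group N and keeps its own action only if nothing in the group matches. It then feeds the fxp3 rules quoted in the dump above (the elided rules are left out, the wrapped lines joined) an IKE (UDP/500) and an ESP packet from the PIX, plus a packet from a host on the OPT2 subnet, and reports which rule decides each one, with and without @19. The packets are constructed for the example, the tiny rule parser only understands the keywords that appear in the dump, and the "pass when nothing matches" fallback is an assumption about ipf's default policy rather than something the post states.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
Packet = namedtuple("Packet", "direction iface proto src dst sport dport", defaults=(None, None))

@dataclass
class Rule:  # hypothetical, simplified ipf rule: only the keywords seen in the dump
    rid: str                     # the @N number from the dump
    action: str                  # pass / block / skip
    direction: str               # in / out
    skip: int = 0                # "skip N": jump over the next N rules
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    sport: Optional[int] = None
    dport: Optional[int] = None
    head: Optional[int] = None   # this rule opens group N
    group: Optional[int] = None  # this rule belongs to group N

def parse_rule(text):
    tok = text.split()
    rid, action = tok.pop(0).lstrip("@"), tok.pop(0)
    skip = int(tok.pop(0)) if action == "skip" else 0
    r, i = Rule(rid, action, tok.pop(0), skip), 0
    while i < len(tok):
        t = tok[i]
        if t in ("log", "keep"):                 # "log" / "keep state": no effect on matching here
            i += 2 if t == "keep" else 1
        elif t == "quick":
            r.quick, i = True, i + 1
        elif t in ("on", "proto", "head", "group"):
            val = int(tok[i + 1]) if t in ("head", "group") else tok[i + 1]
            setattr(r, "iface" if t == "on" else t, val)
            i += 2
        elif t in ("from", "to"):
            net = ANY if tok[i + 1] == "any" else ipaddress.ip_network(tok[i + 1])
            i, port = i + 2, None
            if i < len(tok) and tok[i] == "port":   # "port = N"
                port, i = int(tok[i + 2]), i + 3
            if t == "from":
                r.src, r.sport = net, port
            else:
                r.dst, r.dport = net, port
        else:
            raise ValueError(f"unsupported keyword {t!r} in {text!r}")
    return r

def matches(r, p):
    return (r.direction == p.direction and r.iface in (None, p.iface) and r.proto in (None, p.proto)
            and ipaddress.ip_address(p.src) in r.src and ipaddress.ip_address(p.dst) in r.dst
            and r.sport in (None, p.sport) and r.dport in (None, p.dport))

def walk(rule_list, groups, p):
    """Evaluate one rule list; returns ((action, rid) or None, ended_by_quick)."""
    decision, i = None, 0
    while i < len(rule_list):
        r, i = rule_list[i], i + 1
        if not matches(r, p):
            continue
        if r.action == "skip":
            i += r.skip                          # jump over the next N rules
            continue
        decision = (r.action, r.rid)             # last match wins ...
        if r.head is not None:                   # ... unless group N decides
            sub, ended = walk(groups.get(r.head, []), groups, p)
            decision = sub or decision
            if ended:
                return decision, True
        if r.quick:                              # ... or the match is "quick"
            return decision, True
    return decision, False

def verdict(rule_lines, p):
    rules = [parse_rule(line) for line in rule_lines]
    groups = {g: [r for r in rules if r.group == g] for g in {r.group for r in rules} - {None}}
    decision, _ = walk([r for r in rules if r.group is None], groups, p)
    return decision or ("pass", None)            # assumed ipf default when nothing matches

# fxp3 rules copied from the dump above (elided rules left out, wrapped lines joined)
POSTED_RULES = [
    "@15 pass out quick on fxp3 proto udp from 10.23.208.1/32 port = 500 to any",
    "@18 skip 1 in on fxp3 from 10.23.208.0/26 to any",
    "@19 block in log quick on fxp3 from any to any",
    "@37 block in log quick on fxp3 from any to any head 400",
    "@1 pass in quick from any to 10.23.208.1/32 keep state group 400",
    "@2 pass in quick proto udp from 10.23.205.65/32 to 10.23.208.1/32 port = 500 keep state group 400",
    "@4 pass in quick proto esp from 10.23.205.65/32 to 10.23.208.1/32 keep state group 400",
    "@38 block in log quick from any to any",
]
# constructed packets: IKE and ESP from the PIX, and an OPT2 host talking to the m0n0 itself
IKE_FROM_PIX = Packet("in", "fxp3", "udp", "10.23.205.65", "10.23.208.1", 500, 500)
ESP_FROM_PIX = Packet("in", "fxp3", "esp", "10.23.205.65", "10.23.208.1")
LAN_TO_M0N0 = Packet("in", "fxp3", "tcp", "10.23.208.10", "10.23.208.1", 40000, 80)

if __name__ == "__main__":
    for name, pkt in (("IKE", IKE_FROM_PIX), ("ESP", ESP_FROM_PIX), ("OPT2 host", LAN_TO_M0N0)):
        print(f"{name} as posted: {verdict(POSTED_RULES, pkt)}")
    print("IKE without @19:", verdict([l for l in POSTED_RULES if not l.startswith('@19 ')], IKE_FROM_PIX))
```

Under these semantics the IKE and ESP packets from 10.23.205.65 never reach the group 400 rules: @18 only skips @19 for sources inside 10.23.208.0/26, so the PIX traffic hits @19 first and is blocked there, whereas the OPT2 host's packet skips @19 and is passed by @1. Remove @19 from the list and the same IKE packet is passed by @1 in group 400, which is what the group rules @1-@4 were generated for.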