 
 From:  Rick Preston <rickjpreston at gmail dot com>
 To:  Diego Canalis <diegocanalis at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problem with VPN
 Date:  Fri, 7 Jan 2005 19:13:21 -0500
I'll try. I don't think you need NAT; however, I believe you need rules
between the two networks. Like "Pass any 10.91.0.0/23 any
10.0.254.0/24 any" on 10.0.0.5/23, and switch that around for
10.0.0.3/23. Of course, just for testing; I wouldn't recommend leaving
that rule enabled. IMO you should just open the ports you need.

Also check the WAN interface settings and uncheck 'Block private
networks' near the bottom.

Good luck


On Fri, 7 Jan 2005 13:00:42 -0300, Diego Canalis <diegocanalis at gmail dot com> wrote:
> Hi guys
> 
> I have two monowalls in my network; this is a description:
> 
>       LAN 10.91.0.0/23
>                   |
>     ________|________
>             monowall
>     -----------------------------
>                  | |               WAN IP 10.0.0.5/23
>                  | |  IPsec
>                  | |
>     _______ | |_______ WAN IP 10.0.0.3/23
>             monowall
>     -----------------------------
>                   |
>                   |
>         LAN 10.0.254.1/24
> 
> I've made the basic configuration for the VPN tunnel on both sides.
> These are the values:
> 
> Negotiation mode  main
> My identifier  My IP address
> Encryption algorithm  3DES
> Hash algorithm  MD5
> DH key group   2
> Protocol  ESP
> Encryption algorithms  3DES
> Hash algorithms  MD5
> PFS key group  2
> 
> and the logs are:
> 
> Jan 7 09:48:05 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i():
> initiate new phase 1 negotiation: 10.0.0.3[500]<=>10.0.0.5[500]
> Jan 7 09:48:05 racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin
> Identity Protection mode.
> Jan 7 09:48:05 racoon: INFO: vendorid.c:128:check_vendorid(): received
> Vendor ID: KAME/racoon
> Jan 7 09:48:05 racoon: INFO: vendorid.c:128:check_vendorid(): received
> Vendor ID: KAME/racoon
> Jan 7 09:48:06 racoon: INFO: isakmp.c:2459:log_ph1established():
> ISAKMP-SA established 10.0.0.3[500]-10.0.0.5[500]
> spi:9ebb6c6c2cb0b35b:3bcc147f0eb8cf97
> Jan 7 09:48:07 racoon: INFO: isakmp.c:952:isakmp_ph2begin_i():
> initiate new phase 2 negotiation: 10.0.0.3[0]<=>10.0.0.5[0]
> Jan 7 09:44:51 last message repeated 2 times
> Jan 7 09:48:07 /kernel: WARNING: pseudo-random number generator used
> for IPsec processing
> Jan 7 09:48:07 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA
> established: ESP/Tunnel 10.0.0.5->10.0.0.3 spi=37791830(0x240a856)
> Jan 7 09:48:07 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA
> established: ESP/Tunnel 10.0.0.3->10.0.0.5 spi=229127567(0xda8358f)
> 
> It seems to work fine, but I can't see the subnets from either side.
> I can't ping the computers from one LAN to the other;
> maybe I have to make NAT rules on both sides???
> Any ideas, suggestions??
> 
> Thanks
> 
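Added example (not part of the thread, and not m0n0wall's own code): a small Python script that does the two checks the exchange above turns on. First it parses the racoon/kernel lines Diego posted (copied inline so it runs offline) and confirms that phase 1 came up and that a child SA exists in both directions, which is the "tunnel is fine" conclusion; it also surfaces the kernel WARNING line rather than letting it scroll past. Then it models first-match firewall evaluation for traffic arriving through the tunnel, to show why pings are dropped with no rules (this assumes the interface is default-deny, which is what Rick's advice implies), what the broad "Pass any ... any" test rule lets through, and how a scoped rule set opens only what is needed. The Rule class, the rule sets, and the helper names are mine, not m0n0wall's configuration format.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the racoon/kernel lines quoted in the thread above,
# reproduced verbatim so the script runs without a m0n0wall to hand.
RACOON_LOG = """\
Jan 7 09:48:05 racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 10.0.0.3[500]<=>10.0.0.5[500]
Jan 7 09:48:06 racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 10.0.0.3[500]-10.0.0.5[500] spi:9ebb6c6c2cb0b35b:3bcc147f0eb8cf97
Jan 7 09:48:07 racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 10.0.0.3[0]<=>10.0.0.5[0]
Jan 7 09:48:07 /kernel: WARNING: pseudo-random number generator used for IPsec processing
Jan 7 09:48:07 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 10.0.0.5->10.0.0.3 spi=37791830(0x240a856)
Jan 7 09:48:07 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 10.0.0.3->10.0.0.5 spi=229127567(0xda8358f)
"""

PH1_RE = re.compile(r"ISAKMP-SA established (\S+)\[500\]-(\S+)\[500\]")
PH2_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (\S+)->(\S+) spi=(\d+)")
WARN_RE = re.compile(r"WARNING: (.*)$")


def tunnel_state(log: str) -> dict:
    """Summarise what racoon reported: phase 1 up, phase 2 up both ways, kernel warnings."""
    phase1 = set()      # unordered peer pairs with an ISAKMP SA
    phase2 = {}         # (src, dst) -> SPI for each child SA
    warnings = []
    for line in log.splitlines():
        if m := PH1_RE.search(line):
            phase1.add(frozenset(m.groups()))
        if m := PH2_RE.search(line):
            phase2[(m.group(1), m.group(2))] = int(m.group(3))
        if m := WARN_RE.search(line):
            warnings.append(m.group(1))
    peers = {p for pair in phase1 for p in pair}
    # A working tunnel needs an ESP SA in each direction between the two peers.
    bidirectional = bool(peers) and all(
        (a, b) in phase2 for a in peers for b in peers if a != b
    )
    return {
        "phase1_up": bool(phase1),
        "phase2_bidirectional": bidirectional,
        "child_sa_count": len(phase2),
        "warnings": warnings,
    }


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    proto: str                  # "any", "icmp", "tcp", "udp"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int] = None  # None matches any destination port


def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching rule wins; no match means block (assumed default-deny interface)."""
    for r in rules:
        if r.proto not in ("any", proto):
            continue
        if not (_net_match(r.src, src) and _net_match(r.dst, dst)):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"


# Hypothetical rule sets for traffic arriving through the tunnel from
# LAN 10.91.0.0/23 towards LAN 10.0.254.0/24 (addresses from the thread).
NO_RULES = []
# Rick's "just for testing" rule: Pass any 10.91.0.0/23 any 10.0.254.0/24 any
TEST_RULE = [Rule("pass", "any", "10.91.0.0/23", "10.0.254.0/24")]
# "Just open the ports you need": ICMP for the ping test plus one service.
SCOPED_RULES = [
    Rule("pass", "icmp", "10.91.0.0/23", "10.0.254.0/24"),
    Rule("pass", "tcp", "10.91.0.0/23", "10.0.254.0/24", dport=443),
]

if __name__ == "__main__":
    print(tunnel_state(RACOON_LOG))
    for name, rules in (("no rules", NO_RULES), ("test rule", TEST_RULE), ("scoped", SCOPED_RULES)):
        ping = evaluate(rules, "icmp", "10.91.0.5", "10.0.254.10")
        smb = evaluate(rules, "tcp", "10.91.0.5", "10.0.254.10", 445)
        print(f"{name:9s} ping={ping} tcp/445={smb}")
```

The point of running both halves together: the log parser says the SAs are up, so the missing piece is rule evaluation, and the scoped set gives the same ping result as the broad test rule while still blocking tcp/445 and anything from outside 10.91.0.0/23.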