On 21.02.2005 13:30 +0100, Holger Bauer wrote:

> All my WRAPS with 1.2b3 work stable so far, only thing is, that
> IPSEC doesn't work with any of the 1.2bs in the following situation:
>
> m0n0 with fixed IP ---- m0n0 with dynamic IP
>
> everything is configured right and the tunnel comes up the first
> time you use it. After the lifetime has expired the new keys can't
> be exchanged and the tunnel doesn't come up again unless you click
> "Save" on the IPSEC-settingpage of the dynamic m0n0 without
> changing anything. I reported this behavior before, but nobody
> cared about it. :-( Going back to 1.11 works rockstable.

The only major changes (as far as IPsec is concerned) are the kernel fix to prefer newer SAs over older ones, and the fact that proposal_check in racoon.conf is now set to "claim" instead of "obey". Try turning off the kernel hack using

  sysctl -w net.key.preferred_oldsa=1

in /exec.php after it has booted (this change is lost on reboot, when you apply/save new IPsec settings or when your WAN IP address changes).

> Another thing I found out is that there are problems with newer
> dsl-modems and m0n0s pppoe. I can provide logs, if you need them,
> but it seems that the link up request times out although the
> servername of the distant server can be seen. This happens with
> more than one specific vendor (for example the new netgear modem
> DG632B, products from t-com, ....) I am very unhappy about that, as
> the problem seems to appear with nearly every new modem I get to
> test. I tested different providers and also have different
> connections to test on. The same modems work with other products on
> the same wanconnection. This happens also with 1.11.

Huh? This is the first time that I hear of this issue. The latest modems that I've used with m0n0wall are ZyXEL 623MEs. But yes, please do send me the logs.

There aren't many parameters to PPPoE; FreeBSD's ng_pppoe has a sysctl variable to control interoperation with "broken PPPoE implementations":

  sysctl -w net.graph.nonstandard_pppoe=1

and after that click "Save" on the WAN setup page again. I doubt that it's the solution as you probably wouldn't be seeing the remote server name if that was the problem, but maybe it's still worth a try.

If anyone has an ADSL modem with this issue and would be willing to lend it to me for testing, please contact me (Annex B ADSL line available here).

- Manuel