Hi,
this is a follow-up to my last post. I'm including my configuration
variables this time; maybe there's a problem somewhere.
I have yet to test the advice from Vincent to use ping -S, but since
it's pretty time-consuming with my other endpoint to run further tests, I
am trying to gather as much info as I could possibly need for further debugging.
As I said, ping from my m0n0 to the remote ipsec endpoint works, but ping
from my local lan behind m0n0 cannot reach the other net behind the
remote ipsec gate. Basically, as I saw from the packets, m0n0 sent them to
the internet default gateway of my provider.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interface: WAN
Local subnet: Network 10.0.0.0/8
Remote subnet: 192.168.1.0/24
Remote gateway: 212.213.214.215
Phase 1 proposal (Authentication)
Negotiation mode: main
My identifier: My IP address
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 5 (1536 bit)
Lifetime: 28800
Pre-Shared Key: verylongstring
Phase 2 proposal (SA/Key Exchange)
Protocol: ESP
Encryption algorithms: 3DES (the only one checked)
Hash algorithms: MD5
PFS key group: off
Lifetime: 28800
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I've explicitly allowed the AH and ESP protocols in the rules and also
UDP Port 500.
When I ping from 10.x.y.z to 192.168.1.x it goes to the WAN gateway instead.
What could possibly be the cause for the m0n0wall not redirecting my LAN
pings to the remote net properly?
thanks again,
- Markus