 From:  Vincent Fleuranceau <vincent at bikost dot com>
 To:  Markus Fischer <markus at fischer dot name>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC and access from complete internal LAN to tunneled subnet
 Date:  Thu, 31 Mar 2005 14:19:29 +0200
Markus,

> As I told, ping from my m0m0 to remote ipsec endpoint works, but ping 
> from my local lan behind m0n0 cannot reach the other net behind the 
> remote ipsec gate. Basically as I saw the packets, m0n0 sent them to 
> internet default gateway of my provider.

This is normal, I think. In fact, as long as m0n0wall does not use any 
dedicated (virtual) interface for its IPsec traffic, there is no 
special route entry for it. It's a matter of packet encapsulation; 
routing is not involved at all here. Tools like traceroute see nothing 
between the two tunnel ends.


> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Interface:              WAN
> Local subnet:           Network
>                         10.0.0.0/8
> Remote subnet:          192.168.1.0/24
> Remote gateway:         212.213.214.215
> 
> Phase 1 proposal (Authentication)
> 
> Negotiation mode:        main
> My identifier:           My IP address
> Encryption algorithm:    3DES
> Hash algorithm:          MD5
> DH key group:            5 (1536 bit)
> Lifetime:                28800
> Pre-Shared Key:          verylongstring
> 
> Phase 2 proposal (SA/Key Exchange)
> 
> Protocol:                ESP
> Encryption algorithms:   3DES (the only one checked)
> Hash algorithms:         MD5
> PFS key group:           off
> Lifetime:                28800
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You may have a problem with these parameters not matching on both IPsec 
configurations. For testing purposes, I would use aggressive mode instead 
of main. Again, if it can help you, here is what I currently use:

Negotiation mode:        aggressive
My identifier:           My IP address
Encryption algorithm:    Blowfish
Hash algorithm:          SHA1
DH key group:            2 (1024 bit)
Lifetime:                86400
Pre-Shared Key:

Phase 2 proposal (SA/Key Exchange)

Protocol:                ESP
Encryption algorithms:   Blowfish (the only one checked)
Hash algorithms:         SHA1
PFS key group:           2 (1024 bit)
Lifetime:                21600

To do: try with these settings and let us know if something has changed.

Question: did you double-verify the subnet mask for the 'remote subnet' 
entries on both ends?

> I've explicitly allowed the AH and ESP protocol in the rules and also 
> UDP Port 500.

In fact m0n0wall auto-magically adds the necessary firewall pass rules 
for IPsec. You can verify this on the status.php (hidden) page of the 
WebGUI. If you take a look at the 'unparsed ipfilter rules' section, you 
should see something like this:

# Pass IKE packets
pass in quick on ng0 proto udp from any to <WAN_IP_ADDRESS> port = 500
pass out quick on ng0 proto udp from <WAN_IP_ADDRESS> port = 500 to any

# Pass ESP packets
pass in quick on ng0 proto esp from any to <WAN_IP_ADDRESS>
pass out quick on ng0 proto esp from <WAN_IP_ADDRESS> to any

# Pass AH packets
pass in quick on ng0 proto ah from any to <WAN_IP_ADDRESS>
pass out quick on ng0 proto ah from <WAN_IP_ADDRESS> to any

# Pass IKE packets
pass in quick on sis0 proto udp from any to <LAN_IP_ADDRESS> port = 500
pass out quick on sis0 proto udp from <LAN_IP_ADDRESS> port = 500 to any

# Pass ESP packets
pass in quick on sis0 proto esp from any to <LAN_IP_ADDRESS>
pass out quick on sis0 proto esp from <LAN_IP_ADDRESS> to any

# Pass AH packets
pass in quick on sis0 proto ah from any to <LAN_IP_ADDRESS>
pass out quick on sis0 proto ah from <LAN_IP_ADDRESS> to any

NOTICE: In my case, ng0 is the WAN interface since I use PPPoE and sis0 
is my LAN interface (default on Soekris gear).

Question: do you have such entries?

Good luck!

-- Vincent
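The two checks Vincent proposes, matching the Phase 1 / Phase 2 parameters and double-checking the subnet masks on both ends, as an added example that is not part of the original thread or of m0n0wall. It assumes each end's tunnel settings are pasted in the WebGUI's "Key: value" layout with one value per line; both sample configurations below are constructed, and the far end carries two deliberate faults.

```python
import ipaddress
import re
# Constructed sample in the WebGUI "Key: value" layout quoted in the thread; not the poster's config.
SITE_A = """\
Local subnet: 10.0.0.0/8
Remote subnet: 192.168.1.0/24
Phase 1 proposal (Authentication)
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 5 (1536 bit)
Lifetime: 28800
Phase 2 proposal (SA/Key Exchange)
Encryption algorithms: 3DES (the only one checked)
Hash algorithms: MD5
PFS key group: off
Lifetime: 28800
"""
# Far end, constructed: subnets mirrored as they must be, but a /16 mask where /8 is expected and a different DH group.
SITE_B = (SITE_A.replace("Local subnet: 10.0.0.0/8", "Local subnet: 192.168.1.0/24")
                .replace("Remote subnet: 192.168.1.0/24", "Remote subnet: 10.0.0.0/16")
                .replace("DH key group: 5 (1536 bit)", "DH key group: 2 (1024 bit)"))
def parse_end(text):
    # 'Lifetime' occurs in both phases, so each line is filed under the last phase header seen
    end = {"subnets": {}, "Phase 1": {}, "Phase 2": {}}
    section = "subnets"
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # tolerate mail-quoted lines
        m = re.match(r"Phase ([12]) proposal", line)
        if m:
            section = "Phase " + m.group(1)
        elif ":" in line:
            key, value = (p.strip() for p in line.split(":", 1))
            value = re.sub(r"\(.*?\)", "", value).strip().lower()  # drop "(1536 bit)" etc.
            if section == "subnets":
                end["subnets"][key] = ipaddress.ip_network(value, strict=False)
            else:
                end[section][key] = value
    return end
def compare_ends(a, b):
    # Returns a list of mismatch descriptions; an empty list means the two ends agree.
    problems = []
    # each end's Remote subnet must equal the other end's Local subnet, address AND mask
    for mine, theirs in (("Local subnet", "Remote subnet"), ("Remote subnet", "Local subnet")):
        if a["subnets"].get(mine) != b["subnets"].get(theirs):
            problems.append(f"A {mine} {a['subnets'].get(mine)} != B {theirs} {b['subnets'].get(theirs)}")
    for phase in ("Phase 1", "Phase 2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase} {key}: A={a[phase].get(key)!r} B={b[phase].get(key)!r}")
    return problems
```

Running `compare_ends(parse_end(SITE_A), parse_end(SITE_B))` on the constructed pair reports exactly the two planted faults: the 10.0.0.0/8 versus 10.0.0.0/16 mask and the Phase 1 DH group.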