I managed to figure out what I did wrong. I made the mistake of connecting m0n0wall's LAN interface to a network that already had a default route set up for the client machines on that network. Whenever I pinged those LAN clients from my VPN client, I would not get a reply back. However, if I reconfigured those LAN clients' default route to point to m0n0wall, everything worked as expected.

Sorry for the mistake & if I caused any unnecessary noise on the list. Thanks to those for the replies.

Tony

> I gather this is your configuration:
> mobile IPsec client -- (10.1.1.201)m0n0wall(192.168.1.1?) -- LAN
>
> without hubs or switches anywhere; please correct me if I'm wrong.
>
> Stupid questions:
>
> - Have you confirmed that the LAN clients can ping the external
>   client's external IP?
> - How are you checking whether packets hit the LAN? Are you running a
>   sniffer (something like Ethereal) on the LAN client?
> - When you hit the m0n0wall's webgui from the WAN interface, are you
>   doing so via an encrypted tunnel to m0n0's internal IP, or over a
>   regular IP connection to the external IP?
> - You showed us the system log; what do the m0n0wall's firewall logs
>   show?
>
> -klode
>
> On Mar 29, 2005 1:22 PM, Tony <m0n0wall at switchout dot com> wrote:
>>
>> Yes, I've tried that with no luck either.
>>
>> Regards,
>> Tony
>>
>> > Since it is a test on your own switch you can use any real IP address
>> > on the WAN without any problems. Have you tried to do that?
>> >
>> > sai
>> >
>> > On Tue, 29 Mar 2005 00:17:57 -0800 (PST), Tony <m0n0wall at switchout dot com>
>> > wrote:
>> >> Hello,
>> >>
>> >> Following are my IPSEC configs for "Mobile Clients"
>> >>
>> >> Phase 1 proposal (Authentication)
>> >> ---------------------------------
>> >> Negotiation Mode = aggressive
>> >> My Identifier = My IP address
>> >> Encryption algorithm = SHA1
>> >> DH Key group = 2
>> >>
>> >> Phase 2 proposal (SA/Key Exchange)
>> >> ----------------------------------
>> >> Protocol = ESP
>> >> Encryption algorithms = 3DES
>> >> Hash algorithms = SHA1
>> >> PFS key group = 2
>> >>
>> >> 10.1.1.200 = laptop connected to the same switch as m0n0wall's WAN
>> >> interface
>> >> 10.1.1.201 = m0n0wall's WAN interface
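
The routing mistake described at the top of this thread, as an added example that is not part of the original posts: a longest-prefix-match lookup that shows which gateway each LAN host hands its reply to, and flags the hosts whose return path bypasses the IPsec gateway. The 192.168.1.254 router, the host names and the route tables are constructed; 192.168.1.1 as m0n0wall's LAN address is the guess quoted in the thread, and the host-route case (`lan-c`) goes beyond what the thread tried.

```python
import ipaddress

IPSEC_GW = "192.168.1.1"     # m0n0wall LAN address as guessed in the thread
OTHER_GW = "192.168.1.254"   # constructed: the router the LAN already used
VPN_CLIENT = "10.1.1.200"    # the test laptop from the thread

# Constructed per-host route tables as (prefix, gateway) pairs.
HOSTS = {
    # Default route still points at the pre-existing router (the reported mistake).
    "lan-a": [("192.168.1.0/24", "on-link"), ("0.0.0.0/0", OTHER_GW)],
    # Default route repointed to m0n0wall (the fix described in the thread).
    "lan-b": [("192.168.1.0/24", "on-link"), ("0.0.0.0/0", IPSEC_GW)],
    # Assumption, not from the thread: keep the old default, add a host route.
    "lan-c": [("192.168.1.0/24", "on-link"), ("0.0.0.0/0", OTHER_GW),
              (VPN_CLIENT + "/32", IPSEC_GW)],
}


def next_hop(routes, dst):
    """Longest-prefix match: gateway of the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(prefix), gw) for prefix, gw in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None  # no route at all: the reply is never sent
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit(hosts, vpn_client, ipsec_gw):
    """Names of hosts whose replies to vpn_client do not go via ipsec_gw."""
    return sorted(name for name, routes in hosts.items()
                  if next_hop(routes, vpn_client) != ipsec_gw)


if __name__ == "__main__":
    for name, routes in HOSTS.items():
        print(name, "replies via", next_hop(routes, VPN_CLIENT))
    print("return path bypasses m0n0wall:", audit(HOSTS, VPN_CLIENT, IPSEC_GW))
```
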