[ previous ] [ next ] [ threads ]
 From:  Carlo Landmeter <clandmeter at gmail dot com>
 To:  Will Dyson <will dot dyson at gmail dot com>
 Cc:  Chris Buechler <cbuechler at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] I don't want to go back using Cisco....
 Date:  Thu, 23 Jun 2005 10:23:29 +0200
I have looked and looked in every direction but i cannot find what i
am doing wrong.
If i look at my setup it is so basic that there isn't much what i can do wrong?

1. Our Cisco router behind the DMZ interface is working just fine when
a tunnel is created without GRE, but when a tunnel is created with GRE
it does not work.

2. One of my servers which is also behind the DMZ interface also works
just fine untill i try to create a PPTP tunnel from this server to my
home m0n0wall while when i try to create this tunnel from behind the
LAN interface it works witout any problems.

3. Now if the m0n0wall is blocking GRE traffic it should atleast show
up in my log files which it doesn't.

With the 3 points mention above i can only come to the conclusion that
this is not a configuration problem but can only be a bug or a
limitation of the software.

Is there maybe somebody here with a similar setup (advanced outbound
nat with a routed subnet) who could simulate what im trying to do
here? Maybe Manuel himself?

I'm sorry to bother but I like my m0n0wall too much to just remove it
and let it be replaced by something else...



On 5/26/05, Will Dyson <will dot dyson at gmail dot com> wrote:
> On 5/24/05, Carlo Landmeter <clandmeter at gmail dot com> wrote:
> > I have tried using the Cisco to Cisco vpn tunnel and windows 2003 vpn
> > client to connect to another m0n0wall without success.
> >
> > If anyone can help me/give advise to analyse the traffic that would be nice.
> >
> > Attached you will find my config which I discussed in my previous mail.
> Config certainly looks correct for a routed subnet.
> You implied but did not directly state that you have tested accessing
> (from a remote network) some tcp based service on the vpn machine.
> Was your vpn client on the same network when you sucessfully tested
> the pptp server on the router that you were when you made the failed
> tests to vpn servers in your DMZ? Some PNAT implementations have code
> to allow a single GRE tunnel to traverse them. Others do not.
> You could add logging pass rules  in each direction for GRE packets to
> the router to verify that they are going through (before the default
> pass rule).
> Beyond that, I suggest you investigate the logs of your vpn client and
> vpn server.
> --
> Will Dyson