 From:  "dasz" <daszylstra at comcast dot net>
 To:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] SNMP traffic over IPSEC
 Date:  Tue, 28 Feb 2006 09:03:40 -0500
Every other function does seem to work - they have about 100+ nodes at each
location and they can ping, telnet, ftp, http, do firmware/software
upgrades, etc just fine to all nodes; it only seems to be the SNMP traffic
heading back to their central office that fails -- when I look at the Mono
firewall log it shows the SNMP traffic being blocked with a source and
destination that is definitely in the IPSEC IP range, so for some reason
Mono is ignoring the destination IP and trying to pass it through the
firewall . . . . .

example of config at remote location (IPs sanitized):
IPSEC:  remote -, local  (yes they asked for a
pretty big IP range)
Here's one line from the Mono firewall log:
LAN; source =, port 161; destination =, port 162;
proto = UDP

At one location I have a secondary firewall that is logging traffic to/from
their range and it is showing SNMP coming in and going out - but when the
return traffic hits Mono the log shows it getting blocked.

When I searched the archives there were a few posts in 2004 where someone
had the same issue, but there was no resolution posted if it was figured out
. . . . . .

I should have time Thu to upgrade on one of the Monos to see if it works . .
. . . I was hoping to find someone to confirm that they are passing SNMP
traffic over a Mono IPSEC to prove that I have something mis-configured . .
. . .

David Zylstra
(586) 764 9858
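One way to pull the symptom described in the message above out of a m0n0wall firewall log, as an added example (this is not code from the list thread or from m0n0wall): parse lines in the format quoted there, keep the UDP entries on SNMP ports 161/162, and flag the ones whose source and destination sit on opposite sides of a configured IPsec subnet pair. The log line on the page has its addresses sanitized, so the subnets and the log lines below are constructed samples, and the assumption that every line is a block entry follows the excerpt in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line format as it appears in the m0n0wall firewall-log excerpt in this thread:
#   LAN; source = A.B.C.D, port 161; destination = E.F.G.H, port 162; proto = UDP
LOG_RE = re.compile(
    r"^(?P<iface>\w+);\s*source\s*=\s*(?P<src>[\d.]+),\s*port\s*(?P<sport>\d+);"
    r"\s*destination\s*=\s*(?P<dst>[\d.]+),\s*port\s*(?P<dport>\d+);"
    r"\s*proto\s*=\s*(?P<proto>\w+)$"
)

SNMP_PORTS = {161, 162}  # SNMP agent/manager port and trap-receiver port

Tunnel = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (local, remote)


@dataclass
class LogEntry:
    iface: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


@dataclass
class Finding:
    entry: LogEntry
    direction: str  # "outbound" (local -> remote) or "inbound" (remote -> local)


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one firewall-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        iface=m["iface"],
        src=ipaddress.IPv4Address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]),
        dport=int(m["dport"]),
        proto=m["proto"].upper(),
    )


def tunnel_direction(entry: LogEntry, tunnels: List[Tunnel]) -> Optional[str]:
    """Say which way the packet crosses a configured IPsec subnet pair, or None
    if its endpoints do not lie on opposite sides of any pair."""
    for local, remote in tunnels:
        if entry.src in local and entry.dst in remote:
            return "outbound"
        if entry.src in remote and entry.dst in local:
            return "inbound"
    return None


def find_blocked_tunnel_snmp(lines: List[str], tunnels: List[Tunnel]) -> List[Finding]:
    """Flag blocked UDP SNMP packets whose endpoints should have been carried by
    the tunnel. Every parsable line is treated as a block entry, as in the
    excerpt in the thread; unparsable lines are skipped."""
    findings: List[Finding] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.proto != "UDP":
            continue
        if not ({entry.sport, entry.dport} & SNMP_PORTS):
            continue
        direction = tunnel_direction(entry, tunnels)
        if direction is not None:
            findings.append(Finding(entry, direction))
    return findings


# Constructed sample: one remote site (10.20.0.0/16) tunnelled to a
# central office (10.1.0.0/16). Not the addresses from the thread.
TUNNELS: List[Tunnel] = [
    (ipaddress.IPv4Network("10.20.0.0/16"), ipaddress.IPv4Network("10.1.0.0/16")),
]

# Constructed sample log lines in the format shown in the thread.
SAMPLE_LOG = [
    "LAN; source = 10.20.0.15, port 161; destination = 10.1.1.5, port 162; proto = UDP",
    "LAN; source = 10.20.0.15, port 49152; destination = 203.0.113.9, port 80; proto = TCP",
    "LAN; source = 10.20.0.15, port 161; destination = 10.20.0.99, port 162; proto = UDP",
    "WAN; source = 198.51.100.7, port 500; destination = 203.0.113.1, port 500; proto = UDP",
    "garbage line that the parser must skip",
]

if __name__ == "__main__":
    for f in find_blocked_tunnel_snmp(SAMPLE_LOG, TUNNELS):
        e = f.entry
        print(f"{f.direction:8} {e.iface}: {e.src}:{e.sport} -> {e.dst}:{e.dport} "
              "blocked although both endpoints are inside the IPsec subnets")
```

Only the first sample line is reported: it is UDP on an SNMP port and its endpoints straddle the local/remote pair. The LAN-to-LAN SNMP line and the IKE (UDP 500) line between the firewalls' public addresses are legitimately outside the tunnel policy and stay quiet, which is the distinction an admin wants when deciding whether the block is a tunnel-policy problem or ordinary rule behaviour.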

-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Monday, February 27, 2006 6:37 PM
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] SNMP traffic over IPSEC

On 2/27/06, daszylstra at comcast dot net <daszylstra at comcast dot net> wrote:
> Thanks . . . . . I did read the FAQ and it sounded like it pertained only
> to routing SNMP traffic from Mono itself, but I figured it must also somehow
> carry over to SNMP traffic from the LAN . . . . . . . I will upgrade one and
> test - I've been pressed for time and didn't want to upgrade their Monos
> until I had plenty of time to commit on the slight chance I come up with
> a few of the issues other people have reported when they upgrade (these
> locations have 5-10 IPSEC connections running that I need to make sure
> come back up quickly)

Ah, ok yeah.  Sorry, I misread your message.  From LAN hosts
themselves across VPN, that's another story.  There isn't any reason
that shouldn't work.  Can you ping to/from those hosts, and other
services work, it's just SNMP that doesn't work?


To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch