Every other function does seem to work - they have about 100+ nodes at each
location and they can ping, telnet, ftp, http, do firmware/software
upgrades, etc just fine to all nodes; it only seems to be the SNMP traffic
heading back to their central office that fails -- when I look at the Mono
firewall log it shows the SNMP traffic being blocked with a source and
destination that is definitely in the IPSEC IP range, so for some reason
Mono is ignoring the destination IP and trying to pass it through the
firewall . . . . .
example of config at remote location (IPs sanitized):
IPSEC: remote - 192.168.2.0/24, local 18.104.22.168/22 (yes they asked for a
pretty big IP range)
Here's one line from the Mono firewall log:
LAN; source = 22.214.171.124, port 161; destination = 192.168.2.50, port 162;
proto = UDP
At one location I have a secondary firewall that is logging traffic to/from
their range and it is showing SNMP coming in and going out - but when the
return traffic hits Mono the log shows it getting blocked.
When I searched the archives there were a few posts in 2004 where someone
had the same issue, but there was no resolution posted if it was figured
out . . . . . .
I should have time Thu to upgrade on one of the Monos to see if it
works . . . . . I was hoping to find someone to confirm that they are passing
SNMP traffic over a Mono IPSEC to prove that I have something
mis-configured . . . . .
(586) 764 9858
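As an added triage helper (not from the thread or from m0n0wall itself), the following Python parses firewall log lines in the format quoted above and flags blocked packets whose source lies in the IPsec policy's local selector and whose destination lies in its remote selector, i.e. traffic that should have been carried by the tunnel rather than evaluated by the interface rules. The subnets are the sanitized ones quoted in the thread; the two sample log lines and the host address 18.104.22.170 are constructed for the example.

```python
import ipaddress
import re

# IPsec policy as quoted in the thread (IPs sanitized there). strict=False
# lets ip_network() turn the host-style "18.104.22.168/22" into its network.
IPSEC_POLICY = {"local": "18.104.22.168/22", "remote": "192.168.2.0/24"}

# Constructed sample lines in the m0n0wall log format quoted in the thread:
# an SNMP reply from a tunnel-local host to the central office, then ordinary
# web traffic that the interface rules are genuinely meant to evaluate.
SAMPLE_LOG = [
    "LAN; source = 18.104.22.170, port 161; destination = 192.168.2.50, port 162; proto = UDP",
    "LAN; source = 18.104.22.170, port 51000; destination = 203.0.113.9, port 80; proto = TCP",
]

LOG_RE = re.compile(
    r"^(?P<iface>\w+); source = (?P<src>[\d.]+), port (?P<sport>\d+); "
    r"destination = (?P<dst>[\d.]+), port (?P<dport>\d+); proto = (?P<proto>\w+)$"
)
SERVICE_NAMES = {161: "snmp", 162: "snmp-trap"}

def parse_log_line(line):
    # One m0n0wall firewall log line -> dict, or None if it is not in that format.
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {"iface": m["iface"], "proto": m["proto"],
            "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"])}

def inside_tunnel_selectors(entry, policy=IPSEC_POLICY):
    # True when src lies in the local selector and dst in the remote one:
    # such a packet belongs to the tunnel and should never reach the rule set.
    local = ipaddress.ip_network(policy["local"], strict=False)
    remote = ipaddress.ip_network(policy["remote"], strict=False)
    return entry["src"] in local and entry["dst"] in remote

def triage(lines, policy=IPSEC_POLICY):
    # Return blocked entries the tunnel should have carried, tagged with the
    # service name of the destination port so SNMP traps stand out.
    findings = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None and inside_tunnel_selectors(entry, policy):
            entry["service"] = SERVICE_NAMES.get(entry["dport"], str(entry["dport"]))
            findings.append(entry)
    return findings
```

Running `triage(SAMPLE_LOG)` reports only the first sample line, which is the pattern described in the message: a blocked UDP 161 to 162 packet between two tunnel-selector addresses, while the web traffic to an outside address is left to the rules as expected.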
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Monday, February 27, 2006 6:37 PM
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] SNMP traffic over IPSEC
On 2/27/06, daszylstra at comcast dot net <daszylstra at comcast dot net> wrote:
> Thanks . . . . . I did read the FAQ and it sounded like it pertained only
> to routing SNMP traffic from Mono itself, but I figured it must also somehow
> carry over to SNMP traffic from the LAN . . . . . . . I will upgrade one and
> test - I've been pressed for time and didn't want to upgrade their Monos until
> I had plenty of time to commit on the slight chance I come up with a few of
> the issues other people have reported when they upgrade (these locations have
> 5-10 IPSEC connections running that I need to make sure come back up quickly)
Ah, ok yeah. Sorry, I misread your message. From LAN hosts
themselves across VPN, that's another story. There isn't any reason
that shouldn't work. Can you ping to/from those hosts, and other
services work, it's just SNMP that doesn't work?
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch