 From:  Nicolai Scheer <scope at planetavent dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problems with IPSEC and NAT over m0n0wall fw
 Date:  Mon, 06 Mar 2006 16:32:08 +0100

Mark Huizer wrote:
> Hello,
> I checked Google and the m0n0wall mailing list for something resembling
> my problems, but I couldn't find anything that was close enough.
> We have a vpn gateway at a public IP address (linux, openswan,
> certificates) using IPSEC/L2TP vpns for Windows XP roadwarriors.
> So far so good, works like a charm.
> Now one roadwarrior has a m0n0wall firewall at home, and he cannot get
> the VPN working.
> The setup is basically:
> VPNGW  ---- internet ---- m0n0wall ----- Windows XP
> the m0n0wall is doing NAT, no firewalling, just a basic 'insert CD,
> configure LAN/WAN interfaces and DHCP and connect the Windows box'
> install. The version is 1.21.
> I installed a minimal FreeBSD system (FreeBSD 6.0) with ipfw/natd, to
> make sure that his Windows configuration wasn't the issue, and as was to be
> expected: that worked like a charm.
> It seems that somehow the NAT or some other IP related issue at the
> m0n0wall box is causing this vpn connection not to work.
> The VPN gateway sees traffic coming in, some traffic is exchanged but as
> soon as the NAT-T related stuff should kick in, the problems start.
> With tcpdump on the VPN gateway I see traffic coming in at UDP 4500 as
> expected from the Windows box, but no replies. The log files at the VPN gateway
> talk about malformed payloads.
> Is this a known problem? Can anyone provide me with some pointers on how
> to solve this issue, or explain why this is a limitation somehow?

I read about this in the documentation a few days ago:

8.1.2. Remote Access IPsec VPN

I wonder if this is the issue that keeps me from connecting to my
m0n0wall via IPsec...

My home net -- m0n0wall -- the internet -- some NAT router -- me wanting
to access my home net

If, and it seems so, the NAT-T issue keeps me/us from connecting, this
is, as already stated, a serious limitation.

Is there any way to get around this?

And, by the way, I'm not into the details: why does PPTP work with the
same setup?