To aid in this conversation, I used a port tool to test
incoming/outgoing ports on the m0n0wall PC image, version 1.21.
Since I can only manually test one port at a time for data input/output,
I only did ports 500 UDP to 505 UDP and TCP, for giggles.
My test showed that m0n0wall doesn't pass UDP packets on port 500, as
this person has stated, but it worked fine on ports 501, 502, 503, etc.
My test did find that TCP packets would pass port 500 just fine. I even
tried port remapping, like m0n0wall port 500 to 501, just to see if it
was the direct 500:500 that was having the problem, and still packets are
dropped. I checked the firewall log of m0n0wall to see if maybe those
packets would show up there; nothing found.
I know that by default on a Windows machine you can't listen on port
500 UDP because it's being used by the lsass.exe server process, but my
test on both a Windows workstation (with a killed lsass.exe process) and a
Linux workstation shows that m0n0wall will not pass port 500 UDP using
simple NAT rules and pass rules for the firewall. I haven't tried
assigning a machine an external WAN address and doing the same test, for
sanity reasons. Maybe someone can shed some light on why m0n0wall would
discard packets coming inbound on port 500 UDP?
Polus, Tomasz wrote:
>> -----Original Message-----
>> From: Chris Buechler [mailto:cbuechler at gmail dot com]
>> Sent: Wednesday, March 15, 2006 1:15 AM
>> Cc: m0n0wall at lists dot m0n0 dot ch
>> Subject: Re: [m0n0wall] FW: m0n0wall blocks incoming UDP 500
>> On 3/14/06, Polus, Tomasz <tomek at polvision dot com dot pl> wrote:
>>> Come on guys, I don't believe m0n0wall working as a NAT
>>> gateway cannot
>>> pass returning UDP 500 packets....
>> Of course it can. That's not the problem. The problem is
>> most likely that you don't have NAT-T enabled on the Linksys
>> you're connecting to.
> Nope. As I stated before, Linux NAT works great in this configuration.
> After switching from Linux to m0n0wall - connection cannot be
> Me --- Linux NAT --- INTERNET --- Linksys VPN router = YES
> Me --- m0n0wall NAT --- INTERNET --- Linksys VPN router = NO
>> The process of NAT breaks IPsec unless the terminating
>> device supports and has NAT-T enabled. Previously, you may
>> have had ESP forwarded to your machine, but ipfilter doesn't
>> support anything but TCP and UDP on non-1:1 forwards.
> In other words.... Linux can do it, but FreeBSD cannot? Very
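The point Chris makes above (a port-based NAT forward can only match TCP and UDP, so ESP has to be wrapped in UDP by NAT-T before a non-1:1 forward can carry it) is easier to see on actual packets. The following is an added example, not code from the thread or from m0n0wall/ipfilter: it builds a few constructed IPv4 packets (an IKE exchange on UDP 500, a NAT-T packet on UDP 4500, and a bare ESP packet) and classifies each by whether it has port fields a forward rule could match. The port and protocol numbers (IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50, AH as 51) are protocol facts; the addresses, SPI values and packet contents are made up for the test.

```python
"""Classify IPsec-related IPv4 traffic and report whether a port-based
(non-1:1) NAT forward can match it.  Added example; not m0n0wall code."""
import ipaddress
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
IKE_PORT = 500     # ISAKMP / IKE
NAT_T_PORT = 4500  # IKE and UDP-encapsulated ESP when NAT-T is in use


def build_ipv4(proto, payload, src="192.0.2.10", dst="203.0.113.5"):
    """Constructed minimal IPv4 header (no options, checksum left 0)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def udp_payload(sport, dport, data=b"\x00" * 8):
    """Constructed UDP header + data (checksum left 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def esp_payload(spi, seq):
    """Constructed ESP header: SPI, sequence number, then opaque ciphertext."""
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def classify(packet):
    """Parse one IPv4 packet.  Returns protocol, addresses, the L4 fields a
    firewall could key on, and whether a port-based forward can match it."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    l4 = packet[ihl:]
    info = {
        "proto": proto,
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
    }
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        # TCP and UDP carry ports, so a redirect/port-forward rule can match.
        sport, dport = struct.unpack("!HH", l4[:4])
        info.update(src_port=sport, dst_port=dport, port_forwardable=True)
        if proto == IPPROTO_UDP and IKE_PORT in (sport, dport):
            info["label"] = "IKE/ISAKMP (UDP 500)"
        elif proto == IPPROTO_UDP and NAT_T_PORT in (sport, dport):
            info["label"] = "IKE or ESP encapsulated in UDP 4500 (NAT-T)"
        else:
            info["label"] = "TCP" if proto == IPPROTO_TCP else "UDP"
    elif proto == IPPROTO_ESP:
        # ESP has no ports, only an SPI: a port-based NAT rule has nothing
        # to match, so it needs 1:1 NAT or NAT-T encapsulation.
        spi, seq = struct.unpack("!II", l4[:8])
        info.update(spi=spi, seq=seq, port_forwardable=False,
                    label="ESP (IP protocol 50): SPI only, no ports")
    elif proto == IPPROTO_AH:
        spi = struct.unpack("!I", l4[4:8])[0]
        info.update(spi=spi, port_forwardable=False,
                    label="AH (IP protocol 51): SPI only, no ports")
    else:
        info.update(port_forwardable=False, label=f"IP protocol {proto}")
    return info


if __name__ == "__main__":
    samples = [
        build_ipv4(IPPROTO_UDP, udp_payload(IKE_PORT, IKE_PORT)),
        build_ipv4(IPPROTO_UDP, udp_payload(NAT_T_PORT, NAT_T_PORT)),
        build_ipv4(IPPROTO_ESP, esp_payload(0xDEADBEEF, 1)),
    ]
    for pkt in samples:
        print(classify(pkt))
```

Run against a real tunnel's two legs this shows why "Linux NAT works but m0n0wall does not" can be true at the same time as "UDP 500 passes": the IKE leg is ordinary UDP and forwards either way, while the ESP leg only has an SPI to match on, so a port-forward configuration never sees it unless the peer negotiates NAT-T and moves it to UDP 4500.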