 From:  Adam Gibson <agibson at ptm dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.21 bug Found (I think)
 Date:  Thu, 16 Mar 2006 10:24:01 -0500
I have a similar problem with 1.21.  I noticed this within a week of 
1.21 release.  I had to downgrade to 1.2 on all the systems (all 
firewalls are using S2S Shared Secret VPN tunnels to a SEF firewall and 
exhibited the problem).

On 4 different m0n0wall systems I saw that the tunnels came up the first 
time when 1.2 was upgraded to 1.21.  After some amount of time the 
tunnels just stopped working.

On the non-m0n0wall (Symantec Enterprise Firewall) side of the tunnels it 
just mentioned awaiting ISAKMP rekey.  I tried rebooting the m0n0wall 
system, etc., but the only thing that worked was backing down to 1.2 and 
immediately the tunnels established again and all are still running 
today (1 to 2 months so far).  I repeated the problem again by upgrading 
one to 1.21 again and then had to back it down a few days later when the 
problem was discovered again.

Not a big deal right now for me since 1.2 works just fine and 
troubleshooting remote VPN tunnels.

I wonder what changed in 1.21 from 1.2.  Something must have changed.

Jason King wrote:
> I think I have found a bug in 1.21. I have been using 1.2 for a while 
> now. These are the points of interest.
> I have 2 IPSec VPN connections connecting us to 4 different hosts. Both 
> of these tunnels work perfectly on 1.2. The only time these connections 
> go down is when there is some problem on the remote end, not with the 
> m0n0wall.
> Having said that, I tried upgrading a month ago to 1.21 which was 
> running off of a PC. I switched the firewall that previous night and 
> started it up and tested connectivity, everything appeared to be fine 
> (didn't check the vpn connections). Came in the next morning and I was 
> getting complaints that users couldn't get to those remote hosts through 
> the IPSec VPN tunnel. So I checked the tunnels. One of the tunnels was 
> up, but one was not. I called the remote host admins and asked what 
> could be wrong. They told me nothing changed on their side and so since 
> the only thing I changed was from 1.2 to 1.21 I decided it must be me.
> Anyway, I took down 1.21 and put the 1.2 back in place. Both VPN tunnels 
> came up just fine and people continued working.
> I recently got approved for a soekris net4801 with the vpn1411 addon 
> board (joy). I decided I would try the net48xx version of 1.21 and see 
> if that made a difference. It was no different. This time I tested the 
> VPN connections before I left and discovered that the same problem as 
> before was still there. So I had to flash my CF card with 1.2 instead of 
> 1.21 and bring the soekris up with 1.2. There again, both VPN tunnels 
> came up fine.
> I'm not even sure where to start looking for a solution to this problem 
> I'm seeing. Not really sure if it IS a problem but something has 
> definitely changed between 1.2 and 1.21 that breaks my VPN tunnels.
> Just wanted to let everyone know what I found. I'm not looking for a 
> solution so much as I wanted the list to know about the problem. I'm 
> perfectly fine with 1.2.
> m0n0wall ROCKS!
> Jason