 From:  Jason King <jking at informs dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] 1.21 bug Found (I think)
 Date:  Thu, 16 Mar 2006 10:02:37 -0600
Yes, something had to have changed in 1.21 from 1.2. Specifically in the 
area of the ISA keying/hashing. Who knows, I know I'm not adept enough 
to even know what to look for. I'm glad it isn't just me though. Thanks 
for the input.

Jason

Adam Gibson wrote:

> I have a similar problem with 1.21.  I noticed this within a week of 
> 1.21 release.  I had to downgrade to 1.2 on all the systems (all 
> firewalls are using S2S Shared Secret VPN tunnels to a SEF firewall 
> and exhibited the problem).
>
> On 4 different m0n0wall systems I saw that the tunnels came up the 
> first time when 1.2 was upgraded to 1.21.  After some amount of time 
> the tunnels just stopped working.
>
> On the non-m0n0wall (Symantec Enterprise Firewall) side of the tunnels it 
> just mentioned awaiting ISAKMP rekey.  I tried rebooting the m0n0wall 
> system, etc. but the only thing that worked was backing down to 1.2 and 
> immediately the tunnels established again and all are still running 
> today (1 to 2 months so far).  I repeated the problem again by 
> upgrading one to 1.21 again and then had to back it down a few days 
> later when the problem was discovered again.
>
> Not a big deal right now for me since 1.2 works just fine and 
> troubleshooting remote VPN tunnels.
>
> I wonder what changed in 1.21 from 1.2.  Something must have changed.
>
> Jason King wrote:
>
>> I think I have found a bug in 1.21. I have been using 1.2 for a while 
>> now. These are the points of interest.
>>
>> I have 2 IPSec VPN connections connecting us to 4 different hosts. 
>> Both of these tunnels work perfectly on 1.2. The only time these 
>> connections go down is when there is some problem on the remote end, 
>> not with the m0n0wall.
>>
>> Having said that, I tried upgrading a month ago to 1.21 which was 
>> running off of a PC. I switched the firewall that previous night and 
>> started it up and tested connectivity, everything appeared to be fine 
>> (didn't check the vpn connections). Came in the next morning and I 
>> was getting complaints that users couldn't get to those remote hosts 
>> through the IPSec VPN tunnel. So I checked the tunnels. One of the 
>> tunnels was up, but one was not. I called the remote host admins and 
>> asked what could be wrong. They told me nothing changed on their side 
>> and so since the only thing I changed was from 1.2 to 1.21 I decided 
>> it must be me.
>>
>> Anyway, I took down 1.21 and put the 1.2 back in place. Both VPN 
>> tunnels came up just fine and people continued working.
>>
>> I recently got approved for a soekris net4801 with the vpn1411 addon 
>> board (joy). I decided I would try the net48xx version of 1.21 and 
>> see if that made a difference. It was no different. This time I 
>> tested the VPN connections before I left and discovered that the same 
>> problem as before was still there. So I had to flash my CF card with 
>> 1.2 instead of 1.21 and bring the soekris up with 1.2. There again, 
>> both VPN tunnels came up fine.
>>
>> I'm not even sure where to start looking for a solution to this 
>> problem I'm seeing. Not really sure if it IS a problem but something 
>> has definitely changed between 1.2 and 1.21 that breaks my VPN tunnels.
>>
>> Just wanted to let everyone know what I found. I'm not looking for a 
>> solution so much as I wanted the list to know about the problem. I'm 
>> perfectly fine with 1.2.
>>
>> m0n0wall ROCKS!
>>
>> Jason
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
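Both reports above share the same shape: the tunnels come up after the upgrade, work for a while, then drop, and the Symantec side reports that it is awaiting an ISAKMP rekey. A useful first step when "not sure where to start looking" is to measure how long each tunnel stays reachable before it drops and compare that against the configured IKE SA lifetime; a drop that lands near the lifetime points at rekeying rather than at initial negotiation. The script below is an added example, not code from the thread or from m0n0wall. It assumes a constructed probe log in the form `<epoch> <tunnel> <up|down>` written by a periodic reachability check across each tunnel, and an assumed lifetime of 28800 seconds; substitute the phase 1 lifetime from the actual m0n0wall configuration.

```python
# Added example, not from the m0n0wall thread: measure how long each IPsec
# tunnel stayed reachable before it dropped, and flag drops that land near
# the configured IKE SA lifetime (a hint that the failure is rekey-related).
from collections import defaultdict

# Constructed probe log: "<epoch> <tunnel> <up|down>", one line per tunnel
# per probe run (hourly here), e.g. from a ping across the tunnel.
SAMPLE_PROBES = """\
1000000 site-a up
1000000 site-b up
1003600 site-a up
1003600 site-b up
1028800 site-a up
1028800 site-b up
1032400 site-a down
1032400 site-b up
1036000 site-a down
1036000 site-b up
"""

# Assumed IKE SA lifetime in seconds (hypothetical value); take the real one
# from the m0n0wall phase 1 settings when running this against live data.
ASSUMED_IKE_LIFETIME_S = 28800


def parse_probes(text):
    """Return sorted (timestamp, tunnel, is_up) tuples, skipping malformed lines."""
    probes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("up", "down"):
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        probes.append((ts, parts[1], parts[2] == "up"))
    return sorted(probes)


def outage_windows(probes):
    """For each tunnel, list (up_since, down_at) for every up -> down transition.

    up_since is the first probe that saw the tunnel up, so the measured
    uptime is an approximation bounded by the probe interval.
    """
    up_since = {}
    windows = defaultdict(list)
    for ts, tunnel, is_up in probes:
        if is_up:
            up_since.setdefault(tunnel, ts)
        elif tunnel in up_since:
            windows[tunnel].append((up_since.pop(tunnel), ts))
    return dict(windows)


def near_lifetime(up_since, down_at, lifetime_s, tolerance_s):
    """True if the drop occurred within tolerance of a multiple of the SA lifetime."""
    uptime = down_at - up_since
    if uptime <= 0:
        return False
    nearest = round(uptime / lifetime_s) * lifetime_s
    return nearest > 0 and abs(uptime - nearest) <= tolerance_s


def rekey_report(text, lifetime_s=ASSUMED_IKE_LIFETIME_S, tolerance_s=3600):
    """Map tunnel -> list of (uptime_seconds, suspect_rekey) for each observed drop."""
    report = {}
    for tunnel, windows in outage_windows(parse_probes(text)).items():
        report[tunnel] = [
            (down - up, near_lifetime(up, down, lifetime_s, tolerance_s))
            for up, down in windows
        ]
    return report


if __name__ == "__main__":
    for tunnel, drops in rekey_report(SAMPLE_PROBES).items():
        for uptime, suspect in drops:
            note = " (near IKE lifetime, check rekeying)" if suspect else ""
            print(f"{tunnel}: dropped after {uptime // 3600} h{note}")
```

With the constructed log, site-a drops after roughly nine hours, within one probe interval of the assumed eight-hour lifetime, so it is flagged, while site-b never drops. A tunnel whose drops cluster at the lifetime boundary is worth checking against the peer's rekey logs and against proposal or lifetime differences between the two versions; drops that show no such pattern point elsewhere.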