 From:  "Don Munyak" <don dot munyak at gmail dot com>
 To:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Issues site-to-site ver 1.22
 Date:  Mon, 8 May 2006 17:22:20 -0400
On 5/8/06, Kristian Shaw <monowall at wealdclose dot co dot uk> wrote:
> Hello,
>
> I've just checked this with my install of 1.22 and I get extra firewall
> rules created when IPSEC is enabled. They aren't visible in the GUI but can
> be seen in the ipfilter section of status.php.
>
> # Pass ESP packets
> pass in quick on ep0 proto esp from any to 82.xx.xx.xx
> pass out quick on ep0 proto esp from 82.xx.xx.xx to any
>
> ..etc...
>
> Kris.
>

First thing...I didn't mean to confuse anyone about ICMP ping and
NAT-T. The point I was trying to make was "MY" inability to ping
through an IPSEC tunnel, and yet still be able to connect remotely to
the application server intended. I am under the impression you can't
ping through an IPSEC tunnel...but I could be wrong.

Anyway, here's my config for the site-to-site IPSEC configuration.
This same configuration works on ver 1.21 using two (2) Soekris
routers. This configuration is not working with version 1.22 using
two (2) Netgate routers. This is the only difference between the two
different client sites. I personally don't feel the router hardware
has anything to do with this... but I could be wrong ??


OS: m0n0wall Firewall/Router
ver 1.22 wrap.img
http://m0n0.ch/wall
UID: admin
PW: xxxxxxxx

**************************
>> MAIN Office <<
**************************
> LAN : Enabled
Port: Eth-0 (sis0)
IP:192.168.1.0
SM :255.255.255.0
GW:192.168.1.1
DNS:192.168.1.1
WINS: none
DHCP: 192.168.1.100 -.150

> WAN : Enabled
Port: Eth-1 (sis1)
IP:71.xx.xx.119 /24
SM :255.255.255.0
GW:71.xx.xx.1
DNS:xx.10.10.11
DNS:xx.10.10.12
WINS: none
DHCP: none static wan

> DMZ : Disabled

------------------------

IPSEC:
Tunnel
Interface: WAN
Local subnet: LAN Subnet
Remote Subnet: 192.168.20.0 /24
Remote Gateway: 141.xx.xx.178
Description: Remote Office VPN

>Phase-1
Negotiation mode:aggressive
My Identifier: My IP Address
Encryption: Blowfish
Hash: SHA1
DH Key group: 2
Lifetime: 86400 seconds
Auth method: Pre-share key
pre-share key: xxxxxxxxxxxxxx

>Phase-2
Protocol: ESP
Encryption Algorithm: Blowfish only
Hash Algorithm: SHA1 only
PFS key group: 2
14400 seconds

**************************
>> REMOTE Office <<
**************************
> LAN : Enabled
Port: Eth-0 (sis0)
IP:192.168.2.0
SM :255.255.255.0
GW:192.168.2.1
DNS:192.168.2.1
WINS: none
DHCP: 192.168.2.100 -.150

> WAN : Enabled
Port: Eth-1 (sis1)
IP:141.xx.xx.178 /24
SM :255.255.255.0
GW:141.152.156.1
DNS:xx.10.10.11
DNS:xx.10.10.12
WINS: none
DHCP: none static wan

> DMZ : Disabled

------------------------

IPSEC:
Tunnel
Interface: WAN
Local subnet: LAN Subnet
Remote Subnet: 192.168.1.0 /24
Remote Gateway: 71.xx.xx.119
Description: MAIN Office VPN

>Phase-1
Negotiation mode:aggressive
My Identifier: My IP Address
Encryption: Blowfish
Hash: SHA1
DH Key group: 2
Lifetime: 86400 seconds
Auth method: Pre-share key
pre-share key: xxxxxxxxxx

>Phase-2
Protocol: ESP
Encryption Algorithm: Blowfish only
Hash Algorithm: SHA1 only
PFS key group: 2
14400 seconds

{end snip}

Regards,

~ Don
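A consistency check over the two tunnel definitions posted above, added here as an example and not part of the original message or of m0n0wall: a site-to-site tunnel only negotiates when each end's remote subnet and remote gateway mirror the peer's LAN subnet and WAN address and the phase 1 / phase 2 proposals agree, so the check reports every place the two blocks fail to mirror each other. The octets the poster redacted as "xx" are kept as strings, so the gateway comparison is a plain string comparison.

```python
import ipaddress

# Constructed from the two tunnel definitions posted above. Octets the
# poster redacted as "xx" are kept verbatim, so gateway/WAN comparisons
# are plain string comparisons rather than address arithmetic.
MAIN = {
    "lan": "192.168.1.0/24", "wan_ip": "71.xx.xx.119",
    "remote_subnet": "192.168.20.0/24", "remote_gateway": "141.xx.xx.178",
    "p1": {"mode": "aggressive", "enc": "Blowfish", "hash": "SHA1", "dh": 2, "lifetime": 86400},
    "p2": {"proto": "ESP", "enc": "Blowfish", "hash": "SHA1", "pfs": 2, "lifetime": 14400},
}
REMOTE = {
    "lan": "192.168.2.0/24", "wan_ip": "141.xx.xx.178",
    "remote_subnet": "192.168.1.0/24", "remote_gateway": "71.xx.xx.119",
    "p1": {"mode": "aggressive", "enc": "Blowfish", "hash": "SHA1", "dh": 2, "lifetime": 86400},
    "p2": {"proto": "ESP", "enc": "Blowfish", "hash": "SHA1", "pfs": 2, "lifetime": 14400},
}


def check_pair(a, b, a_name="MAIN", b_name="REMOTE"):
    """Return a list of mismatch descriptions for a site-to-site pair.

    An empty list means the two ends mirror each other: each side's remote
    subnet is the peer's LAN, each side's remote gateway is the peer's WAN
    address, neither side's remote subnet overlaps its own LAN, and the
    phase 1 / phase 2 proposals are identical on both ends.
    """
    problems = []
    for x, y, xn, yn in ((a, b, a_name, b_name), (b, a, b_name, a_name)):
        lan, remote = ipaddress.ip_network(x["lan"]), ipaddress.ip_network(x["remote_subnet"])
        if remote != ipaddress.ip_network(y["lan"]):
            problems.append(f"{xn} remote subnet {remote} != {yn} LAN {y['lan']}")
        if remote.overlaps(lan):
            problems.append(f"{xn} remote subnet {remote} overlaps its own LAN {lan}")
        if x["remote_gateway"] != y["wan_ip"]:
            problems.append(f"{xn} remote gateway {x['remote_gateway']} != {yn} WAN {y['wan_ip']}")
    # Both ends must offer the same phase 1 and phase 2 proposal.
    for phase in ("p1", "p2"):
        for key in a[phase]:
            if a[phase][key] != b[phase].get(key):
                problems.append(f"{phase} {key}: {a_name}={a[phase][key]} {b_name}={b[phase].get(key)}")
    return problems


if __name__ == "__main__":
    for p in check_pair(MAIN, REMOTE) or ["no mismatches found"]:
        print(p)
```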