 
 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  "Don Munyak" <don dot munyak at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC Issues site-to-site ver 1.22
 Date:  Mon, 8 May 2006 22:47:40 +0100
Hello,

I've always had good luck using 'main' mode rather than 'aggressive'.

Also, try hardcoding the identifier to be your WAN address, rather than 
setting it to 'My IP Address'.

Regards,

Kris.

----- Original Message ----- 
From: "Don Munyak" <don dot munyak at gmail dot com>
To: "Kristian Shaw" <monowall at wealdclose dot co dot uk>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Monday, May 08, 2006 10:22 PM
Subject: Re: [m0n0wall] IPSEC Issues site-to-site ver 1.22


On 5/8/06, Kristian Shaw <monowall at wealdclose dot co dot uk> wrote:
> Hello,
>
> I've just checked this with my install of 1.22 and I get extra firewall
> rules created when IPSEC is enabled. They aren't visible in the GUI but 
> can
> be seen in the ipfilter section of status.php.
>
> # Pass ESP packets
> pass in quick on ep0 proto esp from any to 82.xx.xx.xx
> pass out quick on ep0 proto esp from 82.xx.xx.xx to any
>
> ..etc...
>
> Kris.
>

First thing...I didn't mean to confuse anyone about ICMP ping and
NAT-T. The point I was trying to make was "MY" inability to ping
through an IPSEC tunnel, and yet still be able to connect remotely to
the application server intended. I am under the impression you can't
ping through an IPSEC tunnel...but I could be wrong.

Anyway, here's my config for the site-to-site IPSEC configuration.
This same configuration works on ver 1.21 using two (2) Soekris
routers. This configuration is not working with version 1.22 using
two (2) Netgate routers. These are the only differences between the two
different client sites. I personally don't feel the router hardware
has anything to do with this... but I could be wrong??


OS: m0n0wall Firewall/Router
ver 1.22 wrap.img
http://m0n0.ch/wall
UID: admin
PW: xxxxxxxx

**************************
>> MAIN Office <<
**************************
> LAN : Enabled
Port: Eth-0 (sis0)
IP:192.168.1.0
SM :255.255.255.0
GW:192.168.1.1
DNS:192.168.1.1
WINS: none
DHCP: 192.168.1.100 -.150

> WAN : Enabled
Port: Eth-1 (sis1)
IP:71.xx.xx.119 /24
SM :255.255.255.0
GW:71.xx.xx.1
DNS:xx.10.10.11
DNS:xx.10.10.12
WINS: none
DHCP: none static wan

> DMZ : Disabled

------------------------

IPSEC:
Tunnel
Interface: WAN
Local subnet: LAN Subnet
Remote Subnet: 192.168.20.0 /24
Remote Gateway: 141.xx.xx.178
Description: Remote Office VPN

>Phase-1
Negotiation mode:aggressive
My Identifier: My IP Address
Encryption: Blowfish
Hash: SHA1
DH Key group: 2
Lifetime: 86400 seconds
Auth method: Pre-share key
pre-share key: xxxxxxxxxxxxxx

>Phase-2
Protocol: ESP
Encryption Algorithm: Blowfish only
Hash Algorithm: SHA1 only
PFS key group: 2
Lifetime: 14400 seconds

**************************
>> REMOTE Office <<
**************************
> LAN : Enabled
Port: Eth-0 (sis0)
IP:192.168.2.0
SM :255.255.255.0
GW:192.168.2.1
DNS:192.168.2.1
WINS: none
DHCP: 192.168.2.100 -.150

> WAN : Enabled
Port: Eth-1 (sis1)
IP:141.xx.xx.178 /24
SM :255.255.255.0
GW:141.152.156.1
DNS:xx.10.10.11
DNS:xx.10.10.12
WINS: none
DHCP: none static wan

> DMZ : Disabled

------------------------

IPSEC:
Tunnel
Interface: WAN
Local subnet: LAN Subnet
Remote Subnet: 192.168.1.0 /24
Remote Gateway: 71.xx.xx.119
Description: MAIN Office VPN

>Phase-1
Negotiation mode:aggressive
My Identifier: My IP Address
Encryption: Blowfish
Hash: SHA1
DH Key group: 2
Lifetime: 86400 seconds
Auth method: Pre-share key
pre-share key: xxxxxxxxxx

>Phase-2
Protocol: ESP
Encryption Algorithm: Blowfish only
Hash Algorithm: SHA1 only
PFS key group: 2
Lifetime: 14400 seconds

{end snip}

Regards,

~ Don
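An added example, not part of the thread and not m0n0wall's own code: a small Python cross-check of the two endpoints as posted above. It verifies that each side's remote subnet and remote gateway are the other side's LAN and WAN, and that the phase 1 and phase 2 proposals agree; the field names are the script's own, and the masked "xx" octets are kept as plain strings. Run over the settings as posted, it reports the main office's remote subnet of 192.168.20.0/24 against the remote office's LAN of 192.168.2.0/24.

```python
import ipaddress

# Both ends as posted in the thread (constructed sample data; the masked
# "xx" octets are kept as-is and compared as plain strings).
MAIN = {
    "lan": "192.168.1.0/24", "wan": "71.xx.xx.119",
    "remote_subnet": "192.168.20.0/24", "remote_gateway": "141.xx.xx.178",
    "p1": {"mode": "aggressive", "enc": "Blowfish", "hash": "SHA1",
           "dh": 2, "lifetime": 86400, "auth": "psk"},
    "p2": {"proto": "ESP", "enc": "Blowfish", "hash": "SHA1",
           "pfs": 2, "lifetime": 14400},
}
REMOTE = {
    "lan": "192.168.2.0/24", "wan": "141.xx.xx.178",
    "remote_subnet": "192.168.1.0/24", "remote_gateway": "71.xx.xx.119",
    "p1": dict(MAIN["p1"]),  # identical proposals on both ends, as posted
    "p2": dict(MAIN["p2"]),
}


def check_tunnel(a, b, names=("main", "remote")):
    """Return a list of mismatches between the two tunnel endpoints.

    For the SA to come up and carry traffic, each side's remote subnet must
    be the other side's LAN, each side's remote gateway must be the other
    side's WAN address, and the phase 1 and phase 2 proposals must agree.
    """
    problems = []
    for me, peer, name in ((a, b, names[0]), (b, a, names[1])):
        want = ipaddress.ip_network(peer["lan"])
        if ipaddress.ip_network(me["remote_subnet"]) != want:
            problems.append(f"{name}: remote subnet {me['remote_subnet']} "
                            f"is not peer LAN {peer['lan']}")
        if me["remote_gateway"] != peer["wan"]:
            problems.append(f"{name}: remote gateway {me['remote_gateway']} "
                            f"is not peer WAN {peer['wan']}")
    # Proposal parameters must match key for key on both ends.
    for phase in ("p1", "p2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase} {key}: {a[phase].get(key)!r} vs "
                                f"{b[phase].get(key)!r}")
    return problems


if __name__ == "__main__":
    for line in check_tunnel(MAIN, REMOTE) or ["no mismatches found"]:
        print(line)
```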
