 From:  "Jai Ketteridge" <jai at innaloo dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Random lack of Dataflow over IPSEC VPN
 Date:  Wed, 20 Dec 2006 20:09:02 +0900
It's possible that it's doing that - On the WAN home tab in the modem it says
that the Firewall and NAT are enabled. I may try disabling them but if I do
that and it doesn't work I'm screwed because the modem is 5000km from me and
if I cannot remote in I'm in big trouble!!! (i.e. if I disable NAT or Firewall
the DMZ bit might not work?) The only basic option I've done is set the DMZ -
so that would mean all traffic goes to the designated IP. Is there another
way to do this? Leave the DMZ option off? Would all packets get through in
that case? I can turn the DMZ option off but I think it would be helping at
this stage.

Here is the IPSEC from SINGAPORE
<ipsec>
	<tunnel>
		<interface>wan</interface>
		<local-subnet>
			<network>lan</network>
		</local-subnet>
		<remote-subnet>10.0.0.0/24</remote-subnet>
		<remote-gateway>203.x.x.x</remote-gateway>
		<p1>
			<mode>main</mode>
			<myident>
				<myaddress/>
			</myident>
			<encryption-algorithm>blowfish</encryption-algorithm>
			<hash-algorithm>sha1</hash-algorithm>
			<dhgroup>2</dhgroup>
			<lifetime>28880</lifetime>
			<pre-shared-key>1234567890</pre-shared-key>
			<private-key/>
			<cert/>
			<peercert/>
			<authentication_method>pre_shared_key</authentication_method>
		</p1>
		<p2>
			<protocol>esp</protocol>
			<encryption-algorithm-option>blowfish</encryption-algorithm-option>
			<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
			<pfsgroup>2</pfsgroup>
			<lifetime>86400</lifetime>
		</p2>
		<descr>TUNNEL TO AUSTRALIA</descr>
	</tunnel>
	<enable/>
	<preferoldsa/>
</ipsec>

Here is the IPSEC from AUSTRALIA
<ipsec>
	<tunnel>
		<interface>wan</interface>
		<local-subnet>
			<network>lan</network>
		</local-subnet>
		<remote-subnet>10.1.0.0/24</remote-subnet>
		<remote-gateway>58.x.x.x</remote-gateway>
		<p1>
			<mode>main</mode>
			<myident>
				<myaddress/>
			</myident>
			<encryption-algorithm>blowfish</encryption-algorithm>
			<hash-algorithm>sha1</hash-algorithm>
			<dhgroup>2</dhgroup>
			<lifetime>28880</lifetime>
			<pre-shared-key>1234567890</pre-shared-key>
			<private-key/>
			<cert/>
			<peercert/>
			<authentication_method>pre_shared_key</authentication_method>
		</p1>
		<p2>
			<protocol>esp</protocol>
			<encryption-algorithm-option>blowfish</encryption-algorithm-option>
			<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
			<pfsgroup>2</pfsgroup>
			<lifetime>86400</lifetime>
		</p2>
		<descr>TUNNEL TO SINGAPORE</descr>
	</tunnel>
	<enable/>
	<preferoldsa/>
</ipsec>

Is that all you need?

Thanks a lot guys. This is my first commercial deployment of m0n0 and I'm
going to donate a percentage of the profit from the job to the project so
hopefully it can be figured out :)

JK

-----Original Message-----
From: Bjoern Euler [mailto:lists at edain dot de]
Sent: Wednesday, 20 December 2006 6:10 PM
To: m0n0wall at lists dot m0n0 dot ch
Cc: jai at innaloo dot net
Subject: Re: [m0n0wall] Random lack of Dataflow over IPSEC VPN


On 20.12.2006 00:42 Jai Ketteridge wrote:
> SINGAPORE
> Dlink DSL604T Modem on Static IP (IPOA connection)
> WAN IP 58.x.x.x -
> LAN IP 192.168.1.1
> Modem is configured to DMZ to 192.168.1.254 so that all traffic is passed to
> the mono (is this the correct way to do it?)

This probably means that the Dlink is doing some type of static
NAT/masquerading. Although you have a static IP the NAT may be a problem
here. Do you have any options for analyzing the NAT states on the Dlink
(through the webgui)?

What would be helpful in addition to the info you provided are the exact
IPSec configurations on both sides (the IPSec part in configuration.xml).


Regards
-Bjoern
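As an added example (not code from the thread or from m0n0wall itself): a small script that does the comparison Bjoern asked for, checking that the two posted <ipsec> fragments agree on every phase 1 and phase 2 setting and point at different remote subnets. It assumes the fragment shape shown above; the names SINGAPORE, AUSTRALIA, tunnel_params and compare_tunnels are chosen here.

```python
# Added example, not from the thread: parse the two m0n0wall <ipsec> fragments
# posted above and report phase 1/2 settings that differ between the ends.
import xml.etree.ElementTree as ET

# Constructed input: the Singapore fragment from the mail, reduced to the
# tags this check reads; gateways stay redacted as in the posting.
SINGAPORE = """<ipsec><tunnel><interface>wan</interface>
<local-subnet><network>lan</network></local-subnet>
<remote-subnet>10.0.0.0/24</remote-subnet><remote-gateway>203.x.x.x</remote-gateway>
<p1><mode>main</mode><encryption-algorithm>blowfish</encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup><lifetime>28880</lifetime>
<pre-shared-key>1234567890</pre-shared-key></p1>
<p2><protocol>esp</protocol><encryption-algorithm-option>blowfish</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option><pfsgroup>2</pfsgroup>
<lifetime>86400</lifetime></p2></tunnel></ipsec>"""
# The Australian end differs only in what it points at, as in the mail.
AUSTRALIA = (SINGAPORE.replace("10.0.0.0/24", "10.1.0.0/24")
                      .replace("203.x.x.x", "58.x.x.x"))

# Settings that must agree on both ends for the proposals to match.
P1_KEYS = ("mode", "encryption-algorithm", "hash-algorithm", "dhgroup",
           "lifetime", "pre-shared-key")
P2_KEYS = ("protocol", "encryption-algorithm-option",
           "hash-algorithm-option", "pfsgroup", "lifetime")


def tunnel_params(xml_text):
    """Return {(section, tag): value} for the single <tunnel> in a fragment."""
    tunnel = ET.fromstring(xml_text).find("tunnel")
    params = {}
    for section, keys in (("p1", P1_KEYS), ("p2", P2_KEYS)):
        node = tunnel.find(section)
        for key in keys:
            params[(section, key)] = None if node is None else node.findtext(key)
    params[("tunnel", "remote-subnet")] = tunnel.findtext("remote-subnet")
    return params


def compare_tunnels(xml_a, xml_b):
    """List mismatches between the two ends. An empty list means the proposals
    agree; it says nothing about NAT or routing in between (the other suspect)."""
    a, b = tunnel_params(xml_a), tunnel_params(xml_b)
    issues = [f"{sec} {tag}: {a[(sec, tag)]!r} vs {b[(sec, tag)]!r}"
              for sec, tag in a if sec != "tunnel" and a[(sec, tag)] != b[(sec, tag)]]
    # Each end's remote-subnet is the other end's LAN, so they must differ.
    if a[("tunnel", "remote-subnet")] == b[("tunnel", "remote-subnet")]:
        issues.append("both ends name the same remote-subnet")
    return issues


if __name__ == "__main__":
    print(compare_tunnels(SINGAPORE, AUSTRALIA) or "phase 1/2 settings agree")
```

The posted configs come back clean, which is consistent with Bjoern's suspicion that the problem is the Dlink's NAT rather than the IPsec proposals.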
