I have a 1.3b4 sitting on the edge of my workplace's network.
On globalnet (named so because it has globally routable addresses) I
have a host, 220.127.116.11, running WinXP. On a separate wan
connection, adsl2, I have a notebook likewise running WinXP. These two
machines have IPSec policies for traffic to and from 'the world'. The
mono is configured to do advanced NAT, on DMZ addresses only, and has
**** rules (for testing) on wan and globalnet to let the IPSEC traffic
Here's the odd part:
according to the sniffer the two have the ISAKMP chat, and then
+ ping works (I see ESP packets)
+ UDP traffic works (I see ESP packets and the test app gets data back)
- TCP traffic does NOT work (I see single ESP packets that look like the SYN, but no SYN-ACK/ACK).
- Moving the notebook to DMZ gives the same result.
+ when the traffic is not through mono, TCP in ESP works.
How is it at all possible for mono to break TCP in ESP only? It
shouldn't be able to know.
Q: What's the least dangerous way of putting in a stateless allow rule
(I want dumb routing), and what would it look like?
@38 pass in quick from any to 18.104.22.168/32 keep state keep frags
@8 pass in log first quick from 22.214.171.124/29 to any keep state keep frags group 700