[ previous ] [ next ] [ threads ]
 
 From:  Kasper Pedersen <m0n0list dash kkp2 at kasperkp dot dk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSec transport mode through 1.3b4 - I believe in ghosts.
 Date:  Sat, 15 Sep 2007 13:55:28 +0200
I have a 1.3b4 sitting on the edge of workplace's network.
wanlink1----[mono]---->dmz hosts
                |
                +------>globalnet hosts

On globalnet (named so because it has globally routable addresses) I
have a host, 217.198.219.98, running WinXP. On a separate wan
connection, adsl2, I have a notebook likewise running WinXP. These two
machines have IPSec policies for traffic to and from 'the world'. The
mono is configured to do advanced NAT, on DMZ addresses only, and has
**** rules (for testing) on wan and globalnet to let the IPSEC traffic
through.

Here's the odd part:
  according to the sniffer the two have the ISAKMP chat, and then
  + ping works (I see ESP packets)
  + UDP traffic works (I see ESP packets and the test app gets data back)
  - TCP traffic does NOT work (I see single ESP packets that look like
the SYN, but no synack-ack).
  - Moving the notebook to DMZ gives the same result.
  + when the traffic is not through mono, TCP in ESP works.
How is it at all possible for mono to break TCP in ESP only? It
shouldn't be able to know.

Q: What's the least dangerous way of putting in a stateless allow rule
(I want dumb routing), and what would it look like?

/Kasper Pedersen

@38 pass in quick from any to 217.198.219.98/32 keep state keep frags 
group 100
@8 pass in log first quick from 217.198.219.96/29 to any keep state keep 
frags group 700