The "right" m0n0 is on a dynamic IP and I had it powered off last night.
I changed all the settings today in the ipsec configuration of the
"left" m0n0 but no "SA".
My settings are as if I had a static IP at the "right" side.
I am trying to test the m0n0wall settings and performance for when it is
put into production on two static IP addresses.
I had no "SA" until I tried to ping the internal NIC of the left m0n0
from the LAN of the right m0n0.
Then that ping worked. But I still have the original problem that I
can't ping anything other than the internal NIC of the other m0n0.
On the "left" m0n0:
$ cat /var/etc/racoon.conf
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

# phase 1 (IKE) settings for the peer
remote 72.xxx.xxx.159 {
        exchange_mode aggressive;
        my_identifier address "64.x.xx.14";
        nat_traversal on;
        peers_identifier address 72.xxx.xxx.159;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 1;
                lifetime time 86400 secs;
        }
        lifetime time 86400 secs;
}

# phase 2 (IPsec SA) selectors: local LAN, then remote LAN
sainfo address 192.168.5.0/24 any address 192.168.7.0/24 any {
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 1;
        lifetime time 14400 secs;
}
On the "right" m0n0:
$ cat /var/etc/racoon.conf
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

# phase 1 (IKE) settings for the peer
remote 64.x.xx.14 {
        exchange_mode aggressive;
        my_identifier address "72.xxx.xxx.159";
        nat_traversal on;
        peers_identifier address 64.x.xx.14;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        proposal {
                encryption_algorithm blowfish;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 1;
                lifetime time 86400 secs;
        }
        lifetime time 86400 secs;
}

# phase 2 (IPsec SA) selectors: local LAN, then remote LAN
sainfo address 192.168.7.0/24 any address 192.168.5.0/24 any {
        encryption_algorithm blowfish;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        pfs_group 1;
        lifetime time 14400 secs;
}
Thanks very much,
Joe
Christopher M. Iarocci wrote:
> Joe,
>
> I suspect you have the subnet wrong, maybe a /32 instead of a /24 in
> your config. Check that, and if it's not the problem, post your IPSEC
> config here.
>
> Chris
>
> Joe Commisso wrote:
>> Hello,
>>
>> I have m0n0 1.3b4 -- m0n0 1.3b4 with ipsec working (NAT enabled) and
>> SA established.
>>
>> I can only ping the internal IP of the m0n0 at the other end but
>> can't ping the rest of the LAN.
>>
>> In my firewall log, the following is a record of the blocked ping:
>>
>> Act | Time            | If  | Source                | Destination             | Proto
>> X   | 19:48:26.397742 | WAN | 64.xx.xx.14, port 443 | 192.168.7.50, port 4989 | TCP
>>
>>
>> As I said, pinging the internal NIC of the m0n0 at the other end
>> works and of course is on the LAN, not the WAN.
>> I have tried searching the message boards all day. Now it is time for
>> me to post.
>>
>> Firewall rules at both ends:
>>
>> Proto | Source | Port | Destination | Port | Description
>> *     | *      | *    | *           | *    | Default LAN -> any
>>
>>
>> Thanks in advance,
>>
>> Joe
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>
>
>
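A quick way to check the two sides against each other, as an added example that is not part of the thread and not m0n0wall or racoon code: the script below pulls the remote/identifier lines and the sainfo selectors out of both racoon.conf files (the constructed input reuses the lines posted above, with the masked WAN addresses kept as literal placeholders and compared only as strings), confirms that each side's phase-2 selector is the mirror image of the other's, flags any /32 host-only selector (the mistake Chris suspected), and reports which selector, if any, would carry a given LAN-to-LAN packet such as 192.168.5.x -> 192.168.7.50. A packet that matches no selector leaves the WAN in the clear and is what shows up as a block in the firewall log.

```python
"""Cross-check two racoon.conf files for a mirrored IPsec tunnel.

Added example for the thread above, not m0n0wall or racoon code.
The two configs are constructed from the sainfo/remote lines posted,
keeping the masked WAN addresses as placeholder strings.
"""
import ipaddress
import re

# Constructed input: the relevant lines of the two posted configs.
LEFT_CONF = """
remote 72.xxx.xxx.159 {
    my_identifier address "64.x.xx.14";
    peers_identifier address 72.xxx.xxx.159;
}
sainfo address 192.168.5.0/24 any address 192.168.7.0/24 any {
    pfs_group 1;
}
"""

RIGHT_CONF = """
remote 64.x.xx.14 {
    my_identifier address "72.xxx.xxx.159";
    peers_identifier address 64.x.xx.14;
}
sainfo address 192.168.7.0/24 any address 192.168.5.0/24 any {
    pfs_group 1;
}
"""

SAINFO_RE = re.compile(
    r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+\s*\{")
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)\s*\{", re.M)
MYID_RE = re.compile(r'my_identifier\s+address\s+"?([^";\s]+)"?')
PEERID_RE = re.compile(r'peers_identifier\s+address\s+"?([^";\s]+)"?')


def parse_sainfo(conf):
    """Return the phase-2 selectors as (local_net, remote_net) pairs."""
    return [(ipaddress.ip_network(a, strict=False),
             ipaddress.ip_network(b, strict=False))
            for a, b in SAINFO_RE.findall(conf)]


def parse_ids(conf):
    """Return (remote peer, my_identifier, peers_identifier) as strings."""
    return (REMOTE_RE.search(conf).group(1),
            MYID_RE.search(conf).group(1),
            PEERID_RE.search(conf).group(1))


def check_pair(left_conf, right_conf):
    """Return a list of mismatches; an empty list means both sides agree."""
    problems = []
    l_peer, l_me, l_them = parse_ids(left_conf)
    r_peer, r_me, r_them = parse_ids(right_conf)
    # Phase 1: what one side calls the peer must be the other side's own ID.
    if l_them != r_me or l_peer != r_me:
        problems.append(f"left expects peer {l_them} but right identifies as {r_me}")
    if r_them != l_me or r_peer != l_me:
        problems.append(f"right expects peer {r_them} but left identifies as {l_me}")
    # Phase 2: every selector on one side must appear swapped on the other.
    left, right = parse_sainfo(left_conf), parse_sainfo(right_conf)
    for local, remote in left:
        if (remote, local) not in right:
            problems.append(f"left sainfo {local} -> {remote} has no mirror on right")
    for local, remote in right:
        if (remote, local) not in left:
            problems.append(f"right sainfo {local} -> {remote} has no mirror on left")
    # A host-only (/32) selector protects traffic to that one address only.
    for local, remote in left + right:
        for net in (local, remote):
            if net.prefixlen == net.max_prefixlen:
                problems.append(f"host-only selector {net}: only that address rides the tunnel")
    return problems


def selector_for(conf, src, dst):
    """Return the (local, remote) selector that covers src -> dst, or None
    if the packet matches no sainfo and would leave the WAN unencrypted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in parse_sainfo(conf):
        if src in local and dst in remote:
            return (local, remote)
    return None


if __name__ == "__main__":
    print(check_pair(LEFT_CONF, RIGHT_CONF) or "both sides mirror each other")
    print(selector_for(LEFT_CONF, "192.168.5.10", "192.168.7.50"))
```

Run it against the real /var/etc/racoon.conf from each box (the regexes only look at the remote, identifier and sainfo lines, so the full file can be fed in unchanged). If the selectors do mirror and the LAN host is covered, the remaining suspects are the firewall rules on the IPsec interface and the NAT on the WAN, not the phase-2 configuration.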