 
 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  Joe Commisso <jemc at twcny dot rr dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] m0n0-m0n0 1.3b4 ipsec up but can't ping LAN
 Date:  Mon, 29 Oct 2007 20:13:33 -0400
The only thing I see wrong with it off the bat is NAT traversal is 
on.  No need since you have public IPs on both WANs.  Try shutting that 
off and report.

Chris

Joe Commisso wrote:
>
> The "right" m0n0 is on a dynamic IP and I had it powered off last night.
> I changed all the settings today in the ipsec configuration of the 
> "left" m0n0 but no "SA".
> My settings are as if I had a static IP at the "right" side.
> I am trying to test the m0n0wall settings and performance for when it 
> is put into production on two static IP addresses.
>
> I had no "SA" until I tried to ping the internal NIC of the left m0n0 
> from the LAN of the right m0n0.
> Then that ping worked. But I still have the original problem that I 
> can't ping anything other than the internal NIC of the other m0n0.
>
> On the "left" m0n0:
>
> $ cat /var/etc/racoon.conf
> path pre_shared_key "/var/etc/psk.txt";
>
> path certificate  "/var/etc";
>
> remote 72.xxx.xxx.159 {
>     exchange_mode aggressive;
>     my_identifier address "64.x.xx.14";
>     nat_traversal on;
>     
>     peers_identifier address 72.xxx.xxx.159;
>     initial_contact on;
>     support_proxy on;
>     proposal_check obey;
>
>     proposal {
>         encryption_algorithm blowfish;
>         hash_algorithm sha1;
>         authentication_method pre_shared_key;
>         dh_group 1;
>         lifetime time 86400 secs;
>     }
>     lifetime time 86400 secs;
> }
>
> sainfo address 192.168.5.0/24 any address 192.168.7.0/24 any {
>     encryption_algorithm blowfish;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
>     pfs_group 1;
>     lifetime time 14400 secs;
> }
>
>
> On the "right" m0n0:
>
> $ cat /var/etc/racoon.conf
> path pre_shared_key "/var/etc/psk.txt";
>
> path certificate  "/var/etc";
>
> remote 64.x.xx.14 {
>     exchange_mode aggressive;
>     my_identifier address "72.xxx.xxx.159";
>     nat_traversal on;
>     
>     peers_identifier address 64.x.xx.14;
>     initial_contact on;
>     support_proxy on;
>     proposal_check obey;
>
>     proposal {
>         encryption_algorithm blowfish;
>         hash_algorithm sha1;
>         authentication_method pre_shared_key;
>         dh_group 1;
>         lifetime time 86400 secs;
>     }
>     lifetime time 86400 secs;
> }
>
> sainfo address 192.168.7.0/24 any address 192.168.5.0/24 any {
>     encryption_algorithm blowfish;
>     authentication_algorithm hmac_sha1;
>     compression_algorithm deflate;
>     pfs_group 1;
>     lifetime time 14400 secs;
> }
>
>
>
> Thanks very much,
> Joe
>
>
> Christopher M. Iarocci wrote:
>> Joe,
>>
>> I suspect you have the subnet wrong, maybe a /32 instead of a /24 in 
>> your config.  Check that, and if it's not the problem, post your 
>> IPSEC config here.
>>
>> Chris
>>
>> Joe Commisso wrote:
>>> Hello,
>>>
>>> I have m0n0 1.3b4 -- m0n0 1.3b4 with ipsec working (NAT enabled) and 
>>> SA established.
>>>
>>> I can only ping the internal IP of the m0n0 at the other end but 
>>> can't ping the rest of the LAN.
>>>
>>> In my firewall log, the following is a record of the blocked ping:
>>>
>>> Act | Time            | If  | Source                  | Destination             | Proto
>>> X   | 19:48:26.397742 | WAN | 64.xx.xx.14, port 443   | 192.168.7.50, port 4989 | TCP
>>>
>>>
>>> As I said, pinging the internal NIC of the m0n0 at the other end 
>>> works and of course is on the LAN, not the WAN.
>>> I have tried searching the message boards all day. Now it is time 
>>> for me to post.
>>>
>>> Firewall rules at both ends:
>>>
>>> Proto | Source | Port | Destination | Port | Description
>>> *     | *      | *    | *           | *    | Default LAN -> any
>>>
>>>
>>> Thanks in advance,
>>>
>>> Joe
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>
>>
>>
>>
>
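As an added example (not from the thread and not m0n0wall's own code), a Python cross-check of the two racoon.conf files for the things raised in this thread: whether each end's peer address and identifier mirror the other's, whether nat_traversal is on although both WANs are public, and whether the sainfo subnet pair is mirrored and consists of LAN subnets rather than /32 hosts. The embedded configs are constructed with RFC 5737 documentation addresses in place of the redacted WANs, and the rule that a peer "sits behind NAT" when its address is RFC 1918 or carrier-grade NAT space is an assumption of this checker.

```python
import ipaddress
import re

# Ranges that mark a peer as sitting behind a NAT (assumption used by the NAT-T check).
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
# Constructed samples with the layout of the two racoon.conf files quoted in the
# thread; RFC 5737 documentation addresses stand in for the redacted WAN addresses.
LEFT = """remote 198.51.100.159 { my_identifier address "203.0.113.14";
    nat_traversal on; peers_identifier address 198.51.100.159; }
sainfo address 192.168.5.0/24 any address 192.168.7.0/24 any { }"""
RIGHT = """remote 203.0.113.14 { my_identifier address "198.51.100.159";
    nat_traversal on; peers_identifier address 203.0.113.14; }
sainfo address 192.168.7.0/24 any address 192.168.5.0/24 any { }"""

def parse(conf):
    """Pull only the fields the checks need out of a racoon.conf text."""
    def field(pattern):
        m = re.search(pattern, conf)
        return m.group(1) if m else None
    sa = re.search(r"sainfo address (\S+) any address (\S+) any", conf)
    return {
        "remote": field(r"remote ([\d.]+) \{"),
        "my_id": field(r'my_identifier address "?([\d.]+)"?;'),
        "peer_id": field(r"peers_identifier address ([\d.]+);"),
        "nat_t": field(r"nat_traversal (\w+);"),
        "nets": tuple(ipaddress.ip_network(g) for g in sa.groups()) if sa else (),  # (local, remote)
    }

def behind_nat(addr):
    return any(ipaddress.ip_address(addr) in n for n in NAT_RANGES)

def check_pair(left_conf, right_conf):
    """Cross-check the two ends of one tunnel; returns a list of findings."""
    l, r = parse(left_conf), parse(right_conf)
    findings = []
    # Each end's 'remote' and peers_identifier must name the other end's my_identifier.
    for a, b in ((l, r), (r, l)):
        if (a["remote"], a["peer_id"]) != (b["my_id"], b["my_id"]):
            findings.append("peer address / identifier does not mirror the other end")
    # Chris's point: NAT-T has nothing to do when neither WAN address is NAT'ed.
    if "on" in (l["nat_t"], r["nat_t"]) and not any(map(behind_nat, (l["my_id"], r["my_id"]))):
        findings.append("nat_traversal on although both peers use public addresses")
    # The sainfo selectors must be the same pair of subnets, swapped.
    if l["nets"] != r["nets"][::-1]:
        findings.append("sainfo subnets are not mirrored between the two ends")
    for side, p in (("left", l), ("right", r)):
        if any(net.prefixlen == 32 for net in p["nets"]):
            findings.append(f"{side} sainfo uses a /32 host where a LAN subnet is expected")
    return findings
```

Run it against the real /var/etc/racoon.conf from each box to see only the findings that apply to that pair.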