It acts the same with or without NAT Traversal. Could it be that there is something that is persistent that needs to be flushed? I tried a reboot and still can't ping anything but the m0n0 nic. Strange that I don't get an SA until I ping through to the internal NIC of the other m0n0. Could it be that I need to add a route or maybe add a firewall rule?

Joe

Christopher M. Iarocci wrote:
> The only thing I see wrong with it off the bat is NAT traversal is
> on. No need since you have public IPs on both WANs. Try shutting
> that off and report.
>
> Chris
>
> Joe Commisso wrote:
>>
>> The "right" m0n0 is on a dynamic IP and I had it powered off last night.
>> I changed all the settings today in the ipsec configuration of the
>> "left" m0n0 but no "SA".
>> My settings are as if I had a static IP at the "right" side.
>> I am trying to test the m0n0wall settings and performance for when it
>> is put into production on two static IP addresses.
>>
>> I had no "SA" until I tried to ping the internal NIC of the left m0n0
>> from the LAN of the right m0n0.
>> Then that ping worked. But I still have the original problem that I
>> can't ping anything other than the internal NIC of the other m0n0.
>>
>> On the "left" m0n0:
>>
>> $ cat /var/etc/racoon.conf
>> path pre_shared_key "/var/etc/psk.txt";
>>
>> path certificate "/var/etc";
>>
>> remote 72.xxx.xxx.159 {
>>     exchange_mode aggressive;
>>     my_identifier address "64.x.xx.14";
>>     nat_traversal on;
>>     peers_identifier address 72.xxx.xxx.159;
>>     initial_contact on;
>>     support_proxy on;
>>     proposal_check obey;
>>
>>     proposal {
>>         encryption_algorithm blowfish;
>>         hash_algorithm sha1;
>>         authentication_method pre_shared_key;
>>         dh_group 1;
>>         lifetime time 86400 secs;
>>     }
>>     lifetime time 86400 secs;
>> }
>>
>> sainfo address 192.168.5.0/24 any address 192.168.7.0/24 any {
>>     encryption_algorithm blowfish;
>>     authentication_algorithm hmac_sha1;
>>     compression_algorithm deflate;
>>     pfs_group 1;
>>     lifetime time 14400 secs;
>> }
>>
>>
>> On the "right" m0n0:
>>
>> $ cat /var/etc/racoon.conf
>> path pre_shared_key "/var/etc/psk.txt";
>>
>> path certificate "/var/etc";
>>
>> remote 64.x.xx.14 {
>>     exchange_mode aggressive;
>>     my_identifier address "72.xxx.xxx.159";
>>     nat_traversal on;
>>     peers_identifier address 64.x.xx.14;
>>     initial_contact on;
>>     support_proxy on;
>>     proposal_check obey;
>>
>>     proposal {
>>         encryption_algorithm blowfish;
>>         hash_algorithm sha1;
>>         authentication_method pre_shared_key;
>>         dh_group 1;
>>         lifetime time 86400 secs;
>>     }
>>     lifetime time 86400 secs;
>> }
>>
>> sainfo address 192.168.7.0/24 any address 192.168.5.0/24 any {
>>     encryption_algorithm blowfish;
>>     authentication_algorithm hmac_sha1;
>>     compression_algorithm deflate;
>>     pfs_group 1;
>>     lifetime time 14400 secs;
>> }
>>
>>
>> Thanks very much,
>> Joe
>>
>>
>> Christopher M. Iarocci wrote:
>>> Joe,
>>>
>>> I suspect you have the subnet wrong, maybe a /32 instead of a /24 in
>>> your config. Check that, and if it's not the problem, post your
>>> IPSEC config here.
>>>
>>> Chris
>>>
>>> Joe Commisso wrote:
>>>> Hello,
>>>>
>>>> I have m0n0 1.3b4 -- m0n0 1.3b4 with ipsec working (NAT enabled)
>>>> and SA established.
>>>>
>>>> I can only ping the internal IP of the m0n0 at the other end but
>>>> can't ping the rest of the LAN.
>>>>
>>>> In my firewall log, the following is a record of the blocked ping:
>>>>
>>>> Act | Time            | If  | Source                | Destination             | Proto
>>>> X   | 19:48:26.397742 | WAN | 64.xx.xx.14, port 443 | 192.168.7.50, port 4989 | TCP
>>>>
>>>> As I said, pinging the internal NIC of the m0n0 at the other end
>>>> works and of course is on the LAN, not the WAN.
>>>> I have tried searching the message boards all day. Now it is time
>>>> for me to post.
>>>>
>>>> Firewall rules at both ends:
>>>>
>>>> Proto | Source | Port | Destination | Port | Description
>>>> *     | *      | *    | *           | *    | Default LAN -> any
>>>>
>>>>
>>>> Thanks in advance,
>>>>
>>>> Joe
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>
>>>
>>
>
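The two racoon.conf files quoted above are meant to be mirror images of each other, and the thread's two suspicions (a /32 selector where a /24 belongs, and nat_traversal left on between two public WAN addresses) are both things a script can check mechanically. The following is an added example, not m0n0wall or racoon code and not from anyone in the thread: it parses both configs, reports every mismatch between the ends, and classifies the blocked firewall-log row from the first post against the tunnel's remote selector. LEFT_CONF is constructed from the posted "left" config with its masked addresses kept as literal strings; RIGHT_CONF is derived from it by swapping peers and selectors, which is exactly what the posted "right" config does. The meaning read into the log row (a WAN-blocked packet whose destination lies inside the remote selector is a flow the IPsec policy should have covered) is this example's assumption, not a diagnosis from the thread.

```python
import ipaddress
import re

# Constructed from the "left" racoon.conf quoted in the thread; masked addresses kept verbatim.
LEFT_CONF = """\
path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";
remote 72.xxx.xxx.159 {
    exchange_mode aggressive;
    my_identifier address "64.x.xx.14";
    nat_traversal on;
    peers_identifier address 72.xxx.xxx.159;
    initial_contact on;
    support_proxy on;
    proposal_check obey;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 1;
        lifetime time 86400 secs;
    }
    lifetime time 86400 secs;
}
sainfo address 192.168.5.0/24 any address 192.168.7.0/24 any {
    encryption_algorithm blowfish;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    pfs_group 1;
    lifetime time 14400 secs;
}
"""
# The posted "right" side is the mirror image: peers swapped, selector order swapped.
RIGHT_CONF = (LEFT_CONF.replace("72.xxx.xxx.159", "@R@")
              .replace("64.x.xx.14", "72.xxx.xxx.159").replace("@R@", "64.x.xx.14")
              .replace("192.168.5.0/24 any address 192.168.7.0/24",
                       "192.168.7.0/24 any address 192.168.5.0/24"))
# One m0n0wall firewall-log row, as pasted in the first post.
LOG_ROW = "X | 19:48:26.397742 | WAN | 64.xx.xx.14, port 443 | 192.168.7.50, port 4989 | TCP"

KV = re.compile(r"(\w+)\s+([^;]+);")  # "key value;" pairs inside a { } block


def parse_racoon(text):
    """Extract peer identities, the phase 1 proposal and the sainfo selectors/parameters."""
    def one(pattern):
        m = re.search(pattern, text, re.S)
        if not m:
            raise ValueError("racoon.conf is missing: " + pattern)
        return m.group(1)
    sainfo = re.search(r"sainfo\s+address\s+(\S+)\s+any\s+address\s+(\S+)\s+any\s*\{(.*?)\}",
                       text, re.S)
    if not sainfo:
        raise ValueError("racoon.conf has no sainfo block")
    return {
        "remote": one(r"remote\s+(\S+)\s*\{"),
        "my_id": one(r'my_identifier\s+address\s+"?([^";\s]+)"?;'),
        "peer_id": one(r"peers_identifier\s+address\s+([^;\s]+);"),
        "nat_t": one(r"nat_traversal\s+(\w+);"),
        "phase1": dict(KV.findall(one(r"proposal\s*\{(.*?)\}"))),
        "local_net": ipaddress.ip_network(sainfo.group(1)),
        "remote_net": ipaddress.ip_network(sainfo.group(2)),
        "phase2": dict(KV.findall(sainfo.group(3))),
    }


def check_pair(left, right):
    """Return human-readable mismatches between the two ends; an empty list means they agree."""
    problems = []
    for name, a, b in (("left", left, right), ("right", right, left)):
        if a["remote"] != b["my_id"] or a["peer_id"] != b["my_id"]:
            problems.append(f"{name}: remote/peers_identifier is not the other side's my_identifier")
        if a["local_net"] != b["remote_net"]:
            problems.append(f"{name}: local selector {a['local_net']} is not the other side's "
                            f"remote selector {b['remote_net']}")
        if a["local_net"].prefixlen == 32:  # Chris's first suspicion: a single host, not the LAN
            problems.append(f"{name}: local selector {a['local_net']} is one host (/32), not a LAN")
        if a["nat_t"] == "on":  # Chris's second point: both WANs are public, so NAT-T is unneeded
            problems.append(f"{name}: nat_traversal on, not needed with public IPs on both WANs")
    if left["phase1"] != right["phase1"]:
        problems.append("phase 1 proposals differ")
    if left["phase2"] != right["phase2"]:
        problems.append("phase 2 (sainfo) parameters differ")
    return problems


def blocked_on_wan_belongs_in_tunnel(log_row, cfg):
    """True if a packet blocked on WAN was addressed into cfg's remote selector, i.e. a flow
    the IPsec policy should have carried rather than the plain WAN rules (this example's reading)."""
    cols = [c.strip() for c in log_row.split("|")]
    iface, dst = cols[2], cols[4].split(",")[0]
    return iface == "WAN" and ipaddress.ip_address(dst) in cfg["remote_net"]


if __name__ == "__main__":
    left, right = parse_racoon(LEFT_CONF), parse_racoon(RIGHT_CONF)
    for p in check_pair(left, right) or ["both sides agree"]:
        print(p)
    print("blocked flow is inside the tunnel selector (left view):",
          blocked_on_wan_belongs_in_tunnel(LOG_ROW, left))
```

Run against the posted pair, the only findings are the two nat_traversal lines, matching what Chris saw; re-running after changing one side's selector to a /32 adds the "not the other side's remote selector" and "/32" findings, which is the mismatch Chris first asked Joe to check.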