 From:  "Robert Pumphrey" <rlpumphrey at 1mage dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  (Fwd) Re: [m0n0wall] Problem with using vpn-1 Securemote client
 Date:  Fri, 18 Apr 2008 16:34:16 -0600
First, to Neil A. Hillard: Thank you!

That was it.

> The traffic is more than likely being dropped by fragmentation.  Tick the
> 'Allow fragmented packets' option on the rule that lets the traffic out
> (default LAN to any rule?) and you'll probably find it works fine.

I had not looked at allowing fragmentation for the default LAN outbound rule.


------- Forwarded message follows -------
Date sent:      	Fri, 18 Apr 2008 22:47:48 +0100
To:             	m0n0wall at lists dot m0n0 dot ch
From:           	"Neil A. Hillard" <m0n0 at dana dot org dot uk>
Subject:        	Re: [m0n0wall] Problem with using vpn-1 Securemote client.


Hi,

In message <48088387 dot 3972 dot 955DF3 at rlpumphrey dot 1mage dot com>, Robert Pumphrey <rlpumphrey at 1mage dot com> writes
>I have a problem with using the VPN-1 SecuRemote client.
>I'm using Monowall 1.23 on a standard
>I see in the firewall logs that the UDP connection is being blocked:
>
>X 10:52:03.371251 WAN 207.109.XX.XX 192.168.XX.XX UDP
>or the raw view:
>10:52:03.371251 xl1 @200:3 b 207.109.XX.XX -> 192.168.XX.XX PR udp len 20 (224) (frag 14451:204@1480) K-S K-F IN
>On the WAN interface I have added two rules
>The first one allows UDP from 207.109.XX.XX, any port, to our LAN on any port.
>And the second rule on the WAN interface allows any protocol from 207.109.XX.XX, any port, to our LAN on any port.
>So two questions.
>How do I tell which of the rules blocked the UDP connections?
>Why if I think I have rule allowing UDP is it still being blocked?

I don't follow how you've got this configured.  Do you have SecuRemote
on the LAN?

If so, you don't need to add any rules on the WAN interface, just on the
LAN interface to allow the SecuRemote traffic out.  As m0n0wall is
stateful it will automatically allow the replies.

The traffic is more than likely being dropped by fragmentation.  Tick
the 'Allow fragmented packets' option on the rule that lets the traffic
out (default LAN to any rule?) and you'll probably find it works fine.

I have SecuRemote working here with no problems.

HTH,


                                Neil.

-- 
Neil A. Hillard                E-Mail:   m0n0 at dana dot org dot uk

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

------- End of forwarded message -------
Robert L. Pumphrey
1mage Software 
303-773-1424
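The blocked line quoted in the thread is an inbound non-first fragment: `frag 14451:204@1480` means IP id 14451, 204 bytes at byte offset 1480. A fragment at a non-zero offset carries no UDP header, so no port-based rule and no state entry keyed on ports can match it, which is the mechanism behind Neil's diagnosis. The following script is an added example written for this page, not code from the thread or from m0n0wall. It parses ipmon-style "raw view" lines, flags fragments that lack a transport header, and groups fragments per datagram. The log layout is inferred from the single line quoted above; the sample lines, addresses, ports and the imagined first fragment are constructed, and the helper names `parse_line`, `explain` and `fragment_report` are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the ipmon-style "raw view" format quoted in the thread.
# Line 1 mirrors the blocked packet from the original post, with the "XX"
# octets replaced by made-up values; line 2 is an imagined first fragment of
# the same datagram (UDP 500 chosen arbitrarily, it is an assumption);
# line 3 is an unrelated, unfragmented outbound packet that was passed.
SAMPLE_LOG = """\
10:52:03.371251 xl1 @200:3 b 207.109.1.2 -> 192.168.1.10 PR udp len 20 (224) (frag 14451:204@1480) K-S K-F IN
10:52:03.370900 xl1 @200:3 b 207.109.1.2,500 -> 192.168.1.10,500 PR udp len 20 (1500) (frag 14451:1480@0+) K-S K-F IN
10:52:02.900000 xl0 @100:1 p 192.168.1.10,500 -> 207.109.1.2,500 PR udp len 20 76 K-S OUT
"""

# Field layout assumed from the one line on the page: ports appear only when
# the packet carries a transport header; the fragment field is "id:len@off",
# with a trailing "+" taken to mean more fragments follow.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bpS])\s+"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+\(?(?P<plen>\d+)\)?"
    r"(?:\s+\(frag\s+(?P<fid>\d+):(?P<flen>\d+)@(?P<foff>\d+)(?P<mf>\+)?\))?"
    r"(?P<flags>.*?)\s+(?P<dir>IN|OUT)\s*$"
)


@dataclass
class LogEntry:
    time: str
    iface: str
    rule: str                 # "group:number" as logged, e.g. "200:3"
    action: str               # "b" blocked, "p" passed
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    direction: str
    frag_id: Optional[int]    # IP identification shared by all fragments
    frag_len: Optional[int]   # payload bytes carried by this fragment
    frag_off: Optional[int]   # byte offset of this fragment in the datagram
    more_frags: bool

    @property
    def is_fragment(self) -> bool:
        return self.frag_id is not None

    @property
    def has_transport_header(self) -> bool:
        # Only an unfragmented packet or the first fragment (offset 0)
        # carries the UDP/TCP header with the ports a rule can match on.
        return not self.is_fragment or self.frag_off == 0


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one raw-view log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()

    def num(v: Optional[str]) -> Optional[int]:
        return int(v) if v is not None else None

    return LogEntry(
        time=g["time"], iface=g["iface"], rule=f"{g['group']}:{g['rule']}",
        action=g["action"], src=g["src"], sport=num(g["sport"]),
        dst=g["dst"], dport=num(g["dport"]), proto=g["proto"],
        direction=g["dir"], frag_id=num(g["fid"]), frag_len=num(g["flen"]),
        frag_off=num(g["foff"]), more_frags=g["mf"] == "+",
    )


def explain(e: LogEntry) -> str:
    """Say, for a blocked packet, why a port/state-based rule could not pass it."""
    if e.action != "b":
        return "passed by rule @%s" % e.rule
    if e.is_fragment and not e.has_transport_header:
        return (
            "non-first fragment (id %d, %d bytes at offset %d) carries no %s "
            "header, so neither a port-based rule nor the state entry created "
            "by the first packet can match it; the rule that passed the "
            "original traffic needs fragment handling enabled (m0n0wall's "
            "'Allow fragmented packets')" % (e.frag_id, e.frag_len, e.frag_off, e.proto)
        )
    return "blocked by rule @%s" % e.rule


def fragment_report(log_text: str) -> Dict[Tuple[str, str, int], List[Tuple[int, int, str]]]:
    """Group fragments by (src, dst, IP id) and list (offset, length, action)
    for each, so a datagram that was only partly passed stands out."""
    groups: Dict[Tuple[str, str, int], List[Tuple[int, int, str]]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not e.is_fragment:
            continue
        groups.setdefault((e.src, e.dst, e.frag_id), []).append((e.frag_off, e.frag_len, e.action))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_line(line)
        if entry:
            print(entry.time, entry.direction, entry.src, "->", entry.dst, ":", explain(entry))
    print(fragment_report(SAMPLE_LOG))
```

Run against a real m0n0wall raw log the grouping shows at a glance whether only the non-first fragments of a datagram are being dropped, which is the pattern to expect when the outbound rule was created without the fragment option; if the offset-0 fragment is blocked too, the problem is the rule itself, not fragmentation.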