 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: AW: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification
 Date:  Fri, 28 Nov 2008 11:25:43 -0500
On Fri, Nov 28, 2008 at 11:05 AM, Michael Stecher
<Michael dot Stecher at cib dot de> wrote:
> I've found out the problem: we're using a 10.0.0.0 Class A net on the m0n0wall OPT interface (endpoint
> of the tunnel) but only a /29 subnet for the ipsec tunnel. For each subnet we've got one proxy ARP
> entry in the m0n0wall configuration for the respective subnet's gateway. In the near future we want to
> establish more of these subnets, each with its own ipsec tunnel to a specific customer, so it's not possible
> to use the current ipsec subnet for the OPT interface. The subnets should be separated from each other (we
> do this with firewall rules and managed switches).
>
> M0n0wall adds ipsec firewall rules for the OPT interface IP address (/32), but not for the specific
> tunnels.
> ...
> @18 pass out quick on vr2 proto udp from 10.0.0.1/32 port = isakmp to any keep frags
> @19 pass out quick on vr2 proto udp from 10.0.0.1/32 port = sae-urn to any keep frags
> @20 pass out quick on vr2 proto esp from 10.0.0.1/32 to any keep frags
> @21 pass out quick on vr2 proto ah from 10.0.0.1/32 to any keep frags
> ...
> @32 pass in quick on vr2 proto udp from any to 10.0.0.1/32 port = isakmp keep frags
> @33 pass in quick on vr2 proto udp from any to 10.0.0.1/32 port = sae-urn keep frags
> @34 pass in quick on vr2 proto esp from any to 10.0.0.1/32 keep frags
> @35 pass in quick on vr2 proto ah from any to 10.0.0.1/32 keep frags
>
> Is there an easy reason to add those rules for our subnets (proxy ARP) gateways?

That's just to allow the connections to be initiated. Add rules in the
GUI for anything else you need to pass.  m0n0wall won't listen on
proxy ARP IPs so you can't terminate IPsec connections using one.
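As an added example (not from this thread or from m0n0wall itself), a small Python check that parses the pf rules quoted above and reports which IPsec components lack an inbound rule for a given local address. The rule text is copied from the message with the `@NN` labels dropped; the 10.0.0.9 proxy-ARP gateway address is a constructed value for illustration.

```python
import ipaddress
import re

# The m0n0wall-generated IPsec rules as quoted in the thread (labels stripped).
# "isakmp" is UDP 500 and "sae-urn" is the /etc/services name for UDP 4500 (NAT-T).
M0N0WALL_IPSEC_RULES = """
pass out quick on vr2 proto udp from 10.0.0.1/32 port = isakmp to any keep frags
pass out quick on vr2 proto udp from 10.0.0.1/32 port = sae-urn to any keep frags
pass out quick on vr2 proto esp from 10.0.0.1/32 to any keep frags
pass out quick on vr2 proto ah from 10.0.0.1/32 to any keep frags
pass in quick on vr2 proto udp from any to 10.0.0.1/32 port = isakmp keep frags
pass in quick on vr2 proto udp from any to 10.0.0.1/32 port = sae-urn keep frags
pass in quick on vr2 proto esp from any to 10.0.0.1/32 keep frags
pass in quick on vr2 proto ah from any to 10.0.0.1/32 keep frags
"""

# Matches the subset of pf syntax used by the quoted rules (direction, interface,
# protocol, source/destination with optional "port = NAME").
RULE_RE = re.compile(
    r"pass (?P<dir>in|out) quick on (?P<iface>\S+) proto (?P<proto>\S+) "
    r"from (?P<src>\S+)(?: port = (?P<sport>\S+))? to (?P<dst>\S+)(?: port = (?P<dport>\S+))?"
)

# Every IPsec endpoint needs these four inbound components to be reachable.
IPSEC_COMPONENTS = {"isakmp", "sae-urn", "esp", "ah"}


def parse_rules(text):
    """Parse rule lines into dicts; lines that do not fit the pattern are skipped."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def _address_matches(spec, addr):
    """True if addr falls inside a pf address spec ("any" or a CIDR/host)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def inbound_ipsec_allowed(rules, local_addr):
    """Components (port name for udp, else protocol) that inbound rules admit to local_addr."""
    allowed = set()
    for r in rules:
        if r["dir"] == "in" and _address_matches(r["dst"], local_addr):
            allowed.add(r["dport"] or r["proto"])
    return allowed & IPSEC_COMPONENTS


def missing_for_endpoint(rules, local_addr):
    """IPsec components with no inbound rule for local_addr; empty set means fully covered."""
    return IPSEC_COMPONENTS - inbound_ipsec_allowed(rules, local_addr)


if __name__ == "__main__":
    rules = parse_rules(M0N0WALL_IPSEC_RULES)
    for addr in ("10.0.0.1", "10.0.0.9"):  # interface address vs. constructed proxy-ARP gateway
        print(addr, "missing:", sorted(missing_for_endpoint(rules, addr)) or "none")
```

Running it shows the interface address 10.0.0.1 fully covered while the proxy-ARP address has no inbound IPsec rule at all, which is the gap the reply describes: the generated rules only ever name the interface's own /32.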