 
 From:  Michael Stecher <Michael dot Stecher at cib dot de>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: AW: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification
 Date:  Wed, 3 Dec 2008 17:00:13 +0100
I think it's only a problem with SAD and SPD rules.

If I could change SAD and SPD from 10.0.0.1 (OPT IP) to my own value, maybe it would work?!?

Any idea?

Many thanks!

Michael




From: Michael Stecher [mailto:Michael dot Stecher at cib dot de]
Sent: Wednesday, 3 December 2008 09:23
To: m0n0wall at lists dot m0n0 dot ch
Subject: AW: AW: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification

OK, many thanks for your help.

Is there another reason to use m0n0wall with different VPN subnets? I don't want to install a
m0n0wall for each net.



                                         ---> IPSec Tunnel 1 / 10.1.1.1/29
WAN   ->    m0n0wall OPT (10.0.0.0/8) ---
                                         ---> IPSec Tunnel 2 / 10.1.1.9/29


Bye,

Michael




From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Friday, 28 November 2008 17:26
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: AW: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification

On Fri, Nov 28, 2008 at 11:05 AM, Michael Stecher
<Michael dot Stecher at cib dot de> wrote:
> I've found out the problem: we're using a 10.0.0.0 Class A net on the m0n0wall OPT interface (endpoint
> of the tunnel) but only a /29 subnet for the ipsec tunnel. For each subnet we've got one proxy ARP
> entry in the m0n0wall configuration for the respective subnet's gateway. In the near future we want to
> establish more of these subnets, each with its own ipsec tunnel to a specific customer, so it's not possible
> to use the current ipsec subnet for the OPT interface. The subnets should be separated from each other (we
> do this with firewall rules and managed switches).
>
> M0n0wall adds ipsec firewall rules for the OPT interface IP address (/32), but not for the specific
> tunnels.
> ...
> @18 pass out quick on vr2 proto udp from 10.0.0.1/32 port = isakmp to any keep frags
> @19 pass out quick on vr2 proto udp from 10.0.0.1/32 port = sae-urn to any keep frags
> @20 pass out quick on vr2 proto esp from 10.0.0.1/32 to any keep frags
> @21 pass out quick on vr2 proto ah from 10.0.0.1/32 to any keep frags
> ...
> @32 pass in quick on vr2 proto udp from any to 10.0.0.1/32 port = isakmp keep frags
> @33 pass in quick on vr2 proto udp from any to 10.0.0.1/32 port = sae-urn keep frags
> @34 pass in quick on vr2 proto esp from any to 10.0.0.1/32 keep frags
> @35 pass in quick on vr2 proto ah from any to 10.0.0.1/32 keep frags
>
> Is there an easy reason to add those rules for our subnets (proxy ARP) gateways?

That's just to allow the connections to be initiated. Add rules in the
GUI for anything else you need to pass.  m0n0wall won't listen on
proxy ARP IPs so you can't terminate IPsec connections using one.
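As an added example (not from the thread and not m0n0wall code), the following Python audits an ipfilter rule listing like the one quoted above and reports which IPsec rule kinds (ISAKMP, NAT-T on sae-urn, ESP, AH, in each direction) have no pass rule for a given local endpoint address. Run against the quoted rules it shows the OPT address 10.0.0.1 fully covered and an address from the tunnel subnets in the diagram (10.1.1.1, used here as a constructed check value) not covered at all, which is the gap Michael describes.

```python
import ipaddress
import re

# The auto-generated IPsec rules on vr2 (OPT) as quoted in the thread.
IPF_RULES = """\
@18 pass out quick on vr2 proto udp from 10.0.0.1/32 port = isakmp to any keep frags
@19 pass out quick on vr2 proto udp from 10.0.0.1/32 port = sae-urn to any keep frags
@20 pass out quick on vr2 proto esp from 10.0.0.1/32 to any keep frags
@21 pass out quick on vr2 proto ah from 10.0.0.1/32 to any keep frags
@32 pass in quick on vr2 proto udp from any to 10.0.0.1/32 port = isakmp keep frags
@33 pass in quick on vr2 proto udp from any to 10.0.0.1/32 port = sae-urn keep frags
@34 pass in quick on vr2 proto esp from any to 10.0.0.1/32 keep frags
@35 pass in quick on vr2 proto ah from any to 10.0.0.1/32 keep frags
"""

# Shape of an ipfilter rule as printed in the listing; the port clause is optional
# and sits after the address it belongs to.
RULE_RE = re.compile(
    r"^@(?P<num>\d+) (?P<action>\w+) (?P<dir>in|out) quick on (?P<iface>\S+) "
    r"proto (?P<proto>\w+) from (?P<src>\S+)(?: port = (?P<sport>\S+))? "
    r"to (?P<dst>\S+)(?: port = (?P<dport>\S+))?"
)

# What an IPsec endpoint needs passed in each direction: IKE, NAT-T, ESP and AH.
IPSEC_KINDS = {("udp", "isakmp"), ("udp", "sae-urn"), ("esp", None), ("ah", None)}

def parse_rules(text):
    """Parse the rule listing into dicts; lines that are not rules are skipped."""
    return [m.groupdict() for m in map(RULE_RE.match, text.splitlines()) if m]

def _covers(addr, spec):
    """True if the rule's address spec ('any' or a prefix) includes addr."""
    return spec == "any" or addr in ipaddress.ip_network(spec, strict=False)

def missing_ipsec_rules(rules, endpoint):
    """Return the set of (direction, proto, port) with no pass rule for endpoint."""
    ip = ipaddress.ip_address(endpoint)
    missing = set()
    for direction in ("in", "out"):
        # Inbound rules name the local endpoint as destination, outbound as source.
        local, local_port = ("dst", "dport") if direction == "in" else ("src", "sport")
        for proto, port in IPSEC_KINDS:
            if not any(r["action"] == "pass" and r["dir"] == direction and r["proto"] == proto
                       and _covers(ip, r[local]) and (port is None or r[local_port] == port)
                       for r in rules):
                missing.add((direction, proto, port))
    return missing

if __name__ == "__main__":
    rules = parse_rules(IPF_RULES)
    for ep in ("10.0.0.1", "10.1.1.1"):  # OPT address, then a tunnel-subnet gateway
        print(ep, "missing:", sorted(missing_ipsec_rules(rules, ep), key=str) or "none")
```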

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
