 
 From:  Michael <monowall at encambio dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Problems with IPSec tunnel config
 Date:  Mon, 29 Mar 2010 15:16:13 +0200
Hello,

On Fri., Mar 26, 2010, Michael wrote:
>>If I try to ping (Diagnostics menu) from one router with the LAN
>>address 192.168.12.0/24 to the other 192.168.13.0/24, I get no
>>answer:
>>
>>  <192.168.12.10>$ ping 192.168.13.8
>>  No answer (host down)
>>
I've gotten past this now by disabling the 'Block RFC1918 networks'
option at the bottom of the Interfaces:WAN menu. The strange thing is
that although a ping from the local subnet to the remote one
succeeds (over IPSec and through the remote router's NAT), I
must first select 'LAN' from the Diagnostics:Ping menu. When
doing the same ping from the WAN or OPT interface, no echo is
received. Coincidentally, all LAN interfaces have NATed subnets
while all OPT (and of course WAN) interfaces do not.

My IPSec configurations were using preshared keys at first. Now
they are using X.509 certificates. Strangely, the problem which
this email thread describes only happens to the IPSec tunnels
and not with the IPSec mobile clients (which are themselves
behind NAT).

It would seem as if NAT is the problem, but I have tested both
with and without NAT-T on all IPSec clients and servers.

My interfaces are:

  ---- Router A ----        ---- Router B ----
  WAN: 64.64.46.65/29       WAN: 86.86.68.31/29
  LAN: 192.168.12.1/24      LAN: 192.168.13.1/24
  OPT: 123.123.123.1/24     OPT: 110.110.110.1/24

Router A has an IPSec tunnel to Router B, and vice versa.
Looking at Diagnostics:IPSec...

Router A: Source         Destination    Proto   SPI
          64.64.46.65    86.86.68.31    ESP     07f40163
          86.86.68.31    64.64.46.65    ESP     0bf91bfa

Router B: Source         Destination    Proto   SPI
          86.86.68.31    64.64.46.65    ESP     0bf91bfa
          64.64.46.65    86.86.68.31    ESP     07f40163

Example router pings (simulating the Diagnostics:Ping web UI):

  <LAN> ping 192.168.13.8
  PING 192.168.13.8: 56 data bytes
  64 bytes from 192.168.13.8: icmp_seq=0 ttl=64 time=0.358 ms
  64 bytes from 192.168.13.8: icmp_seq=1 ttl=64 time=0.251 ms

  <WAN> ping 192.168.13.8
  PING 192.168.13.8: 56 data bytes
  Request timeout for icmp_seq 0        (PROBLEM HERE!!!)
  Request timeout for icmp_seq 1        (PROBLEM HERE!!!)

  <OPT> ping 192.168.13.8
  PING 192.168.13.8: 56 data bytes
  Request timeout for icmp_seq 0        (PROBLEM HERE!!!)
  Request timeout for icmp_seq 1        (PROBLEM HERE!!!)

Any help is appreciated to resolve this IPSec (?) or NAT
traversal (?) problem.

Regards,
Michael
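One way to reason about the three pings above, as an added example that is not part of the thread: assuming the Diagnostics:Ping interface selector sets the ping's source address, and assuming the tunnel's phase-2 selectors are the two LAN subnets (the mail shows only the ESP SAs, not the negotiated subnets), the code below checks which source addresses those selectors cover, i.e. which pings would enter the tunnel at all.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """One IPsec phase-2 traffic selector (local subnet <-> remote subnet)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


# Assumed phase-2 selector for Router A's tunnel (constructed; the mail
# lists the ESP SAs but not the subnets the tunnel was configured for).
ROUTER_A_SPD = [
    Selector(ipaddress.ip_network("192.168.12.0/24"),
             ipaddress.ip_network("192.168.13.0/24")),
]

# Source address each interface choice would give the ping on Router A,
# taken from the interface table in the mail.
ROUTER_A_SOURCES = {
    "LAN": "192.168.12.1",
    "WAN": "64.64.46.65",
    "OPT": "123.123.123.1",
}


def matches_spd(spd, src, dst):
    """Return the first selector covering src->dst, or None when the packet
    matches no selector and would be routed (and NATed) in the clear."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for sel in spd:
        if s in sel.local and d in sel.remote:
            return sel
    return None


def ping_paths(spd, sources, dst):
    """Classify each interface's ping as 'tunnel' (selector hit) or 'bypass'."""
    return {iface: ("tunnel" if matches_spd(spd, src, dst) else "bypass")
            for iface, src in sources.items()}


if __name__ == "__main__":
    for iface, path in ping_paths(ROUTER_A_SPD, ROUTER_A_SOURCES,
                                  "192.168.13.8").items():
        print(f"{iface:<4} ping 192.168.13.8 -> {path}")
```

Under these assumptions only the LAN-sourced ping matches a selector; a WAN- or OPT-sourced ping never reaches the remote LAN through the tunnel, which is consistent with the timeouts shown for those two interfaces.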