 
 From:  Trent Cameron <tcameron at conservice dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Monowall blocking ipsec traffic that should be passed
 Date:  Thu, 12 Aug 2010 13:37:47 -0600
I am having the following problem (also listed here:
http://forum.m0n0.ch/index.php/topic,4329.msg13367.html#msg13367).
I am trying to pass IPsec traffic from a Cisco device to another Cisco


having problems with the m0n0wall still blocking the UDP packets.
Here are some of the logs (I have replaced 1.2.3.4 with the actual IP
of the device that is trying to connect).

I have tried to allow all traffic from 1.2.3.4
@22 pass in log first quick from 1.2.3.4/32 to any keep state group 200
as well as the specific UDP traffic that is being blocked
@25 pass in log first quick proto udp from 1.2.3.4/32 to 192.168.60.2/32 port = sae-urn keep state group 200
Error message with the packet getting blocked:

Last 50 filter log entries
Aug 11 22:05:26 m0n0wall ipmon[115]: 22:05:25.871437 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 IN bad NAT
Aug 11 22:05:28 m0n0wall ipmon[115]: 22:05:27.871379 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT
Aug 11 22:05:30 m0n0wall ipmon[115]: 22:05:29.869274 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT
Aug 11 22:05:32 m0n0wall ipmon[115]: 22:05:31.869223 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT
Aug 11 22:05:34 m0n0wall ipmon[115]: 22:05:33.869262 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT

ipfstat -nio
@1 pass out quick on lo0 all
@2 pass out quick on bce0 proto udp from 192.168.60.1/32 port = bootps to any port = bootpc
@3 pass out quick on bce1 proto udp from any port = bootpc to any port = bootps
@4 pass out quick on bce0 all keep state
@5 pass out quick on bce1 all keep state
@6 block out log quick all
@1 pass in quick on lo0 all
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopts
@4 pass in quick on bce0 proto udp from any port = bootpc to 255.255.255.255/32 port = bootps
@5 pass in quick on bce0 proto udp from any port = bootpc to 192.168.60.1/32 port = bootps
@6 block in log quick on bce1 from 192.168.60.0/24 to any
@7 block in log quick on bce1 proto udp from any port = bootps to 192.168.60.0/24 port = bootpc
@8 pass in quick on bce1 proto udp from any port = bootps to any port = bootpc
@9 skip 4 in on bce0 from 192.168.2.0/24 to any
@10 skip 3 in on bce0 from 192.168.4.0/24 to any
@11 skip 2 in on bce0 from 192.168.5.0/24 to any
@12 skip 1 in on bce0 from 192.168.60.0/24 to any
@13 block in log quick on bce0 all
@14 skip 1 in proto tcp from any to any flags S/FSRA
@15 block in log quick proto tcp from any to any
@16 block in log quick on bce0 all head 100
@17 block in log quick on bce1 all head 200
@18 block in log quick all
# Group 100
@1 pass in quick from 192.168.60.0/24 to 192.168.60.1/32 keep state group 100
@2 pass in log first quick from any to 192.168.60.2/32 keep state group 100
@3 pass in log first quick from 192.168.60.2/32 to any keep state group 100
@4 pass in quick from 192.168.60.0/24 to any keep state group 100
@5 pass in quick proto tcp from 192.168.4.0/24 to any keep state group 100
@6 pass in quick proto tcp from 192.168.2.0/24 to any keep state group 100
@7 pass in quick from 192.168.5.0/24 to any keep state group 100
@8 pass in quick from 192.168.4.0/24 to any keep state group 100
@9 pass in quick from any to 192.168.60.217/32 keep state group 100
@10 pass in quick from 192.168.60.217/32 to any keep state group 100
@11 pass in quick from any to 1.2.3.4/32 keep state group 100
@12 pass in quick from 1.2.3.4/32 to any keep state group 100
@13 pass in log first quick from x.x.x.x/32 to any keep state group 100
# Group 200
@1 pass in quick proto tcp from any to 192.168.60.152/32 port = http keep state group 200
@2 pass in quick proto tcp from any to 192.168.60.152/32 port = https keep state group 200
@3 pass in quick proto tcp from any to 192.168.60.153/32 port = http keep state group 200
@4 pass in quick proto tcp from any to 192.168.60.153/32 port = https keep state group 200
@5 pass in quick proto tcp from any to 192.168.60.154/32 port = http keep state group 200
@6 pass in quick proto tcp from any to 192.168.60.154/32 port = https keep state group 200
@7 pass in quick proto tcp from any to 192.168.60.155/32 port = http keep state group 200
@8 pass in quick proto tcp from any to 192.168.60.155/32 port = https keep state group 200
@9 pass in quick proto tcp from any to 192.168.60.156/32 port = http keep state group 200
@10 pass in quick proto tcp from any to 192.168.60.156/32 port = https keep state group 200
@11 pass in quick proto tcp from any to 192.168.60.157/32 port = http keep state group 200
@12 pass in quick proto tcp from any to 192.168.60.157/32 port = https keep state group 200
@13 pass in quick proto tcp from any to 192.168.60.159/32 port = http keep state group 200
@14 pass in quick proto tcp from any to 192.168.60.159/32 port = https keep state group 200
@15 pass in quick proto tcp from any to 192.168.60.230/32 port = http keep state group 200
@16 pass in quick from 192.168.4.0/24 to 192.168.60.0/24 keep state group 200
@17 pass in quick from 192.168.60.0/24 to 192.168.4.0/24 keep state group 200
@18 pass in quick proto udp from any to 192.168.60.198/32 port = 1150 keep state group 200
@19 pass in quick proto tcp from any to 192.168.60.198/32 port = ssh keep state group 200
@20 pass in quick proto udp from any to 192.168.60.198/32 port = wizard keep state group 200
@21 pass in quick proto udp from any to 192.168.60.217/32 port = wizard keep state group 200
@22 pass in log first quick from 1.2.3.4/32 to any keep state group 200
@23 pass in quick from any to 1.2.3.4/32 keep state group 200
@24 pass in log first quick from x.x.x.x/32 to any keep state group 200
@25 pass in log first quick proto udp from 1.2.3.4/32 to 192.168.60.2/32 port = sae-urn keep state group 200
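Added example, not part of Trent's post and not m0n0wall or IPFilter code: a small Python triage script that parses ipmon filter-log lines in the layout shown above, maps each `@group:rule` reference back to the `ipfstat -nio` dump, and reports every entry whose logged verdict is a block even though the rule the packet matched is a pass rule. Run over the five log lines above, each entry comes out that way, and each carries ipmon's "bad NAT" flag, which IPFilter attaches when its NAT stage rejects the packet; the mismatch points at NAT processing of the UDP 4500 traffic rather than at the filter rule itself. The sample log and the group 200 rule excerpt are constructed from the post; the regex assumes the ipmon line layout m0n0wall produces above, with the syslog prefix and `PR proto len hlen plen flags` tail.

```python
import re

# Constructed sample input (copied from the post, each entry on one line).
SAMPLE_LOG = """\
Aug 11 22:05:26 m0n0wall ipmon[115]: 22:05:25.871437 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 IN bad NAT
Aug 11 22:05:28 m0n0wall ipmon[115]: 22:05:27.871379 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT
Aug 11 22:05:30 m0n0wall ipmon[115]: 22:05:29.869274 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT
"""

# Constructed excerpt of the `ipfstat -nio` dump: only the group 200 rules
# relevant to this log.
SAMPLE_RULES = """\
# Group 200
@22 pass in log first quick from 1.2.3.4/32 to any keep state group 200
@23 pass in quick from any to 1.2.3.4/32 keep state group 200
@25 pass in log first quick proto udp from 1.2.3.4/32 to 192.168.60.2/32 port = sae-urn keep state group 200
"""

# ipmon filter-log line as m0n0wall shows it (assumed layout, taken from the post):
#   <syslog ts> <host> ipmon[pid]: <kernel ts> <iface> @group:rule <action>
#   src,sport -> dst,dport PR <proto> len <hlen> <plen> <flags...>
IPMON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<ktime>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bpnSL]) "
    r"(?P<src>[\d.]+)(?:,(?P<sport>\S+))? -> (?P<dst>[\d.]+)(?:,(?P<dport>\S+))? "
    r"PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<flags>.*)$"
)
GROUP_HDR_RE = re.compile(r"^# Group (?P<group>\d+)$")
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<text>.*)$")


def parse_ipmon(line):
    """Return the fields of one ipmon line as a dict, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if m is None:
        return None
    e = m.groupdict()
    tokens = e["flags"].split()
    e["keep_state"] = "K-S" in tokens
    e["direction"] = "IN" if "IN" in tokens else ("OUT" if "OUT" in tokens else None)
    # "bad NAT" is a two-word flag, so test the raw string rather than the tokens.
    e["bad_nat"] = "bad NAT" in e["flags"]
    return e


def parse_rules(text):
    """Map (group, rule number) -> rule text from an `ipfstat -nio` dump."""
    rules, group = {}, "0"          # rules before any "# Group" header are group 0
    for line in text.splitlines():
        line = line.strip()
        g = GROUP_HDR_RE.match(line)
        if g:
            group = g["group"]
            continue
        r = RULE_RE.match(line)
        if r:
            rules[(group, r["num"])] = r["text"]
    return rules


def triage(log_text, rules):
    """Flag log entries whose logged verdict contradicts the rule they matched."""
    findings = []
    for line in log_text.splitlines():
        e = parse_ipmon(line)
        if e is None:
            continue
        rule = rules.get((e["group"], e["rule"]), "")
        rule_action = rule.split(" ", 1)[0] if rule else "unknown"
        if e["action"] == "b" and rule_action == "pass":
            findings.append({
                "time": e["ktime"], "iface": e["iface"],
                "flow": f'{e["proto"]} {e["src"]}:{e["sport"]} -> {e["dst"]}:{e["dport"]}',
                "rule": f'@{e["group"]}:{e["rule"]}', "rule_action": rule_action,
                "logged_action": "block",
                "reason": "bad NAT" if e["bad_nat"] else "unexplained",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, parse_rules(SAMPLE_RULES)):
        print(f'{f["time"]} {f["iface"]} {f["flow"]} matched {f["rule"]} '
              f'({f["rule_action"]}) but was logged as {f["logged_action"]}: {f["reason"]}')
```

Feeding the script a dump that lacks the referenced group (for example a partial `ipfstat` capture) yields no findings rather than a false one, since a rule whose text is unknown is reported as `unknown` and never counted as a pass/block mismatch.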