 From:  Michael <monowall at encambio dot com>
 To:  M0n0wall List <m0n0wall at lists dot m0n0 dot ch>
 Cc:  Heinz TEICHMANN <heinz dot teichmann at wanews dot com dot au>
 Subject:  Re: [m0n0wall] Still, IPSec VPN with Dyndns hosts
 Date:  Fri, 28 Jan 2011 16:23:03 +0100
Hello Heinz,

On Fri., Jan 28, 2011, Heinz TEICHMANN wrote:
>On Fri., Jan 21, 2011, Michael wrote:
>>The change in the configuration was in the menu Firewall/NAT.
>>If you choose 'Enable advanced outbound NAT' in the Outbound tab,
>>then make sure to deselect 'Disable port mapping' in the entries.
>I can't confirm this. In my case "Disable port mapping" is always
>checked because of SIP.  Everywhere in the web interface you see
>the new address of the other party, but the racoon logs say that
>it is trying to establish a connection to the old IP address.
>The biggest trial was 3 sites with version 1.32 and all 3 behave
>the same way.
Oh, I almost forgot. For good measure I rebooted all three routers
after upgrading to the beta image and adding the second outbound
NAT rule. If at all possible, reboot your routers, verify that
IPSec works, and then wait until you're sure the IP address
changed on just one router and test your IPSec tunnels again.
From a host in the 'Computers with portmapping' NAT region,
ping other hosts in similar NAT regions over IPSec, and for
good measure send TCP traffic (to a webserver on port 80, for
example). I sometimes need to wait a few minutes and repeat
this process to get the IPSec connected after a dynamic IP
address change.
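
Added example, not part of the original message: a check for the symptom described in the quoted reply, where racoon keeps negotiating with a peer's old address after its dynamic DNS name has changed. The hostnames, addresses and log lines are constructed, and the phase 1 log line format is assumed to match what ipsec-tools racoon writes on the affected routers.

```python
import re
import socket

# racoon logs each IKE attempt as local[port]<=>remote[port] (assumed format).
PHASE1 = re.compile(
    r"initiate new phase 1 negotiation: "
    r"(?P<local>[\d.]+)\[\d+\]<=>(?P<remote>[\d.]+)\[\d+\]"
)

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = """\
Jan 28 15:01:10 racoon: INFO: initiate new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.7[500]
Jan 28 15:02:01 racoon: ERROR: phase1 negotiation failed due to time up.
Jan 28 15:03:10 racoon: INFO: initiate new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.7[500]
Jan 28 15:03:40 racoon: INFO: initiate new phase 1 negotiation: 192.0.2.10[500]<=>203.0.113.20[500]
"""
# What each peer's dynamic DNS name resolves to now (constructed).
SAMPLE_CURRENT = {
    "site-b.example.net": "198.51.100.99",  # changed; racoon still tries .7
    "site-c.example.net": "203.0.113.20",
}


def resolve_peers(hostnames):
    """Resolve peer names live; use this instead of SAMPLE_CURRENT on a real network."""
    return {name: socket.gethostbyname(name) for name in hostnames}


def stale_peers(log_text, current):
    """Count phase 1 attempts aimed at an address no peer name resolves to now.

    current maps peer hostname -> its currently resolved address.
    Returns {remote_address: attempt_count} for the stale attempts only.
    """
    live = set(current.values())
    stale = {}
    for line in log_text.splitlines():
        match = PHASE1.search(line)
        if match and match.group("remote") not in live:
            remote = match.group("remote")
            stale[remote] = stale.get(remote, 0) + 1
    return stale


if __name__ == "__main__":
    for remote, count in stale_peers(SAMPLE_LOG, SAMPLE_CURRENT).items():
        print(f"{count} attempt(s) to {remote}, which no peer name resolves to now")
```

An empty result after a known address change means racoon has picked up the new address; a non-empty one matches the behaviour reported in the quoted text.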