 From:  Jim Gifford <jim at giffords dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] need help with DMZ setup, and broken ipsec tunnels
 Date:  Wed, 3 Mar 2004 15:13:25 -0500
On Wed, Mar 03, 2004 at 02:53:21PM -0500, Jim Gifford wrote:
> Going with the theory that a tunnel newly set up might function
> differently than one in a stored config file, I dug up an old config file
> from when ipsec was working fine for me between the dsl and cable.  I
> changed the IP addresses to match the current config, downloaded each
> m0n0wall systems config.xml, replaced the <ipsec>...</ipsec> sections
> with the ones I just hacked up, restored, waited for reboot, and the
> tunnel works again.
> I might be able to follow this same procedure to get the tunnel working
> between these 2 m0n0wall boxes and the 3rd box.
> I wish I had a diff of the config from a 1.0 gui created config vs a
> manually created config.  I'll keep experimenting and see if I can track
> down the differences.
> I'm still having all kinds of problems with the DMZ stuff though.

Ok, I feel kinda stupid now.  I tracked down this problem to be one of
user error (me of course).

For the "Remote Subnet" field, I was putting the address like
' / 24' instead of ' / 24'.  I've verified that
this works correctly whether the tunnel is created via the webgui or via
the config.xml file.  I suspect this is a large part of why I couldn't
get a tunnel to work with the remote freebsd machine in the past.
That means I just need to do more testing.  If I were smarter, I would
start writing down some of these little tidbits I discover for the
documentation project so others won't have to pull out as much hair as I
have.  *grin*

Now I have a triangle-shaped set of tunnels.  cable to dsl, dsl to t1, t1
to cable, and all are working.  Now I just need to make the DMZ stuff

Sorry for the false alarm about the ipsec tunnels.
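The two things this thread turns on are a malformed "Remote Subnet" value and swapping the `<ipsec>` section between config.xml files by hand. As an added example (not code from m0n0wall or from this thread), the Python below checks every tunnel's remote subnet for whitespace and non-network values, and performs the section swap programmatically. The element names `<tunnel>`, `<descr>` and `<remote-subnet>` and the sample config are assumptions; compare them against a real config.xml before use.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a m0n0wall config.xml (assumed element
# names; the first tunnel carries the kind of stray-whitespace value that
# broke the tunnel in the thread, the second is not a network address).
OLD_CONFIG = """<m0n0wall>
  <system><hostname>cable</hostname></system>
  <ipsec>
    <tunnel><descr>cable-dsl</descr><remote-subnet> 192.168.2.0 / 24</remote-subnet></tunnel>
    <tunnel><descr>cable-t1</descr><remote-subnet>192.168.3.1/24</remote-subnet></tunnel>
  </ipsec>
</m0n0wall>"""

# Constructed replacement section with cleanly formatted remote subnets.
NEW_IPSEC = """<ipsec>
  <tunnel><descr>cable-dsl</descr><remote-subnet>192.168.2.0/24</remote-subnet></tunnel>
  <tunnel><descr>cable-t1</descr><remote-subnet>192.168.3.0/24</remote-subnet></tunnel>
</ipsec>"""


def check_remote_subnets(config_xml):
    """Return (descr, value, problem) for each tunnel whose remote-subnet is
    not a clean 'a.b.c.d/nn' network: leading/trailing/inner whitespace,
    host bits set, or anything ipaddress refuses to parse."""
    root = ET.fromstring(config_xml)
    problems = []
    for tunnel in root.iter("tunnel"):
        descr = tunnel.findtext("descr", "")
        value = tunnel.findtext("remote-subnet", "")
        if value != value.strip() or " " in value:
            problems.append((descr, value, "stray whitespace"))
            continue
        try:
            ipaddress.ip_network(value, strict=True)  # strict rejects host bits
        except ValueError as exc:
            problems.append((descr, value, str(exc)))
    return problems


def replace_ipsec_section(config_xml, ipsec_xml):
    """Swap the whole <ipsec>...</ipsec> section for ipsec_xml, keeping its
    position in the document, and return the new config text."""
    root = ET.fromstring(config_xml)
    old = root.find("ipsec")
    if old is None:
        raise ValueError("config has no <ipsec> section")
    position = list(root).index(old)
    root.remove(old)
    root.insert(position, ET.fromstring(ipsec_xml))
    return ET.tostring(root, encoding="unicode")


def tunnel_descrs(config_xml):
    """List the <descr> of every tunnel, in document order."""
    return [t.findtext("descr", "") for t in ET.fromstring(config_xml).iter("tunnel")]
```

Running `check_remote_subnets` on the restored config before uploading it catches the formatting mistake that the web GUI otherwise hides until the tunnel silently fails to come up.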