 From:  "Arnold Cavazos Jr." <abcjr at abcjr dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  m0n0 IPSec and SSH Sentinel
 Date:  Mon, 15 Mar 2004 20:08:45 -0600
I have been able to get an IPSec tunnel semi-working with m0n0 and SSH 
Sentinel 1.3.2.2.  I can get through phase 1 and phase 2, get a tunnel 
up and running but once the tunnel is up, I am unable to do the 
following:

1. Ping any hosts on the LAN except the IP assigned to m0n0's LAN
   interface

   -- If I manually specify my own virtual IP addr for the IPSec
      tunnel (an unused IP in my public /29 network), I can only
      ping the m0n0's LAN IP and no other LAN IP addrs.  Looking
      at the ARP cache on any of the LAN hosts, the arp entry for
      the static IP is shown as (incomplete).

19:46:28.565531 IPSec.client.virtualip > Local.lan.ip: icmp: echo request (ttl 127, id 18309, len 60)
19:46:28.565649 arp who-has IPSec.client.virtualip tell Local.lan.ip
IPSec.client.virtualip (aaa.bbb.ccc.ddd) at (incomplete) on fxp0 [ethernet]

      I am very new to IPSec, but to me it looks like the m0n0 is
      just not arping for this virtual IP.  Should I expect it to?


2. Get DHCP over IPSec to work. (I am sure that #1 needs to be hammered
   out before I can proceed trying to do this)

   -- The SSH Sentinel logs show the dhcp broadcast being sent
      across the tunnel, but tcpdump never shows that being sent
      through to the LAN.  (The DHCP server is _not_ on the m0n0).


What am I missing?

-- 
Arnold Cavazos, Jr.		abcjr at abcjr . net
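The symptom in point 1 (LAN hosts sending "arp who-has" for the client's virtual IP and the entry staying incomplete) can be confirmed from a capture without eyeballing it. The following is an added example, not part of the original post and not m0n0wall or SSH Sentinel code: a small Python parser for tcpdump's classic ARP text format that lists every address that was asked for but never answered with an "is-at" reply, and checks that list against the virtual IPs the gateway is expected to proxy-ARP for. The sample capture, the 10.0.0.0/24 addresses and the MAC addresses are constructed placeholders, not values from the post.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump's classic text format (assumed layout:
# "<ts> arp who-has <target> tell <sender>" / "<ts> arp reply <target> is-at <mac>").
# Addresses are placeholders: 10.0.0.1 is the gateway's LAN IP, 10.0.0.200 the
# IPsec client's virtual IP, 10.0.0.50 an ordinary LAN host.
SAMPLE_CAPTURE = """\
19:46:28.565531 10.0.0.200 > 10.0.0.1: icmp: echo request (ttl 127, id 18309, len 60)
19:46:28.565649 arp who-has 10.0.0.200 tell 10.0.0.1
19:46:29.565700 arp who-has 10.0.0.200 tell 10.0.0.1
19:46:29.566100 arp who-has 10.0.0.50 tell 10.0.0.1
19:46:29.566300 arp reply 10.0.0.50 is-at 00:11:22:33:44:55
19:46:30.000000 arp who-has 10.0.0.1 tell 10.0.0.200
19:46:30.000200 arp reply 10.0.0.1 is-at 00:aa:bb:cc:dd:ee
"""

ARP_REQUEST = re.compile(r"^(?P<ts>\S+) arp who-has (?P<target>\S+) tell (?P<sender>\S+)")
ARP_REPLY = re.compile(r"^(?P<ts>\S+) arp reply (?P<target>\S+) is-at (?P<mac>\S+)")


def parse_arp(capture_text):
    """Return (requests, replied): requests maps each target IP to the list of
    IPs that asked for it; replied is the set of target IPs that got an is-at reply.
    Non-ARP lines (ICMP, etc.) are ignored."""
    requests = defaultdict(list)
    replied = set()
    for line in capture_text.splitlines():
        m = ARP_REQUEST.match(line)
        if m:
            requests[m["target"]].append(m["sender"])
            continue
        m = ARP_REPLY.match(line)
        if m:
            replied.add(m["target"])
    return requests, replied


def unanswered_arp_targets(capture_text):
    """Map every IP that was asked for but never answered to its request count.
    On a LAN these are the addresses that will sit as '(incomplete)' in ARP caches."""
    requests, replied = parse_arp(capture_text)
    return {target: len(senders) for target, senders in requests.items()
            if target not in replied}


def missing_proxy_arp(capture_text, virtual_ips):
    """Of the addresses the gateway is expected to answer ARP for on behalf of
    remote IPsec clients, return (sorted) those that stayed unanswered."""
    unanswered = unanswered_arp_targets(capture_text)
    return sorted(ip for ip in virtual_ips if ip in unanswered)


if __name__ == "__main__":
    for target, count in unanswered_arp_targets(SAMPLE_CAPTURE).items():
        print(f"{target}: {count} ARP request(s), no reply seen")
    print("virtual IPs without proxy ARP:",
          missing_proxy_arp(SAMPLE_CAPTURE, {"10.0.0.200", "10.0.0.50"}))
```

Run it against the output of `tcpdump -n -e` on the gateway's LAN interface (piped in via stdin or read from a file) with the set of virtual IPs handed out to IPsec clients; an address that shows up in the result is one that nothing on the LAN segment, the gateway included, is answering ARP for, which is exactly the "(incomplete)" state the post describes.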