Just installed m0n0wall (excellent product BTW) and am having trouble getting
what I assume to be a standard "road warrior" IPSec config working (i.e.,
dynamic address on the laptop client). Older messages in the archive
indicated that this was not supported at one time but has been since pb25.
Read the tutorial in the FAQ...

Coming in from the laptop on a public dial-up IP address to the firewall, I
am able to get a security association between the client and firewall, but
seem unable to reach any nodes on the LAN. There appear to be SAD and SPD
entries corresponding to my tunnel under the diagnostics pages.

First question... Should this work? The tutorial was a bit short on
principles of operation and qualifying assumptions, so I don't want to spend
huge amounts of time on this if it is currently known not to work. In
particular, does appropriate policy get set up when the tunnel is created?

Some basic config info: I am using SSH Sentinel 1.4 on the client side and
m0n0wall 1.0 for the firewall software (running on a 4501). The firewall
works fine for normal operation of both arbitrary outgoing services and
several incoming port-forwarded services. WAN address is static via DSL,
and the LAN is 192.168.1.0/24. The fact that I have an SA makes me assume I
have crypto and pre-shared keys set up right, but am in the dark about what
policy gets set up on the firewall when the tunnel is activated.

Second question... Does this config (if it does work) set up policy
assuming the packets will still be from the "external" address of the laptop
or an assigned "internal" address on the destination network? Couldn't find
anything in the mail archives on this.

SSH Sentinel appears to allow me to use DHCP (and a few other mechanisms) to
create a client-local virtual address on the remote network, but this seems
to fail/hang when I select the option. Tunnel set-up appears to work fine
when I don't select it, but no traffic passes. Note, my DHCP server is
external to the firewall, running on a Linux box on the 192.168.1.0 network.

I have logging for the default rule enabled, but see nothing obvious to me in

Any help or advice is appreciated.
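An added sketch, written for this thread rather than taken from m0n0wall or SSH Sentinel, of how an IPsec security policy database (SPD) decides what happens to a packet once the SA has delivered it. The matching rule follows RFC 4301 (first entry whose source/destination selectors cover the packet wins; no match means discard); every address except the 192.168.1.0/24 LAN prefix is constructed, and the function names are invented for the illustration. It shows why the second question matters: the inner source address on the client's packets has to fall inside the selector of the policy installed with the tunnel, whether that selector names the laptop's public address, a virtual address on the LAN, or any address at all.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SpdEntry:
    """One Security Policy Database entry: traffic selectors plus an action."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "protect" (accepted as tunnel traffic), "bypass" or "discard"


def entry(src, dst, action):
    return SpdEntry(ipaddress.ip_network(src), ipaddress.ip_network(dst), action)


def lookup(spd, src_ip, dst_ip):
    """Return the action of the first entry whose selectors cover the packet.
    RFC 4301: a packet that matches no SPD entry is discarded."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for e in spd:
        if s in e.src and d in e.dst:
            return e.action
    return "discard"


# Constructed topology; only the LAN prefix comes from the original message.
LAN = "192.168.1.0/24"
CLIENT_PUBLIC = "198.51.100.23"   # constructed dial-up address (TEST-NET-2 range)
CLIENT_VIRTUAL = "192.168.1.200"  # constructed virtual address a client might take on the LAN
LAN_HOST = "192.168.1.10"         # constructed LAN node the client wants to reach


def inbound_spd(client_selector):
    """Firewall-side inbound SPD holding a single road-warrior policy (hypothetical):
    decapsulated traffic from client_selector to the LAN is accepted as tunnel
    traffic; anything else arriving inside the tunnel falls through to discard."""
    return [entry(client_selector, LAN, "protect")]


def decrypted_packet_fate(client_selector, inner_src, inner_dst=LAN_HOST):
    """Fate of the inner (decapsulated) packet: its source must match the
    policy selector, otherwise it never reaches the LAN even though the SA exists."""
    return lookup(inbound_spd(client_selector), inner_src, inner_dst)


if __name__ == "__main__":
    # Walk the three plausible selector choices against both inner source addresses.
    for selector in (CLIENT_PUBLIC + "/32", CLIENT_VIRTUAL + "/32", "0.0.0.0/0"):
        for src in (CLIENT_PUBLIC, CLIENT_VIRTUAL):
            fate = decrypted_packet_fate(selector, src)
            print(f"selector {selector:18} inner src {src:15} -> {fate}")
```

Run it and the table shows the two failure modes a working SA can still hide: a policy keyed on the public address drops packets the client sends from a virtual LAN address, and a policy keyed on the virtual address drops packets sent from the public one. Only a selector wide enough to cover whichever address the client actually puts in the inner header lets traffic through, which is the thing to compare against the SPD entries shown on the diagnostics page.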