One more bit of data... I see the packets arrive at the interior nodes with
the source address set to the external address of the laptop. Doing a ping
from the laptop to the interior node arrives at that node fine, and it
replies to the address of the laptop. I never see this packet back at the
laptop. Nothing in the m0n0 logs about dropping the icmp reply. (Are these
But when I do the same thing with an HTTP connect, I do see a reject in the
log for the reply SYN. All this implies that perhaps there is no
corresponding outbound policy being set up. How does this work?
From: Don Hoffman [mailto:don at dhoffman dot net]
Sent: Thursday, April 01, 2004 1:22 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Problems with 'road warrior' IPSec configuration
Just installed m0n0wall (excellent product BTW) and having trouble getting
what I assume to be a standard "road warrior" IPSec config working. (i.e.,
dynamic address on the laptop client) Older messages in the archive
indicated that this was not supported at one time but has been since pb25.
Read the tutorial in the FAQ...
Coming in from the laptop on a public dial-up IP address to the firewall, I
am able to get a security association between the client and firewall, but
seem unable to reach any nodes on the LAN. There appear to be SAD and SPD
entries corresponding to my tunnel under the diagnostics pages.
First question... Should this work? The tutorial was a bit short on
principles of operation and qualifying assumptions, so I don't want to spend
huge amounts of time on this if it is currently known not to work. In
particular, does appropriate policy get setup when the tunnel is created?
Some basic config info: I am using SSH Sentinel 1.4 on the client side and
m0n0wall 1.0 for the firewall software (running on a 4501). The firewall
works fine for normal operation of both arbitrary outgoing services and
several incoming port-forwarded services. WAN address is static via DSL,
and the LAN is 192.168.1.0/24. The fact that I have an SA makes me assume I
have crypto and pre-shared keys set up right, but am in the dark about what
policy gets set up on the firewall when the tunnel is activated.
Second question..... Does this config (if it does work) set up policy
assuming the packets will still be from the "external" address of the laptop
or an assigned "internal" address on the destination network? Couldn't find
anything in the mail archives on this.
SSH Sentinel appears to allow me to use DHCP (and a few other mechanisms) to
create a client-local virtual address on the remote network, but this seems
to fail/hang when I select the option. Tunnel set-up appears to work fine
when I don't select it, but no traffic passes. Note, my DHCP server is
external to the firewall running on a Linux box on the 192.168.1.0 network.
I have logging for the default rule enabled, but see nothing obvious to me in
Any help or advice is appreciated.
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
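Added example, not from the thread and not m0n0wall's own code: a small Python check that reads a KAME-style SPD dump (the `setkey -DP` output of the FreeBSD IPsec stack m0n0wall is built on, and what its SPD diagnostics page shows) and reports whether both the inbound and the outbound half of the road-warrior policy exist for a given client address and LAN. The dumps embedded below are constructed to resemble that output; the WAN address 203.0.113.1 and the client address 198.51.100.7 are assumptions, only 192.168.1.0/24 comes from the post. Run against the inbound-only dump it reproduces the situation the first message suspects (inbound policy present, nothing to carry the LAN hosts' replies back), and checking a virtual client address against selectors keyed on the public address shows what the second question turns on: the selector has to name whatever address the client actually puts in its inner packets.

```python
"""Check a ``setkey -DP`` SPD dump for both halves of a road-warrior policy.

Added example; not code from the m0n0wall thread or project. The dumps below
are constructed to resemble KAME ``setkey -DP`` output. Addresses: 203.0.113.1
(firewall WAN) and 198.51.100.7 (laptop's public address) are assumptions;
192.168.1.0/24 is the LAN from the post.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed: a complete policy pair, one entry per direction.
SPD_COMPLETE = """\
198.51.100.7[any] 192.168.1.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.7-203.0.113.1/require
\tspid=1 seq=1 pid=123
\trefcnt=1
192.168.1.0/24[any] 198.51.100.7[any] any
\tout ipsec
\tesp/tunnel/203.0.113.1-198.51.100.7/require
\tspid=2 seq=0 pid=123
\trefcnt=1
"""

# Constructed: only the inbound half, the situation the thread suspects
# (packets reach the LAN, the LAN's replies have no outbound policy to ride).
SPD_INBOUND_ONLY = """\
198.51.100.7[any] 192.168.1.0/24[any] any
\tin ipsec
\tesp/tunnel/198.51.100.7-203.0.113.1/require
\tspid=1 seq=0 pid=123
\trefcnt=1
"""

SELECTOR_RE = re.compile(r"^(\S+)\[[^\]]*\]\s+(\S+)\[[^\]]*\]\s+\S+\s*$")
DIRECTION_RE = re.compile(r"^\s+(in|out|fwd)\s+(ipsec|discard|none)\b")
TUNNEL_RE = re.compile(r"^\s+(?:esp|ah|ipcomp)/tunnel/([^-\s]+)-([^/\s]+)/")


def parse_spd(dump: str) -> List[Dict]:
    """Split a dump into policies: an unindented "SRC[port] DST[port] proto"
    selector line, then indented lines carrying direction/action, the SA
    request (proto/mode/outer-src-outer-dst/level) and bookkeeping we ignore."""
    policies: List[Dict] = []
    current: Optional[Dict] = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = SELECTOR_RE.match(line)
            if m:
                current = {"src": m.group(1), "dst": m.group(2),
                           "direction": None, "action": None, "tunnel": None}
                policies.append(current)
            continue
        if current is None:
            continue
        m = DIRECTION_RE.match(line)
        if m:
            current["direction"], current["action"] = m.group(1), m.group(2)
            continue
        m = TUNNEL_RE.match(line)
        if m:
            current["tunnel"] = (m.group(1), m.group(2))  # (outer src, outer dst)
    return policies


def _net(selector: str):
    """'192.168.1.0/24[any]' -> network object; a bare host becomes a /32."""
    return ipaddress.ip_network(selector.split("[", 1)[0], strict=False)


def check_road_warrior(dump: str, client_ip: str, lan: str) -> Dict[str, bool]:
    """True/False per direction for an ipsec policy between client_ip and lan:
    'in'  : selector client -> LAN, direction in
    'out' : selector LAN -> client, direction out
    client_ip must be the address the client puts in its inner packets (its
    public address, or the virtual one if it was assigned one)."""
    client = ipaddress.ip_network(client_ip)
    lan_net = ipaddress.ip_network(lan, strict=False)
    found = {"in": False, "out": False}
    for p in parse_spd(dump):
        if p["action"] != "ipsec" or p["direction"] not in found:
            continue
        src, dst = _net(p["src"]), _net(p["dst"])
        if p["direction"] == "in" and client.subnet_of(src) and lan_net.subnet_of(dst):
            found["in"] = True
        elif p["direction"] == "out" and lan_net.subnet_of(src) and client.subnet_of(dst):
            found["out"] = True
    return found


def missing_directions(dump: str, client_ip: str, lan: str) -> List[str]:
    """Directions with no matching policy; [] means both halves are present."""
    found = check_road_warrior(dump, client_ip, lan)
    return [d for d in ("in", "out") if not found[d]]


if __name__ == "__main__":
    for name, dump in (("complete", SPD_COMPLETE), ("inbound only", SPD_INBOUND_ONLY)):
        print(name, "missing:", missing_directions(dump, "198.51.100.7", "192.168.1.0/24"))
    # A client sending from a virtual LAN-side address does not match
    # selectors keyed on its public address: both halves come back missing.
    print("virtual address vs public-keyed SPD:",
          missing_directions(SPD_COMPLETE, "192.168.1.200", "192.168.1.0/24"))
```

On a real box, paste the SPD diagnostics output (or `setkey -DP` from a shell) in place of the constructed dumps and pass the address the laptop is really sourcing from; if `out` comes back missing while the SA pair is present, the reject logged for the reply SYN is what you would expect to see.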