 From:  Justin Ellison <justin at techadvise dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPSec VPN Routing
 Date:  Thu, 20 May 2004 16:03:39 -0500
Well, I got it.

After a hairy crash course in FreeBSD/Racoon/KAME, I discovered that the
problem wasn't with routes.  When I would ping the m0n0wall, the
m0n0wall's response would be encrypted (which my host wasn't
expecting).  So, I found that I had to add two SPD entries before the
IPsec-related SPD entries were created.

A quick and dirty hack that worked was to insert the following code at
line 110 of /etc/inc/vpn.inc, right after the call to
vpn_localnet_determine:

if (!$localdone) {
   /* $sa and $sn are the local network address and prefix length that
      vpn_localnet_determine() has just filled in.  These two entries
      bypass IPsec for traffic from the local net to itself; they go in
      before the tunnel policies so they are matched first and the
      m0n0wall's replies to local hosts are not encrypted. */
   $spdconf .= "spdadd {$sa}/{$sn} {$sa}/{$sn} any -P in none;\n";
   $spdconf .= "spdadd {$sa}/{$sn} {$sa}/{$sn} any -P out none;\n";
   $localdone++;   /* add the bypass pair only once */
}

Of course, since I haven't read the hacker's guide yet, the option is
cleared once I reboot.  I'm going to get a development setup going at
home, and add a checkbox option to turn the feature on/off.

Hope this helps others,

Justin

> > -----Original Message-----
> > From: Justin Ellison [mailto:justin at techadvise dot com]
> > Sent: Wednesday, May 19, 2004 6:41 PM
> > To: Mitch (WebCob)
> > Subject: RE: [m0n0wall] IPSec VPN Routing
> > 
> > 
> > Hey Mitch,
> > 
> > On Wed, 2004-05-19 at 20:21, Mitch (WebCob) wrote:
> > > My question, is was "My House" able to communicate
> > > with "Montana" through "Local Office" before... and if so, can it now?
> > 
> > Before with FreeS/WAN, yes with no problems.  Before with m0n0wall, yes,
> > but I couldn't access the m0n0wall itself - I was forced to switch to
> > where I could get to "Local Office" and my m0n0wall, sacrificing access
> > to the "Montana Office".
> > 
> > > I was told to look into openvpn - which I am as time permits...
> > 
> > The problem with OpenVPN is that it is SSL/TLS, not IPSec.  I need IPSec
> > to talk to my Netscreen...
> > 
> > Justin
> > 
> > -- 
> > Justin Ellison <justin at techadvise dot com>
> > 
-- 
Justin Ellison <justin at techadvise dot com>
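The effect described in the message above (a reply from the firewall to a local host being matched by the tunnel policy, and the fix of adding local-to-local bypass entries ahead of it), as an added example that is not code from the m0n0wall project or from the original post. It is a toy first-match model of the KAME security policy database: it assumes that entries for a direction are consulted in insertion order and the first match wins, which is what the post's "before the IPsec-related SPD entries" implies. The addresses, tunnel endpoints and the supernet topology (a remote range that also covers the local LAN, so the tunnel policy matches LAN-to-LAN traffic) are constructed for illustration and are not the poster's setup.

```python
"""Toy first-match model of the KAME security policy database (SPD).

Added example; not code from the m0n0wall project or the original post.
Assumption: KAME consults the SPD entries for a direction in insertion
order and applies the first one that matches.  Addresses, gateways and
the supernet topology below are constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# One setkey line: spdadd <src> <dst> <upperspec> -P <dir> <policy> ;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+(none|discard|ipsec\s+\S+)\s*;"
)


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    action: str  # "none", "discard" or "ipsec <request>"


def parse_spd(text):
    """Parse 'spdadd' lines into Policy objects, preserving insertion order."""
    policies = []
    for src, dst, direction, action in SPDADD_RE.findall(text):
        policies.append(Policy(ipaddress.ip_network(src, strict=False),
                               ipaddress.ip_network(dst, strict=False),
                               direction, action))
    return policies


def lookup(policies, src_ip, dst_ip, direction):
    """Return the action of the first matching entry; no match means pass ('none')."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p.direction == direction and s in p.src and d in p.dst:
            return p.action
    return "none"


def build_spdconf(local="192.168.1.0/24", remote="192.168.0.0/16",
                  local_gw="203.0.113.1", remote_gw="198.51.100.1",
                  bypass_local=True):
    """Emit policies in the order the post's hack produces them: the
    local<->local bypass pair first, then the tunnel policies.  'remote'
    is a constructed supernet that also covers 'local', so without the
    bypass the outbound tunnel policy matches LAN-to-LAN traffic too."""
    lines = []
    if bypass_local:
        lines.append(f"spdadd {local} {local} any -P in none;")
        lines.append(f"spdadd {local} {local} any -P out none;")
    lines.append(f"spdadd {local} {remote} any -P out ipsec "
                 f"esp/tunnel/{local_gw}-{remote_gw}/require;")
    lines.append(f"spdadd {remote} {local} any -P in ipsec "
                 f"esp/tunnel/{remote_gw}-{local_gw}/require;")
    return "\n".join(lines) + "\n"


def reply_action(bypass_local):
    """Action applied to the firewall's ping reply (LAN IP -> LAN host, outbound)."""
    spd = parse_spd(build_spdconf(bypass_local=bypass_local))
    return lookup(spd, "192.168.1.1", "192.168.1.50", "out")


if __name__ == "__main__":
    print("without bypass:", reply_action(False))  # ipsec ... : reply would be encrypted
    print("with bypass:   ", reply_action(True))   # none : reply goes out in the clear
    # Traffic for the remote site still hits the tunnel policy.
    spd = parse_spd(build_spdconf())
    print("to remote site:", lookup(spd, "192.168.1.50", "192.168.7.9", "out"))
```

The two bypass lines are exactly what the hack appends to $spdconf; the model only shows why their position matters. A real setkey has no such overlap problem when the remote range and the local range are disjoint, which is why the hack is harmless in that case and necessary when they overlap.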