Dunno if Manuel wants it or not, but here's a patch to add a config option to fix the problem described below.

Justin

On Thu, 2004-05-20 at 16:03, Justin Ellison wrote:
> Well, I got it.
>
> After a hairy crash course in FreeBSD/Racoon/KAME, I discovered that the
> problem wasn't with routes. When I would ping the m0n0wall, the
> m0n0wall's response would be encrypted (which my host wasn't
> expecting). So, I found that I had to add two SPDs before the IPsec
> related SPDs were created.
>
> A quick and dirty hack that worked was made by inserting the following
> code on line 110 in /etc/inc/vpn.inc, right after the call to
> vpn_localnet_determine:
>
> if (!$localdone) {
>     $spdconf .= "spdadd {$sa}/{$sn} {$sa}/{$sn} any -P in none;\n";
>     $spdconf .= "spdadd {$sa}/{$sn} {$sa}/{$sn} any -P out none;\n";
>     $localdone++;
> }
>
> Of course, since I haven't read the hacker's guide yet, the option is
> cleared once I reboot. I'm going to get a development setup going at
> home, and add a checkbox option to turn the feature on/off.
>
> Hope this helps others,
>
> Justin
>
> > > -----Original Message-----
> > > From: Justin Ellison [mailto:justin at techadvise dot com]
> > > Sent: Wednesday, May 19, 2004 6:41 PM
> > > To: Mitch (WebCob)
> > > Subject: RE: [m0n0wall] IPSec VPN Routing
> > >
> > > Hey Mitch,
> > >
> > > On Wed, 2004-05-19 at 20:21, Mitch (WebCob) wrote:
> > > > My question is, was "My House" able to communicate
> > > > with "Montana" through "Local Office" before... and if so, can it now?
> > >
> > > Before with FreeS/WAN, yes with no problems. Before with m0n0wall, yes,
> > > but I couldn't access the m0n0wall itself - I was forced to switch to
> > > where I could get to "Local Office" and my m0n0wall, sacrificing access
> > > to the "Montana Office".
> > >
> > > > I was told to look into openvpn - which I am as time permits...
> > >
> > > The problem with OpenVPN is that it is SSL/TLS, not IPSec. I need IPSec
> > > to talk to my Netscreen...
> > >
> > > Justin
> > >
> > > --
> > > Justin Ellison <justin at techadvise dot com>
>
> --
> Justin Ellison <justin at techadvise dot com>
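The post describes the fix as a pair of "none" policies for the LAN subnet talking to itself, emitted before the tunnel policies so that the firewall's own replies to LAN hosts are not pushed into the IPsec SA. The script below is an added illustration written for this thread, not m0n0wall's vpn.inc or any code from the posters: it generates a setkey(8) policy file in that order and includes a check that a policy file has the bypass pair ahead of any ipsec policy. The subnet and gateway addresses are constructed sample values, the `gen_spd_conf` and `check_bypass_first` function names are this example's own, and the tunnel entries use the generic KAME `esp/tunnel/.../require` form rather than whatever vpn.inc actually emits.

```shell
#!/bin/sh
# Added example for the m0n0wall thread above; not project code.
# Builds a KAME setkey(8) SPD file with the LAN-to-LAN bypass pair first,
# then the site-to-site tunnel pair, and offers a check for that ordering.

# gen_spd_conf LOCAL_NET REMOTE_NET LOCAL_GW REMOTE_GW
# Prints four spdadd lines on stdout. The first two are the bypass pair
# from the post: traffic between the LAN subnet and itself is neither
# encrypted on the way out nor required to be encrypted on the way in.
gen_spd_conf() {
    local_net=$1; remote_net=$2; local_gw=$3; remote_gw=$4
    printf 'spdadd %s %s any -P in none;\n' "$local_net" "$local_net"
    printf 'spdadd %s %s any -P out none;\n' "$local_net" "$local_net"
    # Tunnel policies (assumed generic KAME syntax, not vpn.inc's exact form).
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$local_net" "$remote_net" "$local_gw" "$remote_gw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$remote_net" "$local_net" "$remote_gw" "$local_gw"
}

# check_bypass_first FILE
# Exit status 0 when every '-P in none' / '-P out none' line appears before
# the first ipsec policy line, 1 when a bypass line follows an ipsec line.
# Useful as a sanity check before feeding the file to 'setkey -f'.
check_bypass_first() {
    awk '
        /-P (in|out) none;/  { if (seen_ipsec) bad = 1 }
        /-P (in|out) ipsec/  { seen_ipsec = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Usage (constructed addresses):
#   gen_spd_conf 192.168.1.0/24 10.0.0.0/24 203.0.113.10 198.51.100.20 > spd.conf
#   check_bypass_first spd.conf && setkey -f spd.conf
```

The check is deliberately strict about order because the post reports that the bypass entries had to exist before the IPsec ones were created; keeping the generator and the check together means a later edit to the policy template cannot silently move the bypass pair after the tunnel policies.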