1. Yes, the masks are /22 for the internal LAN.

2. I should have checked the ipfstat. I have another unit that connects fine to OpenBSD and I was wondering why it was working without the rules. I have deleted the extra UDP/ESP rules. Thanks.

3. Yes, I can ping the LAN host using "ping -S 172.16.100.22 -c 10 172.16.40.23" from the exec.php page. And now it works.

Note: This is a backup circuit for a Frame Relay connection. Shouldn't this connection be permanent, or will it only come up when there is traffic? Why did ping wake it up?

Kevin

-----Original Message-----
From: Vincent Fleuranceau [mailto:vincent at bikost dot com]
Sent: Friday, July 23, 2004 7:00 AM
To: Kevin Roosdahl
Subject: Re: [m0n0wall] Problem setting up IPSec between two Soekris net4501 running m0n0wall 1.0

1° - Verify the netmask, in particular the /22 one; the "standard" value is /24.

2° - You don't need to set up specific filter rules for IPSec because m0n0wall takes care of that for you. Idem for routing.

3° - Try to ping some remote host from a LAN host, or even go to exec.php and type:

    ping -S <LAN_IP> -c10 <LAN_IP_ON_OTHER_END_OF_TUNNEL>

Note: the tunnel may take 5 seconds to establish, maybe up to 60 seconds if it has to clean expired SA before...

Please let me know if it works.

-- Vincent
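A small tunnel health check built around the ping form used in this thread (ping -S <LAN_IP> -c10 <remote LAN IP>), added here as an example and not part of either message. It parses the ping summary line and reports the tunnel as up if any reply came back, since the first probes of a cold tunnel are expected to be lost while the SA is negotiated. The function names, the sample ping output and the use of the thread's addresses as defaults are constructed for the example; the -S source-address flag is the BSD form that m0n0wall's exec.php uses, on Linux ping the equivalent is -I.

```shell
#!/bin/sh
# Added example (not from the m0n0wall thread): decide whether an IPsec tunnel
# is passing traffic by parsing the summary line of ping output.
# Helper names and the sample output are constructed for this example.

# parse_received: print the number of echo replies received, taken from the
# summary line, e.g. "10 packets transmitted, 7 packets received, 30.0% packet loss"
# (BSD) or "10 packets transmitted, 7 received, 30% packet loss, time 9010ms"
# (Linux). Prints 0 when no summary line is present (e.g. "No route to host").
parse_received() {
    printf '%s\n' "$1" | awk '
        /transmitted/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^received/) {
                    # BSD: "N packets received"; Linux: "N received"
                    n = ($(i-1) == "packets") ? $(i-2) : $(i-1)
                    print n; found = 1; exit
                }
        }
        END { if (!found) print 0 }'
}

# tunnel_state: print "up" if at least one reply was received, else "down".
# Any reply means the SA came up and traffic is flowing both ways through
# the tunnel; partial loss on a cold tunnel is normal, not a failure.
tunnel_state() {
    n=$(parse_received "$1")
    if [ "$n" -gt 0 ] 2>/dev/null; then
        echo up
    else
        echo down
    fi
}

# check_tunnel SRC_LAN_IP DST_LAN_IP [COUNT]: run the probe from the local
# LAN address (so the packet matches the IPsec policy) and report the state.
# Defaults are the addresses quoted in the thread.
check_tunnel() {
    src=${1:-172.16.100.22}
    dst=${2:-172.16.40.23}
    count=${3:-10}
    out=$(ping -S "$src" -c "$count" "$dst" 2>&1)
    tunnel_state "$out"
}

# Live usage, e.g. from cron, so a backup tunnel is kept established and
# its state is logged:  check_tunnel 172.16.100.22 172.16.40.23 10
```

Run check_tunnel periodically from the m0n0wall side with the LAN source address; a steady "down" after several minutes means the SA is not being negotiated at all rather than simply idle, and that is the point to look at the IPsec and ipfstat logs.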