 From:  Vincent Fleuranceau <vincent at bikost dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Testing OpenVPN?
 Date:  Wed, 11 Aug 2004 10:02:18 +0200
-------- Original Message --------

>>Has anyone succeeded in replacing the official IPsec feature (based on 
>>racoon) with the unofficial OpenVPN port, in gateway-to-gateway VPN 
> Well, "replacing" would certainly be a bad idea, for at least a couple of
> reasons:

Hi all,

I'm very sorry if I let you think I wanted to have IPSec replaced by 
OpenVPN in official m0n0wall releases.

What I meant should have been written: "Has anyone succeeded in using 
the unofficial OpenVPN port, in gateway-to-gateway VPN configuration?"

In fact, I must have thought and written too quickly. More, English is 
not my natural language. Please excuse this "bug" ;-)

Sorry for that!

(Manuel: in fact I was starting a putsch, but I've been caught ;-)

More: IPsec does not work 100% of the time for me, but this does not 
mean I will switch to OpenVPN and let other people find a solution for 
me. I imagine other people are not satisfied with the situation too, so 
I want to contribute and make IPsec work on m0n0wall. I won't give up so 
easily ;-)

> How about just investigating what's wrong when your IPsec tunnel stops
> working?  Did you ever get the PPTP link set up so you can view the state
> of the remote without depending on IPsec?  Fixing something that almost
> works is likely to be easier than implementing something entirely new.

This was a good "Plan B", but unfortunately, the PPTP integrated server 
feature + IPSec tunnel do not seem to work at the same time on the 
same box. I've tested it two times from different clients and with two 
different m0n0 boxes. PPTP just works fine, but the IPsec tunnel does not 
establish anymore once PPTP is running.

Can someone confirm?

I may be doing something the wrong way, but I see no extra parameters in 
my configs: PPPoE (fixed IP) + DNS forwarder + DHCP server (with static 
entries) + traffic shaper. No special filter rules, no OPT interface, no 
special routing...

As long as we have no way to keep the tunnel alive (I know, it's 
coming...) I can't be sure what's wrong with racoon. Other VPN 
implementations provide such a feature. Why does IPsec not?

Yes, racoon "almost" works. That's the problem. I just sometimes have to 
call the secretary at our remote office and ask her to unplug the black 
power cable on the ugly green box. Soekris users see what I mean.

To be objective, the official racoon's TODO file from 2000/10/04 reads:

       Reboot recovery (peer reboot losing it's security associations)

So, this is a known problem. It's been 4 years now and it has not been 
solved by the development team. I'm personally not able to write the 
piece of code which would solve this issue. So, I just wonder if we 
couldn't *try* something else *besides* racoon.

Thanks to all for your answers. Comments, suggestions are welcome.

-- Vincent