[ previous ] [ next ] [ threads ]
 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] SNMP over IPSEC
 Date:  Sun, 12 Sep 2004 17:12:22 -0700 (PDT)
On Wed, 1 Sep 2004, David Turner wrote:

> I have no static routes at the moment. What should I add a static route
> for and why? It's only SNMP that seems to be a problem. The web
> interface is accessible via the tunnel and ping works fine to the LAN
> interface from the other end of the tunnel. 

Due to the way IPsec tunnels are kludged into the FreeBSD kernel, any
traffic *initiated* by m0n0wall to go through an IPsec tunnel gets the
wrong source IP (and typically doesn't go through the tunnel at all as a
result).  Theoretically this *shouldn't* be an issue for the *server* side
of SNMP, but perhaps the server has a bug (well, deficiency, at least)
where it doesn't send the response out through a socket bound to the
request packet.

You can fake it out by adding a bogus static route to the remote end of
the tunnel via the m0n0wall's LAN IP (assuming that's within the near-end
tunnel range).  A good test is to see whether you can ping something at
the remote end of the tunnel (e.g. the SNMP remote) *from* the m0n0wall.

There's an annoying but mostly harmless side-effect to this - every LAN
packet to the tunnel elicits a no-change ICMP Redirect.

					Fred Wright