 From:  Gordon Day <gordon at deepcovelabs dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSEC SA present, but no traffic flow!
 Date:  Thu, 07 Oct 2004 13:34:32 -0700
Greetings, all. I have configured an IPSEC tunnel between two sites. 

The left site:
    - is protected by m0n0 with a WAN address of a.b.c.d
    - has an internal network 10.0.0.0/24
    - all hosts are outbound NAT'ed to a.b.c.d
    - contains a host 10.0.0.4

The right site:
    - is protected by a Linksys VPN "firewall" with a WAN address of w.x.y.z
    - has an internal network 10.0.100.0/24
    - all hosts are outbound NAT'ed to w.x.y.z
    - contains a host 10.0.100.2

The tunnel is a host-to-host tunnel, with the left host being 10.0.0.4 
and the right host 10.0.100.2.
The tunnel can be successfully established, but no traffic flows. 
Furthermore, any attempt to contact the right host from the left host 
results in a block entry in the m0n0 firewall log, as though m0n0 isn't 
recognising that the packet should be encapsulated and sent through 
the tunnel. The Linksys doesn't show any traffic arriving across the 
tunnel.

A typical m0n0 log entry:
13:24:25.252157 fxp0 @0:22 b 10.0.0.4,4663 -> 10.0.100.2,7001 PR tcp len 20 48 -S IN

1. I tried adding a LAN rule to allow the traffic, but while that stops 
the log entry, the traffic still doesn't move across.
2. I tried turning off the "Block private networks" option on the WAN 
interface of m0n0, but that had no effect.
I suspect  the problem may have something to do with the NAT side of 
things, but I'm not sure what to try.

Any comments or suggestions?

Cheers,

Gordon Day.
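The log line quoted in the post is in the format m0n0wall's packet filter (ipfilter) writes. As an added example, not code from the post or from m0n0wall, here is a small triage script that parses such lines and checks each blocked packet against the selectors of the IPsec tunnel described above (local host 10.0.0.4, remote host 10.0.100.2). It tells you whether a block entry concerns traffic that the tunnel policy should have covered, which is exactly the symptom described, versus traffic that simply has no matching policy. The field layout of the regular expression is inferred from the one quoted line and is an assumption; the sample log lines are constructed. The script does not diagnose the root cause, only whether the blocked flow falls inside the tunnel's selectors.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the exact line quoted in the post.
SAMPLE_LOG = (
    "13:24:25.252157 fxp0 @0:22 b 10.0.0.4,4663 -> 10.0.100.2,7001 "
    "PR tcp len 20 48 -S IN"
)

# Assumed field layout of an ipfilter log line, inferred from the quoted entry:
# time iface @group:rule action src,sport -> dst,dport PR proto len hlen tlen [-flags] dir
LOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+"
    r"(?P<action>[bp])\s+"                     # b = block, p = pass
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<tlen>\d+)"
    r"(?:\s+-(?P<flags>\S+))?\s+"              # TCP flags, e.g. S for SYN
    r"(?P<direction>IN|OUT)$"
)


@dataclass(frozen=True)
class LogEntry:
    time: str
    iface: str
    rule: Tuple[int, int]          # (group, rule number)
    action: str                    # "b" or "p"
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    flags: Optional[str]
    direction: str


def parse_log(line: str) -> Optional[LogEntry]:
    """Parse one ipfilter log line; return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        time=m["time"],
        iface=m["iface"],
        rule=(int(m["group"]), int(m["rule"])),
        action=m["action"],
        src=ipaddress.IPv4Address(m["src"]),
        sport=int(m["sport"]),
        dst=ipaddress.IPv4Address(m["dst"]),
        dport=int(m["dport"]),
        proto=m["proto"],
        flags=m["flags"],
        direction=m["direction"],
    )


@dataclass(frozen=True)
class TunnelPolicy:
    """IPsec traffic selectors: packets from `local` to `remote` belong in the tunnel."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def host_to_host_policy(local_host: str, remote_host: str) -> TunnelPolicy:
    """Convenience constructor for a /32-to-/32 policy like the one in the post."""
    return TunnelPolicy(
        local=ipaddress.IPv4Network(local_host + "/32"),
        remote=ipaddress.IPv4Network(remote_host + "/32"),
    )


def matches_policy(entry: LogEntry, policy: TunnelPolicy) -> bool:
    """True when the packet's source/destination fall inside the tunnel selectors."""
    return entry.src in policy.local and entry.dst in policy.remote


def diagnose(line: str, policies: List[TunnelPolicy]) -> str:
    """Classify a log line relative to the configured tunnel selectors."""
    entry = parse_log(line)
    if entry is None:
        return "UNPARSED"
    if entry.action == "p":
        return "PASSED"
    if any(matches_policy(entry, p) for p in policies):
        # This is the symptom in the post: a packet the tunnel policy covers
        # was dropped by the filter instead of being handed to IPsec.
        return "BLOCKED_IN_TUNNEL_SCOPE"
    return "BLOCKED_OUTSIDE_TUNNEL_SCOPE"


if __name__ == "__main__":
    policy = host_to_host_policy("10.0.0.4", "10.0.100.2")
    for raw in [SAMPLE_LOG, SAMPLE_LOG.replace("10.0.100.2", "10.0.100.3")]:
        print(diagnose(raw, [policy]), "<-", raw)
```

Run it against a saved copy of the firewall log (one line per call to diagnose) and grep for BLOCKED_IN_TUNNEL_SCOPE: every hit is a flow that should have been encapsulated rather than filtered, which narrows the investigation to filter-rule ordering and NAT handling for that selector pair rather than to the IKE negotiation itself.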