Post by bigbrother on Aug 20, 2015 20:50:43 GMT
Hi
I had a working IPsec VPN configuration with M0n0wall (1.8.1). I upgraded to SmallWall (1.8.3), and so far I can confirm the IPsec configuration is the same as before the upgrade.
If I open a tunnel from my Mac (IPSecuritas 3.4) I get connected, and I'm also able to send ICMP packets through the tunnel, which the target node answers, but the ICMP replies from the node are not reaching the IPsec client anymore for some reason.
I have the same behaviour with my Windows 7 system, which uses the ShrewSoft VPN client (2.2.2).
Anybody out there with the same behaviour?
thx bb
Post by Lee Sharp on Aug 20, 2015 21:54:25 GMT
Look at the routing tables at each end. On SmallWall, go to the hidden exec.php page and type "netstat -rn"; on your Mac you are on your own.
Post by bigbrother on Aug 22, 2015 9:21:43 GMT
I tried with two different versions: M0n0wall version 1.8.1 (it works) and SmallWall version 1.8.3 (it does not work).
Settings are the same, and the routing tables on the xxxWalls are identical when connected. I suppose there is an issue within these versions.
Maybe there are different settings in SmallWall 1.8.3? Or a bug?
thx
Post by Lee Sharp on Aug 22, 2015 18:15:14 GMT
There is very little difference between 1.8.1 and 1.8.3 for VPN. The l2tp uses the same code, however, so this may take a bit. Can you pull a status.php from both and attach them?
Post by bigbrother on Aug 23, 2015 20:23:01 GMT
> There is very little difference between 1.8.1 and 1.8.3 for VPN. The l2tp uses the same code, however, so this may take a bit. Can you pull a status.php from both and attach them?

I could not upload the status.php from the SmallWall image directly; "Error: Forbidden" was the message in the browser. So I did tar.gz compression. Hope you can decompress the SmallWall file. Thanks very much, Lee
Post by Lee Sharp on Aug 24, 2015 4:05:01 GMT
Well, the initial diff was hard because one had been running a while... But one thing that I noticed was "Aggressive" negotiation. This can be a problem when you have both on-demand and permanent tunnels. It was not in m0n0wall, but in fixing it for l2tp, some of the failsafes had to be removed. Can you set everything to "Main" and see if the problem is still there?
Post by bigbrother on Aug 24, 2015 5:53:01 GMT
I configured "Main Mode" everywhere, but either way it doesn't work. In "Aggressive" mode I get connected to SmallWall, but returning traffic doesn't pass SmallWall somehow. I don't understand what that could be.
Can l2tp be used for the same purpose as Mobile VPN, or for site-to-site VPN only? For me it would be better logically to stay with Mobile VPN (because of fewer changes). I use Linux, Windows and OS X to access my lab environment remotely.
thank you for your help, bb
Post by Lee Sharp on Aug 24, 2015 14:31:30 GMT
Yes, l2tp is the modern replacement for mobile IPsec (and pptp). It is much more stable as well. And it does work alongside point-to-point IPsec.
Post by Lee Sharp on Sept 2, 2015 21:46:37 GMT
So, I spoke with Andy White, who wrote the original patch, and it seems we have a fundamental incompatibility. L2tp requires "Main" and breaks with "Aggressive." Mobile IPsec requires "Aggressive" and breaks with "Main." It seems main uses the IP address as the identifier, which does not work in Mobile IPsec. So, try resetting your tunnels to aggressive and disabling l2tp, and see if it works. If not, let me know! If it does work, I need to fix the documentation and the web GUI pages to cover this.
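To make the "Main" versus "Aggressive" conflict concrete, below is an added example of what the two GUI settings correspond to in the configuration of racoon, the IKE daemon that m0n0wall and SmallWall use. This is illustrative, not the config the SmallWall GUI generates, and every hostname, identifier and key is a placeholder. The two `remote anonymous` blocks are shown as alternatives: both want to be the single anonymous responder block, which is the collision Lee describes. The security-relevant point is the identifier: in main mode the client's ID payload only arrives encrypted in message 5, so the responder has to pick the pre-shared key from the peer's source address before it knows who the peer is; a mobile client with an unknown address has nothing to match on. In aggressive mode the ID is sent in the clear in message 1, so a per-user key can be selected by that ID (at the cost of exposing the identity and a PSK-derived hash on the wire, which is why aggressive mode with a weak PSK is a known offline-guessing target).

```conf
# Added illustration of the two IKE phase 1 styles in racoon.conf.
# Not SmallWall's generated config; identifiers, hosts and keys are placeholders.

# --- Alternative A: Mobile IPsec road warriors (aggressive mode) ---------------
# Clients connect from unknown addresses, so the responder identifies them by the
# user_fqdn ID sent in the first aggressive-mode message and looks the key up in
# psk.txt by that ID.
remote anonymous {
    exchange_mode aggressive;
    my_identifier fqdn "vpn.example.com";            # placeholder
    peers_identifier user_fqdn "alice@example.com";  # placeholder
    verify_identifier on;        # reject peers whose ID does not match
    passive on;                  # responder only; never initiate to "anonymous"
    generate_policy on;          # install SPD entries from the client's proposal
    nat_traversal on;
    proposal_check obey;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# --- Alternative B: L2TP/IPsec (main mode, transport mode) ----------------------
# The ID payload is encrypted, so the pre-shared key must be chosen from the
# peer's address. That is fine when every L2TP client shares one key, but it is
# exactly what a Mobile IPsec client with a dynamic address cannot satisfy.
remote anonymous {
    exchange_mode main;
    my_identifier address;       # identify ourselves by our own IP address
    passive on;
    generate_policy on;          # L2TP clients ask for transport-mode SAs
    nat_traversal on;
    proposal_check obey;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 parameters shared by both alternatives.
sainfo anonymous {
    encryption_algorithm aes 256, 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# psk.txt (must be mode 0600): "identifier  key", one per line (placeholders).
# Alternative A matches on the user_fqdn from message 1:
#   alice@example.com   replace-with-a-long-random-secret
# Alternative B can only match on the peer's address, e.g.
#   203.0.113.10        replace-with-a-long-random-secret
# which is unusable for a client whose address is not known in advance.
```

When reading a captured negotiation, the quick check is which message carries the ID payload: in the clear in the first exchange means aggressive mode, encrypted after the Diffie-Hellman exchange means main mode. If a mobile client is being rejected during phase 1 with a PSK mismatch while the key is known to be correct, the responder is most likely trying to select the key by address, i.e. it is in main mode.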
Post by frodo on Sept 7, 2015 20:44:04 GMT
My mobile IPsec broke around the time I enabled l2tp... I guess this is what hit me.