Topic: IPSec Passthrough Broken in v1.23 (works with v1.22)  (Read 7296 times)
« on: March 28, 2007, 18:19:08 »
jxa
Posts: 4

Bug - in v1.23, IPSec VPN clients cannot passthrough to a VPN server on the WAN side of m0n0wall.

Description

With a SonicWall Global VPN client on the LAN side and a SonicWall IPSec VPN gateway on the WAN side, the client cannot establish a VPN connection to the VPN gateway.

With v1.22, booted on the same m0n0wall server with the same config floppy (and hence the same settings and firewall rules) the VPN client is able to establish a VPN connection to the VPN gateway.

Comments: The logs on the SonicWall IPSec gateway show incoming connections from the client, but with v1.23 of m0n0wall the IKE connection times out.

« Reply #1 on: March 29, 2007, 12:28:25 »
jxa
Posts: 4

Further testing shows that with v1.22, only one VPN client can pass through the firewall.

If a pass-through VPN connection is made from laptopA, the m0n0wall server needs to be rebooted before laptopB can establish an IPSec VPN connection. Perhaps if I waited longer, a timeout would occur and allow the second laptop to connect.

This report relates to the CDROM boot version of m0n0wall.

It looks like I will need to buy a commercial product, such as the SonicWall TZ170w with the Enhanced OS, which has sophisticated captive portal support.


« Reply #2 on: March 31, 2007, 20:12:57 »
cmb
Posts: 851

What kind of VPN is this? This is a known limitation with PPTP, but I've never had any issue with IPsec VPNs.

You don't have to reboot, you can just clear the state table. Normally disconnecting the first VPN client should work, but that doesn't always close the state like it should.

« Reply #3 on: April 02, 2007, 16:49:21 »
jxa
Posts: 4

It is an IPSec VPN connection.

If I connect from one laptop, I can connect to the VPN server on the WAN side. The VPN server is a SonicWall appliance and the client is the SonicWall Global IPSec client. The m0n0wall is not acting as an endpoint; its only role is to pass the IPSec connection through from the client to the SonicWall appliance.

If a client attempts to connect to the SonicWall server, they cannot establish a connection even if the first client has logged off.

If the m0n0wall is rebooted, the first client to connect to the SonicWall server does so successfully, but the second client can't connect.

With v1.23 of m0n0wall, I was not able to make any connections through the m0n0wall. This relates to the PC Boot version, booted off the same config floppy on the same hardware.

« Last Edit: April 02, 2007, 16:51:15 by jxa »

« Reply #4 on: April 03, 2007, 15:47:10 »
jxa
Posts: 4

I need to eat humble pie over this bug report.

The WAN IP address used on the test system was set to the same IP as another system (used on a Proxy ARP setting).

Oddly, the duplicate IP address did not seem to affect web browsing and that's why the error was not noticed immediately.

I can confirm that I am able to passthrough IPSec clients now that the duplicate IP address problem is fixed.

Apologies for sending in a false bug report.


Note to moderator - please delete this entire thread to avoid confusion, if you think that suggestion is appropriate.
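The root cause in this thread turned out to be a duplicate WAN IP address (a second host was answering for the same address via Proxy ARP), and the symptom was confusing because ordinary web browsing kept working. One quick way to catch that condition before blaming the firewall is to watch ARP replies on the WAN segment and flag any IP that is claimed by more than one MAC. The script below is an added example, not code from the forum thread or from the m0n0wall project; it parses tcpdump-style ARP reply lines (the sample capture is constructed here, and the addresses in it are assumed) and reports IPs with conflicting hardware addresses.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump "-n" ARP output format (not from the original post).
# 192.0.2.10 is answered by two different MACs, which is the duplicate-IP case.
SAMPLE_ARP_LOG = """\
12:00:01.000100 ARP, Reply 192.0.2.10 is-at 00:11:22:33:44:55, length 28
12:00:01.000400 ARP, Reply 192.0.2.10 is-at 00:aa:bb:cc:dd:ee, length 28
12:00:02.000100 ARP, Reply 192.0.2.1 is-at 00:de:ad:be:ef:01, length 28
12:00:03.000100 ARP, Reply 192.0.2.10 is-at 00:11:22:33:44:55, length 28
12:00:04.000100 ARP, Request who-has 192.0.2.20 tell 192.0.2.1, length 28
"""

# Matches only ARP replies; requests carry no "is-at" claim and are ignored.
ARP_REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]{17})")


def parse_arp_replies(log_text):
    """Return a list of (ip, mac) pairs for every ARP reply line in log_text."""
    replies = []
    for line in log_text.splitlines():
        match = ARP_REPLY_RE.search(line)
        if match:
            ip, mac = match.group(1), match.group(2).lower()
            replies.append((ip, mac))
    return replies


def find_duplicate_ips(log_text):
    """Map each IP claimed by more than one MAC to the sorted list of those MACs."""
    claims = defaultdict(set)
    for ip, mac in parse_arp_replies(log_text):
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    # Usage: tcpdump -n -i <wan_if> arp > arp.log; python3 this_script.py < arp.log
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARP_LOG
    for ip, macs in find_duplicate_ips(data).items():
        print(f"duplicate IP {ip} claimed by: {', '.join(macs)}")
```

Run against a live capture of the WAN interface, any output line means two devices are answering for the same address; in the situation described in this thread that is the condition to fix before looking at IPsec passthrough or state-table behaviour.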
 