Topic: Monowall blocking ipsec traffic that should be passed.
« on: August 12, 2010, 21:34:16 »
Trent *
Posts: 10

I am trying to pass IPsec traffic from a Cisco device to another Cisco device that is behind our m0n0wall.  I have set up a 1:1 NAT with the external IP that redirects the traffic to the Cisco device.  I am having problems with the m0n0wall still blocking the UDP packets.  Here are some of the logs (I have replaced 1.2.3.4 with the actual IP of the device that is trying to connect).  I have tried to allow all traffic from 1.2.3.4:

@22 pass in log first quick from 1.2.3.4/32 to any keep state group 200

as well as the specific UDP traffic that is being blocked:

@25 pass in log first quick proto udp from 1.2.3.4/32 to 192.168.60.2/32 port = sae-urn keep state group 200


What more do I need to do to allow this traffic?  Any help would be appreciated.

Error message with the packet getting blocked:
Last 50 filter log entries
Aug 11 22:05:26 m0n0wall ipmon[115]: 22:05:25.871437 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 IN bad NAT
Aug 11 22:05:28 m0n0wall ipmon[115]: 22:05:27.871379 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT
Aug 11 22:05:30 m0n0wall ipmon[115]: 22:05:29.869274 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT
Aug 11 22:05:32 m0n0wall ipmon[115]: 22:05:31.869223 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT
Aug 11 22:05:34 m0n0wall ipmon[115]: 22:05:33.869262 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT

ipfstat -nio
@1 pass out quick on lo0 all
@2 pass out quick on bce0 proto udp from 192.168.60.1/32 port = bootps to any port = bootpc
@3 pass out quick on bce1 proto udp from any port = bootpc to any port = bootps
@4 pass out quick on bce0 all keep state
@5 pass out quick on bce1 all keep state
@6 block out log quick all
@1 pass in quick on lo0 all
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopts
@4 pass in quick on bce0 proto udp from any port = bootpc to 255.255.255.255/32 port = bootps
@5 pass in quick on bce0 proto udp from any port = bootpc to 192.168.60.1/32 port = bootps
@6 block in log quick on bce1 from 192.168.60.0/24 to any
@7 block in log quick on bce1 proto udp from any port = bootps to 192.168.60.0/24 port = bootpc
@8 pass in quick on bce1 proto udp from any port = bootps to any port = bootpc
@9 skip 4 in on bce0 from 192.168.2.0/24 to any
@10 skip 3 in on bce0 from 192.168.4.0/24 to any
@11 skip 2 in on bce0 from 192.168.5.0/24 to any
@12 skip 1 in on bce0 from 192.168.60.0/24 to any
@13 block in log quick on bce0 all
@14 skip 1 in proto tcp from any to any flags S/FSRA
@15 block in log quick proto tcp from any to any
@16 block in log quick on bce0 all head 100
@17 block in log quick on bce1 all head 200
@18 block in log quick all
# Group 100
@1 pass in quick from 192.168.60.0/24 to 192.168.60.1/32 keep state group 100
@2 pass in log first quick from any to 192.168.60.2/32 keep state group 100
@3 pass in log first quick from 192.168.60.2/32 to any keep state group 100
@4 pass in quick from 192.168.60.0/24 to any keep state group 100
@5 pass in quick proto tcp from 192.168.4.0/24 to any keep state group 100
@6 pass in quick proto tcp from 192.168.2.0/24 to any keep state group 100
@7 pass in quick from 192.168.5.0/24 to any keep state group 100
@8 pass in quick from 192.168.4.0/24 to any keep state group 100
@9 pass in quick from any to 192.168.60.217/32 keep state group 100
@10 pass in quick from 192.168.60.217/32 to any keep state group 100
@11 pass in quick from any to 1.2.3.4/32 keep state group 100
@12 pass in quick from 1.2.3.4/32 to any keep state group 100
@13 pass in log first quick from x.x.x.x/32 to any keep state group 100
# Group 200
@1 pass in quick proto tcp from any to 192.168.60.152/32 port = http keep state group 200
@2 pass in quick proto tcp from any to 192.168.60.152/32 port = https keep state group 200
@3 pass in quick proto tcp from any to 192.168.60.153/32 port = http keep state group 200
@4 pass in quick proto tcp from any to 192.168.60.153/32 port = https keep state group 200
@5 pass in quick proto tcp from any to 192.168.60.154/32 port = http keep state group 200
@6 pass in quick proto tcp from any to 192.168.60.154/32 port = https keep state group 200
@7 pass in quick proto tcp from any to 192.168.60.155/32 port = http keep state group 200
@8 pass in quick proto tcp from any to 192.168.60.155/32 port = https keep state group 200
@9 pass in quick proto tcp from any to 192.168.60.156/32 port = http keep state group 200
@10 pass in quick proto tcp from any to 192.168.60.156/32 port = https keep state group 200
@11 pass in quick proto tcp from any to 192.168.60.157/32 port = http keep state group 200
@12 pass in quick proto tcp from any to 192.168.60.157/32 port = https keep state group 200
@13 pass in quick proto tcp from any to 192.168.60.159/32 port = http keep state group 200
@14 pass in quick proto tcp from any to 192.168.60.159/32 port = https keep state group 200
@15 pass in quick proto tcp from any to 192.168.60.230/32 port = http keep state group 200
@16 pass in quick from 192.168.4.0/24 to 192.168.60.0/24 keep state group 200
@17 pass in quick from 192.168.60.0/24 to 192.168.4.0/24 keep state group 200
@18 pass in quick proto udp from any to 192.168.60.198/32 port = 1150 keep state group 200
@19 pass in quick proto tcp from any to 192.168.60.198/32 port = ssh keep state group 200
@20 pass in quick proto udp from any to 192.168.60.198/32 port = wizard keep state group 200
@21 pass in quick proto udp from any to 192.168.60.217/32 port = wizard keep state group 200
@22 pass in log first quick from 1.2.3.4/32 to any keep state group 200
@23 pass in quick from any to 1.2.3.4/32 keep state group 200
@24 pass in log first quick from x.x.x.x/32 to any keep state group 200
@25 pass in log first quick proto udp from 1.2.3.4/32 to 192.168.60.2/32 port = sae-urn keep state group 200
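A small parser for the ipmon log format quoted above, added here as an example and not part of the original post: it pulls the rule reference (@group:rule), the block/pass action and the K-S and "bad NAT" flags out of each line, picks out blocked UDP 500/4500 (IKE and NAT-T) packets, and looks a reference such as @200:25 up in an ipfstat group listing, where port 4500 appears under its services-file name sae-urn. The sample log and rule lines are constructed to match the ones in the post.

```python
import re
# Constructed sample lines modelled on the ipmon entries in the post: two drops and one passed IKE packet.
SAMPLE_LOG = """\
Aug 11 22:05:26 m0n0wall ipmon[115]: 22:05:25.871437 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 IN bad NAT
Aug 11 22:05:28 m0n0wall ipmon[115]: 22:05:27.871379 bce1 @200:25 b 1.2.3.4,4500 -> 192.168.60.2,4500 PR udp len 20 160 K-S IN bad NAT
Aug 11 22:05:40 m0n0wall ipmon[115]: 22:05:39.100001 bce1 @200:25 p 1.2.3.4,500 -> 192.168.60.2,500 PR udp len 20 180 K-S IN
"""
# Constructed excerpt of an "ipfstat -nio" group listing, shaped like the post's group 200 rules.
SAMPLE_RULES = """\
# Group 200
@25 pass in log first quick proto udp from 1.2.3.4/32 to 192.168.60.2/32 port = sae-urn keep state group 200
"""
# One ipmon line: syslog prefix, interface, @group:rule, action (b/p), src,port -> dst,port, protocol, lengths, flags.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ ipmon\[\d+\]: [\d:.]+ (?P<iface>\S+) "
    r"@(?P<group>\d+):(?P<rule>\d+) (?P<action>[bp]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+(?P<flags>.*)$"
)

def parse_ipmon(text):
    """Parse ipmon filter-log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("group", "rule", "sport", "dport"):
            e[k] = int(e[k])
        flags = e.pop("flags")
        e["blocked"] = e.pop("action") == "b"       # "b" = blocked, "p" = passed
        e["keep_state"] = "K-S" in flags.split()    # packet matched a keep-state rule
        e["bad_nat"] = "bad NAT" in flags           # NAT processing rejected the packet
        entries.append(e)
    return entries

def nat_t_drops(text):
    """Blocked UDP packets to IKE (500) or NAT-T (4500): IPsec traffic that never reached the inside host."""
    return [e for e in parse_ipmon(text)
            if e["blocked"] and e["proto"] == "udp" and e["dport"] in (500, 4500)]

def lookup_rule(rules_text, group, rule):
    """Return the ipfstat rule text that a log reference @group:rule points at, or None."""
    current = None
    for line in rules_text.splitlines():
        if line.startswith("# Group "):
            current = int(line.split()[-1])
        elif current == group and line.startswith(f"@{rule} "):
            return line.split(" ", 1)[1]
    return None
```

Running it over the post's lines shows every drop referencing @200:25, which resolves to the poster's own pass rule, with the "bad NAT" flag set on each, so the filter rule matched but NAT handling still rejected the packet.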
« Reply #1 on: September 28, 2010, 23:15:53 »
billmakr *
Posts: 11

Rather than 1:1, you should just use port forwarding rules. Go to the NAT tab and add a rule forwarding the port or ports you need to send to the Cisco device. Set your protocol to TCP/UDP and enter the IP address of the Cisco device in the NAT IP field, then enter the port on the Cisco device in the local port field. Make sure to check the setting at the bottom of the page to auto-add the rule.
« Reply #2 on: September 29, 2010, 01:45:01 »
Trent *
Posts: 10

The problem with only passing specific ports is that it will not allow non-UDP/TCP traffic.  IPsec uses other traffic.

« Reply #3 on: January 16, 2011, 17:22:02 »
dpears01 *
Posts: 1

I have a similar issue using a NetScreen Remote IPsec client (say 192.168.80.10) behind a newly set up m0n0wall firewall (v1.32).  This IPsec client connected using our old firewall (Verizon provided) without an issue.

With the new m0n0wall in place, the m0n0wall firewall logs are showing it's blocking UDP traffic on port 4500 with source IP 192.168.80.10 port 4500 and the destination being the external IP address of a NetScreen 25GT firewall.

Any help or guidance would be appreciated.
« Reply #4 on: February 13, 2011, 13:54:47 »
dstuart *
Posts: 1

I ran into the same issue.  It appears to have something to do with the network interface incorrectly recalculating the checksum of the packets in question.

I was able to implement a workaround by using m0n0wall's "exec.php" page to issue an ifconfig command on the interfaces involved, disabling its checksum calculations.

Point your browser to <your m0n0wall url>/exec.php. Enter the ifconfig commands for the network interfaces involved:

    ifconfig <net-if> -txcsum -rxcsum

Depending on your situation, you may need to do this on both the incoming and outgoing interfaces.  This worked for me; your mileage may vary...

Note that this solution is not permanent.  This setting will go away the next time m0n0wall is rebooted/reset.  To make it permanent, you need to add these options to whichever config file or rc script sets up the network interfaces.  I have not figured that out, so it is left as an exercise for the reader...

Hope this helps,

-Damien
« Last Edit: February 13, 2011, 14:01:18 by dstuart »
« Reply #5 on: February 13, 2011, 15:03:17 »
brushedmoss ****
Posts: 446

Can you try 1.33 in the beta section?  It has an updated version of ipfilter, which may have a bug fix, if it is a bug.