8.2. Special Features

Most special IPsec features have been added to beta versions of m0n0wall and may be changed or withdrawn before a final stable version release.

8.2.1. Dead Peer Detection

Starting in firmware 1.3b11 it is possible to configure a Dead Peer Detection (DPD) interval in seconds with a default of seconds. This allows the m0n0wall device to detect if a tunnel is still being used. If the DPD interval has passed and the m0n0wall devices finds an IPsec tunnel is not exchanging phase 1 IKE messages (which should be happening even if the tunnel is not being used to transmit data) the tunnel will be closed.

Without this option activated, an IPsec tunnel may be left open and active when an actual problem has appeared such as bad routing, reboot of the remote client, change of IP addresses.

Both sides of the IPsec connection must support and activate Dead Peer Detection.

Note

Firmware 1.3b11 also includes a fix for m0n0wall preferring new SAs over old SAs by default (should solve problems with tunnels not working after an interruption or peer IP address change). In previous versions old SAs where preferred.

8.2.2. Dynamic DNS Support

Starting in firmware 1.3b6 it is possible to configure domain names to be IPsec connection endpoints. Although fixed IP addresses are recommended for building IPsec connections, using domain names allows IPsec usage with clients whose IP address may change frequently (a home Internet connection or a laptop user at a wireless hotspot for example.)

The IPsec DNS Check Interval option is under the System > Advanced menu. An interval time in seconds can be set here. If at least one IPsec tunnel has a host name (instead of an IP address) as the remote gateway, a DNS lookup is performed at the interval specified here, and if the IP address that the host name resolved to has changed, the IPsec tunnel is reconfigured. The default is 60 seconds.

The remote connection point must use a Dynamic DNS client software that registers any IP address changes with the domain server.

8.2.3. NAT Traversal

Starting in firmware 1.3b2 it is possible to use NAT Traversal (NAT-T) with IPsec connections. This feature allows IPsec clients to be behind a NAT device (common in a home or office firewall). Using ESP packets to transmit encrypted data does not allow it to pass through a NAT transformation but encapsulating the encrypted data in UDP packets allows the data to pass through NAT transformations.

Using NAT-T creates two types of traffic: IKE authentication (phase 1) on UDP 500 and encrypted data (phase 2) on UDP 4500. These two ports must be allowing data on the m0n0wall device and not be blocked by any intervening firewalls. This feature can be turned on or off for each IPsec connection.

8.2.4. IPsec Traffic Filtering

Starting in firmware 1.3b6 there is firewall support for decapsulated IPsec packets (new pseudo-interface "IPsec" in firewall rule editor); this is on by default, but the default configuration contains a "pass all" rule on the new IPsec pseudo- interface (and this is also added automatically for existing configurations), which can then be deleted to actually filter IPsec VPN traffic.

To configure filtering on IPsec traffic, select the IPsec interface from the list of interfaces that packets must come in to match the selected rule.

Note

These rules are applied to all IPsec connection traffic. The only way to apply rules to specific connections is to additionally use a source IP address or subnet that is used on a selected remote IPsec connection.