Debian and m0n0wall VPN

May 7th, 2007

I've got everything setup, but still phase 1 is not happening. GOT IT! It was the firewall on one of the servers. That is awesome.

I was able to ping the Debian machine from the m0n0wall machine, but then when I tried to ping the m0n0wall LAN, nothing. A route to the rescue:

ip route add dev eth0 src


ip route add via dev eth0 src


-A FORWARD -s -i eth0 -j ACCEPT-A FORWARD -i eth1 -j ACCEPT

I don't need the /23 right at the moment because I've only got one LAN link connected at the moment.

How to get complex routes setup automatically:

I decided to move the vpn to another server in that space so I could setup nat and have a two-sided network. I'm having problems with routing though. I can't seem to figure out how to get the routing table to separate the LAN traffic out and pass it throught vpn. On the VPN gateway it works fine, but not on any of the other lan members. When I try to ping the remote lan, I get this:

connect: No such process
- found a good explanation:


as well as here

The "connect: no such process" is caused by the ipsec-tools security policy. If you google this you won't find much, and its due to a random sequence of events that I ran into it. As I mentioned, I installed racoon and ipsec-tools on one machine, then decided to move the vpn to another machine and setup a gateway. I did that, and left my security policies in place on the former machine. As one of those previous links put it:

"Well, my guess is that what is happening is that the kernel notes that it has to encrypt the data. So it goes of looking for an SA it can use. It doesn't find one, so it tries to contact userspace to initiate IKE (Internet Key Exchange), but since the racoon daemon isn't running this isn't possible. So it simply declares that the process isn't running and returns "No such process". Simple, effective, highly cryptic."

What did I do to fix this? I re-installed ipsec-tools, then commented out the sainfo in /etc/ipsec-tools.conf, and then restarted setkey:

/etc/init.d/setkey restart

After that, I double checked my routing table, and it worked like a charm! It is possible that another note I made about this error:

ping: sendmsg: Operation not permitted

was caused by the same thing...

In this setup, I have two networks, the wan and the lan, and I use the wan as the default gateway, and the vpn gateway to connect to the vpn lans. Works well. Now for the tuning.


I though I was looking for "policy routing", but that is more sophisticated than I need.

See the IPSec page on the Docunext Wiki for more information.

Yearly Indexes: 2003 2004 2006 2007 2008 2009 2010 2011 2012 2013 2015 2019 2020 2022