 From:  "Keith Redfield" <kredfield at airsurfwireless dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  m0n0 VPN static routing problem
 Date:  Wed, 26 Jan 2005 21:09:18 -0800
Hi folks,
 
Having problems with static routes across a VPN [which I'm new at] as follows:
 
Stub Net---------------- MonoA===/VPN/=== MonoB----------Cisco
10.100.100.1---------10.100.100.111(RADIUS)
10.0.10.252[vlan2]    10.0.10.1                 10.0.1.55[vlan1]              10.0.1.1
 
The IP addresses for the Monos are the endpoints for the VPN. The VPN is up and a host from the stub
can access the GUI for both A & B
 
Neither mono can ping the other. But they can both ping hosts through on the adjacent net. I *think*
that's the expected behavior...conceptually it seems like you can treat two monos across a tunnel
as a single virtual router/fw.
 
Host on stub can ping the cisco @ 10.0.1.1 but no other 10.x networks. The cisco can likewise ping
the stub. The 10.0.1.x subnet is on a tagged 802.1Q vlan port.
 
MonoB has a static route for 10.100.100.0/24 pointing to the cisco as GW and it can ping the main
target 10.100.100.x which is off the Cisco.
 
MonoA is the default route for stub hosts i.e. 10.0.10.252. 
 
MonoA has a static route for 10.100.100.0/24 pointing to MonoB.
 
Cisco has a static route for 10.0.10.0/24 pointing to MonoB
 
I need a host on the stub to be able to access 10.100.100.111 for example, but they can't. Even
pinging the cisco interface on 10.100.100.1 and running a debug on ICMP shows nothing getting
through to the cisco.
 
I believe all the above says it ought to work. But it appears that monoB is only forwarding to
locally attached interfaces, and failing its duty as next-hop gateway. In fact, it's really only
forwarding to the interface that's part of the VPN - I have a 10.0.0.0/24 interface on the LAN as
well and pings to it fail. So a blackhole somewhere..
 
Somehow I think the answer is going to be so obvious as to be embarrassing [wth I'm getting used to
it], but I can't get it. It looks like a routing and not a FW issue (nothing is showing in the
logs). I'm used to tunnels acting like LANs and I miss traceroute...I've pored through the FAQs
and lists..
 
Below is monoA and monoB netstat -ar
 
TIA 
 
- Keith
 
monoA:
 
$ netstat -ar
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            er1.sfo1.XXXX  UGSc        5   237222   fxp0
10.0.10.0          ff.ff.ff.ff.ff.ff  UHLWb       0       84  vlan2 =>
10.0.10/24         link#9             UC          3        0  vlan2
10.0.10.200        0.b.cd.e9.99.b6    UHLW        5    90751  vlan2    786
10.0.10.252        0.b.e.3.0.81       UHLW        0    49275  vlan2    908
10.100.100/24      10.0.1.1           UGSc        0       13   fxp0
localhost          localhost          UH          0        0    lo0
192.168.98         link#8             UC          0        0  vlan1
192.168.99         link#1             UC          1        0    xl0
192.168.99.199     link#1             UHLW        1     3207    xl0

 
monoB:
 
$ netstat -ar
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            er1.sfo1.XXXXX    UGSc        5    57391   fxp0
10/24              link#1             UC          3        0    xl0
10.0.0.1           00:03:e3:d4:70:42  UHLW        0      699    xl0   1200
10.0.1/24          link#8             UC          2        0  vlan1
10.0.1.1           0.3.e3.d4.70.42    UHLW        2     2611  vlan1    938
10.0.1.252         0.b.e.0.a4.23      UHLW        0    57472  vlan1   1096
10.0.2/24          10.0.1.1           UGSc        0        0  vlan1
10.0.10.200        er1.sfo1.XXXXXX  UGHW        2      898   fxp0
10.100.100/24      10.0.1.1           UGSc        0        0  vlan1
localhost          localhost          UH          0        0    lo0
192.168.5          link#7             UC          0        0  vlan0

[public IP's elided]
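Added example, not part of the original post or of m0n0wall itself: a small route-table checker that parses the two netstat -ar listings exactly as quoted above, answers "which entry does this destination match, and out of which interface" by longest-prefix match, and flags static routes whose gateway lies outside every directly connected prefix in the same table (a next hop the kernel cannot ARP for, so the route falls through to whatever interface the default points at). Run on the monoA table it flags the 10.100.100/24 entry, whose gateway 10.0.1.1 is not inside 10.0.10/24, 192.168.98/24 or 192.168.99/24 and is listed against fxp0; on the monoB table every IP gateway is on a connected net. Note that m0n0wall's IPsec tunnels are policy-based, so they never appear in netstat -ar: this tool only shows what the kernel routing table decides, which is the step the post is trying to debug. The BSD destination shorthand ("10/24", "192.168.98" with trailing zero octets dropped) is expanded by expand_bsd_dest; the hostnames with XXXX are the elided values from the post, and the function names are my own.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Sample input: the two routing tables quoted in the post (hostnames were elided there).
MONOA_NETSTAT = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            er1.sfo1.XXXX  UGSc        5   237222   fxp0
10.0.10.0          ff.ff.ff.ff.ff.ff  UHLWb       0       84  vlan2 =>
10.0.10/24         link#9             UC          3        0  vlan2
10.0.10.200        0.b.cd.e9.99.b6    UHLW        5    90751  vlan2    786
10.0.10.252        0.b.e.3.0.81       UHLW        0    49275  vlan2    908
10.100.100/24      10.0.1.1           UGSc        0       13   fxp0
localhost          localhost          UH          0        0    lo0
192.168.98         link#8             UC          0        0  vlan1
192.168.99         link#1             UC          1        0    xl0
192.168.99.199     link#1             UHLW        1     3207    xl0
"""

MONOB_NETSTAT = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            er1.sfo1.XXXXX    UGSc        5    57391   fxp0
10/24              link#1             UC          3        0    xl0
10.0.0.1           00:03:e3:d4:70:42  UHLW        0      699    xl0   1200
10.0.1/24          link#8             UC          2        0  vlan1
10.0.1.1           0.3.e3.d4.70.42    UHLW        2     2611  vlan1    938
10.0.1.252         0.b.e.0.a4.23      UHLW        0    57472  vlan1   1096
10.0.2/24          10.0.1.1           UGSc        0        0  vlan1
10.0.10.200        er1.sfo1.XXXXXX  UGHW        2      898   fxp0
10.100.100/24      10.0.1.1           UGSc        0        0  vlan1
localhost          localhost          UH          0        0    lo0
192.168.5          link#7             UC          0        0  vlan0
"""


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    gateway: str   # an IP, a hostname, a MAC (ARP entry) or link#N
    flags: str
    netif: str


def expand_bsd_dest(dest: str) -> Optional[ipaddress.IPv4Network]:
    """Expand BSD netstat's abbreviated destination column.

    "default" -> 0.0.0.0/0; "10.0.10/24" -> 10.0.10.0/24; "192.168.98" (no prefix,
    trailing zero octets dropped) -> 192.168.98.0/24; a full four-octet address
    without a prefix is a host route (/32). Names such as "localhost" give None.
    """
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        return None
    if not plen:
        plen = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + "/" + plen, strict=False)


def parse_netstat(text: str) -> List[Route]:
    """Turn the 'Internet:' section of netstat -ar into Route records."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue  # banner, column header, or prompt line
        net = expand_bsd_dest(fields[0])
        if net is not None:
            routes.append(Route(net, fields[1], fields[2], fields[5]))
    return routes


def _as_ip(text: str) -> Optional[ipaddress.IPv4Address]:
    try:
        return ipaddress.IPv4Address(text)
    except ValueError:
        return None  # hostname, MAC address or link#N


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the entry the kernel would pick for dst."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for r in routes:
        if ip in r.net and (best is None or r.net.prefixlen > best.net.prefixlen):
            best = r
    return best


def unreachable_gateways(routes: List[Route]) -> List[Tuple[str, str]]:
    """Gateway routes (flag G) whose IP next hop is on none of this host's
    connected prefixes; such a next hop can never be resolved on-link."""
    connected = [r.net for r in routes if "G" not in r.flags and r.net.prefixlen < 32]
    bad = []
    for r in routes:
        gw = _as_ip(r.gateway)
        if "G" in r.flags and gw is not None and not any(gw in c for c in connected):
            bad.append((str(r.net), r.gateway))
    return bad


if __name__ == "__main__":
    for name, text in (("monoA", MONOA_NETSTAT), ("monoB", MONOB_NETSTAT)):
        table = parse_netstat(text)
        for dst in ("10.100.100.111", "10.0.10.200", "10.0.0.1"):
            r = lookup(table, dst)
            print(f"{name}: {dst} -> {r.net} via {r.gateway} on {r.netif}")
        print(f"{name}: gateways off every connected net: {unreachable_gateways(table)}")
```

Usage: paste each box's netstat -ar output into the matching string (or read it from a file) and run the script; the last line per table is the one to look at first. The same check is worth running whenever a static route is added to a router that also terminates a policy-based VPN, since the table alone cannot tell you whether the tunnel's SPD will claim the packet before the route does.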