 From:  "Keith Redfield" <kredfield at airsurfwireless dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  m0n0 VPN static routing problem
 Date:  Wed, 26 Jan 2005 21:09:18 -0800
Hi folks,
Having problems with static routes across a VPN [which I'm new at] as follows:
Stub Net---------------- MonoA===/VPN/=== MonoB----------Cisco
                                         [vlan2]       [vlan1]
The IP addresses for the Monos are the endpoints for the VPN. The VPN is up and a host from the stub
can access the GUI for both A & B
Neither mono can ping the other. But they can both ping hosts through on the adjacent net. I *think*
that's the expected behavior...conceptually it seems like you can treat two monos across a tunnel
as a single virtual router/fw.
Host on stub can ping the cisco @ but no other 10.x networks. The cisco can likewise ping
the stub. The 10.0.1.x subnet is on a tagged 802.1Q vlan port.
MonoB has a static route for pointing to the cisco as GW and it can ping the main
target 10.100.100.x which is off the Cisco.
MonoA is the default route for stub hosts i.e. 
MonoA has a static route for pointing to MonoB.
Cisco has a static route for pointing to MonoB
I need a host on the stub to be able to access for example, but they can't. Even
pinging the cisco interface on and running a debug on ICMP shows nothing getting
through to the cisco.
I believe all the above says it ought to work. But it appears that monoB is only forwarding to
locally attached interfaces, and failing its duty as next-hop gateway. In fact, it's really only
forwarding to the interface that's part of the VPN - I have a interface on the LAN as
well and pings to it fail. So a blackhole somewhere..
Somehow I think the answer is going to be so obvious as to be embarrassing [wth I'm getting used to
it], but I can't get it. It looks like a routing and not a FW issue (nothing is showing in the
logs). I'm used to tunnels acting like LANs and I miss traceroute...I've pored through the FAQs
and lists..
Below is monoA and monoB netstat -ar
- Keith
$ netstat -ar
Routing tables

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            er1.sfo1.XXXX      UGSc        5   237222   fxp0
                   ff.ff.ff.ff.ff.ff  UHLWb       0       84  vlan2 =>
10.0.10/24         link#9             UC          3        0  vlan2
                   0.b.cd.e9.99.b6    UHLW        5    90751  vlan2    786
                   0.b.e.3.0.81       UHLW        0    49275  vlan2    908
10.100.100/24                         UGSc        0       13   fxp0
localhost          localhost          UH          0        0    lo0
192.168.98         link#8             UC          0        0  vlan1
192.168.99         link#1             UC          1        0    xl0
                   link#1             UHLW        1     3207    xl0

$ netstat -ar
Routing tables

Destination        Gateway            Flags    Refs      Use  Netif Expire
default            er1.sfo1.XXXXX     UGSc        5    57391   fxp0
10/24              link#1             UC          3        0    xl0
                   00:03:e3:d4:70:42  UHLW        0      699    xl0   1200
10.0.1/24          link#8             UC          2        0  vlan1
                   0.3.e3.d4.70.42    UHLW        2     2611  vlan1    938
                   0.b.e.0.a4.23      UHLW        0    57472  vlan1   1096
10.0.2/24                             UGSc        0        0  vlan1
                   er1.sfo1.XXXXXX    UGHW        2      898   fxp0
10.100.100/24                         UGSc        0        0  vlan1
localhost          localhost          UH          0        0    lo0
192.168.5          link#7             UC          0        0  vlan0

[public IPs elided]
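As an added example (not code from the post, from m0n0wall or from the list), the Python script below parses BSD-style `netstat -ar` tables like the two above, performs the longest-prefix-match lookup the FreeBSD kernel performs, and then separately checks whether the destination falls inside an IPsec phase-2 selector. That second check matters on m0n0wall because its IPsec (FreeBSD/KAME) is policy based: a packet is routed first and the SPD then decides whether it is encapsulated, so a static route toward the far endpoint does not by itself place traffic in the tunnel. The tables are constructed from the dumps above with the archive's elided gateways left blank; the phase-2 remote networks used in the usage block are assumptions, since the post does not show the tunnel configuration.

```python
"""Longest-prefix route lookup over BSD `netstat -ar` output.

Added example, not code from the post or from m0n0wall. The two tables are
constructed from the netstat output in the post; gateways the list archive
elided are left blank, and the parser treats a blank gateway column as such.
"""
import collections
import ipaddress
import re

Route = collections.namedtuple("Route", "dest gateway flags netif")

# BSD flag strings always begin with U (route is up); no gateway here does.
FLAGS_RE = re.compile(r"^U[A-Za-z0-9]*$")

# Constructed from the MonoA table in the post (static-route gateways elided).
MONOA_NETSTAT = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            er1.sfo1.XXXX      UGSc        5   237222   fxp0
10.0.10/24         link#9             UC          3        0  vlan2
                   0.b.cd.e9.99.b6    UHLW        5    90751  vlan2    786
10.100.100/24                         UGSc        0       13   fxp0
localhost          localhost          UH          0        0    lo0
192.168.98         link#8             UC          0        0  vlan1
192.168.99         link#1             UC          1        0    xl0
"""

# Constructed from the MonoB table in the post.
MONOB_NETSTAT = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            er1.sfo1.XXXXX     UGSc        5    57391   fxp0
10/24              link#1             UC          3        0    xl0
10.0.1/24          link#8             UC          2        0  vlan1
10.0.2/24                             UGSc        0        0  vlan1
                   er1.sfo1.XXXXXX    UGHW        2      898   fxp0
10.100.100/24                         UGSc        0        0  vlan1
localhost          localhost          UH          0        0    lo0
192.168.5          link#7             UC          0        0  vlan0
"""


def _expand(dest):
    """Turn netstat's abbreviated destination ("10.0.1/24", "192.168.98") into a network."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    if dest == "localhost":
        return ipaddress.ip_network("127.0.0.1/32")
    host, _, plen = dest.partition("/")
    octets = host.split(".")
    if plen:
        plen = int(plen)
    elif len(octets) == 4:
        plen = 32                        # four octets, no prefix: host route
    else:
        first = int(octets[0])           # classful network, trailing zero octets dropped
        plen = 8 if first < 128 else 16 if first < 192 else 24
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen}", strict=False)


def parse_netstat(text):
    routes = []
    for line in text.splitlines():
        # Skip headers and rows whose destination was elided (ARP/cloned host entries).
        if not line or line[0].isspace() or line.startswith(("Destination", "Routing", "Internet")):
            continue
        tok = line.split()
        if FLAGS_RE.match(tok[1]):        # gateway column blank (elided in the archive)
            gateway, flags, netif = None, tok[1], tok[4]
        else:
            gateway, flags, netif = tok[1], tok[2], tok[5]
        routes.append(Route(_expand(tok[0]), gateway, flags, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the route the kernel would pick for dst, or None."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if "U" in r.flags and ip in r.dest]
    return max(hits, key=lambda r: r.dest.prefixlen) if hits else None


def explain(routes, dst, phase2_remote_nets):
    """Routing decision plus whether dst sits inside an IPsec phase-2 selector.

    FreeBSD/KAME IPsec (what m0n0wall uses) is policy based: the packet is
    routed first, then the SPD decides whether it is encapsulated.
    """
    r = lookup(routes, dst)
    ip = ipaddress.ip_address(dst)
    return {
        "route": str(r.dest) if r else None,
        "gateway": (r.gateway or "(elided)") if r else None,
        "netif": r.netif if r else None,
        "in_spd": any(ip in ipaddress.ip_network(n) for n in phase2_remote_nets),
    }


if __name__ == "__main__":
    # Phase-2 remote networks are NOT in the post; these are assumptions for illustration.
    boxes = (("MonoA", MONOA_NETSTAT, ["10.0.1.0/24"]), ("MonoB", MONOB_NETSTAT, ["10.0.10.0/24"]))
    for name, table, p2 in boxes:
        for dst in ("10.100.100.7", "10.0.1.5", "10.0.10.5"):
            print(name, dst, explain(parse_netstat(table), dst, p2))
```

Run it against a real box by pasting its `netstat -ar` output in place of the constructed tables and its configured phase-2 remote networks in place of the assumed ones; a destination whose chosen route exits the WAN interface but whose address is not inside any phase-2 selector is one the kernel will forward in the clear (or drop at the firewall) rather than tunnel.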