 
 From:  "Christopher M. Iarocci" <iarocci at eastendsc dot com>
 To:  Rick Preston <rickjpreston at gmail dot com>
 Cc:  Markus Fischer <markus at fischer dot name>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC and access from complete internal LAN to tunneled subnet
 Date:  Wed, 23 Mar 2005 07:18:10 -0500
When an IPSEC tunnel is established correctly, all routes are added 
automatically.  You don't need firewall rules because the firewall 
doesn't touch IPSEC traffic.  Once the tunnel is established, traffic 
should just work.  Something may be mismatched in your IPSec config.  
Check it carefully.

--Chris


Rick Preston wrote:

>Hi Markus,
>
>I believe all you need to do is make a firewall rule allowing traffic
>from 10/8 to 192.168.x/24.  I had the same thing when I set up my
>tunnel to tunnel.
>
>Cheers,
>
>
>On Wed, 23 Mar 2005 08:19:39 +0100, Markus Fischer <markus at fischer dot name> wrote:
>  
>
>>Hi,
>>
>>I'm so far very pleased with m0n0wall, but couldn't find out this thing.
>>I've successfully established an IPSEC tunnel from our 10/8 net to
>>another 192.168.x/24 net over the internet. Sending a ping from m0n0wall
>>directly to a machine in the tunneled 192 net works, but I'm unable to
>>find out how I can from any machine within 10/8 access the 192.168.x/24
>>net.
>>
>>When I ping from 10/8 to a machine in 192.168.x/24 the ping reaches the
>>default gateway of m0n0wall which is the gateway of my provider so I
>>think I've to somehow tell m0n0wall "all requests from my lan (10/8) to
>>the subnet 192.168.x/24 should be sent over the tunnel". Unfortunately I
>>can't work out the "should be sent over the tunnel" part. I guess I need
>>to set a route somewhere, but I don't know if I need a static route, an
>>outbound NAT route, etc.
>>
>>Here's a short overview of the network
>>
>>LAN (10/8) - m0n0wall - Internet - other tunnel endpoint - 192.168.x/24
>>
>>Ping works from m0n0wall -> 192.168.x/24 but not from LAN (10/8) ->
>>192.168.x/24. Or any other TCP service.
>>
>>Any help is very appreciated,
>>
>>regards,
>>- Markus
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
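The thread turns on one point: traffic is only carried by the tunnel when it matches the phase-2 traffic selectors both endpoints agreed on, and anything that does not match falls through to the ordinary routing table and leaves via the default gateway in the clear, which is exactly the symptom Markus describes. The following is an added example, not code from this thread or from m0n0wall, that encodes that check: it verifies that the two endpoints' phase-2 policies mirror each other and that sample flows are actually selected by the local policy. All subnet and host values are constructed (the real thread only gives 10/8 and 192.168.x/24); the "LAN interface /24 instead of 10/8" misconfiguration is a hypothetical one chosen because it produces the pattern of the firewall's own pings working while the rest of the LAN falls through.

```python
"""Audit a pair of IPsec phase-2 (quick mode) policies for the two
failure modes that make LAN-to-remote-subnet traffic bypass the tunnel:
the endpoints disagree on the subnets, or a given flow is simply not
covered by the local policy's traffic selectors."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Phase2:
    """One phase-2 policy: the local and remote subnets the SA carries."""
    name: str
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network


def mirrors(a: Phase2, b: Phase2) -> bool:
    """Endpoints agree only if each side's local subnet is the other
    side's remote subnet, exactly. Overlapping-but-unequal selectors are
    a mismatch too: the responder will reject the quick-mode proposal."""
    return a.local == b.remote and a.remote == b.local


def covered(policy: Phase2, src: str, dst: str) -> bool:
    """True if src->dst is selected by the policy and will be encrypted.
    A flow that is not selected is routed normally, i.e. it goes to the
    default gateway unencrypted instead of into the tunnel."""
    return (ipaddress.ip_address(src) in policy.local
            and ipaddress.ip_address(dst) in policy.remote)


def diagnose(side_a: Phase2, side_b: Phase2,
             flows: List[Tuple[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means the tunnel
    configuration covers every sample flow and both sides agree."""
    findings = []
    if not mirrors(side_a, side_b):
        findings.append(
            f"phase-2 mismatch: {side_a.name} carries "
            f"{side_a.local}->{side_a.remote} but {side_b.name} carries "
            f"{side_b.local}->{side_b.remote}")
    for src, dst in flows:
        if not covered(side_a, src, dst):
            findings.append(
                f"{src}->{dst} is not selected by {side_a.name}; "
                f"it will follow the default route in the clear")
    return findings


# Constructed sample values (not the real networks from the thread).
REMOTE_SIDE = Phase2("remote-endpoint",
                     ipaddress.ip_network("192.168.1.0/24"),
                     ipaddress.ip_network("10.0.0.0/8"))

# Correct local policy: the whole 10/8 LAN is the local selector.
GOOD_LOCAL = Phase2("m0n0wall-good",
                    ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24"))

# Hypothetical misconfiguration: only the firewall's own /24 interface
# subnet was entered as the local selector instead of 10/8.
BAD_LOCAL = Phase2("m0n0wall-bad",
                   ipaddress.ip_network("10.0.0.0/24"),
                   ipaddress.ip_network("192.168.1.0/24"))

# Constructed flows: a ping from the firewall's own LAN address and a
# ping from an ordinary host elsewhere in 10/8.
FLOWS = [("10.0.0.1", "192.168.1.10"),
         ("10.20.30.40", "192.168.1.10")]


if __name__ == "__main__":
    for label, local in (("correct", GOOD_LOCAL), ("mismatched", BAD_LOCAL)):
        print(f"[{label}]")
        for line in diagnose(local, REMOTE_SIDE, FLOWS) or ["no findings"]:
            print("  " + line)
```

With the mismatched policy the audit reports both the selector disagreement and the fact that the host at 10.20.30.40 is not covered, while the firewall's own 10.0.0.1 still is; that is the "ping from m0n0wall works, ping from the LAN does not" pattern, and the fix is on the phase-2 selectors rather than in firewall rules or static routes.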