[ previous ] [ next ] [ threads ]
 From:  "Dennis Lloyd (ABC)" <dennis at abccomm dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Soekris +m0n0wall VLAN interfaces over IPsec VPN help
 Date:  Fri, 27 May 2005 22:42:43 -0700
Hello everyone,  New to the list and looked over the archives but I 
can't find exactly what I"m looking for.

We have purchased 3 Soekris (4801) boxes, to be used as private IPSec 
VPN endpoint connections, routing traffic between branch offices using 
E10 links.  The issue I'm having is this..

I need to use VLAN links on both endpoints,  each Soekris 4801 box will 
be connecting to both a WAN link as well as two interfaces for LAN 
network connectivity.  Each network runs two VLANS that must be able to 
communicate with the office on the other end..

I'm having some difficulty getting these to work correctly.. ie. I can 
create the VLAN on each interface and still regain connectivity to the 
other office via the IPSec link..  but It does not segment the VLAN's 
from each other.  How is m0n0wall managing the interfaces on these boxes 
?  I see by status.php that the VLAN interface is parented to sis0 ( no 
patch cable in right now )

    inet netmask 0xffffffc0 broadcast
    ether 00:00:24:c4:16:e0
    media: Ethernet autoselect (none)
    status: no carrier
    inet xxx.xxx.xxx.180 netmask 0xffffff00 broadcast xxx.xxx.xxx.255
    ether 00:00:24:c4:16:e1
    media: Ethernet autoselect (100baseTX <full-duplex>)
    status: active
sis2: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
    ether 00:00:24:c4:16:e2
    media: Ethernet autoselect (none)
    status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
faith0: flags=8002<BROADCAST,MULTICAST> mtu 1500
    ether 00:00:24:c4:16:e0
    media: Ethernet autoselect (none)
    status: no carrier
    vlan: 100 parent interface: sis0

If I create vlan200 on the remote side.. there does not seem to be any 
segmentation to the VLAN's accross the IPSec VPN links.  VLAN header 
information *should* be left encapsulated within each ESP packet and 
'unwraped' intact on the remote end, should it not ??  Do the interfaces 
strip/add  tags ingress/egress on the ports? or do they assume that only 
802.1q tagged packets will hit the parrent interfaces??

Is my design flawed or is there something that i'm just missing from my 
Thanks to all who can help with this.


To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch