 From:  Frederic Stark <f5428 at almonde dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Getting nuts with an ipsec routing problem
 Date:  Fri, 26 Aug 2005 14:36:28 +0200
Hi everybody,

As a picture is better than a thousand words, here is the network I am 
talking about (some IPs renamed). See it with a non-proportional font:

+----+
| ha |
+--+-+
    | 192.168.0.1
---+-----------------+------------------------ LANA = 192.168.0/24
                      | 192.168.0.253
                    +-+--+
           m0n0wall | ma |---IPsec--+
                    +----+          |
                       |            |
                      WAN           |
                                    |
                      WAN           |
                       |            |
                    +----+          |
           m0n0wall | mb |---IPsec--+
                    +-+--+
                      | 10.80.48.253
----+----------------+--------------+----------- LANB = 10.80.48.0/20
     | 10.80.48.1                    | 10.80.48.99
   +-+--+                         +--+--+
   | hb |                         | gbc |
   +-+--+                         +--+--+
                                     |
                ------+--------------+----------- LANC = 192.168.60.0/24
                      | 192.168.60.1
                    +-+--+
                    | hc |
                    +----+

ha = hosta = 192.168.0.1
hb = hostb = 10.80.48.1
hc = hostc = 192.168.60.1
ma = m0n0a = 192.168.0.253
mb = m0n0b = 10.80.48.253
gbc = gatewaybc = 10.80.48.99

What works:
ping: ha <-> hb
ping: hb <-> hc
   (after I added a static route on m0n0b: LAN,192.168.60/24,10.80.48.99)

What DOESN'T work:
ping: ha -> hc


I am totally unable to ping from hosta to hostc, no matter what I try 
(and I easily spent 8 hours on that). As far as I can tell, m0n0a 
seems to send the packet to the WAN instead of the IPsec link.

I don't understand how the stuff is supposed to work:
1/ ha has a packet for 192.168.60.1
2/ this is not a local address, so it sends it to the default gw (m0n0a)
3/ m0n0a has NO idea what to do with the packet, so it sends it to 
the WAN.

It seems obvious to me that m0n0a needs some sort of route to understand 
how to handle packets for LANC. But I can't get it to have one that works 
(/kernel: arplookup 10.80.50.99 failed: host is not on local network). 
And due to the nature of IPsec (mainly the fact that there is no 
associated interface), I don't understand how/if it is supposed to 
work.

Any help appreciated,

Thanks in advance,

--fred
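The three-step forwarding sequence in the post (host sends to default gateway, gateway has no matching policy, packet leaves via WAN) is the general behaviour of a policy-based IPsec gateway: the tunnel has no interface and no routes, so a packet is encrypted only if it matches a Security Policy Database (SPD) selector; otherwise it follows the plain routing table, which on an edge firewall usually means the default route. The toy model below is an added illustration written for this archive page, not code from the post or from m0n0wall. It uses the addresses from the diagram, but the SPD contents (a LANA<->LANB phase-2 selector), the peer name `mb-wan`, and the WAN subnet `203.0.113.0/24` are constructed assumptions, and the SPD-before-route ordering is a simplification of the kernel's output path. It also models the "gateway not on local network" failure the poster quotes from the kernel log, and a small check that lists private-destination flows that would leave the WAN in cleartext, which is the risk worth detecting whenever a selector is missing.

```python
"""Toy model of a policy-based IPsec gateway (constructed example).

A packet is first matched against the SPD (src/dst selectors).  A match is
tunnelled to the peer; anything else is forwarded by longest-prefix route
lookup.  A route whose next hop is not on the chosen interface's subnet is
rejected, mirroring the kernel's "arplookup ... host is not on local
network" complaint.  All tables below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Policy:
    """One phase-2 selector: traffic src->dst is encrypted to `peer`."""
    src: IPv4Net
    dst: IPv4Net
    peer: str


@dataclass(frozen=True)
class Interface:
    name: str
    network: IPv4Net  # directly connected subnet


@dataclass(frozen=True)
class Route:
    dst: IPv4Net
    gateway: Optional[str]  # None means directly connected
    iface: str


def forward(src: str, dst: str, spd: List[Policy], routes: List[Route],
            ifaces: List[Interface]) -> Tuple[str, str]:
    """Decide what the gateway does with one packet.

    Returns ("ipsec", peer), ("route", iface) or ("drop", reason).
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in spd:  # SPD wins over routing: the tunnel has no interface
        if s in p.src and d in p.dst:
            return ("ipsec", p.peer)
    best: Optional[Route] = None
    for r in routes:  # longest-prefix match
        if d in r.dst and (best is None or r.dst.prefixlen > best.dst.prefixlen):
            best = r
    if best is None:
        return ("drop", "no route")
    if best.gateway is not None:
        local = next(i.network for i in ifaces if i.name == best.iface)
        if ipaddress.ip_address(best.gateway) not in local:
            # the kernel cannot ARP for a next hop outside the link's subnet
            return ("drop", f"gateway {best.gateway} not on {best.iface}")
    return ("route", best.iface)


def cleartext_leaks(flows: List[Tuple[str, str]], spd: List[Policy],
                    routes: List[Route], ifaces: List[Interface],
                    wan: str = "WAN") -> List[Tuple[str, str]]:
    """Flows to private (RFC 1918) destinations that would exit the WAN unencrypted."""
    return [(s, d) for s, d in flows
            if ipaddress.ip_address(d).is_private
            and forward(s, d, spd, routes, ifaces) == ("route", wan)]


# Constructed picture of m0n0a: LAN from the diagram, WAN subnet assumed.
M0N0A_IFACES = [Interface("LAN", net("192.168.0.0/24")),
                Interface("WAN", net("203.0.113.0/24"))]
M0N0A_ROUTES = [Route(net("192.168.0.0/24"), None, "LAN"),
                Route(net("0.0.0.0/0"), "203.0.113.1", "WAN")]
# Assumed phase-2 selector for the LANA<->LANB tunnel only.
M0N0A_SPD = [Policy(net("192.168.0.0/24"), net("10.80.48.0/20"), "mb-wan")]

# Variant 1: a static route to LANC via gbc, whose address is on LANB, not LANA.
STATIC_TO_GBC = M0N0A_ROUTES + [Route(net("192.168.60.0/24"), "10.80.48.99", "LAN")]
# Variant 2: an additional selector covering LANA<->LANC through the same peer.
SPD_WITH_LANC = M0N0A_SPD + [Policy(net("192.168.0.0/24"), net("192.168.60.0/24"), "mb-wan")]

if __name__ == "__main__":
    for label, spd, routes in [("base", M0N0A_SPD, M0N0A_ROUTES),
                               ("static route", M0N0A_SPD, STATIC_TO_GBC),
                               ("extra selector", SPD_WITH_LANC, M0N0A_ROUTES)]:
        print(label, "ha->hb", forward("192.168.0.1", "10.80.48.1", spd, routes, M0N0A_IFACES),
              "ha->hc", forward("192.168.0.1", "192.168.60.1", spd, routes, M0N0A_IFACES))
    print("leaks:", cleartext_leaks([("192.168.0.1", "192.168.60.1")],
                                    M0N0A_SPD, M0N0A_ROUTES, M0N0A_IFACES))
```

With the base tables, ha->hb matches the selector and is tunnelled, while ha->hc matches nothing and is handed to the default route, which is exactly the symptom the post describes; `cleartext_leaks` reports that flow. A static route pointing at a next hop on a remote subnet is refused rather than used, as the quoted arplookup message indicates. Only a selector that covers the LANC destination makes the model tunnel that traffic; whether that is the right fix for the poster's setup is not something this page establishes.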