 From:  "Philippe Lang" <philippe dot lang at attiksystem dot ch>
 To:  "Frederic Stark" <f5428 at almonde dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Getting nuts with an ipsec routing problem
 Date:  Fri, 26 Aug 2005 15:05:38 +0200

I'm not sure it will help, but have you tried configuring a VPN with local network LANA and remote
network LANC in both M0n0walls, with proper static routes to LANC in mb and gbc? 

-----Original Message-----
From: Frederic Stark [mailto:f5428 at almonde dot com]
Sent: Friday, 26 August 2005 14:36
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Getting nuts with an ipsec routing problem

Hi everybody,

As a picture is better than a thousand words, here is the network I am talking about (some IPs
renamed). See it with a non-proportional font:

| ha |
---+-----------------+------------------------ LANA = 192.168.0/24
           m0n0wall | ma |---IPsec--+
                    +----+          |
                       |            |
                      WAN           |
                      WAN           |
                       |            |
                    +----+          |
           m0n0wall | mb |---IPsec--+
----+----------------+--------------+----------- LANB =
     |                    |
   +-+--+                         +--+--+
   | hb |                         | gbc |
   +-+--+                         +--+--+
                ------+--------------+----------- LANC =
                    | hc |

ha = hosta =
hb = hostb =
hc = hostc =
ma = m0n0a =
mb = m0n0b =
gbc = gatewaybc =

What works:
ping: ha <-> hb
ping: hb <-> hc
   (after I added a static route on m0n0b: LAN,192.168.60/24,

What DOESN'T work:
ping: ha -> hc

I am totally unable to ping from hosta to hostc, no matter what I try (and I easily spent 8 hours on
that). As far as I can tell, the m0n0a seems to send the packet to the WAN instead of the IPSec

I don't understand how the stuff is supposed to work:
1/ ha has a packet for
2/ this is not a local address, so it sends it to default gw (m0n0a)
3/ m0n0a has NO idea about what to do with the packet, so it sends it to the WAN.

It seems obvious to me that m0n0a needs some sort of route to understand how to handle packets for
LANC. But I can't get it to have one that works
(/kernel: arplookup failed: host is not on local network).
And due to the nature of IPsec (mainly the fact that there is no associated interface), I don't
understand how/if it is supposed to work.

Any help appreciated,

Thanks, in advance,
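
An added illustration, not part of the original thread: a simplified Python model of a policy-based IPsec gateway that selects tunnel traffic by local/remote subnet pair instead of by a route, which is the situation the reply's suggestion addresses. It assumes m0n0wall tunnels are defined by such subnet pairs and that the existing tunnel covers only LANA and LANB; the LANB prefix, the host addresses and the function names are constructed for the example.

```python
import ipaddress

# LANA and LANC follow the prefixes visible in the post (192.168.0/24, 192.168.60/24).
# LANB and all host addresses are constructed placeholders; the post elides them.
LANA = ipaddress.ip_network("192.168.0.0/24")
LANB = ipaddress.ip_network("10.0.0.0/24")       # placeholder
LANC = ipaddress.ip_network("192.168.60.0/24")
HA = ipaddress.ip_address("192.168.0.10")        # placeholder for hosta
HB = ipaddress.ip_address("10.0.0.10")           # placeholder for hostb
HC = ipaddress.ip_address("192.168.60.10")       # placeholder for hostc


def outbound_decision(policies, src, dst):
    """Return 'ipsec' if a (local_net, remote_net) policy covers the packet, else 'wan'."""
    for local_net, remote_net in policies:
        if src in local_net and dst in remote_net:
            return "ipsec"
    # No policy matched: the packet follows the default route, unencrypted.
    return "wan"


def mirrored(policies_a, policies_b):
    """True if gateway B holds exactly gateway A's subnet pairs with local/remote swapped."""
    return {(remote, local) for local, remote in policies_a} == set(policies_b)


# Assumed starting point: one tunnel on m0n0a, LANA <-> LANB.
MA_BEFORE = [(LANA, LANB)]
# Suggested change: a second tunnel, LANA <-> LANC, defined on both gateways.
MA_AFTER = [(LANA, LANB), (LANA, LANC)]
MB_AFTER = [(LANB, LANA), (LANC, LANA)]

if __name__ == "__main__":
    print("before, ha -> hb:", outbound_decision(MA_BEFORE, HA, HB))
    print("before, ha -> hc:", outbound_decision(MA_BEFORE, HA, HC))
    print("after,  ha -> hc:", outbound_decision(MA_AFTER, HA, HC))
    print("after,  hc -> ha (on m0n0b):", outbound_decision(MB_AFTER, HC, HA))
    print("selectors mirrored on both ends:", mirrored(MA_AFTER, MB_AFTER))
```

The model covers only the tunnel-selection step on the two m0n0wall boxes; the static routes for LANC mentioned in the reply are still needed to move packets between LANB and LANC.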

