Frederic Stark wrote:
> Hi everybody,
>
> As a picture is better than a thousand words, here is the network I am
> talking about (some ip renamed). See it with a non-proportional font:
>
>                           +----+
>                           | ha |
>                           +--+-+
>                              | 192.168.0.1
>         ---+-----------------+------------------------ LANA = 192.168.0/24
>            | 192.168.0.253
>          +-+--+
> m0n0wall | ma |---IPsec--+
>          +----+          |
>            |             |
>           WAN            |
>                          |
>           WAN            |
>            |             |
>          +----+          |
> m0n0wall | mb |---IPsec--+
>          +-+--+
>            | 10.80.48.253
>        ----+----------------+--------------+----------- LANB = 10.80.48.0/20
>                             | 10.80.48.1   | 10.80.48.99
>                           +-+--+        +--+--+
>                           | hb |        | gbc |
>                           +-+--+        +--+--+
>                                            |
>                       ------+--------------+----------- LANC = 192.168.60.0/24
>                             | 192.168.60.1
>                           +-+--+
>                           | hc |
>                           +----+
>
> ha = hosta = 192.168.0.1
> hb = hostb = 10.80.48.1
> hc = hostc = 192.168.60.1
> ma = m0n0a = 192.168.0.253
> mb = m0n0b = 10.80.48.253
> gbc = gatewaybc = 10.80.48.99
>
> What works:
> ping: ha <-> hb
> ping: hb <-> hc
> (after I added a static route on m0n0b: LAN,192.168.60/24,10.80.48.99)
>
> What DOESN'T work:
> ping: ha -> hc
>
>
> I am totally unable to ping from hosta to hostc, no matter what I try
> (and I easily spent 8 hours on that). As far as I can tell, the m0n0a
> seems to send the packet to the WAN instead of the IPSec link.
>
> I don't understand how the stuff is supposed to work:
> 1/ ha has a packet for 192.168.60.1
> 2/ this is not a local address, so it sends it to default gw (m0n0a)
> 3/ m0n0a has NO idea about what to do with the packet, so it sends it to
> the WAN.
>
> It seems obvious to me that m0n0a needs some sort of route to understand
> how to handle packets for LANC. But I can't get it to have one that works
> (/kernel: arplookup 10.80.50.99 failed: host is not on local network).
> And due to the nature of IPsec (mainly the fact that there is no
> associated interface), I don't understand how/if it is supposed to
> work.
>
> Any help appreciated,
>
> Thanks, in advance,
>
> --fred
Hi Frederic,

Do you have 2 IPsec rules/routes?
You will need to have:

on monoA
  192.168.0/24 to 10.80.48.0/20 (already ok)
  192.168.0/24 to 192.168.60.0/24
on monoB
  10.80.48.0/20 to 192.168.0/24 (already ok)
  192.168.60/24 to 192.168.0.0/24

Static routes needed:
- On monoB: to join 192.168.60.0/24 (already done on your side)
- On gbc: static route for 192.168.0.0/24 to monoB (or default route)

And just be sure that the netmask on all stations is /24

Regards,
Raphaël
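
Added example, not part of the original thread: a small Python model of the selector matching discussed above, showing why ha -> hc leaves m0n0a toward the WAN with one tunnel and what the second pair of entries changes. The lookup order in `decide()` and all function names are assumptions made for illustration; addresses and the static route come from the thread.

```python
import ipaddress as ip

LANA = ip.ip_network("192.168.0.0/24")
LANB = ip.ip_network("10.80.48.0/20")
LANC = ip.ip_network("192.168.60.0/24")
ROUTES_B = [(LANC, "10.80.48.99")]   # static route on m0n0b, from the thread

def decide(src, dst, policies, routes, connected):
    """Forwarding decision of one gateway (simplified model, an assumption):
    IPsec selectors win, then the connected LAN, then static routes, then WAN."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    if any(s in local and d in remote for local, remote in policies):
        return "ipsec"
    if d in connected:
        return "lan"
    for prefix, gateway in routes:
        if d in prefix:
            return "via " + gateway
    return "wan (default route)"

def ping_ha_to_hc(pol_a, pol_b):
    """Follow an echo request ha -> hc and its reply through both gateways."""
    ha, hc = "192.168.0.1", "192.168.60.1"
    request = decide(ha, hc, pol_a, [], LANA)          # at m0n0a
    if request != "ipsec":
        return ("request leaves m0n0a unencrypted", request)
    onward = decide(ha, hc, pol_b, ROUTES_B, LANB)     # at m0n0b, after decryption
    reply = decide(hc, ha, pol_b, ROUTES_B, LANB)      # at m0n0b, reply from gbc
    if reply != "ipsec":
        # A real tunnel for this pair would not even negotiate with one end missing.
        return ("no matching selector on m0n0b", reply)
    return ("ok", onward)

ONE_A, ONE_B = [(LANA, LANB)], [(LANB, LANA)]          # the single existing tunnel
TWO_A = ONE_A + [(LANA, LANC)]                         # entries suggested in the reply
TWO_B = ONE_B + [(LANC, LANA)]

if __name__ == "__main__":
    for name, a, b in [("one tunnel", ONE_A, ONE_B), ("A only", TWO_A, ONE_B),
                       ("both ends", TWO_A, TWO_B)]:
        print(name, "->", ping_ha_to_hc(a, b))
```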