 
 From:  Raphael Maunier <raphael at maunier dot net>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Getting nuts with an ipsec routing problem -- success
 Date:  Fri, 26 Aug 2005 18:08:31 +0400
> Hi,
> 
> I added the tunnel and it worked like a charm. Many, many thanks to both
> Philippe and Raphael.
> 
> I owe you a virtual beer (or physical, if you happen to come to paris,
> france)
I'm in Paris :)
> 
> That being said, I am surprised that one HAS to add a tunnel and cannot
> route through the existing IPsec tunnel.

For each network you need to join into an IPsec network, you will need 
to add an IPsec route/rule (but if it's a /23, no need to create two /24s, 
for example).
Another solution (tested and running with Cisco) is to create a GRE 
tunnel and to encrypt the traffic with 3DES/AES...

So you will not need to add an IPsec route but only a static route (or 
dynamic routing like OSPF or BGP) over the encrypted tunnel.

Regards,

> 
> Thank you very much,
> 
> --fred
> 
> Philippe Lang wrote:
> 
>> Hi,
>>
>> I'm not sure it will help, but have you tried configuring a VPN with 
>> local network LANA and remote network LANC in both M0n0walls, with 
>> proper static routes to LANC in mb and gbc?
>> -----Original message-----
>>
>> Subject: [m0n0wall] Getting nuts with an ipsec routing problem
>>
>> Hi everybody,
>>
>> As a picture is better than a thousand words, here is the network I am 
>> talking about (some IPs renamed). View it with a non-proportional font:
>>
>> +----+
>> | ha |
>> +--+-+
>>     | 192.168.0.1
>> ---+-----------------+------------------------ LANA = 192.168.0/24
>>                       | 192.168.0.253
>>                     +-+--+
>>            m0n0wall | ma |---IPsec--+
>>                     +----+          |
>>                        |            |
>>                       WAN           |
>>                                     |
>>                       WAN           |
>>                        |            |
>>                     +----+          |
>>            m0n0wall | mb |---IPsec--+
>>                     +-+--+
>>                       | 10.80.48.253
>> ----+----------------+--------------+----------- LANB = 10.80.48.0/20
>>      | 10.80.48.1                    | 10.80.48.99
>>    +-+--+                         +--+--+
>>    | hb |                         | gbc |
>>    +-+--+                         +--+--+
>>                                      |
>>                 ------+--------------+----------- LANC = 192.168.60.0/24
>>                       | 192.168.60.1
>>                     +-+--+
>>                     | hc |
>>                     +----+
>>
>> ha = hosta = 192.168.0.1
>> hb = hostb = 10.80.48.1
>> hc = hostc = 192.168.60.1
>> ma = m0n0a = 192.168.0.253
>> mb = m0n0b = 10.80.48.253
>> gbc = gatewaybc = 10.80.48.99
>>
>> What works:
>> ping: ha <-> hb
>> ping: hb <-> hc
>>    (after I added a static route on m0n0b: LAN,192.168.60/24,10.80.48.99)
>>
>> What DOESN'T work:
>> ping: ha -> hc
>>
>>
>> I am totally unable to ping from hosta to hostc, no matter what I try 
>> (and I easily spent 8 hours on that). As far as I can tell, m0n0a 
>> seems to send the packet to the WAN instead of the IPsec link.
>>
>> I don't understand how the stuff is supposed to work:
>> 1/ ha has a packet for 192.168.60.1
>> 2/ this is not a local address, so it sends it to the default gw (m0n0a) 
>> 3/ m0n0a has NO idea what to do with the packet, so it sends it 
>> to the WAN.
>>
>> It seems obvious to me that m0n0a needs some sort of route to 
>> understand how to handle packets for LANC. But I can't get it to have 
>> one that works
>> (/kernel: arplookup 10.80.50.99 failed: host is not on local network). 
>> And due to the nature of IPsec (mainly the fact that there is no 
>> associated interface), I don't understand how/if it is supposed 
>> to work.
>>
>> Any help appreciated,
>>
>> Thanks, in advance,
>>
>> --fred
>>
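The thread above turns on the difference between policy-based IPsec (m0n0wall's model, where a packet is encrypted only if its source/destination pair matches a phase-2 selector) and route-based tunnelling (Raphael's GRE-over-IPsec alternative, where an ordinary route pointing at the protected interface is enough). The following Python model is an added illustration, not m0n0wall code or anything from the list; the class and function names (Gateway, forward, cleartext_leaks) are assumptions. It uses the addresses from fred's diagram and reproduces the three outcomes discussed: the original config sending ha -> hc to the WAN in the clear, the static route via 10.80.48.99 failing because that next hop is not on any of m0n0a's connected networks (the arplookup error), and the two fixes, a second phase-2 entry LANA <-> LANC or routing over a GRE interface that IPsec already protects. The cleartext_leaks helper is the check a defender wants: which flows that should be private would leave unencrypted.

```python
"""Toy model of policy-based vs route-based IPsec forwarding (added example,
not m0n0wall code). Addresses come from the thread's network diagram."""
import ipaddress
from dataclasses import dataclass, field


def net(s):
    return ipaddress.ip_network(s, strict=False)


@dataclass
class Gateway:
    # directly connected networks (a static route's next hop must be on one)
    local_nets: list
    # IPsec phase-2 selectors as (local_net, remote_net); matching packets are encrypted
    phase2: list = field(default_factory=list)
    # static routes as (prefix, next_hop); next_hop is an IP or an interface name
    static_routes: list = field(default_factory=list)
    # interfaces whose traffic is already protected by an IPsec SA (GRE-over-IPsec)
    encrypted_ifaces: set = field(default_factory=set)

    def forward(self, src, dst):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. policy-based IPsec: the SPD is consulted on the (src, dst) pair,
        #    independently of the routing table
        for local, remote in self.phase2:
            if s in net(local) and d in net(remote):
                return f"ipsec:{local}<->{remote}"
        # 2. otherwise, longest-prefix match over the static routes
        best = None
        for prefix, nh in self.static_routes:
            p = net(prefix)
            if d in p and (best is None or p.prefixlen > best[0].prefixlen):
                best = (p, nh)
        if best is None:
            return "clear:WAN"  # default route: leaves the box unencrypted
        nh = best[1]
        if nh in self.encrypted_ifaces:
            return f"ipsec:{nh}"  # route-based: next hop is the protected tunnel
        try:
            nh_ip = ipaddress.ip_address(nh)
        except ValueError:
            return f"clear:{nh}"  # an unprotected interface
        if not any(nh_ip in net(l) for l in self.local_nets):
            # the kernel cannot ARP for a next hop that is not on a connected
            # network: the "arplookup ... failed: host is not on local network" case
            return f"unreachable:{nh}"
        return f"clear:{nh}"


def cleartext_leaks(gw, flows):
    """Defender check: which flows that should stay private would leave in the clear?"""
    return [(s, d) for s, d in flows if gw.forward(s, d).startswith("clear:")]


# Flows that must be private: ha -> hb and ha -> hc (addresses from the thread)
PRIVATE_FLOWS = [("192.168.0.1", "10.80.48.1"), ("192.168.0.1", "192.168.60.1")]


def m0n0a_original():
    # Only LANA <-> LANB is covered by a phase-2 entry
    return Gateway(local_nets=["192.168.0.0/24"],
                   phase2=[("192.168.0.0/24", "10.80.48.0/20")])


def m0n0a_with_bad_static_route():
    # gbc (10.80.48.99) sits on LANB, not on any network m0n0a is connected to
    gw = m0n0a_original()
    gw.static_routes.append(("192.168.60.0/24", "10.80.48.99"))
    return gw


def m0n0a_second_phase2():
    # The fix that worked in the thread: one more tunnel definition LANA <-> LANC
    gw = m0n0a_original()
    gw.phase2.append(("192.168.0.0/24", "192.168.60.0/24"))
    return gw


def m0n0a_gre_over_ipsec():
    # Raphael's alternative: GRE endpoints protected by IPsec, plain routes
    # (static or OSPF/BGP-learned) steer traffic into the tunnel interface
    return Gateway(local_nets=["192.168.0.0/24"],
                   static_routes=[("10.80.48.0/20", "gre0"), ("192.168.60.0/24", "gre0")],
                   encrypted_ifaces={"gre0"})


if __name__ == "__main__":
    cases = [("original", m0n0a_original()),
             ("bad static route", m0n0a_with_bad_static_route()),
             ("second phase-2", m0n0a_second_phase2()),
             ("GRE over IPsec", m0n0a_gre_over_ipsec())]
    for name, gw in cases:
        print(f"{name:16} ha->hc: {gw.forward('192.168.0.1', '192.168.60.1'):40} "
              f"leaks: {cleartext_leaks(gw, PRIVATE_FLOWS)}")
```

Running it prints one line per configuration; only the original config reports a cleartext leak for ha -> hc, and the bad static route reports the next hop as unreachable rather than fixing anything. Raphael's aggregation remark also follows from the model: a single phase-2 selector whose remote network is a /23 covers both /24s inside it, so two entries are only needed when the remote networks are not adjacent (as LANB and LANC are not here).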