 From:  Tomaso Scarsi <tomaso at cab dot unipd dot it>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ipsec problem
 Date:  Wed, 9 Jul 2003 08:21:22 +0200
On Tue, Jul 08, 2003 at 01:44:57PM -0700, Fred Wright wrote:
> 
> On Tue, 8 Jul 2003, Tomaso Scarsi wrote:
> 
> > I've setup an m0n0wall <-> m0n0wall ipsec tunnel
> > in the log file I can see:
> > 
> > Jul 7 19:04:06
> > racoon: INFO: pfkey.c:1110:pk_recvupdate(): IPsec-SA established:
> > ESP/Tunnel aaa.bbb.ccc.ddd->eee.fff.ggg.hhh spi=34240748(0x20a78ec)
> > 
> > 
> > Jul 7 19:04:06
> > racoon: INFO: pfkey.c:1322:pk_recvadd(): IPsec-SA established:
> > ESP/Tunnel eee.fff.ggg.hhh->aaa.bbb.ccc.ddd spi=70969143(0x43ae737)
> > 
> > where aaa.bbb.ccc.ddd and eee.fff.ggg.hhh are the public ip of the two
> > m0n0wall
> > 
> > the two lan's connected are 192.168.1.0/24 and 10.0.0.0/24
> > 
> > the lan ip of the m0n0wall are 192.168.1.254 and 10.0.0.254
> > 
> > 
> > Now if I try to ping from a lan to the other I can ping only the
> > gateway, for example from the 192.168.1.x I receive an answer only from
> > the m0n0wall gateway 10.0.0.254 but not from any other host;
> > 
> > it seems like a routing problem.
> 
> Yup.  For full LAN<->LAN connectivity (without NAT):
> 
> 1) Each m0n0wall needs to know that the other LAN is reachable via the
> tunnel.  You can check for this with "netstat -rn" in /exec.php.  If the
> tunnel is configured as a point-to-point link, the route to the remote
> m0n0wall's IP should be established automatically, but that doesn't cover
> the rest of its LAN.
You are right: the route to the other LAN is missing;
in the IPsec configuration pages there is nothing about the tunnel type, I
cannot choose between a point-to-point tunnel or a LAN-to-LAN tunnel;

maybe I can manually add the route but I don't know how to save on the
floppy;

thanks for your help
Tomaso


-- 

Tomaso Scarsi

Universita' degli Studi di Padova
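The check Fred suggests ("netstat -rn" in /exec.php, then look for a route covering the remote LAN rather than only the remote m0n0wall's address) can be automated. The following is an added example written for this thread, not code from m0n0wall or from either poster: it parses FreeBSD-style netstat -rn output (the "default" entry, a.b.c.d/nn prefixes, bare host routes and the classful abbreviations such as "192.168.1"), does a longest-prefix match for a destination, and reports whether the match is a specific route or only the default route. The table embedded below is constructed to mirror Tomaso's setup: 203.0.113.0/24 and 198.51.100.10 are documentation addresses standing in for the public IPs aaa.bbb.ccc.ddd and eee.fff.ggg.hhh, the interface names xl0/xl1 and the next hop shown for the "after" entry are assumptions, and the thread does not say which next hop m0n0wall's tunnel route actually uses.

```python
from ipaddress import IPv4Network
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    dest: IPv4Network   # prefix the routing-table entry covers
    gateway: str        # next hop, or "link#N" for directly attached networks
    flags: str
    netif: str


def parse_destination(dest: str) -> IPv4Network:
    """Convert one netstat -rn Destination cell into an IPv4Network.

    Accepts "default", "a.b.c.d/nn", a bare host address (treated as /32) and
    FreeBSD's classful abbreviation ("192.168.1" means 192.168.1.0/24).
    Raises ValueError for anything else, e.g. the column header line.
    """
    if dest == "default":
        return IPv4Network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if len(octets) > 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"not an IPv4 destination: {dest}")
    if not prefix:
        prefix = "32" if len(octets) == 4 else str(8 * len(octets))
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return IPv4Network(f"{padded}/{prefix}", strict=False)


def parse_routes(text: str) -> List[Route]:
    """Parse netstat -rn output; lines that are not route entries are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:          # blank lines, "Routing tables", "Internet:"
            continue
        try:
            dest = parse_destination(parts[0])
        except ValueError:
            continue                # the "Destination Gateway ..." header
        routes.append(Route(dest, parts[1], parts[2], parts[5]))
    return routes


def best_route(routes: List[Route], target: IPv4Network) -> Optional[Route]:
    """Longest-prefix match among the entries that cover the whole target prefix."""
    covering = [r for r in routes if target.subnet_of(r.dest)]
    return max(covering, key=lambda r: r.dest.prefixlen, default=None)


def diagnose(netstat_text: str, destination: str) -> Tuple[str, Optional[Route]]:
    """Classify how a destination would be forwarded.

    "routed"       - a specific entry covers it
    "default-only" - only the default route matches (Tomaso's symptom for the
                     remote LAN: the host route to 10.0.0.254 exists, the /24 does not)
    "no-route"     - nothing matches at all
    """
    target = IPv4Network(destination, strict=False)
    route = best_route(parse_routes(netstat_text), target)
    if route is None:
        return "no-route", None
    if route.dest.prefixlen == 0:
        return "default-only", route
    return "routed", route


# Constructed netstat -rn output for the 192.168.1.254 m0n0wall in the thread.
NETSTAT_BEFORE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGSc        3        0    xl0
10.0.0.254         198.51.100.10      UGH         0        0    xl0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.1          link#2             UC          2        0    xl1
203.0.113/24       link#1             UC          1        0    xl0
"""

# The same table with an entry for the remote LAN added (constructed; the next
# hop is a placeholder, not what m0n0wall itself would install).
NETSTAT_AFTER = NETSTAT_BEFORE + \
    "10.0.0/24          198.51.100.10      UGSc        0        0    xl0\n"


if __name__ == "__main__":
    for label, table in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        for dst in ("10.0.0.254", "10.0.0.0/24"):
            status, route = diagnose(table, dst)
            via = f"via {route.gateway} on {route.netif}" if route else ""
            print(f"{label:6} {dst:12} {status:12} {via}")
```

Run against the "before" table, the remote gateway 10.0.0.254 comes back "routed" while 10.0.0.0/24 comes back "default-only", which is exactly the ping-the-gateway-but-nothing-else behaviour described in the thread; on a real m0n0wall, paste the output of "netstat -rn" from /exec.php into NETSTAT_BEFORE in place of the constructed table.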