 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] ipsec problem
 Date:  Tue, 8 Jul 2003 23:48:15 -0700 (PDT)
On Wed, 9 Jul 2003, Tomaso Scarsi wrote:
> On Tue, Jul 08, 2003 at 01:44:57PM -0700, Fred Wright wrote:
> > 
> > 1) Each m0n0wall needs to know that the other LAN is reachable via the
> > tunnel.  You can check for this with "netstat -rn" in /exec.php.  If the
> > tunnel is configured as a point-to-point link, the route to the remote
> > m0n0wall's IP should be established automatically, but that doesn't cover
> > the rest of its LAN.
> you are right: the route to the other lan is missing;
> in the ipsec configuration pages there is nothing about the tunnel type, I
> cannot choose between a point-to-point tunnel or a lan-to-lan tunnel;

I didn't say it was something you could configure. :-) But ifconfig will
tell you whether it's "BROADCAST" (which really means multidrop) or
"POINTOPOINT".  The latter (which is what I expect it uses) is more
appropriate for a tunnel, and at least gives you a route to *one* remote
IP.  The former doesn't give you a route to anything that isn't in the
same subnet as the local interface.

> maybe I can manually add the route but I don't know how to save on the
> floppy;

It's a lot more than just "saving on the floppy", since something has to
execute the necessary commands at startup.  Static routes is one of the
"to do" items.

A general-purpose workaround for a variety of deficiencies would be to
execute a script (if present) from the floppy or CF /conf at boot time.

					Fred Wright
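
Added example, not part of the original message: a small Python check that takes captured "netstat -rn" output and reports which route a given address would actually use, showing the case described above where a POINTOPOINT host route covers the remote peer but not the rest of its LAN. The routing table, addresses and interface names are constructed placeholders, and the parser assumes the BSD-style abbreviated destination notation (e.g. "192.168.1" for a class C network).

```python
import ipaddress

# Constructed sample of BSD-style "netstat -rn" output; addresses and
# interface names are placeholders, not taken from the thread.
SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGSc        3      120   sis1
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.1          link#1             UC          1        0   sis0
192.168.2.1        192.168.1.1        UH          0        4   gif0
203.0.113          link#2             UC          1        0   sis1
"""

def parse_dest(dest):
    """Expand an abbreviated destination into an ip_network (assumed notation)."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, bits = dest.partition("/")
    octets = addr.split(".")
    if not bits:
        if len(octets) == 4:          # full address with no mask: host route
            bits = "32"
        else:                         # dropped trailing zeros: classful mask
            first = int(octets[0])
            bits = "8" if first < 128 else "16" if first < 192 else "24"
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False)

def routes(text):
    """Return (network, gateway, interface) for each IPv4 route in the dump."""
    out, inet = [], False
    for line in text.splitlines():
        f = line.split()
        if len(f) == 1 and f[0].endswith(":"):   # section header, e.g. "Internet6:"
            inet = f[0] == "Internet:"
        elif inet and len(f) >= 6 and f[0] != "Destination":
            out.append((parse_dest(f[0]), f[1], f[5]))
    return out

def best_route(text, ip):
    """Longest-prefix match: the route the kernel would pick for ip, or None."""
    ip = ipaddress.ip_address(ip)
    hits = [r for r in routes(text) if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)
```

With this sample, best_route(SAMPLE, "192.168.2.1") resolves to the host route on the tunnel interface, while best_route(SAMPLE, "192.168.2.50") falls through to the default route on the WAN interface, which is the missing-route symptom discussed in the thread.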