 From:  "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: [m0n0wall] Multiple ipsec tunnels
 Date:  Sun, 13 Nov 2005 20:47:42 +0100
If I understand you correctly you want to route from Texas to LA via San Diego over IPSEC?
Ok, maybe some ASCII art will help:
Aaron, I always get this when mailing you:

A message that you sent could not be delivered to one or more of
its recipients. The following addresses failed:

  <aaronpc at pccreations dot net>

domain name system error:
mail exchanger not found


Here's the answer to your question:

Texas---(IPSEC)---San Diego---(IPSEC)---Los Angeles

The problem in this setup is that you can't do the routing through IPSEC with static routes, as the
tunnel definition doesn't match the remote subnet.

The tunnel from Texas to San Diego encapsulates traffic to destinations 192.168.99.x. If you send
traffic to Los Angeles the destination is 192.168.1.x, which obviously doesn't match the tunnel
definition. That's why the traffic is going out to the internet instead of the IPSEC tunnel.

How to solve this? You have to use parallel tunnels to make this work:

Texas LAN-Subnet to San Diego LAN-Subnet (this is the tunnel you already have in place)
Texas LAN-Subnet to San Diego (this one does the magic!) isn't at the San Diego location but with this tunnel we are able to get the traffic
to that remote subnet encapsulated through the tunnel to San Diego. To get this tunnel configured
you have to change the local subnet at the San Diego site for this tunnel to the LAN subnet of Los
Angeles. You also have to add an additional identifier for this tunnel, as source and destination IP
for this second parallel tunnel are the same, so m0n0 doesn't get confused.

Ok, now we have the traffic for Los Angeles hitting San Diego over IPSEC. Now we need the same setup
for San Diego and Los Angeles:

San Diego LAN-Subnet to Los Angeles LAN-Subnet (you already have this one)
San Diego to Los Angeles LAN-Subnet (same deal here)

By doing so we have managed to route the traffic from Texas to Los Angeles via San Diego.

I hope this helps. It took me 2 days to find out how this is working, as I didn't get any help from
the mailing list when I tried to set this up, but I guess nobody knew how to accomplish this ;-)

Holger Bauer
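The reason the Texas-to-Los-Angeles packets leave in the clear, and why the parallel tunnels fix it, is that an IPsec Phase 2 definition is a traffic selector (local subnet, remote subnet): a packet is only encapsulated when both ends of its source/destination pair match one tunnel on the box it is passing through. The following Python model is an added example, not code from the thread or from m0n0wall; the three site names and LAN subnets are the ones Aaron posted, while the per-site selector lists, the `Tunnel` data structure and the `trace` helper are constructed here to show the before and after policy sets side by side.

```python
"""Model of IPsec Phase 2 selector matching for the Texas / San Diego /
Los Angeles hub-and-spoke setup discussed in the thread.

Added example (not m0n0wall code). The site names and subnets come from
the thread; the selector tables, Tunnel class and trace() are constructed
here to illustrate why only a matching (local, remote) pair gets encrypted.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

TEXAS = IPv4Network("192.168.111.0/24")
SAN_DIEGO = IPv4Network("192.168.99.0/24")
LOS_ANGELES = IPv4Network("192.168.1.0/24")

# Which LAN each site owns; used to know when a packet has arrived.
LANS = {"Texas": TEXAS, "San Diego": SAN_DIEGO, "Los Angeles": LOS_ANGELES}


@dataclass(frozen=True)
class Tunnel:
    local: IPv4Network   # "local subnet" in the tunnel definition
    remote: IPv4Network  # "remote subnet" in the tunnel definition
    peer: str            # the site at the far end of the tunnel


def select_tunnel(spd: List[Tunnel], src: IPv4Address, dst: IPv4Address) -> Optional[Tunnel]:
    """First tunnel whose (local, remote) selector covers the packet, else None.
    None means the packet is forwarded by the normal routing table, i.e. to
    the WAN in cleartext, which is exactly the leak described in the thread."""
    for t in spd:
        if src in t.local and dst in t.remote:
            return t
    return None


def trace(site_spd: Dict[str, List[Tunnel]], start: str,
          src: IPv4Address, dst: IPv4Address, max_hops: int = 4) -> List[str]:
    """Follow a packet from site to site until it reaches the LAN holding dst,
    or until no selector matches (then the path ends in 'INTERNET (cleartext)')."""
    path, site = [start], start
    for _ in range(max_hops):
        if dst in LANS[site]:
            return path
        t = select_tunnel(site_spd[site], src, dst)
        if t is None:
            path.append("INTERNET (cleartext)")
            return path
        site = t.peer
        path.append(site)
    path.append("LOOP")
    return path


# Before: only the plain LAN-to-LAN tunnels Aaron already had.
BEFORE = {
    "Texas": [Tunnel(TEXAS, SAN_DIEGO, "San Diego")],
    "San Diego": [Tunnel(SAN_DIEGO, TEXAS, "Texas"),
                  Tunnel(SAN_DIEGO, LOS_ANGELES, "Los Angeles")],
    "Los Angeles": [Tunnel(LOS_ANGELES, SAN_DIEGO, "San Diego")],
}

# After: the parallel tunnels. Each goes to the SAME peer as an existing
# tunnel but carries a different (local, remote) selector, so the hub can
# pass Texas<->Los Angeles traffic through.
AFTER = {
    "Texas": [Tunnel(TEXAS, SAN_DIEGO, "San Diego"),
              Tunnel(TEXAS, LOS_ANGELES, "San Diego")],          # "does the magic"
    "San Diego": [Tunnel(SAN_DIEGO, TEXAS, "Texas"),
                  Tunnel(LOS_ANGELES, TEXAS, "Texas"),            # LA subnet as local
                  Tunnel(SAN_DIEGO, LOS_ANGELES, "Los Angeles"),
                  Tunnel(TEXAS, LOS_ANGELES, "Los Angeles")],     # Texas subnet as local
    "Los Angeles": [Tunnel(LOS_ANGELES, SAN_DIEGO, "San Diego"),
                    Tunnel(LOS_ANGELES, TEXAS, "San Diego")],
}

# Constructed sample hosts, one per LAN.
TX_HOST = IPv4Address("192.168.111.10")
LA_HOST = IPv4Address("192.168.1.10")


def texas_to_la_before() -> List[str]:
    return trace(BEFORE, "Texas", TX_HOST, LA_HOST)


def texas_to_la_after() -> List[str]:
    return trace(AFTER, "Texas", TX_HOST, LA_HOST)


def la_to_texas_after() -> List[str]:
    return trace(AFTER, "Los Angeles", LA_HOST, TX_HOST)


if __name__ == "__main__":
    print("before:", " -> ".join(texas_to_la_before()))
    print("after: ", " -> ".join(texas_to_la_after()))
    print("return:", " -> ".join(la_to_texas_after()))
```

The "before" trace stops at `INTERNET (cleartext)` on the Texas box, which is the failure mode in the thread: a packet for 192.168.1.x never meets a selector and is simply routed out the WAN. The defensive takeaway is that a selector mismatch fails open rather than closed, so a firewall rule that drops traffic for the other sites' private ranges when it is about to leave unencrypted is a sensible safeguard alongside the parallel tunnels. Note that the return direction needs its own parallel tunnels too; the model only declares a path reachable when every hop, in both directions, has a matching pair.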

> From: Aaron Freeman [mailto:aaronpc at pccreations dot net]
> Sent: Sunday, 13 November 2005 03:50
> To: Holger Bauer
> Subject: RE: [m0n0wall] Multiple ipsec tunnels
> Thank you so much for your response. I guess you need to get 
> out the dunce cap, I read your answer several times and it is 
> just not sinking in.
> Here is my setup.
> [Texas 192.168.111.x] to [San Diego, 192.168.99.x] this tunnel works. 
> [San Diego, 192.168.99.x] to [Texas 192.168.111.x] this tunnel works.
> [Los Angeles 192.168.1.x] to [San Diego, 192.168.99.x] this 
> tunnel does not work.
> [San Diego, 192.168.99.x] to [Los Angeles 192.168.1.x] this 
> tunnel does not work.
> What am I missing? Are you saying before the Los Angeles to 
> San Diego tunnel will work this tunnel needs to be set up on 
> all 3 monowalls??
> Aaron Freeman
> -----Original Message-----
> From: Holger Bauer [mailto:Holger dot Bauer at citec dash ag dot de] 
> Sent: Saturday, November 12, 2005 1:23 PM
> To: Aaron Freeman; m0n0wall at lists dot m0n0 dot ch
> Subject: AW: [m0n0wall] Multiple ipsec tunnels
> I have answered this in the past. You need parallel tunnels for this:
> http://www.m0n0.ch/wall/list/showmsg.php?id=160/29
> Holger Bauer

> > From: Aaron Freeman [mailto:aaronpc at pccreations dot net]
> > Sent: Friday, 11 November 2005 22:59
> > To: m0n0wall at lists dot m0n0 dot ch
> > Subject: [m0n0wall] Multiple ipsec tunnels
> > 
> > 
> > Is it possible to connect two remote sites that are using 
> > monowall to a single site using monowall through ipsec tunnel? If yes how?
> > 
> > I tried this with monowall 1.2 with no success. I read that a few 
> > individuals had trouble with ipsec tunnels after upgrading to 1.2, so 
> > I went back to 1.11 and still can not successfully establish a second 
> > tunnel. Please help.
> > 
> > Aaron Freeman