 From:  Michael <monowall at encambio dot com>
 To:  M0n0wall <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] How to route OPT traffic to IPSec tunnel?
 Date:  Fri, 16 Apr 2010 11:36:59 +0200
Hello Hilton,

On Sun., Apr 11, 2010, Hilton TRAVIS wrote:
>On Fri., Apr 2, 2010, Michael wrote:
>>On Thurs., Apr 01, 2010, Chris Buechler wrote:
>>>On Thu, Apr 1, 2010 at 2:21 PM, Michael wrote:
>>>> But how to do that without adding another tunnel? You see from
>>>> the LAN and OPT subnet numbers that they are not summarizable as
>>>> mentioned in the FAQ 15.26 (How can I route multiple subnets over
>>>> a site to site IPSec VPN.) And I don't want to set up new tunnels.
>>>There is no other option. It must match a SPD entry to go across
>>>IPsec, the routing table cannot send traffic over IPsec.
>> Okay, thanks for pointing it out. I guess I'll have to double my
>> IPSec tunnel configurations then, and give each OPT interface its
>> own tunnel to all of the other hosts (not very scalable.)
>If you want scalable, configure the networks as subnets of one
>supernet, and away you go.
There are two networks and one is private (RFC1918) while the other
is public. To do what you suggest, I would need to stop fulfilling
this requirement, right?

>You simply cannot configure a network as you have and want the
>functionality you need. You *CAN* make it scalable if you
>configure your network to be able to be scalable.
I do see your point, and you've worded it well. The requirement
of serving private and public subnets seems to conflict with the
requirement of routing hosts on both subnet types over a single
IPSec VPN tunnel.

Because the requirement of having both a private and public subnet
is more important than scalability, I'm still considering just
adding more tunnels.
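An added example, not part of the thread, that checks the two points above in code: whether a given LAN and OPT prefix can be summarized into one supernet (the FAQ 15.26 case) and whether a packet from OPT would match an SPD entry that was written for LAN only. The prefixes are constructed sample values, not anyone's real configuration.

```python
import ipaddress

# Constructed sample prefixes (assumed, not from the thread): an RFC1918 LAN,
# a public OPT block (TEST-NET-3 stands in for real public space) and the
# remote site's LAN that the existing tunnel already carries.
LAN = ipaddress.ip_network("192.168.10.0/24")
OPT = ipaddress.ip_network("203.0.113.0/24")
REMOTE = ipaddress.ip_network("10.20.0.0/16")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(net):
    """True when net lies entirely inside one of the RFC1918 private blocks."""
    net = ipaddress.ip_network(net)
    return any(net.subnet_of(block) for block in RFC1918)

def summarizable(nets):
    """True when the networks collapse into exactly one prefix, i.e. a single
    SPD entry could carry all of them (the FAQ 15.26 case)."""
    nets = [ipaddress.ip_network(n) for n in nets]
    return len(list(ipaddress.collapse_addresses(nets))) == 1

def smallest_supernet(nets):
    """Smallest single prefix covering every network, plus the number of
    addresses it would drag along that belong to none of them."""
    nets = [ipaddress.ip_network(n) for n in nets]
    cover = nets[0]
    for n in nets[1:]:
        while not n.subnet_of(cover):
            cover = cover.supernet()
    extra = cover.num_addresses - sum(n.num_addresses for n in nets)
    return cover, extra

def spd_selects(spd, src_ip, dst_ip):
    """Return the first (local, remote) selector pair that matches a packet,
    or None: a packet matching no SPD entry is never sent through the tunnel,
    whatever the routing table says about the destination."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for local, remote in spd:
        if src in local and dst in remote:
            return local, remote
    return None

if __name__ == "__main__":
    spd = [(LAN, REMOTE)]                     # the one tunnel that exists today
    print(is_rfc1918(LAN), is_rfc1918(OPT))   # True False
    print(summarizable([LAN, OPT]))           # False: no single covering prefix
    print(smallest_supernet([LAN, OPT]))      # 192.0.0.0/4 covers both, at a cost
    print(spd_selects(spd, "192.168.10.5", "10.20.1.1"))  # LAN entry matches
    print(spd_selects(spd, "203.0.113.5", "10.20.1.1"))   # None: OPT needs its own entry
```

The last two calls are the point of Chris's reply: the OPT packet has a perfectly good route to the remote LAN, but with no SPD entry covering its source it leaves the box in the clear.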