Hello Chris,

On Thu., Apr 01, 2010, Chris Buechler wrote:
>On Thu, Apr 1, 2010 at 1:56 PM, Michael wrote:
>>   ---- Router A ----         ---- Router B ----
>>   WAN: 64.64.46.65/29        WAN: 86.86.68.31/29
>>   LAN: 192.168.12.1/24       LAN: 192.168.13.1/24
>>   OPT: 123.123.123.1/24      OPT: 110.110.110.1/24
>>
>> The LANs of both routers are connected via an IPSec tunnel, so:
>>
>>   RouterA/LAN $ traceroute 192.168.13.13
>>   traceroute to 192.168.13.13, 30 hops max, 60 byte packets
>>    1  192.168.13.1  0.194 ms  0.180 ms  0.230 ms
>>    2  * * *
>>    3  192.168.13.13  52.103 ms  56.046 ms  61.009 ms
>>
>> ...pinging works fine. The problem is trying to pass any traffic
>> from OPT to the VPN does not work:
>>
>>   RouterA/OPT $ traceroute 192.168.13.13
>>   traceroute to 192.168.12.12, 64 hops max, 52 byte packets
>>    1  123.123.123.1  0.670 ms  0.505 ms  0.510 ms
>>    2  * * *
>>    3  * * ^C
>>
>> What is the correct way to route any (not just ICMP) traffic
>> from the OPT interface to hosts through the tunnel? Thanks.
>>
>
>Your IPsec config has to include the subnet of that OPT1 interface.
>
But how to do that without adding another tunnel? You see from the
LAN and OPT subnet numbers that they are not summarizable as mentioned
in the FAQ 15.26 (How can I route multiple subnets over a site to site
IPSec VPN.) And I don't want to set up new tunnels.

There must be a way to route traffic from 123.123.123.0/24 to the
IPSec tunnel. Would it work to add a static route somehow involving
the LAN IP 192.168.12.1 as gateway and destination 192.168.13.0/24?

Regards,
Michael
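Added example, not part of the original thread: a simplified Python model of how a policy-based IPsec tunnel selects traffic by local/remote subnet pairs, using the addresses from the message above. It also computes the smallest common supernet to show why the LAN and OPT networks cannot be summarized into one selector. The host 123.123.123.10 and the function names are constructed for illustration.

```python
import ipaddress

# Constructed from the addresses in the thread: the one existing tunnel
# pairs Router A's LAN with Router B's LAN.
TUNNEL_SELECTORS = [("192.168.12.0/24", "192.168.13.0/24")]

# The same tunnel definition with Router A's OPT subnet included,
# which is what the quoted reply says the IPsec config must cover.
SELECTORS_WITH_OPT = TUNNEL_SELECTORS + [("123.123.123.0/24", "192.168.13.0/24")]


def matches_tunnel(src, dst, selectors=TUNNEL_SELECTORS):
    """Return True if (src, dst) falls inside any local/remote selector pair.

    Simplified model (assumption): only addresses are compared; protocol
    and port selectors are ignored.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in ipaddress.ip_network(local) and d in ipaddress.ip_network(remote)
        for local, remote in selectors
    )


def common_supernet(*cidrs):
    """Smallest single network that contains every given network."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    candidate = nets[0]
    # Widen the prefix one bit at a time until every network fits.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


if __name__ == "__main__":
    # LAN host to remote LAN: covered by the existing selector pair.
    print(matches_tunnel("192.168.12.12", "192.168.13.13"))
    # OPT host (constructed address) to remote LAN: no selector covers it.
    print(matches_tunnel("123.123.123.10", "192.168.13.13"))
    # Same OPT host once the OPT subnet is part of the selectors.
    print(matches_tunnel("123.123.123.10", "192.168.13.13", SELECTORS_WITH_OPT))
    # Router A's LAN and OPT share no leading bits, so the only common
    # supernet is the whole IPv4 space.
    print(common_supernet("192.168.12.0/24", "123.123.123.0/24"))
    # For contrast, the two LANs summarize cleanly.
    print(common_supernet("192.168.12.0/24", "192.168.13.0/24"))
```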