On 25.04.2010 18:44 Joe wrote:
> Hi,
> I have what I believe is a routing problem.
> 
> First of all, I have a site to site ipsec vpn up and running as follows:
> 
> Site 1 Lan subnet: 192.168.x.0/24
> Site 2 Lan subnet: 192.168.y.0/24
> 
> 192.168.x.0/24 <-> m0n0wall-1 <-(Internet)-> monowall-2 <-> 192.168.y.0/24
> 
> It works.
> The vpn setups are to join the 192.168.x.0 network with the 192.168.y.0
> network and vice versa.
> 
> Now, I want to introduce another gateway, so that I can monitor and
> control traffic.
> I tried this unsuccessfully as follows:
> 
> 192.168.x.0/24 <-> [(192.168.z.0/24 = eth0) gateway (192.168.z.0/24 =
> eth1)] <-> m0n0wall-1 <-(Internet)-> monowall-2 <-> 192.168.y.0/24
> 
> The internal Lan of monowall-1 was put on the 192.168.z.0 subnet and the
> monowall-2 ipsec vpn was changed to have the remote subnet be 192.168.z.0.
> 
> A static route on monowall-1 was added to use the gateway eth1 IP
> (192.168.z.20) as a gateway to the Site1 Lan subnet traffic
> (192.168.x.0/24).
> 
> Once configured, I could log onto a host at site1 and ping through to
> hosts at Site2.
> But from site2, I could not ping hosts on the site1 subnet.
> 
> I could however ping the new gateway eth1 IP address (192.168.z.20) from
> Site2.
> I could also log onto the monowall-1 web interface and ping the Lan
> interface to any host of Site1.
> 
> Can anybody suggest what is wrong?
> Thanks!
> 
I seems your gateway does NAT and no simple routing.
I think so, because you have changed the VPN subnet, but eg. a ping from
x.0 network to y.0 network will not be possible if you don't have a vpn
for both subnets. Have a look in the log fof mOnOwall 2 if you get the
ping from the gateway ETH1 address (NAT) or from the Cient from the x.0
network. Tracert will be better for debuging

bye
Christoph