 From:  Jakob Schwienbacher <jakob dot schwienbacher at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] gateway not working with vpn
 Date:  Wed, 12 May 2010 14:34:12 +0200
Hello,

Now the problem is clear. :)

First of all i would make it like this:

192.168.x.0/24<->  gateway<--(192.168.z.0/24)-->  m0n0wall-1<--
{Internet} -->  monowall-2<->  192.168.y.0/24

The option with the same subnet before and after the gateway in my
opinion is too complicated.

As Christoph already says you have to check if NAT is enabled on your
"gateway". Probably yes.

As far as I know you have to either:
 - enable another VPN between 192.168.z.0/24 and 192.168.y.0/24
or:
 - change the existing VPN to 192.168.x.0/*23* and 192.168.y.0/24

Attention: In the second version it depends on what numbers you are using
instead of x,y,z.
It would work if you are using the following configuration:

192.168.0.0/24<->  gateway<--(192.168.1.0/24)-->  m0n0wall-1<--
{Internet} -->  monowall-2<->  192.168.2.0/24

The VPN connection looks like this 192.168.0.0/23(192.168.0.0 -
192.168.1.255) <--> 192.168.2.0/24

Hope this helps.

Jakob

On 8 May 2010 20:16, Christoph Hanle <christoph dot hanle at leinpfad dot de> wrote:
> On 25.04.2010 18:44 Joe wrote:
>> Hi,
>> I have what I believe is a routing problem.
>>
>> First of all, I have a site to site ipsec vpn up and running as follows:
>>
>> Site 1 Lan subnet: 192.168.x.0/24
>> Site 2 Lan subnet: 192.168.y.0/24
>>
>> 192.168.x.0/24 <-> m0n0wall-1 <-(Internet)-> monowall-2 <-> 192.168.y.0/24
>>
>> It works.
>> The vpn setups are to join the 192.168.x.0 network with the 192.168.y.0
>> network and vice versa.
>>
>> Now, I want to introduce another gateway, so that I can monitor and
>> control traffic.
>> I tried this unsuccessfully as follows:
>>
>> 192.168.x.0/24 <-> [(192.168.z.0/24 = eth0) gateway (192.168.z.0/24 =
>> eth1)] <-> m0n0wall-1 <-(Internet)-> monowall-2 <-> 192.168.y.0/24
>>
>> The internal Lan of monowall-1 was put on the 192.168.z.0 subnet and the
>> monowall-2 ipsec vpn was changed to have the remote subnet be 192.168.z.0.
>>
>> A static route on monowall-1 was added to use the gateway eth1 IP
>> (192.168.z.20) as a gateway to the Site1 Lan subnet traffic
>> (192.168.x.0/24).
>>
>> Once configured, I could log onto a host at site1 and ping through to
>> hosts at Site2.
>> But from site2, I could not ping hosts on the site1 subnet.
>>
>> I could however ping the new gateway eth1 IP address (192.168.z.20) from
>> Site2.
>> I could also log onto the monowall-1 web interface and ping the Lan
>> interface to any host of Site1.
>>
>> Can anybody suggest what is wrong?
>> Thanks!
>>
> It seems your gateway does NAT and not simple routing.
> I think so, because you have changed the VPN subnet, but e.g. a ping from
> x.0 network to y.0 network will not be possible if you don't have a vpn
> for both subnets. Have a look in the log of m0n0wall 2 if you get the
> ping from the gateway ETH1 address (NAT) or from the Client from the x.0
> network. Tracert will be better for debugging
>
> bye
> Christoph
>
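The following script is an added example, not code from the thread or from the m0n0wall project. It models the IPsec phase-2 selectors discussed above and reproduces Jakob's and Christoph's reasoning: with Joe's setup (tunnel between z.0/24 and y.0/24, gateway doing NAT) a ping from site 1 to site 2 works because the far side only ever sees the gateway's eth1 address, while a ping from site 2 to a site 1 host matches no selector and is dropped. It then checks both of Jakob's fixes: a second tunnel for x.0/24, or a single /23 that covers x and z. The concrete values x=0, z=1, y=2, the host addresses .10 and .5, and the simplified NAT model (a NAT gateway has no translation state for an unsolicited packet to a site 1 host) are assumptions made here for illustration; `ipaddress` is the standard library.

```python
"""Model of the site-to-site IPsec selectors from the thread (added example)."""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Policy = Tuple[Net, Net]  # (local selector, remote selector) of one phase-2 SA

# Assumed concrete values for x, z, y from Jakob's message: x=0, z=1, y=2.
SITE1_LAN = Net("192.168.0.0/24")                       # 192.168.x.0/24
GATEWAY_NET = Net("192.168.1.0/24")                     # 192.168.z.0/24
GATEWAY_ETH1 = ipaddress.IPv4Address("192.168.1.20")    # z.20 in Joe's post
SITE2_LAN = Net("192.168.2.0/24")                       # 192.168.y.0/24


def _sender(src, p1: List[Policy], p2: List[Policy]):
    """Pick which firewall originates the packet: the one whose local
    selectors cover src. Returns (sending policies, peer policies)."""
    if any(src in local for local, _ in p1):
        return p1, p2
    if any(src in local for local, _ in p2):
        return p2, p1
    return None, None


def tunnel_ok(src, dst, p1: List[Policy], p2: List[Policy]) -> bool:
    """True if src->dst is covered by a selector on the sending firewall
    AND by the mirrored selector on the receiving peer."""
    sender, peer = _sender(src, p1, p2)
    if sender is None:
        return False
    out = any(src in loc and dst in rem for loc, rem in sender)
    back = any(src in rem and dst in loc for loc, rem in peer)
    return out and back


def ping(src: str, dst: str, p1: List[Policy], p2: List[Policy],
         gateway_nat: bool) -> bool:
    """True if an echo request reaches dst and the reply gets back.
    p1: policies on m0n0wall-1, p2: policies on monowall-2.
    gateway_nat: the extra gateway between site 1 and m0n0wall-1 NATs."""
    src_ip = ipaddress.IPv4Address(src)
    dst_ip = ipaddress.IPv4Address(dst)
    # A NATing gateway rewrites site 1 sources to its eth1 address, so
    # monowall-2 only ever sees z.20 (Christoph's point).
    wire_src = GATEWAY_ETH1 if (gateway_nat and src_ip in SITE1_LAN) else src_ip
    if not tunnel_ok(wire_src, dst_ip, p1, p2):
        return False
    # Simplified NAT model (assumption): an unsolicited packet to a site 1
    # host from the other side has no translation state and is dropped.
    if gateway_nat and dst_ip in SITE1_LAN and src_ip not in SITE1_LAN:
        return False
    # The reply is addressed to whatever source the peer saw.
    return tunnel_ok(dst_ip, wire_src, p1, p2)


def common_supernet(a: Net, b: Net) -> Net:
    """Smallest prefix that contains both networks."""
    n = a
    while not b.subnet_of(n):
        n = n.supernet()
    return n


def supernet_fix(lan_a: Net, lan_b: Net, remote: Net) -> Tuple[Net, bool]:
    """Jakob's second option: merge lan_a and lan_b into one /23 selector.
    Usable only when the two /24s are an aligned adjacent pair and the
    merged prefix does not swallow the remote site."""
    n = common_supernet(lan_a, lan_b)
    return n, n.prefixlen == 23 and not n.overlaps(remote)


# Joe's configuration: tunnel z.0/24 <-> y.0/24, NAT on the gateway.
JOE_P1 = [(GATEWAY_NET, SITE2_LAN)]
JOE_P2 = [(SITE2_LAN, GATEWAY_NET)]
# Fix 1: a second tunnel for x.0/24 <-> y.0/24, gateway routes instead of NAT.
FIX1_P1 = [(GATEWAY_NET, SITE2_LAN), (SITE1_LAN, SITE2_LAN)]
FIX1_P2 = [(SITE2_LAN, GATEWAY_NET), (SITE2_LAN, SITE1_LAN)]
# Fix 2: one tunnel 192.168.0.0/23 <-> y.0/24.
MERGED, _ = supernet_fix(SITE1_LAN, GATEWAY_NET, SITE2_LAN)
FIX2_P1 = [(MERGED, SITE2_LAN)]
FIX2_P2 = [(SITE2_LAN, MERGED)]

if __name__ == "__main__":
    print("Joe, site1->site2:", ping("192.168.0.10", "192.168.2.5", JOE_P1, JOE_P2, True))
    print("Joe, site2->site1:", ping("192.168.2.5", "192.168.0.10", JOE_P1, JOE_P2, True))
    print("Joe, site2->z.20  :", ping("192.168.2.5", "192.168.1.20", JOE_P1, JOE_P2, True))
    print("Fix1, site2->site1:", ping("192.168.2.5", "192.168.0.10", FIX1_P1, FIX1_P2, False))
    print("Fix2, site2->site1:", ping("192.168.2.5", "192.168.0.10", FIX2_P1, FIX2_P2, False))
    print("/23 for x=0,z=5 :", supernet_fix(SITE1_LAN, Net("192.168.5.0/24"), SITE2_LAN))
```

Running it shows the symptom Joe reported (site 1 to site 2 works, site 2 to site 1 fails, site 2 can reach z.20) and that both fixes make the reverse direction pass. The last line shows Jakob's caveat: with non-adjacent numbers (x=0, z=5) the smallest common prefix is a /21 that also contains 192.168.2.0/24, so the /23 trick does not apply.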