I have a route for that, actually. The problem is that there are many subnets on the corporate side and some of them do not match the tunnel 'local' network definition. For instance, say the local network is defined on the corporate side m0n0 as 123.456.789.0/24... the packets are leaving that network and going to another network, passing through a NAT (where I see them go with tcpdump), coming back, getting rewritten with a source of 192.168.20.x and then hitting the corporate side m0n0. The corporate side m0n0 sees that their source is 456.789.123.0/24 and doesn't pass them through the tunnel because they didn't come from 123.456.789.0/24. This is what I think is happening anyway.

If I was able to set the tunnel to accept packets from any source address, it would work. I can see the firewall dropping those packets in the log, so I know they are getting at least that far.

Thanks for replying!

Demian

-----Original Message-----
From: Fred Wright [mailto:fw at well dot com]
Sent: Friday, May 28, 2004 3:45 PM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Since the list seems to be pretty active right now... Please help, with VPN/routing/tunnel definitions...

On Fri, 28 May 2004, Ginther, Demian M wrote:

> We are trying to set up an encrypted tunnel which will be the default
> route for any and all traffic passed between our corporate network (many
> subnets) and a subnet in Maui, 192.168.20.0/24. There will be Exchange,
> web, and windows networking traffic going over this link. I have
> successfully set up the tunnel in a test environment, and the clients on
> the Maui side of the tunnel have 192.168.20.x addresses with a default
> gateway that is the main routing switch here in our network
> (xxx.xxx.xxx.1) xxx.xxx.xxx.1 is in the network defined by the tunnel,
> so the packets all flow to the routing switch and then to their
> destination. The problem is that if the packet destination is somewhere
> outside the tunnel definition that goes TO Maui, the m0n0wall drops the
> packets and they never get back through the tunnel. Is there some way
> to define the local subnet in the tunnel definition as 0.0.0.0/0? I
> want all traffic destined for 192.168.20.0/24 to be sent through, no
> matter the source address of the packet.

The source address shouldn't matter in any case, but it sounds like what you're missing is a routing entry on the "corporate" side making the tunnel the route for 192.168.20.0/24. This doesn't get set up automatically, but you should be able to configure it under "Static routes".

Fred Wright

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
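The two failure modes discussed in this thread (Fred's missing static route, and Demian's source subnet not matching the tunnel's 'local' selector) can be reproduced with a small model. The following is an added example written for this archive page; it is not m0n0wall or racoon code and only imitates the two checks the thread describes: a longest-prefix route lookup, then an IPsec phase-2 selector match on (source, destination). All addresses are constructed (RFC 5737 documentation ranges stand in for the thread's 123.456.789.0/24 style placeholders; 192.168.20.0/24 is the Maui subnet from the thread), and the next-hop label "ipsec-tunnel" is an assumption of this model.

```python
from ipaddress import ip_address, ip_network

# Constructed sample subnets (not the thread's real addresses).
CORP_MAIN = "192.0.2.0/24"      # the corporate subnet named in the tunnel definition
CORP_OTHER = "198.51.100.0/24"  # another corporate subnet, absent from the definition
MAUI = "192.168.20.0/24"        # remote subnet from the thread


def build_spd(entries):
    """Model of the phase-2 selectors: a list of (local_subnet, remote_subnet)."""
    return [(ip_network(local), ip_network(remote)) for local, remote in entries]


def spd_match(spd, src, dst):
    """Index of the first selector whose local net contains src AND whose
    remote net contains dst; None means the packet is not tunnel traffic."""
    s, d = ip_address(src), ip_address(dst)
    for i, (local, remote) in enumerate(spd):
        if s in local and d in remote:
            return i
    return None


def lookup_route(routes, dst):
    """Longest-prefix match over [(prefix, next_hop)]; None if nothing matches."""
    d = ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def classify(spd, routes, src, dst):
    """Why a corporate-side packet for Maui does or does not enter the tunnel.
    Routing is checked first (Fred's point), then the selector (Demian's point)."""
    if lookup_route(routes, dst) != "ipsec-tunnel":
        return "not-routed-to-tunnel"
    if spd_match(spd, src, dst) is None:
        return "selector-mismatch"
    return "tunnel"


# Scenario A: no static route for the Maui subnet at all.
ROUTES_NO_TUNNEL = [("0.0.0.0/0", "upstream")]
# Scenario B: static route sends 192.168.20.0/24 into the tunnel.
ROUTES_WITH_TUNNEL = [("192.168.20.0/24", "ipsec-tunnel"), ("0.0.0.0/0", "upstream")]

SPD_NARROW = build_spd([(CORP_MAIN, MAUI)])                       # one corporate subnet
SPD_WIDE = build_spd([(CORP_MAIN, MAUI), (CORP_OTHER, MAUI)])     # one selector per subnet
SPD_ANY = build_spd([("0.0.0.0/0", MAUI)])                        # the 0.0.0.0/0 idea from the thread


def run_scenarios():
    """Return a dict of scenario name -> outcome for two corporate sources."""
    main_host, other_host, maui_host = "192.0.2.10", "198.51.100.7", "192.168.20.5"
    return {
        "no-route/main": classify(SPD_NARROW, ROUTES_NO_TUNNEL, main_host, maui_host),
        "narrow/main": classify(SPD_NARROW, ROUTES_WITH_TUNNEL, main_host, maui_host),
        "narrow/other": classify(SPD_NARROW, ROUTES_WITH_TUNNEL, other_host, maui_host),
        "wide/other": classify(SPD_WIDE, ROUTES_WITH_TUNNEL, other_host, maui_host),
        "any/other": classify(SPD_ANY, ROUTES_WITH_TUNNEL, other_host, maui_host),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:15s} -> {outcome}")
```

The model shows that a static route alone is not enough once traffic originates from a second corporate subnet: the selector has to cover that subnet too, either with one phase-2 entry per corporate subnet (SPD_WIDE) or with a wide local selector as Demian asks about (SPD_ANY). The same check runs in reverse on the Maui side, so replies destined for the extra corporate subnet need a matching remote selector there as well.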