 From:  Pauline Middelink <middelink at polyware dot nl>
 To:  Fred Wright <fw at well dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Routing Problems - IPSEC & m0n0wall
 Date:  Mon, 28 Jun 2004 20:48:23 +0200
On Sun, 27 Jun 2004 around 18:06:15 -0700, Fred Wright wrote:
> On Fri, 25 Jun 2004, Justin Ellison wrote:
> > The problem is that you're pinging from the WAN side, but your tunnel
> > exists from your LAN IPs.  You need to change the source address from
> > which you are pinging to the LAN side.  Go to exec.php, and paste
> > the following command in m0n0wall-1:
> > 
> > /sbin/ping -c 10 -S
> The default source address is the IP address of the interface on which the
> packet will be sent.  When pinging through a tunnel, that would be the IP
> address of the *tunnel's* virtual interface.

Sorry, although the above is true, an IPSEC tunnel is NOT an interface,
just a policy. Since ping (for that matter any application or protocol)
does not know about the policy, it will select the wrong IP address
(i.e. the outer address of the ipsec tunnel) and not the inner.

If we are talking GRE or other tunnels with a 'real' interface it
would be an entirely different matter and your statement would be correct.

> > This should work as expected.  If not, your tunnels aren't configured
> > quite properly.
> I'd guess the latter.


    Kind regards,
        Pauline Middelink
GPG Key fingerprint = 2D5B 87A7 DDA6 0378 5DEA  BD3B 9A50 B416 E2D0 C3C2
For more details look at my website http://www.polyware.nl/~middelink
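
The behaviour described in this message, as an added illustration that is not part of the original thread: a toy model of routing-based source selection followed by an IPsec policy (SPD) lookup, showing why a locally generated ping leaves outside the tunnel unless its source is forced to the LAN address. All addresses, subnets and names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    """One SPD entry: traffic from `local` to `remote` must go through the tunnel."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_addr: ipaddress.IPv4Address  # address of the egress interface

# Constructed example addresses (assumptions, not taken from the thread).
WAN_ADDR = ipaddress.ip_address("203.0.113.10")
LAN_ADDR = ipaddress.ip_address("192.168.1.1")
ROUTES = [
    Route(ipaddress.ip_network("192.168.1.0/24"), LAN_ADDR),
    Route(ipaddress.ip_network("0.0.0.0/0"), WAN_ADDR),
]
# The IPsec tunnel is only a policy; it adds no interface and no route.
SPD = [Policy(ipaddress.ip_network("192.168.1.0/24"),
              ipaddress.ip_network("192.168.2.0/24"))]

def default_source(dst):
    """Longest-prefix route lookup; the source is the egress interface address."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES if dst in r.prefix),
               key=lambda r: r.prefix.prefixlen)
    return best.out_addr

def disposition(dst, src=None):
    """Return (source used, 'tunnel' or 'bypass') for a locally generated packet."""
    dst = ipaddress.ip_address(dst)
    src = ipaddress.ip_address(src) if src else default_source(dst)
    for p in SPD:
        if src in p.local and dst in p.remote:
            return str(src), "tunnel"
    return str(src), "bypass"

if __name__ == "__main__":
    print(disposition("192.168.2.1"))                 # default source
    print(disposition("192.168.2.1", "192.168.1.1"))  # like ping -S <LAN address>
```

A "bypass" result here means the packet matches no policy and is sent unencrypted out the WAN interface, which is why the tunnel appears not to work.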