[ previous ] [ next ] [ threads ]
 
 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSec VPN Routing problem
 Date:  Thu, 19 Aug 2004 16:36:59 -0700 (PDT)
On Fri, 20 Aug 2004, szebi5 wrote:

> I have a problem with ipsec. I have set up a net-net vpn described below
> between my office (using linux+frees/wan) and home (using m0n0).
> 
> 
> 	home--------------------------------------office
> 	lan ip: 10.0.0.0/24				lan ip: 192.168.0.0/24
> 	m0n0 lan ip: 10.0.0.9				linux ip: 192.168.0.3
> 
> 
> The VPN works fine between any 2 host on the network, but not between m0n0
> and the office network. The same problem arise with linux too. The cause was
> that when I tried to send a packet from the router, the source ip was the
> WAN ip, and it got routed via the ISP's router, not the tunnel. It was
> resolved by inserting the following command in an updown script for
> frees/wan:
> 
> 	
> 	ip route replace %m0n0_WAN_IP% via %linux_gateway% dev ipsec0 src
> 192.168.0.3
> 
> So I can ping anything on my home net, including m0n0, and I'd need to do
> the same from m0n0 too, especially so I could set up a DNS forwarder for the
> office DNS server. Since I installed m0n0 today, and this is the first BSD
> system I use, I don't know how I can replace the linux "ip route" commands
> under BSD.

Assuming the line with the two "lan ip"s is your tunnel configuration,
then on the mon0wall System:Static routes page, add an entry that looks
like:

	Interface	Network		Gateway		Description
	---------	-------		-------		-----------
	LAN		192.168.0.0/24	10.0.0.9	Kludge for IPsec

This is essentially a bogus routing entry that makes it think it's going
to send the packet on the LAN long enough to pick up the LAN IP as the
source.

You can test it with Diagnostics:Ping.

					Fred Wright