 
 From:  "szebi5" <szebi5 at freemail dot hu>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPSec VPN Routing problem
 Date:  Fri, 20 Aug 2004 10:27:57 +0200
> -----Original Message-----
> From: Fred Wright [mailto:fw at well dot com] 
> Sent: Friday, August 20, 2004 1:37 AM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: Re: [m0n0wall] IPSec VPN Routing problem
> 
> 
> On Fri, 20 Aug 2004, szebi5 wrote:
> 
> > I have a problem with ipsec. I have set up a net-net vpn described
> > below between my office (using linux+frees/wan) and home (using m0n0).
> >
> >
> > 	home--------------------------------------office
> > 	lan ip: 10.0.0.0/24			lan ip: 192.168.0.0/24
> > 	m0n0 lan ip: 10.0.0.9			linux ip: 192.168.0.3
> >
> >
> > The VPN works fine between any 2 hosts on the network, but not between
> > m0n0 and the office network. The same problem arises with linux too.
> > The cause was that when I tried to send a packet from the router, the
> > source ip was the WAN ip, and it got routed via the ISP's router, not
> > the tunnel. It was resolved by inserting the following command in an
> > updown script for frees/wan:
> >
> >
> > 	ip route replace %m0n0_WAN_IP% via %linux_gateway% dev ipsec0 src 192.168.0.3
> >
> > So I can ping anything on my home net, including m0n0, and I'd need to
> > do the same from m0n0 too, especially so I could set up a DNS
> > forwarder for the office DNS server. Since I installed m0n0 today, and
> > this is the first BSD system I use, I don't know how I can replace the
> > linux "ip route" commands under BSD.
> 
> Assuming the line with the two "lan ip"s is your tunnel
> configuration, then on the m0n0wall System:Static routes
> page, add an entry that looks like:
> 
> 	Interface	Network		Gateway		Description
> 	---------	-------		-------		-----------
> 	LAN		192.168.0.0/24	10.0.0.9	Kludge for IPsec
> 
> This is essentially a bogus routing entry that makes it think
> it's going to send the packet on the LAN long enough to pick
> up the LAN IP as the source.
> 
> You can test it with Diagnostics:Ping.
> 
> 					Fred Wright
> 
> 


Thank You, this solved the problem!

	Zsolt Szeberenyi
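The mechanism behind Fred's "bogus" static route, as an added illustration that is not part of the original thread: a router chooses the source address of its own packets from the interface the route points out of, and only a source inside the home LAN matches the tunnel's policy. The WAN and ISP gateway addresses below are constructed placeholders (the posts do not give them); the route and policy entries are the ones from the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the home m0n0wall box from the thread.
LAN_IP = ip_address("10.0.0.9")
WAN_IP = ip_address("203.0.113.10")   # placeholder, not from the posts
ISP_GW = ip_address("203.0.113.1")    # placeholder, not from the posts

# Routing table entries: (destination prefix, egress interface, address on that interface).
BASE_ROUTES = [
    (ip_network("10.0.0.0/24"), "LAN", LAN_IP),
    (ip_network("0.0.0.0/0"), "WAN", WAN_IP),     # default route via the ISP
]
# The "Kludge for IPsec" entry: office subnet via the LAN address itself.
KLUDGE_ROUTE = (ip_network("192.168.0.0/24"), "LAN", LAN_IP)

# IPsec policy from the net-to-net tunnel: home LAN <-> office LAN.
TUNNEL_LOCAL = ip_network("10.0.0.0/24")
TUNNEL_REMOTE = ip_network("192.168.0.0/24")

def select_route(routes, dst):
    """Longest-prefix match, as a routing table lookup does."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen)

def matches_tunnel(src, dst):
    """Does the (src, dst) pair fall inside the tunnel's traffic selectors?"""
    return src in TUNNEL_LOCAL and dst in TUNNEL_REMOTE

def forwarded_packet(src, dst):
    """A LAN host's packet transiting the router keeps its own source address."""
    return matches_tunnel(ip_address(src), ip_address(dst))

def router_originated(dst, kludge=False):
    """A packet the router itself sends (e.g. Diagnostics:Ping, DNS forwarder).

    Returns (source address chosen, whether it will enter the tunnel).
    """
    routes = BASE_ROUTES + ([KLUDGE_ROUTE] if kludge else [])
    dst = ip_address(dst)
    src = select_route(routes, dst)[2]      # source = address of egress interface
    return str(src), matches_tunnel(src, dst)

if __name__ == "__main__":
    print("host 10.0.0.5 -> 192.168.0.3:", forwarded_packet("10.0.0.5", "192.168.0.3"))
    print("router, no kludge:", router_originated("192.168.0.3"))
    print("router, with kludge:", router_originated("192.168.0.3", kludge=True))
```

Without the extra route the default route wins, the WAN address becomes the source, and the packet falls outside the tunnel's selectors; with it, the LAN address is picked and the packet qualifies for the tunnel.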