 From:  sylikc <sylikc at gmail dot com>
 To:  Charles AMPEAU <charles dot ampeau at unilim dot fr>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC and routing question
 Date:  Thu, 16 Sep 2004 11:50:42 -0700
Charles,


> Hi all,
> 
> I have a problem with the network map below :
> http://www.creape.unilim.fr/vpn.jpg
> 
> I am using an IPSEC between LAN and LAN' because I'm using a WiFi outdoor
> link.
> 
> Config xml for left(LAN) m0n0 at : http://www.creape.unilim.fr/config.xml

First of all, in the P1 mode for both VPN endpoints, use mode = Main
(more secure, and is OK if your IP never changes).


> No problem to ping hosts between LAN and LAN'.
> 
> Impossible to ping from LAN' to DMZ or Internet
> How can I define a "default ipsec route" for LAN' client?

Secondly, I'd be more interested to see the config.xml for the m0n0 on
the right.  Although I haven't tested how duplicate routes will be
handled in m0n0, there are probably two ways you can try to make this
routing work out.

I am assuming on the m0n0 on the right you are using VPN and getting
the remote subnet of 192.168.1.0/24.  And, because of that, nothing
routes over the VPN if it doesn't hit that particular defined subnet. 
If so, you can either

1) go to System->Static Routes.  Set interface to LAN, set destination
network to everything (which I think is 0.0.0.0/1 and/or 128.0.0.0/1)
and set your gateway to 192.168.1.253 (note it is NOT 192.168.100.254
because if you set that then everything bypasses the VPN tunnel).

or 

2) go to your VPN settings on the right m0n0.  Set the remote network
to 0.0.0.1 and/or 128.0.0.0/1 to have all of your traffic routed over
VPN automatically.


Again, those are two things to try, and with my knowledge of
networking, should work... but I haven't messed with my static routes
yet so I'm not dead sure.  Go try those out and let me know what you
find out ;)


/sylikc
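As an added illustration of the routing logic in the reply above (not part of the original thread, and not m0n0wall code): a longest-prefix-match lookup over a constructed route table for the right-hand m0n0, showing why the 0.0.0.0/1 and 128.0.0.0/1 pair pointed at the VPN peer overrides the default route, while the local LAN' and the remote LAN keep their more specific entries. The LAN' prefix 192.168.2.0/24 is an assumption; the gateway addresses come from the reply.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed route table for the right-hand m0n0. 192.168.1.253 is the
# VPN-side gateway and 192.168.100.254 the gateway that bypasses the tunnel,
# both named in the reply; the local LAN' prefix 192.168.2.0/24 is an
# assumption (not in the thread).
PEER = "192.168.1.253"
WAN = "192.168.100.254"
Route = Tuple[ipaddress.IPv4Network, str]

BASE: List[Route] = [
    (ipaddress.ip_network("192.168.2.0/24"), "direct"),  # LAN' itself
    (ipaddress.ip_network("192.168.1.0/24"), PEER),      # remote LAN via VPN
    (ipaddress.ip_network("0.0.0.0/0"), WAN),            # default, off-tunnel
]

# Option 1 from the reply: two /1 routes via the VPN peer. Together they
# cover every IPv4 address but are more specific than the /0 default.
HALF_ROUTES: List[Route] = [
    (ipaddress.ip_network("0.0.0.0/1"), PEER),
    (ipaddress.ip_network("128.0.0.0/1"), PEER),
]


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, gw) for net, gw in table if addr in net]
    return max(matches)[1] if matches else None


def halves_cover_all_ipv4() -> bool:
    """0.0.0.0/1 and 128.0.0.0/1 collapse to exactly 0.0.0.0/0."""
    merged = list(ipaddress.collapse_addresses(net for net, _ in HALF_ROUTES))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]


def compare(dst: str) -> Dict[str, Optional[str]]:
    """Where a LAN' client's packet to dst goes with and without the /1 pair."""
    return {"default_only": next_hop(BASE, dst),
            "with_half_routes": next_hop(BASE + HALF_ROUTES, dst)}


if __name__ == "__main__":
    for dst in ("8.8.8.8", "200.1.1.1", "192.168.1.20", "192.168.2.10"):
        print(dst, compare(dst))
    print("halves cover IPv4:", halves_cover_all_ipv4())
```

Internet-bound traffic (8.8.8.8) leaves via 192.168.100.254 with only the default route but via the VPN peer once the /1 pair is present, while LAN'-local and remote-LAN destinations are unaffected.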