* [LARTC] IPSec tunnel and routing
@ 2005-12-05 1:27 Alexander Kotelnikov
From: Alexander Kotelnikov @ 2005-12-05 1:27 UTC
To: lartc
Hello.
I wonder how just a correct couple of spdadd commands like
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/10.1.0.1-10.2.0.1/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/10.2.0.1-10.1.0.1/require;
makes _routing_ of packets from 192.168.1/24 into 192.168.2/24.
If I understand correctly how it works on *BSD, these commands
make already tunneled traffic encrypted; routing is done before and
besides the ipsec SA and SP databases. Routing happens just like a
miracle.
Ok, I would not ask all this if I had no problem with
tunnelling. With a configuration like described above, where multihomed
machines have IP addresses (192.168.1.1, 10.1.0.1) and (192.168.2.1,
10.2.0.1), tunneling works for all machines but these two
routers. This happens because if we send a packet from 10.1.0.1 into
192.168.2/24 this packet does not come to ipsec, but is pushed to the
default gateway, if it exists. In other words, locally generated packets
do not go through prerouting or something.
--
Alexander Kotelnikov
Saint-Petersburg, Russia
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
* Re: [LARTC] IPSec tunnel and routing
From: Andreas Unterkircher @ 2005-12-05 5:08 UTC
To: lartc
Alexander Kotelnikov wrote:
> Ok, I would not ask all this if I had no problem with
> tunnelling. With a configuration like described above, where multihomed
> machines have IP addresses (192.168.1.1, 10.1.0.1) and (192.168.2.1,
> 10.2.0.1), tunneling works for all machines but these two
> routers. This happens because if we send a packet from 10.1.0.1 into
> 192.168.2/24 this packet does not come to ipsec, but is pushed to the
> default gateway, if it exists. In other words, locally generated packets
> do not go through prerouting or something.
>
You have to add a route on 10.1.0.1 to make sure packets which belong to
192.168.2.0/24 have a src address of 192.168.1.1. Then the packet should go
through the ipsec tunnel. A similar route in the other direction has to be
used on 10.2.0.1.
Cheers,
Andreas
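The following script is an added example and is not part of either message above. It models the outbound SPD selector from Alexander's spdadd lines, shows why a packet that router A generates itself from 10.1.0.1 misses that selector and so would leave for the default gateway unencrypted, and prints the Linux form of the route Andreas describes (pinning the source address to 192.168.1.1). The addresses and selectors are the thread's; the next hop 10.1.0.254 and the `ip route ... src` form of the fix are assumptions, since the thread gives no concrete command.

```shell
#!/bin/sh
# Added example, not from the thread: model the outbound SPD selector on
# router A and classify packets as "tunnel" (matches the selector, ESP is
# applied) or "cleartext" (misses it, follows the plain routing table).
# The next hop 10.1.0.254 and the `ip route ... src` fix are assumptions.

# Outbound SPD selector on router A (from the spdadd line in the thread).
OUT_SRC_SEL=192.168.1.0/24
OUT_DST_SEL=192.168.2.0/24

# Dotted quad -> 32-bit integer (pure POSIX sh, no external tools).
ip2int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Netmask for a prefix length, as an integer with the top N bits set.
cidr_mask() {
  mask=0
  i=0
  while [ "$i" -lt 32 ]; do
    if [ "$i" -lt "$1" ]; then
      mask=$(( mask * 2 + 1 ))
    else
      mask=$(( mask * 2 ))
    fi
    i=$(( i + 1 ))
  done
  echo "$mask"
}

# in_cidr ADDR NET/BITS: true when ADDR lies inside NET/BITS.
in_cidr() {
  net=${2%/*}
  bits=${2#*/}
  mask=$(cidr_mask "$bits")
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# classify SRC DST: "tunnel" if the packet matches the outbound SPD entry,
# "cleartext" if it misses and is handed to the ordinary routing table,
# which is exactly the leak the first message describes for 10.1.0.1.
classify() {
  if in_cidr "$1" "$OUT_SRC_SEL" && in_cidr "$2" "$OUT_DST_SEL"; then
    echo tunnel
  else
    echo cleartext
  fi
}

# route_fix REMOTE_NET LOCAL_LAN_ADDR NEXT_HOP: prints (does not run) the
# Linux route that pins the source address so router-originated packets
# match the selector. NEXT_HOP is assumed; use router A's real gateway.
route_fix() {
  printf 'ip route replace %s via %s src %s\n' "$1" "$3" "$2"
}

# Walk-through on router A (192.168.1.1 / 10.1.0.1).
echo "router-originated, src 10.1.0.1    -> $(classify 10.1.0.1 192.168.2.5)"
echo "router-originated, src 192.168.1.1 -> $(classify 192.168.1.1 192.168.2.5)"
echo "LAN host, src 192.168.1.20         -> $(classify 192.168.1.20 192.168.2.5)"
echo "fix to apply on router A:"
route_fix 192.168.2.0/24 192.168.1.1 10.1.0.254
```

After applying the route on router A, `ip route get 192.168.2.5` should report `src 192.168.1.1`, so the router's own packets now match the selector; the mirror-image route is needed on router B for 192.168.1.0/24 with `src 192.168.2.1`. A quick check that nothing still leaks is to watch the outer interface with tcpdump while pinging 192.168.2.1 from router A: only ESP should appear for that destination, never plain ICMP.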