[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Unable to pass traffic over ipsec tunnel originating from local host
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Unable to pass traffic over ipsec tunnel originating from local host
- From: "Greg Thomas" <getbsd_(_at_)_dslextreme_(_dot_)_com>
- Date: Fri, 22 Oct 2004 16:10:39 -0700 (PDT)
> I have the following fairly basic configuration:
> OpenBSD 3.5 host connecting to SBC via a PPPoE based DSL connection.
This host acts as the gateway for a small network and has an ipsec VPN
to a remote location. The VPN works fine in the sense that all hosts on
the LAN are able to communicate to the remote site. The one thing that
does not work however, is that traffic originating from the OpenBSD host
itself destined for hosts on the other side of the VPN (10.0.0.0/8)
seems to be routed out the WAN interface (tun0). This isn't entirely
unexpected, but I'm wondering how this can be worked around? At this
point, since the traffic originates from the tun0 interface, which has
an SBC assigned public address, it doesn't match the local network
definition in isakmpd and thus, isn't passed over the VPN.
> The basic problem I'm trying to solve is that I need to be able to test
connectivity from this host over the VPN to insure that it's functional
and if not - kick in some countermeasures. Without the ability to
send/receive traffic directly from this host, short of setting up a 2nd
host on the lan to do the monitoring (which isn't really an option), I
don't have a way of doing this.
> I'm glad to post the related config info if someone cares to see - but
I'd rather not spam the list with all that just yet incase someone has
already worked with this issue and knows it either works or does not.
That would help but if I I'm understanding you correctly you just need to
setup another tunnel from the host to the network. I.e., you have net a
to net b now and vice versa, you need to add host a to net b, and then if
you like host a to host b, and vice versa.