
Re: Unable to pass traffic over ipsec tunnel originating from local host

    I got an off-list response that indeed did resolve my problem.
Apparently if you add a route pointing traffic to the remote network
via the LAN interface of the BSD host, it works. Thus, in my scenario
where the remote network is and the local LAN is I added the following route:

route add

I'm now able to originate traffic from the local BSD box across the
VPN. I guess this is because of processing order?

Thanks for everyone's help. 


On Fri, 22 Oct 2004 16:10:39 -0700 (PDT), Greg Thomas
<getbsd_(_at_)_dslextreme_(_dot_)_com> wrote:
> Aaron Nichols
> > All,
> >     I have the following fairly basic configuration:
> >
> > OpenBSD 3.5 host connecting to SBC via a PPPoE based DSL connection.
> > This host acts as the gateway for a small network and has an ipsec VPN
> > to a remote location. The VPN works fine in the sense that all hosts on
> > the LAN are able to communicate to the remote site. The one thing that
> > does not work however, is that traffic originating from the OpenBSD host
> > itself destined for hosts on the other side of the VPN (
> > seems to be routed out the WAN interface (tun0). This isn't entirely
> > unexpected, but I'm wondering how this can be worked around? At this
> > point, since the traffic originates from the tun0 interface, which has
> > an SBC assigned public address, it doesn't match the local network
> > definition in isakmpd and thus, isn't passed over the VPN.
> >
> > The basic problem I'm trying to solve is that I need to be able to test
> > connectivity from this host over the VPN to ensure that it's functional
> > and if not - kick in some countermeasures. Without the ability to
> > send/receive traffic directly from this host, short of setting up a 2nd
> > host on the lan to do the monitoring (which isn't really an option), I
> > don't have a way of doing this.
> >
> > I'm glad to post the related config info if someone cares to see - but
> > I'd rather not spam the list with all that just yet in case someone has
> > already worked with this issue and knows it either works or does not.
> >
> That would help but if I'm understanding you correctly you just need to
> set up another tunnel from the host to the network.  I.e., you have net a
> to net b now and vice versa, you need to add host a to net b, and then if
> you like host a to host b, and vice versa.
> Greg
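The mechanism behind the fix in the top post (a locally originated packet takes its source address from the interface its route points at, and only a LAN-sourced packet matches the isakmpd flow) can be modelled offline. The following is an added example, not code from the thread or from OpenBSD: it simulates longest-prefix-match routing, source selection and flow matching with constructed addresses (192.168.1.0/24 LAN, 10.20.0.0/16 remote, 203.0.113.7 on tun0, an interface named fxp0), all of which are assumptions. It is a simplified model of the behaviour the poster describes, not of the 3.5 kernel's actual lookup code.

```python
import ipaddress

# Constructed example addresses (assumptions, not values from the thread).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")      # LAN behind the OpenBSD box
REMOTE_NET = ipaddress.ip_network("10.20.0.0/16")     # network on the far side of the VPN
LAN_IF_ADDR = ipaddress.ip_address("192.168.1.1")     # address on the LAN interface (fxp0, assumed name)
WAN_IF_ADDR = ipaddress.ip_address("203.0.113.7")     # provider-assigned public address on tun0

# Routing table entries: (prefix, interface, address used as source on that interface).
# Longest matching prefix wins, as in the kernel's forwarding lookup.
DEFAULT_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "tun0", WAN_IF_ADDR),
    (LAN_NET, "fxp0", LAN_IF_ADDR),
]

# The route the poster added: the remote network reached via the LAN interface,
# so packets to it carry the LAN address as source.
FIXED_ROUTES = DEFAULT_ROUTES + [(REMOTE_NET, "fxp0", LAN_IF_ADDR)]

# The isakmpd flow: local LAN <-> remote network. Only traffic whose source
# falls inside the local side is protected by the SA.
FLOW = (LAN_NET, REMOTE_NET)


def lookup(routes, dst):
    """Longest-prefix-match route lookup; returns (interface, source address)."""
    best = None
    for prefix, iface, src in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface, src)
    if best is None:
        raise LookupError("no route to %s" % dst)
    return best[1], best[2]


def matches_flow(src, dst, flow=FLOW):
    """True when a src/dst pair falls inside the IPsec flow definition."""
    local, remote = flow
    return src in local and dst in remote


def originate(routes, dst):
    """Model a packet originated by the gateway itself: pick the source address
    from the selected route's interface, then check whether that source/dest
    pair would be encrypted or leave in the clear."""
    iface, src = lookup(routes, dst)
    return {"iface": iface, "src": str(src), "encrypted": matches_flow(src, dst)}


def leaking_destinations(routes, net):
    """Defender's check: list hosts in `net` whose locally originated probes
    would NOT match the flow, i.e. would leave the box unprotected."""
    return [str(h) for h in net.hosts() if not originate(routes, h)["encrypted"]]


target = ipaddress.ip_address("10.20.5.9")       # constructed host on the remote side
before = originate(DEFAULT_ROUTES, target)       # tun0 / 203.0.113.7 / encrypted False
after = originate(FIXED_ROUTES, target)          # fxp0 / 192.168.1.1 / encrypted True
small_net = ipaddress.ip_network("10.20.5.8/30")  # constructed slice for the audit

if __name__ == "__main__":
    print("before:", before)
    print("after: ", after)
    print("unprotected before fix:", leaking_destinations(DEFAULT_ROUTES, small_net))
    print("unprotected after fix: ", leaking_destinations(FIXED_ROUTES, small_net))
```

The `leaking_destinations` check is the part worth keeping around: the failure mode here is not just that monitoring probes fail, but that host-originated traffic to the remote network silently leaves tun0 unencrypted when no LAN-sourced route exists, so a quick audit of which destinations fall outside the flow is a useful sanity check after any routing change.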