[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Unable to pass traffic over ipsec tunnel originating from local host
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: Unable to pass traffic over ipsec tunnel originating from local host
- From: Aaron Nichols <adnichols_(_at_)_gmail_(_dot_)_com>
- Date: Mon, 25 Oct 2004 17:49:35 -0700
- Reply-to: Aaron Nichols <adnichols_(_at_)_gmail_(_dot_)_com>
I got an off-list response that indeed did resolve my problem.
Apparently if you add a route pointing traffic to the remote network
via the LAN interface of the BSD host, it works. Thus, in my scenario
where the remote network is 10.0.0.0/8 and the local LAN is
10.11.1.1/24 I added the following route:
route add 10.0.0.0/8 10.11.1.1
I'm now able to originate traffic from the local BSD box across the
VPN. I guess this is because of processing order?
Thanks for everyone's help.
On Fri, 22 Oct 2004 16:10:39 -0700 (PDT), Greg Thomas
> Aaron Nichols
> > All,
> > I have the following fairly basic configuration:
> > OpenBSD 3.5 host connecting to SBC via a PPPoE based DSL connection.
> This host acts as the gateway for a small network and has an ipsec VPN
> to a remote location. The VPN works fine in the sense that all hosts on
> the LAN are able to communicate to the remote site. The one thing that
> does not work however, is that traffic originating from the OpenBSD host
> itself destined for hosts on the other side of the VPN (10.0.0.0/8)
> seems to be routed out the WAN interface (tun0). This isn't entirely
> unexpected, but I'm wondering how this can be worked around? At this
> point, since the traffic originates from the tun0 interface, which has
> an SBC assigned public address, it doesn't match the local network
> definition in isakmpd and thus, isn't passed over the VPN.
> > The basic problem I'm trying to solve is that I need to be able to test
> connectivity from this host over the VPN to insure that it's functional
> and if not - kick in some countermeasures. Without the ability to
> send/receive traffic directly from this host, short of setting up a 2nd
> host on the lan to do the monitoring (which isn't really an option), I
> don't have a way of doing this.
> > I'm glad to post the related config info if someone cares to see - but
> I'd rather not spam the list with all that just yet incase someone has
> already worked with this issue and knows it either works or does not.
> That would help but if I I'm understanding you correctly you just need to
> setup another tunnel from the host to the network. I.e., you have net a
> to net b now and vice versa, you need to add host a to net b, and then if
> you like host a to host b, and vice versa.