Topic: Headache over IPsec tunnels and subnetting  (Read 1615 times)
« on: January 15, 2009, 23:20:30 »
ouberlord *
Posts: 9

Hello,

I have two locations, each running monowall on Soekris net4801 devices.  The first device is connected to two networks, 10.100.100.0 /24 on eth0 (LAN) and 10.100.102.0 /24 on eth2 (OPT1).  The other location just has a LAN network, 192.168.20.1 /24 on eth0.

I have gotten an IPSec tunnel to work between the 10.100.100.0 and 192.168.20.0 networks using the following config:

Site One:
LAN
192.168.20.0/24
WAN
(Address of Site Two)

Site Two:
LAN
10.100.100.0/24
WAN
(Address of Site One)

However, I need to make it so Site Two can reach the 10.100.102.0 subnet.  I also need to make it so that at Site One traffic can pass freely between the 10.100.100.0 and 10.100.102.0 subnets.  The monowall itself can ping any host on either subnet from the appropriate interface (eth0 or eth2), it just doesn't route between them.

Thoughts?
« Reply #1 on: January 16, 2009, 02:39:56 »
ChainSaw
Guest

To enable routing between your 10.100.100.0 LAN and your 10.100.102.0 OPT1 interface you need to add an OPT1 rule that looks like the default LAN interface rule. Also, to allow your 192.168.20.0 network to access both your 10.100.100.0 LAN and your 10.100.102.0 OPT1 interface you need to change your Site Two IPSEC config to:

Site Two:
LAN
10.100.100.0/22
WAN

CS...
« Reply #2 on: January 16, 2009, 20:04:58 »
ouberlord *
Posts: 9

With the changes, neither the local Site One routing nor the 102 subnet access from Site Two is working yet. However, the tunnel still routes 10.100.100.0 subnet traffic just fine. My current config is as follows; any thoughts? The monowall at Site Two can ping addresses on the 10.100.102.0 subnet through the WAN interface, but it seems like it can even ping addresses that aren't actually in use. No computers actually behind the monowall at Site Two on the 192.168.20.0 subnet can ping any of these addresses, valid or not. The LAN port on the monowall at Site One can ping any LAN subnet addresses, and the OPT1 port can ping any OPT1 subnet addresses.

---Site One:---
Interface(s):
eth0 (LAN): 10.100.100.6 /24
eth1 (WAN): (WAN Address of Site One)
eth2 (OPT1): 10.100.102.2 /24

IPSec Tunnel:
10.100.100.0/22 (I had to change this from "LAN" to "10.100.100.0/22", as otherwise the tunnel did not come up)
192.168.20.0/24
WAN
(WAN Address of Site Two)

Firewall Rule(s):
[Tab, Protocol, Source, Port, Destination, Port, Description]
(LAN) *  LAN net  *  *  *  Default LAN -> any
(OPT1) *  OPT1 net  *  *  *  Default OPT1 -> any


---Site Two:---
Interface(s):
eth0 (LAN): 192.168.20.1 /24
eth1 (WAN): (WAN Address of Site Two)

IPSec Tunnel:
LAN
10.100.100.0/22
WAN
(WAN Address of Site One)

Firewall Rule(s):
[Tab, Protocol, Source, Port, Destination, Port, Description]
(LAN) *  LAN net  *  *  *  Default LAN -> any
« Last Edit: January 16, 2009, 20:09:21 by ouberlord »
« Reply #3 on: January 16, 2009, 20:52:29 »
ChainSaw
Guest

Yes, I forgot to add that Site 1's tunnel needed to be changed from Local subnet = LAN to Local subnet = Network 10.100.100.0/22.

BTW, check your PM messages

CS...
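The thread settles on two points: a single phase 2 "Local subnet" that covers both Site One networks (10.100.100.0/22), and that value being set identically at both ends, since the tunnel would not come up while Site One still had "LAN" (a /24) and Site Two had the /22. The script below is an added example, not something the posters wrote or a m0n0wall feature; it uses Python's standard `ipaddress` module to compute the covering prefix from the interface addresses given in Reply #2, list the address space the /22 sweeps in beyond the two real networks (10.100.101.0/24 and 10.100.103.0/24, which is something to keep in mind when writing rules on the far side), and check that the two sites' phase 2 selectors mirror each other. The interface addresses are the ones from the thread; the function names are my own.

```python
"""Check a two-site IPsec plan: the supernet needed to cover several local
networks, what extra space that supernet drags into the tunnel, and whether
the phase 2 selectors at both ends mirror each other.

Added example for this thread; not the posters' code or a m0n0wall tool.
"""
import ipaddress

# Constructed from Reply #2: Site One has two local networks, Site Two has one.
SITE_ONE_LOCAL = ["10.100.100.6/24", "10.100.102.2/24"]   # eth0 (LAN), eth2 (OPT1)
SITE_TWO_LOCAL = ["192.168.20.1/24"]                      # eth0 (LAN)


def net(s):
    """Accept a network ("10.100.100.0/24") or an interface address
    ("10.100.100.6/24") and return the network that contains it."""
    return ipaddress.ip_network(s, strict=False)


def covering_prefix(nets):
    """Smallest single prefix that contains every network in `nets`.

    A phase 2 'Local subnet' field holds one prefix, so a firewall with more
    than one network behind it has to advertise a supernet like this."""
    nets = [net(n) for n in nets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()   # widen by one bit until everything fits
    return cover


def swept_in(cover, nets):
    """Address space inside `cover` that is NOT one of the real local networks.

    Packets for these ranges are also matched by the tunnel policy, so the
    far side's rules and routing should expect them."""
    remaining = [net(cover)]
    for n in map(net, nets):
        nxt = []
        for r in remaining:
            if n.subnet_of(r):
                nxt.extend(r.address_exclude(n))   # carve the real network out
            elif not r.subnet_of(n):
                nxt.append(r)                      # untouched by this network
            # else: r lies entirely inside n, so it is real space; drop it
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def phase2_mirrored(site_a, site_b):
    """Phase 2 selectors must be exact mirrors: A's local == B's remote and
    A's remote == B's local. Each argument is (local, remote)."""
    a_local, a_remote = map(net, site_a)
    b_local, b_remote = map(net, site_b)
    return a_local == b_remote and a_remote == b_local


def locals_not_covered(selector, nets):
    """Local networks that fall outside the phase 2 local selector; traffic
    from these never enters the tunnel."""
    sel = net(selector)
    return [str(n) for n in map(net, nets) if not n.subnet_of(sel)]


if __name__ == "__main__":
    cover = covering_prefix(SITE_ONE_LOCAL)          # 10.100.100.0/22
    remote = covering_prefix(SITE_TWO_LOCAL)         # 192.168.20.0/24
    print("Site One local selector:", cover)
    print("Also swept in by the supernet:",
          [str(n) for n in swept_in(cover, SITE_ONE_LOCAL)])

    # Reply #2 state: Site One still 'LAN' (/24), Site Two already on the /22.
    before = (("10.100.100.0/24", str(remote)), (str(remote), str(cover)))
    # Reply #3 fix: Site One's local selector changed to the /22 as well.
    after = ((str(cover), str(remote)), (str(remote), str(cover)))
    print("Selectors mirrored before the fix:", phase2_mirrored(*before))
    print("Selectors mirrored after the fix: ", phase2_mirrored(*after))
    print("Local nets outside the old /24 selector:",
          locals_not_covered("10.100.100.0/24", SITE_ONE_LOCAL))
```

Run it as-is to see the values for this thread, or replace the two constant lists with your own interface addresses. The mirror check is the one to run first when a tunnel refuses to come up after a subnet change: a /24 on one end and a /22 on the other is exactly the mismatch described in Reply #2.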