Re: Difficult routing problem

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Thomas Schoeller

Date: Saturday, October 6, 2007 - 9:17 am

On Sat, Oct 06, 2007 at 10:37:12AM -0400, Dave Anderson wrote:
quoted text> On Sat, 6 Oct 2007, Layne Evans wrote:
> 
> >Hello all,
> >
> >
> >vendor -->vendor router<-- Internal LAN Location A -->OBSD GW A<-- Internet
> >       VPN Between
> >Internet -->OBSD GW B<-- Internal LAN Location B
> >
> >Some info: (these are representative IPs)
> >Vendor's IP block that need to go over their T1: 207.12.0.0/18
> >Internal LAN A: 10.74.10.0/24
> >Vendor router Internal LAN IP: 10.74.10.245
> >OpenBSD A Internal IP: 10.74.10.254
> >OpenBSD A External IP: a.b.c.d
> >OpenBSD B Internal IP: 10.76.10.254
> >OpenBSD B External IP: w.x.y.z
> >
> >Any pointers will sure be appreciated.
> 
> Maybe I'm missing something, but (given that everything else is working
> and assuming that the systems on LAN B have a default route directed to
> GW B) wouldn't a static route on GW B for 207.12.0.0/18 pointing to
> 10.74.10.245 do the job?
> 

this will not work. ipsec will not encap packets that not belong to a
flow.

you need a second ipsec flow like on GW B:
ike esp from LAN_B/24 to vendor/18 peer OPENBSD_A_External
and on GW A:
ike esp from VENDOR/18 to LAN_B/24 peer OPENBSD_B_External
and then a route on GW A to the vendor network.

i think this will do the trick.
thomas

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Difficult routing problem, Layne Evans, (Sat Oct 6, 1:04 am)

Re: Difficult routing problem, Dave Anderson, (Sat Oct 6, 7:37 am)

Re: Difficult routing problem, Thomas Schoeller, (Sat Oct 6, 9:17 am)

Re: Difficult routing problem, Layne Evans, (Mon Oct 8, 12:24 am)


linux-kernel:
Michael Trimarchi	Re: [PATCH] VFS: make file->f_pos access atomic on 32bit arch
Miklos Szeredi	[patch 14/15] vfs: more path_permission() conversions
Serge E. Hallyn	Re: [RFC v5][PATCH 7/8] Infrastructure for shared objects
Bernd Schmidt	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Takashi Iwai	[PATCH 2/2] input: Add LED support to Synaptics device
git:
Junio C Hamano	Re: mingw, windows, crlf/lf, and git
Eyvind Bernhardsen	Re: Where has "git ls-remote" reference pattern matching gone?
Shawn O. Pearce	Re: Switching from CVS to GIT
Todd Zullinger	Re: [PATCH 2/2] send-email: rfc2047-quote subject lines with non-ascii characters
Santi Béjar	Re: How to use git-fmt-merge-msg?
linux-netdev:
Ramkrishna Vepa	[net-2.6 PATCH 1/10] Neterion: New driver: Driver help file
Mark Anthony	invitation / inquiry
Ingo Molnar	Re: [PATCH 08/16] dma-debug: add core checking functions
David Miller	Re: [PATCH 1/3] f_phonet: dev_kfree_skb instead of dev_kfree_skb_any in TX callback
Sascha Hauer	[PATCH 03/12] fec: do not typedef struct types
git-commits-head:
Linux Kernel Mailing List	amba: struct device - replace bus_id with dev_name(), dev_set_name()
Linux Kernel Mailing List	MIPS: Yosemite: Convert SMP startup lock to arch spinlock.
Linux Kernel Mailing List	ARM: S5PC100: IRQ and timer
Linux Kernel Mailing List	davinci: edma: clear interrupt status for interrupt enabled channels only
Linux Kernel Mailing List	x86, mm, kprobes: fault.c, simplify notify_page_fault()
openbsd-misc:
Daniel A. Ramaley	Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?
Matthias Kilian	Re: can't get vesa @ 1280x800 or nv
Tobias Ulmer	Re: Problem after upgrade 4.5 to 4.6: ERR M
Philip Guenther	Re: SIGCHLD and libpthread.so
J.C. Roberts	Re: [semi-OT] Can anyone recommend an OpenBSD-compatible colour laser printer?