On Sat, Oct 06, 2007 at 10:37:12AM -0400, Dave Anderson wrote:

quoted text
> On Sat, 6 Oct 2007, Layne Evans wrote:

>

> >Hello all,

> >

> >

> >vendor -->vendor router<-- Internal LAN Location A -->OBSD GW A<-- Internet

> >       VPN Between

> >Internet -->OBSD GW B<-- Internal LAN Location B

> >

> >Some info: (these are representative IPs)

> >Vendor's IP block that need to go over their T1: 207.12.0.0/18

> >Internal LAN A: 10.74.10.0/24

> >Vendor router Internal LAN IP: 10.74.10.245

> >OpenBSD A Internal IP: 10.74.10.254

> >OpenBSD A External IP: a.b.c.d

> >OpenBSD B Internal IP: 10.76.10.254

> >OpenBSD B External IP: w.x.y.z

> >

> >Any pointers will sure be appreciated.

>

> Maybe I'm missing something, but (given that everything else is working

> and assuming that the systems on LAN B have a default route directed to

> GW B) wouldn't a static route on GW B for 207.12.0.0/18 pointing to

> 10.74.10.245 do the job?

> 

this will not work. ipsec will not encap packets that not belong to a

flow.
you need a second ipsec flow like on GW B:

ike esp from LAN_B/24 to vendor/18 peer OPENBSD_A_External

and on GW A:

ike esp from VENDOR/18 to LAN_B/24 peer OPENBSD_B_External

and then a route on GW A to the vendor network.
i think this will do the trick.

thomas