Isn't this in the FAQ (yet/still)? It definitely is in the archives...
If you have a tunnel between the networks traffic between the
networks is the *only* traffic to be encrypted. See 'netstat -rn -f
encap', source and destination fields.
As soon as any of the gateways are involved, either the one pinging
or the one being pinged, it will use the IP address of the network
between the gateways (i.e. 192.168.2.x) -- and as that IP is not part
of the tunnel it will not be encrypted. (This is really "IP routing
101". :)
You probably have something blocking the cleartext traffic, such as
pf, as the network stack will accept an unencrypted ping response
packet to an encrypted ping packet.
To solve the "problem" you will need to add tunnels from gateway 1 to
net 2, also gateway 2 to net 1 and possibly gateway 1 to gateway 2
(for completeness).
/H
On 14 Oct 2005, at 06.55, Josh Webb wrote:
if it's not the sysctl, can gateway1 ping client2 || gateway2 ping
client1 ?
no
or client1 ping 192.168.2.1 || client2 ping 192.168.2.2 ?
yes
also, client1 can't ping 192.168.2.2 || client2 can't ping
192.168.2.1.
/H
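The flow-selection logic the reply describes, as an added illustration that is not part of the original thread: a small Python model of an IPsec security policy lookup (source/destination prefix match, most specific entry wins, no match means cleartext), run over the four ping cases in the exchange above. The thread only names the transit network 192.168.2.x, so the inner networks (192.168.1.0/24 and 192.168.3.0/24), the client addresses and the outer gateway addresses 192.168.2.1 and 192.168.2.2 are constructed assumptions, and the match logic is simplified (real SPD entries also carry protocol, ports and direction). It does not use the real ipsec.conf or isakmpd syntax; the point is only which address pairs the original pair of net-to-net flows covers and which the extra gateway flows add.

```python
import ipaddress

# Constructed topology (assumption): the thread only names 192.168.2.x as
# the network between the gateways; inner nets and hosts are made up here.
NET1 = ipaddress.ip_network("192.168.1.0/24")       # behind gateway 1
NET2 = ipaddress.ip_network("192.168.3.0/24")       # behind gateway 2
GW1_OUTER = ipaddress.ip_address("192.168.2.1")     # gateway 1, transit side
GW2_OUTER = ipaddress.ip_address("192.168.2.2")     # gateway 2, transit side
CLIENT1 = ipaddress.ip_address("192.168.1.10")
CLIENT2 = ipaddress.ip_address("192.168.3.10")


def host(addr):
    """Single-address (/32) selector for a gateway's own outer address."""
    return ipaddress.ip_network(f"{addr}/32")


# The original setup: one tunnel, net 1 <-> net 2, nothing else.
ORIGINAL_FLOWS = [
    (NET1, NET2),
    (NET2, NET1),
]

# The fix from the reply: gateway 1 <-> net 2, gateway 2 <-> net 1 and,
# for completeness, gateway 1 <-> gateway 2 (both directions each).
FIXED_FLOWS = ORIGINAL_FLOWS + [
    (host(GW1_OUTER), NET2), (NET2, host(GW1_OUTER)),
    (host(GW2_OUTER), NET1), (NET1, host(GW2_OUTER)),
    (host(GW1_OUTER), host(GW2_OUTER)), (host(GW2_OUTER), host(GW1_OUTER)),
]


def matching_flow(flows, src, dst):
    """Return the most specific (src_net, dst_net) flow covering src->dst,
    or None when no flow matches, i.e. the packet leaves in cleartext.
    Simplified SPD lookup: address prefixes only, longest total prefix wins."""
    best = None
    for fsrc, fdst in flows:
        if src in fsrc and dst in fdst:
            if best is None or (fsrc.prefixlen + fdst.prefixlen) > (
                best[0].prefixlen + best[1].prefixlen
            ):
                best = (fsrc, fdst)
    return best


def is_encrypted(flows, src, dst):
    return matching_flow(flows, src, dst) is not None


def ping_round_trip(flows, src, dst):
    """(echo request encrypted?, echo reply encrypted?) for a ping src->dst.
    A gateway pinging across the tunnel sources the packet from its
    transit-side address (route to the far net points out that interface),
    which is exactly why the original net-to-net flow does not match."""
    return is_encrypted(flows, src, dst), is_encrypted(flows, dst, src)


def report(flows):
    """The four cases from the thread, keyed by a short label."""
    cases = {
        "client1 -> client2": (CLIENT1, CLIENT2),
        "gateway1 -> client2": (GW1_OUTER, CLIENT2),
        "client1 -> 192.168.2.2 (gateway2)": (CLIENT1, GW2_OUTER),
        "gateway1 -> gateway2": (GW1_OUTER, GW2_OUTER),
    }
    return {label: ping_round_trip(flows, s, d) for label, (s, d) in cases.items()}


if __name__ == "__main__":
    for name, flows in (("original", ORIGINAL_FLOWS), ("fixed", FIXED_FLOWS)):
        print(f"--- {name} flows ---")
        for label, (req, rep) in report(flows).items():
            print(f"{label:36s} request encrypted={req!s:5s} reply encrypted={rep!s:5s}")
```

With the original two flows only the client-to-client ping is covered in both directions; every case that involves a gateway's 192.168.2.x address goes out in cleartext, which is the traffic a pf rule set written for "everything between the sites is inside the tunnel" will drop. On a real OpenBSD box the equivalent check is the source and destination columns of `netstat -rn -f encap`, as the reply says.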