On Sat, Oct 06, 2007 at 10:37:12AM -0400, Dave Anderson wrote:
> On Sat, 6 Oct 2007, Layne Evans wrote:
>
> >Hello all,
> >
> >vendor -->vendor router<-- Internal LAN Location A -->OBSD GW A<-- Internet
> >                                                            VPN Between
> >Internet -->OBSD GW B<-- Internal LAN Location B
> >
> >Some info: (these are representative IPs)
> >Vendor's IP block that needs to go over their T1: 207.12.0.0/18
> >Internal LAN A: 10.74.10.0/24
> >Vendor router Internal LAN IP: 10.74.10.245
> >OpenBSD A Internal IP: 10.74.10.254
> >OpenBSD A External IP: a.b.c.d
> >OpenBSD B Internal IP: 10.76.10.254
> >OpenBSD B External IP: w.x.y.z
> >
> >Any pointers will sure be appreciated.
>
> Maybe I'm missing something, but (given that everything else is working
> and assuming that the systems on LAN B have a default route directed to
> GW B) wouldn't a static route on GW B for 207.12.0.0/18 pointing to
> 10.74.10.245 do the job?
>
this will not work. ipsec will not encap packets that do not belong to a flow.
you need a second ipsec flow, like on GW B:

    ike esp from LAN_B/24 to vendor/18 peer OPENBSD_A_External

and on GW A:

    ike esp from VENDOR/18 to LAN_B/24 peer OPENBSD_B_External

and then a route on GW A to the vendor network.

i think this will do the trick.

thomas
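The two-flow setup described above, written out as complete ipsec.conf(5) fragments for both gateways together with the route GW A needs. This is an added example, not a configuration posted in the thread; it uses the representative addresses from Layne's message, assumes the existing LAN-to-LAN tunnel is also configured with an `ike` line (so both tunnels share the same peers), and the macro names (LAN_A, LAN_B, VENDOR, GW_A_EXT, GW_B_EXT) are my own.

```conf
# Macros: identical on both gateways (representative addresses from the thread).
LAN_A    = "10.74.10.0/24"      # internal LAN behind GW A, also home of the vendor router
LAN_B    = "10.76.10.0/24"      # internal LAN behind GW B
VENDOR   = "207.12.0.0/18"      # vendor block that must leave via the T1 behind GW A
GW_A_EXT = "a.b.c.d"            # GW A external address
GW_B_EXT = "w.x.y.z"            # GW B external address

# ---- /etc/ipsec.conf on GW B (w.x.y.z) ----
# Existing LAN-to-LAN flow (assumed already present and working).
ike esp from $LAN_B to $LAN_A local $GW_B_EXT peer $GW_A_EXT
# New flow: LAN B traffic destined for the vendor block is now covered by a
# flow, so it gets encapsulated towards GW A instead of being dropped.
ike esp from $LAN_B to $VENDOR local $GW_B_EXT peer $GW_A_EXT

# ---- /etc/ipsec.conf on GW A (a.b.c.d) ----
# Existing LAN-to-LAN flow, mirror of the one on GW B.
ike esp from $LAN_A to $LAN_B local $GW_A_EXT peer $GW_B_EXT
# Mirror of the new flow: accepts decapsulated LAN B -> vendor packets and
# encapsulates the vendor -> LAN B replies back into the tunnel.
ike esp from $VENDOR to $LAN_B local $GW_A_EXT peer $GW_B_EXT

# GW A additionally needs a route for the vendor block via the vendor router
# on LAN A (ipsec.conf does not do routing). To make it survive a reboot, put
# this line in /etc/hostname.<lan_interface> on GW A:
#   !route add -inet 207.12.0.0/18 10.74.10.245
```

Check each file with `ipsecctl -n -f /etc/ipsec.conf` before loading it with `ipsecctl -f /etc/ipsec.conf`, then confirm the flows and SAs with `ipsecctl -sf` and `ipsecctl -sa`; on GW A add the route immediately with `route -n add -inet 207.12.0.0/18 10.74.10.245`. Two things outside the two gateways also have to line up: the vendor router at 10.74.10.245 must have a return route for 10.76.10.0/24 via GW A's internal address 10.74.10.254, and if the pf rules on enc0 or the internal interface of either gateway match on specific subnets rather than passing all tunnel traffic, they need to include 207.12.0.0/18 as well.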