Tom Eastep wrote:
> Keith Mitchell wrote:
>> Sigh. Fixed my pretty little ascii art.
>>
>>   eth1 - 10.253.0.1                      eth3 - 10.253.0.254
>>           eth0   /-----------------------\   eth0
>>   192.168.1.1/24 --- Office A - - Office B --- 10.254.0.1/24
>>                  \---------vpn-----------/
>>           eth2                               eth2
>
> Okay -- let's back up a minute. When you say 'vpn', what exactly do you mean? I only have access to the 'shorewall dump' information from Office A but I can see that there are a number of IPSEC SPs (and SAs); is THAT what you mean by 'vpn'?
>
> And you say:
>
>> I cannot, however, ping the private subnets in either office through the fiber tunnel
>
> Please give me an example; source address, destination address and what you see. And a fresh copy of the 'shorewall dump' output from Office B would be helpful.
>
> -Tom
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now!
> http://p.sf.net/sfu/devconference
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Sorry about that. My brain was a little fried last night. Here's the networkb uncorrupted. Yes, the vpn is an ipsec vpn. It works fine thanks to your excellent documentation and openswan.
If I do a "ping -I eth1 10.254.0.x" (any address) from the network a firewall, I get no return and nothing in the syslogs. A ping -I eth1 10.253.0.254 gets a return.
Likewise, a "ping -I eth3 192.168.1.x" (any address) from the network b firewall gives no return and nothing in syslogs. A ping -I eth3 10.253.0.1 gets a return.
If I run a tracert from inside network a to one of the IPs I'm trying to direct through the 10.253.0.0 tlan (10.254.0.4 or 10.254.0.5), the return clearly shows the traffic traversed via the vpn and not the tlan.
    C:\>tracert asterisk

    Tracing route to asterisk.paisd.com [10.254.0.4]
    over a maximum of 30 hops:

      1    <1 ms    <1 ms    <1 ms  linus-int.paisd.com [192.168.1.1]
      2     3 ms     2 ms     2 ms  firewall.paisd.com [10.254.0.1]
      3     3 ms     2 ms     2 ms  asterisk.paisd.com [10.254.0.4]

    Trace complete.

I would suspect that a correct traversal would include the 10.253.0 addresses in the tracert values. If I take the ipsec VPN down, the tracert above fails.
The first two sentences point me towards a masq'ing problem. The second points me to a marking or routing problem. It could be that trying to use multi-isp setup to do this could be trying to put the square peg in the round hole.
--
Keith Mitchell
CTO
Productivity Associates, Inc.
5625 Ruffin Rd STE 220
San Diego, CA 92123
858-495-3528 (Direct)
858-495-3540 (Fax)
Attachment: networkb.bz2 (binary data)
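The tracert in the post above is read by eye to decide whether the path crossed the 10.253.0.0 tlan or the VPN. As an added example (not part of the thread, and not Shorewall's own tooling), the helper below parses tracert/traceroute output and reports whether any hop lies inside a given transit subnet; the second trace is a constructed sample of what a tlan path might look like, with hypothetical hop addresses.

```python
import ipaddress
import re

# A hop line starts with the hop number; the last IPv4 address on the line is
# the responding router (Windows tracert puts it in [brackets] after the name).
_HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def hop_addresses(trace_output):
    """Return the address of every hop that answered, in hop order.
    Hops that timed out ('* * * Request timed out.') are skipped."""
    hops = []
    for line in trace_output.splitlines():
        m = _HOP_RE.match(line)
        if not m:
            continue  # header, blank or 'Trace complete.' lines
        addrs = _IPV4_RE.findall(m.group(2))
        if addrs:
            hops.append(ipaddress.IPv4Address(addrs[-1]))
    return hops


def path_uses_subnet(trace_output, subnet):
    """True if at least one hop on the path lies inside `subnet`."""
    net = ipaddress.IPv4Network(subnet)
    return any(h in net for h in hop_addresses(trace_output))


# Sample 1: the tracert posted in the thread; it crosses the VPN, so no hop
# falls in 10.253.0.0/24.
VIA_VPN = """
Tracing route to asterisk.paisd.com [10.254.0.4]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  linus-int.paisd.com [192.168.1.1]
  2     3 ms     2 ms     2 ms  firewall.paisd.com [10.254.0.1]
  3     3 ms     2 ms     2 ms  asterisk.paisd.com [10.254.0.4]
Trace complete.
"""

# Sample 2 (constructed, hypothetical hops): a path that transits the tlan.
VIA_TLAN = """
Tracing route to 10.254.0.4 over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2     *        *        *     Request timed out.
  3     3 ms     2 ms     2 ms  10.253.0.254
  4     3 ms     2 ms     2 ms  10.254.0.4
Trace complete.
"""

if __name__ == "__main__":
    print("posted trace via tlan?", path_uses_subnet(VIA_VPN, "10.253.0.0/24"))
    print("sample trace via tlan?", path_uses_subnet(VIA_TLAN, "10.253.0.0/24"))
```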