Tom Eastep wrote:

Keith Mitchell wrote:

> I'm attempting to connect a branch office (Office A - private lan 192.168.1.0/24), to a main office (Office B - private lan 10.254.0.0/24) via two different connections for fail-over and data segregation.
>
> Connection 1 - ipsec VPN, for traffic between the offices not flowing to or from 2 different phone servers in Office B (10.254.0.4 and 10.254.0.5)
>
> Connection 2 - a point-to-point switched fibre circuit (called a tlan by my provider). This circuit is essentially stateless - functionally equivalent to a VLAN on a switch. All traffic flowing to or from 10.254.0.4 and 10.254.0.5 should traverse this circuit.
>
> Each office has a 3 card router - one card for internal network, one card for internet (and ipsec vpn), and one card for the fibre tlan.
>
> Each office should have the ability to connect directly to the internet through their local router, pass data traffic over the ipsec vpn, and pass voip traffic over the fibre tlan.

I don't know a good way to do that. I can tell you that you cannot
control which path a particular connection takes using policy routing,
because the traffic that goes through the IPSEC tunnel is determined
solely by your IPSEC security policies. Routing has no effect.

If you want to select via policy routing, then I suggest replacing IPSEC
with OpenVPN.

> Sorry for being unclear. It's difficult for me to explain all this stuff without a whiteboard. I hope the above clears up my intent.
>
> I'm also sorry for hijacking Mike's thread. I hit reply and neglected to remove the "Re: [Shorewall-users]" from my first messages.

Changing the subject has nothing to do with it. When you hit "reply",
your mailer inserts an "In-Reply-To" header that email clients use to
present a threaded view of a mailbox. Thread hijacking defeats that very
useful feature by causing the hijacking thread to appear as if it is
part of the hijacked thread.

Create a new message addressed to the list!!! -- Thanks

> PS - Fiber tunnel should refer to the fibre tlan which I have assigned the 10.253.0.* network, yes.

Okay.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
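Added example (not code from the thread, from Tom, or from Shorewall): a small Python model of the behaviour Tom describes above, the Linux XFRM outbound policy lookup that decides what enters the IPsec tunnel before the routing table is consulted. The two LANs, the two phone servers and the 10.253.0.0/24 tlan come from the thread; the public endpoint addresses, interface names and priority values are assumptions. It also shows the one IPsec-side setting that does affect selection: a higher-precedence bypass (passthrough) policy for the phone servers, after which the plain routing table (here the /32 routes over the tlan interface) decides the path.

```python
"""Outbound IPsec traffic selection on Linux (XFRM) for the thread's topology.

Added example, not code from the thread or from Shorewall. The two LANs, the
phone servers and the 10.253.0.0/24 tlan come from the thread; public
addresses, interface names and priorities are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_A_PUBLIC = "203.0.113.1"   # assumed: Office A Internet address (IKE/ESP endpoint)
OFFICE_B_PUBLIC = "198.51.100.1"  # assumed: Office B Internet address


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class SpdEntry:
    """One outbound security policy, as `ip xfrm policy ... dir out` would show it."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    priority: int                 # lower value is consulted first
    peer: Optional[str] = None    # tunnel endpoint; None means a bypass (clear-text) policy


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str


def spd_lookup(spd: List[SpdEntry], src, dst) -> Optional[SpdEntry]:
    """First policy whose selectors match, in priority order; None if the SPD is silent."""
    for entry in sorted(spd, key=lambda e: e.priority):
        if src in entry.src and dst in entry.dst:
            return entry
    return None


def route_lookup(routes: List[Route], dst) -> Route:
    """Longest-prefix match over a plain routing table."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def classify(spd: List[SpdEntry], routes: List[Route], src: str, dst: str) -> Tuple[str, str]:
    """Return ('esp' or 'clear', egress device) for one packet leaving Office A.

    The SPD is matched on the inner addresses *before* routing. A tunnel policy
    wins no matter how the inner destination is routed; only the encapsulated
    packet, addressed to the peer, is then routed.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    policy = spd_lookup(spd, s, d)
    if policy is not None and policy.peer is not None:
        return ("esp", route_lookup(routes, ipaddress.ip_address(policy.peer)).dev)
    return ("clear", route_lookup(routes, d).dev)


def xfrm_commands(spd: List[SpdEntry]) -> List[str]:
    """The equivalent `ip xfrm policy add` lines (what an IKE daemon would install)."""
    cmds = []
    for e in sorted(spd, key=lambda e: e.priority):
        cmd = f"ip xfrm policy add src {e.src} dst {e.dst} dir out priority {e.priority}"
        if e.peer is not None:
            cmd += f" tmpl src {OFFICE_A_PUBLIC} dst {e.peer} proto esp mode tunnel"
        cmds.append(cmd)
    return cmds


# Office A routing table (assumed interface names: eth0 LAN, eth1 Internet, eth2 tlan).
ROUTES_A = [
    Route(net("192.168.1.0/24"), "eth0"),
    Route(net("10.253.0.0/24"), "eth2"),   # the fibre tlan
    Route(net("10.254.0.4/32"), "eth2"),   # phone servers pinned to the tlan
    Route(net("10.254.0.5/32"), "eth2"),
    Route(net("0.0.0.0/0"), "eth1"),       # default route to the ISP; ESP leaves here too
]

TUNNEL = SpdEntry(net("192.168.1.0/24"), net("10.254.0.0/24"), 200, OFFICE_B_PUBLIC)

# What the poster has: one tunnel policy covering the whole remote LAN.
SPD_NAIVE = [TUNNEL]

# Phone servers carved out with bypass policies that take precedence over the tunnel.
SPD_SEGREGATED = [
    SpdEntry(net("192.168.1.0/24"), net("10.254.0.4/32"), 100),
    SpdEntry(net("192.168.1.0/24"), net("10.254.0.5/32"), 100),
    TUNNEL,
]

if __name__ == "__main__":
    for spd_name, spd in (("naive", SPD_NAIVE), ("segregated", SPD_SEGREGATED)):
        for dst in ("10.254.0.4", "10.254.0.20", "8.8.8.8"):
            print(spd_name, "192.168.1.10 ->", dst, classify(spd, ROUTES_A, "192.168.1.10", dst))
    print("\n".join(xfrm_commands(SPD_SEGREGATED)))
```

With the naive SPD a packet to 10.254.0.4 is encapsulated and leaves on the Internet interface even though a /32 route points at the tlan, which is exactly why adding routes or policy-routing rules does not move it. The model covers `dir out` only; a real deployment needs the mirrored `dir in`/`dir fwd` policies and the same bypass on the Office B end, otherwise Office B's tunnel policy still pulls the return traffic into the VPN. With an IKE daemon the bypass is expressed in the daemon's configuration (strongSwan calls it a passthrough connection) rather than with `ip xfrm` by hand, since the daemon manages the SPD.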


You previously stated "Each office has a 3 card router - one card for internal network, one card for internet (and ipsec vpn), and one card for the fibre tlan."

Are you referring to an actual router such as a Cisco or Juniper box or are you really referring to a Linux box doing routing?

If you mean an actual router, then why not move the routing to where it belongs, on the router? I don't have experience with Juniper, but Cisco makes it fairly easy for you to create tunnels, including IPSec.


