David Strout wrote:
I have a need to set up the following topology at several locations connected via VPN tunnels.

    NET1--RTR1--NET2--pfS1--{INET}--pfS2--NET3--RTR2--NET4
                        >--IPsec TUNNEL--<

    NET1=10.10.10.0/24
    NET2=192.168.100.0/24
    NET3=192.168.200.0/24
    NET4=10.10.20.0/24

I have a VPN tunnel nailed up between the two pfS boxes w/ NET2 & NET3 on the "LAN" side. The pfS1 box has a static route to NET1 via RTR1 and pfS2 has a static route to NET4 via RTR2. The "default" route on NET1 & NET4 is RTR1 & RTR2 respectively, and RTR1 has a next hop of pfS1 and RTR2's next hop is pfS2.

So now that you have your mind wrapped around that ... here's the problem. In order for NET1 hosts to reach NET3/4 hosts ... "OR" NET4 hosts to reach NET1/2 hosts, I am assuming there has to be some static routes on the pfS boxes.

I added the following static route on pfS1:

    10.10.20.0/24 {NET4} > 192.168.200.254 {RTR2's NET3 IP}

I added the following static route on pfS2:

    10.10.10.0/24 {NET1} > 192.168.100.254 {RTR1's NET2 IP}

My assumption is that pfS1 knows about NET3 and pfS2 knows about NET2 via the tunnel. The problem is that when I traceroute from a host on NET1 to a host on NET4, pfS1 forwards the packets to the internet instead of sending them through the tunnel (and vice versa, from NET4 to NET1 pfS2 forwards the packets to the internet instead of through the tunnel). I even added routes to RTR1/2 for the respective networks as well just to test with, and still no go.

I must be missing something simple here, as I know that this can be done as this is just packet routing. Maybe I haven't had enough coffee yet. Any thoughts are greatly appreciated!!!
Static routes won't get you there. Think of IPSEC policies as an alternate end-to-end routing table that is used to determine what traffic will be tunneled to a distant peer. You will need to define separate policies to process traffic between multiple local and distant private networks.
In other words, the following policies would be required for your setup ...

    NET1 <-> NET3
    NET3 <-> NET1
    NET1 <-> NET4
    NET4 <-> NET1
    NET2 <-> NET3
    NET3 <-> NET2
    NET2 <-> NET4
    NET4 <-> NET2

-Matthew
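The following is an added illustration of Matthew's point, not code from the thread or from pfSense: a simplified model of a policy-based IPsec SPD in which the (local, remote) selector pair is consulted before the kernel routing table. With only the NET2 <-> NET3 policy that the tunnel was built with, a NET1 -> NET4 packet matches no selector, and the static route David added cannot help because its gateway (192.168.200.254) is not on any interface directly connected to pfS1, so the packet falls through to the default route out the WAN, which is exactly what the traceroute showed. Generating the full local x remote cross product (and its mirror on the peer) yields the eight policies Matthew lists. The addresses are the ones from David's post; the lookup order and the "unreachable gateway means default route" simplification are assumptions of this model.

```python
"""Model of policy-based IPsec selector lookup vs. static routes.

Added example (not from the mailing-list thread or pfSense). Network
names and addresses are taken from David's post; the SPD-before-routing
lookup and the handling of an unreachable static-route gateway are
simplifications chosen for illustration.
"""
from ipaddress import ip_address, ip_network
from itertools import product

# Subnets from the thread
NET1 = ip_network("10.10.10.0/24")      # behind RTR1, site A
NET2 = ip_network("192.168.100.0/24")   # pfS1 LAN, site A
NET3 = ip_network("192.168.200.0/24")   # pfS2 LAN, site B
NET4 = ip_network("10.10.20.0/24")      # behind RTR2, site B

SITE_A = [NET1, NET2]   # networks pfS1 must cover as "local"
SITE_B = [NET3, NET4]   # networks pfS1 must cover as "remote"

# pfS1's only directly connected private interface is its LAN (assumption:
# the WAN is public space and not relevant to these next hops)
PFS1_CONNECTED = [NET2]

# The static routes David added on pfS1 (gateway = RTR2's NET3 address) plus
# the legitimate one to NET1 via RTR1's NET2 address
PFS1_STATIC_ROUTES = [
    (NET4, ip_address("192.168.200.254")),
    (NET1, ip_address("192.168.100.254")),
]


def phase2_policies(local_nets, remote_nets):
    """Every (local, remote) subnet pair needs its own selector: policy-based
    IPsec matches on the pair, it does not route by destination alone."""
    return list(product(local_nets, remote_nets))


def mirror_policies(policies):
    """The selectors the distant peer needs so that return traffic matches."""
    return [(remote, local) for local, remote in policies]


def select_path(src, dst, policies, static_routes, connected):
    """Outbound path chosen by a policy-based IPsec gateway.

    Returns "tunnel" if an SPD selector matches src->dst; otherwise the
    static route table is consulted (longest prefix first). A route whose
    gateway is not on a connected interface cannot be used, so the packet
    takes the default route ("default", i.e. out the WAN).
    """
    src, dst = ip_address(src), ip_address(dst)
    for local, remote in policies:
        if src in local and dst in remote:
            return "tunnel"
    ordered = sorted(static_routes, key=lambda r: r[0].prefixlen, reverse=True)
    for net, gateway in ordered:
        if dst in net:
            if any(gateway in c for c in connected):
                return f"via {gateway}"
            # Gateway sits behind the tunnel, not on a local link: the route
            # is unusable and the packet follows the default route instead.
            return "default"
    return "default"


def required_policy_count(local_nets, remote_nets):
    """Total selectors across both peers for a full mesh of the private nets."""
    local_side = phase2_policies(local_nets, remote_nets)
    return len(local_side) + len(mirror_policies(local_side))


if __name__ == "__main__":
    only_lan_pair = [(NET2, NET3)]
    print("NET1 -> NET4 with LAN-only policy:",
          select_path("10.10.10.5", "10.10.20.5", only_lan_pair,
                      PFS1_STATIC_ROUTES, PFS1_CONNECTED))
    full = phase2_policies(SITE_A, SITE_B)
    print("NET1 -> NET4 with full policy set:",
          select_path("10.10.10.5", "10.10.20.5", full,
                      PFS1_STATIC_ROUTES, PFS1_CONNECTED))
    print("policies on both peers:", required_policy_count(SITE_A, SITE_B))
```

Running the block prints "default" for the first lookup and "tunnel" for the second, and a policy count of 8, matching the list in the reply above.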
