On 29/10/2007, Graham Bloice <[EMAIL PROTECTED]> wrote:
>
> On 27/10/2007, cluther <[EMAIL PROTECTED]> wrote:
> >
> > Ideally you want to get these IPSec tunnel interfaces modeled within
> > Zenoss so this happens automatically. With that disclaimer out of the way,
> > here's how you would manually construct the relationship.
>
> You said ideally. Is this because this is something Zenoss should be
> doing, but doesn't yet, or because Zenoss can do it but is failing?
>
> > For this demonstration we will be using the example tunnel network of
> > 10.0.254.0/30 with firewallA being 10.0.254.1 and firewallB being
> > 10.0.254.2.
> >
> > 1. Go to the OS tab of firewallA and add an IpInterface called ipsec1
> >    a. Set the IP address to 10.0.254.1/30
> >    b. Set the interface to admin up, oper up.
> >    c. Set the type to manualTunnel
> >    d. Set the monitored to False
> >    e. Lock this interface from deletion and updates
> >
> > 2. Repeat step one replacing the IP address with firewallB's IP.
>
> Is this on firewall B?
>
> > Because these two firewalls are in two separate locations and share the
> > 10.0.254.0/30 subnet, the links will be drawn. The interfaces must be
> > locked to prevent the modeler from deleting them on the next cycle.
>
> I have a slightly different situation where the LANs either side of the
> firewalls are on different subnets (although part of the same supernet),
> e.g.
>
> LAN A 10.0.0.0/20 -- Firewall A 10.0.0.10/20 -- IPSEC -- Internet --
> IPSEC -- Firewall B 10.0.128.10/20 -- LAN B 10.0.128.0/20
>
> Both LAN subnets belong to the 10.0.0.0/16 supernet.
>
> Via SNMP discovery, I already have interfaces on the firewalls such as
> ipsec0 & 1, gathered from the SNMP discovery. They don't have an IP address
> associated with them though. I also have the LAN interfaces on the firewall,
> e.g. eth0 with the correct IP address.
>
> When I try your suggestion (using a name such as tunnel1), on entering the
> IP address as 10.0.0.10/16 it is immediately changed to the existing LAN
> IP (i.e. /20), and that IP is removed from the eth0 interface.

Using the advice you gave in another thread (to rediscover the ipinterfaces first, then the routes) has cleaned up my installation and now I get the links between sites.

I only have a small quibble in that everything is lumped into the large supernet, rather than the individual site subnets.

--
Regards,
Graham Bloice
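The subnet-sharing rule cluther describes (a link is drawn when two devices own interfaces on the same network), worked through with the addresses from this thread. This is an added, constructed illustration in Python, not Zenoss code: the inventory list is built from the thread, and the optional supernet parameter is this example's own assumption, used to show why aggregating to 10.0.0.0/16 lumps both LAN sides together.

```python
"""Constructed illustration of subnet-based link inference (not Zenoss code).

Two devices are linked when they hold interfaces in the same network; this
toy applies that rule to the firewall addresses discussed in the thread.
"""
from collections import defaultdict
from ipaddress import ip_interface, ip_network

# Constructed inventory: (device, interface name, CIDR) taken from the thread.
INVENTORY = [
    ("firewallA", "ipsec1", "10.0.254.1/30"),   # manual tunnel interface
    ("firewallB", "ipsec1", "10.0.254.2/30"),   # other end of the /30
    ("firewallA", "eth0", "10.0.0.10/20"),      # LAN A side
    ("firewallB", "eth0", "10.0.128.10/20"),    # LAN B side
]


def links_by_network(inventory, supernet=None):
    """Return {network: sorted device names} for networks shared by 2+ devices.

    With supernet=None every interface is keyed by its configured subnet, so
    only the /30 tunnel pair produces a link; the two /20 LANs stay separate.
    With a supernet given (this example's assumption), every address inside it
    is collapsed into that one network, reproducing the 'lumped into the
    supernet' view: the site subnets disappear into 10.0.0.0/16.
    """
    groups = defaultdict(set)
    agg = ip_network(supernet) if supernet is not None else None
    for device, _name, cidr in inventory:
        iface = ip_interface(cidr)
        net = iface.network
        if agg is not None and iface.ip in agg:
            net = agg
        groups[str(net)].add(device)
    # A network seen on a single device is not a link, so drop it.
    return {net: sorted(devs) for net, devs in groups.items() if len(devs) > 1}


if __name__ == "__main__":
    print("per-subnet links:", links_by_network(INVENTORY))
    print("aggregated to /16:", links_by_network(INVENTORY, "10.0.0.0/16"))
```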
_______________________________________________
zenoss-users mailing list
[email protected]
http://lists.zenoss.org/mailman/listinfo/zenoss-users
