Koozali.org: home of the SME Server

Multiple networks and IPSec

Walid Moghrabi

Multiple networks and IPSec
« on: March 20, 2002, 11:22:52 PM »
Hi,

Here is my problem :

I must access a network through a router (which is in site B) from site A.
Site A and site B are connected through an IPSec connection via DSL.

From site A, I can see all the computers of site B, I can ping them, I can see shares, etc etc ...
From site B, I can do exactly the same.
There is a router in site B which is necessary to connect to another private network (Galileo, for those who know what it is).
From site B, I can ping the router which is needed to connect to this network, and my computers can exchange information with this network.

My problem is that from site A, I can't ping this router, which is in the same IP range as the computers of site B.
And of course, as I can't ping it, my computers in site A can't "talk" to this network.

Can somebody help me ?

Thanks.

Dan G.

Re: Multiple networks and IPSec
« Reply #1 on: March 21, 2002, 12:05:57 AM »
IPSec is going to create a route to B via the virtual device ipsec0.  This route will point at the IP range of site B --- it can't point at two interfaces.  The only workaround I can think of is to create host routes to a few important systems on either network, and map them to ipsec0 or ipsec1 depending on which network they reside on.  If you are saying you need to be able to route to 192.168.1.2 at site B, and also be able to route to 192.168.1.2 at site C, you are out of luck --- there is no method for telling your system how to distinguish them.  Of course, renumbering either network B or network C would solve your problem...

Walid Moghrabi

Re: Multiple networks and IPSec
« Reply #2 on: March 21, 2002, 10:54:24 AM »
This is not my problem.

Site A is on the range 192.168.16.x
Site B is on the range 10.0.0.x
The network I want to talk to (let's say site C) is 57.x.x.x

Site A is connected to Site B via IPSec VPN over DSL, and site C is connected to site B through a router to access a private network on the Internet.
I can only talk to site C through this router; there is no other way.

In site B, I can ping this router and I can talk to site C.
From site A, I can't even ping this router (but I can ping any computer in site B which is in the same range), and by the way, I can't talk to site C from site A.

Any clue ?

This is very important for me.

Thanks.

Dan G.

Re: Multiple networks and IPSec
« Reply #3 on: March 21, 2002, 07:05:59 PM »
Darn, I hoped it would be an easy one :)

From here your situation is complicated, and I really, really, really encourage you to read and follow the troubleshooting instructions at:

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/trouble.html

(did I mention I really, really, really encourage you to do this?)

You are going to need to know exactly what error messages are being generated, what your routing tables look like, what packets are being denied, etc.  Basically, the output of 'ipsec barf' piped to a file --- a file of perhaps 1000 lines of information.  It is definitely not a trivial exercise.

You might get some ideas here:  http://jixen.tripod.com/#NATed%20gateways

...or  subscribe and try posting your questions to the "users" list here:

http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/mail.html

You are at the point where it gets complicated.  Be ready --- this stuff has been known to cause insanity ;)

Dan

Walid Moghrabi

Re: Multiple networks and IPSec
« Reply #4 on: March 21, 2002, 08:20:47 PM »
Thanks ... sounds like me having a nice sleepless night tonight ...

Well, just one thing ... I'm not using FreeSWAN but the official Mitel IPSec solution (Service Link), but I guess I will find some clues in the FreeSWAN stuff ...

Anyhow ... if someone can help me, I would be very thankful!

Bye.

Dan G.

Re: Multiple networks and IPSec
« Reply #5 on: March 21, 2002, 09:54:49 PM »
:)

Type 'ipsec barf' at your SME command prompt...

Dan

trevorb

Re: Multiple networks and IPSec
« Reply #6 on: March 23, 2002, 01:58:51 AM »
MTCW

The router between B & C is probably set to only accept traffic from the B network. It would probably reject/drop anything not from B (including anything from A). I'm not quite sure what rules you would have to supply the router with, but I would expect that if you can tell it to accept traffic from the SME Server at A (external address), you may be OK.

Trevor B
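
The two explanations in this thread (Dan's reply #1: the IPSec tunnel installs one route per remote range via ipsec0, so the path to C has to be covered by a route somewhere; trevorb's reply #6: the B-to-C router only accepts, and only knows how to reply to, site B's range) can be checked against a small routing model. The following is an added example written for this page; it is not code from the thread, from SME Server or from Mitel's Service Link. The three ranges and the topology are taken from the posts. The SME server's LAN address at B (10.0.0.1), the router's address (10.0.0.254), the interface names, and the two candidate fixes (a route plus ACL entry for site A on the router, or source NAT on the SME server at B so the router only ever sees a site-B address) are assumptions made for the example.

```python
"""Route and ACL model of the three-site layout discussed in this thread.

Site A (192.168.16.0/24) <--IPsec--> Site B (10.0.0.0/24) --router--> Site C (57.0.0.0/8)

The three ranges and the topology are from the thread; the SME server's LAN
address at B, the router's address and the interface names are assumptions.
"""
import ipaddress

A_NET = ipaddress.ip_network("192.168.16.0/24")
B_NET = ipaddress.ip_network("10.0.0.0/24")
C_NET = ipaddress.ip_network("57.0.0.0/8")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

B_SME_LAN = ipaddress.ip_address("10.0.0.1")    # assumed: SME server's LAN address at B
B_ROUTER = ipaddress.ip_address("10.0.0.254")   # assumed: the router towards site C


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop_or_None, device) rows."""
    best = None
    for row in table:
        if dst in row[0] and (best is None or row[0].prefixlen > best[0].prefixlen):
            best = row
    return best


# SME server at A: one ipsec0 route per remote range carried by the tunnel policy.
# If C's range were missing here, packets for C would take the default route instead.
A_ROUTES = [(A_NET, None, "eth0"), (B_NET, None, "ipsec0"),
            (C_NET, None, "ipsec0"), (DEFAULT, None, "eth1")]

# SME server at B: C is reached through the router on the LAN.
B_ROUTES = [(B_NET, None, "eth0"), (A_NET, None, "ipsec0"),
            (C_NET, B_ROUTER, "eth0"), (DEFAULT, None, "eth1")]

# The B<->C router as installed: it knows B and C and nothing about A.
ROUTER_ROUTES = [(B_NET, None, "lan"), (C_NET, None, "wan"), (DEFAULT, None, "wan")]
ROUTER_ACL = [B_NET]   # source ranges it will forward towards C

# Fix 1 (assumed): teach the router about A, both as an accepted source
# and with a return route back through the SME server at B.
ROUTER_ACL_FIXED = [B_NET, A_NET]
ROUTER_ROUTES_FIXED = ROUTER_ROUTES + [(A_NET, B_SME_LAN, "lan")]


def trace(src, dst, router_acl=ROUTER_ACL, router_routes=ROUTER_ROUTES, snat_at_b=False):
    """Follow one packet from a host at A to dst, then the router's reply back.

    router_acl    -- source networks the router forwards to C (trevorb's point).
    router_routes -- the router's own table, which decides where its reply goes.
    snat_at_b     -- Fix 2 (assumed): the SME server at B rewrites the source to
                     B_SME_LAN before handing the packet to the router.
    Returns (verdict, hops).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops = []

    r = lookup(A_ROUTES, dst)
    hops.append(f"A-gw -> {r[2]}")
    if r[2] != "ipsec0":
        return "not covered by the tunnel policy at A", hops

    r = lookup(B_ROUTES, dst)
    hops.append(f"B-gw -> {r[2]}" + (f" via {r[1]}" if r[1] else ""))
    if dst != B_ROUTER and r[1] != B_ROUTER:
        return "B does not send this to the router", hops

    seen_src = B_SME_LAN if snat_at_b else src
    if dst != B_ROUTER:   # forwarding towards C is subject to the router's ACL
        if not any(seen_src in n for n in router_acl):
            return f"dropped by router ACL (source {seen_src})", hops
        hops.append("router -> C")

    # Reply path: the router must have a route back to the source it saw.
    back = lookup(router_routes, seen_src)
    hops.append(f"router reply -> {back[2]}")
    if back[2] != "lan":
        return f"reply to {seen_src} leaves via {back[2]} and never reaches B", hops
    return "ok", hops


if __name__ == "__main__":
    cases = [("as described", {}),
             ("ACL only", {"router_acl": ROUTER_ACL_FIXED}),
             ("ACL + return route", {"router_acl": ROUTER_ACL_FIXED,
                                     "router_routes": ROUTER_ROUTES_FIXED}),
             ("SNAT at B", {"snat_at_b": True})]
    for label, kw in cases:
        for dst in (str(B_ROUTER), "57.1.2.3"):
            verdict, hops = trace("192.168.16.10", dst, **kw)
            print(f"{label:18} {dst:12} {verdict}  [{' | '.join(hops)}]")
```

Run as-is, the "as described" rows reproduce both symptoms from the thread: a ping to the router from A is answered out of the router's WAN side because it has no route back to 192.168.16.0/24, and a packet for 57.x from A is refused by the router's source check. Adding only an ACL entry is not enough; the return route matters as well, which is why the SNAT variant (where the router only ever sees 10.0.0.1) also works with the router left untouched. On a real SME server the equivalent checks are the routing table and the output of ipsec barf that Dan asked for.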