Topic: Routing HELP!

[Bill Pflaumer]

for the hell of it change the 172.20.1.0 network to 172.20.106.126 on the P lan

bill

[Bill Pflaumer]

Sterling
I meant to say change the   172.20.1.0 network  route to 172.20.106.126 on the P lan instead of default.


Sorry getting tired

Bill

[Bill Pflaumer]

I looked a little further and noticed the local network router settings will not allow what I stated in the previos post. Sorry

bill

[Sterling]

It gives me "Error: router address is not accessible from local network. Did not add network." when trying to do that.

It also gives me a similar "Network unreachable" error when I try to use the remote router (172.20.106.126) as a gateway using the route command. I assume this is because 172.20.106.126 isn't considered to be physically connected.

It seems the P SME box takes the packet destined for the 172.20.1.0/25 network and just drops it somewhere instead of forwarding it through the ipsec0 interface. Could this be freeswan eating the the packets because the tunnel was only configured to speak directly to the 172.20.106.0/25 network from the P SME side? I think I'll try to set up a phony local network on the L SME box and see if it even tries to forward to the P SME side through the ipsec0 interface. It should fail when it hits the P SME box, but it should try to get there anyway shouldn't it?

here we go...

OK, tried it and have the same situation with the L box. It won't even forward packets that are not on the network that the ipsec tunnel is configured to see, even though it's added to the local networks panel in server-manager and to the routing table.

If I don't put it in the routing table it tries to go out eth1 instead of ipsec0 and I can get a couple of hops out of it (from my isp I assume) so at least it tries if it's not configured to go out of ipsec0. Seems I need to tweak the freeswan settings if possible to allow the addidional network's traffic to flow through the ipsec tunnel. Do you know if this is a possible solution?

Thanks again,
Sterling

[Sterling]

I finally figured it out. In reading the Freeswan docs I learned that each ipsec tunnel will pass trafic for its pre-defined networks only so trying to route other traffic through the ipsec tunnel is pointless.
----------------------------------------
From the Freeswan FAQ:
Q: I send packets to the tunnel with route( but they vanish

A: IPsec connections are designed to carry only packets travelling between pre-defined connection endpoints. As project technical lead Henry Spencer put it:

"IPsec tunnels are not just virtual wires; they are virtual wires with built-in access controls. Negotiation of an IPsec tunnel includes negotiation of access rights for it, which don't include packets to/from other IP addresses. (The protocols themselves are quite inflexible about this, so there are limits to what we can do about it.)"
----------------------------------------
Therefore I had to add another ipsec tunnel defined as 172.20.160.128/25 <-> 172.20.1.0/25 and add it to my templates-custom area. That allowed the traffic to go via the ipsec0 interface.

Many thanks to Bill for trying to help me troubleshoot this.

-Sterling

[Bill Pflaumer]

Sterling,
Good for you, we both learned something today. I know you won't be reading this post soon, since your last post shows 3:45 in the morning ! One thing that still bothers me, how were you able to ping from the 172.20.1.12 host through the ipsec tunnel to the P Lan, but not visa versa ??

BTW,
I like the network diagram you made, what program did you use to design it ??


Bill

[Jeff C]

Sterling,

I really like the way you modified the Lophty indexer.  Want to share your mods?

-jeff

[Sterling]

Jeff, thanks for the compliment. I wish I could remember how I even modified it As soon as I get time I will check it out and post it.

Regards,
Sterling

Jeff C wrote:
>
> Sterling,
>
> I really like the way you modified the Lophty indexer.  Want
> to share your mods?
>
> -jeff

[Sterling]

I assume it worked like that was because when pinging from 172.20.1.12 the destination address was 172.20.106.130 which qualified as an allowable destination address on the first tunnel (172.20.160.128/25 <-> 172.20.106.0/25) because it was within the 172.20.160.128/25 network. But when I tried pinging the other way (from 172.20.106.130 to 172.20.1.12) the destination address was 172.20.1.12 which didn't qualify as being part of the two pre-defined tunnel networks and was therefore dropped.

As for the diagram I just used MS Publisher and printed it to my PaperPort 9.0 PDF Printer to make the .pdf file

Sterling

Bill Pflaumer wrote:
>
> Sterling,
> Good for you, we both learned something today. I know you
> won't be reading this post soon, since your last post shows
> 3:45 in the morning ! One thing that still bothers me, how
> were you able to ping from the 172.20.1.12 host through the
> ipsec tunnel to the P Lan, but not visa versa ??
>
> BTW,
> I like the network diagram you made, what program did you use
> to design it ??
>
>
> Bill

[Sterling]

Here's the link to the lophty indexer I modified:

http://www.abacustechnology.net/files/public/

I think (hope) everything you need is in the tarball there.

Sterling

Jeff C wrote:
>
> Sterling,
>
> I really like the way you modified the Lophty indexer.  Want
> to share your mods?
>
> -jeff

[Jeff C]

Thanks Sterling!

-jeff

[Bill Pflaumer]

Sterling ,
When you get the problem resolved, can you share a howto with the rest of us ?

Thanks,

Bill

[Sterling]

As soon as I completely understand what I did to make it work I will try and generate a how-to

Regards,
Sterling

Bill Pflaumer wrote:
>
> Sterling ,
> When you get the problem resolved, can you share a howto with
> the rest of us ?
>
> Thanks,
>
> Bill