Are systems behind the firewall able to route to and reach the remote network? I just built out an environment to do this last week using carp, and some of the trouble I had was that we could route through the device, but packets that originated from the router were not able to make it through. Even though the flows were set up to use the remote gateways, traffic would still leave for the default gateway. We either had to create a static route for the remote network to use the external interface of the remote router as the gateway, or point to the internal carp interface. There seems to be something funny about the way flows interact with the routing table at times, and it's not quite clear to me why.
On Mon, Feb 10, 2014 at 7:43 AM, Aurelien Martin <01aurel...@gmail.com> wrote:
> Hi Christoph,
>
> Yes, it works if the binary handles the interface selection.
> But in my case, unbound is listening on *.20.254 (my local gateway) but it
> can't reach the remote LAN.
> It uses the default (wan) interface instead of the IPSEC tunnel by default.
>
> Cheers,
> Aurelien
>
> On 02/10/2014 04:31 PM, Christoph Leser wrote:
>
>> For me it works if I do the 'interface selection' myself, by specifying
>> the -I switch on ping, or -b for ssh.
>>
>> -----Original Message-----
>>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
>>> Behalf Of Aurelien Martin
>>> Sent: Monday, 10 February 2014 16:10
>>> To: Mitja Muženič; misc@openbsd.org
>>> Subject: Re: reach a remote LAN through IPSEC from the router
>>>
>>> Hi Mitja,
>>>
>>> When I add the route manually it works like a charm.
>>>
>>> But after that, all machines of my LAN ping with the following form
>>> (Redirect Host). What does it mean? For me the router rewrites the
>>> destination, which creates an overhead.
>>>
>>> $ ping 192.168.10.1
>>> PING 192.168.10.1 (192.168.10.1): 56 data bytes
>>> 36 bytes from 192.168.20.254: Redirect Host(New addr: 192.168.20.254)
>>> Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
>>> 4 5 00 0054 85ff 0 0000 40 01 4b56 192.168.30.2 192.168.10.1
>>>
>>> Cheers,
>>> Aurelien
>>>
>>> On 02/10/2014 04:03 PM, Mitja Muženič wrote:
>>>
>>>> A simple trick is to add a manual route for the remote LAN to the
>>>> internal interface of your router.
>>>>
>>>> -----Original Message-----
>>>>> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On
>>>>> Behalf Of Aurelien Martin
>>>>> Sent: Monday, February 10, 2014 3:59 PM
>>>>> To: misc@openbsd.org
>>>>> Subject: reach a remote LAN through IPSEC from the router
>>>>>
>>>>> Dear all,
>>>>>
>>>>> I'm linked to another LAN through IPSEC. Everything is working except
>>>>> if I try to reach the remote LAN from my OpenBSD router.
>>>>>
>>>>> In this case, the router uses the default interface (wan) instead of
>>>>> the IPSEC tunnel.
>>>>>
>>>>> I would like to be able to reach the remote LAN because a service on
>>>>> the router needs to reach it.
>>>>>
>>>>> Please see the logs in the attachment (schema-and-logs.txt +
>>>>> ipsec-pf-route.txt).
>>>>>
>>>>> Any idea?
>>>>>
>>>>> I already tried to add a dirty route, which works but creates
>>>>> overhead:
>>>>>
>>>>> $ ping 192.168.10.1
>>>>> PING 192.168.10.1 (192.168.10.1): 56 data bytes
>>>>> 36 bytes from 192.168.20.254: Redirect Host(New addr: 192.168.20.254)
>>>>> Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
>>>>> 4 5 00 0054 85ff 0 0000 40 01 4b56 192.168.20.2 192.168.10.1
>>>>>
>>>>> Have a good day.
>>>>> Cheers,
>>>>> Aurelien
>>>>>
>>>>
>

-- 
Zach
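The mechanism the thread is circling around (the router's own packets taking the wan path, the two workarounds, and the Redirect Host messages that appear after the manual route) can be modelled in a few lines. The script below is an added example, not code from the thread or from OpenBSD. It reproduces the two lookups that matter for a packet the router itself generates: the routing lookup that picks the outgoing interface, and with it the default source address, and the IPsec flow (SPD) lookup, which is keyed on both source and destination; it then applies the usual ICMP redirect rule to a forwarded packet. The addresses 192.168.20.254 (the router's LAN address) and 192.168.10.0/24 (the remote LAN) come from the thread; the flow definition, the wan address 203.0.113.2 and gateway 203.0.113.1, the interface names em0/em1 and the route tables themselves are assumptions constructed for the example.

```python
"""Why a router's own packets can miss an IPsec flow, and why the manual
route then produces ICMP redirects.  Added example for the thread above;
not code from the thread or from OpenBSD."""
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: str              # destination network
    iface: str               # interface the packet leaves on
    ifaddr: str              # that interface's address (default source)
    gateway: Optional[str]   # next hop, None for a directly attached net


class Flow(NamedTuple):
    local: str               # "from" network of the IPsec flow
    remote: str              # "to" network of the IPsec flow


# Constructed tables modelled on the thread.  Interface names, the wan
# address 203.0.113.2 and the wan gateway 203.0.113.1 are assumptions.
BASE_ROUTES: List[Route] = [
    Route("0.0.0.0/0", "em0", "203.0.113.2", "203.0.113.1"),
    Route("192.168.20.0/24", "em1", "192.168.20.254", None),
]
FLOWS: List[Flow] = [Flow("192.168.20.0/24", "192.168.10.0/24")]

# Mitja's workaround: route the remote LAN via the router's own LAN
# address so that this address is chosen as the packet's source.
FIXED_ROUTES: List[Route] = BASE_ROUTES + [
    Route("192.168.10.0/24", "em1", "192.168.20.254", "192.168.20.254"),
]


def lookup_route(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match over the table."""
    d = ip_address(dst)
    matches = [r for r in routes if d in ip_network(r.prefix)]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda r: ip_network(r.prefix).prefixlen)


def source_address(routes: List[Route], dst: str,
                   bind: Optional[str] = None) -> str:
    """Source of a locally generated packet: the explicitly bound address
    (ping -I, ssh -b) if there is one, else the outgoing interface's."""
    return bind if bind else lookup_route(routes, dst).ifaddr


def matching_flow(flows: List[Flow], src: str, dst: str) -> Optional[Flow]:
    """SPD lookup: a flow matches on source AND destination."""
    s, d = ip_address(src), ip_address(dst)
    for f in flows:
        if s in ip_network(f.local) and d in ip_network(f.remote):
            return f
    return None


def local_path(routes: List[Route], flows: List[Flow], dst: str,
               bind: Optional[str] = None) -> Tuple[str, str]:
    """('ipsec' or 'clear', source address) for a router-originated packet."""
    src = source_address(routes, dst, bind)
    return ("ipsec" if matching_flow(flows, src, dst) else "clear", src)


def forwarding_redirect(routes: List[Route], in_iface: str,
                        dst: str) -> Optional[str]:
    """For a packet the router forwards: the address an ICMP Redirect Host
    would point the sender at, or None.  Simplified form of the classic
    rule: redirect when the packet would leave through the interface it
    arrived on, via a gateway."""
    r = lookup_route(routes, dst)
    if r.iface == in_iface and r.gateway:
        return r.gateway
    return None


if __name__ == "__main__":
    dst = "192.168.10.1"
    print("default table:", local_path(BASE_ROUTES, FLOWS, dst))
    print("bound source: ", local_path(BASE_ROUTES, FLOWS, dst,
                                       bind="192.168.20.254"))
    print("manual route: ", local_path(FIXED_ROUTES, FLOWS, dst))
    # A LAN host's packet enters on em1 and, with the manual route, would
    # leave on em1 again via the router's own address: hence the
    # "Redirect Host(New addr: 192.168.20.254)" the hosts see.
    print("redirect after route: ", forwarding_redirect(FIXED_ROUTES, "em1", dst))
    print("redirect before route:", forwarding_redirect(BASE_ROUTES, "em1", dst))
```

Run as-is it reports ('clear', '203.0.113.2') for the unmodified table: the default route selects em0, the wan address becomes the source, and no flow matches, which is exactly the "uses the default (wan) interface" symptom. Both workarounds give ('ipsec', '192.168.20.254'): binding the source with ping -I or ssh -b sidesteps the routing lookup, while the manual route makes the LAN address the default source. The last two calls show the side effect Aurelien observed: once 192.168.10.0/24 is routed via 192.168.20.254 on the LAN interface, a LAN host's packet would go back out the interface it came in on, so the router tells the host to use the route's gateway, which is the router itself; before the route was added there was no redirect. Whether to suppress those redirects (OpenBSD has the net.inet.ip.redirect sysctl for that) is a separate decision the thread does not get into.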