"Peter Mueller" <[EMAIL PROTECTED]> wrote on 11/12/2004 12:42:27 PM:

> > left=68.208.33.25
> > leftsubnet=10.154.16.0/22
>
> > rightsubnet=10.154.16.0/255.255.252.0
>
> (If I'm reading this correctly..)
> In left's view, 10.154.16.0/.252 is owned by left. Ipsec routes get a lower
> route priority than local interface routes. Therefore, traffic won't bother
> to traverse over IPSec. Try changing the subnet range to something
> different.


The difference between right and left is not a problem: if you want to set up both firewalls so that they interpret themselves as being left or right, or both be different, it does not matter.

However, your statement did lead me to the answer. Because the VPN client (a host endpoint) was on the same subnet as the Leaf firewall's external network, Leaf routed the traffic straight to it, instead of as part of the IPSec tunnel. Once I put a router in between the Windows VPN endpoint and the LEAF router, it worked.

To repeat: I made exactly zero VPN or IPSec configuration changes. I only moved the Windows VPN endpoint to an IP network different than the Leaf firewall's external network (i.e.: put a simple non-firewall, non-NAT computer with 2 interfaces acting as a router between them). And it now works.

Why wouldn't the IPSec tunnels have a *higher* priority than the interface routes? That doesn't make sense to me. It also was something that I did not think would happen: I have connected subnet-to-subnet firewalls directly together on the same external subnet without problems. Of course, there, the IP address that the Leaf firewall is given is of the *subnet* endpoint and therefore does not conflict with the interface route. However, because I have been doing that for years, I thought nothing of putting my VPN host endpoint in the same place...

Tim Massey
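A small configuration check, added here as an illustration and not part of the thread or the LEAF project, that flags the two conditions discussed above: a remote traffic selector that falls inside a directly-connected network (so the connected route wins and the tunnel is bypassed, as with the Windows host endpoint), and left/right selectors that claim the same prefix (Peter's point). The /24 external mask, the peer address .77 and the 192.0.2.10 address are assumed for illustration; only 68.208.33.25 and the 10.154.16.0/22 selectors come from the thread.

```python
import ipaddress


def _net(spec):
    # Accept both "a.b.c.d/22" and "a.b.c.d/255.255.252.0" (the two forms seen in the thread).
    return ipaddress.ip_network(spec, strict=False)


def find_route_conflicts(connected_networks, local_selectors, remote_selectors):
    """Return (kind, remote, clashing) tuples for IPsec selectors a plain route would shadow.

    connected_networks: networks directly attached to the firewall's interfaces.
    local_selectors:    leftsubnet-style selectors (what this side protects).
    remote_selectors:   rightsubnet-style selectors (what the peer protects); for a host
                        endpoint this is the peer's own address as a /32.
    """
    conflicts = []
    for remote in map(_net, remote_selectors):
        for connected in map(_net, connected_networks):
            # A directly-connected route beats the IPsec policy route, so packets for a
            # remote selector inside a connected network are delivered directly, untunnelled.
            if remote.overlaps(connected):
                conflicts.append(("connected-route-shadows-tunnel", str(remote), str(connected)))
        for local in map(_net, local_selectors):
            # Both ends claiming the same prefix: neither side can tell tunnel traffic from local.
            if remote.overlaps(local):
                conflicts.append(("local-and-remote-selectors-overlap", str(remote), str(local)))
    return conflicts


# Constructed inputs (assumed values, see lead-in). BROKEN models the Windows host endpoint
# sitting on the firewall's external subnet; FIXED models it moved behind a router.
BROKEN = dict(connected_networks=["68.208.33.0/24", "10.154.16.0/22"],
              local_selectors=["10.154.16.0/22"],
              remote_selectors=["68.208.33.77/32"])
FIXED = dict(BROKEN, remote_selectors=["192.0.2.10/32"])
SAME_SUBNET_BOTH_SIDES = dict(connected_networks=["10.154.16.0/22"],
                              local_selectors=["10.154.16.0/22"],
                              remote_selectors=["10.154.16.0/255.255.252.0"])

if __name__ == "__main__":
    for name, cfg in [("broken", BROKEN), ("fixed", FIXED), ("same-subnet", SAME_SUBNET_BOTH_SIDES)]:
        print(name, find_route_conflicts(**cfg) or "no conflicts")
```

The check only needs the interface prefixes and the connection's selectors, so it can be run against a config before bringing a tunnel up.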



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html