Hi misc,
We have what should be a simple VPN routing issue but I can't figure out
what to do with the IPSec config. We have many remote office firewalls
with IPSec tunnels linking to our head office (hub and spoke topology),
each defining Phase 2 policies mapping the remote internal networks to
the head office internal network.
Traffic flows perfectly from local LAN to remote LAN and vice versa. But
I am stuck as to how to configure the tunnels so a daemon on the remote
OBSD firewalls themselves can route traffic to the head office internal LAN.
To be specific I have written a script which analyses the interface HFSC
queues from 'systat queues' etc, and then 'netcats' the formatted data
(throughput rates etc) to our statsd/graphite server for display. It
works really well on the head office firewalls which netcat the rates
etc to the internal statsd/graphite server which is on the internal LAN,
however when running the same script on the remote office firewalls, I
have the problem of how to get the netcat payload down the IPSec tunnel
to the head office LAN.
When I try to do a ping or otherwise on the remote firewalls to the head
office LAN, I get a 'no route to host' error which implies that the
IPSec VPN policy route which can be seen in the 'route show' is not
being used as the source IP of the ping/payload is not going to have the
firewall's internal LAN address to match the policy route etc.
I was thinking about packet tagging, or doing some kind of dirty
mangling of sorts, but not sure?
Thanks for your thoughts :)
Andrew Lemin
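Added example, not from the post above: a small sh sketch of the statsd push that binds the firewall's own LAN address as the packet source (nc -s, ping -I), assuming that address sits inside the Phase 2 flow's local network and that STATSD_HOST, SRC_ADDR and the rate-line format are placeholders.

```shell
#!/bin/sh
# Added example (not the poster's script). Assumptions: statsd listens on UDP
# 8125 at $STATSD_HOST (placeholder address), and $SRC_ADDR is this firewall's
# internal LAN IP, which lies inside the Phase 2 flow's local network, so
# binding it as the source lets the datagrams match the IPsec flow.

STATSD_HOST="${STATSD_HOST:-192.0.2.10}"   # placeholder: head-office statsd
STATSD_PORT="${STATSD_PORT:-8125}"
SRC_ADDR="${SRC_ADDR:-10.1.0.1}"           # placeholder: firewall's LAN IP

# Constructed sample of per-queue rate lines: "<iface> <queue> <pkts/s> <bytes/s>"
# (stand-in for the real systat parser's output; the layout is an assumption)
SAMPLE_RATES='em0 q_default 120 96000
em0 q_voip 33 26400
em1 q_bulk 0 0'

# Turn rate lines into statsd gauge lines: name:value|g
format_statsd() {
    printf '%s\n' "$1" | while read -r iface queue pps bps; do
        [ -n "$iface" ] || continue
        printf 'fw.%s.%s.pps:%s|g\n' "$iface" "$queue" "$pps"
        printf 'fw.%s.%s.bps:%s|g\n' "$iface" "$queue" "$bps"
    done
}

# Number of metric lines produced, for a quick sanity check
count_metrics() { format_statsd "$1" | wc -l | tr -d ' '; }

# Ship the payload over UDP with the LAN address bound as source
# (-u and -s are OpenBSD nc(1) options) so it falls inside the IPsec flow.
send_statsd() {
    format_statsd "$1" | nc -u -w 1 -s "$SRC_ADDR" "$STATSD_HOST" "$STATSD_PORT"
}

# Same idea for a reachability check: ping -I binds the source address.
check_path() { ping -c 1 -w 2 -I "$SRC_ADDR" "$STATSD_HOST" >/dev/null 2>&1; }
```

Without -s/-I the kernel picks the outgoing interface's address, which matches no flow, hence the 'no route to host'.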