I was just experimenting w/ NAT-T for NAT through IPSec. I searched the forum and mailing list and I see that it is being tested, but there is no implementation time frame. Is this a feature that might show up in 1.2FINAL, or is it too late to get a feature request in for 1.2?
> Interesting .... I have tried opening up the IPsec policy to ANY <> ANY on
> both the pfS1/2 boxes. I still see the traceroute (ICMP) packets heading to
> INET from NET1 when tracing to a NET4 address.
>
> Maybe a combo of IPsec policies and static routes??? Not quite sure, not
> having any luck in trying different combinations of configs.
>
> --
> --> David L. Strout
> --> ENGINEERING SYSTEMS PLUS, LLC
> --> [EMAIL PROTECTED]
> --
>
> -----Original Message-----
> From: Matthew Grooms [mailto:[EMAIL PROTECTED]
> Sent: Saturday, July 07, 2007 2:30 AM
> To: [email protected]
> Subject: Re: [pfSense Support] routing over IPsec tunnel
>
> David Strout wrote:
> > I have a need to set up the following topology at
> > several locations connected via VPN tunnels.
> >
> > NET1--RTR1--NET2--pfS1--{INET}--pfS2--NET3--RTR2--NET4
> >                   >--IPsec TUNNEL--<
> >
> > NET1=10.10.10.0/24
> > NET2=192.168.100.0/24
> > NET3=192.168.200.0/24
> > NET4=10.10.20.0/24
> >
> > I have a VPN tunnel nailed up between the two pfS
> > boxes w/ NET2 & NET3 on the "LAN" side. The pfS1
> > box has a static route to NET1 via RTR1 and pfS2
> > has a static route to NET4 via RTR2. The
> > "default" route on NET1 & NET4 is RTR1 & RTR2
> > respectively and RTR1 has a next hop of pfS1 and
> > RTR2's next hop is pfS2. So now that you have
> > your mind wrapped around that .... here's the
> > problem.
> >
> > In order for NET1 hosts to reach NET3/4 hosts ....
> > "OR" NET4 hosts to reach NET1/2 hosts I am
> > assuming there has to be some static routes on the
> > pfS boxes.
> >
> > I added the following static route on pfS1:
> > 10.10.20.0/24{NET4} > 192.168.200.254{RTR2's NET3 IP}
> >
> > I added the following static route on pfS2:
> > 10.10.10.0/24{NET1} > 192.168.100.254{RTR1's NET2 IP}
> >
> > My assumption is that pfS1 knows about NET3 and
> > pfS2 knows about NET2 via the tunnel. The problem
> > is that when I traceroute from a host on NET1 to a
> > host on NET4 pfS1 forwards the packets to the
> > internet instead of sending them through the
> > tunnel (and vice-versa from NET4 to NET1 pfS2
> > forwards the packets to the internet instead of
> > through the tunnel). I even added routes to the
> > RTR1/2 for the respective networks as well just to
> > test with and still no go. I must be missing
> > something simple here as I know that this can be
> > done as this is just packet routing. Maybe I
> > haven't had enough coffee yet.
> >
> > Any thoughts are greatly appreciated!!!
> >
>
> Static routes won't get you there. Think of IPSEC policies as an
> alternate end-to-end routing table that is used to determine what
> traffic will be tunneled to a distant peer. You will need to define
> separate policies to process traffic between multiple local and distant
> private networks.
>
> In other words, the following policies would be required for your setup ...
>
> NET1 <-> NET3
> NET3 <-> NET1
>
> NET1 <-> NET4
> NET4 <-> NET1
>
> NET2 <-> NET3
> NET3 <-> NET2
>
> NET2 <-> NET4
> NET4 <-> NET2
>
> -Matthew
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
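Matthew's point that the IPsec security policy database (SPD), not the routing table, decides what gets tunneled, as an added Python model (not pfSense code and not from either poster): it builds the pairwise phase-2 selectors for the thread's four subnets and shows a NET1->NET4 packet missing the SPD and leaving for INET in the clear, which is the traceroute leak David saw. The subnets are the thread's; the policy sets and sample addresses are constructed.

```python
import ipaddress
from itertools import product

# Subnets taken from the thread's topology; the policy sets below are
# constructed for illustration, not David's or Matthew's actual config.
NET1, NET2 = "10.10.10.0/24", "192.168.100.0/24"   # behind pfS1 (NET1 via RTR1)
NET3, NET4 = "192.168.200.0/24", "10.10.20.0/24"   # behind pfS2 (NET4 via RTR2)


def pairwise_policies(local_nets, remote_nets):
    """Build the phase-2 selectors pfS1 needs: one (local, remote) pair
    per combination. Each pair yields an outbound and an inbound SPD
    entry; the peer needs the mirrored set (see mirror())."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l, r in product(local_nets, remote_nets)]


def mirror(policies):
    """The same selectors as seen from the distant peer (pfS2)."""
    return [(dst, src) for src, dst in policies]


def spd_match(policies, src_ip, dst_ip):
    """Return the first selector covering src->dst, or None.
    This lookup alone decides encapsulation; the kernel routing table
    (and any static routes added to it) never enters into it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src, dst in policies:
        if s in src and d in dst:
            return (src, dst)
    return None


def egress(policies, src_ip, dst_ip):
    """Where a packet forwarded by pfS1 ends up: an SPD hit means the
    tunnel; a miss means it follows the default route to INET in the
    clear, which is exactly the traceroute leak seen in the thread."""
    return "tunnel" if spd_match(policies, src_ip, dst_ip) else "INET (cleartext)"


# Original tunnel: only the two "LAN" networks are selected.
ORIGINAL_SPD = pairwise_policies([NET2], [NET3])
# Matthew's fix: every local/remote combination gets its own policy.
FULL_SPD = pairwise_policies([NET1, NET2], [NET3, NET4])

if __name__ == "__main__":
    for spd, name in ((ORIGINAL_SPD, "original"), (FULL_SPD, "full")):
        print(f"{name}: NET1->NET4 goes to {egress(spd, '10.10.10.7', '10.10.20.7')}")
    for src, dst in FULL_SPD:
        print(f"pfS1 phase 2: {src} <-> {dst}")
```

Auditing the SPD this way (rather than the routing table) is also how to confirm that no private-to-private flow can escape unencrypted via the default route.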
