
Re: [FW-1] IP proto 50 (ESP) / routing - ESP traffic ignores routing table



Hans,

I think Crist has got it all right, since, as you have been saying, both
gateways have one interface within the same network.


If you still have problems you need to disclose a bit more; no need
for real IP addresses, but a bit more info would be good.

Regards,

CS

>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]] On Behalf
>Of Crist Clark
>Sent: Thursday, 14 August, 2003 18:07
>To: [email protected]
>Subject: Re: [FW-1] IP proto 50 (ESP) / routing - ESP traffic
>ignores routing table
>
>
>Hans Bayle wrote:
>>
>> Thanks Carlos,
>>
>> Hope this makes it clearer:
>>
>>                         __ce-rtr1__internal WAN__other vpn-1 gateways
>>                        /
>>                       /
>> 192.168.25.0 -- A ---+---- B --- 192.168.24.0
>>                   \
>>                    \___ce-rtr2__ internet __ other vpn-1 gateways
>>
>> Gateway A is running VPN-1,
>> its encryption domain is 192.168.25.0,
>> its internal interface 192.168.25.1,
>> its first external interface connects to a customer edge router to the
>> Internet (ce-rtr2).
>> It has its default gateway defined to that router.
>> its second external interface connects to a subnet in which Gateway B
>> and another customer edge router that connects to an internal WAN.
>>
>> Gateway B is running VPN-1
>> its encryption domain is 192.168.24.0,
>> its internal interface is 192.168.24.1
>> its external interface connects to Gateway A and ce-rtr1
>>
>> When I try to set up an IPSec tunnel between Gateway A and Gateway B,
>> I see that the ESP traffic from Gateway A leaves the wrong interface to
>> ce-rtr2 and that the ESP traffic from Gateway B goes to ce-rtr1. This is
>> because the default gateway for A is ce-rtr2 and for B it is ce-rtr1.
>>
>> While all other traffic behaves according to the routing tables, the ESP
>> traffic is always directed to the default gateway, even if I manually
>> define static routes.
>
>What exactly are your routes and the "external" IP addresses of the two
>gateways?
>
>I'm not 100% on this, but I have a guess at what might be going on. The
>routing decision on a packet is made _before_ it is processed by the
>firewall (unless that has changed recently, in mid-NG). That means the
>address on the encapsulated packet with the other end of the tunnel as
>the destination is NOT the address used to find the next hop. The address
>on the original packet determines the route.
>
>On gateway A, you'd need a route,
>
>  # route add -net 192.168.24.0/24 <gateway B's external IP>
>
>And on B,
>
>  # route add -net 192.168.25.0/24 <gateway A's external IP>
>
>If you have those routes... NG is doing something else strange with the
>routing.
>--
>Crist J. Clark                               [email protected]
>Globalstar Communications
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
>


Trusted Systems - http://www.trusted.pt
Praça de Alvalade, n.º 6 - 6.º piso
1700-036 Lisboa, PORTUGAL
Tel: +00
Fax: +42
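An added example, not part of the thread: a small Python model of Crist's hypothesis that the kernel picks the next hop from the cleartext (inner) destination before VPN-1 encapsulates, so the outer ESP destination never influences the route. The shared subnet 10.0.0.0/24, the gateways' external IPs and the router addresses are assumptions; the thread gives only the two encryption domains.

```python
import ipaddress

# Constructed topology. Encryption domains come from the thread; the shared
# subnet, external IPs and router addresses are assumed for illustration.
SHARED_NET = "10.0.0.0/24"                       # assumed: subnet joining A, B, ce-rtr1
A_EXT, B_EXT = "10.0.0.1", "10.0.0.2"            # assumed external IPs of A and B
CE_RTR1, CE_RTR2 = "10.0.0.254", "203.0.113.1"   # assumed router addresses
CONNECTED = "connected"                          # marker for directly attached nets


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def next_hop_for_tunnel(routes, inner_dst, peer_ext, route_before_encap=True):
    """Next hop the ESP packet takes for a cleartext packet to inner_dst.

    route_before_encap=True models the behaviour described in the thread:
    the route is chosen from the inner destination, so a missing route for
    the remote encryption domain sends ESP to the default gateway.
    route_before_encap=False shows what would happen if the outer ESP
    destination (peer_ext) were routed instead.
    """
    key = inner_dst if route_before_encap else peer_ext
    return lookup(routes, key)


# Gateway A with only connected nets and a default route to ce-rtr2,
# the situation Hans describes.
ROUTES_A_BEFORE = [
    ("0.0.0.0/0", CE_RTR2),
    (SHARED_NET, CONNECTED),
    ("192.168.25.0/24", CONNECTED),
]

# Gateway A after Crist's "route add -net 192.168.24.0/24 <gateway B's external IP>".
ROUTES_A_AFTER = ROUTES_A_BEFORE + [("192.168.24.0/24", B_EXT)]

if __name__ == "__main__":
    host_in_b = "192.168.24.10"   # constructed host inside B's encryption domain
    print("without /24 route:", next_hop_for_tunnel(ROUTES_A_BEFORE, host_in_b, B_EXT))
    print("with /24 route:   ", next_hop_for_tunnel(ROUTES_A_AFTER, host_in_b, B_EXT))
```

Without the static route the inner destination falls to the default route and ESP leaves toward ce-rtr2; with the /24 route pointing at B's external IP it goes across the shared subnet as intended.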


