
Re: [FW-1] IP proto 50 (ESP) / routing - ESP traffic ignores routing table


  • To: [email protected]
  • Subject: Re: [FW-1] IP proto 50 (ESP) / routing - ESP traffic ignores routing table
  • From: "Burton, Chris" <[email protected]>
  • Date: Thu, 14 Aug 2003 21:00:19 -0700
  • Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
  • Sender: Mailing list for discussion of Firewall-1 <[email protected]>
  • Thread-index: AcNigxVjHNpd+GZSQTWewsSObTeMggAXnNPw
  • Thread-topic: [FW-1] IP proto 50 (ESP) / routing - ESP traffic ignores routing table

It sounds like it does not find a route pointing to ce-rtr1, or ce-rtr1
does not have a route pointing back to gateway A.

Chris C. Burton
Network Engineer
Walt Disney Internet Group: Network Services

-----Original Message-----
From: Hans Bayle [mailto:[email protected]]
Sent: Thursday, August 14, 2003 9:20 AM
To: [email protected]
Subject: Re: [FW-1] IP proto 50 (ESP) / routing - ESP traffic ignores routing table

Thanks Carlos,

Hope this makes it clearer:

                        __ce-rtr1__internal WAN__other vpn-1 gateways
                       /
                      /
192.168.25.0 -- A ---+---- B --- 192.168.24.0
                  \
                   \___ce-rtr2__ internet __ other vpn-1 gateways


Gateway A is running VPN-1,
its encryption domain is 192.168.25.0,
its internal interface is 192.168.25.1,
its first external interface connects to a customer edge router to the Internet (ce-rtr2);
it has its default gateway defined to that router.
Its second external interface connects to a subnet shared with Gateway B
and another customer edge router that connects to an internal WAN.

Gateway B is running VPN-1,
its encryption domain is 192.168.24.0,
its internal interface is 192.168.24.1,
its external interface connects to Gateway A and ce-rtr1.

When I try to set up an IPSec tunnel between Gateway A and Gateway B,
I see that the ESP traffic from Gateway A leaves the wrong interface to
ce-rtr2 and that the ESP traffic from Gateway B goes to ce-rtr1. This is
because the default gateway for A is ce-rtr2 and for B it is ce-rtr1.

While all other traffic conforms to the routing tables, the ESP traffic
is always directed to the default gateway, even if I manually define
static routes.


Hans Bayle
Network Consultant
[email protected]


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of Carlos Santos
Sent: Thursday, August 14, 2003 5:09 PM
To: [email protected]
Subject: Re: [FW-1] IP proto 50 (ESP) / routing - ESP traffic ignores routing table


If you don't mind me asking...what are you routing?
IP address of the gateway?
IP addresses of the encryption domain behind the other peer?


CS
>-----Original Message-----
>From: Mailing list for discussion of Firewall-1
>[mailto:[email protected]] On Behalf Of Hans Bayle
>Sent: Thursday, 14 August, 2003 15:38
>To: [email protected]
>Subject: [FW-1] IP proto 50 (ESP) / routing - ESP traffic ignores routing table
>
>Hi,
>
>
>We are using NG FP3 on Solaris 9.
>
>On our VPN gateway with 2 external interfaces, one interface connected
>to the Internet, the other to an internal WAN, ESP traffic ignores the routing
>table and always flows to the default gateway (a router to the Internet),
>and not to another VPN gateway that is connected to the internal WAN.
>
>Within the same configuration, management traffic, TCP traffic etc. *does*
>follow the routing table.
>
>What can I do to let ESP traffic follow the routing table?
>
>
>Hans Bayle
>Network Consultant
>[email protected]
>
>=================================================
>To set vacation, Out-Of-Office, or away messages,
>send an email to [email protected]
>in the BODY of the email add:
>set fw-1-mailinglist nomail
>=================================================
>To unsubscribe from this mailing list,
>please see the instructions at
>http://www.checkpoint.com/services/mailing.html
>=================================================
>If you have any questions on how to change your
>subscription options, email
>[email protected]
>=================================================
>


Trusted Systems - http://www.trusted.pt
Praga de Alvalade, n.: 6 - 6.: piso
1700-036 Lisboa, PORTUGAL
Tel: +00
Fax: +42

--

Privileged or confidential information may be contained in this
message. If you are not the addressee indicated in this message, you
may not copy or deliver this message to anyone. In such case, you
should destroy this message and kindly notify the sender by reply
email.

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
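A small check, added here and not part of the thread or of Check Point's tooling, that applies Chris's and Carlos's questions to a constructed routing table for Gateway A: it does a longest-prefix lookup for the peer gateway address and for the remote encryption domain, and compares the egress interface the table predicts with the one ESP was actually seen leaving on. Only the 192.168.24.0 and 192.168.25.0 domains come from the thread; the external subnets, next hops and hme interface names are assumptions.

```python
import ipaddress

# Constructed routing table for Gateway A in the thread's topology. Only the
# 192.168.24.0 and 192.168.25.0 encryption domains come from the thread; the
# external subnets, next-hop addresses and interface names are assumptions.
# Columns mimic Solaris "netstat -rn": destination, netmask, gateway, interface.
GATEWAY_A_ROUTES = [
    ("192.168.25.0", "255.255.255.0", "192.168.25.1", "hme0"),  # internal / own encryption domain
    ("203.0.113.0",  "255.255.255.0", "203.0.113.2",  "hme1"),  # link toward ce-rtr2 (Internet)
    ("10.0.1.0",     "255.255.255.0", "10.0.1.2",     "hme2"),  # subnet shared with B and ce-rtr1
    ("192.168.24.0", "255.255.255.0", "10.0.1.3",     "hme2"),  # static: B's domain via B's external IP
    ("default",      "0.0.0.0",       "203.0.113.1",  "hme1"),  # default route -> ce-rtr2
]

def lookup(routes, dst):
    """Longest-prefix match over the table; returns (gateway, interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, ifc in routes:
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else f"{dest}/{mask}")
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifc)
    return (best[1], best[2]) if best else None

def check_tunnel_routing(routes, peer_ip, remote_domain, observed_esp_ifc):
    """Answer "what are you routing?" for one tunnel: where the table sends the
    peer gateway address, where it sends the remote encryption domain, and
    whether the ESP egress seen on the wire (snoop/tcpdump) matches the table."""
    peer_route = lookup(routes, peer_ip)
    # Probe the first host of the remote domain rather than the network address.
    domain_route = lookup(routes, str(ipaddress.ip_network(remote_domain)[1]))
    return {
        "peer_route": peer_route,
        "domain_route": domain_route,
        "same_interface": peer_route is not None and domain_route is not None
                          and peer_route[1] == domain_route[1],
        "esp_follows_table": peer_route is not None and observed_esp_ifc == peer_route[1],
    }

if __name__ == "__main__":
    # Symptom from the thread: ESP to B is observed leaving via hme1 (toward ce-rtr2),
    # although the table sends both B's address and B's domain out hme2.
    print(check_tunnel_routing(GATEWAY_A_ROUTES, "10.0.1.3", "192.168.24.0/24", "hme1"))
```

An `esp_follows_table` of False with `same_interface` True reproduces Hans's symptom; a `peer_route` of None is Chris's first case, a gateway with no route at all to the peer.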