Re: [FW-1] IP proto 50 (ESP) / routing - ESP traffic ignores routing table
Thanks Crist, this solved my problem.

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Crist Clark
Sent: Thursday, August 14, 2003 7:07 PM
To: [email protected]
Subject: Re: [FW-1] IP proto 50 (ESP) / routing - ESP traffic ignores routing table

Hans Bayle wrote:
>
> Thanks Carlos,
>
> Hope this makes it clearer:
>
>                       __ce-rtr1__internal WAN__other vpn-1 gateways
>                      /
>                     /
> 192.168.25.0 -- A ---+---- B --- 192.168.24.0
>                  \
>                   \___ce-rtr2__ internet __ other vpn-1 gateways
>
> Gateway A is running VPN-1,
> its encryption domain is 192.168.25.0,
> its internal interface is 192.168.25.1,
> its first external interface connects to a customer edge router to the Internet
> (ce-rtr2).
> It has its default gateway defined to that router.
> Its second external interface connects to a subnet in which Gateway B
> and another customer edge router that connects to an internal WAN.
>
> Gateway B is running VPN-1,
> its encryption domain is 192.168.24.0,
> its internal interface is 192.168.24.1,
> its external interface connects to Gateway A and ce-rtr1.
>
> When I try to set up an IPSec tunnel between Gateway A and Gateway B,
> I see that the ESP traffic from Gateway A leaves the wrong interface to
> ce-rtr2 and that the ESP traffic from Gateway B goes to ce-rtr1. This is
> because the default gateway for A is ce-rtr2 and for B it is ce-rtr1.
>
> While all other traffic conforms to the routing tables, the ESP traffic
> is always directed to the default gateway, even if I manually define static
> routes.

What exactly are your routes and the "external" IP addresses of the two
gateways?

I'm not 100% on this, but I have a guess at what might be going on. The
routing decision on a packet is made _before_ it is processed by the
firewall (unless that has changed recently, in mid-NG). That means the
address on the encapsulated packet with the other end of the tunnel as the
destination is NOT the address used to find the next hop. The address on
the original packet determines the route. On gateway A, you'd need a route,

# route add -net 192.168.24.0/24 <gateway B's external IP>

And on B,

# route add -net 192.168.25.0/24 <gateway A's external IP>

If you have those routes... NG is doing something else strange with the
routing.
--
Crist J. Clark                               [email protected]
Globalstar Communications

The information contained in this e-mail message is confidential, intended
only for the use of the individual or entity named above. If the reader of
this e-mail is not the intended recipient, or the employee or agent
responsible to deliver it to the intended recipient, you are hereby notified
that any review, dissemination, distribution or copying of this communication
is strictly prohibited. If you have received this e-mail in error, please
contact [email protected]

=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email
[email protected]
=================================================
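The next-hop behaviour Crist describes (route lookup on the inner, cleartext packet before ESP encapsulation) modelled on the thread's topology, as an added example that is not from the thread or from Check Point. The 10.0.0.0/24 subnet shared by A, B and ce-rtr1, the gateways' external addresses and the router addresses are constructed placeholders; the lookup ordering is the one the post states, taken as an assumption.

```python
import ipaddress

# Constructed addresses for what the thread leaves unnamed (assumptions):
# the subnet shared by A, B and ce-rtr1, and the two customer edge routers.
A_EXT_SHARED = "10.0.0.1"     # A's second external interface
B_EXT        = "10.0.0.2"     # B's external interface
CE_RTR1      = "10.0.0.254"   # internal-WAN router on the shared subnet
CE_RTR2      = "203.0.113.1"  # A's Internet-facing next hop (default gateway)

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) entries.
    next_hop is an IP string, or 'on-link' for a directly connected subnet."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop

def esp_next_hop(table, inner_dst, peer):
    """Next hop for an ESP packet under the ordering the thread describes:
    the route is chosen for the inner (pre-encapsulation) destination, so the
    tunnel peer's address plays no part in the decision (assumption)."""
    return lookup(table, inner_dst)

# Gateway A as described: internal 192.168.25.0/24, default via ce-rtr2,
# plus the constructed shared subnet towards B and ce-rtr1.
GATEWAY_A = [
    ("192.168.25.0/24", "on-link"),
    ("10.0.0.0/24", "on-link"),
    ("0.0.0.0/0", CE_RTR2),
]
# Crist's fix: a static route for B's encryption domain via B's external IP.
GATEWAY_A_FIXED = GATEWAY_A + [("192.168.24.0/24", B_EXT)]

def demo():
    inner_dst = "192.168.24.10"   # host in B's encryption domain (constructed)
    return {
        "outer_dst_route": lookup(GATEWAY_A, B_EXT),               # 'on-link'
        "esp_before_fix": esp_next_hop(GATEWAY_A, inner_dst, B_EXT),       # ce-rtr2
        "esp_after_fix": esp_next_hop(GATEWAY_A_FIXED, inner_dst, B_EXT),  # B
    }

if __name__ == "__main__":
    for name, hop in demo().items():
        print(f"{name}: {hop}")
```

The peer address alone would have resolved on-link, which is why the tunnel looks correctly routed until the inner destination is checked against the table.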