[plug] How to get sub-subnet to talk
Steve Baker
steve at iinet.net.au
Tue May 1 08:33:37 WST 2007
Hi Plug,
Apologies in advance for the long email, but you all know we need to
include everything we can...
I have two networks with an IPSec tunnel between them, and happily
routing stuff between both networks. Inside one of the networks I want
to add another separate network, with a gateway/router in-between. So
the scenario is like this:
(Point A)             (Gateway X)
192.168.100.0/24 --- 192.168.100.254/internet <--- (ipsec tunnel) ---

                      (Gateway Y)
---> internet/192.168.140.254 <-- 192.168.140.0/24 ---

                      (Gateway Z)                        (Point B)
--- 192.168.140.252/192.168.86.254 --- 192.168.86.0/24
(Hope that is clear...)
The question: *How do I route packets from Point A to Point B?*
Clarifications and Complications:
- Routing between the .100 and .140 networks works
- I've set the correct route to .86 on gateway Y with this:
route add -net 192.168.86.0 netmask 255.255.255.0 gw 192.168.140.252
- ...after which routing between the .140 and .86 networks works. YAY!
- Trying this command on gateway X:
route add -net 192.168.86.0 netmask 255.255.255.0 gw 192.168.140.252
fails with 'SIOCADDRT: Network is unreachable', as does this:
route add -net 192.168.86.0 netmask 255.255.255.0 gw 192.168.140.254
- This error message is due to the next hop gw not being on the local
network.
- I tried adding a 'host route' for the address 192.168.140.252 on
Gateway X, which works. When I tried adding the route for the .86
network via that host as before, it fails with the same error as before.
- Gateway X is running kernel 2.6, using OpenSWAN for the tunnel and also
Shorewall. What changes to the Shorewall config might I need to include?
- relevant stuff from netstat -rn on gateway X shows:

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
202.72.155.72   0.0.0.0         255.255.255.252 U     0   0      0    eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0   0      0    eth1
192.168.140.0   202.72.155.73   255.255.255.0   UG    0   0      0    eth0
0.0.0.0         202.72.155.73   0.0.0.0         UG    0   0      0    eth0
- Despite looking like .140 packets go out eth0, they go down the ipsec
tunnel.
- Gateway Y is running kernel 2.4 (it's an IPCop box)
- relevant stuff from netstat -rn on gateway Y shows:

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.100.0   207.81.158.254  255.255.255.0   UG    0   0      0    ipsec0
192.168.86.0    192.168.140.252 255.255.255.0   UG    0   0      0    eth0
192.168.140.0   0.0.0.0         255.255.255.0   U     0   0      0    eth0
0.0.0.0         207.81.158.254  0.0.0.0         UG    0   0      0    eth1
- Gateway Z just has routes for .140 and .86, with Gateway Y as its
default. I would assume that traffic from there gets routed through, but
gets lost on the way back.
- There is a .150 network on another ipsec tunnel attached to Gateway X.
I'd like that to be able to see the .86 network as well if possible. One
step at a time, I know, but extra credit for any tips for this one...
Is there a way to set up the routing table so that I can see the .86
network directly from the .100 network? I'm not sure if I should be
trying to implement a bridge here? I'm not sure if that is the
appropriate solution, and if so, where I should be bridging from/to
(between X and Z? what config?)
Any help/insights greatly appreciated.
Regards,
Steve
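Added example (not part of Steve's post, and not the kernel's actual code): a small Python model of the two things the post runs into, the longest-prefix-match lookup the kernel does for an outgoing packet, and the simplified rule that a gateway given to "route add" must itself be reachable through a directly connected route (Gateway 0.0.0.0 in netstat -rn) rather than through another gateway route. The routing tables are reconstructed from the netstat output quoted in the post; the function names and the "directly connected only" rule are this example's own simplification of the kernel's next-hop validation, not an exact reproduction of it. Running it reproduces the sequence the post describes on Gateway X: the .86 route via 192.168.140.252 or .254 is refused, a host route to .252 is accepted, and the .86 route via .252 is still refused afterwards because the host route is itself a gateway route.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the netstat -rn output quoted in the post (Gateway X, kernel 2.6).
GATEWAY_X_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
202.72.155.72   0.0.0.0         255.255.255.252 U     0   0      0    eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0   0      0    eth1
192.168.140.0   202.72.155.73   255.255.255.0   UG    0   0      0    eth0
0.0.0.0         202.72.155.73   0.0.0.0         UG    0   0      0    eth0
"""

# Constructed from the netstat -rn output quoted in the post (Gateway Y, IPCop).
GATEWAY_Y_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
192.168.100.0   207.81.158.254  255.255.255.0   UG    0   0      0    ipsec0
192.168.86.0    192.168.140.252 255.255.255.0   UG    0   0      0    eth0
192.168.140.0   0.0.0.0         255.255.255.0   U     0   0      0    eth0
0.0.0.0         207.81.158.254  0.0.0.0         UG    0   0      0    eth1
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]  # None == directly connected (0.0.0.0)
    iface: str


def parse_netstat(text: str) -> List[Route]:
    """Parse 'netstat -rn' rows: Destination Gateway Genmask Flags ... Iface."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] in ("Kernel", "Destination"):
            continue  # skip the two header lines
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[-1]
        routes.append(Route(
            network=ipaddress.IPv4Network((dest, mask)),
            gateway=None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw),
            iface=iface,
        ))
    return routes


def lookup(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match: the route the kernel would pick for a packet to addr."""
    ip = ipaddress.IPv4Address(addr)
    best = None
    for r in table:
        if ip in r.network and (best is None or r.network.prefixlen > best.network.prefixlen):
            best = r
    return best


def next_hop_is_onlink(table: List[Route], gw: str) -> bool:
    """Simplified model of next-hop validation on route insertion (assumption of this
    example): the gateway must be matched by a directly connected route, not by a
    route that itself points at another gateway."""
    via = lookup(table, gw)
    return via is not None and via.gateway is None


def try_route_add(table: List[Route], dest: str, gw: str) -> str:
    """Model of 'route add -net/-host DEST gw GW'. Returns 'added' or the error text
    the post reports; on success the route is appended to the table in place."""
    if not next_hop_is_onlink(table, gw):
        return "SIOCADDRT: Network is unreachable"
    via = lookup(table, gw)
    table.append(Route(ipaddress.IPv4Network(dest), ipaddress.IPv4Address(gw), via.iface))
    return "added"


if __name__ == "__main__":
    x = parse_netstat(GATEWAY_X_TABLE)
    # The post's three attempts on Gateway X, in order.
    print("X: .86 via .252      ->", try_route_add(x, "192.168.86.0/24", "192.168.140.252"))
    print("X: .86 via .254      ->", try_route_add(x, "192.168.86.0/24", "192.168.140.254"))
    print("X: host .252 via ISP ->", try_route_add(x, "192.168.140.252/32", "202.72.155.73"))
    print("X: .86 via .252 again->", try_route_add(x, "192.168.86.0/24", "192.168.140.252"))
    # Note: the route lookup says eth0 for .140 traffic; on 2.6 the IPsec policy is
    # applied after routing, which is why the post sees those packets enter the tunnel.
    print("X: packet to 192.168.140.1 leaves via", lookup(x, "192.168.140.1").iface)

    y = parse_netstat(GATEWAY_Y_TABLE)
    # On Gateway Y the same gateway sits on a connected network, so the add is fine.
    print("Y: .252 on-link?     ->", next_hop_is_onlink(y, "192.168.140.252"))
```

The useful thing the model makes visible is that a host route to the gateway does not help when that host route is itself a gateway route: the kernel resolves the next hop once more and still finds no connected link, which is the outcome the post reports after the host-route experiment.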