[plug] IPSEC routing between adjacent subnets
Steve Baker
steve at iinet.net.au
Thu May 17 12:52:04 WST 2007
Ian Kent wrote:
> On Sat, 2007-05-12 at 21:43 -0700, Steve Baker wrote:
>
>> Confusing, I know. I probably could have set up the tunnel on Gateway X
>> instead of creating a new gateway V inside the .100.0 network, but X is
>> already a gateway to 3 other networks and I didn't want to risk getting
>> something wrong and being unable to fix it remotely.
>>
>
> Not really.
>
> How can a packet find its way to a particular router if it has an
> address that appears to be on the local network? The arp will return
> address not known and since the address belongs to the local network it
> obviously (tongue in cheek) belongs to a non-existent host.
>
> It's unlikely that arp broadcasts will be forwarded through the tunnel
> but maybe I'm wrong about that.
>
> Ian
>
That's right: this is the mistake I was making in my initial attempts.
I needed to assign an IP to the tunnel interface that is NOT part of the
local network, but is routable from the gateway machine. I could have
added a new tunnel from Gateway X, which would have added a new
interface with its own IP address and routing rules, but I instead
chose to route via a new gateway (V) inside the .100.0 network. All I
had to do then was tell X that the .86 network was available via gateway
host V (which would have instead been tunnel interface tun0 if I had
done it the other way). Gateway X was already the default gateway for
the rest of the .100.0 network, so hosts on that network would have had
packets to the .86.0 routed either via gateway X or directly if told to
via an ICMP redirect.
I had other means of correcting any problems with gateway V if things
went wrong, and this might not have been an option with gateway X. This
is why I chose that option.
I see your point, but I suspect we are talking about slightly different
aspects of the problem. I think you have nailed the reasons for my
initial hassles.
Regards,
Steve
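The routing behaviour Ian and Steve are describing, modelled as an added example (not code from the post or the PLUG list). It is a small longest-prefix-match forwarding model: a destination, or a gateway, that falls inside the on-link prefix is resolved by ARP on the wire, so a tunnel endpoint addressed inside the local subnet is never reachable, while a route to the .86 network via gateway host V works. All addresses (192.168.100.0/24, 192.168.86.0/24, the host IPs) are constructed; the post only gives the ".100.0" and ".86" suffixes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[ipaddress.IPv4Address] = None  # None: destination is on-link, ARP for it directly


def route(prefix: str, dev: str, via: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix), dev,
                 ipaddress.ip_address(via) if via else None)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over a routing table, the way the kernel FIB selects a route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


# Constructed topology (all addresses assumed). ON_WIRE lists who answers ARP on the
# shared Ethernet segment 192.168.100.0/24: gateway X, tunnel gateway V and a plain host H.
ON_WIRE = {"192.168.100.1": "X", "192.168.100.5": "V", "192.168.100.10": "H"}

# Working setup from the post: X learns that the .86 network is reachable via host V,
# and V's tunnel interface tun0 carries an address outside the local .100.0 subnet.
GOOD: Dict[str, List[Route]] = {
    "H": [route("192.168.100.0/24", "eth0"),
          route("0.0.0.0/0", "eth0", "192.168.100.1")],        # X is the default gateway
    "X": [route("192.168.100.0/24", "eth0"),
          route("192.168.86.0/24", "eth0", "192.168.100.5")],  # ".86 available via gateway host V"
    "V": [route("192.168.100.0/24", "eth0"),
          route("192.168.86.0/24", "tun0"),                    # IPsec tunnel interface
          route("0.0.0.0/0", "eth0", "192.168.100.1")],
}

# The initial mistake: the tunnel end was given an address inside the local subnet, so X is
# told to reach .86 "via 192.168.100.200". That looks on-link, gets ARPed, and nothing answers.
BAD: Dict[str, List[Route]] = dict(GOOD)
BAD["X"] = [route("192.168.100.0/24", "eth0"),
            route("192.168.86.0/24", "eth0", "192.168.100.200")]


def trace(start: str, dst: str, tables: Dict[str, List[Route]], max_hops: int = 8) -> List[str]:
    """Follow a packet from node `start` towards `dst`, returning the hop names and the outcome."""
    hops = [start]
    node = start
    for _ in range(max_hops):
        r = lookup(tables[node], dst)
        if r is None:
            return hops + ["no route"]
        if r.dev == "tun0":
            return hops + ["tunnel"]  # V encapsulates; the IPsec peer delivers on the far side
        # Next hop to ARP for: the gateway if the route has one, otherwise the destination itself.
        target = str(r.via) if r.via else dst
        nxt = ON_WIRE.get(target)
        if nxt is None:
            return hops + [f"arp failed for {target}"]  # "address not known", as Ian put it
        if nxt == node:
            return hops + ["delivered"]  # destination is this node itself
        hops.append(nxt)
        node = nxt
    return hops + ["loop"]


if __name__ == "__main__":
    print(trace("H", "192.168.86.20", GOOD))  # H -> X -> V -> tunnel
    print(trace("H", "192.168.86.20", BAD))   # H -> X -> ARP fails for the in-subnet tunnel address
    print(trace("H", "192.168.100.5", GOOD))  # H -> V, delivered directly on the wire
```

The model only covers the forwarding decision on the local segment; the ICMP redirect Steve mentions would simply add a more specific route on H pointing .86 at V, which `lookup` would then prefer over the default route.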