Brook Milligan <brook%nmsu.edu@localhost> writes: > I am trying to set up a VPN using IPSEC and racoon. Here is the basic > network configuration. > > VPN client <-- tunnel --> VPN gateway <-- LAN --> Server > 172.20.128.1/16 172.20.0.245/16 172.20.0.10/16 > > The tunnel seems to be set up fine by racoon. For example, I can ping > the gateway from the client, two apparently correct entries in SPD are > present in both the client and the gateway, and the server receives and > responds to pings from the client. good, so when the gateway has a packet it is routed someplace and then hits the spd. > The problem is that the server's responses to the client's pings are > not routed back to the client. Thus, it seems this is a network > routing problem rather than an IPSEC problem, but I'm not sure exactly > what should be done to route the packets correctly. basically, do whatever you would do if the clients were attached to another physical interface on the gateway. IPsec does not address routing (which is a feature). > Should I be seeing the server's ping responses on any of the gateway's > interfaces? (I can't.) yes, the server should be routing to the VPN gateway's lan address and it should show up there. Then you should see the ESP packet go out. > Must every server on the LAN have routes back through the gateway? > That seems wrong. No, it's right. VPN is not NAT or routing. > How can the gateway be configured to route appropriate packets back > through the tunnel and can that be automated when clients connect? that's a good question > I feel like I must be missing something obvious. Thanks for your help. You're missing that racoon is not a fully featured VPN configuration answer, or rather you are realizing it as you try.
Attachment:
pgpiEAZRZGGaw.pgp
Description: PGP signature