ipsec routing issue

Bjoern A. Zeeb bzeeb-lists at lists.zabbadoz.net
Thu Jan 1 23:47:23 UTC 2015


> On 30 Dec 2014, at 05:22 , Aristedes Maniatis <ari at ish.com.au> wrote:
> 
> On 30/12/2014 4:23am, Bjoern A. Zeeb wrote:
>> 
>>> On 29 Dec 2014, at 16:20 , Aristedes Maniatis <ari at ish.com.au> wrote:
>>> 
> 
> 
>>> But how does the OS know where to send traffic to $remote_internal_address? Is that something racoon takes care of?
>> 
>> No, there are no routes involved; your security policy deals with this.   setkey -DP is your friend.   You can have racoon inject the policy for you if you want, otherwise ipsec.conf is where it goes.
> 

…
> Am I right in saying that I would not get this far if setkey wasn't already correct?
> 
> 
> But still I cannot ping the remote internal IP (203.29.62.129). I also notice that other addresses in the remote network except for the remote firewall itself are not sent through the tunnel. I guess I'll need to add a route for those after all.
> 
> Are you able to suggest my next step in diagnosis? Everything seems to be working... other than traffic going into the tunnel and coming out the other side :-)


Hint: not sure if you are testing from the gateway itself; if you do, you might have to use a specific source address (internal) with ping/telnet/etc.

Otherwise, read man setkey on the difference between “use” vs. “require” vs. “unique” for the level in the policy part.


-- 
Bjoern A. Zeeb                                  Charles Haddon Spurgeon:
"Friendship is one of the sweetest joys of life.  Many might have failed
 beneath the bitterness of their trial  had they not found a friend."
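As an added example (not code from the thread), a small Python parser for the `setkey -DP` output Bjoern points at: it lists which SPD entries would carry outbound traffic to a given destination, so an address that no selector covers shows up as "not tunnelled" rather than as a missing route, and it flags entries at level "use", which permit cleartext when no SA exists. The dump, gateway addresses and the 10.0.1.0/24 selector are constructed for the example.

```python
import ipaddress
import re
# Constructed sample (not a real dump) in the layout `setkey -DP` prints on
# FreeBSD: a selector line, then indented direction, rule and spid lines.
SAMPLE_SPD = """\
10.0.1.0/24[any] 203.29.62.129[any] any
	out ipsec
	esp/tunnel/192.0.2.10-198.51.100.20/use
	spid=1 seq=1 pid=1000
203.29.62.129[any] 10.0.1.0/24[any] any
	in ipsec
	esp/tunnel/198.51.100.20-192.0.2.10/use
	spid=2 seq=0 pid=1000
"""
HEADER = re.compile(r"^(\S+?)(?:\[\S*\])?\s+(\S+?)(?:\[\S*\])?\s+(\S+)$")
RULE = re.compile(r"^(ah|esp|ipcomp)/(tunnel|transport)/(\S*?)(?:/(\w+))?$")
SPID = re.compile(r"spid=(\d+)")

def parse_spd(text):
    """Return one dict per SPD entry: src/dst selectors, direction, rules, spid."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # unindented selector line opens a new entry
            m = HEADER.match(line)
            cur = m and {"src": ipaddress.ip_network(m.group(1), strict=False),
                         "dst": ipaddress.ip_network(m.group(2), strict=False),
                         "proto": m.group(3), "dir": None, "rules": [], "spid": None}
            if cur:
                policies.append(cur)
        elif cur and line.startswith(("in ", "out ", "fwd ")):
            cur["dir"] = line.split()[0]
        elif cur and SPID.search(line):
            cur["spid"] = int(SPID.search(line).group(1))
        elif cur and RULE.match(line):
            m = RULE.match(line)
            cur["rules"].append({"proto": m.group(1), "mode": m.group(2),
                                 "endpoints": m.group(3), "level": m.group(4) or "default"})
    return policies

def policies_for(policies, dst, direction="out"):
    """Entries whose selector covers dst; none means dst is sent in the clear."""
    addr = ipaddress.ip_address(dst)
    return [p for p in policies if p["dir"] == direction and addr in p["dst"]]

def weak_levels(policies):
    """spids at level 'use': traffic falls back to cleartext when no SA exists."""
    return sorted(p["spid"] for p in policies
                  if any(r["level"] == "use" for r in p["rules"]))
```

Feed it the real `setkey -DP` output to see why 203.29.62.129 is matched while its neighbours are not: only the /32 selector exists, so the rest of the remote network needs a wider selector in ipsec.conf, not a route. The exact dump layout varies between setkey versions, so check the first lines against the regexes before trusting the result.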



More information about the freebsd-stable mailing list