[clug] IPSec Question: Connecting outlying sites via single head office access point

Stephen Hodgman steve at namsys.com.au
Sat Oct 2 01:52:37 GMT 2004

Can anyone help me with an IPSec question?  I am new to this but have 
been using snapgear units (basically an embedded linux firewall/VPN box 
with simple browser-based config) to connect remote sites to the head 
office LAN with VPN access quite successfully. I am having a routing 
issue though where I cannot route from remote office A to remote office B.

I have Head Office (H) with a single snapgear VPN IPSec access point on 
the internet.  I have remote office (A) with internet access and a 
snapgear IPSec access point.  I also have remote office (B) with 
internet access and a snapgear IPSec access point.

I have established IPSec connections from A ==> H and B ==> H.  I can 
route traffic on these links, i.e. A ==> H, H ==> A, B ==> H, H ==> B.  
However, I am unable to directly route from A ==> B. 

It seems that the IPSec access is not available from within the IPSec 
access point (Snapgear).  The head office unit has network routes for A 
and B to the ipsec device.  I would have thought packets arriving from A 
would use this routing to go out the ipsec device.
Is this a limit of IPSec?  Interestingly, I notice that both these 
routes use ipsec0 as only one ipsec device has been created.

Do I have to establish separate VPN links from A ==> B to do what I want?
If anyone can enlighten me I would be most appreciative.

Steve Hodgman
Ph: +61 2 6285 3460
Fax: +61 2 6285 3459
Mobile:	+61 407 182 355
steve at namsys.com.au