* rking@generationtechnology.co.uk wrote on Fri, Aug 23, 2002 at 13:31 +0100:
> Not related to security, eh?
No, that is networking related :)
> I thought that was what I was trying to achieve in implementing IPSec for VPN, no?
You did, and now you have some self-made routing problem, I think :)
> Now the road warrior dials up and uses the VPN client to get in. The SuSE server passes the packets through the tunnel into the Exchange server. The Exchange server sees the packets from their original, external IP.
You use ESP transport mode I guess?
> So it sends the replies back along its default gateway to send them externally. Its default gateway is the PIX, NOT the SuSE server!
> The network consultant that manages the PIX says that if I use RIP on the SuSE server, and somehow broadcast its established routes, the PIX will redirect the packets that came into the Exchange server through the SuSE server back to the SuSE server.
Sounds OK (but I haven't understood your setup completely, I think).
> My problems are: I don't see the PIX doing this, when its own default gateway will tell it to send the packets back out;
Usually the RIP routes are preferred if available.
> I don't know how to set the gated.conf to get the RIP broadcasting correctly, and there is very little useful stuff in the groups.
Hum, IIRC I had similar troubles with gated. Maybe you should take a look at zebra. I played with it only a little, but it seemed to me to be not too cryptic, and it handles RIP.
> I wonder if they used static dial-ups, and put the static routes in the PIX, it would work?
Well, someone may argue that a firewall (PIX is one, ain't it?) shouldn't accept dynamic routing... For me, it sounds like a problem of some unclean security/routing concept if you have such issues. But I think you could solve it with zebra.

oki,
Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.
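For readers wanting to see what the zebra suggestion above looks like in practice, here is an added example of a minimal GNU Zebra `ripd` configuration; it is not part of the thread and not from either poster. It assumes the SuSE box's inside LAN interface is `eth1`, that the road-warrior address pool is `10.0.100.0/24`, and that the tunnel interface is `ipsec0` (all constructed for illustration). The idea is the one the consultant described: the SuSE server advertises a route to the VPN client pool over RIPv2 on the inside network only, so the Exchange server's upstream (the PIX or whatever router listens to RIP there) learns that return traffic for those addresses must go via the SuSE server instead of the default route. Steffen's caveat about a firewall accepting dynamic routes is addressed by advertising on the inside interface alone and authenticating the updates, so that nobody else on the LAN can inject a route.

```text
! /etc/zebra/zebra.conf  (constructed example; names and addresses are assumptions)
hostname suse-gw
password zebra
!
! Static route to the road-warrior pool via the IPsec tunnel interface.
! This is the route that ripd will pick up with "redistribute static".
ip route 10.0.100.0/24 ipsec0
!

! /etc/zebra/ripd.conf  (constructed example; names and addresses are assumptions)
hostname suse-gw-rip
password zebra
!
! Run RIPv2 on the inside LAN interface only; the external interface
! must never send or accept routing updates.
router rip
 version 2
 network eth1
 redistribute connected
 redistribute static
!
! MD5-authenticate the updates so the PIX (or core router) only accepts
! routes that came from this box.  Use a real secret, not this placeholder.
key chain ripauth
 key 1
  key-string REPLACE-WITH-SHARED-SECRET
!
interface eth1
 ip rip authentication mode md5
 ip rip authentication key-chain ripauth
!
```

Once `zebra` and `ripd` are running, `show ip rip` in the ripd vty shows which prefixes are being announced, and a `traceroute` from the Exchange server to a connected road-warrior address should now go through the SuSE server rather than the PIX. The receiving side (PIX or router) has to be configured to listen for RIPv2 with the same MD5 key on the inside interface; that part belongs to whoever manages the PIX, as in the thread.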