Re: [Ipsec-tools-devel] doubs about a star configuration

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Fri, Jul 28, 2006 at 09:06:59AM +0100, Ral Alexis Betancor Santana wrote:
> On the branch offices I have setup the tunnel to be the "default route" for 
> all kind of traffic, so in the central office I could also see traffic from 
> 192.168.31.0/24 to any other 192.168.0.0/16 or to internet.

Why not just set the SA on the branches for 192.168.0.0/16? Do you want all
the Internet traffic to go down the tunnel too? (Some people do, so that it
all transits a central firewall for control and logging)

> The problem I have is not to let the internet traffic from the branch office 
> to go, because I did it with a normal SNAT or MASQUERADE iptables rule, the 
> problem is that traffic that comes from, for example, 192.168.31.15 and must 
> go to 192.168.16.82 does not "flow" to the 192.168.16.0/24 tunnel, it get 
> lost on my central gateway.

Show your SNAT/MASQUERADE ruleset. You can insert an extra rule which says
"don't do source NAT if the destination is 192.168.0.0/16"