From: Brian C. <B.C...@po...> - 2006-07-28 09:35:31

On Fri, Jul 28, 2006 at 09:06:59AM +0100, Ral Alexis Betancor Santana wrote:

> On the branch offices I have set up the tunnel to be the "default route" for
> all kinds of traffic, so in the central office I could also see traffic from
> 192.168.31.0/24 to any other 192.168.0.0/16 or to the internet.

Why not just set the SA on the branches for 192.168.0.0/16? Do you want all the
Internet traffic to go down the tunnel too? (Some people do, so that it all
transits a central firewall for control and logging.)

> The problem I have is not to let the internet traffic from the branch office
> go, because I did it with a normal SNAT or MASQUERADE iptables rule; the
> problem is that traffic that comes from, for example, 192.168.31.15 and must
> go to 192.168.16.82 does not "flow" to the 192.168.16.0/24 tunnel, it gets
> lost on my central gateway.

Show your SNAT/MASQUERADE ruleset. You can insert an extra rule which says
"don't do source NAT if the destination is 192.168.0.0/16".
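Added example, not code from the thread: a POSIX shell script that simulates netfilter's first-match walk of nat/POSTROUTING for the broken and the fixed ordering, followed by the iptables commands that implement the exemption Brian describes. The WAN interface name eth0 is an assumption; the subnets are the ones from the thread.

```shell
#!/bin/sh
# Added example (not the poster's ruleset): simulate nat/POSTROUTING first-match
# evaluation, then give the real iptables commands for the branch gateway.

ip2int() {                       # dotted quad -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {                      # in_cidr ADDR NET/PREFIX -> 0 if ADDR is inside
  net=${2%/*}; bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Chains as "DSTNET TARGET" lines, walked top to bottom; the first match wins,
# which is exactly how netfilter evaluates nat/POSTROUTING.
BROKEN='0.0.0.0/0 MASQUERADE'
FIXED='192.168.0.0/16 ACCEPT
0.0.0.0/0 MASQUERADE'

postrouting() {                  # postrouting CHAIN DST -> target applied to DST
  printf '%s\n' "$1" | while read -r dnet target; do
    if in_cidr "$2" "$dnet"; then echo "$target"; break; fi
  done
}

# Real commands for the branch gateway (set IPT=echo to dry-run; eth0 assumed).
install_fix() {
  ipt=${IPT:-iptables}; wan=${WAN:-eth0}
  # 1. Exempt inter-site traffic. ACCEPT in the nat table ends NAT processing,
  #    so the packet keeps its 192.168.31.x source and still matches the SA.
  "$ipt" -t nat -I POSTROUTING 1 -s 192.168.31.0/24 -d 192.168.0.0/16 -j ACCEPT
  # 2. Everything else leaving the WAN side is masqueraded as before
  #    (skip this line if the MASQUERADE rule is already installed).
  "$ipt" -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# Constructed destinations: one behind the central tunnel, one on the Internet.
for dst in 192.168.16.82 203.0.113.5; do
  printf '%-14s broken=%-10s fixed=%s\n' "$dst" \
    "$(postrouting "$BROKEN" "$dst")" "$(postrouting "$FIXED" "$dst")"
done
# Verify the live order with: iptables -t nat -L POSTROUTING -n -v --line-numbers
```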