From: Erich T. <eri...@th...> - 2006-06-02 06:22:10
Jason Burrell wrote:
> On 6/1/06, Erich Titl <eri...@th...> wrote:
>> Jason
>> ...
>>
>> > I tried turning off masquerading on either side, to no avail. I set
>> > explicit routes, to no avail.
>>
>> What do you masquerade, where and why?
>
> Both sides of the VPN tunnel are border routers for their respective
> networks. As such, both of those machines masquerade traffic from
> machines behind them that's heading out to the Internet. The exception
> is if the traffic comes from 192.168.0.0/16, at which point it isn't
> caught by the masquerading rule.

Make sure you don't masquerade the traffic inside the tunnel; you will break
routing.

>
> Since I stuck the VPN subnet in 10.3.0.0, my problem might be that the
> machines are masquerading the traffic over that subnet and confusing
> the issue. (Kind of nebulous, that.)
>
>>
>> >
>> > Any ping from any machine behind the client router, such as
>> > 192.168.0.130, gets dropped with the error message above, and drops
>> > off into a black hole.
>>
>> Where does it get dropped, on the client or the server? Try to use
>> tcpdump to determine which system does not want to play with you.
>
> It obviously gets to the server because that's where the log message
> citing the remote IP comes up. I had assumed that the error was thus
> generated by the server, meaning that the server didn't have a route
> back to the client, not vice versa. (There's no message in the client
> logs.) I'll check with tcpdump.

Which interface does the server get that message from? Is it coming from the
tunnel interface? IIRC the server has a route to 192.168.0.0/24 through the
tunnel.

cheers

Erich
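An added illustration of the two points in this exchange (it is not part of the original message, and it is not Jason's actual ruleset): a POSTROUTING setup in the shape Jason describes, masquerading everything except 192.168.0.0/16 destinations, placed beside one that masquerades only what leaves on the Internet-facing interface, plus a small check for masquerade rules not tied to that interface and the tcpdump command Erich suggests. The interface names eth0 and tun0, the /24 on the 10.3.0.0 VPN subnet, and the IPT variable for dry-running without root are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: NAT rules for a border router that also
# terminates the VPN. Interface names and the VPN prefix length are assumed.
WAN=eth0                 # assumed Internet-facing interface
TUN=tun0                 # assumed tunnel interface
VPN_NET=10.3.0.0/24      # assumed VPN transit subnet (thread only says 10.3.0.0)
IPT=${IPT:-iptables}     # set IPT=echo to print the rules instead of loading them

# Weak form, as described in the thread: every packet leaving the box is
# masqueraded unless it is bound for 192.168.0.0/16.  A packet leaving on
# tun0 towards the 10.3.0.0 subnet is not exempt, so the far end sees the
# tunnel endpoint's address instead of the LAN host's own address.
nat_weak() {
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING ! -d 192.168.0.0/16 -j MASQUERADE
}

# Corrected form: masquerade only what actually leaves on the WAN interface.
# Anything routed into the tunnel never matches, whatever its destination.
nat_fixed() {
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -A POSTROUTING -o "$WAN" ! -d 192.168.0.0/16 -j MASQUERADE
    # Explicit exemptions in front, so later additions cannot NAT tunnel
    # traffic by accident (ACCEPT in the nat table means "no NAT for this").
    $IPT -t nat -I POSTROUTING -o "$TUN" -j ACCEPT
    $IPT -t nat -I POSTROUTING -d "$VPN_NET" -j ACCEPT
}

# Check: reads rules on stdin (dry-run output, or `iptables-save -t nat`)
# and succeeds if some MASQUERADE rule is not restricted to the WAN
# interface, i.e. it can also fire on packets entering the tunnel.
nat_rule_hits_tunnel() {
    grep 'MASQUERADE' | grep -qv -- "-o $WAN"
}

# Where to look when a ping from behind the client disappears: watch the
# tunnel interface on each side.  The side that shows the echo request but
# no reply is the one whose route back (or NAT) needs fixing.
watch_tunnel() {
    tcpdump -ni "$TUN" icmp
}
```

Run `IPT=echo sh script.sh` style dry runs first; `nat_rule_hits_tunnel` is meant to be fed either that output or `iptables-save -t nat` on the live router.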