On Sat, Oct 06, 2007 at 10:37:12AM -0400, Dave Anderson wrote:
quoted text
> On Sat, 6 Oct 2007, Layne Evans wrote:
> 
> >Hello all,
> >
> >
> >vendor -->vendor router<-- Internal LAN Location A -->OBSD GW A<-- Internet
> >       VPN Between
> >Internet -->OBSD GW B<-- Internal LAN Location B
> >
> >Some info: (these are representative IPs)
> >Vendor's IP block that need to go over their T1: 207.12.0.0/18
> >Internal LAN A: 10.74.10.0/24
> >Vendor router Internal LAN IP: 10.74.10.245
> >OpenBSD A Internal IP: 10.74.10.254
> >OpenBSD A External IP: a.b.c.d
> >OpenBSD B Internal IP: 10.76.10.254
> >OpenBSD B External IP: w.x.y.z
> >
> >Any pointers will sure be appreciated.
> 
> Maybe I'm missing something, but (given that everything else is working
> and assuming that the systems on LAN B have a default route directed to
> GW B) wouldn't a static route on GW B for 207.12.0.0/18 pointing to
> 10.74.10.245 do the job?
> 

this will not work. ipsec will not encap packets that not belong to a
flow.

you need a second ipsec flow like on GW B:
ike esp from LAN_B/24 to vendor/18 peer OPENBSD_A_External
and on GW A:
ike esp from VENDOR/18 to LAN_B/24 peer OPENBSD_B_External
and then a route on GW A to the vendor network.

i think this will do the trick.
thomas