Multiple vpn tunnels

Post by said.ab.. » Tue, 27 Mar 2007 21:35:52



Hello Folks,

I have the following situation:

                       VPN Tunnel 1                      VPN Tunnel 2
81.129.39.9  ============ 59.20.93.49  =============  93.48.28.27
Gateway A                 Gateway B                   Gateway C

I need all clients coming from gateway C to be able to use the vpn
tunnel 1, so I have the following rule on Gateway B:

iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE

But it does not work; what am I missing here?

Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
or telnet from Gateway C seems to work. I don't have access to Gateway
A, so I can't verify if the packets get to Gateway A.

I would really appreciate it if you can help me fix this or find another
job ;)

Multiple vpn tunnels

Post by Tauno Voipi » Tue, 27 Mar 2007 23:16:06



> Hello Folks,

> I have the following situation:

>                        VPN Tunnel 1                      VPN Tunnel 2
> 81.129.39.9  ============ 59.20.93.49  =============  93.48.28.27
> Gateway A                 Gateway B                   Gateway C

> I need all clients coming from gateway C to be able to use the vpn
> tunnel 1, so I have the following rule on Gateway B:

> iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE

> But it does not work; what am I missing here?

> Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
> or telnet from Gateway C seems to work. I don't have access to Gateway
> A, so I can't verify if the packets get to Gateway A.

> I would really appreciate it if you can help me fix this or find another
> job ;)

The masquerade may be overkill, unless you need to limit
the visibility of the subnets to the other end of the tunnel.

Did you:

  - tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?
  - tell VPN tunnel 2 end that gateway A and the nets behind it
    are reachable via gateway C?
  - enable forwarding at gateway C?

--

Tauno Voipio
tauno voipio (at) iki fi

Multiple vpn tunnels

Post by said.ab.. » Wed, 28 Mar 2007 02:58:44




> > Hello Folks,

> > I have the following situation:

> >                        VPN Tunnel 1                      VPN Tunnel 2
> > 81.129.39.9  ============ 59.20.93.49  =============  93.48.28.27
> > Gateway A                 Gateway B                   Gateway C

> > I need all clients coming from gateway C to be able to use the vpn
> > tunnel 1, so I have the following rule on Gateway B:

> > iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE

> > But it does not work; what am I missing here?

> > Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
> > or telnet from Gateway C seems to work. I don't have access to Gateway
> > A, so I can't verify if the packets get to Gateway A.

> > I would really appreciate it if you can help me fix this or find another
> > job ;)

> The masquerade may be overkill, unless you need to limit
> the visibility of the subnets to the other end of the tunnel.

> Did you:

>   - tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?

I don't have access to administration on Gateway A. The reason we
need this is that we wanted to save time by using a temporary tunnel, but
in the future (in a couple of months) they will provide us with a tunnel
between Gateway A and Gateway C.

>   - tell VPN tunnel 2 end that gateway A and the nets behind it
>     are reachable via gateway C?

It already knows that. tcpdump on gateway B shows that Gateway C is
talking to Gateway A via Gateway B.

>   - enable forwarding at gateway C?

Yes, it is enabled.

> --

> Tauno Voipio
> tauno voipio (at) iki fi

Thanks a lot for your reply :)

Multiple vpn tunnels

Post by Tauno Voipi » Wed, 28 Mar 2007 03:35:03





>>>Hello Folks,

>>>I have the following situation:

>>>                       VPN Tunnel 1                      VPN Tunnel 2
>>>81.129.39.9  ============ 59.20.93.49  =============  93.48.28.27
>>>Gateway A                 Gateway B                   Gateway C

>>>I need all clients coming from gateway C to be able to use the vpn
>>>tunnel 1, so I have the following rule on Gateway B:

>>>iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE

>>>But it does not work; what am I missing here?

>>>Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
>>>or telnet from Gateway C seems to work. I don't have access to Gateway
>>>A, so I can't verify if the packets get to Gateway A.

>>>I would really appreciate it if you can help me fix this or find another
>>>job ;)

>>The masquerade may be overkill, unless you need to limit
>>the visibility of the subnets to the other end of the tunnel.

>>Did you:

>>  - tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?

> I don't have access to administration on Gateway A. The reason we
> need this is that we wanted to save time by using a temporary tunnel, but
> in the future (in a couple of months) they will provide us with a tunnel
> between Gateway A and Gateway C.

This will be a problem: The gateway should know to route your
packets for tunnel 2 via the intermediate gateway. If you cannot
change the routing here, the packets destined to the second
tunnel will be sent to gateway A's default next-hop gateway.

Could you think of splitting the subnet in tunnel 1 into
two sub-subnets and assign it to tunnel 2?

--

Tauno Voipio
tauno voipio (at) iki fi
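
The routing condition Tauno raises in both replies (Gateway A has to know that the tunnel-2 end is reachable through tunnel 1, otherwise its replies go to its default next hop) and the effect of a source NAT on Gateway B can be traced with a small model of the three gateways. This is an added example, not code from the thread or from any of the posters. The three gateway addresses and 81.129.40.0/24 are taken from the post; the LAN behind B (10.1.0.0/24), the spare address 10.1.0.254 in it, and the routing tables themselves are assumptions made for the model. It goes one step beyond the thread by also tracing an SNAT to an address that A already routes through tunnel 1, which is one way to read the suggestion of carving a piece out of the tunnel-1 subnet for tunnel 2.

```python
"""Trace forward and reply paths across Gateway A <-> B <-> C (constructed model)."""
import ipaddress

IP, NET = ipaddress.ip_address, ipaddress.ip_network

# Addresses taken from the thread.
GW_A, GW_B, GW_C = IP("81.129.39.9"), IP("59.20.93.49"), IP("93.48.28.27")
NET_A = NET("81.129.40.0/24")        # destination used in the posted MASQUERADE rule
# Assumptions, not named anywhere in the thread: the LAN behind B that tunnel 1
# carries, and one spare address in it that B could SNAT to instead of masquerading.
NET_B = NET("10.1.0.0/24")
SNAT_IN_NET_B = IP("10.1.0.254")

# Per-gateway routing tables as (prefix, next hop).  A next hop is another
# gateway's name, "local" (directly attached, packet is delivered) or
# "upstream" (the gateway's default route towards its ISP, i.e. outside any
# tunnel).  A only has a tunnel-1 route for NET_B, as Tauno's reply assumes.
TABLES = {
    "A": [(NET(f"{GW_A}/32"), "local"), (NET_A, "local"), (NET_B, "B"),
          (NET("0.0.0.0/0"), "upstream")],
    "B": [(NET(f"{GW_B}/32"), "local"), (NET_B, "local"), (NET_A, "A"),
          (NET(f"{GW_C}/32"), "C"), (NET("0.0.0.0/0"), "upstream")],
    "C": [(NET(f"{GW_C}/32"), "local"), (NET_A, "B"), (NET_B, "B"),
          (NET("0.0.0.0/0"), "upstream")],
}


def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None with no route at all."""
    best = None
    for net, nh in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def forward(start, src, dst, snat=None):
    """Walk a packet gateway by gateway until it is delivered or leaves the
    tunnels.  If `snat` is given, B rewrites the source address when it sends
    the packet towards A, which is what a POSTROUTING SNAT/MASQUERADE rule on
    B does.  Returns (hops, source_as_seen_by_last_hop, fate)."""
    hops, cur, seen = [start], start, src
    while True:
        nh = lookup(TABLES[cur], dst)
        if nh is None or nh in ("local", "upstream"):
            return hops, seen, nh or "unroutable"
        if cur == "B" and nh == "A" and snat is not None:
            seen = snat
        cur = nh
        hops.append(cur)


def round_trip(src, dst, snat=None):
    """Forward path from C to a host behind A, then the reply path.  Replies
    addressed to the SNAT address land on B, which maps them back to the
    original source (conntrack) and forwards them on to C."""
    fwd, seen, fate = forward("C", src, dst, snat)
    if fate != "local" or fwd[-1] != "A":
        return {"forward": fwd, "reply": [], "fate": fate, "delivered": False}
    rep, _, fate = forward("A", dst, seen)
    if snat is not None and fate == "local" and rep[-1] == "B":
        tail, _, fate = forward("B", dst, src)
        rep += tail[1:]
    return {"forward": fwd, "reply": rep, "fate": fate,
            "delivered": fate == "local" and rep[-1] == "C"}


if __name__ == "__main__":
    host_a = IP("81.129.40.10")  # constructed host behind Gateway A
    for label, snat in (("no NAT on B", None),
                        ("MASQUERADE out eth0 (source becomes B's eth0 address)", GW_B),
                        ("SNAT to an address A already routes via tunnel 1", SNAT_IN_NET_B)):
        r = round_trip(GW_C, host_a, snat)
        print(f"{label}: forward {'->'.join(r['forward'])}; "
              f"reply {'->'.join(r['reply']) or '-'} ({r['fate']}); "
              f"delivered={r['delivered']}")
```

In this model the first two runs fail the same way: A has no tunnel route for 93.48.28.27, and none for B's public eth0 address either, so the reply takes A's default route and never re-enters tunnel 1. Only a source address that A already routes through tunnel 1 brings the reply back to B, where the NAT mapping can be reversed. Whether that matches the real Gateway A depends on its routes and IPsec selectors, which the thread does not show; the point of the model is which address the reply is sent to, and who owns a route for it.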

 
 
 

Multiple VPN tunnels

I am trying to set up my OpenBSD 2.9-stable to handle two separate
net-to-net vpn tunnels. Example: OpenBSD box currently has one
net-to-net VPN set up with a remote cisco pix firewall that works
fine. Now I need to add another net-to-net VPN between OpenBSD and
different location. I do not want the two remote locations to
communicate with each other, I just want to have my local network to
be able to communicate with either of the two remote sites.

I am having a hard time finding documentation on configuring
isakmpd for this. Maybe it is so simple that no one thought to add it
and I am just dense, or maybe it is something that isn't usually done, or
done at all; this is possible, isn't it?
