Re: Routing all traffic through IPSEC VPN

Tue, 19 Apr 2011 03:46:08 -0700 

Matt S P?P8QP5Q:

Hello @misc:
I am up against a stumper. I have a Site-to-Site IPSEC VPN working beautifully. However, I would like the remote site to route all of its traffic through the VPN. After googling, I seemed to come up with a suggestion to do a route change -net 0.0.0.0/0 <gateway> which didn't work well. I think it might have to do with NAT. The main office is doing the NAT. Perhaps I need to some sort of NAT traversal on the VPN?? 



Hello.
Here is working config. I have two nets 15.0/24 and 16.0/24.
16.0/24 have default gateway to Internet.
between 15 and 16 setup IPSec.
from 15 for lucky boys I setup tunnel to any.
on router in 16 lucky boys go out with NAT.
=======net 15.0=============
ipsec.conf

remote_nets = "{ 192.168.16.0/24, 172.20.252.0/24}"
nat_clients = "{ 192.168.15.10, 192.168.15.167, 192.168.15.170 }"
flow esp from 192.168.15.0/24 to $remote_nets peer 192.168.10.1
flow esp from $nat_clients to any peer 192.168.10.1
esp from 192.168.10.2 to 192.168.10.1

ifconfig

rl0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:02:44:56:39:04
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.15.6 netmask 0xffffff00 broadcast 192.168.15.255
vr0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:13:d3:36:f5:ce
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.10.2 netmask 0xffffff00 broadcast 192.168.10.255

route -n show
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.10.1 UGS 5 5440 - 8 vr0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 4 33200 4 lo0
192.168.10/24 link#2 UC 1 0 - 4 vr0
192.168.10.1 00:d0:b7:60:5f:5c UHLc 3 1357436 - 4 vr0
192.168.15/24 link#1 UC 38 0 - 4 rl0
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
default 0 192.168.15.170/32 0 0 192.168.10.1/esp/require/in
192.168.15.170/32 0 default 0 0 192.168.10.1/esp/require/out
default 0 192.168.15.167/32 0 0 192.168.10.1/esp/require/in
192.168.15.167/32 0 default 0 0 192.168.10.1/esp/require/out
default 0 192.168.15.10/32 0 0 192.168.10.1/esp/require/in
192.168.15.10/32 0 default 0 0 192.168.10.1/esp/require/out
172.20.252/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 172.20.252/24 0 0 192.168.10.1/esp/require/out
192.168.16/24 0 192.168.15/24 0 0 192.168.10.1/esp/require/in
192.168.15/24 0 192.168.16/24 0 0 192.168.10.1/esp/require/out

============net 16=============
local_nets = "{ 172.20.252.0/24, 192.168.16.0/24 }"
flow esp from $local_nets to 192.168.15.0/24 peer 192.168.10.2
flow esp from any to { 192.168.15.10, 192.168.15.167, 192.168.15.170 } peer 192.168.10.2 
esp from 192.168.10.1 to 192.168.10.2

fxp0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:d0:b7:60:75:51
priority: 0
groups: egress
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.16.6 netmask 0xffffff00 broadcast 192.168.16.255
fxp1: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
lladdr 00:d0:b7:60:5f:5c
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.10.1 netmask 0xffffff00 broadcast 192.168.10.255
fxp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:d0:b7:60:5d:9c
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 172.20.252.36 netmask 0xfffffff8 broadcast 172.20.252.39
inet6 fe80::2d0:b7ff:fe60:5d9c%fxp2 prefixlen 64 scopeid 0x3
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0d:88:45:68:aa
priority: 0
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 192.168.20.55 netmask 0xffffff00 broadcast 192.168.20.255

Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Prio Iface
default 192.168.16.8 UGS 6 14997670 - 8 fxp0
127/8 127.0.0.1 UGRS 0 0 33200 8 lo0
127.0.0.1 127.0.0.1 UH 2 11204 33200 4 lo0
172.20.252.32/29 link#3 UC 1 0 - 4 fxp2
172.20.252.38 00:03:7e:00:73:40 UHLc 0 4831569 - 4 fxp2
192.168.10/24 link#2 UC 2 0 - 4 fxp1
192.168.10.1 00:d0:b7:60:5f:5c UHLc 0 4 - 4 lo0
192.168.10.2 00:13:d3:36:f5:ce UHLc 15 102190836 - 4 fxp1
192.168.15/24 192.168.10.2 UGS 0 119979 - 8 fxp1
Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.15.170/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.170/32 0 0 192.168.10.2/esp/require/out
192.168.15.167/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.167/32 0 0 192.168.10.2/esp/require/out
192.168.15.10/32 0 default 0 0 192.168.10.2/esp/require/in
default 0 192.168.15.10/32 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 192.168.16/24 0 0 192.168.10.2/esp/require/in
192.168.16/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out
192.168.15/24 0 172.20.252/24 0 0 192.168.10.2/esp/require/in
172.20.252/24 0 192.168.15/24 0 0 192.168.10.2/esp/require/out


host 192.168.16.8 doint NAT for lucky boys from 15.0/24:
tracert mail.ru
traceroute to mail.ru (94.100.191.204), 30 hops max, 40 byte packets
1 192.168.15.6 (192.168.15.6) 0.518 ms 0.475 ms 0.462 ms
2 192.168.10.1 (192.168.10.1) 3.331 ms 3.368 ms 3.357 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 94.100.191.204 (94.100.191.204) 31.093 ms 31.139 ms 31.128 ms
so, you need to route brance office to 0/0 in ipsec settings, not in plain routing. 
in routing you need to write other side of tunnel.

Reply via email to