Hey, Charles,

     I had a weird idea I have no way to test right now.
     What if I had the Eiger masquerade both directions?
     The packet is unencapsulated.
     It goes through the forward chain.
     Its source address is masqueraded to the internal address.
     The Exchange server responds to that address.
     The NAT table converts the destination address of the
            response to the source address of the request.
     IPSec sees it and says that's mine.

          ??????????????????
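What Phillip sketches above, written out as gateway configuration. This is an added example, not code from the thread or from the LEAF/LRP project; it uses the later iptables and iproute2 syntax (an assumption, since the 2002 Eiger/Dachstein images shipped their own tooling), and the interface names and RFC 5737 addresses are constructed placeholders standing in for the 123.x.x.x network.

```shell
#!/bin/sh
# Added example, not from the thread: source-NAT on the Eiger for traffic that
# arrives from the IPsec tunnel and is forwarded to the internal LAN.
# Syntax is the later iptables/iproute2 form (an assumption; the 2002 LRP
# images used their own tooling). Every address below is a constructed
# placeholder from the RFC 5737 documentation ranges standing in for 123.x.x.x.
INTERNAL_NET="${INTERNAL_NET:-192.0.2.0/24}"        # LAN with AS400 and Exchange
EIGER_LAN_IP="${EIGER_LAN_IP:-192.0.2.254}"         # Eiger's own address on that LAN
VPN_CLIENT_NET="${VPN_CLIENT_NET:-198.51.100.0/24}" # addresses the road-warrior laptops use
LAN_IF="${LAN_IF:-eth1}"                            # Eiger interface facing the LAN

# DRY_RUN=1 (default) prints each command instead of running it; DRY_RUN=0
# applies them, which needs root on the gateway.
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Source-NAT tunnel traffic to the Eiger's LAN address. Exchange then answers
# the Eiger, the conntrack NAT table maps the reply's destination back to the
# laptop's address, and the IPsec policy for that address sends the reply back
# into the tunnel, so Exchange never needs a route to the laptop.
vpn_snat_rules() {
  run iptables -t nat -A POSTROUTING -s "$VPN_CLIENT_NET" -d "$INTERNAL_NET" \
      -o "$LAN_IF" -j SNAT --to-source "$EIGER_LAN_IP"
}

# Forward only the tunnel's traffic toward the LAN, plus replies to it; the
# existing firewall policy keeps deciding about everything else.
vpn_forward_rules() {
  run iptables -A FORWARD -s "$VPN_CLIENT_NET" -d "$INTERNAL_NET" -o "$LAN_IF" -j ACCEPT
  run iptables -A FORWARD -d "$VPN_CLIENT_NET" -i "$LAN_IF" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stand-alone run: print (or, with DRY_RUN=0, apply) the rules.
vpn_snat_rules
vpn_forward_rules
```

The price of this trick is visibility: Exchange's own logs will show the Eiger's LAN address for every VPN user, so per-user accountability has to come from the IKE/IPsec logs on the Eiger, and the live mappings can be inspected in the kernel's connection-tracking table (/proc/net/ip_conntrack on 2.4 kernels) while a client is connected.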

"Charles Steinkuehler" <[EMAIL PROTECTED]> on 03/08/2002 03:27:44 PM

To:   Phillip Watts/austin/Nlynx@Nlynx, [EMAIL PROTECTED]
cc:

Subject:  Re: [Leaf-user] vpn routing



> It seems that I've seen this problem here before:
>
> There are two dsl connections to the internet
>
> behind one is an NT Proxy server.
> behind the other is an Eiger router running LRP/IPSec.
> Both masquerade
>
> Behind both of those is a LAN 123.x.x.x
> AS400  123.x.x.1
> Exchange Server 123.x.x.2
>
> So the internal subnet for the Eiger is 123.x.x.0/24
>
> A remote laptop with a dynamic address establishes a VPN connection
> to the Eiger, and accesses mail on 123.x.x.2.
> How does the traffic back from the Exchange Server to the laptop
> find its way back through the correct router, the Eiger?
> I mean it can only have one default gateway. ??

You either have to have the Eiger VPN gateway as the default route for the
Exchange box, or set up a static route on the Exchange box pointing to the
remote endpoint of the VPN.  I've done the latter with subnet-subnet VPNs,
but I don't think it will work well with a host-subnet VPN, as the far end
IP isn't static...

It sounds like you're wanting to just use the Eiger box as a VPN gateway.
Another option would be to set up proxy-arp on the Eiger box, with two
internal NICs.  Something like:

Internet
---------
DSL1 DSL2
  |    |
  |  NT Proxy Server
  |    |
  |  Internal net (123.x.x.0/24)
  |    |
  |   eth2
eth0-Eiger/Dachstein VPN gateway
      eth1
       |
     Internal net (123.x.x.0/24)
       |
     Exchange server

This gets around the routing problem because all packets will go through the
VPN gateway, even if "destined" for the IP of your NT proxy-server.  The
routing rules on the VPN gateway should make everything work properly, but I
haven't actually tested this setup.

NOTE:  While the above diagram may look kind of scary, it really isn't.  The
big problem will be getting the routing on the VPN box set up to use the
alternate DSL link (it would be much more straightforward if the VPN
gateway simply routed all data out the NT Proxy server, and had one default
gateway), but you should be able to set up advanced routing rules based on
either firewall marks or protocol that send VPN traffic out the DSL1 link,
and all other traffic out the NT proxy...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
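The two pieces Charles describes, proxy-arp across two internal NICs and mark-based routing that sends only IPsec traffic out DSL1, as an added example that is not his configuration and not LEAF/LRP code. It assumes the later iptables and iproute2 syntax (the 2002 images differed), the interface layout of his diagram (eth0 = DSL1, eth2 toward the NT proxy, eth1 toward Exchange), and constructed RFC 5737 addresses in place of 123.x.x.x.

```shell
#!/bin/sh
# Added example, not Charles's configuration: policy routing by firewall mark
# on the VPN gateway, plus proxy-ARP on the two LAN NICs from his diagram.
# Syntax is the later iptables/iproute2 form (an assumption; the 2002 LRP
# images differed) and all addresses are constructed RFC 5737 placeholders.
DSL1_IF="${DSL1_IF:-eth0}";   DSL1_GW="${DSL1_GW:-203.0.113.1}"      # VPN uplink
PROXY_IF="${PROXY_IF:-eth2}"; NT_PROXY_IP="${NT_PROXY_IP:-192.0.2.1}" # other uplink
LAN_IF="${LAN_IF:-eth1}";     EXCHANGE_IP="${EXCHANGE_IP:-192.0.2.2}"
INTERNAL_NET="${INTERNAL_NET:-192.0.2.0/24}"
VPN_MARK=1        # mark value; must agree between the iptables rules and ip rule
VPN_TABLE=100     # dedicated routing table number

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 applies it (needs root).
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Mark the gateway's own IPsec packets (IKE on UDP/500 and ESP) so the routing
# policy database can send just those out DSL1.
mark_vpn_traffic() {
  run iptables -t mangle -A OUTPUT -p udp --dport 500 -j MARK --set-mark "$VPN_MARK"
  run iptables -t mangle -A OUTPUT -p esp -j MARK --set-mark "$VPN_MARK"
}

# Table 100 holds a single default route via DSL1 and is consulted only for
# marked packets; the main table's default points at the NT proxy for the rest.
vpn_policy_routing() {
  run ip route replace default via "$DSL1_GW" dev "$DSL1_IF" table "$VPN_TABLE"
  run ip rule add fwmark "$VPN_MARK" table "$VPN_TABLE"
  run ip route replace default via "$NT_PROXY_IP" dev "$PROXY_IF"
}

# One subnet split across two NICs: the gateway answers ARP on each side for
# hosts on the other, and a host route tells the kernel which NIC the Exchange
# server sits behind. Exchange ARPs for its (NT proxy) default gateway, the
# Eiger answers on eth1, and replies to the laptop therefore reach the IPsec
# policy on the Eiger instead of the NT proxy.
proxy_arp_split_lan() {
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w "net.ipv4.conf.$LAN_IF.proxy_arp=1"
  run sysctl -w "net.ipv4.conf.$PROXY_IF.proxy_arp=1"
  run ip route replace "$INTERNAL_NET" dev "$PROXY_IF"
  run ip route replace "$EXCHANGE_IP/32" dev "$LAN_IF"
}

# Stand-alone run: print (or apply) the whole setup.
mark_vpn_traffic
vpn_policy_routing
proxy_arp_split_lan
```

After applying it, `ip rule show` and `ip route show table 100` confirm the mark-selected table, and `ip route get 203.0.113.50 mark 1` (any remote address) should name eth0 while the same lookup without the mark names eth2; the mark only affects packets the gateway itself originates, which is exactly the IKE and ESP traffic of the VPN.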


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user