Hello,
the question is about how to route traffic from an openvpn tunnel
to an ipsec tunnel.
This is my setup:
The OpenBSD gateway has an internal (10.0.1.1/24 )
and external (x.x.x.x/30) interface.
The internal net is NAT'ed to the external interface to provide
internet access to hosts on the internal net.
Through the external interface an ipsec SA ( security association )
is established ( tunnel mode ) between my internal net ( 10.0.1/24 )
and another local net of a remote site ( 10.0.2/24 ).
So hosts on the internal net can reach hosts on the internet
(being NAT'ed ) as well as hosts on the remote
private net 10.0.2/24 ( not being NAT'ed ).
Now I have setup an openvpn server on this box.
This openvpn server gives out addresses from yet
another net ( 10.0.3/24 ) to the connected clients.
Connections from openvpn clients are NAT'Ed to the internal
interface to make them appear as being directly attached
to the local private net ( 10.0.1/24 ).
So far, it works.
Now I want the clients on the openvpn subnet ( 10.0.3/24 ) to get
access to the remote side of the ipsec sa ( 10.0.2/24 ).
Here is an excerpt of my ipconfig and routing table
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
address: 00:a0:c9:43:07:20
media: Ethernet autoselect (100baseTX full-duplex)
status: active
inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
inet6 fe80::2a0:c9ff:fe43:720%fxp0 prefixlen 64 scopeid 0x1
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
address: 00:a0:c9:30:b3:34
media: Ethernet autoselect (10baseT)
status: active
inet x.x.x.254 netmask 0xfffffffc broadcast x.x.x.255
inet6 fe80::2a0:c9ff:fe30:b334%fxp1 prefixlen 64 scopeid 0x2
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
inet 10.0.3.1 --> 10.0.3.2 netmask 0xffffffff
# netstat -rn
Routing tables
Internet:
Destination Gateway Flags Refs Use Mtu Interface
default x.x.x.254 UGS 11 1211734 - fxp1
10.0.3/24 10.0.3.2 UGS 0 31900 - tun0
10.0.3.2 10.0.3.1 UH 1 0 - tun0
x.x.x.x/30 link#2 UC 1 0 - fxp1
127/8 127.0.0.1 UGRS 0 0 33224 lo0
127.0.0.1 127.0.0.1 UH 1 392 33224 lo0
10.0.1/24 link#1 UC 11 0 - fxp0
224/4 127.0.0.1 URS 0 0 33224 lo0
Encap:
Source Port Destination Port Proto
SA(Address/Proto/Type/Direction)
10.0.2/24 0 10.0.1/24 0 0 y.y.y.y/50/use/in
10.0.1/24 0 10.0.2/24 0 0 y.y.y.y/50/require/out
where x.x.x.x is the external address of my box, y.y.y.y is the
external address of the remote side of the ipsec tunnel.
I expected this to be sufficient for the routing
from 10.0.3/24 to 10.0.2/24.
But it is not.
Using tcpdump I see that packets entering the gateway via the
openvpn tun0 interface destined to some host on 10.0.2/24
do not get routed to the ipsec tunnel but are routed directly
to the external interface, i.e. a packet with
source ip = 10.0.3.10 and destination ip 10.0.2.1
is routed as is to the external interface.
I assume that the route through the IPSEC SA is not taken into account,
as the packet to be routed is not from the internal interface.
If there were a way to source-nat the packet when it comes in
via the tun interface, i.e. before the routing is done, maybe
all would be fine. But I don't know a way to achieve this.
The straight forward solution to setup another ipsec tunnel
between 10.0.2/24 and 10.0.3/24 is out of reach
due to weird administrative constraints.
Any suggestions?
Thanks
Christoph
