Matiss Miglans wrote:
Hi good people!
I need to make a connection from a server which is in LAN1 to a server which is in LAN3. And I need to make another connection from that same server which is in LAN3 to that same server which is in LAN1. There are 3 different company Ethernets, and I need to make this connection through my company. There is no way to make a direct VPN from LAN1 to LAN3 - business etc.

|---LAN1---------|         |----OpenBSD------|          |------LAN2------|
|-10.210.1.0/24--|<------->|--Router/pf/vpn--|<-------->|-192.168.0.0/24-|
|----------------|         |-----------------|          |----------------|
                                 |
                                 | VPN IPsec over public Internet.
                                 |
|-------LAN3------|        |---Netscreen 5xt---|
|-192.168.30.0/29-|<------>|---Router/pf/vpn---|
|-----------------|        |-------------------|

This VPN is from LAN2 to LAN3

I will make nat, rdr or binat, because I can't give direct access. I need to control what, where and how can connect.
I tried to make a redirect like this:
rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
But the OpenBSD box can't see the LAN3 network, or the Netscreen box internal IP. - I tried ping, telnet, ssh etc.
Of course I can see all that if I connect from LAN2 or LAN3.

How can I see this server in LAN3 from the OpenBSD box?
Or maybe there is a better way to do that?

In my pf.conf there is no deny rule.
Here is my ipsec.conf:
ike esp from 192.168.0.0/24 to 192.168.30.0/29  \
   local x.x.x.x peer x.x.x.x  \
   main auth hmac-md5 enc 3des  \
   quick auth hmac-md5 enc 3des  \
   psk "xxx"

This is an OpenBSD snapshot from 2007.26. Jan. (or something that way).

Best regards
Matiss

So you have a working VPN from LAN2 to LAN3 and reverse?
You cannot NAT on the same box you run ipsec on ...
NAT is applied first, then a routing decision is made, and if your IP addresses are outside your encryption 'domain' your traffic will not traverse the tunnel.


Are LAN1 and LAN2 really hosted off the same firewall?
If so then the statement "no VPN between LAN1 and LAN3" is silly.

In the layout as described you need to set up a VPN from LAN1 to LAN3.
You could possibly introduce an additional firewall to do NATing prior to the VPN, but that would again be silly.
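The point in the reply above (NAT first, then the packet must still fall inside the IPsec flow, or it never enters the tunnel) can be checked mechanically. The following is an added example, not code from either poster or from OpenBSD: a simplified, constructed model of how the kernel's flow table selects traffic for the tunnel, using the `from ... to ...` clause of the ipsec.conf quoted in the question and the rdr rule the poster tried. The function names and the 192.168.0.5 sample host are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed input: the flow line from the poster's ipsec.conf (addresses
# and PSK are the placeholders from the original post).
IPSEC_CONF = """
ike esp from 192.168.0.0/24 to 192.168.30.0/29 \\
   local x.x.x.x peer x.x.x.x \\
   main auth hmac-md5 enc 3des \\
   quick auth hmac-md5 enc 3des \\
   psk "xxx"
"""

# Matches the 'from <net> to <net>' clause that defines the encryption domain.
FLOW_RE = re.compile(r"\bfrom\s+(\S+)\s+to\s+(\S+)")

Flow = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]
Rdr = Tuple[str, str, str]  # (match_src, match_dst, new_dst)


def parse_flows(conf: str) -> List[Flow]:
    """Extract (src_net, dst_net) pairs from every 'from X to Y' clause."""
    flows: List[Flow] = []
    for m in FLOW_RE.finditer(conf):
        src = ipaddress.ip_network(m.group(1), strict=False)
        dst = ipaddress.ip_network(m.group(2), strict=False)
        flows.append((src, dst))
    return flows


def in_encryption_domain(flows: List[Flow], src_ip: str, dst_ip: str) -> bool:
    """True if the (src, dst) pair is covered by at least one IPsec flow."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in flows)


def apply_rdr(src_ip: str, dst_ip: str, rdr: Rdr) -> Tuple[str, str]:
    """Simplified model of 'rdr from A to B -> C': only the destination is
    rewritten, and only when both source and destination match."""
    match_src, match_dst, new_dst = rdr
    if src_ip == match_src and dst_ip == match_dst:
        return src_ip, new_dst
    return src_ip, dst_ip


def will_traverse_tunnel(flows: List[Flow], src_ip: str, dst_ip: str,
                         rdr: Optional[Rdr] = None) -> bool:
    """NAT (here: rdr) happens first; the translated pair is then checked
    against the flows, which is where the poster's packets fall out."""
    if rdr is not None:
        src_ip, dst_ip = apply_rdr(src_ip, dst_ip, rdr)
    return in_encryption_domain(flows, src_ip, dst_ip)


if __name__ == "__main__":
    flows = parse_flows(IPSEC_CONF)
    # The poster's rule: rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
    rdr_rule: Rdr = ("10.210.1.2", "10.210.1.1", "192.168.30.1")
    print("LAN1 host via rdr:",
          will_traverse_tunnel(flows, "10.210.1.2", "10.210.1.1", rdr_rule))
    # A LAN2 host (constructed address) talking to the same LAN3 server.
    print("LAN2 host direct: ",
          will_traverse_tunnel(flows, "192.168.0.5", "192.168.30.1"))
```

After the rdr, the packet is 10.210.1.2 -> 192.168.30.1: the destination is now inside 192.168.30.0/29, but the source is still in 10.210.1.0/24, outside the `from 192.168.0.0/24` side of the flow, so the model reports it will not be tunnelled, while the LAN2 host is covered. The real flow lookup in the kernel is richer than this (protocol, ports, direction), but the source/destination mismatch shown here is exactly the failure the reply describes.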
