Dag Richards wrote:
Matiss Miglans wrote:
Hi good people !
I need to make a connection from a server which is in LAN1 to a server which is in LAN3. And I need to make another connection from that same server which is in LAN3 to that same server which is in LAN1. There are 3 different company Ethernets, and I need to make this connection through my company. There is no way to make a direct VPN from LAN1 to LAN3 - business etc.

|---LAN1---------|         |----OpenBSD------|          |------LAN2------|
|-10.210.1.0/24--|<------->|--Router/pf/vpn--|<-------->|-192.168.0.0/24-|
|----------------|         |-----------------|          |----------------|
                                    |
                                    | VPN IPsec over public Internet.
                                    |
|-------LAN3------|        |---Netscreen 5xt---|
|-192.168.30.0/29-|<------>|---Router/pf/vpn---|
|-----------------|        |-------------------|

This VPN is from LAN2 to LAN3.

I will make nat, rdr or binat, because I can't give direct access. I need to control what, where and how it can connect.
I tried to make a redirect like this:
rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
But the OpenBSD box can't see the LAN3 network, or the Netscreen box's internal IP. - I tried ping, telnet, ssh etc.
Of course I can see all that if I connect from LAN2 or LAN3.

How can I see this server in LAN3 from the OpenBSD box?
Or maybe there is a better way to do that?

In my pf.conf there is no deny rule.
Here is my ipsec.conf:
ike esp from 192.168.0.0/24 to 192.168.30.0/29  \
   local x.x.x.x peer x.x.x.x  \
   main auth hmac-md5 enc 3des  \
   quick auth hmac-md5 enc 3des  \
   psk "xxx"

This is an OpenBSD snapshot from 2007.26. Jan. (or something like that).

Best regards
Matiss

So you have a working VPN from LAN2 to LAN3 and reverse?
You cannot NAT on the same box you run ipsec on ...
NAT is applied first, then a routing decision is made, and if your IP addresses are outside your encryption 'domain' your traffic will not traverse the tunnel.


Are LAN1 and LAN2 really hosted off the same firewall?
If so then the statement "no VPN between LAN1 and LAN3" is silly.

In the layout as described you need to set up a VPN from LAN1 to LAN3.
You could possibly introduce an additional firewall to do NATing prior to VPN, but that would again be silly.
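
As an added illustration of the ordering point above (not code from the thread), a small Python model of what pf and the IPsec flow lookup do in sequence: rdr rewrites only the destination, and the tunnel is only used when both source and destination fall inside the flow from the posted ipsec.conf. The rdr rule and flow values are the ones posted; the function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Flow from the posted ipsec.conf: this is the tunnel's "encryption domain".
FLOW = (ip_network("192.168.0.0/24"), ip_network("192.168.30.0/29"))

# The posted rdr rule: from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
RDR_RULES = [("10.210.1.2", "10.210.1.1", "192.168.30.1")]


def apply_rdr(src, dst, rules=RDR_RULES):
    """Model pf rdr: only the destination is rewritten, the source is untouched."""
    for rule_src, rule_dst, new_dst in rules:
        if src == rule_src and dst == rule_dst:
            return src, new_dst
    return src, dst


def in_tunnel(src, dst, flow=FLOW):
    """Flow lookup after NAT/routing: both endpoints must sit inside the flow."""
    src_net, dst_net = flow
    return ip_address(src) in src_net and ip_address(dst) in dst_net


def path_for(src, dst):
    """Apply rdr first (as pf does), then decide whether the tunnel carries it."""
    new_src, new_dst = apply_rdr(src, dst)
    return {"after_rdr": (new_src, new_dst), "tunnel": in_tunnel(new_src, new_dst)}


if __name__ == "__main__":
    # The poster's case: destination lands in LAN3, but the source 10.210.1.2
    # is still outside 192.168.0.0/24, so the packet never enters the tunnel.
    print(path_for("10.210.1.2", "10.210.1.1"))
    # A LAN2 source (what a NAT done on a separate box in front of the VPN
    # would present) matches the flow and is carried by the tunnel.
    print(path_for("192.168.0.5", "192.168.30.1"))
```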

Yes, this VPN from LAN2 to LAN3 works great!
There are three companies, and I need to make this connection through my company. The idea is that I can make changes in the connection when I need. I can control all of that. There is no way to make a VPN from LAN1 to LAN3 - of course I too will make a VPN there, but...

Normally there is a route that shows the external interface and IP as the gateway. I changed that to 192.168.0.1 and now I can ping, ssh, etc. to LAN3 from this OpenBSD box. But anyway I can't forward/binat to LAN3.

I tried to set up one old Celeron box with OpenBSD that does only port forwarding from LAN1 to LAN3 and reverse.
This box is in LAN1 and LAN2, and it makes port forwarding like this:
rdr on fxp1 from 10.210.1.215 to 10.210.1.216 -> 192.168.30.2
That all works great. But that's not what I will make. I will make that on one box, because this is a very old box, and I do not know when it can die.


I don't understand: if I can see this network from the router, why can't I forward traffic to this network?!


Best regards
Matiss
