rc wrote:
On 4/5/07, Dag Richards <[EMAIL PROTECTED]> wrote:
Matiss Miglans wrote:
> Hi good people !
> I need to make connection from server witch is in LAN1 to server witch
> is in LAN3.
> And I need to make another connection from that same server witch is in
> LAN3 to that same server witch is in LAN1.
> There is 3 different company Ethernets, and I need to make this
> connection trough my company. There is no way to make direct VPN from
> LAN1 to LAN3 - Business etc.
>
> |---LAN1---------| |----OpenBSD------| |------LAN2------| > |-10.210.1.0/24--|<------->|--Router/pf/vpn--|<-------->|-192.168.0.0/24-| > |----------------| |-----------------| |----------------|
>                                  |
>                                  | VPN IPsec over public Internet.
>                                  |
> |-------LAN3------|        |---Netscreen 5xt---|
> |-192.168.30.0/29-|<------>|---Router/pf/vpn---|
> |-----------------|        |-------------------|
>
> This VPN is from LAN2 to LAN3
>
> I will make nat,rdr or binat, because I can't give direct access. I need
> to control what, where and how can connect.
> I tried to make redirect like this:
> rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
> But, OpenBSD box, cant see the LAN3 network, or Nestcreen box internal
> IP. - I tried ping, telnet, ssh etc.
> Of course I can see that all, if i connect from LAN2 or LAN3.
>
> How can I see this server in LAN3 from OpenBSD box ?
> Or maybe there is better way to do that ?
>
> In my pf.conf is no deny rulle
> There is my ipsec.conf:
> ike esp from 192.168.0.0/24 to 192.168.30.0/29  \
>    local x.x.x.x peer x.x.x.x  \
>    main auth hmac-md5 enc 3des  \
>    quick auth hmac-md5 enc 3des  \
>    psk "xxx"
>
> This is OpenBSD snapshot from 2007.26. Jan. (or something that way).
>
> Best regards
> Matiss
>
So you have working VPN from LAN2 to LAN# and reverse?
You can not NAT on the same box you run ipsec on ...
Nat is applied first, then a routing decision is made and if your ip
addr are outside your encryption 'domain' your traffic will not traverse
the tunnel.


Are LAN1 and LAN2 really hosted off the same firewall?
If so then the statement no " no VPN between LAN1 and LAN3" is silly.

In the layout as described you need to setup a VPN from LAN1 to LAN3.
You could possibly introduce an additional firewall to do nating prior
to VPN but that would be again silly.



Matiss,

There are three ways that you can connect to the servers:

1.  VPN (IPSEC)
2.  1 to 1 NAT (bidirectional NAT).  Opened to the world, if not
properly firewalled.  This will have to be done on both sides.
3.  Port forwarding (redirection with pf)  Opened to the world, if not
properly firewalled.  This will have to be done on both sides.
1. There is no way to make VPN from LAN1 to LAN3 - I'm also angry for that... 2. and 3. I tried - I have no idea how to make that trought VPN. Forwarding traffic over public Internet- I can firewall what I will, if this is non-crypted trafiic, that tis is not secure. .


I would choose 1. because the traffic is going to be encrypted going
over the Internet and still behind your firewall and NAT without being
opened to the world.

"I tried to make redirect like this:
rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1"

Implemented incorrectly:  http://www.openbsd.org/faq/pf/rdr.html
or if you want binat:  http://www.openbsd.org/faq/pf/nat.html#binat
I have read this FAQ's
I dont understand what are implemented incorrectly ?! If i try this on separated OpenBSD box, then that works great !
rdr on fxp1 from 10.210.1.215 to 10.210.1.216 -> 192.168.30.2
"You can not NAT on the same box you run ipsec on ...
Nat is applied first, then a routing decision is made and if your ip
addr are outside your encryption 'domain' your traffic will not traverse
the tunnel."

From my experience, this is not correct.  You can have NAT and IPSEC
running on the same box.  IPSEC takes precedence over NAT and routing.
Of course, NAT over routing.

rc
Do you have NAT over IPSEC or you have NAT and IPSEC on one box ?
I have no Idea where to search - i tried google, but nothing useful.

Best Regards
Matiss

Reply via email to