[Leaf-user] vpn routing

2002-03-08 Thread Phillip . Watts



It seems that I've seen this problem here before:


There are two dsl connections to the internet

behind one is an NT Proxy server.
behind the other is an Eiger router running LRP/IPSec.
Both masquerade

Behind both of those is a lan  123.x.x.x
AS400  123.x.x.1
Exchange Server 123.x.x.2

So the internal subnet for the Eiger is 123.x.x.0/24

A remote laptop with a dynamic address establishes a VPN connection
to the Eiger and accesses mail on 123.x.x.2.
How does the traffic back from the Exchange Server to the laptop
find its way back through the correct router, the Eiger?
I mean it can only have one default gateway. ??



___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] vpn routing

2002-03-08 Thread Charles Steinkuehler

> It seems that I've seen this problem here before:
>
> There are two dsl connections to the internet
>
> behind one is an NT Proxy server.
> behind the other is an Eiger router running LRP/IPSec.
> Both masquerade
>
> Behind both of those is a lan  123.x.x.x
> AS400  123.x.x.1
> Exchange Server 123.x.x.2
>
> So the internal subnet for the Eiger is 123.x.x.0/24
>
> A remote laptop with a dynamic address establishes a VPN connection
> to the Eiger.   And access mail on 123.x.x.2
> How does the traffic back from the Exchange Server to the laptop
> find its way back thru the correct router, the eiger.
> I mean it can only have one default gateway. ??

You either have to have the Eiger VPN gateway as the default route for the
exchange box, or setup a static route on the Exchange box pointing to the
remote endpoint of the VPN.  I've done the latter with subnet-subnet VPN's,
but I don't think it will work well with a host-subnet VPN, as the far end
IP isn't static...

It sounds like you're wanting to just use the Eiger box as a VPN gateway.
Another option would be to setup proxy-arp on the Eiger box, with two
internal NIC's.  Something like:

Internet
--------------------------
DSL1                  DSL2
  |                     |
  |              NT Proxy Server
  |                     |
  |           Internal net (123.x.x.0/24)
  |                     |
  |                   eth2
eth0-Eiger/Dachstein VPN gateway
               eth1
                |
     Internal net (123.x.x.0/24)
                |
         Exchange server

This gets around the routing problem because all packets will go through the
VPN gateway, even if "destined" for the IP of your NT proxy-server.  The
routing rules on the VPN gateway should make everything work properly, but I
haven't actually tested this setup.

NOTE:  While the above diagram may look kind of scary, it really isn't.  The
big problem will be getting the routing on the VPN box setup to use the
alternate DSL link (it would be much more straight-forward if the VPN
gateway simply routed all data out the NT Proxy server, and had one default
gateway), but you should be able to setup advanced routing rules based on
either firewall marks or protocol that sends VPN traffic out the DSL1 link,
and all other traffic out the NT proxy...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] vpn routing

2002-03-08 Thread Phillip . Watts



Hey, Charles,

 I had a weird idea I have no way to test right now.
 What if I had the Eiger masquerade both directions.
 The packet is unencapsulated.
 It goes through the forward chain.
 Its source address is masqueraded to the internal address.
 The Exchange server responds to that address.
 The NAT table converts the destination address of the
 response to the source address of the request.
 IPSec sees it and says that's mine.

  ??






Re: [Leaf-user] vpn routing

2002-03-08 Thread Charles Steinkuehler

>  I had a weird idea I have no way to test right now.
>  What if I had the Eiger masquerade both directions.
>  The packet is unencapsulated.
>  It goes through the forward chain.
>  Its source address is masqueraded to the internal address.
>  The Exchange server responds to that address.
>  The NAT table converts the destination address of the
>  response to the source address of the request.
>  IPSec sees it and says that's mine.

That should work, although you're a bit outside the existing firewall script
functionality.  Sounds like you really want a VPN gateway more than a
firewall, though, so maybe that's OK.

If you setup the above, you *WILL* have problems with M$ networking (which
doesn't like being masqueraded) over the VPN, so whether masquerading the
remote VPN system to your local net will work for you depends on exactly
which protocols you need to run.  I'm not sure about exchange (I stay as far
away from it as possible), but it may suffer the same problems that prevent
M$ networking from working properly when masqueraded if you're using the
'advanced' features and not just running in SMTP/POP/IMAP mode...


Good old Microsoft...where "enterprise networking" is a single collision
domain, all protocols use dynamically allocated ports, and IP information is
embedded in datagrams, to break that pesky masquerading...remember, at
Micro$oft, security is more than just an afterthought, it's a Marketing
Slogan!!!

I'm personally glad to live in one of the states that parted ways with
Justice on the M$ anti-trust case.


Sorry about that...I think something in me just snaps whenever anyone
mentions "Exchange server"

At least you're looking for an alternate solution for your VPN...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)





Re: [Leaf-user] vpn routing

2002-03-09 Thread Phillip . Watts



Charles,

 I did find a way to test it and the reverse masquerading WORKED!
 ( which I think is cute as hell and solves a major problem of multiple
 routes to the internet. )

 With one problem.

 When the ipsec connection is made, ipsec INSERTS rules into the
 forward chain.  They appear BEFORE the MASQ rules.  These rules
 put in ACCEPTS for destinations to the vpn clients.

 Clever fellows, made sure any reverse traffic would be accepted.
 Problem is they superseded my MASQ rules.  No NAT, the packet can't
 get back into ipsec.

 If I rerun my firewall script after the connection is established,
 destroying their rules, MASQ happens again and I can communicate fine.

 If they had ADDED those rules rather than INSERTING them, I believe all
 would be well.
 You don't happen to know of an option which overrides this behaviour?

 I can't think of a clever way to watch for this situation and override it
 that would be timely without being burdensome.

 Thanx, Phil.




Re: [Leaf-user] vpn routing

2002-03-09 Thread Charles Steinkuehler

>  I did find a way to test it and the reverse masquerading WORKED!
>  ( which I think is cute as hell and solves a major problem of multiple
>  routes to the internet. )
>
>  With one problem.
>
>  When the ipsec connection is made, ipsec INSERTS rules into the
>  forward chain.  They appear BEFORE the MASQ rules.  These rules
>  put in ACCEPTS for destinations to the vpn clients.
>
>  Clever fellows, made sure any reverse traffic would be accepted.
>  Problem is they superseded my MASQ rules.  No NAT, the packet can't
>  get back into ipsec.
>
>  If I rerun my firewall script after the connection is established,
>  destroying their rules, MASQ happens again and I can communicate fine.
>
>  If they had ADDED those rules rather than INSERTING them, I believe all
>  would be well.
>  You don't happen to know of an option which overrides this behaviour?
>
>  I can't think of a clever way to watch for this situation and override it
>  that would be timely without being burdensome.

This is done by the _updown script.  You can either customize the _updown
script, or use [left|right]firewall=no in your ipsec.conf file, which will
also prevent holes from being automatically created for the protocol 50
traffic, so you'll have to explicitly allow that as well.

IPSec scripts are in /usr/local/lib/ipsec IIRC...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
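The fix the thread lands on, as an added worked example (editorial code: not the stock FreeS/WAN _updown script, not Phil's modified copy and not a LEAF firewall script). It is the up-client / down-client handling for a customized _updown on an ipchains (2.2 kernel) box such as Eiger or Dachstein, written so that the per-connection rules are appended behind the firewall script's rules instead of inserted ahead of them, and so that the road warrior's traffic into the LAN is masqueraded to the gateway's inside address, which is Phil's "masquerade both directions" idea. Assumed rather than stated on the page: the PLUTO_* environment variables are the ones FreeS/WAN's pluto documents for updown scripts (PLUTO_VERB, PLUTO_INTERFACE, PLUTO_MY_CLIENT_NET/MASK, PLUTO_PEER_CLIENT_NET/MASK); eth1 is the inside interface; the function names and the dispatch at the end are this example's own, since the stock script's layout differs between FreeS/WAN releases. The road-warrior and LAN addresses in the dry run are constructed, with 123.0.0.0/24 standing in for the thread's 123.x.x.0/24.

```shell
#!/bin/sh
# Added example (editorial, not the stock FreeS/WAN _updown): up-client /
# down-client handling for a customized _updown on an ipchains (2.2) box.
#
#  1. Rules are APPENDED (-A), never INSERTED (-I): ipchains is first-match,
#     so an ACCEPT inserted at the head of the forward chain is hit before
#     the firewall script's MASQ rule and the packet is forwarded un-NATed.
#  2. Road warrior -> LAN is masqueraded to the gateway's inside address, so
#     the Exchange server answers the gateway; the kernel demasquerades the
#     reply before routing and it goes back out ipsec0, with no route change
#     on the Exchange server.
#
# Assumed (not from the page): pluto exports PLUTO_VERB, PLUTO_INTERFACE,
# PLUTO_MY_CLIENT_NET/MASK and PLUTO_PEER_CLIENT_NET/MASK as FreeS/WAN's
# updown interface documents; eth1 is the inside interface.  IPCHAINS can be
# pointed at "echo" to print the rules instead of loading them.

IPCHAINS="${IPCHAINS:-ipchains}"
INSIDE_IF="${INSIDE_IF:-eth1}"

# Road warrior -> LAN.  MASQ implies ACCEPT in ipchains, so one rule both
# permits and rewrites.  On the forward chain -i is the OUTGOING interface.
client_to_lan() {
    echo "forward -i $INSIDE_IF" \
         "-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" \
         "-d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
         "-j MASQ"
}

# LAN -> road warrior for sessions the LAN side opens itself.  Replies to
# masqueraded traffic are demasqueraded by the kernel and skip the forward
# chain, so they do not depend on this rule.
lan_to_client() {
    echo "forward -i $PLUTO_INTERFACE" \
         "-s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK" \
         "-d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" \
         "-j ACCEPT"
}

# Same rule text for -A and -D, so down-client removes exactly what
# up-client added.  The command substitutions are deliberately unquoted:
# word splitting turns the rule text into ipchains arguments.
upclient() {
    $IPCHAINS -A $(client_to_lan)
    $IPCHAINS -A $(lan_to_client)
}

downclient() {
    $IPCHAINS -D $(client_to_lan)
    $IPCHAINS -D $(lan_to_client)
}

# pluto calls the script with PLUTO_VERB set.  Only the two verbs changed
# here are handled; the others (prepare/route/unroute/up-host/down-host)
# stay with the stock script in a real customized copy.  With PLUTO_VERB
# unset (run by hand) print a dry run for a constructed road warrior
# 10.9.8.7 reaching the constructed LAN 123.0.0.0/24.
case "${PLUTO_VERB:-}" in
    up-client)   upclient ;;
    down-client) downclient ;;
    "")
        ( IPCHAINS=echo PLUTO_INTERFACE=ipsec0
          PLUTO_MY_CLIENT_NET=123.0.0.0   PLUTO_MY_CLIENT_MASK=255.255.255.0
          PLUTO_PEER_CLIENT_NET=10.9.8.7  PLUTO_PEER_CLIENT_MASK=255.255.255.255
          upclient )
        ;;
esac
```

Appending only helps if the firewall script leaves the end of the forward chain reachable (a deny chain policy rather than a final catch-all rule); if the script ends the chain with an explicit DENY, insert at a numbered position after its MASQ rules instead (ipchains -I forward N ...). The customized copy is selected with leftupdown= in ipsec.conf; with leftfirewall=no, as Charles notes, nothing is opened automatically and the firewall script itself must pass protocol 50 (ESP) and UDP 500 (IKE) on the outside interface. On a 2.4/iptables box the same idea lives in the nat table (-t nat -A POSTROUTING -o eth1 -s client -d lan -j MASQUERADE) rather than in the forward chain.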





Re: [Leaf-user] vpn routing

2002-03-11 Thread Phillip . Watts



Yessir, I finally found this in the online docs at freeswan over the weekend.
Made the change to _updown and everything's cool.

This is such a nice elegant solution to multiple router/connections, I think
I will write it up and send it to the group.  It obviously has an application
without a VPN.   I wonder if there is much performance penalty for
bidirectional masquerading?
