Re: [gentoo-user] [OT] "The Internet as a big subnet"
On Monday 28 February 2005 17:14, Mike Williams wrote:
> I'm running 2.6, so no ipsecX virtual interfaces :(

Got it, and this was the problem. Essentially, what I was doing was correct. It was the KAME ipsec code in 2.6 that was screwing me around.

Moved back to 2.4 headers, un-nptl'ised glibc, compiled a gentoo-sources kernel, and after rebuilding openswan it magically worked! It's also nice to have ipsecX virtual interfaces; it makes routing far nicer.

Does anyone use openswan 2.3 yet? It's supposed to use their KLIPS code in place of KAME's.

Cheers
--
Mike Williams
Re: [gentoo-user] [OT] "The Internet as a big subnet"
On Monday 28 February 2005 22:52, Mike Williams wrote:
> > Looking at it though, why don't you set up the PCs on the local network
> > to use a gateway on the Datacenter network (say 'firewall' on the
> > Datacenter bit). 'West' would then act as a router sending the data
> > through East, into the firewall and out?
>
> Now then, that's an idea!

Engage brain -> type.

That won't work; the office PCs have to use the office firewall as their gateway.

I think what I really need is a way to exclude subnets from the subnet declaration in ipsec.conf, as openswan is overriding *all* routing with the 0.0.0.0/0 subnet. The local PCs can't even ping it when it's running. A "normal" subnet-to-subnet VPN works as expected.
--
Mike Williams
Re: [gentoo-user] [OT] "The Internet as a big subnet"
On Monday 28 February 2005 21:47, Jonathan Wright wrote:
> I've not really done much with VPNs, at least not in the way you're
> trying to configure it. I'm not sure how to have two 'catch-all'
> gateways, 'cause the one for the VPN would override the original one for
> the internet, and then the VPN would be trying to send through itself.

Ahh, that's why I purposely removed the default route, and added a host route to the datacentre firewall, before bringing the VPN up :)

> Looking at it though, why don't you set up the PCs on the local network
> to use a gateway on the Datacenter network (say 'firewall' on the
> Datacenter bit). 'West' would then act as a router sending the data
> through East, into the firewall and out?

Now then, that's an idea!

> OR, what about setting up a general firewall rule on West, so that any
> connections which would go 'out' onto the internet be routed through the
> VPN?

In theory, I shouldn't need any firewall rules on west, at least no MASQ or SNAT rules. The PCs would be directly routable by both firewalls, due to the VPN.

> I'm not even sure any of this is workable - just thought I'd throw out
> some ideas? :)

Ideas are always welcome, especially those which point me in a new direction! Thanks.
--
Mike Williams
Re: [gentoo-user] [OT] "The Internet as a big subnet"
Mike,

I've not really done much with VPNs, at least not in the way you're trying to configure it. I'm not sure how to have two 'catch-all' gateways, 'cause the one for the VPN would override the original one for the internet, and then the VPN would be trying to send through itself.

Looking at it though, why don't you set up the PCs on the local network to use a gateway on the Datacenter network (say 'firewall' on the Datacenter bit). 'West' would then act as a router sending the data through East, into the firewall and out?

OR, what about setting up a general firewall rule on West, so that any connections which would go 'out' onto the internet be routed through the VPN?

I'm not even sure any of this is workable - just thought I'd throw out some ideas? :)

HTH,
--
Jonathan Wright
Life has no meaning unless we can enjoy what we've been given
--
Running on Gentoo Linux (2.6.10-gentoo-r7-djnauk-b03 i686 AMD Athlon(tm) XP 2100+ GNU/Linux)
--
gentoo-user@gentoo.org mailing list
[gentoo-user] [OT] "The Internet as a big subnet"
Hey,

I have a problem. That should be fairly easily resolvable. But it isn't. The available documentation sucks. And my head hurts.

http://wiki.openswan.org/index.php/The%20Internet%20as%20a%20big%20subnet

I have an office, I have a datacentre. If the office accesses the internet it must not appear to come from the office. The office can appear to the internet as the datacentre.

So, I thought I'd stick up a VPN with the remote subnet as 0.0.0.0/0 on the office firewall, and the local subnet as 0.0.0.0/0 on the datacentre firewall. I removed the office firewall's default route, and added a specific host route to the datacentre firewall.

The VPN establishes itself fine, and openswan creates 2 new routing rules on the office firewall:

0.0.0.0          xxx.xxx.xxx.xxx  128.0.0.0        UG   0  0  0  eth2
128.0.0.0        xxx.xxx.xxx.xxx  0.0.0.0          UG   0  0  0  eth2

xxx.xxx.xxx.xxx is the office firewall's nexthop.

I'm running 2.6, so no ipsecX virtual interfaces :(

Now two things change.

1) I can access the internet from the office firewall, but I appear as the office, not the datacentre. Which shouldn't happen, as I removed the default route out its own router, and set up one via the datacentre with openswan.

2) I can't access anything on its internal interface, and machines behind it can't access it.

Seems like openswan is trying to send *everything* out the internet connection.

Is there anyone who can tell/show me how to create a default route over a subnet-subnet ipsec vpn, without screwing up internal access?

Cheers
--
Mike Williams