Charles,
I did find a way to test it and the reverse masquerading WORKED!
(which I think is cute as hell and solves a major problem of multiple
routes to the internet.)
With one problem.
When the ipsec connection is made, ipsec INSERTS rules into the
forward chain. They appear BEFORE the MASQ rules. These rules
put in ACCEPTS for destinations to the vpn clients.
Clever fellows, made sure any reverse traffic would be accepted.
Problem is they superseded my MASQ rules. No NAT, the packet can't
get back into ipsec.
If I rerun my firewall script after the connection is established,
destroying their rules, MASQ happens again and I can communicate fine.
If they had ADDED those rules rather than INSERTING them, I believe all
would be well.
You don't happen to know of an option which overrides this behaviour?
I can't think of a clever way to watch for this situation and override it
that would be timely without being burdensome.
Thanx, Phil.
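A way to watch for the situation Phil describes, as an added example that is not part of the thread: parse the forward-chain listing and report any ACCEPT rule that would match LAN-to-VPN-client reply traffic before the MASQ rule is reached. The listing below is a constructed sample in the shape of `ipchains -L forward -n` output (the column layout is an assumption); the LAN and VPN-client subnets are likewise made-up values, and `check_live()` is a hypothetical helper that feeds the real listing to the same check.

```python
"""Detect IPsec ACCEPT rules inserted ahead of MASQ in the ipchains forward chain.

Added example, not code from the thread. Feed check_forward_chain() the text of
`ipchains -L forward -n`; an empty result means masquerading still wins for
replies from the LAN to the VPN clients.
"""
import ipaddress
import subprocess

# Constructed sample of what the forward chain might look like after an IPsec
# tunnel comes up: the ACCEPT rules for the VPN clients sit ahead of MASQ.
SAMPLE_LISTING = """\
Chain forward (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  0.0.0.0/0            10.8.0.0/24           n/a
ACCEPT     all  ------  10.8.0.0/24          0.0.0.0/0             n/a
MASQ       all  ------  123.1.1.0/24         0.0.0.0/0             n/a
"""


def parse_chain(listing):
    """Return (target, source, destination) tuples in chain order.

    Assumes the listing format shown in SAMPLE_LISTING: target, prot, opt,
    source, destination, ports.  Header lines are skipped.
    """
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] in ("Chain", "target"):
            continue
        rules.append((parts[0], parts[3], parts[4]))
    return rules


def check_forward_chain(listing, lan_subnet, vpn_subnet):
    """Return ACCEPT rules that catch LAN -> VPN-client traffic before MASQ.

    A rule is reported when it precedes the first MASQ rule, its source range
    overlaps the LAN and its destination range overlaps the VPN clients, since
    a reply packet matching it is accepted unmasqueraded and never re-enters
    the tunnel correctly.
    """
    lan = ipaddress.ip_network(lan_subnet, strict=False)
    vpn = ipaddress.ip_network(vpn_subnet, strict=False)
    offending = []
    for target, source, destination in parse_chain(listing):
        if target == "MASQ":
            break  # rules after MASQ cannot shadow it
        if target != "ACCEPT":
            continue
        src = ipaddress.ip_network(source, strict=False)
        dst = ipaddress.ip_network(destination, strict=False)
        if src.overlaps(lan) and dst.overlaps(vpn):
            offending.append((target, source, destination))
    return offending


def check_live(lan_subnet, vpn_subnet):
    """Hypothetical helper: run ipchains on the box and check its real output."""
    out = subprocess.run(["ipchains", "-L", "forward", "-n"],
                         capture_output=True, text=True, check=True).stdout
    return check_forward_chain(out, lan_subnet, vpn_subnet)


if __name__ == "__main__":
    for rule in check_forward_chain(SAMPLE_LISTING, "123.1.1.0/24", "10.8.0.0/24"):
        print("ACCEPT shadows MASQ for VPN replies:", rule)
```

Run from cron or after the tunnel comes up; a non-empty result is the cue to re-run the firewall script (or re-add the MASQ rule ahead of the inserted ACCEPTs), which is exactly the manual workaround described above.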
"Charles Steinkuehler" <[EMAIL PROTECTED]> on 03/08/2002 03:27:44 PM
To: Phillip Watts/austin/Nlynx@Nlynx, [EMAIL PROTECTED]
cc:
Subject: Re: [Leaf-user] vpn routing
> It seems that I've seen this problem here before:
>
> There are two dsl connections to the internet
>
> behind one is an NT Proxy server.
> behind the other is an Eiger router running LRP/IPSec.
> Both masquerade
>
> Behind both of those is a lan 123.x.x.x
> AS400 123.x.x.1
> Exchange Server 123.x.x.2
>
> So the internal subnet for the Eiger is 123.x.x.0/24
>
> A remote laptop with a dynamic address establishes a VPN connection
> to the Eiger. And access mail on 123.x.x.2
> How does the traffic back from the Exchange Server to the laptop
> find its way back thru the correct router, the eiger.
> I mean it can only have one default gateway. ??
You either have to have the Eiger VPN gateway as the default route for the
exchange box, or setup a static route on the Exchange box pointing to the
remote endpoint of the VPN. I've done the latter with subnet-subnet VPNs,
but I don't think it will work well with a host-subnet VPN, as the far end
IP isn't static...
It sounds like you're wanting to just use the Eiger box as a VPN gateway.
Another option would be to setup proxy-arp on the Eiger box, with two
internal NIC's. Something like:
                    Internet
                    ---------
              DSL1           DSL2
               |               |
               |        NT Proxy Server
               |               |
               |    Internal net (123.x.x.0/24)
               |               |
               |              eth2
             eth0-Eiger/Dachstein VPN gateway
                             eth1
                               |
                   Internal net (123.x.x.0/24)
                               |
                        Exchange server
This gets around the routing problem because all packets will go through the
VPN gateway, even if "destined" for the IP of your NT proxy-server. The
routing rules on the VPN gateway should make everything work properly, but I
haven't actually tested this setup.
NOTE: While the above diagram may look kind of scary, it really isn't. The
big problem will be getting the routing on the VPN box setup to use the
alternate DSL link (it would be much more straight-forward if the VPN
gateway simply routed all data out the NT Proxy server, and had one default
gateway), but you should be able to setup advanced routing rules based on
either firewall marks or protocol that sends VPN traffic out the DSL1 link,
and all other traffic out the NT proxy...
Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user