Darcy (Home) wrote:
| Good day All,
|
| I am trying to figure out how to route over IPsec to one site, then over
| OpenVPN to another site, as well as a few general questions re OpenVPN.
|
| 1. I have 8 sites to deal with. All sites will connect to Site #2, but
| I also need to get to Site #1 from Site #3 via Site #2. I have started
| migrating from IPsec to OpenVPN, and during this process, until I can
| upgrade all locations to OpenVPN, I will have to run them concurrently.
| Site #1 is the exception, where I no longer have access to IPsec, only
| OpenVPN.
|
| 2. A few quick questions re OpenVPN:
| Can I run both client and server on the same FW?
| If yes, do I use the same tap0 and UDP port 1194 for both?

I don't use OpenVPN, so can't help with this...

| 3. Now the tricky part:
|
| From Site #1 I have an OpenVPN tunnel established to Site #2, where
| Site #2 is acting as the OpenVPN server and Site #1 as the OpenVPN client.
|
| From Site #3 I have an IPsec tunnel to Site #2.
|
| I no longer have my IPsec tunnel between Site #1 and Site #3.
| All other 5 sites connect to Site #2 through IPsec, but I plan to migrate
| this to OpenVPN as well.
|
| How do I add a route so that any traffic to/from Site #1 to/from
| Site #3 is routed through Site #2?

Well, adding a route is the easy part...just "ip route help" (for the new
iproute2 utility). The problem is getting the traffic to actually go
through your IPsec tunnel.

| Here are the routes from Site #2 and Site #3

<snip>

| *** How do I add the route 192.168.147.0/24 to Location 3????

IPsec links are *VERY* picky about the traffic they pass...they will *NOT*
encrypt anything that isn't part of the tunnel specification (each end can
be a subnet or a single IP). That means if you have an IPsec link from #3
to #2, that tunnel will barf on traffic with a source/dest IP of #1, and it
will not go through the link.

Two of the generally used solutions to this problem are:

1) Create a full (or partial) mesh network, with unique IPsec tunnels for
   each pair of endpoints that needs to talk. From your description, I
   think this is how you had things set up before you were apparently
   forced to migrate to OpenVPN.

2) Create GRE tunnels on top of IPsec point-to-point links, and route
   traffic (and optionally routing protocols) through the GRE tunnels.
   Google will turn up a lot of info on getting this sort of setup working.

In your case, you may be able to 'cheat' and create a second tunnel between
#3 and #2 with the #2-side subnet set to the IP range of #1. That way, #3
will happily encrypt traffic destined to #1, sending it via IPsec to #2,
which should then decrypt the traffic and send it via OpenVPN to #1. Think
of #2 as an IPsec gateway with the "local" network attached via an OpenVPN
link to #1!

NOTE: I have never actually set up anything quite like this, but AFAIK it
should work...

HTH,

--
Charles Steinkuehler
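The selector-versus-route distinction in the reply above, worked through as an added example (this is not code from the thread, nor from any LEAF, FreeS/WAN or OpenVPN component): a small Python model of the IPsec security policy databases (SPDs) at Site #3 and Site #2 together with Site #2's routing table. Site #1's 192.168.147.0/24 is the prefix from the thread; the 10.2.0.0/24 and 10.3.0.0/24 prefixes for Sites #2 and #3, the interface names and the peer labels are assumed for the illustration. It shows that with only the #3<->#2 conn a packet from #3 to #1 matches no selector and so leaves #3 unprotected (or is dropped, depending on the IPsec stack), that the "cheat" conn covers it and lets #2's routing table hand the decrypted packet to the OpenVPN interface, and that the reply direction only works once #2 also carries the 192.168.147.0/24 <-> Site #3 selector (which both ends of a real conn get from the same leftsubnet/rightsubnet pair).

```python
"""Why a route alone does not push traffic through an IPsec tunnel.

Added example for the leaf-user thread; not code from the original post.
IPsec encrypts only packets matching an SPD selector (src subnet, dst subnet);
the routing table merely picks an interface. Site #1's prefix is from the
thread; the other prefixes, interface names and peer labels are assumed.
"""
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
SITE1 = Net("192.168.147.0/24")  # from the thread; reached via OpenVPN from #2
SITE2 = Net("10.2.0.0/24")       # assumed
SITE3 = Net("10.3.0.0/24")       # assumed


@dataclass(frozen=True)
class Policy:
    src: Net
    dst: Net
    peer: str   # IPsec gateway that terminates the tunnel for this selector


def spd_match(spd, src_ip, dst_ip):
    """Return the first policy whose selector covers the packet, else None."""
    for p in spd:
        if src_ip in p.src and dst_ip in p.dst:
            return p
    return None


def route(table, dst_ip):
    """Longest-prefix-match lookup; table maps network -> outgoing interface."""
    best = None
    for net, iface in table.items():
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else "default (cleartext)"


# Site #2's routing table (assumed): Site #1 is behind the OpenVPN tap interface.
SITE2_ROUTES = {
    SITE2: "eth1 (local LAN)",
    SITE1: "tap0 (OpenVPN to site1)",
    SITE3: "ipsec (to site3)",
}

# Original setup: only the #3<->#2 conn exists; nothing covers #1's prefix.
SPD_SITE3_ORIGINAL = [Policy(SITE3, SITE2, "site2")]
SPD_SITE2_ORIGINAL = [Policy(SITE2, SITE3, "site3")]

# The "cheat": a second conn whose #2-side subnet is Site #1's range.
# Both gateways install their half of the same subnet pair.
SPD_SITE3_CHEAT = SPD_SITE3_ORIGINAL + [Policy(SITE3, SITE1, "site2")]
SPD_SITE2_CHEAT = SPD_SITE2_ORIGINAL + [Policy(SITE1, SITE3, "site3")]


def trace(src_ip, dst_ip, spd_site3, spd_site2):
    """Follow a Site #3 -> Site #1 packet and its reply; return the hop log."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    log = []
    pol = spd_match(spd_site3, src, dst)
    if pol is None:
        # No selector: the packet is not IPsec-protected. Whether it is
        # dropped or leaves in the clear depends on the stack; either way
        # the route did not help.
        log.append("site3: no SPD selector covers %s -> %s; not encrypted" % (src, dst))
        return log
    log.append("site3: ESP to %s (selector %s -> %s)" % (pol.peer, pol.src, pol.dst))
    # Site #2 decrypts, then ordinary routing sends it into OpenVPN.
    log.append("site2: decrypt, forward via " + route(SITE2_ROUTES, dst))
    # Reply path: Site #2 needs its own selector for Site #1 -> Site #3.
    rpol = spd_match(spd_site2, dst, src)
    if rpol is None:
        log.append("site2: reply %s -> %s has no selector; not encrypted" % (dst, src))
    else:
        log.append("site2: reply ESP to %s (selector %s -> %s)" % (rpol.peer, rpol.src, rpol.dst))
    return log


if __name__ == "__main__":
    for label, s3, s2 in (("original", SPD_SITE3_ORIGINAL, SPD_SITE2_ORIGINAL),
                          ("cheat", SPD_SITE3_CHEAT, SPD_SITE2_CHEAT)):
        print("== %s ==" % label)
        for hop in trace("10.3.0.10", "192.168.147.20", s3, s2):
            print("  " + hop)
```

Two practical caveats the model leaves out: Site #2 must have IP forwarding enabled, and its OpenVPN server must know that 192.168.147.0/24 sits behind the Site #1 client (a server-side `route` for the prefix plus an `iroute` in that client's client-config-dir entry, which is standard OpenVPN behaviour for a LAN behind a client); Site #1 in turn needs a route for Site #3's prefix pointing into its OpenVPN tunnel, or the replies never reach #2's SPD at all.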
