Re: Redirect traffic through VPN
Dag Richards wrote:
> Matiss Miglans wrote:
>> Hi good people!
>>
>> I need to make a connection from a server which is in LAN1 to a server which is in LAN3. And I need to make another connection from that same server which is in LAN3 to that same server which is in LAN1. There are 3 different company Ethernets, and I need to make this connection through my company. There is no way to make a direct VPN from LAN1 to LAN3 - business etc.
>>
>> |---LAN1---------|   |---OpenBSD-------|   |---LAN2---------|
>> |-10.210.1.0/24--|---|--Router/pf/vpn--|---|-192.168.0.0/24-|
>>                               |
>>                               |  VPN IPsec over public Internet
>>                               |
>> |---LAN3----------|   |---Netscreen 5xt---|
>> |-192.168.30.0/29-|---|---Router/pf/vpn---|
>>
>> This VPN is from LAN2 to LAN3.
>>
>> I will make nat, rdr or binat, because I can't give direct access. I need to control what can connect, where and how.
>>
>> I tried to make a redirect like this:
>>
>>     rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
>>
>> But the OpenBSD box can't see the LAN3 network, or the Netscreen box's internal IP - I tried ping, telnet, ssh etc. Of course I can see all that if I connect from LAN2 or LAN3.
>>
>> How can I see this server in LAN3 from the OpenBSD box? Or maybe there is a better way to do that?
>>
>> In my pf.conf there is no deny rule.
>>
>> Here is my ipsec.conf:
>>
>>     ike esp from 192.168.0.0/24 to 192.168.30.0/29 \
>>         local x.x.x.x peer x.x.x.x \
>>         main auth hmac-md5 enc 3des \
>>         quick auth hmac-md5 enc 3des \
>>         psk xxx
>>
>> This is an OpenBSD snapshot from 26 Jan 2007 (or something like that).
>>
>> Best regards
>> Matiss
>
> So you have a working VPN from LAN2 to LAN3 and reverse?
>
> You can not NAT on the same box you run ipsec on ... NAT is applied first, then a routing decision is made, and if your IP addresses are outside your encryption 'domain' your traffic will not traverse the tunnel.
>
> Are LAN1 and LAN2 really hosted off the same firewall? If so then the statement "no VPN between LAN1 and LAN3" is silly. In the layout as described you need to set up a VPN from LAN1 to LAN3.
>
> You could possibly introduce an additional firewall to do NATing prior to the VPN, but that would again be silly.

Yes, this VPN from LAN2 to LAN3 works great!

There are three companies, and I need to make this connection through my company. The idea is that I can make changes to the connection when I need to. I can control all of that. There is no way to make a VPN from LAN1 to LAN3 - of course I too would make a VPN there, but...

Normally there is a route that shows the external interface and IP as the gateway; I changed that to 192.168.0.1, and now I can ping, ssh, etc. to LAN3 from this OpenBSD box. But anyway, I can't forward/binat to LAN3.

I tried to set up one old Celeron box with OpenBSD that does only port forwarding from LAN1 to LAN3 and reverse. This box is in LAN1 and LAN2; it does port forwarding like this:

    rdr on fxp1 from 10.210.1.215 to 10.210.1.216 -> 192.168.30.2

That all works great. But that's not what I want. I want to do it on one box, because this is a very old box, and I do not know when it may die.

I don't understand: if I can see this network from the router, why can't I forward traffic to this network?!

Best regards
Matiss
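The question Matiss asks here (the box can reach LAN3 after the route change, so why can forwarded LAN1 traffic not be redirected there?) and the ordering claim Dag makes above both come down to one check: after pf has translated a packet, does its (source, destination) pair still fall inside the flow negotiated in ipsec.conf? The script below models that check. It is an added example, not code from the thread or from OpenBSD; the addresses and the flow are the ones Matiss posted, everything else is an assumption marked in the comments. Because the thread disputes whether NAT or the SPD lookup runs first, both orderings are modelled, and two things hold regardless of the order: an rdr rule only rewrites the destination, so a forwarded packet from 10.210.1.2 never acquires a source inside 192.168.0.0/24 and never matches the flow; and a locally generated packet takes the address of the interface its route leaves by, so pointing the route at 192.168.0.1 gives the box's own pings a source that does match, which is why ping worked while forwarding did not. The source-NAT rule that maps LAN1 into 192.168.0.1 is hypothetical and not from the thread; 203.0.113.10 is a constructed stand-in for the x.x.x.x external address; `guard` stands for a pf block rule that Matiss says his pf.conf does not have.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Flow:
    """One 'ike esp from A to B' line of ipsec.conf: the negotiated
    encryption domain.  Only packets whose (src, dst) fall inside it
    are handed to the tunnel."""
    local_net: str
    remote_net: str

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.local_net)
                and ip_address(pkt.dst) in ip_network(self.remote_net))


@dataclass(frozen=True)
class NatRule:
    """A pf translation rule reduced to the part that matters here:
    'rdr' rewrites the destination, 'nat' rewrites the source."""
    kind: str        # "rdr" or "nat"
    match_src: str
    match_dst: str
    new_addr: str

    def apply(self, pkt: Packet) -> Packet:
        if (ip_address(pkt.src) in ip_network(self.match_src)
                and ip_address(pkt.dst) in ip_network(self.match_dst)):
            field = "dst" if self.kind == "rdr" else "src"
            return replace(pkt, **{field: self.new_addr})
        return pkt


def translate(pkt: Packet, rules) -> Packet:
    # rdr rules are listed before nat rules, mirroring pf applying rdr on
    # the inbound interface and nat on the outbound one.
    for rule in rules:
        pkt = rule.apply(pkt)
    return pkt


def disposition(pkt, nat_rules, flows, remote_nets, nat_before_spd, guard=True):
    """Where the packet ends up:
         'tunnel'    it matched a flow and leaves encrypted
         'blocked'   no flow matched, but its destination is a network that is
                     only reachable through the tunnel and a pf rule drops it
         'cleartext' no flow matched and nothing stops it, so it follows the
                     routing table to the default gateway unencrypted
       nat_before_spd selects which of the two orderings argued in the thread
       the SPD lookup sees (assumption: the thread does not settle it)."""
    spd_view = translate(pkt, nat_rules) if nat_before_spd else pkt
    if any(f.matches(spd_view) for f in flows):
        return "tunnel"
    final = translate(pkt, nat_rules)
    if guard and any(ip_address(final.dst) in ip_network(n) for n in remote_nets):
        return "blocked"
    return "cleartext"


# The flow Matiss posted and the network it reaches.
FLOWS = [Flow("192.168.0.0/24", "192.168.30.0/29")]
REMOTE_NETS = ["192.168.30.0/29"]

# His rule: rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
RDR_ONLY = [NatRule("rdr", "10.210.1.2/32", "10.210.1.1/32", "192.168.30.1")]

# Hypothetical extra rule, not from the thread: map LAN1 sources to the
# firewall's LAN2 address so the SPD sees a source inside the negotiated domain.
RDR_PLUS_NAT = RDR_ONLY + [NatRule("nat", "10.210.1.0/24", "192.168.30.0/29", "192.168.0.1")]

LAN1_CLIENT = Packet("10.210.1.2", "10.210.1.1")        # forwarded LAN1 traffic
FROM_EXT_ADDR = Packet("203.0.113.10", "192.168.30.1")  # box's own ping, route via ext_if (203.0.113.10 is a constructed stand-in for x.x.x.x)
FROM_LAN2_ADDR = Packet("192.168.0.1", "192.168.30.1")  # box's own ping after the route change


def thread_scenarios():
    """The cases the thread describes, evaluated under both orderings."""
    return {
        "rdr only, NAT first": disposition(LAN1_CLIENT, RDR_ONLY, FLOWS, REMOTE_NETS, True),
        "rdr only, SPD first": disposition(LAN1_CLIENT, RDR_ONLY, FLOWS, REMOTE_NETS, False),
        "rdr+nat, NAT first": disposition(LAN1_CLIENT, RDR_PLUS_NAT, FLOWS, REMOTE_NETS, True),
        "rdr+nat, SPD first": disposition(LAN1_CLIENT, RDR_PLUS_NAT, FLOWS, REMOTE_NETS, False),
        "box ping, ext src, no guard": disposition(FROM_EXT_ADDR, [], FLOWS, REMOTE_NETS, True, guard=False),
        "box ping, LAN2 src": disposition(FROM_LAN2_ADDR, [], FLOWS, REMOTE_NETS, True),
    }


if __name__ == "__main__":
    for name, where in thread_scenarios().items():
        print(f"{name:30} -> {where}")
```

The "cleartext" outcome is the one to take seriously: a packet that matches no flow is not dropped by IPsec, it is simply routed, and with a default route out the external interface that means a private destination leaves for the ISP unencrypted. Whatever translation scheme is chosen, a pf rule blocking traffic to 192.168.30.0/29 on the external interface keeps a mismatch from becoming a leak. To see which ordering the box actually implements, send a forwarded test packet and watch with tcpdump on enc0 and on the external interface: it appears on enc0 only if it was handed to the tunnel.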
Re: Redirect traffic through VPN
rc wrote:
> On 4/5/07, Dag Richards [EMAIL PROTECTED] wrote:
>> Matiss Miglans wrote:
>>> Hi good people!
>>>
>>> I need to make a connection from a server which is in LAN1 to a server which is in LAN3. And I need to make another connection from that same server which is in LAN3 to that same server which is in LAN1. There are 3 different company Ethernets, and I need to make this connection through my company. There is no way to make a direct VPN from LAN1 to LAN3 - business etc.
>>>
>>> |---LAN1---------|   |---OpenBSD-------|   |---LAN2---------|
>>> |-10.210.1.0/24--|---|--Router/pf/vpn--|---|-192.168.0.0/24-|
>>>                               |
>>>                               |  VPN IPsec over public Internet
>>>                               |
>>> |---LAN3----------|   |---Netscreen 5xt---|
>>> |-192.168.30.0/29-|---|---Router/pf/vpn---|
>>>
>>> This VPN is from LAN2 to LAN3.
>>>
>>> I will make nat, rdr or binat, because I can't give direct access. I need to control what can connect, where and how.
>>>
>>> I tried to make a redirect like this:
>>>
>>>     rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
>>>
>>> But the OpenBSD box can't see the LAN3 network, or the Netscreen box's internal IP - I tried ping, telnet, ssh etc. Of course I can see all that if I connect from LAN2 or LAN3.
>>>
>>> How can I see this server in LAN3 from the OpenBSD box? Or maybe there is a better way to do that?
>>>
>>> In my pf.conf there is no deny rule.
>>>
>>> Here is my ipsec.conf:
>>>
>>>     ike esp from 192.168.0.0/24 to 192.168.30.0/29 \
>>>         local x.x.x.x peer x.x.x.x \
>>>         main auth hmac-md5 enc 3des \
>>>         quick auth hmac-md5 enc 3des \
>>>         psk xxx
>>>
>>> This is an OpenBSD snapshot from 26 Jan 2007 (or something like that).
>>>
>>> Best regards
>>> Matiss
>>
>> So you have a working VPN from LAN2 to LAN3 and reverse?
>>
>> You can not NAT on the same box you run ipsec on ... NAT is applied first, then a routing decision is made, and if your IP addresses are outside your encryption 'domain' your traffic will not traverse the tunnel.
>>
>> Are LAN1 and LAN2 really hosted off the same firewall? If so then the statement "no VPN between LAN1 and LAN3" is silly. In the layout as described you need to set up a VPN from LAN1 to LAN3.
>>
>> You could possibly introduce an additional firewall to do NATing prior to the VPN, but that would again be silly.
>
> Matiss,
>
> There are three ways that you can connect to the servers:
>
> 1. VPN (IPSEC)
> 2. 1 to 1 NAT (bidirectional NAT). Opened to the world, if not properly firewalled. This will have to be done on both sides.
> 3. Port forwarding (redirection with pf). Opened to the world, if not properly firewalled. This will have to be done on both sides.

1. There is no way to make a VPN from LAN1 to LAN3 - I'm also angry about that...

2. and 3. I tried - I have no idea how to make that through the VPN. Forwarding traffic over the public Internet - I can firewall whatever I want, but if this is unencrypted traffic, then it is not secure.

> I would choose 1. because the traffic is going to be encrypted going over the Internet and still behind your firewall and NAT without being opened to the world.
>
>>> I tried to make a redirect like this:
>>>
>>>     rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
>
> Implemented incorrectly: http://www.openbsd.org/faq/pf/rdr.html
> or if you want binat: http://www.openbsd.org/faq/pf/nat.html#binat

I have read these FAQs. I don't understand what is implemented incorrectly?! If I try this on a separate OpenBSD box, then it works great!

    rdr on fxp1 from 10.210.1.215 to 10.210.1.216 -> 192.168.30.2

>> You can not NAT on the same box you run ipsec on ... NAT is applied first, then a routing decision is made, and if your IP addresses are outside your encryption 'domain' your traffic will not traverse the tunnel.
>
> From my experience, this is not correct. You can have NAT and IPSEC running on the same box. IPSEC takes precedence over NAT and routing. Of course, NAT over routing.
>
> rc

Do you have NAT over IPSEC, or do you have NAT and IPSEC on one box? I have no idea where to search - I tried Google, but found nothing useful.

Best regards
Matiss
Re: Redirect traffic through VPN
On 4/5/07, Dag Richards [EMAIL PROTECTED] wrote:
> Matiss Miglans wrote:
>> Hi good people!
>>
>> I need to make a connection from a server which is in LAN1 to a server which is in LAN3. And I need to make another connection from that same server which is in LAN3 to that same server which is in LAN1. There are 3 different company Ethernets, and I need to make this connection through my company. There is no way to make a direct VPN from LAN1 to LAN3 - business etc.
>>
>> |---LAN1---------|   |---OpenBSD-------|   |---LAN2---------|
>> |-10.210.1.0/24--|---|--Router/pf/vpn--|---|-192.168.0.0/24-|
>>                               |
>>                               |  VPN IPsec over public Internet
>>                               |
>> |---LAN3----------|   |---Netscreen 5xt---|
>> |-192.168.30.0/29-|---|---Router/pf/vpn---|
>>
>> This VPN is from LAN2 to LAN3.
>>
>> I will make nat, rdr or binat, because I can't give direct access. I need to control what can connect, where and how.
>>
>> I tried to make a redirect like this:
>>
>>     rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
>>
>> But the OpenBSD box can't see the LAN3 network, or the Netscreen box's internal IP - I tried ping, telnet, ssh etc. Of course I can see all that if I connect from LAN2 or LAN3.
>>
>> How can I see this server in LAN3 from the OpenBSD box? Or maybe there is a better way to do that?
>>
>> In my pf.conf there is no deny rule.
>>
>> Here is my ipsec.conf:
>>
>>     ike esp from 192.168.0.0/24 to 192.168.30.0/29 \
>>         local x.x.x.x peer x.x.x.x \
>>         main auth hmac-md5 enc 3des \
>>         quick auth hmac-md5 enc 3des \
>>         psk xxx
>>
>> This is an OpenBSD snapshot from 26 Jan 2007 (or something like that).
>>
>> Best regards
>> Matiss
>
> So you have a working VPN from LAN2 to LAN3 and reverse?
>
> You can not NAT on the same box you run ipsec on ... NAT is applied first, then a routing decision is made, and if your IP addresses are outside your encryption 'domain' your traffic will not traverse the tunnel.
>
> Are LAN1 and LAN2 really hosted off the same firewall? If so then the statement "no VPN between LAN1 and LAN3" is silly. In the layout as described you need to set up a VPN from LAN1 to LAN3.
>
> You could possibly introduce an additional firewall to do NATing prior to the VPN, but that would again be silly.

Matiss,

There are three ways that you can connect to the servers:

1. VPN (IPSEC)
2. 1 to 1 NAT (bidirectional NAT). Opened to the world, if not properly firewalled. This will have to be done on both sides.
3. Port forwarding (redirection with pf). Opened to the world, if not properly firewalled. This will have to be done on both sides.

I would choose 1. because the traffic is going to be encrypted going over the Internet and still behind your firewall and NAT without being opened to the world.

>> I tried to make a redirect like this:
>>
>>     rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1

Implemented incorrectly: http://www.openbsd.org/faq/pf/rdr.html
or if you want binat: http://www.openbsd.org/faq/pf/nat.html#binat

> You can not NAT on the same box you run ipsec on ... NAT is applied first, then a routing decision is made, and if your IP addresses are outside your encryption 'domain' your traffic will not traverse the tunnel.

From my experience, this is not correct. You can have NAT and IPSEC running on the same box. IPSEC takes precedence over NAT and routing. Of course, NAT over routing.

rc
Redirect traffic through VPN
Hi good people!

I need to make a connection from a server which is in LAN1 to a server which is in LAN3. And I need to make another connection from that same server which is in LAN3 to that same server which is in LAN1. There are 3 different company Ethernets, and I need to make this connection through my company. There is no way to make a direct VPN from LAN1 to LAN3 - business etc.

|---LAN1---------|   |---OpenBSD-------|   |---LAN2---------|
|-10.210.1.0/24--|---|--Router/pf/vpn--|---|-192.168.0.0/24-|
                              |
                              |  VPN IPsec over public Internet
                              |
|---LAN3----------|   |---Netscreen 5xt---|
|-192.168.30.0/29-|---|---Router/pf/vpn---|

This VPN is from LAN2 to LAN3.

I will make nat, rdr or binat, because I can't give direct access. I need to control what can connect, where and how.

I tried to make a redirect like this:

    rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1

But the OpenBSD box can't see the LAN3 network, or the Netscreen box's internal IP - I tried ping, telnet, ssh etc. Of course I can see all that if I connect from LAN2 or LAN3.

How can I see this server in LAN3 from the OpenBSD box? Or maybe there is a better way to do that?

In my pf.conf there is no deny rule.

Here is my ipsec.conf:

    ike esp from 192.168.0.0/24 to 192.168.30.0/29 \
        local x.x.x.x peer x.x.x.x \
        main auth hmac-md5 enc 3des \
        quick auth hmac-md5 enc 3des \
        psk xxx

This is an OpenBSD snapshot from 26 Jan 2007 (or something like that).

Best regards
Matiss
Re: Redirect traffic through VPN
Matiss Miglans wrote:
> Hi good people!
>
> I need to make a connection from a server which is in LAN1 to a server which is in LAN3. And I need to make another connection from that same server which is in LAN3 to that same server which is in LAN1. There are 3 different company Ethernets, and I need to make this connection through my company. There is no way to make a direct VPN from LAN1 to LAN3 - business etc.
>
> |---LAN1---------|   |---OpenBSD-------|   |---LAN2---------|
> |-10.210.1.0/24--|---|--Router/pf/vpn--|---|-192.168.0.0/24-|
>                               |
>                               |  VPN IPsec over public Internet
>                               |
> |---LAN3----------|   |---Netscreen 5xt---|
> |-192.168.30.0/29-|---|---Router/pf/vpn---|
>
> This VPN is from LAN2 to LAN3.
>
> I will make nat, rdr or binat, because I can't give direct access. I need to control what can connect, where and how.
>
> I tried to make a redirect like this:
>
>     rdr from 10.210.1.2 to 10.210.1.1 -> 192.168.30.1
>
> But the OpenBSD box can't see the LAN3 network, or the Netscreen box's internal IP - I tried ping, telnet, ssh etc. Of course I can see all that if I connect from LAN2 or LAN3.
>
> How can I see this server in LAN3 from the OpenBSD box? Or maybe there is a better way to do that?
>
> In my pf.conf there is no deny rule.
>
> Here is my ipsec.conf:
>
>     ike esp from 192.168.0.0/24 to 192.168.30.0/29 \
>         local x.x.x.x peer x.x.x.x \
>         main auth hmac-md5 enc 3des \
>         quick auth hmac-md5 enc 3des \
>         psk xxx
>
> This is an OpenBSD snapshot from 26 Jan 2007 (or something like that).
>
> Best regards
> Matiss

So you have a working VPN from LAN2 to LAN3 and reverse?

You can not NAT on the same box you run ipsec on ... NAT is applied first, then a routing decision is made, and if your IP addresses are outside your encryption 'domain' your traffic will not traverse the tunnel.

Are LAN1 and LAN2 really hosted off the same firewall? If so then the statement "no VPN between LAN1 and LAN3" is silly. In the layout as described you need to set up a VPN from LAN1 to LAN3.

You could possibly introduce an additional firewall to do NATing prior to the VPN, but that would again be silly.