Re: [LARTC] custom route for forwarded traffic

From: Grant Taylor <gtaylor@riverviewtech.net>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] custom route for forwarded traffic
Date: Tue, 30 Oct 2007 16:14:39 +0000	[thread overview]
Message-ID: <4727586F.3030808@riverviewtech.net> (raw)
In-Reply-To: <472741D4.4050409@krediidiinfo.ee>

On 10/30/07 09:38, Aleksander Kamenik wrote:
> I have two networks, users and servers connected via vpn (ipsec). Both 
> internal networks. The routing is fine and connections work both ways.
> 
> Accordingly both networks have a firewall each which faces the internet 
> and they create the vpn link between each other. Both firewalls have 
> only one external IP (if they had more, I wouldn't be asking).
> 
> The servers network's firewall however does DNAT too. This is for 
> external clients who connect to the external IP of the firewall and so 
> can connect to the internal mail and webserver.
> 
> I want the computers in the users network to connect to the external IP 
> of the servers firewall AND have the connection go through the VPN.
> 
> If I add a rule to the main routing table in the users network's 
> firewall for servers network's external IP to go through the VPN, I will 
> break the VPN connection (kind of like the chicken and egg problem).
> 
> So I need to create a route, which will apply only for forwarded 
> connections. How do I do that?

It has been a long time sense I messed with IPSec under Linux so I can 
not say any thing for sure.  But what I can say is the direction that I 
would start looking.

           +----------+            +----------+
(LAN 1)---+ Router 1 +---(INet)---+ Router 2 +---(LAN 2)
           +----------+            +----------+

I would only encrypt traffic that is from / to LAN 1 and to / from LAN 2 
through the IPSec VPN.  Any other traffic from / to LAN 1 that is not 
going to / from LAN 2 would be unencrypted and vice versa for LAN 2. 
This way when LAN 1 tried to access the external IP of Router 2 it would 
not match your routing rules for encryption and thus not be encrypted. 
If the traffic is not encrypted it should be subject to the normal DNAT 
rule(s) on Route 2.  Likewise for reverse traffic and the corresponding 
traffic from LAN 2.

I'm not sure how to set up such routes with current IPSec 
implementations so I can't help specifically with that.  What I do see 
is the various types of traffic that will be seen from each end.

LAN 1 <-> LAN 2    (encrypted via IPSec VPN)
                    (LAN 1 subnet to LAN 2 subnet)
LAN 1 <-> INet     (unencrypted)
                    (Router 1 external to INet)
LAN 1 <-> Router 2 (unencrypted)
                    (Router 1 external to Router 2 external)
INet  <-> Router 1 (unencrypted)
                    (INet to Router 1 external & DNATed in)

The same above is true in reverse for LAN 2.  So in short, I see four 
classes of traffic at each connection.

I hope this helps clear things up and make the water a little less 
muddy.  If you need any thing else, I'll be glad to try.

Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc