From mboxrd@z Thu Jan 1 00:00:00 1970
From: Lewis G Rosenthal
Date: Fri, 30 Aug 2013 02:44:48 +0000
Subject: Re: Routing recommendations for sharing VPN connection between VBox guest and host
Message-Id: <52200720.80804@2rosenthals.com>
List-Id:
References: <521FDF79.8020908@2rosenthals.com>
In-Reply-To: <521FDF79.8020908@2rosenthals.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: lartc@vger.kernel.org

Hi, Scott...

Thanks for the quick reply.

On 08/29/13 08:13 pm, Scott Edwards thus wrote:
> You can enable forwarding via echo 1 > /proc/sys/net/ipv4/ip_forward
> (or something like that, I'm a road warrior right now, no linux box in
> sight)
>
Indeed, this is how I did it, as well as:

echo 1 > /proc/sys/net/ipv4/ppp0/ip_forward

(and ensuring the ipv4/eth0/ip_forward was present)

> As for masquerading, that may be necessary, as Cisco is more strict on
> the IPsec VPN tunnel. The ACL that directs traffic to the VPN is also
> responsible for dropping traffic that does not match. The only way to
> be rather flexible with that is to do IPsec over GRE, but this
> clashes with your design needs on a few different angles.
>
Yes.

> If the Linux host has success communicating to the IPsec peer, then it
> should be able to say,
>
> iptables -A OUTPUT -o ppp0 -j MASQUERADE
>
I think this is where I fell short somehow. I believe I entered this as a
POSTROUTING rule; perhaps that was my error vs OUTPUT (see
http://www.tldp.org/HOWTO/html_single/Masquerading-Simple-HOWTO/ per the
dial-up connection summary). I did not NAT it, however (as mentioned in
the example). Hmmm...

> I would also check "iptables-save -c" for hit counts, and forwarding,
> and other policy.
>
Good tip; thanks! It surely helps to be able to *see* what's going on
(especially when things don't work as expected!).

> HTH,
>
Indeed. Thanks again for the quick follow-up. I'll give some of this a test
tomorrow and see how I make out.
Cheers

-- 
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, RTRP, EA
Rosenthal & Rosenthal, LLC                  www.2rosenthals.com
Need a managed Wi-Fi hotspot?               www.hautspot.com
Warpstock 2013 - Atlanta, GA - Oct 4-6      www.warpstock.org
visit my IT blog                            www.2rosenthals.net/wordpress
-------------------------------------------------------------
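The host-side setup the two posters are discussing (forwarding plus masquerading guest traffic out of the tunnel, then reading hit counters to see whether packets actually take that path), written out as an added example. This script is not from the thread or from either poster; it assumes ppp0 is the VPN tunnel interface on the host, vboxnet0 is the VirtualBox host-only interface, and 192.168.56.0/24 is the guest subnet behind it. Two points it encodes that are easy to get wrong: MASQUERADE is a nat-table target and is only accepted in the POSTROUTING chain, and the per-interface forwarding knob lives at /proc/sys/net/ipv4/conf/<if>/forwarding (set here via sysctl). Because the guest's packets leave with ppp0's own source address, the far end sees them as the host's traffic, which is what a strict per-host tunnel ACL requires.

```shell
#!/bin/sh
# Added example, not code from the thread. Share a Linux host's VPN tunnel
# with a VirtualBox guest on a host-only network. Interface names and the
# guest subnet below are assumptions; adjust them to your setup.
VPN_IF="${VPN_IF:-ppp0}"                   # assumed: VPN tunnel interface
GUEST_IF="${GUEST_IF:-vboxnet0}"           # assumed: VirtualBox host-only interface
GUEST_NET="${GUEST_NET:-192.168.56.0/24}"  # assumed: guest subnet on GUEST_IF
DRY_RUN="${DRY_RUN:-0}"                    # DRY_RUN=1 prints commands instead of running them

# Execute a command, or just print it when previewing.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Forwarding must be on globally and for the two interfaces involved.
# The per-interface knob is net.ipv4.conf.<if>.forwarding
# (/proc/sys/net/ipv4/conf/<if>/forwarding).
enable_forwarding() {
  run sysctl -w net.ipv4.ip_forward=1
  run sysctl -w "net.ipv4.conf.$VPN_IF.forwarding=1"
  run sysctl -w "net.ipv4.conf.$GUEST_IF.forwarding=1"
}

# MASQUERADE lives in the nat table and is only valid in POSTROUTING.
# Limit it to the guest subnet leaving via the tunnel so the host's own
# traffic (and traffic out of any other interface) is never rewritten.
add_nat() {
  run iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$VPN_IF" -j MASQUERADE
}

# FORWARD chain: guest -> tunnel is allowed; tunnel -> guest only for
# replies to connections the guest opened.
add_forward_rules() {
  run iptables -A FORWARD -i "$GUEST_IF" -o "$VPN_IF" -s "$GUEST_NET" -j ACCEPT
  run iptables -A FORWARD -i "$VPN_IF" -o "$GUEST_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Hit counters: a MASQUERADE or FORWARD rule whose pkts column stays at 0
# means the guest's packets are not reaching the tunnel path at all.
show_counters() {
  run iptables -t nat -L POSTROUTING -v -n
  run iptables -L FORWARD -v -n
  run iptables-save -c
}

setup_vpn_share() {
  enable_forwarding
  add_nat
  add_forward_rules
}

# Usage: DRY_RUN=1 ./share-vpn.sh apply   (preview the commands)
#        ./share-vpn.sh apply             (apply; needs root)
#        ./share-vpn.sh show              (inspect rule counters)
case "${1:-}" in
  apply) setup_vpn_share ;;
  show)  show_counters ;;
esac
```

Run it first with DRY_RUN=1 to see exactly which sysctl and iptables commands would be issued; then apply as root and, after sending some traffic from the guest, use the show step to confirm the MASQUERADE and FORWARD counters are climbing. If the tunnel interface on your system is named differently (for example tun0 under vpnc), set VPN_IF accordingly.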