From: Lewis G Rosenthal <lgrosenthal@2rosenthals.com>
To: lartc@vger.kernel.org
Subject: Re: Routing recommendations for sharing VPN connection between VBox guest and host
Date: Wed, 04 Sep 2013 03:35:34 +0000
Message-ID: <5226AA86.2060909@2rosenthals.com>
In-Reply-To: <521FDF79.8020908@2rosenthals.com>

Got it.

On 08/29/13 10:44 pm, Lewis G Rosenthal thus wrote :
> Hi, Scott... Thanks for the quick reply.
>
> On 08/29/13 08:13 pm, Scott Edwards thus wrote :
>> You can enable forwarding via echo 1 > /proc/sys/net/ipv4/ip_forward
>> (or something like that, I'm a road warrior right now, no linux box in
>> sight)
>>
> Indeed, this is how I did it, as well as:
>
> echo 1 > /proc/sys/net/ipv4/ppp0/ip_forward
>
> (and ensuring the ipv4/eth0/ip_forward was present)
>
Under openSUSE 12.3 (as guest), I ensured that
/proc/sys/net/ipv4/ip_forward was enabled, as was
/proc/sys/net/ipv4/conf/all/forwarding (which ensures that when ppp0 is
created, forwarding is enabled on that interface).
>> As for masquerading, that may be necessary, as Cisco is more strict on
>> the IPsec VPN tunnel. The ACL that directs traffic to the VPN is also
>> responsible for dropping traffic that does not match.  The only way to
>> be rather flexible with that, is to do IPsec over GRE, but this
>> clashes with your design needs on a few different angles.
>>
> Yes.
>> If the Linux host has success communicating to the IPsec peer, then it
>> should be able to say,
>> iptables -A OUTPUT -o ppp0 -j MASQUERADE
>>
> I think this is where I fell short somehow. I believe I entered this as
> a POSTROUTING rule; perhaps that was my error vs OUTPUT (see
> http://www.tldp.org/HOWTO/html_single/Masquerading-Simple-HOWTO/ per the
> dial-up connection summary). I did not NAT it, however (as mentioned in
> the example). Hmmm...
>
Yep. Got it:

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

(this can be saved across boot sessions by using, e.g.,
/etc/sysconfig/scripts/SuSEfirewall2-custom)

Then, in the host (and I tested this under eComStation, too, as it's
quite simple):

route add -net <remote_protected_subnet> netmask
<netmask_of_remote_protected_subnet>  gw <local_IP_or_FQDN_of_guest>

or, for eComStation (OS/2):

route add -net <remote_protected_subnet> <local_IP_or_FQDN_of_guest>
-netmask <netmask_of_remote_protected_subnet>

Done!

Thanks for kicking this around with me, Scott.

Cheers

-- 
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, RTRP, EA
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
Need a managed Wi-Fi hotspot?                www.hautspot.com
Warpstock 2013 - Atlanta, GA - Oct 4-6      www.warpstock.org
visit my IT blog                www.2rosenthals.net/wordpress
-------------------------------------------------------------
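The guest-side forwarding and NAT setup and the host-side route from this message, gathered into one script as an added example (not code from the thread). It uses sysctl in place of writing to /proc by hand, and ppp0, 10.20.0.0/16 and 192.168.56.101 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread: the guest-side forwarding/NAT setup
# and the host-side route from this message, scripted. sysctl writes the same
# /proc/sys/net/ipv4 knobs the message toggles by hand. Interface name,
# subnet and guest address below are constructed placeholders.

# Convert a prefix length (0-32) to a dotted-quad netmask, e.g. 16 -> 255.255.0.0
prefix_to_netmask() {
    p=$1
    [ "$p" -ge 0 ] 2>/dev/null && [ "$p" -le 32 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
    printf '%d.%d.%d.%d\n' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
        $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

# Emit the host route in Linux or eComStation (OS/2) syntax.
# Usage: host_route_cmd linux|os2 <remote_subnet>/<prefix> <guest_ip>
host_route_cmd() {
    os=$1; net=${2%/*}; prefix=${2#*/}; gw=$3
    mask=$(prefix_to_netmask "$prefix") || return 1
    case $os in
        linux) echo "route add -net $net netmask $mask gw $gw" ;;
        os2)   echo "route add -net $net $gw -netmask $mask" ;;
        *)     return 1 ;;
    esac
}

# Print the command when DRY_RUN is set, otherwise execute it.
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

# Guest side: enable forwarding globally and for every interface (so a ppp0
# created later inherits it), then add the POSTROUTING MASQUERADE rule the
# message settled on. 'iptables -C' tests for an existing identical rule, so
# re-running the script does not append duplicates.
guest_setup() {
    dev=$1
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.conf.all.forwarding=1
    if [ -n "$DRY_RUN" ] || ! iptables -t nat -C POSTROUTING -o "$dev" -j MASQUERADE 2>/dev/null; then
        run iptables -t nat -A POSTROUTING -o "$dev" -j MASQUERADE
    fi
}

DRY_RUN=1   # delete this line to apply the guest settings for real (needs root)
guest_setup ppp0
# Host side: route the remote protected subnet via the guest's host-only address.
host_route_cmd linux 10.20.0.0/16 192.168.56.101
host_route_cmd os2   10.20.0.0/16 192.168.56.101
```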