* [Fwd: Re: Routing from ppp to ipsec tunnel]
@ 2008-08-19 7:19 devel
2008-08-20 0:47 ` Grant Taylor
0 siblings, 1 reply; 2+ messages in thread
From: devel @ 2008-08-19 7:19 UTC (permalink / raw)
To: netfilter
Thank you for this quick answer.
I tried first to set it up as you mentioned:
Say site 1 LAN is 10.211/16, site 2 LAN is 10.212/16, road warrior 1 range is 10.210/16 (let's not consider the second road warrior access for now).
So at first (before trying to turn on road warriors) I configured the following SAs:
10.211.0.0/16 to 10.212.0.0/16 and vice versa on each end of the VPN (and this worked fine), and added the routes 10.212.0.0/16 through 10.211.254.254 (being the VPN gateway LAN address) and 10.211.0.0/16 through 10.212.254.254 on the site 2 gateway.
These 2 VPN gateways also act as NATing firewalls for internet access, and so all the LAN clients are configured with these addresses as default gateway.
So far, this works great.
Then to allow traffic from road warriors attached to site 1 to go through the tunnel, I thought I just had to modify the SAs and routes as follows:
10.210.0.0/15 to 10.212.0.0/16 and vice versa on each end, then on the site 2 gateway, replace the route to site one by 10.210.0.0/15 through 10.212.254.254.
At this point, the intersite VPN works OK, but when I try to ping the site 2 gateway from the local (site 1) ppp end, I can't get the traffic to go through the tunnel. I can see the packet (I use the LOG target in netfilter) get out ppp0 in the OUTPUT table, then go through the POSTROUTING table in the NAT chain, and that's all. No IPSEC traffic is generated for the packet.
What did I do wrong?
François
---------------------------- Original message ----------------------------
Subject: Re: Routing from ppp to ipsec tunnel
From: "Grant Taylor" <gtaylor@riverviewtech.net>
Date: Mon 18 Aug 2008 23:16
To: "Mail List - Netfilter" <netfilter@vger.kernel.org>
--------------------------------------------------------------------------
On 08/18/08 12:24, devel@thom.fr.eu.org wrote:
> I have two sites connected using an IPSEC Tunnel (Linux 2.6/KAME
> Tools). I can also have "roadwarriors" clients (Windows based)
> connect to either site using an L2TP/IPSEC tunnel.
Ok...
> I would like to know if it's possible to route packets from the
> roadwarrior client (sent out through my ppp interface) through the
> inter site ipsec tunnel and back.
Yes.
> So far, the only way I could have this work was by SNATing the
> traffic from my ppp network destined to the other site network to the
> local lan interface address, but I'd rather not use SNAT to achieve
> this.
SNAT / MASQUERADE will work, but, as you are seeing, is undesirable.
> Anybody can help?
As I see it there are a couple of different things working against you.
1) You will have to add routes to each VPN gateway for the road
warriors on the other end.
2) You will need to (re)configure your IPSec VPN to allow the
additional road warrior IP space.
I don't know what you have for IP address space on either end of the
VPN, so I can't say for sure what you need to do. In essence you will
need to provision a new subnet for the road warriors at each end. This
can be done either by creating a new dissimilar subnet for the road
warriors or, if the IP addressing scheme will allow it, by enlarging the
subnet (reducing the netmask by one bit). If you can do the latter,
things within your VPN will be easier because you can just alter the
netmask of which IPs are allowed to go through (match) the VPN. If one
office is 192.168.0/24 and the other is 192.168.1/24 then you can't
expand the netmask without re-addressing one end or the other, and you
will have to more drastically adjust your VPNs.
I've not had to mess with an IPSec VPN that had multiple dissimilar IP
subnets pass through it, so I can't say how to do it. In short, you
will have four subnets in the company: Site 1 LAN, Site 1 Road Warrior,
Site 2 LAN, and Site 2 Road Warrior. With this in mind you will need to
have your VPN allow traffic from either LAN or Road Warriors at Site 1
to either LAN or Road Warriors at Site 2. So you end up with these
possible combinations:
1L <-> 2L
1L <-> 2R
1R <-> 2L
1R <-> 2R
(You may be able to get away without allowing a road warrior at one
site to talk to another road warrior at the other site, thus negating
the need for 1R <-> 2R.)
But this does mean that you will need to allow at least the first three
subnet-to-subnet communications. If you cannot define these in one
single IPSec VPN, you /may/ have to establish a separate IPSec VPN for
each subnet-to-subnet pairing. Thus what was one simple site-to-site
VPN now becomes three site-to-site VPNs. :(
I know that this seems like a lot of work just to allow road warriors to
be able to access other remote sites, but I agree with you wholeheartedly
about not wanting to SNAT / MASQUERADE. (Though you could get
away with just NATing the road warrior traffic and not the rest of the
site-to-site traffic.)
Grant. . . .
* Re: [Fwd: Re: Routing from ppp to ipsec tunnel]
2008-08-19 7:19 [Fwd: Re: Routing from ppp to ipsec tunnel] devel
@ 2008-08-20 0:47 ` Grant Taylor
0 siblings, 0 replies; 2+ messages in thread
From: Grant Taylor @ 2008-08-20 0:47 UTC (permalink / raw)
To: Mail List - Netfilter
On 08/19/08 02:19, devel@thom.fr.eu.org wrote:
> Thank you for this quick answer.
You are welcome.
> I tried first to set it up as you mentioned: Say site 1 LAN is
> 10.211/16, site 2 LAN is 10.212/16, road warrior 1 range is 10.210/16
> (let's not consider the second road warrior access for now)
Quick question: Road warriors are connecting to Site 1, correct? (I'm
presuming so, unless you say otherwise, based on the fact that Site 1's
subnet mask is being altered below to be inclusive of the road warriors'
subnet.)
We'll not look at Site 2's road warrior(s) yet. ;)
> So at first (before trying to turn on road warriors) I configured the
> following SAs:
>
> 10.211.0.0/16 to 10.212.0.0/16 and vice versa on each end of the VPN
> (and this worked fine) and added the routes 10.212.0.0/16 through
> 10.211.254.254 (being the VPN gateway LAN address) and 10.211.0.0/16
> through 10.212.254.254 on the site 2 gateway
Um, why are you adding routes? I (mis)understood your VPN end points to
be NATing routers that were the default gateway for the LANs at both
Site 1 and Site 2. Thus there should be no need to add routes at all.
At least as I understand it, IPSec will take care of this for you, thus
you don't need to do it. /Or/ were you indicating that they were added
by your IPSec stack for you?
> These 2 VPN gateways also act as NATing firewalls for internet access,
> and so all the LAN clients are configured with these addresses as
> default gateway.
*nod* This makes things simpler. You should only need to add routes to
the default gateways on each LAN if they are not also the VPN end points.
> So far, this works great.
Good.
> Then to allow traffic from road warriors attached to site 1 to go
> through the tunnel, I thought I just had to modify the SAs and routes
> as follows:
*nod* You should expand the netmask on the SAs.
> 10.210.0.0/15 to 10.212.0.0/16 and vice versa on each end, then on the
> site 2 gateway, replace the route to site one by 10.210.0.0/15
> through 10.212.254.254.
Yes, that should take care of your SA. As far as the routes, I'm still
at a loss as to why you have to add them yourself. Either way,
expanding your route's target match netmask by one bit, like you did in
the SA netmask, is correct.
> At this point, the intersite VPN works OK, but when I try to ping the
> site 2 gateway from the local (site 1) ppp end, I can't get the
> traffic to go through the tunnel. I can see the packet (I use the LOG
> target in netfilter) get out ppp0 in the OUTPUT table, then go through
> the POSTROUTING table in the NAT chain, and that's all. No IPSEC
> traffic is generated for the packet.
Hum.
> What did I do wrong?
I don't know. Nor do I have an environment in which I can test this to help.
Let's get some information out in the open to make sure that we are both
thinking the same thing.
Site 1
Internet: a.b.c.d
LAN: 10.211/16
RW VPN: 10.210/16
Site 2
Internet: e.f.g.h
LAN: 10.212/16
Site 1 and Site 2 are doing the following:
- Establishing an IPSec VPN between a.b.c.d and e.f.g.h (respectively).
- Adding routes to the other site's subnet through the VPN.
Presuming that your configuration is as it was prior to starting with
road warriors, can you do the following?
- Can a computer on the LAN at Site 1 ping a computer (not Site 2's
router) on Site 2's LAN?
- Can a computer on the LAN at Site 1 ping the inside of the router at
Site 2?
- Can a computer on the LAN at Site 1 ping the outside of the router
at Site 2 (e.f.g.h)?
- Can a computer on the LAN at Site 2 ping a computer (not Site 1's
router) on Site 1's LAN?
- Can a computer on the LAN at Site 2 ping the inside of the router at
Site 1?
- Can a computer on the LAN at Site 2 ping the outside of the router
at Site 1 (a.b.c.d)?
- Can the router at Site 1 ping the inside of the router at Site 2?
- Can the router at Site 2 ping the inside of the router at Site 1?
(If computers on each LAN can ping the inside of the router of the
other site, we know the routers can ping the LAN for other sites.)
(We know the routers can ping each other's external interfaces by the
very fact that they can establish a VPN between each other.)
I'm trying to establish how functional the VPN is or if there might be
something else going on.
Grant. . . .
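The selector arithmetic discussed in both messages (the widening of the site 1 SAs from 10.211/16 to 10.210/15 in François's configuration, and Grant's list of which LAN/road-warrior pairings a policy has to cover) can be checked offline. The following is an added example written for this page, not code from either poster or from the KAME tools: it models the site 1 and site 2 SPDs as constructed selector tables with Python's `ipaddress` module and reports which packets would match a policy and so be handed to IPsec. The representative host addresses and the out-of-range source 10.209.1.1 are constructed assumptions.

```python
"""Model IPsec SPD selector matching for the thread's addressing plan.

Added example: the SPD tables, host addresses and the unmatched source
address below are constructed for illustration, not taken from a real host.
"""
import ipaddress

# Site-to-site policies before road warriors were added (one /16 each way).
OLD_SITE1_SPD = [("10.211.0.0/16", "10.212.0.0/16")]
OLD_SITE2_SPD = [("10.212.0.0/16", "10.211.0.0/16")]

# Policies after widening the site 1 selector by one bit
# (10.210/16 + 10.211/16 = 10.210/15), as described in the thread.
NEW_SITE1_SPD = [("10.210.0.0/15", "10.212.0.0/16")]
NEW_SITE2_SPD = [("10.212.0.0/16", "10.210.0.0/15")]

# Constructed representative hosts for Grant's 1L / 1R / 2L labels.
HOSTS = {
    "1L": "10.211.10.10",  # a host on the site 1 LAN
    "1R": "10.210.10.10",  # a road warrior attached to site 1
    "2L": "10.212.10.10",  # a host on the site 2 LAN
}


def matching_policy(spd, src, dst):
    """Return the first (src_sel, dst_sel) pair whose selectors cover the packet, else None.

    A packet that matches no policy is never handed to IPsec: it leaves the
    box in the clear, which is what a packet seen only by LOG rules in
    OUTPUT and nat/POSTROUTING, with no ESP traffic following, looks like.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for src_sel, dst_sel in spd:
        if s in ipaddress.ip_network(src_sel) and d in ipaddress.ip_network(dst_sel):
            return (src_sel, dst_sel)
    return None


def widen_by_one_bit(net):
    """Reduce the prefix length by one bit, as Grant suggests, and return the supernet."""
    return str(ipaddress.ip_network(net).supernet(prefixlen_diff=1))


def covers(supernet, *nets):
    """True if every network in nets lies inside supernet."""
    sup = ipaddress.ip_network(supernet)
    return all(ipaddress.ip_network(n).subnet_of(sup) for n in nets)


def pairings(spd_site1, spd_site2):
    """For each site 1 -> site 2 pairing, report whether both directions match a policy."""
    result = {}
    for a in ("1L", "1R"):
        forward = matching_policy(spd_site1, HOSTS[a], HOSTS["2L"]) is not None
        back = matching_policy(spd_site2, HOSTS["2L"], HOSTS[a]) is not None
        result[f"{a}<->2L"] = forward and back
    return result


if __name__ == "__main__":
    print("widened site 1 selector:", widen_by_one_bit("10.211.0.0/16"))
    print("before:", pairings(OLD_SITE1_SPD, OLD_SITE2_SPD))
    print("after: ", pairings(NEW_SITE1_SPD, NEW_SITE2_SPD))
    # A source outside every selector (constructed) matches nothing and would leave unencrypted.
    print("10.209.1.1 -> site 2 gw:", matching_policy(NEW_SITE1_SPD, "10.209.1.1", "10.212.254.254"))
```

The model only looks at address selectors; it ignores direction, protocol and port selectors that a real SPD entry also carries. On a KAME-tools host the live policy table can be dumped with `setkey -DP`, and comparing the source and destination addresses printed by the netfilter LOG rule against the selectors in that dump is the same check this script performs on its constructed tables.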