
List:       ipcop-user
Subject:    RE: [IPCop-user] Help can't configure parallel VPN's
From:       "David Ruggles" <david () safedatausa ! com>
Date:       2006-03-31 17:42:14
Message-ID: 006401c654ea$75ae8590$0202fea9 () DavidDesktop

As Richard said, a second tunnel would be the best way to go. I'm not very
familiar with IPSec tunnels so I can't help you there. I enjoy hacking
around with routing so that's more of my sort of thing. If someone else
chimes in and gets a second tunnel running, throw my ideas away.

Assuming you can't create a second tunnel, as you said in your first post, I
would try something like this:

**I'm not sure this would work and I haven't tried it myself**

Our goal is to get traffic from 10.21.0.0/16 to 192.168.1.0/27 via
10.50.0.0/16.
Our link between 10.21.0.0/16 and 10.50.0.0/16 is subnet-restricted to
10.21.0.0/16 on one side and 10.50.0.0/16 on the other side. Let's expand
that to 10.50.0.0/15, which gives us access to 10.50.0.0/16 and 10.51.0.0/16.

Now we need to tell the tunnel that traffic going to 192.168.1.0/27 is going
to 10.51.0.0/16 and that traffic coming from 192.168.1.0/27 is coming from
10.51.0.0/16.

I believe destination natting 192.168.1.0/27 to 10.51.0.0/27 and
          source natting 10.51.0.0/27 to 192.168.1.0/27 on the local IPCop box
And
          destination natting 10.51.0.0/27 to 192.168.1.0/27 and
          source natting 192.168.1.0/27 to 10.51.0.0/27 on the remote IPCop box
would do the trick.

I'm using the more restrictive subnet mask. I think this should work because
both .0. and .1. fit in a /27.

Local IPCop box:
# NETMAP maps one subnet onto another 1:1 (network bits replaced, host bits
# kept). DNAT/SNAT --to-destination/--to-source only take a single address or
# an address range, not a /27, so they cannot express this mapping. The NETMAP
# target (ipt_NETMAP/xt_NETMAP) must be available in the kernel.
iptables -t nat -A PREROUTING  -d 192.168.1.0/27 -j NETMAP --to 10.51.0.0/27
# Replies to the PREROUTING mapping are un-NATed by conntrack on their own;
# this rule only matters for connections the DMZ side opens towards us.
iptables -t nat -A POSTROUTING -s 10.51.0.0/27   -j NETMAP --to 192.168.1.0/27

Remote IPCop box:
iptables -t nat -A PREROUTING  -d 10.51.0.0/27   -j NETMAP --to 192.168.1.0/27
iptables -t nat -A POSTROUTING -s 192.168.1.0/27 -j NETMAP --to 10.51.0.0/27

If this works, I think it should happen before and after (respectively) the
IPSec tunnel, so it should be allowed to route over the tunnel.

Again, I'm not sure this will work.

Thanks,

David Ruggles
CCNA MCSE (NT) CNA A+
Network Engineer	Safe Data, Inc.
(910) 285-7200	david@safedatausa.com



-----Original Message-----
From: ipcop-user-admin@lists.sourceforge.net
[mailto:ipcop-user-admin@lists.sourceforge.net] On Behalf Of Andre Newman
Sent: Friday, March 31, 2006 10:49 AM
To: ipcop-user@lists.sourceforge.net
Subject: RE: [IPCop-user] Help can't configure parallel VPN's


> I'm going to try to diagram what you described:
>
> IPCop Box             IPCop Box
> Local site -> VPN -> remote site -> remote router -> DMZ
> 10.21.0.0/16         10.50.0.0/16                    192.168.1.0/27

That's spot on.

> You can't modify the remote router, but have full control of the two IPCop
> Boxen?

I can modify the remote router, I just can't change the 192.168.1.0/27 to
something more sensible like 10.51.0.0 :-( The IPCops are all new, all
mine. :-)




_______________________________________________
IPCop-user mailing list
IPCop-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipcop-user
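The scheme in the message above hinges on two things that are easy to get wrong before any iptables rule is typed: that a 1:1 subnet mapping keeps the host bits (so 192.168.1.10 becomes 10.51.0.10 and nothing else), and that every translated address really falls inside the widened IPsec selector 10.50.0.0/15 (the original 10.50.0.0/16 would not match and the tunnel would never carry the packet). The following script is an added example, not code from the thread or from IPCop; it models the NETMAP-style translation on both IPCop boxes and checks each hop against the tunnel policy. All prefixes come from the thread; the host addresses 10.21.5.5 and 192.168.1.10 are constructed for the walkthrough.

```python
"""Model the 1:1 subnet NAT proposed in the thread and check it against the
IPsec selectors. Added example; addresses below 10.21.5.5 / 192.168.1.10
are constructed, the prefixes are the ones from the thread."""
from ipaddress import IPv4Address, IPv4Network

LOCAL_LAN = IPv4Network("10.21.0.0/16")       # local site (selector on local IPCop)
REMOTE_LAN = IPv4Network("10.50.0.0/16")      # remote site (original remote selector)
DMZ = IPv4Network("192.168.1.0/27")           # behind the remote router, cannot be renumbered
DMZ_ALIAS = IPv4Network("10.51.0.0/27")       # what the DMZ looks like inside the tunnel
WIDENED_SELECTOR = IPv4Network("10.50.0.0/15")  # 10.50.0.0/16 + 10.51.0.0/16


def translate(addr, from_net, to_net):
    """NETMAP semantics: take the network bits from to_net, keep addr's host bits.
    Refuses addresses outside from_net and prefixes of unequal length, because
    neither can be mapped 1:1."""
    addr = IPv4Address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 subnet mapping needs equal prefix lengths")
    host_bits = int(addr) & int(from_net.hostmask)
    return IPv4Address(int(to_net.network_address) | host_bits)


def forward_path(src, dst, selector=WIDENED_SELECTOR):
    """A packet from LOCAL_LAN to a DMZ host: what each hop sees.
    `selector` is the remote-side IPsec selector; pass REMOTE_LAN to see why
    the unwidened /16 cannot work."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    # local IPCop, nat/PREROUTING: DMZ address -> alias that fits the tunnel
    dst_in_tunnel = translate(dst, DMZ, DMZ_ALIAS)
    # IPsec policy check: both ends must match the tunnel's selectors
    matches_policy = src in LOCAL_LAN and dst_in_tunnel in selector
    # remote IPCop, nat/PREROUTING: alias -> real DMZ address, then on to the remote router
    dst_at_dmz = translate(dst_in_tunnel, DMZ_ALIAS, DMZ)
    return {
        "in_tunnel": (str(src), str(dst_in_tunnel)),
        "matches_policy": matches_policy,
        "at_dmz": (str(src), str(dst_at_dmz)),
    }


def return_path(src, dst, selector=WIDENED_SELECTOR):
    """The DMZ host's reply (or a connection it opens) back to LOCAL_LAN."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    # remote IPCop, nat/POSTROUTING: DMZ source -> alias so the tunnel accepts it
    src_in_tunnel = translate(src, DMZ, DMZ_ALIAS)
    matches_policy = src_in_tunnel in selector and dst in LOCAL_LAN
    # local IPCop, nat/POSTROUTING: alias -> the DMZ address the local client used
    src_at_client = translate(src_in_tunnel, DMZ_ALIAS, DMZ)
    return {
        "in_tunnel": (str(src_in_tunnel), str(dst)),
        "matches_policy": matches_policy,
        "at_client": (str(src_at_client), str(dst)),
    }


def mapping_is_bijective(a=DMZ, b=DMZ_ALIAS):
    """Every address in a maps into b and back to itself, with no collisions."""
    forward = {addr: translate(addr, a, b) for addr in a}
    return (len(set(forward.values())) == a.num_addresses
            and all(translate(v, b, a) == k for k, v in forward.items()))


if __name__ == "__main__":
    print(forward_path("10.21.5.5", "192.168.1.10"))
    print(forward_path("10.21.5.5", "192.168.1.10", selector=REMOTE_LAN))
    print(return_path("192.168.1.10", "10.21.5.5"))
    print("bijective:", mapping_is_bijective())
```

Running it shows the local client's packet leaving as 10.21.5.5 -> 10.51.0.10, passing the widened selector, and arriving at 192.168.1.10 unchanged from the DMZ's point of view; with the original /16 selector the same packet fails the policy check, which is the whole reason for the /15. The bijectivity check is the thing to run whenever the two prefixes are edited: a /27 mapped onto anything other than another /27 is not a 1:1 mapping and NETMAP would not accept it either.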
