[prev in list] [next in list] [prev in thread] [next in thread]
List: vpn
Subject: [VPN] Re: local processes and tunnels
From: "Russell Howe" <rhowe () siksai ! co ! uk>
Date: 2006-01-05 1:16:23
Message-ID: 20060105011623.GA17293 () xiao ! rsnet
[Download RAW message or body]
On Wed, Jan 04, 2006 at 08:43:33PM +1100, Neale Banks wrote:
> One for the IPSec tunnel-wizardary department - but first some
> ascii-art:
>
> ---------- -------------
> | | Wireless | |
> | Leaf-Svr |-------------------| Central-Svr |
> | | | |
> | | == == == == == == | |
> | | Tunnel (Openswan) | |
> ---------- -------------
> | |
> Leaf-LAN| Central-LAN|
> |----------| |-------------|
> | |
> |Client |NS
> ----- -----
> | | | |
> | | | |
> ----- -----
>
> As I hope the diagram suggests, there's a remote site (leaf-node) linked
> back to a central site via an Openswan tunnel over a wireless link.
> Leaf-Svr and Central-Svr are running Fedora (Openswan and kernel 2.6).
>
> Clients can happily communicate via the tunnel to nodes on the
> Central-LAN. So far, so good. But... not so good for processes on
> Leaf-Svr (e.g. name resolver querying the name-server on
> Central-LAN("NS")) - we'd like them to communicate with nodes on
> Central-LAN via the tunnel. Not unreasonably, these packets are not
> encapsulated in the tunnel as they originate from the address of the
> wireless-side.
>
> I tried putting an iptables rule in the POSTROUTING chain of the nat
> table to SNAT name requests to come from Leaf-Svr's Leaf-LAN interace
> address, but no cigar.
>
> Any other suggestions?
I suspect packets are being generated with the wrong source address for
the tunnel policy.. either create a second tunnel of
Leaf-Svr-Wireless-address <===> Central-LAN, or use iproute2's policy
routing to do something like:
ip route add central-LAN via Central-Svr src Leaf-Svr-Leaf-LAN-Address
So, if...
Leaf-LAN 10.0.0.0/24
Central-LAN 172.16.0.0/24
wireless LAN 192.168.0.0/24
Leaf-Svr 10.0.0.1 on Leaf-LAN
Leaf-Svr 172.16.0.1 on the Wireless LAN
Central-Svr 192.168.0.2 Wireless LAN
... you'd do something like this:
ip route add 172.16.0.0/24 via 192.168.0.2 src 10.0.0.1
By default, you would have had something like this, I bet:
ip route add 172.16.0.0/24 via 192.168.0.2 src 192.168.0.1 (the src <x>
bit being implicit).
You should be able to set that route and see if it magically fixes
things. If it does, then I probably have a replacement set of updown
scripts which you'll find useful.
I hope the above is clear...
--
Russell Howe | Why be just another cog in the machine,
rhowe@siksai.co.uk | when you can be the spanner in the works?
_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic