Multiple vpn tunnels (a discussion in the Linux Networking forums, part of the Linux Forums category)
Hello Folks,
I have the following situation:

              VPN Tunnel 1              VPN Tunnel 2
81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
 Gateway A                Gateway B                 Gateway C

I need all clients coming from gateway C to be able to use the vpn tunnel 1, so I have the following rule on Gateway B:

iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE

But it does not work; what am I missing here?

Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping or telnet from Gateway C seems to work. I don't have access to Gateway A, so I can't verify if the packets get to Gateway A.

I would really appreciate if you can help me fix this or find another job ;)
said.abdel@gmail.com wrote:
> Hello Folks,
>
> I have the following situation:
>
>               VPN Tunnel 1              VPN Tunnel 2
> 81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
>  Gateway A                Gateway B                 Gateway C
>
> I need all clients coming from gateway C to be able to use the vpn
> tunnel 1, so I have the following rule on Gateway B:
>
> iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
>
> But it does not work; what am I missing here?
>
> Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
> or telnet from Gateway C seems to work. I don't have access to Gateway
> A, so I can't verify if the packets get to Gateway A.
>
> I would really appreciate if you can help me fix this or find another
> job ;)

The masquerade may be an overkill, unless you need to limit the visibility of the subnets to the other end of the tunnel.

Did you:

- tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?
- tell VPN tunnel 2 end that gateway A and the nets behind it are reachable via gateway C?
- enable forwarding at gateway C?

--
Tauno Voipio
tauno voipio (at) iki fi
On Mar 26, 10:16 am, Tauno Voipio <tauno.voi...@INVALIDiki.fi> wrote:
> said.ab...@gmail.com wrote:
> > Hello Folks,
> >
> > I have the following situation:
> >
> >               VPN Tunnel 1              VPN Tunnel 2
> > 81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
> >  Gateway A                Gateway B                 Gateway C
> >
> > I need all clients coming from gateway C to be able to use the vpn
> > tunnel 1, so I have the following rule on Gateway B:
> >
> > iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
> >
> > But it does not work; what am I missing here?
> >
> > Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
> > or telnet from Gateway C seems to work. I don't have access to Gateway
> > A, so I can't verify if the packets get to Gateway A.
> >
> > I would really appreciate if you can help me fix this or find another
> > job ;)
>
> The masquerade may be an overkill, unless you need to limit
> the visibility of the subnets to the other end of the tunnel.
>
> Did you:
>
> - tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?

I don't have access to administration on Gateway A. The reason why we need this is that we wanted to save time by using a temporary tunnel, but in the future (in a couple of months) they will provide us with a tunnel between Gateway A and Gateway C.

> - tell VPN tunnel 2 end that gateway A and the nets behind it
>   are reachable via gateway C?

It already knows that. tcpdump on gateway B shows that Gateway C is talking to Gateway A via Gateway B.

> - enable forwarding at gateway C?

Yes, it is enabled.

> --
> Tauno Voipio
> tauno voipio (at) iki fi

Thanks a lot for your reply :)
said.abdel@gmail.com wrote:
> On Mar 26, 10:16 am, Tauno Voipio <tauno.voi...@INVALIDiki.fi> wrote:
>
>> said.ab...@gmail.com wrote:
>>
>>> Hello Folks,
>>
>>> I have the following situation:
>>
>>>               VPN Tunnel 1              VPN Tunnel 2
>>> 81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
>>>  Gateway A                Gateway B                 Gateway C
>>
>>> I need all clients coming from gateway C to be able to use the vpn
>>> tunnel 1, so I have the following rule on Gateway B:
>>
>>> iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
>>
>>> But it does not work; what am I missing here?
>>
>>> Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
>>> or telnet from Gateway C seems to work. I don't have access to Gateway
>>> A, so I can't verify if the packets get to Gateway A.
>>
>>> I would really appreciate if you can help me fix this or find another
>>> job ;)
>>
>> The masquerade may be an overkill, unless you need to limit
>> the visibility of the subnets to the other end of the tunnel.
>>
>> Did you:
>>
>> - tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?
>
> I don't have access to administration on Gateway A. The reason why we
> need this is that we wanted to save time by using a temporary tunnel, but
> in the future (in a couple of months) they will provide us with a tunnel
> between Gateway A and Gateway C.

This will be a problem: the gateway should know to route your packets for tunnel 2 via the intermediate gateway. If you cannot change the routing here, the packets destined to the second tunnel will be sent to gateway A's default next-hop gateway.

Could you think of splitting the subnet in tunnel 1 into two sub-subnets and assign one of them to tunnel 2?

--
Tauno Voipio
tauno voipio (at) iki fi
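An added example, not from any poster in this thread, that models Gateway B's route lookup together with the POSTROUTING rule from the first post, so the two points raised above (whether the MASQUERADE rule actually fires, and whether Gateway A needs a return route) can be checked on a constructed table. The routing table and the interface name "tun1" are assumptions; the thread never says which interface tunnel 1 uses on Gateway B, and if it is not eth0 the `-o eth0` match never succeeds, nothing is masqueraded, and Gateway A then sees packets from 93.48.28.27 for which it has no route back.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str          # egress interface chosen for this prefix
    src: str            # address MASQUERADE would rewrite the source to

# Constructed routing table for Gateway B (an assumption, not from the thread):
# Gateway A's networks are reached through a tunnel interface "tun1",
# everything else leaves via eth0.
ROUTES = [
    Route(ipaddress.ip_network("81.129.40.0/24"), "tun1", "59.20.93.49"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", "59.20.93.49"),
]

def lookup(dst, routes=ROUTES):
    """Longest-prefix match; returns the Route the kernel would pick, or None."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in routes if dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)

@dataclass
class NatRule:
    src: ipaddress.IPv4Network   # -s
    dst: ipaddress.IPv4Network   # -d
    out_iface: str               # -o

# The rule posted in the thread:
#   iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
THREAD_RULE = NatRule(ipaddress.ip_network("93.48.28.27/32"),
                      ipaddress.ip_network("81.129.40.0/24"), "eth0")

def postrouting(src, dst, rule, routes=ROUTES):
    """Simulate one forwarded packet through the nat POSTROUTING chain.

    Returns (masqueraded, source_after_nat, egress_iface). The -o match is
    compared against the interface picked by the route lookup, so a rule
    pinned to eth0 never fires for packets that leave through the tunnel.
    """
    route = lookup(dst, routes)
    if route is None:
        return (False, src, None)
    matched = (ipaddress.ip_address(src) in rule.src
               and ipaddress.ip_address(dst) in rule.dst
               and route.iface == rule.out_iface)
    return (matched, route.src if matched else src, route.iface)
```

On a real Gateway B the same check is `ip route get <dst>` to see the egress interface, then `iptables -t nat -L POSTROUTING -v` to confirm the rule's packet counter is actually increasing.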