Re: How to allow an ipsec tunnel endpoint to communicate with an internal IP on the other side?

From: Joachim Schipper (jDOTschipper_at_math.uu.nl)
Date: 07/05/05

    Date: 05 Jul 2005 08:50:56 GMT

    kent@cpttm.org.mo wrote:
    > Hi,
    >
    > My setup is like this: There are two sites. The internal network on one
    > site is 192.168.0.0/24 and the other side is 192.168.1.0/24. There is an
    > ipsec server (let's call them r001 and r002 respectively) on each site
    > establishing a VPN tunnel. Of course both r001 and r002 have a public IP.
    > The VPN is working fine for the computers on the internal networks.
    >
    > However, the question is, how to allow r001 itself to connect to a host on
    > 192.168.1.0/24 (eg, ping, ssh)? In most cases r001 will pick its public
    > IP (because that interface is on the way to the default gateway). This
    > causes a problem because a public IP can't connect to a private IP.
    >
    > How to solve this problem? Thanks in advance!

    What's a VPN? The KAME port's IPSec (ipsec-tools+26sec)? OpenVPN?
    OpenS/WAN+KLIPS? Some other combination?

    If the VPN is working correctly, r001 should tunnel any traffic through
    the VPN, on the public interface. I'm assuming the traffic is emitted,
    but not moving through the VPN? Have you verified this? (Please note
    that with at least the one VPN implementation I have used, a localhost
    tcpdump will see stuff that isn't on the wire, because decrypted packets
    are re-submitted to the network stack.)

                    Joachim
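The source-address selection problem Kent describes (r001 picking its public address as the source, so the packet is not the private-to-private traffic the tunnel policy expects) can be checked on r001 before changing any VPN configuration. The script below is an added example, not part of the thread: it assumes Linux iproute2 (`ip route get`), that r001's internal address is 192.168.0.1, and it parses constructed `ip route get` output rather than a live capture.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Linux iproute2 and that
# r001's internal address is 192.168.0.1 (assumption, not stated on the list).
set -e

# Pull the kernel's chosen source address ("src X") out of one line of
# `ip route get <dest>` output.
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# Succeed (return 0) only if the source address lies in r001's internal
# /24, i.e. the private-to-private traffic the tunnel policy is built for.
src_in_tunnel_net() {
    case "$1" in
        192.168.0.*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Constructed sample output, not captured from a real host. 203.0.113.0/24
# stands in for r001's public network; 192.168.1.10 is a host behind r002.
SAMPLE_BAD='192.168.1.10 via 203.0.113.1 dev eth0 src 203.0.113.5 uid 0'
SAMPLE_GOOD='192.168.1.10 via 203.0.113.1 dev eth0 src 192.168.0.1 uid 0'

# Report whether a route lookup would produce tunnel-eligible traffic.
# Returns 1 when the public address was selected, so callers can act on it.
check_path() {
    src=$(route_src "$1")
    if src_in_tunnel_net "$src"; then
        echo "src $src is inside 192.168.0.0/24: traffic should match the tunnel policy"
        return 0
    fi
    echo "src $src is r001's public address: bind the tool to the internal"
    echo "  address (ping -I 192.168.0.1 / ssh -b 192.168.0.1) or pin the route:"
    echo "  ip route add 192.168.1.0/24 via 203.0.113.1 src 192.168.0.1"
    return 1
}

# On a live r001:  check_path "$(ip route get 192.168.1.10)"
# Then confirm ESP, not cleartext, leaves the wire, remembering Joachim's
# caveat that a local tcpdump also shows re-injected decrypted packets:
#   tcpdump -ni eth0 esp
```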
