Re: How to allow an ipsec tunnel endpoint to communicate with an internal IP on the other side?

From: Joachim Schipper (jDOTschipper_at_math.uu.nl)
Date: 07/05/05

  • Next message: Joachim Schipper: "Re: modsecurity for Apache" 
    Date: 05 Jul 2005 08:50:56 GMT

    kent@cpttm.org.mo wrote:
    > Hi,
    >
    > My setup is like this: There are two sites. The internal network on one
    > site
    > is 192.168.0.0/24 and the other side is 192.168.1.0/24. There is an
    > ipsec
    > server (let's call them r001 and r002 respectively) on each site
    > establishing
    > a VPN tunnel. Of course both r001 and r002 have a public IP. The VPN is
    > working
    > fine for the computers on the internal networks.
    >
    > However, the question is, how to allow r001 itself connect to a host on
    >
    > 192.168.1.0/24 (eg, ping, ssh)? In most cases r001 will pick its public
    > IP
    > (because that interface is on the way to the default gateway). This
    > causes a
    > problem because a public IP can't connect to a private IP.
    >
    > How to solve this problem? Thanks in advance!

    What's a VPN? The KAME port's IPSec (ipsec-tools+26sec)? OpenVPN?
    OpenS/WAN+KLIPS? Some other combination?

    If the VPN is working correctly, r001 should tunnel any traffic through
    the VPN, on the public interface. I'm assuming the traffic is emitted,
    but not moving through the VPN? Have you verified this? (Please note
    that with at least the one VPN implementation I have used, a localhost
    tcpdump will see stuff that isn't on the wire, because decrypted packets
    are re-submitted to the network stack.)

                    Joachim

  • Next message: Joachim Schipper: "Re: modsecurity for Apache"

    Relevant Pages

    • Re: Secure VPN access
      ... Is there any document or a guidance one about configuring IPSec ... available in Microsoft SBS server side also. ... do you mean you want to create VPN between SBS and a ...
      (microsoft.public.windows.server.sbs)
    • Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall
      ... My belief is that your NAT ... My understanding is that IPSec AH protocol does not work with NAT devices ... IPSec operates in either one of two modes - transport mode or tunnel mode. ... provide a VPN remote access solution. ...
      (microsoft.public.win2000.security)
    • Re: VPN From W2K/Pro to W2K Server Doesn;t Work Through Firewall
      ... and VPN client. ... >performing the gateway, routing and NATting. ... >> that do not have IPsec passthrough because the IP ... >> while tunnel mode protects the IP layer as well. ...
      (microsoft.public.win2000.security)
    • Re: Linux v Dedicated NAT routers - secure remote differences
      ... I think I have got the core of the issue, I assume you are using an IPsec ... VPN, so here is a quote form a Cisco paper on VPNs: ... NAT After IPSec ... then your Linux may not forward GRE for some reason. ...
      (comp.security.firewalls)
    • Re: If you hack a server joined to domain, how much info can you get ?
      ... way trust to the internal network where the internal network is the trusted ... user there domain administrator credentials on any domain ... Consider using ipsec in your domain. ... server could have a require ipsec policy ...
      (microsoft.public.security)