For the PC using 10.0.0.101/16, I set the gateway to point to 10.0.0.100/16. As for the PCs on 192.168.1.0/25, I set them to point to 192.168.1.225.
At the same time on RHEL4, I enabled iptables with 'service iptables start' and enabled masquerading on both interfaces using the 'iptables -t nat -A POSTROUTING -j MASQUERADE' command.
I can ping any hosts on 192.168.1.0/24 from 10.0.0.0/16 and vice versa.
The idea of this design is that I intend to change 10.0.0.101 and 192.168.1.121 into Cisco routers so that I can do site-to-site VPN simulation. Are there any complications in this design?
Hi,
I think you have missed the term site-to-site.
Site-to-site is a router-to-router connection.
In your design you only have one router.
Why can you ping both machines? I'm not sure which IP you have pinged, and whether you have set your router correctly.
HTH.
Last edited by rossonieri#1; 07-17-2007 at 09:29 AM.
The idea of the design is that I wanted to simulate a site-to-site VPN. Yes, you are right about the router-to-router connection if VPN needs to be done.
The hosts at 10.0.0.101/16 and 192.168.1.121/24 will be replaced by Cisco 871 routers to do VPN. Because both sides will have different public IPs, I have to design it in such a way that it simulates a real-world environment. However, in order for me to simulate a real-world site-to-site VPN, I need 2 public IPs. However, I have a dynamic IP at my home and nowhere else to connect it. So, the RHEL4 will act as many routers around the world put in one machine. I had problems trying to do IP forwarding and found another solution which I am not sure will work for my real-world simulation.
But before I could start replacing the hosts with Cisco routers, I have to make sure the RHEL4 works, so I placed 2 PCs at the sides to see if they can ping one another on both sides. That is where my question came along....
I did MASQUERADEing on the RHEL4 and both hosts on both sides of the network can ping each other. My question is that when I later replace the hosts with Cisco routers, will this be a good real-world environment test for VPN? I am going to try later and see if it works...
I hope this clarifies what I am trying to do. I welcome any comments or ideas which you may have.
You'll find that the iptables masquerading will be doing all the work and will be letting the packets pass back and forth between the 2 networks. If you remove the iptables rules you will find that the packets will stop.
The reason being is that you have not added a route back to each of the networks. For example, when the 10 network receives a data packet from the 192 network, since it's not on the same network it will by default send it to that network's default gateway, and vice versa for the 192 network.
Best thing to do is to delete all the iptables rules and then add some routes to the gateway.
Or whatever address you have assigned to the network cards; those commands should work, although it has been years since I've used them so you may need to check them out first.
Your picture is OK. Just make sure that the middle box becomes the cloud only, so your real routers will be your 2 end-points.
You have to turn on NAT MASQ on both end-points, 101 and 121.
From there, see how you must deal with "real" NAT and VPN - because you must pass through the middle box.
OP,
When you do replace the 2 hosts we've been discussing w/ the Cisco routers, will there be 2 subnets or 3? Will your regular/existing hosts be separate, or will they be included in one of the VPN test nets?
Do you have DHCP service on your LAN now? If so, what provides it?
What do they, the Cisco routers, cost?
All,
What is the best way to simulate "the cloud" -- the real 'Net -- after the Cisco routers are in place? Especially how should they, & their subnets, get their IP addresses? (I am not familiar w/ these routers.)
I'll try to answer; correct me if I'm wrong.
Still using the diagram:
[10.0.0.101/16]gw 0.1------[RHEL4]---------gw 1.1[192.168.1.121/24]
Basically, VPN means extending your LAN - hence the local and remote subnet will be the same. Unfortunately, if you use the same range before the VPN is established, your router gets confused picking the routing path. Thus we need a different subnet and some spare IP range in that subnet to be used for remote VPN clients, using either DHCP or static.
Example:
subnet A 0.0/16 --> free 0.200 to 0.210 for remote VPN clients,
subnet B 1.0/24 --> free 1.100 to 1.110 and so on...
You don't have to use VPN. Why?
Performing DNAT (overlapping NAT) for the remote subnet will do OK.
Example:
remote NATed subnet A 0.1 becomes 1.141 to 1.151 in subnet B.
Why do we need to simulate the cloud?
OK - the cloud will do just fine using a LAN-speed router, but this will be the challenge - because the WAN has much lower speed and more barriers - including router IP in dynamic or static, performing NAT etc.
HTH.
Last edited by rossonieri#1; 07-21-2007 at 03:41 AM.
We had a HAL-PC/HLUG Samba & Open Networking SIG meeting yesterday & discussed your situation. Consensus was you can't easily simulate Cisco hardware on an RHEL or SuSE box. You have already fallen into one trap by using iptables, a feature you can't, AFAIK, access on the Cisco routers, to make your test setup work. Best thing to do, if possible, is to put the Cisco's in your LAN now & proceed w/ testing them & learning about them. Have they been purchased yet?
Your test setup would look something like this:
Code:
   (              )
   (  the 'Net    ) ------- firewall
   (              )         [192.168.1.1/24]
                               |
   +--+--+--+------------+------------------+
   |  |  |  |            |                  |
   existing LAN    [192.168.1.x]      [192.168.1.y]
                     Cisco #1           Cisco #2
                   [10.0.0.100/16]    [10.0.0.101/16]
                         |                  |
                  Test Desktop #1     Test Desktop #2
Your LAN stands in for the 'Net, your firewall for the ISP's they will ultimately be connected to.
When I needed to use my laptop to route traffic to my wireless router, I found that I needed to modprobe the ip_conntrack module before it would work. I didn't need to mess with iptables rules, however.
A pair of VPNs would normally have public IPs on the internet side. Maybe placing a Linux host in between the routers would make for a better simulation. It would represent the cloud, and its IP addresses would be different from either subnet. You could have a pair of host routes. It just needs to transfer the encrypted traffic between the two routers.
Hi archtoad,
Thanks for the reply. We have the Cisco units with us already. It's running on IOS v12.4. We had problems pinging the boxes using our initial configuration but solved it using 'ip route'. But all in all, VPN doesn't seem to work even when using the SDM wizard or using CLI (with commands provided from http://www.vpnc.org/InteropProfiles/cisco-ios.txt).
With the diagram you have shown me, when I perform the VPN, if I am right, I should have Cisco #1 point to Cisco #2 and vice versa, am I right?
What is the purpose of the firewall or ISP? Will it be there so that the 10.0.0.100/16 and 10.0.0.101/16 will be able to surf the Internet via the Cisco routers also?
I will get this setup up and ready immediately and test if it works.
Just want to update everything regarding the VPN project I am doing. By using archtoad's suggestion of putting both CISCOs' WAN sides on the same subnet, it works. On top of that, I removed the RHEL4 and placed both WAN sides of the CISCO routers on the same subnet and it works.
If I put my RHEL4 router in between the CISCO routers and then perform VPN, it doesn't work. The CISCO debug function could not contact the peer router. Both peer routers can ping each other, but I had to do an 'ip route [WAN side network or peer router] [subnet mask] [receiving end of RHEL router]' on both CISCO routers.
I know that using 'iptables -t nat -A POSTROUTING -j MASQUERADE' would do a SNAT for any incoming packets going to it. Is this the reason why the VPN doesn't work?
So, on the Internet, as a packet is passed between routers, the source IP never changes.
I found another article on the Internet. They use IPCHAINS instead of IPTABLES. Here's the site: http://www.linuxjournal.com/article/5826. I don't know what IPCHAINS does. What does it do, and can we use this to simulate the Internet environment?
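The MASQUERADE question in the post above, together with the route-back point raised earlier in the thread (packets for the far subnet need a route via the RHEL4 box, not the default gateway), can be checked with a small model. This is an added example, not code from the thread or from anyone in it; it assumes the addresses the OP posted and models only MASQUERADE's source rewrite and longest-prefix routing, not a real netfilter stack.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the thread's topology, addresses as the OP posted them:
# RHEL4 has 10.0.0.100 on the 10.0.0.0/16 side and 192.168.1.225 on the
# 192.168.1.0/24 side; Cisco #1 is 10.0.0.101, Cisco #2 is 192.168.1.121.
RHEL_IFACES = {"eth0": "10.0.0.100", "eth1": "192.168.1.225"}
RHEL_ROUTES = [("10.0.0.0/16", "eth0"), ("192.168.1.0/24", "eth1")]

def egress_iface(dst):
    """Longest-prefix match over the RHEL4 box's routing table."""
    best = None
    for net, iface in RHEL_ROUTES:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface)
    return best[1] if best else None

def forward(pkt, masquerade):
    """Push one packet through the RHEL4 box and return it as the far side
    sees it (None if unroutable). masquerade=True models the OP's
    'iptables -t nat -A POSTROUTING -j MASQUERADE': the source address is
    rewritten to the address of the interface the packet leaves on."""
    out = egress_iface(pkt["dst"])
    if out is None:
        return None
    seen = dict(pkt)
    if masquerade:
        seen["src"] = RHEL_IFACES[out]
    return seen

def ipsec_peer_accepts(pkt, configured_peer):
    """A site-to-site IPsec peer only negotiates with the address it was
    configured for, so the IKE packet must arrive with that source intact."""
    return pkt is not None and pkt["src"] == configured_peer

def next_hop(host_routes, default_gw, dst):
    """What a Cisco (or PC) does with a packet for dst: a matching static
    'ip route' entry wins, otherwise it goes to the default gateway."""
    for net, gw in host_routes:
        if ip_address(dst) in ip_network(net):
            return gw
    return default_gw

# Constructed IKE packet from Cisco #1 to Cisco #2 (IKE runs on UDP port 500).
IKE = {"src": "10.0.0.101", "dst": "192.168.1.121", "proto": "udp/500"}
if __name__ == "__main__":
    for masq in (True, False):
        seen = forward(IKE, masq)
        print(("MASQUERADE" if masq else "plain routing"), "-> Cisco #2 sees src",
              seen["src"], "peer match:", ipsec_peer_accepts(seen, "10.0.0.101"))
```

With MASQUERADE on, Cisco #2 sees the RHEL4 box's 192.168.1.225 as the IKE source, so it never matches the peer it was configured for; with plain forwarding the source survives, but each Cisco then needs the static route for the far subnet that the post above describes.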
OK - what VPN type do you use for your project?
Was it basic GRE or IPSec?
Does this Cisco router become your internet gateway router also?
Have you done NAT? If yes, have you allowed the VPN traffic?
What is the debug ip traffic result?
Check the VPN route.
Post them so we can help.
Well, IMHO - if you use the same subnet for VPN - don't bother doing VPN --> that is what we call basic switching - just turn on the firewall.
Just check my and jschiwal's previous posts.
IPChains is the "old version" of IPTables.
HTH.
Last edited by rossonieri#1; 07-25-2007 at 06:34 AM.
Quote:
OK - what VPN type do you use for your project?
Was it basic GRE or IPSec?
I am using IPSec.
Quote:
Does this Cisco router become your internet gateway router also?
No, it doesn't. There's another gateway, so I did an 'ip route 0.0.0.0 0.0.0.0 [gateway address]' and an 'ip route [private LAN network] [private LAN mask] [destination's local global IP]' for VPN traffic.
Quote:
Have you done NAT? If yes, have you allowed the VPN traffic?
Yes. NATting was performed. SDM automatically creates the NATting.
Quote:
What is the debug ip traffic result?
Check the VPN route.
I'll have them resimulated again....
Quote:
Post them so we can help.
Well, IMHO - if you use the same subnet for VPN - don't bother doing VPN --> that is what we call basic switching - just turn on the firewall.