LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#1 saavik, 12-03-2009, 04:18 PM
vpn via route


Hello!

I have a Squid proxy also functioning as a VPN gateway behind my ISP router, which I am not able to configure.

Now I set up a vpn the following way:


Squid/VPNGW(IP:1) --> ISPRouter(IP:2) --> vpn Gateway(IP:3) --> web-Server(IP:4)

The task is to reach the web-Server through the VPN tunnel from the network behind my Squid/VPNGW.

The VPN comes up perfectly and everything seems to work fine, but I think I have a routing problem.

My Squid/vpnGW has a public IP address (let's say this is 1); the default gw for my Squid/vpnGW needs to be the ISPRouter (let's say this one has the IP 2).

Now in my ipsec.conf I added nextlefthop=2 (the ip of the ISPRouter).

So because of that my "route -n" shows me that the route for the ip:4 (which is a private address, something like 172.98.0.1) is via ISPRouter (IP:2), which (of course) does not know anything about my ESP tunnel.

How can that be solved?

My ipsec.conf
Code:
    conn TEST
        authby=secret
        leftid=xx.x.x.82
        left=xx.x.x.82
        leftsubnet=192.168.0.0/24
        leftnexthop=xx.x.x.81
        rightid=xx.xxx.xx.14
        right=xx.xxx.xx.xx
        rightsubnet=172.16.198.0/24
        ike=aes128-sha1-modp1536
        esp=aes128-sha1
        auto=add

Last edited by saavik; 12-03-2009 at 04:34 PM.
 
#2 nimnull22, 12-03-2009, 09:30 PM
Quote:
Originally Posted by saavik View Post
Hello!
...
So because of that my "route -n" shows me that the route for the ip:4 (which is a private address, something like 172.98.0.1) is via ISPRouter (IP:2), which (of course) does not know anything about my ESP tunnel.
I believe that you can easily add and remove any additional or useless routes.
 
#3 saavik (Original Poster), 12-04-2009, 01:00 AM
Sure you can, but I just do not know what to add or remove.

I think the leftnexthop should be my SquidGW (ip:1), but that does not work.

Also, if I insert the IP of the external VPNGW, the ipsec.conf does not work.

What to do?
 
#4 nimnull22, 12-04-2009, 10:47 AM
Please post your "route -n" here.
 
#5 saavik (Original Poster), 12-04-2009, 01:47 PM
Code:
    /usr/sbin/ipsec auto --verbose --up TEST
    002 "TEST" #1: initiating Main Mode
    104 "TEST" #1: STATE_MAIN_I1: initiate
    003 "TEST" #1: ignoring unknown Vendor ID payload [4f457a7d4646466667725f65]
    003 "TEST" #1: received Vendor ID payload [Dead Peer Detection]
    003 "TEST" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
    002 "TEST" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
    ...
    ..
    .
    004 "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1f59524b <0x963d3ad7}

Code:
    # route -n
    Kernel IP Routentabelle
    Ziel            Router          Genmask         Flags Metric Ref    Use Iface
    xx.xxx.x.80    0.0.0.0         255.255.255.248 U     0      0        0 eth0
    >>>>172.16.198.0    xx.xxx.x.81    255.255.255.0   UG    0      0        0 eth0
    192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         xx.xxx.x.81    0.0.0.0         UG    0      0        0 eth0

>>>> marks the interesting part. This is our ISP's router.

Last edited by saavik; 12-04-2009 at 01:50 PM.
 
#6 nimnull22, 12-04-2009, 03:43 PM
Quote:
Originally Posted by nimnull22 View Post
So because of that my "route -n" shows me that the route for the ip:4 (which is a private address, something like 172.98.0.1) is via ISPRouter (IP:2), which (of course) does not know anything about my ESP tunnel.
0.0.0.0 xxx.xxx.xxx.81 0.0.0.0 UG 0 0 0 eth0

leftnexthop=xx.x.x.81

I would say that everything is alright.
 
#7 saavik (Original Poster), 12-04-2009, 04:47 PM
That's what I thought, but I can't reach the other network.
 
#8 saavik (Original Poster), 12-07-2009, 07:29 AM
OK, the GW for the IPs in rightsubnet needs to be the gw-Server itself. Then the ping lands in the ESP tunnel.

I already get an answer but this cannot be encrypted.

What the .... is that.... let's see...
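The thread's diagnosis comes down to one question: which route does the kernel pick for rightsubnet, and whose gateway is it? The following Python script is an added diagnostic, not code from the thread or from any IPsec project. It parses `route -n` output (the German-header variant shown in post #5 is handled, since lines are recognised by shape) and the `conn` section of an ipsec.conf, then reports whether packets for rightsubnet would go to the leftnexthop router (the `>>>>` line, which the poster says knows nothing about the ESP tunnel), to the default route, or to the gateway's own address as post #8 concludes. The addresses are constructed documentation-range values (203.0.113.x, 198.51.100.14) standing in for the masked ones; the conn name TEST and the private subnets are the thread's own.

```python
import ipaddress

# Constructed sample input, modelled on the route table in post #5. The masked
# ISP addresses (xx.xxx.x.80/.81/.82) are replaced with documentation-range
# values, an assumption made only so the sample parses.
SAMPLE_ROUTE_N = """\
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
203.0.113.80    0.0.0.0         255.255.255.248 U     0      0        0 eth0
172.16.198.0    203.0.113.81    255.255.255.0   UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         203.0.113.81    0.0.0.0         UG    0      0        0 eth0
"""

# Constructed conn section with the same substitution; keys follow the
# ipsec.conf posted in the thread.
SAMPLE_IPSEC_CONF = """\
conn TEST
    authby=secret
    left=203.0.113.82
    leftsubnet=192.168.0.0/24
    leftnexthop=203.0.113.81
    right=198.51.100.14
    rightsubnet=172.16.198.0/24
    auto=add
"""


def parse_route_n(text):
    """Turn `route -n` output into (network, gateway, iface) tuples.

    Lines are recognised by shape (eight columns whose first and third parse
    as address and netmask), so a localized header such as the German one in
    the thread is skipped without special-casing."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8:
            continue
        try:
            network = ipaddress.ip_network(f"{fields[0]}/{fields[2]}", strict=False)
            gateway = ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # header or other non-route line
        routes.append((network, gateway, fields[7]))
    return routes


def parse_conn(text, name):
    """Return the key=value parameters of one `conn <name>` section."""
    params = {}
    inside = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            inside = stripped.split(None, 1)[1] == name
        elif inside and "=" in stripped and not stripped.startswith("#"):
            key, value = stripped.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def lookup(routes, destination):
    """Longest-prefix match, the rule the kernel applies to a destination."""
    best = None
    for network, gateway, iface in routes:
        if destination in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, iface)
    return best


def check_remote_subnet_route(route_text, conf_text, conn):
    """Classify where packets for rightsubnet are routed.

    Returns (status, gateway, iface) with status one of:
      via-nexthop-explicit  a specific route for rightsubnet points at
                            leftnexthop (the ISP router): the >>>> line in post #5
      via-default           only the default route matches
      local-gateway         the route's gateway is the VPN gateway's own
                            address (left): the arrangement post #8 ends at
      other / no-route      anything else
    """
    params = parse_conn(conf_text, conn)
    routes = parse_route_n(route_text)
    remote = ipaddress.ip_network(params["rightsubnet"])
    hit = lookup(routes, next(remote.hosts()))  # first usable host of rightsubnet
    if hit is None:
        return ("no-route", None, None)
    network, gateway, iface = hit
    gw = str(gateway)
    if gw == params.get("left"):
        return ("local-gateway", gw, iface)
    if network.prefixlen == 0:
        return ("via-default", gw, iface)
    if gw == params.get("leftnexthop"):
        return ("via-nexthop-explicit", gw, iface)
    return ("other", gw, iface)


if __name__ == "__main__":
    status, gw, iface = check_remote_subnet_route(SAMPLE_ROUTE_N, SAMPLE_IPSEC_CONF, "TEST")
    print(f"rightsubnet is routed {status} via {gw} on {iface}")
```

Run against the sample it reports `via-nexthop-explicit`, the state the thread starts in; feeding it a table where the 172.16.198.0 route's gateway is the gateway's own `left` address yields `local-gateway`. The script only tells you where the routing table sends the packets; whether the IPsec stack then picks them up is a separate check that the thread leaves open in post #8.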