LinuxQuestions.org
Old 05-12-2013, 03:06 AM   #1
opti2k4
LQ Newbie
 
Registered: Oct 2012
Posts: 11

Rep: Reputation: Disabled
Routing packets to IPsec tunnel


Hello,

I have the following situation. I have 2 servers with public IPs, and I created an IPsec site-to-site VPN between them. On the 2nd server I am running an OpenVPN server. How can I force the 1st server so that packets destined for OpenVPN are sent into the IPsec tunnel? IPsec is configured in transport mode.

Thanks
 
Old 05-14-2013, 07:14 AM   #2
nyshtyak
Member
 
Registered: Nov 2008
Distribution: Arch
Posts: 38

Rep: Reputation: 1
You are too vague in your explanation, so you will hardly get good advice. Give more details on your network setup. The best way is a diagram, of course, but addresses and routes could be enough too.
 
Old 05-14-2013, 07:32 AM   #3
opti2k4
LQ Newbie
 
Registered: Oct 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
Why? The explanation is pretty simple.

I have 2 servers with public IPs. There is a site-to-site VPN between them (transport mode, Openswan). Let's say the 1st server is the front end and the 2nd server is the back end. On the 2nd server OpenVPN is installed. I want to use the 1st server as an intermediate server for OpenVPN, meaning when I "dial" the VPN on TCP port 443 on the 1st server, the request is routed through the tunnel to the actual VPN server, where the VPN connection will be established. VPN access on the back-end server will be denied for all traffic except that coming from the IPsec tunnel.
 
Old 05-14-2013, 03:45 PM   #4
nyshtyak
Member
 
Registered: Nov 2008
Distribution: Arch
Posts: 38

Rep: Reputation: 1
That's much clearer. You have to configure DNAT (port forwarding) on the front-end server. Don't forget the reverse route on the back end.
 
Old 05-14-2013, 04:13 PM   #5
opti2k4
LQ Newbie
 
Registered: Oct 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
Thanks for the answer. But how can I force that traffic through the site-to-site tunnel? With DNAT (as far as I know, and I am not a Linux guru) I can only forward traffic to the back-end IP, which in the end does not push that traffic through the tunnel to the destination server. Also, I am dealing here with public IP addresses only; for DNAT I would have to use private addresses.
 
Old 05-15-2013, 01:15 AM   #6
nyshtyak
Member
 
Registered: Nov 2008
Distribution: Arch
Posts: 38

Rep: Reputation: 1
>for DNAT i would have to use private addresses.
Not really. DNAT (as well as SNAT) just replaces the IP packet's destination address according to certain rules. You can easily replace one public address with another.

Also, you said you already have a VPN tunnel up between the front end and the back end. So you have a private network between these servers (with private addresses).

Just DNAT traffic that comes to port 443 on the front end's public address to port 443 of the back end's VPN address (not the public one). Of course there will be routing and NAT caveats, but for a start it is good to at least reach the back-end VPN server. Hope I understood your problem correctly.
 
Old 05-15-2013, 01:50 AM   #7
opti2k4
LQ Newbie
 
Registered: Oct 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
The thing is, I don't have a private address on the front-end or back-end server, so when you create a general DNAT rule, traffic goes directly to the destination IP (public IP) without going through the tunnel.
 
Old 05-15-2013, 02:52 AM   #8
nyshtyak
Member
 
Registered: Nov 2008
Distribution: Arch
Posts: 38

Rep: Reputation: 1
Yes, sorry. I'm not familiar with VPN in transport mode.
So you need something like mirroring:
1) A packet from the client arrives at the front end on port 443;
2) You perform DNAT in PREROUTING and change the packet's dst address from the front end's to the back end's;
3) The front end makes a routing decision;
4) Because the packet's destination address is now the address of your back end, the packet has to be sent through the VPN tunnel in this case;
5) In POSTROUTING you have to change the packet's source address to the front end's address so the back end will not send the response to the client directly;
6) The packet arrives at the back end; the back end sends the response with the destination address of the front end (through the VPN again) and the source address of the back end;
7) The response packet arrives at the front end;
8) The connection tracker (conntrack) performs the reverse translation of dst and src addresses for both DNAT and SNAT.

But this is the theory. I doubt whether packets with a modified external IP header (#5) will be considered valid at #6, as well as whether #4 holds true.

Maybe changing the VPN to tunnel mode is the answer.
 
Old 05-15-2013, 03:03 AM   #9
opti2k4
LQ Newbie
 
Registered: Oct 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
>4) Because the packet's destination address is now the address of your back end, the packet has to be sent through the VPN tunnel in this case;

Well, how do you make sure the packet is actually going through the VPN and not directly? It looks to me like this is actually the hardest part.
 
Old 05-15-2013, 06:09 AM   #10
nyshtyak
Member
 
Registered: Nov 2008
Distribution: Arch
Posts: 38

Rep: Reputation: 1
Well, the easiest way to check is to capture the traffic on the back-end server. I cannot say definitively how traffic that passed through the tunnel is distinguished from traffic that came from the outside world, but I suspect there should be VPN trailers (ESP/AH?) in it.
 
Old 05-16-2013, 06:59 AM   #11
opti2k4
LQ Newbie
 
Registered: Oct 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
I am pretty sure I can configure the destination server to accept traffic on the VPN ports only where the source is ESP, so when I block access to those ports from the Internet I still have not told the traffic to use the tunnel instead.
 
Old 05-17-2013, 01:49 AM   #12
nyshtyak
Member
 
Registered: Nov 2008
Distribution: Arch
Posts: 38

Rep: Reputation: 1
An iptables filter (traffic blocker) doesn't have an impact on the routing decision, does it?
 
Old 06-26-2013, 07:39 AM   #13
amirn
LQ Newbie
 
Registered: Mar 2011
Distribution: Fedora, Ubuntu
Posts: 15

Rep: Reputation: 0
Maybe this can help.

Did you make sure that on the server that also runs OpenVPN, IP forwarding is enabled (otherwise it will not act as a router and forward any packets)?
If not, just type "sysctl -w net.ipv4.ip_forward=1" and it should do it.

I'm not sure you have to use iptables at all in this case, since implementations like Openswan know how to route packets between two private subnets.

It would help if you could provide your IPsec configuration file.

I also have an example of how to configure Openswan with L2TP (L2TP is different from OpenVPN, but the server and IPsec configuration should be the same).
Here it is:
Amir
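The DNAT/SNAT procedure from post #8, the "accept only via ESP" filter from posts #11 and #12, and the ip_forward check from post #13, collected into one added shell example. This is not code from the thread, from Openswan or from OpenVPN; the two public addresses (RFC 5737 documentation ranges), the interface name eth0 and the port are assumptions you replace with your own. It defaults to a dry run that prints the commands, because on a transport-mode setup the point is to see which rewrite makes the packet fall inside the host-to-host IPsec policy, and then to verify it on the wire rather than trust the routing table:

```shell
#!/bin/sh
# Added example (not from the thread). Front-end DNAT/SNAT for TCP 443 into a
# transport-mode IPsec SA, a back-end filter that only accepts the port when the
# packet was decapsulated from ESP, and the checks that show whether the
# forwarded traffic really left as ESP.
# Assumptions: FRONT_IP/BACK_IP are placeholders from the RFC 5737 documentation
# ranges; WAN_IF and PORT are assumed as well.
set -eu

FRONT_IP="${FRONT_IP:-192.0.2.10}"     # assumed front-end public address
BACK_IP="${BACK_IP:-198.51.100.20}"    # assumed back-end public address
PORT="${PORT:-443}"                    # OpenVPN port used in the thread
WAN_IF="${WAN_IF:-eth0}"               # assumed public interface name
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute as root

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Front end, steps 1-5 of the procedure. After DNAT and SNAT the packet is
# src=FRONT_IP dst=BACK_IP, which is exactly the host-to-host selector of a
# transport-mode connection between the two public addresses, so the kernel's
# IPsec policy (SPD) matches it and sends it as ESP. In transport mode there is
# no tunnel interface for the routing table to choose; the SPD decides.
frontend_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Step 2: DNAT in PREROUTING, FRONT_IP:443 -> BACK_IP:443
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -d "$FRONT_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$BACK_IP:$PORT"
    # Step 5: SNAT in POSTROUTING so the back end replies to FRONT_IP, not to the client
    run iptables -t nat -A POSTROUTING -d "$BACK_IP" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$FRONT_IP"
    # Let the forwarded flow and its replies through the FORWARD chain;
    # conntrack (step 8) reverses both translations on the way back
    run iptables -A FORWARD -d "$BACK_IP" -p tcp --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Back end: accept the OpenVPN port only for packets that were decapsulated from
# an ESP transport-mode SA (xt_policy). The match tests the IPsec policy that
# applied to the packet, not its route, so it enforces "only via the tunnel"
# regardless of what the front end's routing table did.
backend_rules() {
    run iptables -A INPUT -p tcp --dport "$PORT" \
        -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$PORT" -j DROP
}

# Checks: the front end's outbound SPD entry must cover FRONT_IP -> BACK_IP, an
# SA must exist for that pair, and on the wire the forwarded flow must show up
# as ESP rather than as cleartext TCP/443.
verify_cmds() {
    run ip xfrm policy list src "$FRONT_IP/32" dst "$BACK_IP/32" dir out
    run ip xfrm state list src "$FRONT_IP" dst "$BACK_IP"
    run tcpdump -ni "$WAN_IF" "host $BACK_IP and (esp or tcp port $PORT)"
}

# Number of iptables rules a role emits (meaningful in dry-run mode only).
rule_count() { "$1" | grep -c '^iptables '; }

case "${1:-all}" in
    frontend) frontend_rules ;;
    backend)  backend_rules ;;
    verify)   verify_cmds ;;
    all)      frontend_rules; backend_rules; verify_cmds ;;
    *) echo "usage: $0 [frontend|backend|verify|all]" >&2; exit 2 ;;
esac
```

Run it as `sh nat-ipsec.sh frontend` (or `backend`, `verify`) to print the commands, and with `DRY_RUN=0` as root to apply them. The DNAT target is the back end's public address on purpose: with transport mode there is no private tunnel address, as posts #5 and #7 point out, and what puts the packet into the SA is the src/dst pair matching the Openswan connection's selectors, not a route. If `tcpdump` on the front end shows `tcp port 443` to BACK_IP instead of `esp`, the rewritten flow is falling outside the SPD entry (check that the conn is host-to-host between these two addresses and that the policy listing is non-empty) and the back-end DROP rule will then correctly refuse it.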
 
  

