#1 | 05-12-2013, 04:06 AM | LQ Newbie (Registered: Oct 2012, Posts: 11)
Routing packets to IPsec tunnel
Hello,
I have the following situation. I have 2 servers with public IPs, and I created an IPsec site-to-site VPN between them. On the 2nd server I am running an OpenVPN server. How can I force the 1st server to send packets destined for OpenVPN into the IPsec tunnel? IPsec is configured in transport mode.
Thanks
#2 | 05-14-2013, 08:14 AM | Member (Registered: Nov 2008, Distribution: Arch, Posts: 38)
You are too misty in your explanations, so you will hardly get good advice. Bring more details on your network setup. The best way is an image, of course, but addresses and routes could be enough too.
#3 | 05-14-2013, 08:32 AM | LQ Newbie, Original Poster (Registered: Oct 2012, Posts: 11)
Why? The explanation is pretty simple.
I have 2 servers with a public IP. There is a site-to-site VPN created between them (transport mode, openswan). Let's say the 1st server is the front end and the 2nd server is the back end. On the 2nd server OpenVPN is installed. I want to use the 1st server as an intermediate server for OpenVPN, meaning that when I "dial" the VPN on TCP port 443 on the 1st server, the request is routed through the tunnel to the actual VPN server, where the VPN connection will be established. VPN access on the backend server will be denied for all traffic except the traffic coming from the IPsec tunnel.
#4 | 05-14-2013, 04:45 PM | Member (Registered: Nov 2008, Distribution: Arch, Posts: 38)
That's much clearer. You have to configure DNAT (port forwarding) on the frontend server. Don't forget the reverse route on the backend.
#5 | 05-14-2013, 05:13 PM | LQ Newbie, Original Poster (Registered: Oct 2012, Posts: 11)
Thanks for the answer. But how can I force that traffic through the site-to-site tunnel? With DNAT (as far as I know, and I am not a Linux guru) I can only tell it to forward traffic to the back end IP, which in the end does not push that traffic through the tunnel to the destination server, and I am also dealing here with public IP addresses only; for DNAT I would have to use private addresses.
#6 | 05-15-2013, 02:15 AM | Member (Registered: Nov 2008, Distribution: Arch, Posts: 38)
> for DNAT i would have to use private addresses.
Not really. DNAT (as well as SNAT) just replaces the IP packet's destination address by certain rules. You can easily change one public address to another one.
Also, you said you already have a VPN tunnel up between front-end and back-end. So you have a private network between these servers (with private addresses).
Just DNAT traffic that comes to port 443 on the front-end public address into port 443 of the backend VPN address (not public). Of course there will be routing and NAT caveats, but for a start it is good to at least reach the backend VPN server. Hope I understood your problem correctly.
#7 | 05-15-2013, 02:50 AM | LQ Newbie, Original Poster (Registered: Oct 2012, Posts: 11)
The thing is, I don't have a private address on the front end or back end server, so when you actually create a general DNAT rule, traffic goes directly to the destination IP (public IP) without going through the tunnel.
#8 | 05-15-2013, 03:52 AM | Member (Registered: Nov 2008, Distribution: Arch, Posts: 38)
Yes, sorry. I'm not familiar with VPN in transport mode.
So you need something like mirroring.
1) Packet from client arrives at front-end port 443;
2) You perform DNAT in PREROUTING and change the packet's dst address from the front-end's to the back-end's;
3) Front-end makes a routing decision;
4) Because the packet's destination address is now the address of your back-end, the packet has to be sent through the VPN tunnel in this case;
5) In POSTROUTING you have to change the packet's source address to the front-end's address so the back-end will not send the response to the client directly;
6) Packet arrives at the back-end; the back-end sends a response with the destination address of the front-end (through the VPN again) and the source address of the back-end;
7) Response packet arrives at the front-end;
8) Connection tracker (conntrack) performs reverse translation of dst and src addresses for both DNAT and SNAT.
But this is the theory. I doubt whether packets with a modified external IP header (#5) will be considered valid at #6, and the same goes for #4.
Maybe changing the VPN to tunnel mode is the way.
#9 | 05-15-2013, 04:03 AM | LQ Newbie, Original Poster (Registered: Oct 2012, Posts: 11)
> 4) Because now packet destination address is address of your back-end, packet has to be sent through VPN tunnel in this case;
Well, how do you make sure the packet is actually going through the VPN and not directly? It looks to me like this is actually the hardest part.
#10 | 05-15-2013, 07:09 AM | Member (Registered: Nov 2008, Distribution: Arch, Posts: 38)
Well, the easiest way to check is to capture the traffic on the backend server. I cannot say definitely how traffic that passed through the tunnel is distinguished from traffic that came from the outside world, but I suspect there should be VPN headers (ESP/AH?) in it.
#11 | 05-16-2013, 07:59 AM | LQ Newbie, Original Poster (Registered: Oct 2012, Posts: 11)
I am pretty sure I can configure the destination server to accept traffic on the VPN ports only where the source is ESP, so when I block access to those ports from the Internet, I still have not told the traffic to use the tunnel instead.
#12 | 05-17-2013, 02:49 AM | Member (Registered: Nov 2008, Distribution: Arch, Posts: 38)
The iptables filter (traffic blocker) doesn't have an impact on the routing decision, does it?
#13 | 06-26-2013, 08:39 AM | LQ Newbie (Registered: Mar 2011, Distribution: Fedora, Ubuntu, Posts: 16)
Maybe this can help.
Did you make sure that on the server that also runs OpenVPN, IP forwarding is enabled (otherwise it will act as a router and forward any packets)?
If not, just type "sysctl -w net.ipv4.ip_forward=1" and it should do it.
I'm not sure you have to use iptables at all in this case, since implementations like openswan know how to route packets between two private subnets.
It will help if you could provide your ipsec configuration file.
I also have an example of how to configure openswan with L2TP (L2TP is different from OpenVPN, but the server and IPsec configuration should be the same).
Here it is
Amir
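As an added example (not code posted in this thread), the rules below put the outline from post #8 into iptables form: DNAT in PREROUTING, SNAT in POSTROUTING, the ip_forward setting from post #13, and the xt_policy match (`-m policy`) as the answer to post #9, since it matches only packets the kernel's IPsec policy (SPD) will actually ESP-encapsulate, so the trailing DROP catches anything that would leave in the clear. The addresses, the interface and the `front_rules`/`back_rules` helper names are constructed placeholders; the real values come from the openswan configuration.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed placeholder addresses (TEST-NET ranges).
FRONT_PUB="${FRONT_PUB:-192.0.2.10}"     # front-end public IP (placeholder)
BACK_PUB="${BACK_PUB:-198.51.100.20}"    # back-end public IP (placeholder)
VPN_PORT="${VPN_PORT:-443}"              # OpenVPN TCP port named in the thread

# Front-end: step 2 (DNAT) and step 5 (SNAT) from post #8, plus a FORWARD filter.
# "-m policy --dir out --pol ipsec" is true only if the SPD will wrap the packet
# in ESP on the way out; the DROP right after it refuses a clear-text detour.
front_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $FRONT_PUB -p tcp --dport $VPN_PORT -j DNAT --to-destination $BACK_PUB:$VPN_PORT
iptables -t nat -A POSTROUTING -d $BACK_PUB -p tcp --dport $VPN_PORT -j SNAT --to-source $FRONT_PUB
iptables -A FORWARD -d $BACK_PUB -p tcp --dport $VPN_PORT -m policy --dir out --pol ipsec --proto esp --mode transport -j ACCEPT
iptables -A FORWARD -d $BACK_PUB -p tcp --dport $VPN_PORT -j DROP
EOF
}

# Back-end: the OpenVPN port is reachable only for packets that were just
# decapsulated from transport-mode ESP and carry the front-end's source address
# (the SNAT from step 5); Internet-direct attempts fall through to DROP.
back_rules() {
  cat <<EOF
iptables -A INPUT -s $FRONT_PUB -p tcp --dport $VPN_PORT -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
iptables -A INPUT -p tcp --dport $VPN_PORT -j DROP
EOF
}

# Dry run by default (prints both rule sets for review); "apply-front" or
# "apply-back" pipes the matching set into a shell (needs root and xt_policy).
case "${1:-}" in
  apply-front) front_rules | sh ;;
  apply-back)  back_rules | sh ;;
  *) echo "# front-end:"; front_rules; echo "# back-end:"; back_rules ;;
esac
```

On the back-end, `tcpdump -ni <iface> esp and host 192.0.2.10` (interface is a placeholder) is the capture check from post #10: the forwarded session should show up as ESP, not as plain TCP/443.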