LinuxQuestions.org


saavik 12-03-2009 04:18 PM

vpn via route
 
Hello!

I have a Squid proxy also functioning as a VPN gateway behind my ISP router, which I am not able to configure.

Now I set up a VPN the following way:


Squid/VPNGW(IP:1) --> ISPRouter(IP:2) --> vpn Gateway(IP:3) --> web-Server(IP:4)

The task is to reach the web server through the VPN tunnel from the network behind my Squid/VPNGW.

The VPN comes up perfectly and everything seems to work fine, but I think I have a routing problem.

My Squid/VPNGW has a public IP address (let's say this is 1); the default GW for my Squid/VPNGW needs to be the ISPRouter (let's say this one has the IP 2).

Now in my ipsec.conf I added leftnexthop=2 (the IP of the ISPRouter).

So because of that my "route -n" shows me that the route for IP:4 (which is a private address, something like 172.98.0.1) is via the ISPRouter (IP:2), which (of course) does not know anything about my ESP tunnel.

How can that be solved?

My ipsec.conf
Quote:

conn TEST
authby=secret
leftid=xx.x.x.82
left=xx.x.x.82
leftsubnet=192.168.0.0/24
leftnexthop=xx.x.x.81
rightid=xx.xxx.xx.14
right=xx.xxx.xx.xx
rightsubnet=172.16.198.0/24
ike=aes128-sha1-modp1536
esp=aes128-sha1
auto=add

nimnull22 12-03-2009 09:30 PM

Quote:

Originally Posted by saavik (Post 3778879)
Hello!
...
So because of that my "route -n" shows me that the route for IP:4 (which is a private address, something like 172.98.0.1) is via the ISPRouter (IP:2), which (of course) does not know anything about my ESP tunnel.

I believe that you can easily add and remove any additional or useless routes.

saavik 12-04-2009 01:00 AM

Sure you can, but I just do not know what to add or remove.

I think the leftnexthop should be my SquidGW (IP:1), but that does not work.

Also, if I insert the IP of the external VPNGW, the ipsec.conf does not work.

What to do?

nimnull22 12-04-2009 10:47 AM

Please post your "route -n" here.

saavik 12-04-2009 01:47 PM

/usr/sbin/ipsec auto --verbose --up TEST
002 "TEST" #1: initiating Main Mode
104 "TEST" #1: STATE_MAIN_I1: initiate
003 "TEST" #1: ignoring unknown Vendor ID payload [4f457a7d4646466667725f65]
003 "TEST" #1: received Vendor ID payload [Dead Peer Detection]
003 "TEST" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
002 "TEST" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
...
..
.
004 "test" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1f59524b <0x963d3ad7}
# route -n
Code:

Kernel IP Routentabelle
Ziel            Router          Genmask        Flags Metric Ref    Use Iface
xx.xxx.x.80    0.0.0.0        255.255.255.248 U    0      0        0 eth0
>>>>172.16.198.0    xx.xxx.x.81    255.255.255.0  UG    0      0        0 eth0
192.168.0.0    0.0.0.0        255.255.255.0  U    0      0        0 eth1
127.0.0.0      0.0.0.0        255.0.0.0      U    0      0        0 lo
0.0.0.0        xx.xxx.x.81    0.0.0.0        UG    0      0        0 eth0


>>>>> is the interesting part. This is our ISP's router.

nimnull22 12-04-2009 03:43 PM

Quote:

Originally Posted by nimnull22 (Post 3779128)
So because of that my "route -n" shows me that the route for IP:4 (which is a private address, something like 172.98.0.1) is via the ISPRouter (IP:2), which (of course) does not know anything about my ESP tunnel.

0.0.0.0 xxx.xxx.xxx.81 0.0.0.0 UG 0 0 0 eth0

leftnexthop=xx.x.x.81

I would say that everything is alright.

saavik 12-04-2009 04:47 PM

That's what I thought, but I can't reach the other network.

saavik 12-07-2009 07:29 AM

OK, the GW for the IPs in rightsubnet needs to be the GW server itself. Then the ping lands in the ESP tunnel.

I already get an answer, but this cannot be encrypted.

What the .... is that.... Let's see...
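Added example, not code from the thread or from Openswan: a small Python check that reads the conn block, `route -n` and `ip xfrm policy` output and reports whether packets from leftsubnet to rightsubnet will be ESP-encapsulated or would leave the gateway in the clear. It assumes the NETKEY (xfrm) stack, where a plain route via the ISP router is expected and the kernel's outbound xfrm policy does the tunnelling; with KLIPS the route must instead point into an ipsecN device. All inputs are constructed; 10.0.0.x and 203.0.113.14 stand in for the addresses the poster masked.

```python
import ipaddress
import re

# Constructed sample inputs mirroring the thread's layout (the poster's masked
# xx.xxx.x.8x addresses are replaced with 10.0.0.x; this is not their real config).
IPSEC_CONF = "conn TEST\n    leftsubnet=192.168.0.0/24\n    rightsubnet=172.16.198.0/24\n"
ROUTE_N = """Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
>>>>172.16.198.0    10.0.0.81       255.255.255.0   UG    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.0.81       0.0.0.0         UG    0      0        0 eth0
"""
XFRM_POLICY = ("src 192.168.0.0/24 dst 172.16.198.0/24\n\tdir out priority 2344 ptype main\n"
               "\ttmpl src 10.0.0.82 dst 203.0.113.14\n\t\tproto esp reqid 16385 mode tunnel\n")

def parse_conn(text):
    """key=value pairs of an ipsec.conf conn block."""
    return dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)

def parse_routes(text):
    """`route -n` rows as (network, gateway, iface); header lines are skipped
    whatever the locale, and the poster's >>>> marker is tolerated."""
    rows = []
    for line in text.splitlines():
        f = line.lstrip(">").split()
        if len(f) >= 8 and re.fullmatch(r"[\d.]+", f[0]):
            rows.append((ipaddress.ip_network(f"{f[0]}/{f[2]}", strict=False), f[1], f[7]))
    return rows

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does for a plain route lookup."""
    hits = [r for r in routes if ipaddress.ip_address(dst) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def outbound_policy_exists(policy_text, src, dst):
    """True if `ip xfrm policy` output has a 'dir out' policy for src -> dst."""
    want = (ipaddress.ip_network(src), ipaddress.ip_network(dst))
    found = re.findall(r"src (\S+) dst (\S+)\s+dir out", policy_text)
    return any((ipaddress.ip_network(s), ipaddress.ip_network(d)) == want for s, d in found)

def diagnose(conf_text, route_text, policy_text):
    """(verdict, gateway, iface) for a host in rightsubnet. 'klips': route enters an
    ipsecN device; 'netkey': plain route but an xfrm policy will ESP-encapsulate
    (expected); 'cleartext': plain route and no policy, packets would leave unencrypted."""
    conn = parse_conn(conf_text)
    route = lookup(parse_routes(route_text), str(ipaddress.ip_network(conn["rightsubnet"])[1]))
    if route is None:
        return ("noroute", None, None)
    _, gw, iface = route
    if iface.startswith("ipsec"):
        return ("klips", gw, iface)
    if outbound_policy_exists(policy_text, conn["leftsubnet"], conn["rightsubnet"]):
        return ("netkey", gw, iface)
    return ("cleartext", gw, iface)
```

On a live gateway, feed it the real `route -n` and `ip xfrm policy` output instead of the constructed strings; a 'cleartext' verdict is the case to fix before sending traffic.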
