[plug] Routing... through VPN

Bernd Felsche bernie at innovative.iinet.net.au
Wed Aug 4 08:51:45 WST 2004


On Wednesday 04 August 2004 08:36, Marc Wiriadisastra wrote:

> Bernd Felsche wrote:
> >I have a VPN tunnel (OpenVPN) working between two sites but have a
> >small problem with routing out from one site to another, through the
> >tunnel.
> >
> >In order to facilitate the VPN in addition to a real private
> >network, I've overlaid a new set of private IP addresses for key
> >hosts, so the topology looks something like this:
> >
> >+-----------------+        +-----------------+
> >|    Server A     |  LAN   | Firewall A      |
> >| VPN 10.0.9.1    |--------| VPN 10.0.9.9    |
> >| LAN 192.168.9.1 |        | LAN 192.168.9.9 |
> >+-----------------+        | TUN 10.1.0.9    |
> >  |                        +-----------------+
> >  | LAN                            ||
> >  |                                || Internet
> >[Cisco]                            ||
> >      |                    +-----------------+
> >      | Frame Relay        | Firewall+Serv B |
> >[Cisco]                    | VPN 10.0.8.1    |
> >     |               LAN   | LAN 192.168.8.1 |
> >     +---------------------| TUN 10.1.0.8    |
> >                           +-----------------+
> >
> >Firewall A is the default gateway for Server A.
> >IP forwarding is ON at Firewall A.
> >
> >I can ping, ssh, etc to Firewall A's VPN address from Firewall B.
> >I can ping, ssh, etc to Server A's VPN address from Firewall B.
> >I can ping, ssh, etc to Firewall B's VPN address from Firewall A.
> >
> >Problem:
> >I can't ping Firewall B's VPN or TUN address from Server A.
> >A traceroute stops at Firewall A.
> >
> >Routing on Firewall A is essentially a mirror of that on Firewall B.

> Gonna show how nooby I am.  Have you tried it without the firewall
> momentarily to see whether that is the cause of it?  I had a

Without the firewall, there's no connection. :-)

> situation where the firewall was open for tcp packets but udp
> packets were needed as well, hence it wasn't working.  I narrowed it
> down by dropping the firewall and testing.

After double- and triple-checking the routing, and checking that iptables
had corresponding entries (the respective tun0 interfaces are "internal"
as far as the firewall is concerned), I left it for a while to do
something else.

Checked again an hour later and it was working! Traffic in both
directions.

After some further testing it appears that the "stateful" firewall
was losing state fairly quickly (less than 30 seconds), and it
requires regular traffic from the "client" end to keep the
connection alive.

OpenVPN has a keepalive for a regular ping for precisely that
purpose.

-- 
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ /  ASCII ribbon campaign | I'm a .signature virus!
 X   against HTML mail     | Copy me into your ~/.signature
/ \  and postings          | to help me spread!
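An added configuration example, not from the post, showing the ping-based keepalive the reply refers to, written for Firewall A's side of the point-to-point tunnel in the diagram; the remote hostname, port and key path are assumed placeholders:

```conf
# Added example (not from the original post): Firewall A's end of a
# point-to-point OpenVPN tunnel. Hostname, port and key path are
# placeholders, not values from the post.
dev tun0
proto udp
port 1194
remote firewall-b.example.invalid
ifconfig 10.1.0.9 10.1.0.8          # local TUN address, remote TUN address
secret /etc/openvpn/site-b.key      # static pre-shared key (placeholder)

# Send the far site's VPN overlay and LAN through the tunnel (addresses
# from the diagram above).
route 10.0.8.0 255.255.255.0
route 192.168.8.0 255.255.255.0

# Send a ping over the tunnel whenever no other packet has gone out
# for 10 s. The post found the stateful firewall dropped the tunnel's
# state in under 30 s, so the interval must stay well below that so the
# UDP entry is refreshed before it expires. Set it on both ends so it
# does not depend on which side is the "client".
ping 10

# Restart the tunnel if nothing at all arrives from the peer for 60 s,
# so a tunnel that silently died gets re-established.
ping-restart 60
```

In OpenVPN 2.0 and later server mode the `keepalive 10 60` helper stands for the same two directives (the server itself uses `ping-restart 120` and pushes `ping 10` and `ping-restart 60` to its clients).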
