Multiple vpn tunnels

 
 
said.abdel@gmail.com
      03-26-2007, 12:35 PM
Hello Folks,

I have the following situation:

            VPN Tunnel 1             VPN Tunnel 2
81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
 Gateway A                Gateway B                 Gateway C

I need all clients coming from gateway C to be able to use the vpn
tunnel 1, so I have the following rule on Gateway B:

iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE

But it does not work; what am I missing here?

Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
or telnet from Gateway C seems to work. I don't have access to Gateway
A, so I can't verify if the packets get to Gateway A.

I would really appreciate it if you can help me fix this or find another
job

 
Tauno Voipio
      03-26-2007, 02:16 PM
(E-Mail Removed) wrote:
> Hello Folks,
>
> I have the following situation:
>
>             VPN Tunnel 1             VPN Tunnel 2
> 81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
>  Gateway A                Gateway B                 Gateway C
>
> I need all clients coming from gateway C to be able to use the vpn
> tunnel 1, so I have the following rule on Gateway B:
>
> iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
>
> But it does not work; what am I missing here?
>
> Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
> or telnet from Gateway C seems to work. I don't have access to Gateway
> A, so I can't verify if the packets get to Gateway A.
>
> I would really appreciate it if you can help me fix this or find another
> job



The masquerade may be an overkill, unless you need to limit
the visibility of the subnets to the other end of the tunnel.

Did you:

- tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?
- tell VPN tunnel 2 end that gateway A and the nets behind it
are reachable via gateway C?
- enable forwarding at gateway C?

--

Tauno Voipio
tauno voipio (at) iki fi
 
 
said.abdel@gmail.com
      03-26-2007, 05:58 PM
On Mar 26, 10:16 am, Tauno Voipio <tauno.voi...@INVALIDiki.fi> wrote:
> said.ab...@gmail.com wrote:
> > Hello Folks,
> >
> > I have the following situation:
> >
> >             VPN Tunnel 1             VPN Tunnel 2
> > 81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
> >  Gateway A                Gateway B                 Gateway C
> >
> > I need all clients coming from gateway C to be able to use the vpn
> > tunnel 1, so I have the following rule on Gateway B:
> >
> > iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
> >
> > But it does not work; what am I missing here?
> >
> > Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
> > or telnet from Gateway C seems to work. I don't have access to Gateway
> > A, so I can't verify if the packets get to Gateway A.
> >
> > I would really appreciate it if you can help me fix this or find another
> > job
>
> The masquerade may be an overkill, unless you need to limit
> the visibility of the subnets to the other end of the tunnel.
>
> Did you:
>
> - tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?

I don't have access to administration on Gateway A. The reason why we
need this is that we wanted to save time to use a temporary tunnel but
in the future (in a couple of months) they will provide us with a tunnel
between Gateway A and Gateway C.

> - tell VPN tunnel 2 end that gateway A and the nets behind it
> are reachable via gateway C?

It already knows that. tcpdump on gateway B shows that Gateway C is
talking to Gateway A via Gateway B.

> - enable forwarding at gateway C?

Yes it is enabled.
>
> --
>
> Tauno Voipio
> tauno voipio (at) iki fi


Thanks a lot for your reply

 
 
Tauno Voipio
      03-26-2007, 06:35 PM
(E-Mail Removed) wrote:
> On Mar 26, 10:16 am, Tauno Voipio <tauno.voi...@INVALIDiki.fi> wrote:
>
>>said.ab...@gmail.com wrote:
>>
>>>Hello Folks,
>>>
>>>I have the following situation:
>>>
>>>            VPN Tunnel 1             VPN Tunnel 2
>>>81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
>>> Gateway A                Gateway B                 Gateway C
>>>
>>>I need all clients coming from gateway C to be able to use the vpn
>>>tunnel 1, so I have the following rule on Gateway B:
>>>
>>>iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
>>>
>>>But it does not work; what am I missing here?
>>>
>>>Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
>>>or telnet from Gateway C seems to work. I don't have access to Gateway
>>>A, so I can't verify if the packets get to Gateway A.
>>>
>>>I would really appreciate it if you can help me fix this or find another
>>>job
>>
>>The masquerade may be an overkill, unless you need to limit
>>the visibility of the subnets to the other end of the tunnel.
>>
>>Did you:
>>
>> - tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?
>
> I don't have access to administration on Gateway A. The reason why we
> need this is that we wanted to save time to use a temporary tunnel but
> in the future (in a couple of months) they will provide us with a tunnel
> between Gateway A and Gateway C.


This will be a problem: The gateway should know to route your
packets for tunnel 2 via the intermediate gateway. If you cannot
change the routing here, the packets destined to the second
tunnel will be sent to gateway A's default next-hop gateway.

Could you think of splitting the subnet in tunnel 1 into
two sub-subnets and assign it to tunnel 2?

--

Tauno Voipio
tauno voipio (at) iki fi
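
An added illustration, not part of the thread, of the routing point in the reply above: it models which source address gateway A sees once gateway B's POSTROUTING rule has run, and where A's routing table then sends the reply. Gateway A's routing table, the host behind A and the client address behind C are constructed, and it assumes that eth0 on B carries 59.20.93.49 and that A already routes that address through tunnel 1.

```python
import ipaddress

# POSTROUTING rule quoted in the thread (gateway B):
#   -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
RULE_SRC = ipaddress.ip_network("93.48.28.27/32")   # -s with no mask is a /32
RULE_DST = ipaddress.ip_network("81.129.40.0/24")
# Assumption: eth0 on gateway B carries the address shown in the diagram.
GATEWAY_B = ipaddress.ip_address("59.20.93.49")

# Constructed routing table for gateway A (the thread does not show it).
# Assumption: A already reaches gateway B's address through tunnel 1.
GATEWAY_A_ROUTES = [
    ("59.20.93.49/32", "tunnel1"),
    ("81.129.40.0/24", "lan"),
    ("0.0.0.0/0", "default-gw"),
]

def next_hop(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    addr = ipaddress.ip_address(addr)
    matches = [(ipaddress.ip_network(net), hop) for net, hop in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def source_seen_by_a(src, dst):
    """Source address on the packet after gateway B's nat rule is applied."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in RULE_SRC and dst in RULE_DST:
        return GATEWAY_B          # MASQUERADE: rewritten to eth0's address
    return src                    # rule not matched: source left untouched

def reply_path(src, dst):
    """Return (source address A sees, where A sends the reply)."""
    seen = source_seen_by_a(src, dst)
    return str(seen), next_hop(GATEWAY_A_ROUTES, seen)

if __name__ == "__main__":
    server = "81.129.40.10"               # constructed host behind gateway A
    for src in ("93.48.28.27",            # gateway C itself
                "192.168.30.25"):         # constructed client behind C
        print(src, "->", reply_path(src, server))
    # Without NAT, A has no specific route back to gateway C:
    print("93.48.28.27 un-NATed ->", next_hop(GATEWAY_A_ROUTES, "93.48.28.27"))
```

In this model only packets whose source is exactly 93.48.28.27 are rewritten; a client behind gateway C that arrives at B with its own address does not match `-s 93.48.28.27`, so A's reply follows the default route instead of tunnel 1.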
 