One to One NAT query

 
 
Josh Howlett
05-06-2004, 11:32 AM
I am trying to do something a bit unusual :-). I hope someone
can help.

I have a Linux NAS that terminates PPP sessions. When the PPP
session is connected, the PPP users are required to start a
VPN session to a VPN server.

The VPN protocol is PPTP.

<-----------VPN---------->
<---PPP---->
User ---------- NAS -----+---- VPN server A
                         |
                         +---- VPN server B
                         |
                         \---- VPN server C

I have multiple VPN servers (A, B and C), and I want to be
able to control where the user's VPN gets terminated.

For example, one day I might want to terminate user Joe's
VPN session on server B; another day, I might want to
terminate it on server C.

I also didn't want this to be reliant on the user changing
the IP address of the destination VPN server. So, regardless
of what IP address the user uses, the VPN always goes to the
right VPN server.

I thought I might do this by using one-to-one NAT on the NAS.

iptables -t nat -A PREROUTING -i ppp0 -j DNAT --to <IP of VPN>
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to <IP of VPN>

....where "IP of VPN" is the address of the VPN that I want to
direct the user's VPN session to.

However, this doesn't seem to work. This is an abbreviated
version of what I see (the user has dialed in and been
allocated 172.16.42.7; the user then attempts to VPN to
1.2.3.4, which I NAT to the desired address (XXX)):

Src          Dst          Proto  Info

172.16.42.7  1.2.3.4      TCP    1659 > pptp [SYN]
1.2.3.4      172.16.42.7  TCP    pptp > 1659 [SYN, ACK]
172.16.42.7  1.2.3.4      PPTP   Start-Control-Connection-Request

So far so good; the PPTP TCP control channel is correctly
NATed. However, I then get:

XXX          172.16.42.7  PPP LCP  Configuration request
172.16.42.7  XXX          PPP LCP  Configuration request
XXX          172.16.42.7  PPP LCP  Configuration request
172.16.42.7  XXX          PPP LCP  Configuration request
etc...

(These are encapsulated in the PPTP session's GRE data channel).

The PPP LCP packets do not appear to get NATed! Instead, the REAL
IP of the VPN server is stamped on the packets. LCP negotiation
times out, presumably because the VPN client simply drops the
packets as it doesn't recognise the source address.

So... why are the GRE packets not getting NATed on the NAS?

josh.

--
------------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: (E-Mail Removed)
------------------------------------------------------------
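
A way to confirm the symptom described in the post from a capture: the peer address on the PPTP GRE data channel should be the same as the peer on the TCP control channel. This is an added example, not part of the original post; the function names are hypothetical, the packets are constructed, and 192.0.2.10 is a placeholder for the address the post writes as XXX.

```python
import struct
from ipaddress import IPv4Address

PPTP_PORT, PROTO_TCP, PROTO_GRE = 1723, 6, 47

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the constructed sample (checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, IPv4Address(src).packed,
                       IPv4Address(dst).packed) + payload

def classify(pkt):
    """Return (src, dst, kind); kind is 'control', 'data' or None."""
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    src, dst = str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))
    body, kind = pkt[ihl:], None
    if proto == PROTO_TCP and len(body) >= 4:
        if PPTP_PORT in struct.unpack("!HH", body[:4]):
            kind = "control"            # PPTP control channel, TCP port 1723
    elif proto == PROTO_GRE and len(body) >= 4:
        flags_ver, ptype = struct.unpack("!HH", body[:4])
        if (flags_ver & 0x7) == 1 and ptype == 0x880B:
            kind = "data"               # enhanced GRE (version 1) carrying PPP
    return src, dst, kind

def unmapped_data_packets(packets, client):
    """Find GRE packets whose peer is not the control-channel peer."""
    control_peer, mismatches = None, []
    for index, pkt in enumerate(packets):
        src, dst, kind = classify(pkt)
        if client not in (src, dst):
            continue
        peer = dst if src == client else src
        if kind == "control" and control_peer is None:
            control_peer = peer         # the address the client dialled
        elif kind == "data" and peer != control_peer:
            mismatches.append((index, src, dst))
    return control_peer, mismatches

# Constructed sample modelled on the post's trace. REAL is a placeholder
# (documentation range) for the server address the post writes as XXX.
CLIENT, DIALLED, REAL = "172.16.42.7", "1.2.3.4", "192.0.2.10"
GRE = struct.pack("!HHHHI", 0x3001, 0x880B, 0, 0, 0)
SAMPLE = [
    ipv4(CLIENT, DIALLED, PROTO_TCP, struct.pack("!HH", 1659, PPTP_PORT) + bytes(16)),
    ipv4(DIALLED, CLIENT, PROTO_TCP, struct.pack("!HH", PPTP_PORT, 1659) + bytes(16)),
    ipv4(REAL, CLIENT, PROTO_GRE, GRE),
    ipv4(CLIENT, REAL, PROTO_GRE, GRE),
]
print(unmapped_data_packets(SAMPLE, CLIENT))
```

An empty mismatch list means both channels show the client the same peer address; any entry is a GRE packet that carries a different address than the one dialled.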
 