Multiple vpn tunnels - Networking

  1. Multiple vpn tunnels

    Hello Folks,

    I have the following situation:

                VPN Tunnel 1             VPN Tunnel 2
    81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
     Gateway A                Gateway B                 Gateway C

    I need all clients coming from gateway C to be able to use the vpn
    tunnel 1, so I have the following rule on Gateway B:

    iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE

    But it does not work; what am I missing here?

    Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
    or telnet from Gateway C seems to work. I don't have access to Gateway
    A, so I can't verify if the packets get to Gateway A.

    I would really appreciate it if you can help me fix this or find another
    job


  2. Re: Multiple vpn tunnels

    said.abdel@gmail.com wrote:
    > Hello Folks,
    >
    > I have the following situation:
    >
    >             VPN Tunnel 1             VPN Tunnel 2
    > 81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
    >  Gateway A                Gateway B                 Gateway C
    >
    > I need all clients coming from gateway C to be able to use the vpn
    > tunnel 1, so I have the following rule on Gateway B:
    >
    > iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
    >
    > But it does not work; what am I missing here?
    >
    > Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
    > or telnet from Gateway C seems to work. I don't have access to Gateway
    > A, so I can't verify if the packets get to Gateway A.
    >
    > I would really appreciate it if you can help me fix this or find another
    > job



    The masquerade may be an overkill, unless you need to limit
    the visibility of the subnets to the other end of the tunnel.

    Did you:

    - tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?
    - tell VPN tunnel 2 end that gateway A and the nets behind it
    are reachable via gateway C?
    - enable forwarding at gateway C?

    --

    Tauno Voipio
    tauno voipio (at) iki fi

  3. Re: Multiple vpn tunnels

    On Mar 26, 10:16 am, Tauno Voipio wrote:
    > said.ab...@gmail.com wrote:
    > > Hello Folks,
    > >
    > > I have the following situation:
    > >
    > >             VPN Tunnel 1             VPN Tunnel 2
    > > 81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
    > >  Gateway A                Gateway B                 Gateway C
    > >
    > > I need all clients coming from gateway C to be able to use the vpn
    > > tunnel 1, so I have the following rule on Gateway B:
    > >
    > > iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
    > >
    > > But it does not work; what am I missing here?
    > >
    > > Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
    > > or telnet from Gateway C seems to work. I don't have access to Gateway
    > > A, so I can't verify if the packets get to Gateway A.
    > >
    > > I would really appreciate it if you can help me fix this or find another
    > > job
    >
    > The masquerade may be an overkill, unless you need to limit
    > the visibility of the subnets to the other end of the tunnel.
    >
    > Did you:
    >
    > - tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?

    I don't have access to administration on Gateway A. The reason why we
    need this is that we wanted to save time to use a temporary tunnel but
    in the future (in a couple of months) they will provide us with a tunnel
    between Gateway A and Gateway C.

    > - tell VPN tunnel 2 end that gateway A and the nets behind it
    > are reachable via gateway C?

    It already knows that. tcpdump on gateway B shows that Gateway C is
    talking to Gateway A via Gateway B.

    > - enable forwarding at gateway C?

    Yes it is enabled.
    >
    > --
    >
    > Tauno Voipio
    > tauno voipio (at) iki fi


    Thanks a lot for your reply


  4. Re: Multiple vpn tunnels

    said.abdel@gmail.com wrote:
    > On Mar 26, 10:16 am, Tauno Voipio wrote:
    >
    >>said.ab...@gmail.com wrote:
    >>
    >>>Hello Folks,
    >>>
    >>>I have the following situation:
    >>>
    >>>            VPN Tunnel 1             VPN Tunnel 2
    >>>81.129.39.9 ============ 59.20.93.49 ============= 93.48.28.27
    >>> Gateway A                Gateway B                 Gateway C
    >>>
    >>>I need all clients coming from gateway C to be able to use the vpn
    >>>tunnel 1, so I have the following rule on Gateway B:
    >>>
    >>>iptables -t nat -A POSTROUTING -s 93.48.28.27 -d 81.129.40.0/24 -o eth0 -j MASQUERADE
    >>>
    >>>But it does not work; what am I missing here?
    >>>
    >>>Note: doing tcpdump host 93.48.28.27 on Gateway B and trying to ping
    >>>or telnet from Gateway C seems to work. I don't have access to Gateway
    >>>A, so I can't verify if the packets get to Gateway A.
    >>>
    >>>I would really appreciate it if you can help me fix this or find another
    >>>job
    >>
    >>The masquerade may be an overkill, unless you need to limit
    >>the visibility of the subnets to the other end of the tunnel.
    >>
    >>Did you:
    >>
    >> - tell gateway A that VPN tunnel 2 is reachable via VPN tunnel 1?
    >
    > I don't have access to administration on Gateway A. The reason why we
    > need this is that we wanted to save time to use a temporary tunnel but
    > in the future (in a couple of months) they will provide us with a tunnel
    > between Gateway A and Gateway C.


    This will be a problem: The gateway should know to route your
    packets for tunnel 2 via the intermediate gateway. If you cannot
    change the routing here, the packets destined to the second
    tunnel will be sent to gateway A's default next-hop gateway.

    Could you think of splitting the subnet in tunnel 1 into
    two sub-subnets and assign it to tunnel 2?

    --

    Tauno Voipio
    tauno voipio (at) iki fi
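
The return-path problem described in the last reply, and the subnet split it suggests, modelled as an added example that is not part of the thread. The 10.20.0.0/24 network and the route labels are assumptions made for illustration; the thread gives only the gateways' public addresses.

```python
import ipaddress as ip

# Constructed model. The thread gives only the gateways' public addresses; the
# 10.20.0.0/24 network that Gateway A routes into tunnel 1 is an assumption.
GATEWAY_C = "93.48.28.27"
TUNNEL1_NET = ip.ip_network("10.20.0.0/24")

def next_hop(routes, dst):
    """Longest-prefix match over (network, exit) pairs."""
    addr = ip.ip_address(dst)
    matching = [(net, exit_) for net, exit_ in routes if addr in net]
    return max(matching, key=lambda r: r[0].prefixlen)[1]

# Gateway A cannot be reconfigured, so its table stays fixed.
A_ROUTES = [
    (ip.ip_network("0.0.0.0/0"), "A's default next-hop"),
    (TUNNEL1_NET, "tunnel 1"),
]

def split_tunnel1_net(net=TUNNEL1_NET):
    """Halve the net A already sends into tunnel 1: one half stays behind
    Gateway B, the other is assigned to the clients behind Gateway C."""
    stays_at_b, moves_to_c = net.subnets(prefixlen_diff=1)
    return stays_at_b, moves_to_c

def b_routes():
    """Gateway B's table after the split; Gateway A's table is untouched."""
    stays_at_b, moves_to_c = split_tunnel1_net()
    return [
        (ip.ip_network("0.0.0.0/0"), "B's default next-hop"),
        (stays_at_b, "B's local LAN"),
        (moves_to_c, "tunnel 2"),
    ]

def reply_path(dst):
    """Exits a reply from behind Gateway A takes on its way to dst."""
    hops = [next_hop(A_ROUTES, dst)]
    if hops[0] == "tunnel 1":  # the reply reached Gateway B
        hops.append(next_hop(b_routes(), dst))
    return hops

if __name__ == "__main__":
    _, moves_to_c = split_tunnel1_net()
    for dst in (GATEWAY_C, str(moves_to_c[10]), "10.20.0.10"):
        print(f"reply to {dst:<14} -> {' -> '.join(reply_path(dst))}")
```

A reply addressed to Gateway C's own address never enters tunnel 1, which matches the symptom in the first post: packets are visible leaving Gateway B, but nothing comes back.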