Discussion:
VPN and routing
Matthias Scheler
2007-10-17 13:27:43 UTC
How do I get my netbsd box to route on the same network?
192.168.0.0/24--->[netbsd box 192.168.0.1]
                                  ^
                                  |
[via IPSEC VPN 192.168.0.200/24]--|
The netbsd box is running 4.0 rc2 racoon and pf.
How do I get the netbsd box to "listen" for VPN-destined traffic, or is
this just not the way to do it?
I'm not sure whether I understand your problem correctly:
1.) You have a bunch of machines which are connected to the network
192.168.0.0/24.
2.) You want a NetBSD machine connected to this network to route IP packets
to another machine using the IP address 192.168.0.1 over an
IPsec VPN link.
3.) You don't want to have to configure the other machines connected to
192.168.0.0/24 to route packets to 192.168.0.1 over the NetBSD box.

Is that your problem?

Kind regards
--
Matthias Scheler http://zhadum.org.uk/

--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
Steve Pribyl
2007-10-17 13:46:22 UTC
Matthias,

Thanks for the redirect.
Post by Matthias Scheler
How do I get my netbsd box to route on the same network?
192.168.0.0/24--->[netbsd box 192.168.0.1]
                                  ^
                                  |
[via IPSEC VPN 192.168.0.200/24]--|
The netbsd box is running 4.0 rc2 racoon and pf.
How do I get the netbsd box to "listen" for VPN-destined traffic, or is
this just not the way to do it?
1.) You have a bunch of machines which are connected to the network
192.168.0.0/24.
2.) You want a NetBSD machine connected to this network to route IP packets
to another machine using the IP address 192.168.0.1 over an
IPsec VPN link.
3.) You don't want to have to configure the other machines connected to
192.168.0.0/24 to route packets to 192.168.0.1 over the NetBSD box.
Is that your problem?
Almost,

I have a vpn server at 192.168.0.1.
A vpn client is at 192.168.0.200.
There are other boxes on 192.168.0.0/24.

Traffic from the local network boxes to 192.168.0.200 needs to be routed
by the vpn server.

I have done something like this using ssh/ppp/iptables/linux and did not
need to setup routing on the local network nodes.

Steve Pribyl
Infrastructure Practitioner


Matthias Scheler
2007-10-17 17:21:20 UTC
Post by Steve Pribyl
I have a vpn server at 192.168.0.1.
A vpn client is at 192.168.0.200.
There are other boxes on 192.168.0.0/24.
Traffic from the local network boxes to 192.168.0.200 needs to be routed
by the vpn server.
[I'm assuming that 192.168.0.0/24 is an ethernet network.]

You can use proxy ARP:
1.) Run "arp -s 192.168.0.200 xx:xx:xx:xx:xx:xx pub" on the VPN server
(replace "xx:xx:xx:xx:xx:xx" with the MAC address of 192.168.0.1).
Add the command to e.g. "/etc/netstart.local" to make sure it is
rerun during the reboot.
2.) Add "net.inet.ip.redirect=0" to "/etc/sysctl.conf" and use
"sysctl -w net.inet.ip.redirect=0" to make the change effective
immediately.

Kind regards
--
Matthias Scheler http://zhadum.org.uk/

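The two steps above (publish an ARP entry for the extruded address, then stop the kernel from sending ICMP redirects) as a small script for the NetBSD VPN server. This is an added example, not code from the thread or from NetBSD; the LAN interface name wm0 is an assumption, and it presumes racoon/setkey and pf are already set up to carry 192.168.0.200's traffic over the tunnel. It builds the exact commands the post recommends, refuses to publish an address outside the local /24 or the gateway's own address (a published entry makes this box answer every ARP request for that IP, so a typo would hijack a neighbour's traffic), and verifies the result afterwards.

```sh
#!/bin/sh
# Added example (not from the thread): apply proxy ARP for an address extruded
# over IPsec and disable ICMP redirects on a NetBSD VPN server, then verify.
# Assumptions not stated in the post: LAN interface is wm0; racoon/setkey and
# pf already allow traffic for 192.168.0.200 through the tunnel.

GW_IF=${GW_IF:-wm0}          # LAN interface of the VPN server (assumption)
GW_IP=192.168.0.1            # the VPN server's own LAN address
CLIENT_IP=192.168.0.200      # address extruded to the IPsec client
LAN_PREFIX=192.168.0         # the /24 we are allowed to proxy for

# Read the gateway's own MAC from ifconfig; NetBSD prints it as "address: xx:xx:...".
gw_mac() {
    ifconfig "$GW_IF" | awk '/address:/ { print $2; exit }'
}

# Six colon-separated hex pairs, nothing else.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Only publish ARP for an address inside our own /24, and never for our own
# address: the gateway would otherwise answer ARP for a host it does not own.
sane_proxy_target() {
    case "$1" in
        "$GW_IP")          return 1 ;;
        "$LAN_PREFIX".*)   return 0 ;;
    esac
    return 1
}

# Build the exact commands the post recommends so they can be reviewed or
# logged before they are executed.
proxy_arp_cmd() {     # $1 = address to proxy for, $2 = this host's MAC
    printf 'arp -s %s %s pub' "$1" "$2"
}
no_redirect_cmd() {
    printf 'sysctl -w net.inet.ip.redirect=0'
}

apply() {
    mac=$(gw_mac)
    valid_mac "$mac" || { echo "cannot read MAC of $GW_IF" >&2; return 1; }
    sane_proxy_target "$CLIENT_IP" || { echo "refusing to proxy ARP for $CLIENT_IP" >&2; return 1; }
    eval "$(proxy_arp_cmd "$CLIENT_IP" "$mac")" || return 1
    eval "$(no_redirect_cmd)" || return 1
    # Verify: the entry must show up as published and redirects must be off.
    arp -an | grep -q "($CLIENT_IP).*published" || return 1
    [ "$(sysctl -n net.inet.ip.redirect)" = 0 ]
}

# Run as root on the VPN server:  sh proxyarp.sh apply
case "${1:-}" in
    apply) apply ;;
esac
```

This applies the settings at runtime only; for persistence put the two commands in /etc/netstart.local and /etc/sysctl.conf as the post describes. To confirm the gateway has actually stopped emitting redirects, watch with `tcpdump -ni wm0 'icmp[icmptype] == icmp-redirect'` while a LAN host pings 192.168.0.200; any remaining traffic problems are then in the IPsec policy or the pf rules, not in ARP.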
Michael Richardson
2007-10-17 15:24:21 UTC
Matthias> [This really belongs on "tech-***@NetBSD.org".]

Matthias> On Mon, Oct 15, 2007 at 02:08:53PM -0500, Steve Pribyl
How do I get my netbsd box to route on the same network?
192.168.0.0/24--->[netbsd box 192.168.0.1]
                                  ^
                                  |
[via IPSEC VPN 192.168.0.200/24]--|
The netbsd box is running 4.0 rc2 racoon and pf.
How do I get the netbsd box to "listen" for VPN-destined traffic,
or is this just not the way to do it?
Matthias> Is that your problem?

I don't think you got it.

I think he has extruded the IP 192.168.0.200 to this remote machine.
The gateway is 192.168.0.1. The question is, how can he make
192.168.0.1 pick up packets for .200 and send them over the link.
The answer is proxy-arp.

- --
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] ***@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


Steve Pribyl
2007-10-17 20:30:54 UTC
Post by Matthias Scheler
Post by Steve Pribyl
I have a vpn server at 192.168.0.1.
A vpn client is at 192.168.0.200.
There are other boxes on 192.168.0.0/24.
Traffic from the local network boxes to 192.168.0.200 needs to be routed
by the vpn server.
[I'm assuming that 192.168.0.0/24 is an ethernet network.]
1.) Run "arp -s 192.168.0.200 xx:xx:xx:xx:xx:xx pub" on the VPN server
(replace "xx:xx:xx:xx:xx:xx" with the MAC address of 192.168.0.1).
Add the command to e.g. "/etc/netstart.local" to make sure it is
rerun during the reboot.
2.) Add "net.inet.ip.redirect=0" to "/etc/sysctl.conf" and use
"sysctl -w net.inet.ip.redirect=0" to make the change effective
immediately.
Kind regards
Excellent

However, what exactly does net.inet.ip.redirect control?

Thanks
Steve Pribyl
Infrastructure Practitioner


Matthias Scheler
2007-10-17 20:57:56 UTC
Post by Steve Pribyl
However, what exactly does net.inet.ip.redirect control?
It controls whether the network stack sends ICMP redirects. I've used a
similar configuration in the past which worked fine. But the NetBSD
VPN gateway kept sending ICMP redirect packets to any system which
tried to send packets to the VPN client. Those ICMP redirects told
the client to send packets to the VPN gateway instead of the
VPN gateway. Yes, that doesn't make any sense.

You can perhaps try whether this is still the case with an up-to-date
version of NetBSD and submit a bug report, which I forgot to do at that time.

Kind regards
--
Matthias Scheler http://zhadum.org.uk/
