[Openswan Users] advanced routing? ipsec l2tp

John A. Sullivan III john.sullivan at nexusmgmt.com
Tue Mar 23 07:52:24 CET 2004


On Tue, 2004-03-23 at 04:36, foren titze wrote:
> hello,
> 
> i have set up an ipsec/l2tp tunnel between windows and linux with help of Jacco 
> de Leeuw.
> 
> now i connect my windows roadwarrior to the linux server and get a correct lan 
> ip from the inner side of the gateway, e.g. 192.168.121.251
> 
> now i would like to connect from the roadwarrior over putty to a computer 
> behind the gateway. the topology is like:
> 
> roadwarrior====vpn_gate---INTERNET---firewall---computer(213.x.x.x, extern ip)
> 
> so from the roadwarrior over the vpn_gate to a computer in the internet, 
> which can only be accessed with an ip of the inner lan, e.g. 192.168.121.x/24. 
> all other world wide ips are dropped.
> 
> but, when i try to connect to this computer, i arrive with the extern ip of the 
> vpn_gate.
> 
> how can i masquerade or route it? thanks for help!!!
<snip>
I'm not entirely sure of what you are doing here.  The target computer
has a public address but is protected by a firewall? Access is only
across the Internet?

If so, you cannot send a packet with a source address of a private
address - the Internet routers will not be able to route the reply
packet back.

You will need to tunnel the packet -- which is what I assume you want. 
Your road warrior will tunnel the packet to the VPN gateway and then the
VPN gateway will need to tunnel the packet to the target computer.

However, there needs to be a tunnel termination point on the side where
the target lives.  In other words, the VPN gateway takes your road
warrior packet with address 192.168.121.x, stuffs it into an ESP packet
with the public address of the VPN gateway and sends it either to the
firewall or to the target host.  At whichever one terminates the tunnel,
there needs to be the ability to extract the 192.168.121.x packet from
the publicly addressed packet and send it to the IP stack on the target
host.  This host must then have the ability to send the reply packet
addressed to 192.168.121.x back to its tunnel termination point where it
will reenter the tunnel and return eventually to the road warrior.

This is the basic concept of VPN tunneling.  Then again, perhaps I have
misunderstood you and you are really asking something more complex. 
Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan at nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
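The three outcomes discussed in this thread (a private 192.168.121.x source address leaving vpn_gate unencapsulated, vpn_gate masquerading to its public address, and a gateway-to-target tunnel with a return policy on the target) can be walked through with a small packet-path model. This is an added example, not code from the thread or from Openswan: the addresses 198.51.100.1 (vpn_gate's public side) and 203.0.113.10 (the target, standing in for the elided 213.x.x.x) are constructed, the road warrior's already-working L2TP/IPsec leg is modelled as a direct link, and IP-in-IP (protocol 4) stands in for ESP tunnel mode since the routing lesson does not depend on the crypto.

```python
"""Constructed model of the packet path from the thread (added example, not Openswan code)."""
import ipaddress
import struct

IPIP = 4                                              # IP-in-IP as a crypto-free stand-in for ESP
PRIVATE = ipaddress.ip_network("192.168.121.0/24")    # inner LAN from the post
ROADWARRIOR = "192.168.121.251"                       # inner address from the post
GATEWAY_PUB = "198.51.100.1"   # constructed: public side of vpn_gate
TARGET_PUB = "203.0.113.10"    # constructed: stands in for the elided 213.x.x.x target


def _checksum(data):
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum, plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for a header produced by build_ipv4."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.ip_address(pkt[12:16])),
            str(ipaddress.ip_address(pkt[16:20])), pkt[9], pkt[ihl:])


def lookup(table, ip):
    """Longest-prefix match over [(network, value)]; None when nothing matches."""
    ip, best = ipaddress.ip_address(ip), None
    for net, value in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None


def topology(tunnel, masquerade):
    """Nodes keyed by name: addresses, routes (prefix -> next node), optional SPD-style
    policy (prefix -> tunnel peer), accepted tunnel peers and a stateless source filter."""
    n, host = ipaddress.ip_network, lambda ip: ipaddress.ip_network(ip + "/32")
    nodes = {
        "roadwarrior": {"addrs": {ROADWARRIOR}, "routes": [(n("0.0.0.0/0"), "vpn_gate")]},
        "vpn_gate": {"addrs": {GATEWAY_PUB, "192.168.121.1"}, "pub": GATEWAY_PUB,
                     "peers": {TARGET_PUB}, "masquerade": masquerade,
                     "routes": [(host(ROADWARRIOR), "roadwarrior"), (n("0.0.0.0/0"), "internet")]},
        # Backbone: only public prefixes are routable; RFC 1918 destinations have no route.
        "internet": {"addrs": set(), "routes": [(host(GATEWAY_PUB), "vpn_gate"),
                                                (host(TARGET_PUB), "firewall")]},
        # Filter in front of the target, as the post describes it: inner-LAN sources only,
        # plus tunnel (IPIP) traffic from vpn_gate's public address and the target itself.
        "firewall": {"addrs": set(),
                     "allow": [(PRIVATE, None), (host(GATEWAY_PUB), IPIP), (host(TARGET_PUB), None)],
                     "routes": [(host(TARGET_PUB), "target"), (n("0.0.0.0/0"), "internet")]},
        "target": {"addrs": {TARGET_PUB}, "pub": TARGET_PUB, "peers": {GATEWAY_PUB},
                   "routes": [(n("0.0.0.0/0"), "firewall")]},
    }
    if tunnel:  # the tunnel John describes: vpn_gate <-> target, terminated on the target host
        nodes["vpn_gate"]["policy"] = [(host(TARGET_PUB), TARGET_PUB)]
        nodes["target"]["policy"] = [(PRIVATE, GATEWAY_PUB)]  # replies to 192.168.121.x re-enter it
    return nodes


def trace(pkt, start, nodes, max_hops=12):
    """Walk a packet hop by hop through the model; return (path, outcome string)."""
    path, here = [start], start
    for _ in range(max_hops):
        node = nodes[here]
        src, dst, proto, payload = parse_ipv4(pkt)
        if "allow" in node and not any(ipaddress.ip_address(src) in net and p in (None, proto)
                                       for net, p in node["allow"]):
            return path, "dropped at %s: source %s not permitted" % (here, src)
        if dst in node["addrs"] and proto == IPIP:          # tunnel endpoint: unwrap
            if src not in node.get("peers", ()):
                return path, "dropped at %s: tunnel packet from unknown peer %s" % (here, src)
            src, dst, proto, payload = parse_ipv4(payload)
            pkt = payload if False else pkt[(pkt[0] & 0x0F) * 4:]
        if dst in node["addrs"]:
            return path, "delivered %s->%s at %s" % (src, dst, here)
        peer = lookup(node.get("policy", []), dst) if proto != IPIP else None
        if peer:                                            # wrap in an outer public-address header
            pkt = build_ipv4(node["pub"], peer, IPIP, pkt)
            continue                                        # re-route the outer packet from here
        nxt = lookup(node["routes"], dst)
        if nxt is None:
            return path, "dropped at %s: no route to %s" % (here, dst)
        if node.get("masquerade") and nxt == "internet" and ipaddress.ip_address(src) in PRIVATE:
            pkt = build_ipv4(node["pub"], dst, proto, payload)  # SNAT to vpn_gate's public IP
        here = nxt
        path.append(here)
    return path, "hop limit exceeded"


def run(tunnel=False, masquerade=False):
    """Send a TCP/22 request from the road warrior, then the target's reply.
    Returns (request_outcome, reply_outcome, reply_path)."""
    nodes = topology(tunnel, masquerade)
    _, req_out = trace(build_ipv4(ROADWARRIOR, TARGET_PUB, 6, b"SYN to port 22"), "roadwarrior", nodes)
    if not req_out.startswith("delivered"):
        return req_out, None, []
    rep_path, rep_out = trace(build_ipv4(TARGET_PUB, ROADWARRIOR, 6, b"SYN-ACK"), "target", nodes)
    return req_out, rep_out, rep_path


if __name__ == "__main__":
    for label, kw in (("private source", {}), ("masquerade", {"masquerade": True}),
                      ("tunnel", {"tunnel": True})):
        print(label, run(**kw))
```

Run as a script, the first scenario shows the request reaching the target but the reply dying on the backbone (no route for 192.168.121.251), the second shows the masqueraded request rejected by the filter in front of the target, and the third shows both directions delivered once the target encapsulates replies for 192.168.121.0/24 back toward vpn_gate, which is exactly the return path the reply above insists on.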


