[Openswan Users] DHCP/Any Traffic over an established VPN tunnel

Carlos Lopez the_spide21 at yahoo.com
Fri Oct 9 11:33:20 EDT 2009


Thanks Paul.

> You cannot really deal out 172.17.0.X that becomes the
> router for 172.17.0/24. It might work
> in some cases, but it's an unstable design to start from.

OK, I got your point here.



OK, then this is what I'll try to implement:

1- Build up the Linux Router (Corporate):

ISP IP= 1.2.3.4
LAN IP= 172.16.0.1/24

- The router will forward ports 500, 50 and 51 to the VPN server.
- Do some sort of routing on the ROUTER side to let traffic pass in both directions (172.17.1.x/24 [external users' PCs] from/to 172.16.0.1/24 [corporate LAN]).


2- Build up the DHCP and DNS server with Bind9:

LAN IP= 172.16.0.2
IP POOLS corporate LAN= 172.16.0.10 - 172.16.0.254
IP POOLS ExternalUsers= 172.17.1.3 - 172.17.1.254 (Via VPN)


3- Build up the email server with Qmail or any other software:

LAN IP= 172.16.0.3

4- Build up the web server with Apache:

LAN IP = 172.16.0.4

5- Build up the VPN server with Openswan:

LAN IP= 172.16.0.5
IP POOL = 172.17.0.2-254 (These are the IPs that Linksys or Dlink device will get after a successful authentication occurs)

then: 

- Configure Openswan to do NAT to NAT traffic (I think).

- Do some sort of routing on the VPN side, so it will let traffic pass in both directions (172.17.1.x/24 from/to 172.16.0.1/24).

- Install a DHCP relay from ISC.org.

Then:

1- Configure the device (Linksys or Dlink) with:

ISP IP= 1.2.3.5
VPN SERVER IP = 1.2.3.4:VPNPORT
VPN ASSIGNED IP FROM POOL= 172.17.0.2 (if it authenticates successfully)
VPN SERVER KEY/PASS = "abcd"
NAT-T = ENABLED?

>> You could hand out 172.17.0.1 and tunnel 172.17.1.0/24 via this and hand that out locally. Note that this is using a subnet tunnel, not l2tp.

The question resides in this: how can I let users get their IPs from the corporate LAN's DHCP server (range 172.17.1.x/24)? Is it possible to do that?

Sorry for the dummy questions, I am totally new to VPN. But I am still reading and trying to understand it.

2- Plug a 24 port switch into the device (Linksys or Dlink) and from there the PC stations.

3- Try to ping from a corporate LAN PC (172.16.0.11) to an external user (172.17.1.11) and vice versa.

4- Do some more traffic, let's say VNC.

Carlos.
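The subnet tunnel Paul describes, written out as an added Openswan `ipsec.conf` example for the addresses in Carlos's plan (this is not from the original post or from Paul). It assumes the corporate Openswan box is 172.16.0.5 behind the router at 1.2.3.4, that the remote device at 1.2.3.5 is a second IPsec gateway whose LAN is 172.17.1.0/24 and hands out its own DHCP leases locally, that both sides use a pre-shared key, and that the identities `@corpvpn` and `@remote1` are chosen names, not values from the thread.

```ini
# /etc/ipsec.conf on the corporate Openswan server (172.16.0.5)
config setup
    # The server sits behind the 1.2.3.4 router, so NAT traversal is required.
    # Besides UDP 500 and ESP, the router must also forward UDP 4500 (NAT-T) here.
    nat_traversal=yes
    # Exclude the corporate LAN so a remote peer can never claim it as its own subnet.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!172.16.0.0/24

conn corp-to-remote1
    # Corporate side: private address behind NAT, so a name-based ID is mandatory
    # for the PSK lookup (IP-based lookup breaks once the packet is NATed).
    left=172.16.0.5
    leftid=@corpvpn
    leftsubnet=172.16.0.0/24
    leftnexthop=%defaultroute
    # Remote gateway with its own LAN; that LAN is tunnelled, not handed out from here.
    right=1.2.3.5
    rightid=@remote1
    rightsubnet=172.17.1.0/24
    # Pre-shared key authentication; restrict to a single peer rather than %any
    # so an unknown gateway cannot negotiate a tunnel into the corporate LAN.
    authby=secret
    pfs=yes
    auto=start

# /etc/ipsec.secrets (mode 0600, root only)
# Use a long random secret, never a short word like "abcd".
# @corpvpn @remote1 : PSK "REPLACE-WITH-A-LONG-RANDOM-SECRET"
```

With both LANs listed as `leftsubnet`/`rightsubnet`, the kernel policies created by this conn already allow 172.16.0.0/24 and 172.17.1.0/24 to reach each other, so no separate NAT of the tunnelled traffic is needed; only the two gateways need a route for the far subnet via the tunnel, which Openswan installs itself.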

