-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I just started using OpenVPN yesterday, after over a week of playing
with IPSEC, and so far it's been good to me. I'm having some trouble
that I can't figure out though, and I'm hoping someone more
knowledgeable here might tell me how to set things up, or that it's
impossible.

I have some external gateways that NAT for clients and some servers in a
NOC. I have those servers behind a VPN gateway machine, which NATs to
the servers. The gateway clients need to be able to access the servers
through the VPN. Sounds pretty basic, but now it gets fun!

The servers have the same network behind them, e.g. 10.0.0.0/8, and
serve arbitrary numbers of hosts; could be dozens to thousands, so this
network (which is NATed by the gateway) needs to remain independent, aka
NATed, as far as the VPN is concerned. But wait, there's more! Some
gateways are themselves NATed, with a gateway and other machines ahead
of them. Here is a rough diagram:

   (10.0.0.0/8)               (10.0.0.0/8)
         |                          |
+-----------------+       +----------------+
|    gatewayA     |       |    gatewayB    |
|   10.0.0.1/8    |       |   10.0.0.1/8   |
| 192.168.0.15/24 |       | 11.22.33.44/24 |
|    10.8.0.4     |       |    10.8.0.8    |
+-----------------+       +----------------+
         |                          |
+----------------+                  |
|   gatewayAA    |                  |
| 192.168.0.1/24 |                  |
| 66.77.88.99/24 |                  |
+----------------+                  |
         |                          |
     (( big spooky Internet, woooooo! ))
                      |
             +-----------------+
             | OpenVPN gateway |
             |    10.8.0.1     |
             |   10.2.0.1/24   |
             +-----------------+
                      |
               +-------------+
               |  server(s)  |
               | 10.2.0.x/24 |
               +-------------+

Note that the IPs aren't really accurate, but you can get the idea. I can
get the gateway machines to talk to the servers just fine; it's the
NATed clients that I can't get to work. Initially I had bad source
address errors from the 10/8 network, but I can't route to that (that I
know of) since there are multiple versions of them. I added NAT onto the
tun0 device, and still got the errors, from the external IP on the host
(e.g. 192.168.0.15 or 11.22.33.44 above). I tried adding a route command
for these but that seemed to break the VPN, I think because it broke
basic connectivity to it by redirecting things through the endpoint?
Anyway, I'm not sure if or how I can get this working.

This is all on FreeBSD, using ipfw and natd. The OpenVPN setup is pretty
much the default example config files with one route for the 10.2 server
network.

Thanks,
Josh

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)
iD8DBQFE02AaV/+PyAj2L+IRAjvuAJ9jQliMqtilwrsugj5pw4wf/RrEGwCdHiFM
CdTCDqv50ngW3cpPedPkU8s=
=KRsb
-----END PGP SIGNATURE-----
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
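The "bad source address" errors and the "multiple versions" of 10/8 in the post both come down to two rules that OpenVPN in server mode applies: a packet arriving from a client is only accepted if its source is that client's tunnel address or lies inside a subnet the server has associated with that client via iroute, and a given subnet can only be associated with one client. The script below is an added example, not code from the post or from the OpenVPN project; it models those two rules with the addresses from the diagram and assumes the tunnel subnet is 10.8.0.0/24 (the sample server config's default). It also flags the address-space overlaps in the diagram: both site LANs, the tunnel subnet and the server LAN all live inside 10.0.0.0/8.

```python
"""Added example (not from the post): model OpenVPN's per-client source
check and iroute uniqueness with the addresses from the diagram above."""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed inventory taken from the diagram (example values only).
TUNNEL_NET = ip_network("10.8.0.0/24")   # assumed: sample server config default
SERVER_LAN = ip_network("10.2.0.0/24")
SITES = {
    "gatewayA": {"tunnel_ip": "10.8.0.4", "lan": "10.0.0.0/8", "uplink": "192.168.0.15"},
    "gatewayB": {"tunnel_ip": "10.8.0.8", "lan": "10.0.0.0/8", "uplink": "11.22.33.44"},
}


def overlapping_pairs(named_networks):
    """Return sorted (name1, name2) pairs whose prefixes share address space."""
    nets = {name: ip_network(n) for name, n in named_networks.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def iroute_conflicts(iroutes_by_client):
    """Return subnets that more than one client claims via iroute.

    The server keys its internal routing table on the subnet, so one
    prefix cannot be delivered to two different clients."""
    seen = {}
    for client, routes in iroutes_by_client.items():
        for r in routes:
            seen.setdefault(ip_network(r), []).append(client)
    return {str(net): sorted(c) for net, c in seen.items() if len(c) > 1}


def source_accepted(client, src, iroutes=()):
    """Mimic the server-side check behind the 'bad source address' log line:
    accept only the client's own tunnel address or a source inside one of
    the iroute subnets assigned to that client."""
    src = ip_address(src)
    if src == ip_address(SITES[client]["tunnel_ip"]):
        return True
    return any(src in ip_network(r) for r in iroutes)


def sources_needing_nat(client, sources, iroutes=()):
    """Sources the gateway must SNAT to its tunnel address before sending
    them into tun0, because the server would otherwise drop them."""
    return [s for s in sources if not source_accepted(client, s, iroutes)]


if __name__ == "__main__":
    print("overlaps:", overlapping_pairs({
        "A-lan": SITES["gatewayA"]["lan"], "B-lan": SITES["gatewayB"]["lan"],
        "tunnel": str(TUNNEL_NET), "server-lan": str(SERVER_LAN)}))
    print("iroute conflicts:", iroute_conflicts(
        {"gatewayA": ["10.0.0.0/8"], "gatewayB": ["10.0.0.0/8"]}))
    for client in SITES:
        samples = [SITES[client]["tunnel_ip"], "10.0.0.5", SITES[client]["uplink"]]
        print(client, "must NAT:", sources_needing_nat(client, samples))
```

Run it and the two gateways each report that only their tunnel address passes; a LAN host (10.0.0.5) and the gateway's own uplink address (192.168.0.15 or 11.22.33.44) are both rejected, which matches the errors in the post after NAT on tun0 still left the uplink address as source. Giving both gateways an iroute for 10.0.0.0/8 is reported as a conflict, which is the "multiple versions" problem; the remaining option the model shows is to rewrite every source to the gateway's tunnel address before the packet enters tun0. The overlap list is worth keeping in mind separately: 10.8.0.0/24 and 10.2.0.0/24 are both inside the sites' 10.0.0.0/8, so reaching them from a site relies on longest-prefix match beating the /8 LAN route.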