 Post subject: Zerina and IPCOP VPN - communication across subnets
PostPosted: 02.10.2009 14:49 
DES

Joined: 02.10.2009 14:27
Posts: 3
Hi,

We have two offices, each connected together using the standard IPCOP (v1.4.21) VPN net2net connection. This has been working fine for years.

Each office also runs the zerina extension (v0.9.5b) for home office use, which has also been fine.

At the moment home workers have to log in to one of the two offices; unfortunately, when they do this they can't access the network of the other office (only the one they have logged in to).

I've tried pushing both office subnets to clients but this doesn't appear to be sufficient to create the connection. I'm sure there is a simple routing solution to fix this, but my networking skills aren't up to the task.

Can anyone help with this?


 Post subject: Re: Zerina and IPCOP VPN - communication across subnets
PostPosted: 02.10.2009 17:38 
Profi

Joined: 23.10.2007 12:10
Posts: 2183
Do both networks know the routes back home?
I do not know why, but here the problems "switched off". I simply added
2 routes for the far network (local net and VPN net).

The way here at the moment:

home -> VPN-gate1 -> "local_office1" -> VPN-gate2 -> -- net2net-tunnel -- <- vpn_gate3 -> office_net2 -> testserver

I can reach my "local_office1" also if I use the roadwarrior gate at vpn_gate3.

In short, all servers at local_office1 have 2 additional routes (net-2-net tunnel and office_net2);
servers on office_net2 also have 2 additional routes (net-2-net tunnel and local_office1 network).
local_net2 is also known as routing info on each vpn-gate.

I am not sure about "overkill" ... it was quick and dirty, working, and the nets have been made only for testing purposes here. Maybe in spring 2010 real people will work on it.
Today I use only a simple ADSL (700..800 kbit/s upload) infrastructure; routers are "powered" by ALIX boards.

F.


 Post subject: Re: Zerina and IPCOP VPN - communication across subnets
PostPosted: 03.10.2009 07:20 
DES

Joined: 02.10.2009 14:27
Posts: 3
Hi,

Many thanks for your reply - this is what I was trying to do but clearly getting it wrong. If I'm clearer about how our routing is currently set up, can you walk me through what you did to make it work?

The networks look like this:

OfficeNet1 (192.168.500.0)
|
(192.168.500.250 - eth0)
IPCOP1 <-> ZerinaVPN1 (10.72.180.0 - tun0)
(xx.xx.xx.xx - eth1)
|
(xx.xx.xx.yy)
ADSLRouter1
(zz.zz.zz.zz)
|
INTERNET (VPN Tunnel using ipsec0 from xx.xx.xx.xx to aa.aa.aa.aa)
|
(cc.cc.cc.cc)
ADSLRouter2
(aa.aa.aa.bb)
|
(aa.aa.aa.aa - eth1)
IPCOP2 <-> ZerinaVPN2 (10.72.181.0 - tun0)
(192.168.600.250 -eth0)
|
OfficeNet2 (192.168.600.0)

where xx.xx.xx.xx etc are Internet static IP addresses

My routing tables on IPCOP1 (for example) look like this - note that this box acts as the gateway for everything in OfficeNet1:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.72.180.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
xx.xx.xx.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
xx.xx.xx.0      0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
10.72.180.0     10.72.180.2     255.255.255.0   UG    0      0        0 tun0
192.168.500.0   xx.xx.xx.yy     255.255.255.0   UG    0      0        0 ipsec0
192.168.600.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         xx.xx.xx.yy     0.0.0.0         UG    0      0        0 eth1


Note that the IPCOP1 external address (xx.xx.xx.xx) isn't used directly in this table, although the very small subnet it is on as part of our Office1 static IP allocation is. This is the default setup for the IPCOP box.

All help gratefully received.


 Post subject: Re: Zerina and IPCOP VPN - communication across subnets
PostPosted: 03.10.2009 10:14 
Profi

Joined: 23.10.2007 12:10
Posts: 2183
rockgatherer wrote:
Hi,

Many thanks for your reply - this is what I was trying to do but clearly getting it wrong. If I'm clearer about how our routing is currently set up, can you walk me through what you did to make it work?

The networks look like this:

OfficeNet1 (192.168.500.0)

192.168.500 ??? it is nearly impossible to code 500 in 8 bits ;-)

Quote:
|
(192.168.500.250 - eth0)
IPCOP1 <-> ZerinaVPN1 (10.72.180.0 - tun0)
(xx.xx.xx.xx - eth1)
|
(xx.xx.xx.yy)
ADSLRouter1
(zz.zz.zz.zz)
|
INTERNET (VPN Tunnel using ipsec0 from xx.xx.xx.xx to aa.aa.aa.aa)
|
(cc.cc.cc.cc)
ADSLRouter2
(aa.aa.aa.bb)
|
(aa.aa.aa.aa - eth1)
IPCOP2 <-> ZerinaVPN2 (10.72.181.0 - tun0)
(192.168.600.250 -eth0)
|
OfficeNet2 (192.168.600.0)

same problem ... 600 with 8 bits ...
Quote:
where xx.xx.xx.xx etc are Internet static IP addresses

My routing tables on IPCOP1 (for example) look like this - note that this box acts as the gateway for everything in OfficeNet1:

Code:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.72.180.2     0.0.0.0         255.255.255.255 UH    0      0        0 tun0
xx.xx.xx.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
xx.xx.xx.0      0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
10.72.180.0     10.72.180.2     255.255.255.0   UG    0      0        0 tun0
192.168.500.0   xx.xx.xx.yy     255.255.255.0   UG    0      0        0 ipsec0
192.168.600.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         xx.xx.xx.yy     0.0.0.0         UG    0      0        0 eth1


Note that the IPCOP1 external address (xx.xx.xx.xx) isn't used directly in this table, although the very small subnet it is on as part of our Office1 static IP allocation is. This is the default setup for the IPCOP box.

All help gratefully received.

tun0 and ipsec0

The same tunnel device, or do you have different tunnels??

F.


 Post subject: Re: Zerina and IPCOP VPN - communication across subnets
PostPosted: 03.10.2009 11:42 
DES

Joined: 02.10.2009 14:27
Posts: 3
Sorry, typos

192.168.500.0 and 192.168.600.0 should read 192.168.050.0 and 192.168.060.0 respectively in all cases. I tried to do some simplification of our rather more complex system, but did it too quickly.

Regarding the tunnels, as I said in my first post each IPCOP box has an OpenVPN (Zerina) server used for roadwarrior users (tun interfaces), but the IPCOP boxes link with each other for a net2net connection using the standard IPCOP VPN ipsec interfaces. The problem is that users logged in via the Zerina (tun) interfaces, while able to see the local network associated with their IPCOP box, can't see across the net2net (ipsec) connection to the other office.


 Post subject: Re: Zerina and IPCOP VPN - communication across subnets
PostPosted: 03.10.2009 18:09 
Profi

Joined: 23.10.2007 12:10
Posts: 2183
Yes, they can!
Missing data (?).
For example
Code:
home -> VPN-gate1 -> "local_office1" -> VPN-gate2 -> -- net2net-tunnel -- <- vpn_gate3 -> office_net2 -> testserver


In this example VPN-Gate1
has (additional) route settings:
net-2-net tunnel (VPN)
office net2

vpn-gate2 has (additional) route settings:
vpn_gate1 (vpn)

vpn-gate3
has (additional) route VPN_gate1 (VPN)

Machine "home" will be reached only by its VPN address.

And - no, my VPN-gates are not "standard gateways", that's why they all have those routing entries.

I use here a
Code:
 route add -net  xxx/24 dev yyy

xxx = network; yyy = device like eth0, tun1, etc.

Try with traceroute! It works (and all my samba servers and mail servers needed additional entries for which networks to serve...).

F.
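
An added example, not from this thread or from IPCop/Zerina: a small Python model of the asker's topology (corrected subnets 192.168.50.0/24 and 192.168.60.0/24, Zerina pool 10.72.180.0/24; the server address 192.168.60.10 and the gateway addresses are constructed) that traces the forward and the return path of a roadwarrior connection and shows why the far gateway needs the return route the respondent describes. It treats the IPsec net2net tunnel as a plain hop; on IPCop's policy-based IPsec the net2net connection's subnet definitions must also cover the roadwarrior pool, otherwise the tunnel will not carry that traffic even with the route in place.

```python
from ipaddress import ip_address, ip_network

# Who owns which addresses; delivery ends when the current node owns dst.
ADDRS = {"roadwarrior": {"10.72.180.2"}, "server2": {"192.168.60.10"},
         "IPCOP1": {"192.168.50.250", "10.72.180.1"},
         "IPCOP2": {"192.168.60.250", "10.72.181.1"}}
# Routing tables as (prefix, next-hop node).  A destination with no match is
# what the default route towards the Internet would swallow in real life.
TABLES = {
    "roadwarrior": [("10.72.180.0/24", "IPCOP1"),   # tun0
                    ("192.168.50.0/24", "IPCOP1"),  # pushed by Zerina
                    ("192.168.60.0/24", "IPCOP1")], # pushed by Zerina
    "IPCOP1": [("10.72.180.0/24", "roadwarrior"),   # tun0
               ("192.168.60.0/24", "IPCOP2")],      # ipsec0 net2net
    "IPCOP2": [("192.168.60.0/24", "server2"),      # eth0, on-link
               ("192.168.50.0/24", "IPCOP1")],      # ipsec0 net2net
    "server2": [("0.0.0.0/0", "IPCOP2")],           # IPCOP2 is its gateway
}
def owner(addr):
    return next(n for n, a in ADDRS.items() if addr in a)

def lookup(table, dst):
    """Longest-prefix match; returns the next-hop node or None."""
    dst, best = ip_address(dst), None
    for prefix, hop in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(tables, node, dst):
    """Hop-by-hop path from node to the owner of dst, or None when a hop has
    no route (the packet leaks to the default gateway) or the path loops."""
    path = [node]
    while dst not in ADDRS[node]:
        node = lookup(tables[node], dst)
        if node is None or node in path:
            return None
        path.append(node)
    return path

def round_trip(tables, client, server):
    """(forward path, return path); the connection works only if both exist."""
    return trace(tables, owner(client), server), trace(tables, owner(server), client)

# Before the fix: the forward path exists but IPCOP2 cannot route the reply -> (path, None).
BROKEN = round_trip(TABLES, "10.72.180.2", "192.168.60.10")
# After the fix: IPCOP2 learns 10.72.180.0/24 via the tunnel (the respondent's route add -net pattern).
FIXED_TABLES = {**TABLES, "IPCOP2": TABLES["IPCOP2"] + [("10.72.180.0/24", "IPCOP1")]}
FIXED = round_trip(FIXED_TABLES, "10.72.180.2", "192.168.60.10")
```

The same model shows the respondent's other point: a server whose default gateway is not the VPN gate (here, server2 with an empty table) also loses the reply unless it gets its own route.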

