[clug] routing advice needed

Michael Manning michael at catman.homelinux.org
Wed Dec 3 09:59:22 GMT 2003


The only reason that I could see any advantage of trying to route some
packets through a VPN, even when they are not destined for a VPN IP,
would be to make them appear as being in the VPN subnet to the receiving
network.  This would/could create security issues for anyone that can
obtain an IP in the "second" internal subnet and allow them access to
anything using the VPN.

Maybe you would be better off using some PREROUTING and POSTROUTING rules
for your internal subnet that redirect packets based on the origin IP or
origin interface, but that still raises some security doubts?

Still seems like a recipe for days' worth of troubleshooting should
anything go astray.

On Wed, 2003-12-03 at 20:34, Kim Holburn wrote:

> At 8:25 PM +1100 2003/12/03, Michael Manning wrote:
> 
> > I don't understand why you would want to route a packet destined for
> > your VPN back out to the internet.  Most times you would not be
> > using internet-routable IPs in your VPN subnet anyway (unless you
> > had one real IP that was owned by the VPN server). Wouldn't you want
> > the packet addressed to the VPN (4.4.4.0/24) to be routed somewhere
> > in the VPN subnet?
> 
> 
> 
> All the IPs here are "real".  I want one internal subnet to connect to
> the remote subnet through the VPN as a peer and the other to see the
> remote subnet from the outside.  It's not that unusual is it?
> 
> 
> > Are you trying to establish some sort of VPN (using GRE IP
> > tunneling?) that is using a real world IP?
> 
> 
> 
> Yes. (only not GRE)
> 
> 
> > I may be a little confused as to the outcomes you are trying to
> > achieve. Could you elaborate a bit?
> > 
> > On Wed, 2003-12-03 at 20:02, Kim Holburn wrote:
> > 
> > > For you router guys out there I need some advice.
> > > 
> > > I have a machine with 3 interfaces.
> > > 
> > > eth0 -> 1.1.1.0/26 -> 1.1.1.1 -> internet
> > > 
> > > eth1 -> 2.2.2.0/24 -> 2.2.2.0/24
> > >                    -> 2.2.2.2 -> VPN to 4.4.4.0/24
> > > 
> > > eth2 -> 3.3.3.0/24 -> internal net
> > > 
> > > 
> > > default route is -> eth0 1.1.1.1
> > > 
> > > if I have a packet from eth2 to the special subnet 4.4.4.0/24 I
> > > want it to go via a gateway on eth1 2.2.2.2 (say a VPN) but
> > > 
> > > if I have a packet from eth1 to 4.4.4.0/24 I want it to go via the
> > > default route (eth0).
> > > 
> > > I use the command:
> > > ip route 4.4.4.0/24 via 2.2.2.2 from 3.3.3.0/24
> > > 
> > > but what I get is the same as if I ran:
> > > 
> > > ip route 4.4.4.0/24 via 2.2.2.2
> > > 
> > > Anyone have an idea how to do that?
> > 
> > 
> > 
> > --
> > 
> > Michael Manning
> > Red Hat Certified Engineer
> > 
> > Email: michael at catman.homelinux.org
> 
> --
> Kim Holburn 
> Network Consultant - Telecommunications Engineering
> Research School of Information Sciences and Engineering
> Australian National University - Ph: +61 2 61258620 M: +61 0417820641
> Email: kim.holburn at anu.edu.au  - PGP Public Key on request
> 
> Life is complex - It has real and imaginary parts.
>      Andrea Leistra (rec.arts.sf.written.Robert-jordan)

Michael Manning
Red Hat Certified Engineer

Mail: michael at catman.homelinux.org
Web: https://catman.homelinux.org
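Editor's note on the actual question in the thread. What Kim observed is the expected IPv4 behaviour: a "from" qualifier on an "ip route" entry is not honoured for IPv4 (it is an IPv6 feature), so the route ends up in the main table unqualified and applies to every source. Per-source steering on Linux is done with policy routing: an "ip rule" selects a separate table for packets from 3.3.3.0/24 (or arriving on eth2), and only that table carries the 4.4.4.0/24-via-2.2.2.2 route; the main table keeps sending 4.4.4.0/24 out the default route. The model below is an added example written for this page, not code from the thread or from iproute2. It implements the routing policy database lookup (priority-ordered rules, longest-prefix match inside the selected table, fall-through when a table has no match) and applies it to Kim's three-interface layout, so the "naive" single-table setup and the rule-based setup can be compared on the same packets. Table name "vpn" and priority 100 are assumptions; the host addresses used as sample packets are constructed.

```python
# Added example, not from the thread: a small model of the Linux routing
# policy database (RPDB) applied to the eth0/eth1/eth2 layout in Kim's mail.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    via: Optional[str]        # next hop, or None when directly connected
    dev: str


@dataclass(frozen=True)
class Rule:
    prio: int                 # lower number is consulted first, as in ip rule
    table: str
    src: Optional[ipaddress.IPv4Network] = None   # "from" selector
    iif: Optional[str] = None                     # "iif" selector


class Rpdb:
    """Rules in priority order pick a table; the table is searched by longest
    prefix match; a table with no matching route falls through to the next rule."""

    def __init__(self):
        self.rules = []
        self.tables = {}

    def add_route(self, table, dst, via, dev):
        self.tables.setdefault(table, []).append(
            Route(ipaddress.ip_network(dst), via, dev))

    def add_rule(self, prio, table, src=None, iif=None):
        self.rules.append(Rule(prio, table,
                               ipaddress.ip_network(src) if src else None, iif))
        self.rules.sort(key=lambda r: r.prio)

    def lookup(self, src, dst, iif=None):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.src is not None and src not in rule.src:
                continue
            if rule.iif is not None and iif != rule.iif:
                continue
            candidates = [r for r in self.tables.get(rule.table, []) if dst in r.dst]
            if candidates:
                return max(candidates, key=lambda r: r.dst.prefixlen)
        return None


def base_tables(rpdb):
    """Connected networks from the mail plus the default route via 1.1.1.1."""
    rpdb.add_route("main", "1.1.1.0/26", None, "eth0")
    rpdb.add_route("main", "2.2.2.0/24", None, "eth1")
    rpdb.add_route("main", "3.3.3.0/24", None, "eth2")
    rpdb.add_route("main", "0.0.0.0/0", "1.1.1.1", "eth0")
    rpdb.add_rule(32766, "main")          # the default "lookup main" rule


def naive_config():
    """What 'ip route 4.4.4.0/24 via 2.2.2.2 from 3.3.3.0/24' amounts to on
    IPv4: the 'from' is not honoured, so the route lands in main unqualified."""
    rpdb = Rpdb()
    base_tables(rpdb)
    rpdb.add_route("main", "4.4.4.0/24", "2.2.2.2", "eth1")
    return rpdb


def policy_config():
    """Per-source steering: a separate table ("vpn", an assumed name) holding
    only the VPN route, selected by a rule that fires before main."""
    rpdb = Rpdb()
    base_tables(rpdb)
    rpdb.add_route("vpn", "4.4.4.0/24", "2.2.2.2", "eth1")
    rpdb.add_rule(100, "vpn", src="3.3.3.0/24")
    return rpdb


def next_hop(rpdb, src, dst, iif=None):
    """(next hop or 'connected', egress device) for a packet, or None."""
    r = rpdb.lookup(src, dst, iif)
    return (r.via or "connected", r.dev) if r else None


# The real commands that policy_config() models (table id 100 is an assumption).
IP_COMMANDS = [
    "ip route add 4.4.4.0/24 via 2.2.2.2 dev eth1 table 100",
    "ip rule add from 3.3.3.0/24 lookup 100 priority 100",
    "ip route flush cache",
]

if __name__ == "__main__":
    for cfg in (naive_config, policy_config):
        print(cfg.__name__, "from eth2:", next_hop(cfg(), "3.3.3.10", "4.4.4.5"),
              "from eth1:", next_hop(cfg(), "2.2.2.50", "4.4.4.5"))
```

With the naive setup both sources reach 4.4.4.0/24 via 2.2.2.2, which is exactly the "same as if I ran ip route 4.4.4.0/24 via 2.2.2.2" result; with the rule-selected table only 3.3.3.0/24 goes through the VPN gateway and 2.2.2.0/24 takes the default route. Traffic from 3.3.3.0/24 to any other destination falls through the "vpn" table into main. "ip rule add iif eth2 to 4.4.4.0/24 lookup 100" is the interface-keyed equivalent if the selection should follow the ingress interface rather than the source prefix. Because replies now take asymmetric paths, check the rp_filter sysctl on eth1 and eth0 if return traffic is silently dropped after the change.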