[ILUG] VPN, ADSL modem - what goes where?

Ronan Cunniffe ronan at iaa.es
Tue Aug 1 17:16:59 IST 2006


info at kennedysoftware.ie wrote:
> Hello,
>
> Trying to configure a VPN tunnel between 2 SuSE (SLES) servers, eth1 
> in both cases, across ADSL from eircom. It works OK if we have an 
> external router/modem box between eth1 and the eircom line. When we 
> replace the external box with an ADSL MODEM, and re-config the servers 
> as "Routers" (etc?), seems everything still works OK, but we hit VPN 
> config issues... The initial "Hi There" packet from the Client never 
> arrives at the VPN server...
>
> Servers:
> - eth0 is internal local LAN
> - eth1 connected to an ADSL "Modem" (eircom)
> - PPPoE, with static IP, from eircom
> - Firewall (SuSEFirewall2) running on eth1
> - "Routes" show ppp0, etc
>
> Conceptually, does anyone know which bit links to which bit in this 
> setup: ppp0, dsl0, eth1, firewall... Ie, from inside, are we talking 
> to ppp0, which hooks to eth1, etc... or....
>
> I hope the presence of the Firewall should be insignificant, in that 
> we can, theoretically, run it or not, without having to change any 
> other "configs". Put another way... in the IPSEC file, do we set LEFT 
> to "eth1", or to an address we assign to eth1, or to the static IP 
> from eircom (also assigned to eth1)... or to ppp0... whew!!
>
> In the IPSEC file, we've been fiddling with 
> interfaces="ipsec0=eth1/ppp0", left=, leftsubnet=, leftnexthop=, NAT, 
> etc, but we're now only digging a bigger hole!!
>
> Very many thanks for any suggestions or pointers.

OpenVPN?

IPSEC is the all-powerful conquering VPN solution.  OpenVPN only does 
point-to-point tunnels, uses ordinary ssh keys, and is vastly simpler.

As to what goes where....

I think you have two problems: PPPoE and the VPN, and are getting them 
mixed up to some extent.

I'll suggest:

Step 1: Forget about VPN.
Step 2: get ADSL working.
Step 3: Get the firewall working exactly as you want.
Step 4: Configure OpenVPN.
Step 5: Change the routing tables so that traffic to the remote network 
(but not the VPN endpoint itself....!) is sent via the new "tun0" 
encrypting interfaces that OpenVPN has created, instead of out over the 
working DSL link.
Step 6: Modify the firewall rules to allow the OpenVPN traffic

There are good manuals and worked examples for OpenVPN online, but you 
might still puzzle for a while before the light dawns.  Hint:  OpenVPN 
does *not* handle the question of where-do-I-send-my-packets.  Your 
ordinary routing table does this, and probably what is puzzling you 
about OpenVPN's configuration is best understood by asking "how is the 
routing going to work?"

Regards,

Ronan
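The Step 5 routing point above, worked through as an added example (not part of Ronan's mail or of OpenVPN): a longest-prefix-match lookup over a constructed routing table shows why the remote LAN must go via tun0 while the peer's own address must keep going via ppp0. All addresses are made up (RFC 5737 documentation ranges on the public side); the interface names are the ones from the thread.

```python
import ipaddress

# Constructed addresses; none of them come from the original post.
LOCAL_LAN = "192.168.1.0/24"      # this site's eth0
REMOTE_LAN = "192.168.2.0/24"     # the other site's eth0, reached via the tunnel
REMOTE_ENDPOINT = "203.0.113.20"  # the peer's static eircom IP (its ppp0)

def lookup(routes, dst):
    """Longest-prefix match over (prefix, interface) pairs, as the kernel does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def tunnel_loops(routes, endpoint):
    """True if OpenVPN's own encrypted UDP packets to the peer would be routed
    back into tun0: the tunnel would then carry itself and never come up."""
    return lookup(routes, endpoint) == "tun0"

# Step 5 done as the mail describes: only the remote LAN goes via tun0,
# everything else (including the peer's public address) stays on the DSL link.
ROUTES_STEP5 = [
    ("0.0.0.0/0", "ppp0"),
    (LOCAL_LAN, "eth0"),
    (REMOTE_LAN, "tun0"),
]

# The mistake the mail warns against: pushing all traffic into the tunnel
# without excluding the VPN endpoint itself.
ROUTES_LOOPED = [
    ("0.0.0.0/0", "tun0"),
    (LOCAL_LAN, "eth0"),
]

# Repair for that case: a /32 host route for the peer via ppp0 beats the
# default route on prefix length, so the encrypted packets leave over DSL.
ROUTES_FIXED = ROUTES_LOOPED + [(REMOTE_ENDPOINT + "/32", "ppp0")]

if __name__ == "__main__":
    for name, table in (("step5", ROUTES_STEP5), ("looped", ROUTES_LOOPED),
                        ("fixed", ROUTES_FIXED)):
        print(f"{name:7s} remote host -> {lookup(table, '192.168.2.7')}"
              f" | peer -> {lookup(table, REMOTE_ENDPOINT)}"
              f" | tunnel loops: {tunnel_loops(table, REMOTE_ENDPOINT)}")
```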
