192.168.100.0/24 and 192.168.101.0/24), and creating explicit routes in the gateway servers (gateway-A and gateway-B) that route traffic for the remote network through the VPN. I suggest putting the VPN servers on separate networks from the clients (e.g. Ping traffic is fine, because it goes out unencrypted, and comes back encrypted, but subsequent sent packets are identical to the first, so they are treated the same, as compared to a TCP connection which requires significant bidirectional communication even to get set up. Thus, as far as gateway-A is concerned, the connection between A and B is never set up, and further traffic from client A to client B on that connection is blocked. This means that gateway-A will never see the TCP SYN-ACK from client B. Since the VPN server A is on the same network as client A, any packet routed over the VPN will be delivered directly to client A, and NOT through gateway-A. In the diagram provided, it appears that traffic from client A to client B is routed over the interconnecting network directly (unencrypted) (because client A's gateway is gateway-A) and traffic from client B to client A is routed over the VPN (because client B's gateway is vpn-server-B). I've no info on / experience with the firewall or VPN you're using, so more detail is hard to offer. It suggests that either there is a routing problem (more info below), or a config problem with the firewall. This suggests to me that the connection tracking on the firewall isn't working as you might expect. Subsequent TCP ACK (handshake step 3): Blocked.Server TCP SYN-ACK (handshake step 2): Missing?.Initial TCP SYN (handshake step 1): Permited.The incoming request to access 192.168.1.0/24 at gateway-A should be just redirected to vpn-server-A. Probably an additional NAT is required but I do not understand why. As the last comment in the post linked above one should check the firewall. The problem seems to be that the gateway-A does not redirect correctly the traffic to the vpn-server-A. I set up the following in firewall builder.Ĭlient-A can ping successfully client-B but no http(s) conection can be established. I use firewall builder in order to configure the firewall and routing rules. So gateway-A should forward the traffic for 192.168.1.0/24 to vpn-server-A. Therefore, client-A sets gateway-A as its default gateway. Let us assume that client-B has vpn-server-B as its gateway.Ĭlient-A can access the webserver on client-B, if client-A uses vpn-server-A as its gateway.īut client-A also wants to access the internet via the gateway. The client-A wants to access client-B, for instance a webserver is hosted on client-B.įor simplicity I want to focus on site-A only. My question is about the correct routing / iptable settings for the following network topology, which includes a site-to-site VPN between site-A and site-B. The question is very similar to the one posted here:
0 Comments
Leave a Reply. |