DaemonForums  

#1
Old 25th September 2008
docrice
New User
 
Join Date: Sep 2008
Posts: 3
Thanked 0 Times in 0 Posts
Routing between site-to-site tunnels

I set up a few site-to-site tunnels between a main office and two branches using the instructions at OpenBSDsupport. It was relatively easy with hosts in the main office able to ping hosts in either branch. Hosts in either branch office can ping hosts in the main office.

The problem comes into play where hosts in one branch office want to ping a host in the other branch office. Right now, the tunnels are from branch office to main office, but not between the branches (this is what I prefer). I updated pf.conf at the main office site, but I don't think this is the problem. If I do a traceroute from one branch to the other, it's going out directly through the Internet, not through the tunnel. I tried adding a route, but I'm only guessing at the syntax. The branch office subnets are 192.168.201.0/24 and 192.168.202.0/24, so I tried something like:

sudo route add -encap 192.168.201.0/24 -interface enc0

or variations on this theme. Can anyone point me in the right direction? As a last resort, I can always set up a tunnel between the branches, but I'd rather route everything through the main office for now, even though that's a single point of failure.
#2
Old 25th September 2008
DutchDaemon
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts

It looks to me like you'd have to set your main office server to be the gateway for the LAN on the other side, so 201 should route traffic destined for 202 to the main office, and 202 should route traffic destined for 201 to the main office. The main office server knows where both networks are, so it is capable of routing traffic between them (assuming IP forwarding is on already).

In pseudo code:

201: route add 202/24 main-office-ip
202: route add 201/24 main-office-ip

P.S.: the main office server knows where both networks are, your local NIC does not. Therefore that traffic just gets routed via the default gateway, which is its internet connection.

Last edited by DutchDaemon; 25th September 2008 at 11:45 PM.
#3
Old 25th September 2008
docrice
New User
 
Join Date: Sep 2008
Posts: 3
Thanked 0 Times in 0 Posts

So if my main office gateway had two interfaces with its internal IP being 10.1.1.254 (this is a /24 as well), do I:

(on branch 1 gateway)
sudo route add -net 192.168.202.0/24 10.1.1.254

(on branch 2 gateway)
sudo route add -net 192.168.201.0/24 10.1.1.254

I'm not sure if this works, so perhaps my syntax is off.
#4
Old 26th September 2008
ocicat
Administrator
 
Join Date: Apr 2008
Posts: 2,902
Thanked 190 Times in 160 Posts

Quote:
Originally Posted by docrice
Can anyone point me in the right direction?
Many of your questions are answered in the route(8) manpage.
#5
Old 26th September 2008
docrice
New User
 
Join Date: Sep 2008
Posts: 3
Thanked 0 Times in 0 Posts

I've been through the man page already, although I seem to be missing something (or more likely, I'm just not "getting" something).
#6
Old 26th September 2008
DutchDaemon
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 337
Thanked 32 Times in 30 Posts

You can only use a gateway when it's on a directly connected network (i.e. a network that your NIC knows about). I'm assuming your main office server has an IP address on both the 201 and the 202 LANs?
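The two rules the thread turns on (post #2: each branch sends the other branch's subnet to the main office; post #6: a gateway can only be used when it is on a directly connected network) modelled in a small Python script. This is an added example, not code from the thread or from OpenBSD; the interface names, the WAN /29 addresses, the gif0 point-to-point tunnel addresses and the list of main-office addresses are constructed assumptions. Only the branch LANs and 10.1.1.254 come from the posts.

```python
import ipaddress


def connected_networks(interfaces):
    """interfaces: {ifname: 'address/prefixlen'} for one host.
    Returns [(ifname, network)] for every directly attached network."""
    return [(name, ipaddress.ip_interface(cidr).network)
            for name, cidr in interfaces.items()]


def check_route(interfaces, destination, gateway):
    """Model the kernel's acceptance test for `route add -net DEST GATEWAY`:
    the gateway has to sit on a network this host is directly attached to
    (the point made in post #6).  Returns (accepted, reason)."""
    gw = ipaddress.ip_address(gateway)
    ipaddress.ip_network(destination, strict=False)  # reject malformed DEST early
    for name, net in connected_networks(interfaces):
        if gw in net:
            return True, f"{gateway} is on {name} ({net}); route accepted"
    return False, f"{gateway} is on no directly connected network; route add fails"


def plan_spoke_routes(spokes, hub_addrs):
    """Apply post #2's rule to a hub-and-spoke layout: each branch (spoke)
    sends every other branch's LAN to the main office (hub).  For each spoke
    pick the first hub address that check_route() would accept as a gateway;
    if none qualifies, record that a plain route cannot express it."""
    plan = {}
    for name, spoke in spokes.items():
        commands = []
        for other, other_spoke in spokes.items():
            if other == name:
                continue
            nexthop = next((h for h in hub_addrs
                            if check_route(spoke["interfaces"], other_spoke["lan"], h)[0]),
                           None)
            if nexthop is None:
                commands.append(f"# {other_spoke['lan']}: no hub address on a connected "
                                "network; a routing-table entry cannot reach it")
            else:
                commands.append(f"route add -net {other_spoke['lan']} {nexthop}")
        plan[name] = commands
    return plan


# Constructed topology (hypothetical addresses except the two branch LANs and
# 10.1.1.254, which come from the thread).  em1 is the Internet-facing NIC;
# gif0 is an assumed point-to-point tunnel interface towards the main office.
SPOKES = {
    "branch1": {"lan": "192.168.201.0/24",
                "interfaces": {"em0": "192.168.201.1/24",
                               "em1": "203.0.113.10/29",
                               "gif0": "10.255.0.2/30"}},
    "branch2": {"lan": "192.168.202.0/24",
                "interfaces": {"em0": "192.168.202.1/24",
                               "em1": "198.51.100.10/29",
                               "gif0": "10.255.1.2/30"}},
}
# Addresses owned by the main office gateway: its LAN address from post #3 and
# the assumed tunnel endpoints facing branch1 and branch2.
HUB_ADDRS = ["10.1.1.254", "10.255.0.1", "10.255.1.1"]


if __name__ == "__main__":
    # The command proposed in post #3, issued on the branch 1 gateway:
    print(check_route(SPOKES["branch1"]["interfaces"], "192.168.202.0/24", "10.1.1.254"))
    for spoke, commands in plan_spoke_routes(SPOKES, HUB_ADDRS).items():
        print(spoke)
        for cmd in commands:
            print("   ", cmd)
```

The first call reproduces why the command in post #3 is rejected on a branch gateway: 10.1.1.254 is on the main office LAN, which the branch's NICs are not attached to. The planner then emits the routes post #2 describes, but only once the main office owns an address on a network the branch is directly connected to (here the assumed gif0 tunnel link). The model covers the routing table only; whether the tunnel then carries that traffic is decided separately.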