multiplexing traffic
Hi,
I have a routing problem I can't figure out how to solve, here is what I wish to have: There are two routers, one running OpenBSD and the other one running Linux, the networks represented on this graph are physical sites of a given company, the two on top belong to company1 and the two at the bottom to company2. My problem is how to link those sites together while keeping each company separated from the other, given that both companies can use the same network addresses as they wish (for example 192.168.0.0/24 may be used here by both sites on the right). The problem gets a little more complicated since we have limited control over the Linux router and the technologies we have available are restricted, we have ipip but not ipsec for example. How is this problem usually solved? I suppose I am not the first one to try something like that. I am interested to hear your solution even between two OpenBSD. Edit: I also have access to gre tunnels which can have a key field to allow multiple tunnels with the same src/dst, sadly the key field is not implemented under OpenBSD... Last edited by schmurfy; 21st March 2012 at 01:34 PM. Reason: added gre
The typical solution to joining networks is to use a VPN, and if complete freedom of IP addressing is required a VPN with NAT is required. (This example of a NAT/IPSec solution from the OpenBSD Journal describes the issue and one way of resolving it.)
As you have described your problem, I understand you have these constraints:
But that doesn't solve the problem, and pointing out to your partner that IPSec has been available for many many years on Linux systems may only strain your new relationship. And, due to the NAT requirement, having their "technician" suddenly say yes to IPSec may not solve the problem -- there might be differences in IPSec/NAT implementations between their Linux and OpenBSD that limit integration. My second thought is just to hand them an OpenBSD router for use at the partner company, and ask them to route traffic destined for your network(s) through it. There are a number of possible topologies, including a separate ISP connection, placement between the Linux router and the ISP, or sharing the subnet between their router and their ISP. If no physical investment can be made in linking your organizations together, and if IPSec is a non-starter for ... um ... political reasons, you and they must look for other possible solutions. Here are one or two VPN solutions that might work: OpenSSH should be available on that Linux platform and it is part of OpenBSD. VPNs may be configured with "ssh -w". I've never tried to configure it with NAT at both ends, however, and if this is of interest, I recommend setting up a small laboratory to experiment. (Hint: virtual machines might be used.) Last edited by jggimi; 21st March 2012 at 05:14 PM. Reason: two typos, clarity
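As an added illustration (not code from the thread or any of its participants), here is a pf.conf sketch of the VPN-with-NAT arrangement described above on the OpenBSD router, using 1:1 translation per tunnel so that two overlapping 192.168.0.0/24 sites can talk, and packet tags so that each company's traffic can never leave through the other company's interfaces. It assumes em1/em2 are the local company LANs, tun0/tun1 are two "ssh -w" tunnels (one per company) to the Linux router, and that the Linux side maps its own 192.168.0.0/24 sites to 10.10.2.0/24 and 10.20.2.0/24 for its end of each tunnel; all addresses and interface names are constructed for the example.

```conf
# /etc/pf.conf excerpt on the OpenBSD router (constructed example, assumptions
# as stated in the text above). tun0/tun1 are assumed to exist already, e.g.
#   ssh -f -w 0:0 root@LINUX_ROUTER true   # second tunnel: -w 1:1; peer sshd
#   ifconfig tun0 10.254.0.1 10.254.0.2 netmask 255.255.255.252   # needs PermitTunnel yes
# with static routes 10.10.2.0/24 -> tun0 and 10.20.2.0/24 -> tun1.
c1_lan = "em1"
c2_lan = "em2"
c1_tun = "tun0"
c2_tun = "tun1"
lan_net   = "192.168.0.0/24"   # the overlapping range, used on every site
c1_local  = "10.10.1.0/24"     # company1's local LAN as seen across tun0
c1_remote = "10.10.2.0/24"     # company1's remote site as seen from here
c2_local  = "10.20.1.0/24"     # same idea for company2 on tun1
c2_remote = "10.20.2.0/24"

set skip on lo0
block log all

# 1:1 address translation per tunnel. binat-to with equal-sized networks keeps
# the host part: 192.168.0.7 on company1's LAN is 10.10.1.7 on the far side,
# and replies to 10.10.1.7 arriving on tun0 are mapped back to 192.168.0.7.
match on $c1_tun from $lan_net binat-to $c1_local
match on $c2_tun from $lan_net binat-to $c2_local

# Isolation: tag traffic by the interface it enters; a packet may only leave
# through an interface of the same company, whatever addresses it carries,
# so company2 can never reach company1's sites even with identical subnets.
pass in  on $c1_lan from $lan_net to $c1_remote tag C1
pass in  on $c1_tun from $c1_remote tag C1
pass out on $c1_tun tagged C1
pass out on $c1_lan tagged C1

pass in  on $c2_lan from $lan_net to $c2_remote tag C2
pass in  on $c2_tun from $c2_remote tag C2
pass out on $c2_tun tagged C2
pass out on $c2_lan tagged C2
```

Hosts on company1's local LAN address the remote site as 10.10.2.x rather than 192.168.0.x, which is unavoidable when both sides use the same range; `pfctl -s state` and the `block log` rule show any cross-company traffic that is dropped.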
The Linux router is where the xDSL lines we rent are terminated, the company providing them to us provides this router and lets us manage it to route our traffic where and how we want but does not support adding software on it. They intentionally kept out ipsec for performance reasons, I think that was done for hardware reasons, openvpn is sadly unavailable too :/
For tunneling purposes we have access to gre, ipip and openSSH, gre looked like a good candidate but without the key field support in OpenBSD it solves nothing. I never thought about using openSSH like this but it may be a lead although I am not sure how to route the traffic while keeping the companies isolated from each other. I need to do some testing to see if the server can support ssh tunnels without using too much cpu. Thanks for your answer!
In 2009 I discovered I could isolate RFC1918 subnets at the OpenSSH VPN gateways if I used IPv6 on the tun(4) devices instead of IPv4. NAT was used. There were diagrams linked to the thread, but I no longer have them. http://www.daemonforums.org/showthread.php?t=141
Can you add OpenBSD gateways in front of the two (company) networks directly connected to the Linux router? You could easily connect your networks with IPsec that way, and more or less ignore that garbage Linux router.
edit: I'm stupid. jggimi already suggested it! Last edited by denta; 22nd March 2012 at 05:01 PM.
The lack of security for gre and ipip is a minor problem, the two servers are on a private network. I know most of their clients simply use the router provided and don't need much more, in this context the limitations make sense.
The problem is that we need more control than the others ^^ Connecting a router on the company's site directly with our backbone router is one of the solutions, yes, good idea.