DaemonForums  

#1
21st March 2012
schmurfy
Port Guard
Join Date: Aug 2011
Posts: 12
multiplexing traffic

Hi,
I have a routing problem I can't figure out how to solve, here is what I wish to have:
There are two routers, one running OpenBSD and the other one running Linux. The networks represented on this graph are physical sites of a given company; the two on top belong to company1 and the two at the bottom to company2.

My problem is how to link those sites together while keeping each company separated from the other, given that both companies can use the same network addresses as they wish (for example 192.168.0.0/24 may be used here by both sites on the right).

The problem gets a little more complicated since we have limited control over the Linux router and the technologies available to us are restricted: we have ipip but not ipsec, for example.

How is this problem usually solved? I suppose I am not the first one to try something like that. I am interested to hear your solution even between two OpenBSD systems.

Edit: I also have access to gre tunnels, which can have a key field to allow multiple tunnels with the same src/dst; sadly the key field is not implemented under OpenBSD...

Last edited by schmurfy; 21st March 2012 at 01:34 PM. Reason: added gre
#2
21st March 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

The typical solution to joining networks is to use a VPN, and if complete freedom of IP addressing is required a VPN with NAT is required. (This example of a NAT/IPSec solution from the OpenBSD Journal describes the issue and one way of resolving it.)

As you have described your problem, I understand you have these constraints:
  • IPSec cannot be used
  • A NAT solution must be chosen that operates with the existing routers
My first thought is to wonder why there is a no-IPSec-on-Linux constraint, and who the idiot is at the partner company who made that decision for you.
But that doesn't solve the problem, and pointing out to your partner that IPSec has been available for many many years on Linux systems may only strain your new relationship. And, due to the NAT requirement, having their "technician" suddenly say yes to IPSec may not solve the problem -- there might be differences in IPSec/NAT implementations between their Linux and OpenBSD that limit integration.
My second thought is to just to hand them an OpenBSD router for use at the partner company, and ask them to route traffic destined for your network(s) through it. There are a number of possible topologies, including a separate ISP connection, placement between the Linux router and the ISP, or sharing the subnet between their router and their ISP.

If no physical investment can be made in linking your organizations together, and if IPSec is a non-starter for ... um ... political reasons, you and they must look for other possible solutions. Here are one or two VPN solutions that might work:
OpenSSH should be available on that Linux platform and it is part of OpenBSD. VPNs may be configured with "ssh -w". I've never tried to configure it with NAT at both ends, however, and if this is of interest, I recommend setting up a small laboratory to experiment. (Hint: virtual machines might be used.)

OpenVPN is a third party program that runs on both Linux and OpenBSD, and offers certain types of NAT translations which might fit your needs. I have not used OpenVPN in many years, and never used it to join gateway routers. As with the SSH VPN solution above, investigation and experimentation are recommended.


Last edited by jggimi; 21st March 2012 at 05:14 PM. Reason: two typos, clarity
#3
22nd March 2012
schmurfy
Port Guard
Join Date: Aug 2011
Posts: 12

The Linux router is where the xDSL lines we rent are terminated; the company providing them to us provides this router and lets us manage it to route our traffic where and how we want, but does not support adding software on it. They intentionally kept out ipsec for performance reasons, I think that was done for hardware reasons; openvpn is sadly unavailable too :/
For tunneling purposes we have access to gre, ipip and openSSH. gre looked like a good candidate, but without the key field support in OpenBSD it solves nothing.

I never thought about using openSSH like this, but it may be a lead, although I am not sure how to route the traffic while keeping the companies isolated from each other.
I need to do some testing to see if the server can support ssh tunnels without using too much cpu.

Thanks for your answer!
#4
22nd March 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

Quote (originally posted by schmurfy):
The Linux router is where the xDSL lines we rent are terminated; the company providing them to us provides this router and lets us manage it to route our traffic where and how we want, but does not support adding software on it.
Can it be configured to operate in "bridge" mode so that it merely moves packets between DSL and Ethernet without inspection or translation? If so, then you could implement a solution external to their device and its limitations, or the limitations of your xDSL service provider, or both.
Quote:
They intentionally kept out ipsec for performance reasons...
I find that difficult to believe. Any other VPN solution is going to consume similar computing resources (CPU/RAM) or significantly more. In particular, VPN solutions with TCP tunnels (such as OpenSSH) will definitely consume more resources than IPSec.
Quote:
For tunneling purposes we have access to gre, ipip and openSSH. gre looked like a good candidate, but without the key field support in OpenBSD it solves nothing.
Both GRE and IP/IP encapsulation can provide a "virtual network" connection via tunnel, but they offer no privacy or security. Traffic is sent in the clear, without encryption.
Quote:
I never thought about using openSSH like this, but it may be a lead, although I am not sure how to route the traffic while keeping the companies isolated from each other....
I recall doing some testing several years ago, and searched on the forum.

In 2009 I discovered I could isolate RFC1918 subnets at the OpenSSH VPN gateways if I used IPv6 on the tun(4) devices instead of IPv4. NAT was used.

There were diagrams linked to the thread, but I no longer have them.

http://www.daemonforums.org/showthread.php?t=141
#5
22nd March 2012
denta
Shell Scout
Join Date: Nov 2009
Location: Sweden
Posts: 95
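As an added illustration of the multiplexing point raised in posts #1 and #3 (GRE tunnels with identical outer src/dst that can only be told apart by the RFC 2890 key field) and of jggimi's warning in post #4 that GRE and IP/IP carry the inner packet in the clear, here is a small Python demultiplexer. This is example code written for this page, not anything posted by the thread's participants, and it is not OpenBSD's gre(4) implementation: the tunnel table, the RFC 5737 documentation addresses 203.0.113.1 and 198.51.100.1 used as outer endpoints, the keys 1 and 2, and the packet contents are all constructed for the demonstration. Both companies' inner packets are byte-for-byte identical (both happen to use 192.168.0.0/24 and 192.168.1.0/24), so a receiver that ignores the key has no way to hand them to the right company's routing table, and every inner address and payload byte is readable by anyone on the path.

```python
import ipaddress
import struct
from typing import Optional

GRE_FLAG_C = 0x8000   # checksum present
GRE_FLAG_K = 0x2000   # key present (RFC 2890)
GRE_FLAG_S = 0x1000   # sequence number present (RFC 2890)
ETHERTYPE_IPV4 = 0x0800

# Constructed tunnel table for the shared router: both companies' tunnels have the
# same outer endpoints (RFC 5737 documentation addresses) and differ only in key.
OUTER_SRC, OUTER_DST = "203.0.113.1", "198.51.100.1"
TUNNELS = {
    (OUTER_SRC, OUTER_DST, 1): "company1",
    (OUTER_SRC, OUTER_DST, 2): "company2",
}

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Minimal inner IPv4 packet: 20-byte header without options, then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

def build_gre(inner: bytes, key: Optional[int] = None, seq: Optional[int] = None) -> bytes:
    """Wrap an IPv4 packet in a GRE header, adding key/sequence fields on request."""
    flags, opt = 0, b""
    if key is not None:
        flags |= GRE_FLAG_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= GRE_FLAG_S
        opt += struct.pack("!I", seq)
    return struct.pack("!HH", flags, ETHERTYPE_IPV4) + opt + inner

def parse_gre(pkt: bytes) -> dict:
    """Walk the optional GRE fields in header order: checksum, key, sequence."""
    flags, proto = struct.unpack_from("!HH", pkt, 0)
    off, fields = 4, {"proto": proto, "checksum": None, "key": None, "seq": None}
    if flags & GRE_FLAG_C:
        fields["checksum"] = struct.unpack_from("!H", pkt, off)[0]
        off += 4                      # 16-bit checksum plus 16 reserved bits
    if flags & GRE_FLAG_K:
        fields["key"] = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    if flags & GRE_FLAG_S:
        fields["seq"] = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    fields["payload"] = pkt[off:]
    return fields

def demux(outer_src: str, outer_dst: str, gre: bytes) -> dict:
    """Assign a received GRE packet to a tunnel, and so to one company's routing.
    Raises LookupError when no key is present and several tunnels share the outer
    endpoints: without the key field the receiver cannot tell the companies apart."""
    g = parse_gre(gre)
    if g["proto"] != ETHERTYPE_IPV4:
        raise ValueError("unexpected inner protocol 0x%04x" % g["proto"])
    matches = [name for (s, d, k), name in TUNNELS.items()
               if (s, d) == (outer_src, outer_dst) and (g["key"] is None or k == g["key"])]
    if len(matches) != 1:
        raise LookupError("key=%r matches %d tunnels" % (g["key"], len(matches)))
    inner = g["payload"]
    ihl = (inner[0] & 0x0F) * 4
    # GRE adds no confidentiality: inner addresses and payload are read straight off the wire.
    return {"tunnel": matches[0],
            "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
            "payload": inner[ihl:]}

# Constructed traffic: identical inner headers for both companies (both sites use
# 192.168.0.0/24 and 192.168.1.0/24); only the GRE key differs.
PKT_C1 = build_gre(build_ipv4("192.168.0.10", "192.168.1.20", b"company1 payroll export"), key=1)
PKT_C2 = build_gre(build_ipv4("192.168.0.10", "192.168.1.20", b"company2 payroll export"), key=2)
PKT_NOKEY = build_gre(build_ipv4("192.168.0.10", "192.168.1.20", b"whose packet is this?"))

if __name__ == "__main__":
    for pkt in (PKT_C1, PKT_C2):
        r = demux(OUTER_SRC, OUTER_DST, pkt)
        print(r["tunnel"], r["inner_src"], "->", r["inner_dst"], r["payload"])
    try:
        demux(OUTER_SRC, OUTER_DST, PKT_NOKEY)
    except LookupError as err:
        print("dropped:", err)
```

Run directly, the two keyed packets are delivered to their companies and the keyless one is dropped as ambiguous. Without key support on the receiving side, the same separation needs a distinct outer address pair per tunnel (for example one alias address per company on each endpoint), since gre(4) then has nothing but outer src/dst to match on; and whichever way the tunnels are kept apart, the inner traffic still crosses the path unencrypted, as the `payload` field above shows.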

Can you add OpenBSD gateways in front of the two (company) networks directly connected to the linux router? You could easily connect your networks with IPsec that way, and more or less ignore that garbage linux router.

edit: I'm stupid. jggimi already suggested it!

Last edited by denta; 22nd March 2012 at 05:01 PM.
#6
22nd March 2012
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,977

We don't know the root cause of their stupidity -- it could be the ISP's lack of interest in service, lack of adequate or proper technical staffing, equipment management limitation decisions, outsourcing of services to others with limited scope of control ....

But...

Mit der Dummheit kämpfen Götter selbst vergebens.
(Against stupidity the very gods themselves contend in vain.)

Friedrich Schiller
#7
26th March 2012
schmurfy
Port Guard
Join Date: Aug 2011
Posts: 12

The lack of security for gre and ipip is a minor problem; the two servers are on a private network. I know most of their clients simply use the router provided and don't need much more; in this context the limitations make sense.
The problem is that we need more control than the others ^^

Connecting a router on the company's site directly with our backbone router is one of the solutions yes, good idea.
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick