Hi,

I have set up a vpn as follows. How do I allow site B to access client machines linked to Site A?

client site ------- OpenVPN via the www (10.8.0.0/24) -----> SiteA (192.168.1.240 shorewall) ----- VPN ---------> Site B (192.168.2.0/24)

Any computer on site A can access client machines through 10.8.0.0/24 and shorewall.

What are the rules to set up in order to allow machines from siteB to access the client site machine?

Best Regards
Steph

Stéphane ANCELOT wrote:
> Hi,
>
> I have set up a vpn as follows. How do I allow site B to access
> client machines linked to Site A?
>
> client site ------- OpenVPN via the www (10.8.0.0/24) -----> SiteA
> (192.168.1.240 shorewall) ----- VPN ---------> Site B (192.168.2.0/24)
>
> Any computer on site A can access client machines through 10.8.0.0/24 and
> shorewall.
>
> What are the rules to set up in order to allow machines from siteB to
> access the client site machine?
> Best Regards
> Steph

Think I need a bit more info here, you have 2 vpns and you need to have traffic pass between them? Some config files and a shorewall dump would be nice to see, the solution would depend on which way you have your present setup configured. Remember we know as much about your setup as you tell us.

Jerry

> I have set up a vpn as follows. How do I allow site B to access
> client machines linked to Site A?
>
> client site ------- OpenVPN via the www (10.8.0.0/24) -----> SiteA
> (192.168.1.240 shorewall) ----- VPN ---------> Site B (192.168.2.0/24)

Hi Steph

If I understand you correctly, both SiteA and SiteB are connected by VPN to "client site", and now you want to open a connection between SiteA and SiteB.

The most obvious thing to do is create a new VPN directly between SiteA and SiteB. But I assume you have some reason for not wanting to do that.

If SiteA and SiteB are configured to send ALL their traffic through the VPNs, I guess you can make this work by just changing your "client site" configuration.

But probably, SiteA and SiteB are configured to route only the "client site" subnet through the VPN. In that case, you will need to change the SiteA and SiteB configuration to route the additional subnets through VPN. Or somehow fake the SiteA and SiteB addresses to be within the "client site" subnet (proxy-arp??? nat??? -- I don't know).

Rune

A little bit more detailed:

I have got clients issuing vpn links through the web to a remote openvpn server in Site A.

All the LAN in site A (192.168.1.0/24) accesses the openvpn clients through the subnet 10.8.0/24 (the openvpn subnet).
My shorewall firewall machine is located in Site A (firewall+openvpn server+gateway).

Unfortunately, we have got another corporate site B that is linked to SiteA with a VPN link.
The LAN in site B is 192.168.2.0/24.

The main problem is: how could we access 10.8.0.0/24 addresses from site B and be able to pass through the firewall?

Thanks
Steph

Jerry Vonau wrote:
> Stéphane ANCELOT wrote:
>
>> Hi,
>>
>> I have set up a vpn as follows. How do I allow site B to access
>> client machines linked to Site A?
>>
>> client site ------- OpenVPN via the www (10.8.0.0/24) -----> SiteA
>> (192.168.1.240 shorewall) ----- VPN ---------> Site B (192.168.2.0/24)
>>
>> Any computer on site A can access client machines through 10.8.0.0/24 and
>> shorewall.
>>
>> What are the rules to set up in order to allow machines from siteB to
>> access the client site machine?
>> Best Regards
>> Steph
>
> Think I need a bit more info here, you have 2 vpns and you need to
> have traffic pass between them? Some config files and a shorewall
> dump would be nice to see, the solution would depend on which way you
> have your present setup configured. Remember we know as much about
> your setup as you tell us.
>
> Jerry

On Tuesday 18 April 2006 01:03, Stéphane ANCELOT wrote:
> A little bit more detailed:
>
> I have got clients issuing vpn links through the web to a remote openvpn
> server in Site A.
>
> All the LAN in site A (192.168.1.0/24) accesses the openvpn clients through
> the subnet 10.8.0/24 (the openvpn subnet).
> My shorewall firewall machine is located in Site A (firewall+openvpn
> server+gateway).
>
> Unfortunately, we have got another corporate site B that is linked to
> SiteA with a VPN link.
> The LAN in site B is 192.168.2.0/24.
>
> The main problem is: how could we access 10.8.0.0/24 addresses from site B
> and be able to pass through the firewall?

This problem is 99% routing and OpenVPN and 01% Shorewall; so you are probably better off posting on the OpenVPN list. In Shorewall, all you need are ACCEPT rules (or policies) to pass the traffic (assuming that you have the two tunnels defined in /etc/shorewall/tunnels).

So, I suggest that you first get it working with Shorewall disabled. If you then have problems getting Shorewall to allow the traffic after a "shorewall start", we can probably help you.

In general, Shorewall doesn't determine where traffic goes -- that's the job of routing. Shorewall only determines if the traffic is allowed to go there or not. The two exceptions to this rule are Proxy ARP (with "No" in the HAVEROUTE column) and Multi-ISP (entries in /etc/shorewall/providers), neither of which apply in this case. In those two cases, Shorewall will alter the firewall's routing table(s) -- those are the only two cases.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
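
The split described in the last reply (routing decides where packets go, Shorewall only decides whether they may pass), as an added configuration sketch that is not part of the original thread or any poster's actual setup. It assumes both tunnels are OpenVPN, seen on the Site A firewall as tun0 (clients, UDP 1194) and tun1 (Site B, UDP 1195); the zone names `road` and `siteb` and the `SITE_B_PUBLIC_IP` placeholder are hypothetical.

```conf
# Constructed example for the topology in this thread. Assumptions:
# tun0 = road-warrior OpenVPN server (10.8.0.0/24), tun1 = Site B link
# (192.168.2.0/24); zone names and SITE_B_PUBLIC_IP are placeholders.

# --- /etc/shorewall/zones (additions) ---
#ZONE   TYPE
road    ipv4
siteb   ipv4

# --- /etc/shorewall/interfaces (additions) ---
#ZONE   INTERFACE   BROADCAST
road    tun0        -
siteb   tun1        -

# --- /etc/shorewall/tunnels (lets the tunnel packets themselves in) ---
#TYPE                ZONE   GATEWAY
openvpnserver:1194   net    0.0.0.0/0
openvpn:1195         net    SITE_B_PUBLIC_IP

# --- /etc/shorewall/policy (place above the final catch-all) ---
#SOURCE  DEST   POLICY
# Site B may open connections to the OpenVPN clients. Replies are
# allowed by connection tracking, so no road->siteb policy is added
# and the clients cannot initiate connections into Site B.
siteb    road   ACCEPT

# --- /etc/shorewall/shorewall.conf ---
IP_FORWARDING=On

# --- Routing: the part Shorewall does not do ---
# OpenVPN server config on Site A: tell the clients that Site B is
# reached through the tunnel, so their replies come back this way.
push "route 192.168.2.0 255.255.255.0"
# Site B gateway: needs a route for 10.8.0.0/24 towards Site A, e.g. in
# its OpenVPN config for the site-to-site link:
route 10.8.0.0 255.255.255.0
```

`shorewall check` validates the files before a restart. If only a few services on the clients need to be reachable from Site B, per-port ACCEPT entries in /etc/shorewall/rules are a narrower alternative to the zone-wide policy.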