[33740] in North American Network Operators' Group
OSPF/Gated simple exchange
daemon@ATHENA.MIT.EDU (Jennifer Swiftlock)
Mon Jan 22 15:06:09 2001
From: "Jennifer Swiftlock" <swiftlockjen@hotmail.com>
To: nanog@nanog.org
Date: Mon, 22 Jan 2001 20:01:47 -0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F160tRpeVPOEcyhJzqN0000707f@hotmail.com>
Errors-To: owner-nanog-outgoing@merit.edu
Hi,
Sorry in advance if this is way off topic.
I'm trying to use gated between two machines, a firewall and an IPSEC
gateway. I would like to use OSPF as it seems to be the most efficient
approach. Here is a nice ASCII diagram for you that describes the setup
and you'll see the reasoning behind the madness:
              ( Dynamic IP dumb VPN Clients )
                            |
                            |
                          __|__
                         (     )
                         ( Inet )
                         (_____)
                            |              24.12.42.x/30
                         ___|___           /     |      _______
    (default gw for fw) | Cisco |        _/      \|    |       |
                        |__3660_|-----------------------| IPSec |
                            |                          |___GW__|
                            |                              | 192.168.15.1/30
                   ( NAT Interface )                       |
                         ___|___                           |
                        |       |192.168.15.2/30           |
                        |  FW   |--------------------------
                        |_______|
                            |10.0.0.1 ( default gw )
                            |
                            |
                            |
               |-------------------------|
                       10.0.0/24
            ( Internal hosts to be accessed
              by dumb VPN clients on the Net )
So as you can see, the VPN clients will be able to talk to the IPSec
gateway at its global IP of 24.12.42.x, which will allow for that VPN client
to talk to 10.0.0/24. From that point the traffic from the VPN client will
pass through the firewall at the 192.168.15.2 interface. After passing
through the firewall the VPN client traffic will hit the host it's trying to
communicate with on the 10.0.0/24 network.
The return traffic is where OSPF comes into play. The return traffic from
the 10.0.0/24 back to the VPN client must pass back through the IPSec
gateway, but since the IPSec gateway isn't a default gateway for anything
and traffic doesn't normally pass through it, the firewall must know to route
return traffic for that VPN client address through the IPSec gateway. Thus,
I'm trying to figure out how to properly do this with Gated/OSPF. The
documentation is fairly foggy at merit.edu and I'm a novice when it comes to
gated.
Some might ask why I don't just put the IPSec gateway into the default
flow of traffic. I would, but the interface between the firewall and the
Cisco router performs network address translation on all traffic passing
through it so that the users on 10.0.0/24 can use the Internet, so that
destroys the IPSec flows.
If you know how to set up gated to exchange these routes between the IPSec
gateway and the firewall whenever a VPN client accesses the IPSec gateway,
have any other ideas on how to properly approach this, or think I'm
completely out of my mind, please reply back ASAP.
Thank you in advance,
Jennifer Swiftlock -- Network Admin
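Editor's note: one way the exchange the poster asks for could be configured, as an added example that is not part of the original message or any reply to it. It assumes GateD 3.x configuration syntax, that the IPSec software installs a kernel host route for each connected client, and placeholder authentication keys; the stanza names should be checked against the manual for the gated version actually in use.

```conf
# gated.conf on the IPSec gateway (192.168.15.1)
# Assumed GateD 3.x syntax: check stanza names against your gated's manual.
routerid 192.168.15.1;

ospf yes {
    backbone {
        # Only the fw<->gw link is listed, so no OSPF hellos leave the
        # Internet-facing 24.12.42.x interface.
        interface 192.168.15.1 {
            # 'simple' is a cleartext password; prefer MD5 if the build has it.
            authtype simple;
            authkey "CHANGE-ME";   # placeholder
        };
    };
};

# Assumption: when a client tunnel comes up the IPSec software installs a
# kernel host route for that client's address. Re-announce those as OSPF
# external (ASE) routes so the firewall learns them, but never the default.
export proto ospfase type 2 {
    proto kernel {
        default restrict;   # leaking 0/0 would drag the fw's Internet
        all;                # traffic through the gw and break the NAT
    };
};

# ---------------------------------------------------------------
# gated.conf on the firewall (192.168.15.2)
routerid 192.168.15.2;

ospf yes {
    backbone {
        interface 192.168.15.2 {
            authtype simple;
            authkey "CHANGE-ME";   # placeholder, same key as the gateway
        };
    };
};

# Accept the client host routes from the gateway; refuse a default from anyone.
import proto ospfase {
    default restrict;
    all;
};

# Let the gateway reach the internal net; nothing else is advertised.
export proto ospfase type 2 {
    proto direct {
        10.0.0.0 mask 255.255.255.0 exact;
    };
};
```

By default gated prefers OSPF external routes over routes it merely reads from the kernel, so a leaked 0/0 from the gateway would replace the firewall's existing default and send all Internet traffic around the NAT; that is why the default is filtered on both sides.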