Koozali.org: home of the SME Server

VPN how to get all the traffic over the tunnel?

Medimo

VPN how to get all the traffic over the tunnel?
« on: April 20, 2004, 04:33:52 PM »
Hi,

Have 2 offices (SME-boxes) with IPSEC-tunnel.

I want to get all the web and mail for these domains to go over the vpn-tunnel.

SME1:
External 81.207.xxx.xxx
Internal 172.16.1.xxx

SME2:
External 62.166.xxx.xxx
Internal 172.16.2.xxx

Now, if you're on subnet SME1 and you want to mail something to SME2, I want the mail to go over the tunnel. However, the normal SMTP goes over the external interface and not over the tunnel.

Other example: if you're on subnet SME2 and you want to access an intranet webservice on SME1, you'll want the traffic to go over the tunnel (without remembering ip-numbers). Otherwise the www goes over the external interface and the traffic is blocked.

If I use virtual domains for this all my mail is mixed up. mark@sme1 then equals mark@sme2.

Anybody a clue?

Thx,

Richard.

briank
VPN how to get all the traffic over the tunnel?
« Reply #1 on: April 23, 2004, 12:35:15 AM »
Don't know if this might help - it is for advanced routing with pptp-client, but the principle is the same:
http://pptpclient.sourceforge.net/routing.phtml
There is also a Linux Advanced Routing & Traffic Control HOWTO if you really want some light bedside reading.
Good luck
Brian Kirk

Brave Dave
VPN how to get all the traffic over the tunnel?
« Reply #2 on: April 24, 2004, 05:55:06 AM »
I think you have the wrong question - "all traffic over the tunnel".

I think you want all mail over the tunnel - all other traffic between the nets is probably ok.

Your problem will be your MX records - and there won't be a simple solution, i.e. you will need to manually configure your DNS - I would think yuk ..

Do you need 2 mail servers? Could you perhaps use the SME manager interface to point the mail alias over to one side and point your mail clients there, so they "pop"ed and "smtp"ed from the one point.
.:DB:.

Medimo

VPN how to get all the traffic over the tunnel?
« Reply #3 on: April 24, 2004, 09:20:12 AM »
Thanx for the reply,

Looks like a good link Briank, need to get into that one sometime.

I needed 2 separate servers, since the 2 servers are for 2 companies that work together (but they have their own users, mail etc.).

My problem is solved, however. :-D
Didn't mangle the dns, though.

Because one of the SME servers used to be behind a NATting router, only NET-2-NET ipsec was set up (the others can't work: external gateway ip != true ip).
Therefore redirecting or changed DNS was necessary to get the traffic on the internal interface.

We changed the setup of the DSL, so the external interface was truly the external interface, and all 3 tunnels were enabled: NET-2-NET, GATEWAY-2-GATEWAY, and NET-2-GATEWAY. Problem solved: all traffic will arrive locally over the ipsec.
 :oops:

As always the solution just lies in front of you.

Little note for he who wants to know:
Some DSL providers have a gateway address which is not on the same subnet as your external ip. The standard _updown script in /usr/local/lib/ipsec/_updown will choke in the routing ("Can't add route").
In the updown script add an extra route for dev ipsec0:
route add [yourgatewayhere] dev ipsec0

Grz,

Richard.
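The "off-subnet gateway" situation in Richard's note, as an added example that is not part of the thread or of the SME _updown script: a small POSIX sh check that tells you whether the provider gateway is on-link for your external address, and emits the extra ipsec0 route line from the post only when it is not. The on-link test and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the DSL gateway is
# on the same subnet as the external ip, and emit the extra route the
# _updown script needs when it is not. All addresses are constructed.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1            # split the dotted quad on "." into $1..$4
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# gateway_on_link EXT_IP NETMASK GATEWAY -> prints "yes" if the gateway
# falls inside the external interface's subnet, "no" otherwise
gateway_on_link() {
    ip=$(ip_to_int "$1")
    mask=$(ip_to_int "$2")
    gw=$(ip_to_int "$3")
    if [ $(( ip & mask )) -eq $(( gw & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# updown_extra_route EXT_IP NETMASK GATEWAY -> prints the route command
# from the post when the gateway is off-subnet, prints nothing otherwise
updown_extra_route() {
    if [ "$(gateway_on_link "$1" "$2" "$3")" = no ]; then
        echo "route add $3 dev ipsec0"
    fi
}

# Constructed sample: a /24 on the DSL side, provider gateway outside it.
updown_extra_route 62.166.10.20 255.255.255.0 62.166.1.1
```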