OpenWrt Forum Archive

Topic: Gateway between IPSec VPNs

The content of this topic has been archived on 7 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Vpn 1 is connected to VPN Server (Openwrt Racoon Site to Site)
Vpn 2 is connected to VPN Server (Openwrt Racoon Site to Site)

How am I able to make VPN 1 reach VPN 2 through the VPN server?

static routes?

Hm. Never tried that, but maybe something like this works.

Assumptions:

- VPN1 Net 192.168.1.0/24
- VPN2 Net 192.168.2.0/24
- Gateway Net 10.10.10.0/24
- VPN2 accesses VPN1 with addresses 192.168.5.0/24
- VPN1 accesses VPN2 with addresses 192.168.6.0/24

Settings on VPN1 Router

config tunnel 'to_gateway'
  list sainfo '1'
  list sainfo '2'

config sainfo '1' <- should exist
  option 'remote_subnet' '10.10.10.0/24'
  option 'local_subnet' '192.168.1.0/24'
config sainfo '2' <- new
  option 'remote_subnet' '192.168.6.0/24'
  option 'local_subnet' '192.168.1.0/24'

Settings on VPN2 Router

config tunnel 'to_gateway'
  list sainfo '1'
  list sainfo '2'

config sainfo '1' <- should exist
  option 'remote_subnet' '10.10.10.0/24'
  option 'local_subnet' '192.168.2.0/24'
config sainfo '2' <- new
  option 'remote_subnet' '192.168.5.0/24'
  option 'local_subnet' '192.168.2.0/24'

Settings on Gateway

config tunnel 'to_vpn1'
  list sainfo '1'
  list sainfo '2'
config tunnel 'to_vpn2'
  list sainfo '3'
  list sainfo '4'

config sainfo '1' <- should exist
  option 'remote_subnet' '192.168.1.0/24'
  option 'local_subnet' '10.10.10.0/24'
config sainfo '2' <- new
  option 'remote_subnet' '192.168.1.0/24'
  option 'local_subnet' '192.168.6.0/24'
config sainfo '3' <- should exist
  option 'remote_subnet' '192.168.2.0/24'
  option 'local_subnet' '10.10.10.0/24'
config sainfo '4' <- new
  option 'remote_subnet' '192.168.2.0/24'
  option 'local_subnet' '192.168.5.0/24'

- Afterwards you need NETMAP address translation in the firewall rules of the gateway:

iptables -t nat -A somewhere_in_prerouting -d 192.168.6.0/24 -s 192.168.1.0/24 -j NETMAP --to 192.168.2.0/24
iptables -t nat -A somewhere_in_prerouting -d 192.168.5.0/24 -s 192.168.2.0/24 -j NETMAP --to 192.168.1.0/24

maybe not complete but at least some indication.

Good luck.

Markus

@maurer: static routes will not help. The kernel does policy-based IPsec routing based on the setkey definitions.

So we need rules that enforce tunneling packets as I tried above.

Markus


Why am I not able to establish the routing directly through the VPN gateway
without using the ranges 192.168.5.0 and 192.168.6.0?

iptables -t nat -A somewhere_in_prerouting -d 192.168.6.0/24 -s 192.168.1.0/24 -j NETMAP --to 192.168.2.0/24
iptables -t nat -A somewhere_in_prerouting -d 192.168.5.0/24 -s 192.168.2.0/24 -j NETMAP --to 192.168.1.0/24

Building a tunnel between two sites includes building SAs. These tell the kernel through which tunnel packets must be routed. E.g. take the gateway tunnel to VPN1 after adding the additional VPN definitions WITHOUT modifying the ranges:

receive packets 192.168.1.0/24 -> 192.168.2.0/24 through tunnel to VPN1
send packets 192.168.2.0/24 -> 192.168.1.0/24 through tunnel to VPN1

now add the same to VPN2

receive packets 192.168.2.0/24 -> 192.168.1.0/24 through tunnel to VPN2
send packets 192.168.1.0/24 -> 192.168.2.0/24 through tunnel to VPN2

This won't work because of two equal definitions for source/destination ranges. Just have a look at "setkey -PD" for details.

Markus
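The two NETMAP rules sketched earlier only rewrite the destination, and the explanation above shows why the source has to change too: after the destination is mapped back to the real 192.168.2.0/24, the packet must also carry a 192.168.5.0/24 source or it will not fit the selector of the to_vpn2 tunnel. The following script is an added example written for this archive page, not code from the original posts. It spells out the complete gateway rule set for the thread's addressing plan and assumes the rules are appended to the nat table's built-in PREROUTING and POSTROUTING chains (for instance from OpenWrt's /etc/firewall.user), that the sainfo definitions from the earlier post are already loaded, and that the firewall already permits forwarding between the two tunnels; the variable and function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: full NETMAP rule set for the
# gateway router. Assumes the nat table's built-in PREROUTING/POSTROUTING
# chains, the racoon sainfo definitions from the post, and forwarding between
# the two tunnels already allowed by the firewall.

VPN1_NET=192.168.1.0/24     # real LAN behind the VPN1 router
VPN2_NET=192.168.2.0/24     # real LAN behind the VPN2 router
VPN1_ALIAS=192.168.5.0/24   # address range VPN2 hosts use to reach VPN1
VPN2_ALIAS=192.168.6.0/24   # address range VPN1 hosts use to reach VPN2

# Run iptables, or only print the command when DRY_RUN is set, so the rule
# set can be reviewed on a machine without root or iptables.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# netmap_pair SRC_REAL DST_ALIAS DST_REAL SRC_ALIAS
# One traffic direction needs two rules, because NETMAP rewrites the
# destination in PREROUTING and the source in POSTROUTING:
#   PREROUTING  alias destination -> real destination, so the packet is
#               routed towards the other tunnel;
#   POSTROUTING real source -> alias source, so the packet matches that
#               tunnel's sainfo selector instead of leaving in the clear.
# NETMAP keeps the host bits: 192.168.6.20 becomes 192.168.2.20, and so on.
# Only the first packet of a connection traverses the nat table; conntrack
# undoes both translations on the replies.
netmap_pair() {
    src_real=$1; dst_alias=$2; dst_real=$3; src_alias=$4
    ipt -t nat -A PREROUTING  -s "$src_real" -d "$dst_alias" -j NETMAP --to "$dst_real"
    ipt -t nat -A POSTROUTING -s "$src_real" -d "$dst_real"  -j NETMAP --to "$src_alias"
}

gateway_netmap_rules() {
    # VPN1 -> VPN2: 192.168.1.x -> 192.168.6.y arrives via to_vpn1 sainfo 2
    #               and leaves as 192.168.5.x -> 192.168.2.y via to_vpn2 sainfo 4
    netmap_pair "$VPN1_NET" "$VPN2_ALIAS" "$VPN2_NET" "$VPN1_ALIAS"
    # VPN2 -> VPN1: 192.168.2.y -> 192.168.5.x arrives via to_vpn2 sainfo 4
    #               and leaves as 192.168.6.y -> 192.168.1.x via to_vpn1 sainfo 2
    netmap_pair "$VPN2_NET" "$VPN1_ALIAS" "$VPN1_NET" "$VPN2_ALIAS"
}

# Print the rules by default; install them only on explicit request:
#   sh netmap-gateway.sh          # review
#   sh netmap-gateway.sh apply    # install (as root)
case "${1:-}" in
    apply) gateway_netmap_rules ;;
    *)     DRY_RUN=1 gateway_netmap_rules ;;
esac
```

After applying, confirm with "setkey -DP" on the gateway that policies exist for both alias pairs (192.168.1.0/24 with 192.168.6.0/24 on the VPN1 tunnel, 192.168.5.0/24 with 192.168.2.0/24 on the VPN2 tunnel), and watch the WAN interface with tcpdump while a VPN1 host pings a 192.168.6.x address: only ESP should leave the box. A packet that matches no policy after translation is forwarded unencrypted, which is the failure mode these paired rules are meant to avoid.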

After two days of thinking, it should be possible to save the networks. This requires using the local_Nat rule in VPN 1 and 2.

(Last edited by birnenschnitzel on 25 Apr 2012, 08:22)

You are funny. This is my 3rd week using OpenWrt, so it is my 3rd week using iptables; this is too complex for now, but I will try next week ;)

The discussion might have continued from here.