nanog mailing list archives

OSPF/Gated simple exchange


From: "Jennifer Swiftlock" <swiftlockjen () hotmail com>
Date: Mon, 22 Jan 2001 20:01:47 -0000


Hi,

Sorry in advance if this is way off topic.

I'm trying to use gated between two machines, a firewall and an IPSEC gateway. I would like to use OSPF as it seems to be the most efficient approach. Here is a nice ASCII diagram for you that describes the setup and you'll see the reasoning behind the madness:


           ( Dynamic IP dumb VPN Clients )
                       |
                       |
                     __|__
                    (     )
                   (  Inet )
                     (____)
                       |         24.12.42.x/30
                    ___|___    / |  _______
(default gw for fw) | Cisco | _/   \|       |
                   |__3660_|-------| IPSec |
                       |           |___GW__|
                       |                | 192.168.15.1/30
  ( NAT Interface ) ___|___             |
                   |       |192.168.15.2|/30
                   |  FW   |------------
                   |_______|
                       |10.0.0.1 ( default gw )
                       |
                       |
                       |
            |-------------------------|
                   10.0.0/24
          ( Internal hosts to be accessed
            by dumb VPN clients on the Net )


So as you can see, the VPN clients will be able to talk to the IPSec gateway at its global IP of 24.12.42.x, which will allow for that VPN client to talk to 10.0.0/24. From that point the traffic from the VPN client will pass through the firewall at the 192.168.15.2 interface. After passing through the firewall the VPN client traffic will hit the host it's trying to communicate with on the 10.0.0/24 network.

The return traffic is where OSPF comes into play. The return traffic from 10.0.0/24 back to the VPN client must pass back through the IPSec gateway, but since the IPSec gateway isn't a default gateway for anything and traffic doesn't normally pass through it, the firewall must know to route return traffic for that VPN client address through the IPSec gateway. Thus, I'm trying to figure out how to properly do this with Gated/OSPF. The documentation is fairly foggy at merit.edu and I'm a novice when it comes to gated.

Some might ask why I don't just put the IPSec gateway into the default flow of traffic. I would, but the interface between the firewall and the Cisco router performs network address translation on all traffic passing through it so that the users on 10.0.0/24 can use the Internet, so that destroys the IPSec flows.

If you know how to set up gated to exchange these routes between the IPSec gateway and the firewall whenever a VPN client accesses the IPSec gateway, have any other ideas on how to properly approach this, or think I'm completely out of my mind, please reply back ASAP.

Thank you in advance,

    Jennifer Swiftlock -- Network Admin
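As an added example, not taken from the original post or from the gated documentation, here is how the two hosts in the diagram could be wired together with gated so that the IPSec gateway advertises its per-client routes and the firewall learns them over the 192.168.15.0/30 link only. Assumptions: the VPN software on the gateway installs the client routes as static or kernel routes (the post does not say how they appear), "example-key" is a placeholder shared secret, and the statement layout follows the GateD 3.x syntax as I remember it rather than anything verified against this setup.

```conf
# --- IPSec gateway (192.168.15.1): /etc/gated.conf (assumed layout) ---
routerid 192.168.15.1 ;
rip no ;
ospf yes {
    backbone {
        # Require a key so the firewall does not accept routes from an
        # unauthenticated speaker on the link. 'simple' is a cleartext
        # password; prefer MD5 where the installed gated build offers it.
        authtype simple ;
        # Run OSPF only on the firewall-facing interface; the Internet-side
        # interface is deliberately not listed, so no hellos leave it.
        interface 192.168.15.1 {
            priority 1 ;
            authkey "example-key" ;      # placeholder, not a real secret
        } ;
    } ;
} ;
# Redistribute the host routes that the VPN software installs for each
# connected client (assumed to be static or kernel routes) as OSPF
# AS-external routes, so the firewall learns a /32 per client.
export proto ospfase type 2 {
    proto static { all ; } ;
    proto kernel { all ; } ;
} ;

# --- Firewall (192.168.15.2): /etc/gated.conf (assumed layout) ---
routerid 192.168.15.2 ;
rip no ;
ospf yes {
    backbone {
        authtype simple ;
        # Only the link toward the IPSec gateway speaks OSPF; the NAT
        # interface and the 10.0.0.1 LAN interface are not listed.
        interface 192.168.15.2 {
            authkey "example-key" ;      # must match the gateway's key
        } ;
    } ;
} ;
# No export statement here: the firewall only needs to learn the client
# /32 routes, which win by longest prefix over its default route toward
# the Cisco, so return traffic for a client goes via 192.168.15.1.
```

After both daemons are up, `gdc interface` style checks are version specific, so the portable verification is simply the kernel routing table on the firewall: a connected client's address should appear as a host route with next hop 192.168.15.1, and the default route should stay pointed at the Cisco.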


