One to One NAT query

From: Josh Howlett (bujfxh_at_shark.cse.bris.ac.uk)
Date: 05/06/04


Date: Thu, 6 May 2004 11:32:34 GMT

I am trying to do something a bit unusual :-). I hope someone
can help.

I have a Linux NAS that terminates PPP sessions. When the PPP
session is connected, the PPP users are required to start a
VPN session to a VPN server.

The VPN protocol is PPTP.

    <-----------VPN---------->
    <---PPP---->
User ---------- NAS -----+---- VPN server A
                         |
                         +---- VPN server B
                         |
                         \---- VPN server C

I have multiple VPN servers (A, B and C), and I want to be
able to control where the user's VPN gets terminated.

For example, one day I might want to terminate user Joe's
VPN session on server B; another day, I might want to
terminate it on server C.

I also didn't want this to be reliant on the user changing
the IP address of the destination VPN server. So, regardless
of what IP address the user uses, the VPN always goes to the
right VPN server.

I thought I might do this by using one-to-one NAT on the NAS.

iptables -t nat -A PREROUTING -i ppp0 -j DNAT --to <IP of VPN>
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to <IP of VPN>

...where "IP of VPN" is the address of the VPN that I want to
direct the user's VPN session to.

However, this doesn't seem to work. This is an abbreviated
version of what I see (the user has dialed in and been
allocated 172.16.42.7; the user then attempts to VPN to
1.2.3.4, which I NAT to the desired address (XXX)):

Src Dst Proto Info

172.16.42.7 1.2.3.4 TCP 1659 > pptp [SYN]
1.2.3.4 172.16.42.7 TCP pptp > 1659 [SYN, ACK]
172.16.42.7 1.2.3.4 PPTP Start-Control-Connection-Request

So far so good; the PPTP TCP control channel is correctly
NATed. However, I then get:

XXX 172.16.42.7 PPP LCP Configuration request
172.16.42.7 XXX PPP LCP Configuration request
XXX 172.16.42.7 PPP LCP Configuration request
172.16.42.7 XXX PPP LCP Configuration request
etc...

(These are encapsulated in the PPTP session's GRE data channel).

The PPP LCP packets do not appear to get NATed! Instead, the REAL
IP of the VPN server is stamped on the packets. LCP negotiation
times out, presumably because the VPN client simply drops the
packets as it doesn't recognise the source address.

So... why are the GRE packets not getting NATed on the NAS?

josh.

-- 
------------------------------------------------------------
Josh Howlett, Networking & Digital Communications,
Information Systems & Computing, University of Bristol, U.K.
'phone: 0117 928 7850 email: josh.howlett@bris.ac.uk
------------------------------------------------------------
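As an added example (the editor's, not the poster's), here is the same one-to-one steering written so that the NAT rules match only the PPTP control channel (TCP/1723) and its GRE data channel for one client, instead of every packet entering or leaving the ppp interface. The interface name, client address, "virtual" VPN address and real server address are constructed sample values; `nf_nat_pptp` is the current Linux name for the PPTP NAT helper (the 2.4-era patch-o-matic names were `ip_conntrack_pptp` / `ip_nat_pptp`), and `verify_gre_tracked` is an assumed helper built on the `conntrack` tool, not anything from the original post. Without the PPTP helper the kernel cannot track or translate the GRE data channel, so only the TCP control channel is rewritten.

```shell
#!/bin/sh
# Added example (editor's, not the poster's): one-to-one NAT for a single
# client's PPTP session, scoped to the control channel and GRE data channel.
# Addresses and interface below are constructed sample values.

IPT="${IPT:-echo}"            # dry run by default; set IPT=iptables to apply
MODPROBE="${MODPROBE:-echo}"  # likewise, set MODPROBE=modprobe to apply

# pptp_nat_rules <ppp-iface> <client-ip> <virtual-vpn-ip> <real-vpn-ip>
# Steers one client's PPTP session, addressed to the virtual VPN address,
# to the real VPN server chosen for that client.
pptp_nat_rules() {
    ppp_if=$1; client=$2; virt=$3; real=$4

    # The PPTP NAT helper pulls in the GRE protocol tracker and the PPTP
    # connection-tracking helper as dependencies; without them the GRE
    # data channel is never translated, which is the symptom above.
    "$MODPROBE" nf_nat_pptp

    # Control channel: client -> virtual address, rewritten to the real server.
    "$IPT" -t nat -A PREROUTING -i "$ppp_if" -s "$client" -d "$virt" \
        -p tcp --dport 1723 -j DNAT --to-destination "$real"

    # Data channel: GRE between the same two endpoints.
    "$IPT" -t nat -A PREROUTING -i "$ppp_if" -s "$client" -d "$virt" \
        -p gre -j DNAT --to-destination "$real"

    # Replies are reverse-translated by connection tracking (their source
    # becomes $virt again on the way back to the client), so no separate
    # SNAT rule is needed for this mapping.
}

# verify_gre_tracked <client-ip> <real-vpn-ip>
# Once the session is up, the conntrack table should hold a GRE entry between
# the client and the real server; returns non-zero if it is missing.
# (Assumed helper using the conntrack userspace tool.)
verify_gre_tracked() {
    conntrack -L -p gre 2>/dev/null | grep -q "src=$1 dst=$2"
}

# Dry run: prints the rules that would be applied for client 172.16.42.7,
# dialling the virtual address 1.2.3.4, steered to server 10.0.0.2.
pptp_nat_rules ppp0 172.16.42.7 1.2.3.4 10.0.0.2
```

Run it as-is to see the generated rules; with `IPT=iptables MODPROBE=modprobe` it applies them on the NAS. Scoping the rules to `-s`/`-d`/`-p` matters beyond PPTP: the original two rules redirect every packet the user sends and rewrite the source of everything sent back, so any other traffic from that PPP session would be silently steered to the VPN server as well.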

