IPSec VPN and underlying routing

Reference this drawing:

http://www.butchevans.com/readarticle.php?article_id=16

I have this set up on my WISP like this:

T1-router – RB532 as Router A – two pairs of WDS links – PentiumIII-PC as Router B – switch – customer router – switch – customer

All assigned IPs are public except on the WDS links (they are given RFC 1918 IPs for management purposes). Traceroutes show public IPs all the way … like this:

from outside to T1 to customer:
T1’s IP, Router A (eth3), Router B (eth2), customer router IP

from WISP to T1 to outside:
customer router, Router B (eth3), Router A (eth1), T1-router-eth, T1, the world

Physically, it goes like this due to OSPF programming as in Butch’s article (er, well, it’s supposed to):
T1, eth3-Router A, eth1-Router A, eth1-Router B, eth3-Router B, customer-Router, eth3-Router B, eth2-Router B, eth2-Router A, eth3-Router A, T1

The IP addresses on my “link 1” are different from the addresses on “link 2”. They have to be for this OSPF/“full-duplex” thing to work. Notice that all my eth1’s are with “link 1” and all my eth2’s are with “link 2”.

All packets that enter my WISP network (the customer) traverse “link 1” and all packets that leave my WISP network traverse “link 2”. It seems that everything works fine except:

Two issues:
When a customer goes to “http://whatismyip.org” they see only the eth3-Router A address, not their real one at their actual router.

I’m thinking I do not have my routing 100% correct on Router A and/or Router B. Can anyone help out here?

Also, supposedly, IPSec will not work from my WISP network to an outside IP address.
Does IPSec need the same physical path (in my context above) or same IP path to work properly? Customer says that VPN “comes up but won’t pass any data”.

I don’t ask questions very often. I hope someone can lend a hand here…

Thanks,
Michael

When a customer goes to “http://whatismyip.org” they see only the eth3-Router A address, not their real one at their actual router

You don’t mention a proxy so I presume that you’re doing NAT on router A. If so, this is normal behaviour.

Also, supposedly, IPSec will not work from my WISP network to an outside IP address

ESP (IPSEC data packets) is not fully compatible with NAT. The customer needs to run NAT-T on both the client and the server.

Regards

Andrew
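The two points Andrew makes here, as an added example that is not part of the thread: a toy masquerading NAT in Python that rewrites source addresses by port, so a “what is my IP” server sees the router’s public address rather than the customer’s; that drops raw ESP (IP protocol 50) because ESP carries no ports for the NAT to key a mapping on; and that passes the same ESP datagram once it is UDP-encapsulated on port 4500 per RFC 3948 (NAT-T), in both directions. All addresses are constructed TEST-NET values, the NAT is a simplified model rather than any vendor’s implementation, and IP/UDP checksums are left at zero because nothing here touches a wire.

```python
"""Added example: masquerade vs. raw ESP vs. NAT-T (RFC 3948 UDP/4500)."""
import socket
import struct

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
NAT_T_PORT = 4500  # UDP port for IKE/ESP encapsulation (RFC 3948)


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header; checksum left zero (never sent on a wire)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse(pkt):
    """Split an IPv4 packet into addresses, protocol and the L4 bytes after the header."""
    vihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "l4": pkt[ihl:]}


def esp(spi, seq, ciphertext):
    """ESP header (SPI, sequence number) followed by the opaque encrypted payload."""
    return struct.pack("!II", spi, seq) + ciphertext


def udp(sport, dport, payload):
    """UDP header with checksum zero (permitted for IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp_syn(sport, dport):
    """Just enough TCP header for port rewriting: ports, seq, ack, offset, flags, window."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x02, 65535, 0, 0)


class Masquerade:
    """Toy source NAT keyed by (protocol, translated port), like a gateway's
    'masquerade'. It can only rewrite protocols that carry L4 ports."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.table = {}  # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        p = parse(pkt)
        if p["proto"] not in (PROTO_TCP, PROTO_UDP):
            return None  # ESP (50), AH (51), GRE (47): no ports, nothing to map on
        sport, dport = struct.unpack("!HH", p["l4"][:4])
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(p["proto"], pub_port)] = (p["src"], sport)
        l4 = struct.pack("!HH", pub_port, dport) + p["l4"][4:]
        return ipv4(self.public_ip, p["dst"], p["proto"], l4)

    def inbound(self, pkt):
        p = parse(pkt)
        if p["dst"] != self.public_ip or p["proto"] not in (PROTO_TCP, PROTO_UDP):
            return None
        sport, dport = struct.unpack("!HH", p["l4"][:4])
        inside = self.table.get((p["proto"], dport))
        if inside is None:
            return None  # unsolicited: no mapping exists, dropped
        inside_ip, inside_port = inside
        l4 = struct.pack("!HH", sport, inside_port) + p["l4"][4:]
        return ipv4(p["src"], inside_ip, p["proto"], l4)


# Constructed addresses (TEST-NET): customer behind the NAT, router's public side, peers.
CUSTOMER, ROUTER_PUBLIC = "198.51.100.20", "203.0.113.1"
WEB, VPN_PEER = "192.0.2.80", "192.0.2.10"
nat = Masquerade(ROUTER_PUBLIC)


def address_seen_by_web_server():
    """What a 'what is my IP' site sees: the NAT's public address, not the customer's."""
    out = nat.outbound(ipv4(CUSTOMER, WEB, PROTO_TCP, tcp_syn(51000, 80)))
    return parse(out)["src"]


def raw_esp_result():
    """IP protocol 50 straight through the NAT: dropped, there are no ports to track."""
    return nat.outbound(ipv4(CUSTOMER, VPN_PEER, PROTO_ESP, esp(0x1000, 1, b"\xaa" * 16)))


def nat_t_round_trip():
    """Same ESP datagram wrapped in UDP/4500: translated out and mapped back in."""
    datagram = esp(0x1000, 1, b"\xaa" * 16)
    out = nat.outbound(ipv4(CUSTOMER, VPN_PEER, PROTO_UDP,
                            udp(NAT_T_PORT, NAT_T_PORT, datagram)))
    o = parse(out)
    pub_port = struct.unpack("!H", o["l4"][:2])[0]
    # The peer answers the translated address/port; the NAT maps it back to the customer.
    reply = nat.inbound(ipv4(VPN_PEER, ROUTER_PUBLIC, PROTO_UDP,
                             udp(NAT_T_PORT, pub_port, esp(0x2000, 1, b"\xbb" * 16))))
    r = parse(reply)
    spi_in = struct.unpack("!I", r["l4"][8:12])[0]  # SPI sits right after the 8-byte UDP header
    return o["src"], o["l4"][8:] == datagram, r["dst"], spi_in
```

Real gateways vary: some track one ESP flow per peer by SPI (“IPsec passthrough”), which is why a single tunnel can work behind a NAT while a second one from the same side does not; NAT-T removes the dependence on that. The quick check is whether the VPN peer’s logs show the tunnel traffic arriving from the router’s public address rather than the customer’s; if so, address translation is happening somewhere in the path, whatever the routers are believed to be configured for.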

Thank you, sir, but I am not running NAT anywhere on that network diagram. Nor am I running a proxy. It’s merely OSPF programmed to force packets through a particular eth interface for “download” traffic and “upload” traffic through the other eth interface on both Router A and Router B. (Both have three eth interfaces.)

–Michael

OK, but OSPF will not cause the source IP address of packets to change which is what your clients are seeing.

Regards

Andrew

I’m inclined to agree :)

But any ideas as to why a particular implementation of IPSec VPN won’t work?

Some IPSec VPNs do work across my network. In fact, it appears that 99.9% of network protocols work fine. But I have one customer whose IPSec VPN does not work. A vendor of his says the link must be ‘synchronous’.

–michael

IPSEC requires that the address it’s receiving packets from match the IPSEC peer policy setting. If you’re sending and receiving packets on different links then this will not be the case and the packets will be dropped.

Regards

Andrew