Routing traffic between VPN networks with OpenVPN


purplebadger
01-21-2008, 04:59 PM
Hi all,

Sorry for the unhelpful title - hopefully my description of the current setup will help. I'm trying to replace two Microsoft ISA servers with Untangle servers. I'm afraid my networking knowledge is relatively limited too, so please forgive me if what I'm trying to do is either impossible or actually very simple; I have searched for a solution to the problem and have found similar issues, but nothing quite the same as far as I can tell.

Our network consists of the following:

1. An ISA server connected to a DSL modem with a DHCP assigned address (192.168.200.1), as well as an internal office address (10.0.0.250). This box is our internet gateway and is called "isa-web". (DSL is a temporary solution until we get a leased line which will give us a publicly addressable connection, but that's not that important at the moment).

2. An ISA server connected to our internal network (10.0.0.251), and to a Cisco router which provides us access to a VPN. We call this "isa-bt-vpn". The Cisco router is managed by British Telecom and provides us with access to the UK healthcare system's VPN. isa-bt-vpn's default gateway is set to be the Cisco router, 195.192.107.1, and its IP address on that range is 195.192.107.2.

3. A Windows 2003 server running Routing and Remote Access with a bunch of static routes. It's the default gateway for DHCP clients on our internal network. Let's call this server "gateway" (imaginative, I know). Its default gateway is isa-web.

4. Windows XP, Vista, and 2003 clients with addresses on 10.0.0.0.

5. VPN clients to our network on 10.0.1.0.

The network's operation is straightforward; all traffic goes through 'gateway' which either forwards it to isa-web, or isa-bt-vpn, depending whether there is a static route configured for the destination. That is, if our internal clients need to access a server on the BT VPN, we simply create a static route for that server on 'gateway', it routes the traffic to isa-bt-vpn, and it routes it out via the Cisco router. It's not brilliant, but we only have a small number of static routes, and it works well.

The problem arises when clients VPN into our internal network. We need those clients to be able to access the hosts set up on the BT VPN (they cannot connect to the BT VPN directly since all traffic *has* to go via isa-bt-vpn since it is physically our gateway to the BT network).

So, what we need to do is something like:

10.0.0.0 > 10.0.0.251 > 195.192.107.2 > 195.192.107.1 > BT VPN host.

I'm guessing I need to set the default gateway for VPN clients on 10.0.1.0 to be 'gateway', which will then route traffic just as if the client was actually in the office. I can't work out how to do that though.

The only thing I can see that might do what I want is the 'redirect-gateway' directive in OpenVPN. This is not a problem; I don't mind if all VPN clients' traffic goes through the office network. I'd rather not do that if possible, but it's not a big deal.

I'd also like to keep the topology roughly as it is, with a gateway for internet traffic and a separate one for BT VPN traffic. I know I could potentially put another network card in a single box and route from a single point, but I'd like to isolate isa-bt-vpn if possible; we have the hardware and this was the intended topology. We're finding ISA annoying, think Untangle looks great, and if we can avoid it, we'd rather not spend a fortune on licences for Windows 2003 and ISA. I'm quite happy for the static routes to be moved onto an Untangle box.

I hope that adequately explains what I'm trying to do; if I had to put it in a sentence it would be: route traffic between 2 VPNs.

I'd be very grateful for any assistance. Apologies for my wordiness.

Tom

purplebadger
01-21-2008, 05:04 PM
Incidentally, I did put:

push "redirect-gateway"

in the server configuration file, but when I restarted the server from the rack, it overwrote my changes so I'm not sure what next. Can you tell the client to use a particular gateway?

Many thanks.

purplebadger
01-24-2008, 08:01 AM
:(

No ideas? Sorry if I overly complicated things.

I took the plunge anyway, knowing that we couldn't be any worse off than we currently are with ISA (e.g. VPN clients cannot see the other VPN - perhaps this thread would be better titled 'bridging VPNs'), and I'm delighted to say I now have two Untangle boxes co-operating quite happily with static routes (at least as far as internal clients are concerned).

So my problem remains, if anyone does have any bright ideas. Basically, I need VPN traffic to be aware of static routes and use them accordingly.

purplebadger
01-24-2008, 08:46 AM
Okay. This is REALLY frustrating. If I sit on a VPN client and hit a site I'm trying to expose, I can see the router flash up blocked traffic in the real-time monitor, however it's not showing anything in the log.

Is there a way I can log every request and block to the router?

purplebadger
01-25-2008, 09:55 AM
In a shameless attempt to keep this in focus... :)

Our VPN clients can hit websites on our internal LAN, as you'd expect, and their IP addresses are recorded in the web server's log as coming from the addresses in the VPN pool - as you'd expect.

What I need to know, is if I hit a web address on the external network of the other Untangle box - the one defined by the static routes - from a VPN client, what IP address will that web address see? It's entirely possible that addresses on that network are expecting to see the Untangle box's external IP. If that Untangle box is routing the VPN addresses, rather than NAT'ing them as it is with the other internal clients that aren't on the VPN, the external network addresses will drop the packets at their firewall.

Unfortunately I have no control over the other network so I can't check their firewall logs to see what they're receiving/dropping. Can anyone explain what the expected behaviour here would be?

purplebadger
01-29-2008, 02:04 PM
Just as a follow up, I've swapped emails and telephone calls with Untangle's tech support (who I found very willing to help), and their conclusion is that what I want to do - push static routes out to VPN clients - is not something they've done in the past. I'm not sure this can be true, but I'm guessing that it's something to do with the way OpenVPN works; all this used to work with PPTP on Microsoft ISA, so I'm going to try M0n0wall or Endian and see whether a distribution that implements its VPN using IPSec will do what I want.

gotkimchi
01-29-2008, 02:07 PM
On your VPN settings, what is on your exported address? If you export the other side, you should be able to get to it.

purplebadger
01-29-2008, 02:30 PM
Hi! A reply. :)

On the VPN server, the exported hosts/networks, are as in the attached diagram (name changed for security):

http://badgerama.com/images/untangle.png

And here is a network diagram for the whole network:

http://badgerama.com/images/network-2.jpg

So what do you think I need to add to the exported hosts on the VPN settings?

I appreciate your time, gotkimchi.

gotkimchi
01-29-2008, 02:48 PM
From your diagram, do both the Untangles have the same internal subnets? (10.0.0.x) If you change the other one to 10.0.10.x, then export this on the other one, this should fix it.

purplebadger
01-29-2008, 03:26 PM
Sorry, just so I'm clear...

Yes, both gateway boxes are on the same internal subnet; 10.0.0.100, and 10.0.0.101.

You're saying that www-gateway should have 192.168.200.4 (its external address), and 10.0.0.100, and that the other gateway should have 10.0.1.101 as well as its external address?

amac
01-29-2008, 03:34 PM
I think what he was talking about, is have both networks exported. The local lan and the remote vpn network in the exported hosts list on the web Untangle. So you would have the 1st network in like you do, then add the remote network address that they are trying to get to. If an address doesn't lie within what has been specified as exported, the router will block the traffic.

gotkimchi
01-29-2008, 03:37 PM
Yes, not following you on your last statement. " should have 10.0.1.101 as well its external address"? I would make sure it is a different subnet, so 10.0.1.101 is good.

purplebadger
01-29-2008, 03:51 PM
Oh, I see, so you mean duplicate the static route as an exported network? Like this:

http://badgerama.com/images/exported-hosts.png?

Afraid that doesn't work either...

purplebadger
01-29-2008, 03:53 PM
I do appreciate you taking the time guys, I've really been banging my head against a wall with this one and I'm *sure* it's something simple I'm missing.

gotkimchi
01-29-2008, 04:00 PM
no, what I meant, put 10.0.1.x on the export as well.

purplebadger
01-30-2008, 03:22 AM
Okay, I tried your suggestion, but it didn't make any difference I'm afraid.

The best I can do is get to the point where I can watch the router module flash traffic and show that *something* is hitting it, but nothing happens after that. I've created a small web page on one of the servers that simply logs all environment variables to a text file on the server, but that file doesn't get written when the traffic goes out.

It looks to my (admittedly completely amateur) eye, that the traffic is not being NAT'd, and that the IP address the server sees is that of the VPN client - which its firewall then rejects. It seems to be that something about NAT/routing/static routes is incompatible with OpenVPN.
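The question asked earlier in the thread (what source address the BT-side host sees) and the diagnosis in this post can be checked with a small model of the two-hop path. This is an added example, not code from the thread, from Untangle or from OpenVPN. The addresses are the ones posted; the BT host 203.0.113.10 (a documentation address), the remote firewall's policy of trusting only 195.192.107.2, and the assumption that Untangle's exported-networks list becomes OpenVPN `push "route ..."` lines are all assumptions. The `exported` gate follows amac's description above.

```python
"""Two-hop model of the path in this thread: VPN client -> www-gateway -> bt-gateway -> BT host.

Added example, not code from the thread, Untangle or OpenVPN. Each box does a
longest-prefix route lookup; the VPN box also applies the "exported networks"
gate amac describes; the BT-facing box source-NATs whichever source networks
it has been told are "internal"; the remote firewall trusts only 195.192.107.2.
"""
import ipaddress

IPNet = ipaddress.ip_network
IPAddr = ipaddress.ip_address

# Addresses as posted in the thread. The BT host is a documentation placeholder
# (assumption): the thread never names the real one.
OFFICE_LAN = IPNet("10.0.0.0/24")
VPN_POOL = IPNet("10.0.1.0/24")
WWW_GATEWAY_INT = IPAddr("10.0.0.100")     # Untangle running OpenVPN
WWW_GATEWAY_EXT = IPAddr("192.168.200.4")  # its DSL-side address
BT_GATEWAY_INT = IPAddr("10.0.0.101")      # Untangle in front of the BT Cisco router
BT_GATEWAY_EXT = IPAddr("195.192.107.2")
BT_ROUTER = IPAddr("195.192.107.1")
BT_HOST = IPNet("203.0.113.10/32")         # placeholder for one BT VPN host (assumption)
DEFAULT = IPNet("0.0.0.0/0")


def lookup(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; next_hop None = on-link."""
    best = None
    for net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


class Box:
    def __init__(self, name, routes, nat_sources, ext_addr, exported=None):
        self.name = name
        self.routes = routes            # [(network, next_hop)]
        self.nat_sources = nat_sources  # source networks masqueraded when leaving the external side
        self.ext_addr = ext_addr
        self.exported = exported        # VPN box only: destinations VPN clients may reach

    def forward(self, src, dst):
        """Return (next_hop, source address as sent, drop reason or None)."""
        if self.exported is not None and src in VPN_POOL and not any(dst in n for n in self.exported):
            return None, src, f"{self.name}: {dst} is not an exported network, blocked"
        route = lookup(self.routes, dst)
        if route is None:
            return None, src, f"{self.name}: no route to {dst}"
        via = route[1]
        # NAT happens only on the external interface, i.e. when the next hop is off the office LAN.
        leaving_ext = via is not None and via not in OFFICE_LAN
        if leaving_ext and any(src in n for n in self.nat_sources):
            src = self.ext_addr
        return via, src, None


def build_topology(nat_vpn_pool):
    """nat_vpn_pool=False is what purplebadger saw; True is the fix described at the end."""
    www = Box("www-gateway",
              routes=[(OFFICE_LAN, None), (VPN_POOL, None),
                      (BT_HOST, BT_GATEWAY_INT), (DEFAULT, IPAddr("192.168.200.1"))],
              nat_sources=[OFFICE_LAN, VPN_POOL], ext_addr=WWW_GATEWAY_EXT,
              exported=[OFFICE_LAN, BT_HOST])
    bt = Box("bt-gateway",
             routes=[(OFFICE_LAN, None), (VPN_POOL, WWW_GATEWAY_INT), (BT_HOST, BT_ROUTER)],
             nat_sources=[OFFICE_LAN] + ([VPN_POOL] if nat_vpn_pool else []),
             ext_addr=BT_GATEWAY_EXT)
    return [www, bt]


def trace(src, dst, boxes, remote_trusted=(BT_GATEWAY_EXT,)):
    """Push one packet through the boxes in order and report what the remote host sees."""
    src, dst = IPAddr(src), IPAddr(dst)
    hops = []
    for box in boxes:
        via, src, reason = box.forward(src, dst)
        if reason:
            return {"hops": hops, "seen_as": None, "accepted": False, "dropped_at": reason}
        hops.append((box.name, str(via), str(src)))
    return {"hops": hops, "seen_as": str(src), "accepted": src in remote_trusted, "dropped_at": None}


def push_directives(exported):
    """OpenVPN server lines that hand the client the same routes, instead of redirect-gateway.
    Assumption: Untangle's exported-networks list is what ends up as these push lines."""
    return [f'push "route {n.network_address} {n.netmask}"' for n in exported]


if __name__ == "__main__":
    for nat_pool in (False, True):
        boxes = build_topology(nat_pool)
        print(f"bt-gateway NATs the VPN pool: {nat_pool}")
        for client in ("10.0.0.50", "10.0.1.5"):
            print(" ", client, "->", BT_HOST.network_address, trace(client, "203.0.113.10", boxes))
    print("\n".join(push_directives(build_topology(True)[0].exported)))
```

Running it shows the two outcomes side by side: a LAN client leaves bt-gateway as 195.192.107.2 and is accepted, while a VPN client leaves as 10.0.1.5 and is rejected until the BT-facing box is told that 10.0.1.0/24 is also an internal (NAT'd) network, which is what the "private network" change in the final post does. The model also shows why pushing specific routes is enough: redirect-gateway is only needed if the client's default route must go through the office.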

purplebadger
01-31-2008, 08:38 AM
Just as a follow-up, I solved the problem with a combination of a leased line, m0n0wall, and common sense.

m0n0wall is now our perimeter machine. It has a publicly addressable interface connected to a leased line (previously Untangle's 'public' address was that supplied by the DSL modem). m0n0wall has an advantage (for us), in that it supports PPTP VPN connections; I configured this and was able to connect as expected.

I also configured the private network of the other gateway machine (still Untangle), with the addresses of the VPN as configured in m0n0wall; once I did that, it routed traffic correctly and I didn't get the annoying 'blocked' flashing up. I believe that was the actual solution to my problem, but since I've also introduced PPTP, m0n0wall, and a public address into the equation, I can't say for sure. I'll try and get the Untangle box running in the same way and post back to confirm.

We're going to stick with m0n0wall as the perimeter box regardless, since it supports PPTP VPNs and we prefer this to OpenVPN (as nice as OpenVPN is, we need to be able to connect from Windows clients with no additional software except a certificate). I might still put an Untangle box back in as a transparent bridge so it can do all the good stuff it does, but it won't be our perimeter machine.

Thanks for all contributions. Will follow up if/when I get a chance to test Untangle.