Re: Help or Advice with ipsec / IP Accounting / NAT setup


Could someone please give me a pointer?



Chris Moules wrote:
> Hello,
> Please could you CC me in on replies, I have set my subscription to digest.
> I have an interesting setup that I need to add IP Accounting to.
> Overview:
> I have a number of client networks with VPN connections to my OpenBSD
> 3.6 GENERIC box. The hosts on these networks need to authenticate with
> this machine and then are allowed access to the internet. This is
> provided via NATing on the Public IP. This all works fine.
> Now I need to do accounting for the data transfer *per host* for the
> networks. I also need to monitor the traffic to check for idle timeouts
> and re-block the IP (pf table entry).
> I have been looking at using ipaudit for the accounting. There is only
> one problem. Having patched it to also read the enc0 interface, it only
> 'sees' the IP address from the VPN gateway and not the traffic from the
> hosts behind.
> Guess at solution:
> I think that the solution that I need is to add 2 virtual interfaces and
> bridge them, routing all the VPN traffic from the networks into one end
> and then working from the other for ipaudit and the NAT source. I assume
> that this way the packets will have completely left the VPN tunnel (not
> the case on enc0???) and then be workable.
> Does this make sense? If not, how should I approach this, short of a
> 2-port NIC and a short crossover, for which there is no space in the 1U box.
> I am not sure which virtual interface is best for the job (I assume tun0
> and tun1) and if it is possible to bridge two such interfaces in this
> manner.
> Attempt at Diagram:
> ------------\     (tun0)-bridge-(tun1)
> VPN |-(em0)-(enc0)-/               \--NAT-(fxp0)----INTERNET
> --------------\
>              ^^^^^                 ^^^
>   here is still Gateway IP         Here 'original' IP's
> As this is a live working system and I do not have the facilities to
> build a dummy equivalent, I am hesitant to start messing without a clear
> plan and knowing that it should/will work.
> Thanks for any help
> Chris
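The per-host accounting and idle-timeout part of the question can be approached from pf itself rather than from a sniffer: pf table entries carry per-address packet and byte counters that pfctl prints with `-T show -v`. The script below is an added example and is not code from the thread or from OpenBSD. It assumes a pf table named `authed` holding the authenticated client addresses (the name is hypothetical), and the counter output it parses is a constructed sample in the format later pfctl releases print; whether the 3.6 pfctl in the post prints these counters in exactly this form is not something the thread confirms, so check the output of `pfctl -t authed -T show -vv` on the real box before relying on the field positions.

```shell
#!/bin/sh
# Added example, not from the original thread. Per-host byte accounting and
# idle detection from pf table counters. Table name "authed" is an assumption;
# the pfctl output below is constructed sample data, not a capture.

# Constructed: two snapshots of `pfctl -t authed -T show -vv`, a few minutes apart.
SNAP1='   10.1.1.10
        Cleared:     Sun Jan  2 10:00:00 2005
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 120                Bytes: 96000              ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 80                 Bytes: 12000              ]
   10.1.2.20
        Cleared:     Sun Jan  2 10:00:00 2005
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 10                 Bytes: 4000               ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 10                 Bytes: 3000               ]
'
SNAP2='   10.1.1.10
        Cleared:     Sun Jan  2 10:00:00 2005
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 125                Bytes: 100000             ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 88                 Bytes: 13000              ]
   10.1.2.20
        Cleared:     Sun Jan  2 10:00:00 2005
        In/Block:    [ Packets: 0                  Bytes: 0                  ]
        In/Pass:     [ Packets: 10                 Bytes: 4000               ]
        Out/Block:   [ Packets: 0                  Bytes: 0                  ]
        Out/Pass:    [ Packets: 10                 Bytes: 3000               ]
'

# parse_table_stats: stdin is the verbose table listing; stdout is one line per
# address, "addr in_pass_bytes out_pass_bytes". Only passed traffic is counted,
# since blocked packets are not transfer the client should be billed for.
parse_table_stats() {
    awk '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            if (addr) print addr, ib, ob
            addr = $1; ib = 0; ob = 0; next
        }
        /In\/Pass:/  { ib = $6 }   # "In/Pass: [ Packets: N Bytes: M ]" -> $6 is M
        /Out\/Pass:/ { ob = $6 }
        END { if (addr) print addr, ib, ob }
    '
}

# usage_delta OLD NEW: bytes each host moved between the two parsed snapshots.
# A negative delta means the entry was re-added (counters cleared) in between;
# the new snapshot is then the whole usage since re-add, so it is used as-is.
usage_delta() {
    awk 'NR == FNR { old[$1] = $2 + $3; next }
         { d = ($2 + $3) - (($1 in old) ? old[$1] : 0)
           if (d < 0) d = $2 + $3
           print $1, d }' "$1" "$2"
}

# idle_hosts OLD NEW: hosts present in both snapshots whose pass counters did
# not move; these are the idle-timeout candidates to drop from the table.
idle_hosts() {
    awk 'NR == FNR { old[$1] = $2 + $3; next }
         ($1 in old) && old[$1] == $2 + $3 { print $1 }' "$1" "$2"
}

# demo: run both snapshots through the pipeline and print the pfctl commands
# that would re-block the idle hosts (printed, not executed, in this example).
demo() {
    old=$(mktemp) && new=$(mktemp) || return 1
    printf '%s' "$SNAP1" | parse_table_stats > "$old"
    printf '%s' "$SNAP2" | parse_table_stats > "$new"
    echo "bytes per host since last snapshot:"
    usage_delta "$old" "$new"
    for h in $(idle_hosts "$old" "$new"); do
        echo "idle: pfctl -t authed -T delete $h"
    done
    rm -f "$old" "$new"
}

demo
```

In production the snapshots would be real `pfctl -t authed -T show -vv` output saved to a file on each run from cron, and the `echo` in `demo` would become the actual `pfctl -t authed -T delete` call, with the delta fed to whatever accounting store is in use.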