[pptp-server] Dual DSL Connections and routing

Justin Kreger lists at earthling.2y.net
Thu May 24 05:45:37 CDT 2001


Set up a default route to the line that is used for the internet... then
set up any proxying/firewalling/natting you need on that, then, using
ipsec, connect the two offices together using freeswan.  In freeswan, tell
it the next hop for the ipsec connection on your end with two dsl lines
is to the router on the second dsl line; make sure you have a route
already in place for it, perhaps a backup default route.

assuming eth1 and eth2 are external interfaces, eth2 being for employee
internet access


route add -net 0.0.0.0 netmask 0.0.0.0 gw nexthop-ip-on-eth2 metric 1 dev eth2
route add -net 0.0.0.0 netmask 0.0.0.0 gw nexthop-ip-on-eth1 metric 5 dev eth1

That SHOULD give you some redundancy.  You should be able to use
ip masquerading, and have it run just fine.  If you really wanted to get
it to work perfectly, contact the ISP, and talk about running a routing
protocol on the two lines.

Now, set up ipsec to use the gateway's ip on eth1 as the next hop for your
end of the tunnel (Freeswan now supports compression).  Freeswan will
handle the routing from there.

One bit of warning with dsl lines: I am working with a customer right now,
and they have dsl lines between two locations, and one of the locations
seems to have a bad phone line, so it cuts out for minutes at a
time.  This does cause problems with ipsec, but it's easy to write a
script to check it, and restart the connection.


Justin Kreger, MCP MCSE CCNA
jkreger at earthling.2y.net jwkreger at uncg.edu jkreger at aristotle.wss.net
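
The route plan described above, written out as a small script (an added example, not code from this message or from the thread): the Internet default goes on the employee line with the better metric, a backup default on the tunnel line with a worse one, and a host route to the home office pinned to the tunnel line, plus the kind of check-and-restart watchdog the reply mentions. Interface names, the 192.0.2.x / 198.51.100.x addresses, and the connection name `office-to-office` are constructed placeholders; `ipsec auto --down/--up` are FreeS/WAN commands, and `ping -I/-W` are iputils flags. Every route carries an explicit `dev`, which is what makes the plan safe when both lines share the same next-hop address (the case in the original question).

```shell
#!/bin/sh
# Added example, not code from the thread: a route plan for a box with two DSL
# lines, following the advice above, plus a tunnel watchdog.
# Interface names, addresses and the connection name are constructed
# placeholders (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).

VPN_IF="${VPN_IF:-eth1}"            # line reserved for the office-to-office tunnel
VPN_GW="${VPN_GW:-192.0.2.1}"       # next hop on that line (placeholder)
INET_IF="${INET_IF:-eth2}"          # line for employee Internet access
INET_GW="${INET_GW:-192.0.2.1}"     # next hop on that line (placeholder; same as VPN_GW on purpose)
PEER_IP="${PEER_IP:-198.51.100.20}" # home-office tunnel endpoint (placeholder)
CONN="${CONN:-office-to-office}"    # FreeS/WAN connection name (placeholder)

# Returns 0 when both lines use the same next-hop address, the situation in
# which a route given without "dev" is ambiguous; the plan below therefore
# pins every route to its device.
same_gateway() { [ "$VPN_GW" = "$INET_GW" ]; }

# Print the route commands instead of running them, so the plan can be read
# (and checked) before it is applied to a production box.
route_plan() {
    # Host route to the tunnel peer, pinned to the tunnel line.
    echo "route add -host $PEER_IP gw $VPN_GW dev $VPN_IF"
    # Preferred default for everything else: the employee Internet line.
    echo "route add -net 0.0.0.0 netmask 0.0.0.0 gw $INET_GW metric 1 dev $INET_IF"
    # Backup default with a worse metric, used only if the first line drops.
    echo "route add -net 0.0.0.0 netmask 0.0.0.0 gw $VPN_GW metric 5 dev $VPN_IF"
}

# Apply the plan line by line, reporting any command the kernel rejects.
apply_routes() {
    route_plan | while read -r cmd; do
        eval "$cmd" || echo "failed: $cmd" >&2
    done
}

# True when the peer answers over the tunnel line (iputils ping flags).
peer_reachable() {
    ping -c 3 -W 2 -I "$VPN_IF" "$PEER_IP" >/dev/null 2>&1
}

# Re-establish the tunnel after the line has dropped, as the reply suggests
# doing from a script; these are FreeS/WAN's connection control commands.
restart_tunnel() {
    ipsec auto --down "$CONN"
    ipsec auto --up "$CONN"
}

# Poll the peer once a minute and restart the tunnel when it stops answering.
tunnel_watchdog() {
    while :; do
        peer_reachable || restart_tunnel
        sleep 60
    done
}

case "${1:-plan}" in
    plan)  route_plan ;;
    apply) apply_routes ;;
    watch) tunnel_watchdog ;;
esac
```

Run it with no argument to print the plan, `apply` to install the routes, and `watch` to keep the tunnel up; the defaults can be overridden through the environment (`VPN_IF=eth0 INET_IF=eth2 ./dualdsl.sh plan`).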


On Wed, 23 May 2001, tytyty wrote:

> I'm not using Redhat but I believe I understand your point, basically I
> should NOT have a default route, but set individual routes on devices as
> I was thinking. These are the routes I am going to try:
> route add -net 999.1.34.221 netmask 255.255.255.255 gw 999.86.241.1 eth0
> <- only pointing at home office
> route add -net 0.0.0.0 netmask 0.0.0.0 gw 999.86.241.1 eth2 <- for
> internet
> 
> Thank you for your response.
> 
> George Vieira wrote:
> > 
> > I think your problem is your network configuration in your system. Is this
> > RedHat linux?
> > If so, check your /etc/sysconfig/network-scripts/ifcfg-eth0 and remove the
> > GATEWAY= settings and put it into ifcfg-eth1
> > 
> > If it doesn't exist then it may appear in /etc/sysconfig/network and the
> > same setting is in there.
> > 
> > If it's in the /etc/sysconfig/network file then your problem will be as you
> > said "both devices use the same gateway" then use the
> > /etc/sysconfig/static-routes file and specify the device NOT the
> > gateway..eg.
> > 
> > eth1 default dev eth1
> > 
> > not
> > 
> > eth0 default eth0
> > 
> > hopefully this will help. Basically make sure on reboot that both ETH
> > devices have default gateways turned off then apply the static route via the
> > device (ETH1, or whateva)..
> > 
> > good luck
> > 
> > thanks,
> > George Vieira
> > 
> > -----Original Message-----
> > From: Doug Olivier [mailto:dolivier at bondedcollections.com]
> > Sent: Thursday, May 24, 2001 12:57 AM
> > To: vpnd; pptp-server
> > Subject: [pptp-server] Dual DSL Connections and routing
> > 
> > Sorry to cross post to both mailing lists but this situation seems to apply to
> > both protocols.
> > 
> > The Situation:
> > 
> > Remote office with 2 DSL connections provided by the same ISP.
> > 
> > This office has been running a vpnd connection to the main facility over 1
> > DSL connection for over 90 days. Due to an increase in employees and
> > requested Internet browsing, email etc.. We obtained a second DSL line at
> > their site.
> > 
> > Objective:
> > 
> > Use the original DSL connection for the vpnd link only (15 telnet
> > connections to db server). Use the 2nd DSL connection for Internet only
> > (web, email).
> > 
> > Results:
> > 
> > When I activated the routing for the second DSL using
> > route add -net 0.0.0.0 netmask 0.0.0.0 gw 999.86.241.1 eth2
> > and adjusted the ipchains to only allow web, email via eth2 it worked fine.
> > The commands were then added to the startup files.
> > The vpnd link was already up and running at this time.
> > 
> > However on a subsequent reboot all access to the internet was lost.
> > When I turned off the eth2 connection and removed the route and ipchains for
> > it I was able to reestablish the vpn link and internet access.
> > 
> > My theory is that the first DSL (eth0) is acquiring the default gw via the
> > route add default gw 999.86.241.1 netmask 0.0.0.0 metric 1
> > Since both DSL routes use the same gateway.
> > 
> > Since this is a production box and I have a limited time frame to manipulate
> > it (1-2 hrs. a day)
> > I'm looking for suggestions.
> > 
> > My Ideas:
> > 
> > Setup 2nd DSL on eth0 and let it have the default route and adjust the
> > firewall rules re that interface.
> > Setup a static route on the 2nd DSL line to point only at our home office IP
> > (i.e. route add -net 999.1.34.221 netmask 255.255.255.255 gw 999.86.241.1
> > eth2 even though that route gets set when vpnd links up.
> > 
> > Does anyone else have any other ideas, advice, words of wisdom on this
> > situation ?
> > 
> > Douglas J. Olivier
> > Network Administrator
> > Bonded Collections of Tucson Inc.
> > 
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!