Proxying HTTP-Traffic through VPN/GRE

dese.co.uk
Level 1

Dear community,

After 4 days, including a night shift, of going deep into the heart of the matter, this support community seems to be my last resort to find some relief from what has meanwhile become desperation.

Scenario:

------------------

For one of my clients, a landlord, I maintain 3 wireless networks to provide a free internet access service for his tenants. In order to comply with changed local law, we are now obliged to log the www traffic for at least 6 weeks, as these wifi nets are public even though they are secured with WPA2 keys.

My current technical equipment:

-----------------------------------------------

Client site:

1 x Cisco 3640 4x FE, PPPoE
2 x Linksys WRT-54GS
1 x Linksys WAP-54G
1 x ADSL internet connection, dynamic IP

My site:

fully equipped ISP NOC/PoP
leased line / peer to international backbone
Cisco 3745 for main access / VPN
Sun Fire UltraSPARC IIIi, Sun Solaris 11 (b130), Squid 3.1.16 64-bit

My approach / idea:

-----------------------------

From the client site the C3640 connects over VPN to our PoP; the www traffic from 2 of the 3 wifi nets is redirected through the VPN/GRE tunnel to our Squid proxy, where it is logged and then forwarded, while all non-www traffic goes straight through the client's ADSL connection gateway. The 3rd wifi is the personal wifi of the landlord and thus no logging is required; he uses the direct way over his own ADSL gateway.

The www traffic from the 2 wifi nets is forwarded either using WCCPv2 or using PBR with a route-map and ACL. As each wifi user gets assigned a fixed private class B address, we can keep track of which user accessed which URL at what time, which is not the case if all are using the ADSL gateway.

What I have set up so far:

------------------------------------

The VPN/GRE tunnel is properly configured; I can ping and reach all the EIGRP-propagated networks on both sites. On our site the tunnel is configured as multipoint GRE; the client's C3640 initiates the IPsec connection.

Current network setup:

172.16.14.0/24 VPN gateway for PTP
172.16.15.0/24 network on our site in which we run the proxy server
172.16.16.0/24 wifi-net 1
172.16.17.0/24 wifi-net 2

What I have tried so far:

------------------------------------

> WCCPv2 approach:

WCCPv2 is out of the question - this is not down to the Cisco routers, but a matter of the combination of Squid and Sun Solaris. Squid provides the WCCPv2/TPROXY facility only with Linux netfilter, which is not included in the Solaris OS. For some reason - and this is where the Squid developers should cast an eye - even when compiling Squid on Sun Solaris with the ipf-transparent switch enabled for the Solaris-included IPFilter, the WCCPv2/TPROXY support is not enabled. Though being a Sun Solaris expert, I do not really feel the desire to recompile the Solaris kernel, but I will check if the netfilter kernel modules can be added to a running kernel.

> PBR/Policy Based Routing:

After many unsuccessful attempts I found out that in this setup PBR with the following config:

    access-list 110 deny   tcp any any neq www
    access-list 110 deny   tcp host 172.16.15.2 any
    access-list 110 permit tcp any any
    !
    route-map spx-rdr permit 10
     match ip address 101
     set ip next-hop 172.16.15.2
    !
    interface Fa0/1
    !

will never work; the command 'sh route-map' shows, according to the packet counters, that the policy matches, but the packets are not forwarded to the hop. I furthermore tested whether the packets at least reach the server, which is not the case; the packets do not leave the router at all. The reason is quite simple, it is the hop counting:

    gw#traceroute 172.16.15.2
    Type escape sequence to abort.
    Tracing the route to 172.16.15.2

      1 172.16.14.1 40 msec 36 msec 40 msec
      2 172.16.15.2 40 msec 36 msec 40 msec

I have studied this reference without a useful hint for getting the PBR in my setup running:

http://wiki.nil.com/EIGRP_next_hop_processing#NBMA_network_with_disabled_EIGRP_next-hop-self

In another reference in this community I read something about:

    sdm prefer routing

Apparently this is only available on Cisco switches, not on the routers.

My final question(s):

---------------------

Is there anything where I went wrong or have overlooked - maybe my approach was not the best?

Do I have a chance to get this operational with PBR or with other configurations?

Could it be that the problem with regard to the hop counts could have been resolved using OSPF or BGP instead of EIGRP?

Thank you very much in advance for any advice and help. I apologize for this long posting, but I believe that only providing proper details in depth will lead to proper answers.

Best Regards,

David.
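The traceroute in the post above shows the proxy two hops away from the client router, and that is exactly the condition under which `set ip next-hop` does nothing: IOS policy routing only honours a next hop that sits on a directly connected subnet, and otherwise lets the packet fall through to the normal routing table. The configuration below is an added example, not David's configuration and not something Cisco or the Squid project publishes; it redirects HTTP from the two logged wifi nets in two stages, first to the adjacent GRE peer and then, on the hub, to the proxy. The interface names (FastEthernet0/1 on the client router, Tunnel0 on the hub), the ACL numbers and the route-map names are assumptions; the addresses are the ones from the post, with 172.16.14.1 taken from the traceroute as the tunnel far end.

```ios
! Added example, not the poster's configuration. Interface names, ACL numbers
! and route-map names are assumed; addresses are the ones given in the post.
!
! ---- Client router (C3640) ----
! Match only TCP/80 from the two logged wifi nets. Anything that does not
! match falls through to the routing table, i.e. the ADSL default route,
! so non-www traffic and the landlord's own wifi are unaffected.
access-list 110 permit tcp 172.16.16.0 0.0.0.255 any eq www
access-list 110 permit tcp 172.16.17.0 0.0.0.255 any eq www
!
route-map spx-rdr permit 10
 match ip address 110
 ! The next hop must be directly connected. The proxy (172.16.15.2) is two
 ! hops away, so point at the GRE far end instead. On a point-to-point
 ! tunnel "set interface Tunnel0" achieves the same.
 set ip next-hop 172.16.14.1
!
! PBR is evaluated on the interface where the packets ENTER the router,
! so the policy goes on the wifi-facing interface, not on the tunnel.
interface FastEthernet0/1
 description wifi-net 1 and wifi-net 2 (logged)
 ip policy route-map spx-rdr
!
! ---- Hub router (C3745) ----
! Packets arriving from the tunnel still carry the real web server as their
! destination address, so the hub has to policy-route them a second time,
! this time to the proxy, which is adjacent on the 172.16.15.0/24 LAN.
! Matching on the two wifi sources keeps the proxy's own outbound
! connections (source 172.16.15.2) out of the redirect, which avoids a loop.
access-list 120 permit tcp 172.16.16.0 0.0.0.255 any eq www
access-list 120 permit tcp 172.16.17.0 0.0.0.255 any eq www
!
route-map to-proxy permit 10
 match ip address 120
 set ip next-hop 172.16.15.2
!
interface Tunnel0
 ip policy route-map to-proxy
!
! Verification on either router:
!   show ip policy           - which route-map is applied to which interface
!   show route-map spx-rdr   - match counters increase as wifi clients browse
!   traceroute 172.16.14.1   - from the client router must show one hop
```

Two caveats a practitioner will want. First, the adjacency rule applies regardless of the routing protocol: switching from EIGRP to OSPF or BGP changes how 172.16.15.0/24 is learned, not whether 172.16.15.2 is on a connected subnet, so the routing protocol is not the lever here (some IOS releases offer `set ip next-hop recursive` for non-adjacent next hops; check the feature set on the 3640 before relying on it). Second, the packets that reach the Solaris host are addressed to the real web servers, so Squid still has to intercept them locally: with IPFilter that is an ipnat `rdr` rule sending port 80 to Squid's listening port together with `intercept` on the corresponding `http_port` line in squid.conf, which is the ipf-transparent build option the post mentions and is a separate matter from WCCP or TPROXY support.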

1 Reply

dese.co.uk
Level 1

To follow up on my previous post: I managed to set up OSPF instead of EIGRP. Unfortunately I did not get this running - OSPF tries to find its neighbor on the public IP side, not on the internal one where the VPN resides.

Is there any help & solution to get my route-map problem running?

Thank you & all the best.

David.
