Source IP Address Change
Posted: Thu Feb 18, 2016 8:08 am
by srhart
Hi
I'm sure I put this message up earlier today but it seems to have vanished - if it turns up then please accept my apologies:
We are installing an instance of Nagios XI from source onto a hosted VPS running CentOS 7 64-bit.
We need to implement a VPN and so require Nagios to use the IP address of an internal loopback interface as its source. Can you tell me how we do that please?
Thanks
Re: Source IP Address Change
Posted: Thu Feb 18, 2016 10:46 am
by hsmith
The traffic will come out of whatever interface routes to your destination. Is there a particular reason for needing to use the loopback device's IP address?
Re: Source IP Address Change
Posted: Fri Mar 18, 2016 10:58 am
by srhart
Apologies for not responding. We were unable to use the external address of the server as the source, as the intention was to have a route-based VPN. We got round this by using a policy-based VPN and it works fine now. It would have been neater to have the source for the SNMP traffic be the loopback address, as then we could have multiple paths to the server if required, however...
Re: Source IP Address Change
Posted: Fri Mar 18, 2016 2:38 pm
by rkennedy
To clarify, would you be able to set a default gateway for that VPN routed network? Just trying to understand what you're looking to accomplish.
Re: Source IP Address Change
Posted: Sat Mar 19, 2016 6:47 am
by srhart
Hi
The problem is that with a routed VPN things become difficult when the source address of the SNMP traffic, which is obviously part of the encryption domain, is also the source peer address of the VPN tunnel itself - it is much cleaner to have the traffic coming from a subnet separate from the peer addresses.
Normally we would have a firewall with its external address forming the tunnel with the other end, and the traffic would come from the inside/DMZ VLANs, but in this case we simply have a hosted server with the VPN tunnel coming directly from it, hence it would have been nice to be able to source the traffic from the loopback address rather than the external address. Sourcing traffic from a loopback is common with network equipment so that the application is not tied to a particular link. For example, you can configure the BGP source on a Cisco router to be the loopback so that the peering can route round any link outage.
Re: Source IP Address Change
Posted: Mon Mar 21, 2016 3:12 pm
by hsmith
I'm not entirely sure of a way to do this in Linux, I've been looking around, but have yet to see a great example of it. Everything I'm finding is networking gear.
Re: Source IP Address Change
Posted: Tue Mar 22, 2016 5:25 am
by srhart
We have fixed the issue but for the benefit of readers - just to re-iterate, the scenario is:
[Hosted Server running Nagios XI] -- VPN Tunnel -- [Customer's Juniper SRX FW] -- Local LAN -- [Other customer kit to be monitored such as Juniper switches]
The issue arises because Nagios XI uses the outbound external IP address as the source, and so this needs to be included in the VPN encryption domain - unfortunately that same address is also the VPN tunnel peer address with the Juniper FW. That means that a route-based VPN cannot be used.
We had thought we'd got round the issue by using a policy-based VPN instead of a route-based VPN, and so could handle the source traffic coming from that peer address - and we had, for traffic going THROUGH the FW to a switch for example. As we were using a policy-based VPN on the FW, i.e. "untrust to trust", the switch is in the trust zone and all is OK, BUT using Nagios XI to monitor the FW itself was a no-go, as the FW management engine is not in the trust zone but in an internal zone called "junos-host", and so the traffic was not matching the policy for the VPN.
Easy - just add a VPN policy for "untrust to junos-host"?? - except that internal security policy in Junos does not allow traffic inbound to the "junos-host" zone from a policy based VPN - oops.
We fixed it by reverting to a route based VPN and using NAT rules in the Nagios XI server iptables FW to POSTROUTE source NAT any packets going from the server external address to the trust zone subnet to, say, 192.168.10.1/32 and PREROUTE destination NAT any packets coming the other way back to the server external address - this seems to work fine:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Outbound: packets the server originates towards the trust subnet get their source
# rewritten to the loopback-style address before they enter the tunnel
-A POSTROUTING -d 192.168.1.0/24 -s <server external IP> -j SNAT --to-source 192.168.10.1
# Inbound: packets the LAN sends to 192.168.10.1 are redirected to the server's real address.
# Replies to SNATed flows are already un-NATed by conntrack; this rule is what makes
# flows initiated from the LAN side (e.g. traps) reach the server.
-A PREROUTING -s 192.168.1.0/24 -d 192.168.10.1 -j DNAT --to-destination <server external IP>
COMMIT
It would have been easier to be able to configure the source address of Nagios XI though
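As an added example (not code from the thread, and not part of Nagios XI), the script below shows three ways a Linux host that terminates a route-based VPN itself can source monitoring traffic from a loopback-style address: a preferred-source route (the native Linux equivalent of the Cisco "update-source Loopback0" the opening post was looking for), the SNAT/DNAT approach the thread settled on, generated as an iptables-restore fragment, and net-snmp's clientaddr setting for the SNMP checks alone. The tunnel interface name tun0, the loopback address 192.168.10.1, the LAN 192.168.1.0/24 and the documentation-range external address 203.0.113.5 are all assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): three ways to make a Linux
# host source its monitoring traffic from a loopback-style address when the
# host itself terminates a route-based VPN.
#
# Assumed placeholder values: tunnel interface tun0, loopback address
# 192.168.10.1, monitored LAN 192.168.1.0/24. The default DRY_RUN=1 only
# prints the commands it would run; DRY_RUN=0 applies them (needs root).
set -eu

LOOP_IP="${LOOP_IP:-192.168.10.1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TUN_IF="${TUN_IF:-tun0}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Option A: preferred-source route. For a locally originated packet whose
# socket was not explicitly bound, the kernel takes the source address from
# the "src" hint of the route it matched, so no plugin needs changing and the
# server's external address never appears inside the tunnel. The far end must
# route LOOP_IP/32 back over the tunnel (and, for IPsec, include it in the
# traffic selectors) or replies never arrive.
route_with_src() {
    run ip address replace "$LOOP_IP/32" dev lo
    run ip route replace "$LAN_NET" dev "$TUN_IF" src "$LOOP_IP"
}

# Option B: the thread's SNAT/DNAT approach, emitted as an iptables-restore
# fragment for the nat table. Only the SNAT rule is needed for flows the
# server opens (conntrack reverses it on the replies); the DNAT rule covers
# flows the LAN opens towards LOOP_IP, such as SNMP traps sent to the host.
nat_rules() {
    ext_ip="$1"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $ext_ip -d $LAN_NET -j SNAT --to-source $LOOP_IP
-A PREROUTING -s $LAN_NET -d $LOOP_IP -j DNAT --to-destination $ext_ip
COMMIT
EOF
}

# Option C (SNMP checks only): net-snmp's command-line tools, which the
# check_snmp plugin wraps, honour "clientaddr" in snmp.conf and bind to that
# address before sending. Other checks (ping, NRPE, ...) are not covered.
snmp_clientaddr_line() {
    printf 'clientaddr %s\n' "$LOOP_IP"
}

# Show what would be done with the placeholder values.
route_with_src
nat_rules 203.0.113.5   # documentation-range stand-in for the server's external IP
snmp_clientaddr_line
```

Option A is the one to try first: once the loopback address is on lo and the route carries the src hint, every locally originated connection to the LAN uses 192.168.10.1 and the NAT rules become unnecessary. Check the result with ip route get 192.168.1.10, which prints the source the kernel will pick. Option B remains useful when the route must be shared with traffic that has to keep the external address.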

Re: Source IP Address Change
Posted: Tue Mar 22, 2016 2:16 pm
by tmcdonald
That... is definitely complex :)
Thanks for sharing though, it's a bit of an edge case but certainly will be helpful for anyone else in the same boat.
If it's alright with you, do you mind if we close this thread?