[Openswan Users] Tricky routing question

John A. Sullivan III jsullivan at opensourcedevelopmentcorp.com
Mon Sep 6 09:06:20 CEST 2004

On Mon, 2004-09-06 at 05:44, Ralf Guenthner wrote:
> Hi list
> I'm faced with the following situation:
> Roadwarriors  <->  GwA  <-> GwB ---NetB
>                     -NetA
> In words: A group of roadwarriors using SSH Sentinel connects to a 
> gateway, using x.509 certificates and with a remote network setting for 
> NetA (which is directly connected to GwA). GwA is running a DHCP server 
> and we assign private IPs to the RWs via DHCP-over-IPSEC as described in 
> papers by Andreas Steffen and others.
> GwA also has a site-2-site-VPN with GwB, so that NetA can reach NetB and 
> vice versa. Now the roadwarriors want to be able to access servers in 
> NetB also. Is there a way to do this except having the RW connect to GwB 
> directly? I've looked at various docs but no scenario I've found seems 
> to quite fit our requirements. Subnets is not the solution, since NetA 
> and NetB are totally different (one is private, one is public IP space).
Yes, I believe we cover this scenario in the training slides on
http://iscs.sourceforge.net.  If not directly, then it can be adapted
from the slides about the GNOC setup.

It has been a while since I've done this but I believe this is an
accurate summary of what is needed:

You will need to define NetB in Sentinel with the termination point at
GwA.  If I recall correctly, Sentinel is limited to using a
DHCP-over-IPSec address to only one connection.  If that is the case,
you will need to somehow summarize both NetA and NetB in the same subnet
even if it is and then overridden within Sentinel for local
subnets.  This will have the advantage/disadvantage of running the
Internet traffic through the VPN.

That should take care of the tunneling -- assuming you have defined a
tunnel between GwA and GwB between the subnet assigned via
DHCP-over-IPSec and NetB.  If you need to restrict which tunnels on GwA
the RWs can use, e.g., you have a NetC on either GwA or GwB (or any
other gateway on the WAN) which RWs should not access, you can restrict
the access with iptables.

You will need to ensure that the routing directs packets to the gateways
for all the involved subnets.

Those are the basics.  More details including ipsec.conf files are in
the slides. Good luck - John
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
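The following is an added example, not from the thread or from the slides John refers to, sketching how the conns on GwA could look in Openswan's ipsec.conf for this layout. All addresses, certificate files and identities are assumptions: NetA = 10.1.0.0/24 on GwA, NetB = 203.0.113.0/24 behind GwB at 192.0.2.2, the DHCP-over-IPsec pool for the roadwarriors = 10.9.0.0/24, and a NetC = 10.3.0.0/24 the RWs must not reach.

```conf
# /etc/ipsec.conf on GwA (added example; every address, name and cert file is assumed)
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=3
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    left=%defaultroute
    leftcert=gwA.pem

# DHCP-over-IPsec: Sentinel first opens a tunnel carrying only the DHCP exchange
# (UDP 68 on the client to UDP 67 on GwA), the relay on GwA hands out a pool address
conn rw-dhcp
    leftprotoport=17/67
    right=%any
    rightprotoport=17/68
    rightca=%same
    auto=add

# Roadwarrior -> NetA, terminating on GwA (the existing setup)
conn rw-neta
    leftsubnet=10.1.0.0/24
    right=%any
    rightsubnetwithin=10.9.0.0/24
    rightca=%same
    auto=add

# Roadwarrior -> NetB, also terminating on GwA: Sentinel must list NetB as a
# remote network with GwA as its gateway, so the RW never talks to GwB directly
conn rw-netb
    leftsubnet=203.0.113.0/24
    right=%any
    rightsubnetwithin=10.9.0.0/24
    rightca=%same
    auto=add

# Second GwA <-> GwB tunnel, for the RW pool rather than NetA; GwB needs the mirror
# conn (leftsubnet=203.0.113.0/24, rightsubnet=10.9.0.0/24) so NetB hosts' replies
# to the pool are routed back through the tunnel instead of out to the Internet
conn pool-to-netb
    leftsubnet=10.9.0.0/24
    right=192.0.2.2
    rightsubnet=203.0.113.0/24
    rightid="C=CH, O=Example, CN=gwB"
    auto=start

# Keeping RWs out of NetC is not an ipsec.conf matter; on GwA, before the ACCEPT rules:
#   iptables -A FORWARD -s 10.9.0.0/24 -d 10.3.0.0/24 -j DROP
```

The `rightsubnetwithin` keyword is the Openswan 2.x way of accepting any single pool address the client proposes; check it and the protoport syntax against the ipsec.conf(5) of the version actually installed.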
