[Openswan Users] Tricky routing question

John A. Sullivan III jsullivan at opensourcedevelopmentcorp.com
Mon Sep 6 11:09:50 CEST 2004

On Mon, 2004-09-06 at 08:38, Ralf Guenthner wrote:
> John,
> thank you very much for your reply. Shame on me, I hadn't even heard 
> about the ISCS project as of yet <s>
> I've looked through the training slides. So far I've not found the one 
> pertaining to my situation, could you elaborate on which one you meant? 
> Sorry, if I'm being blind here..
No, as I reviewed them in response to your question, I see that there is
less information than I thought.  The most pertinent slide is the next
to last where we show our "GNOC" configuration.  In this case, users on
your NetA are accessing NetB but through GwA and using Sentinel clients
- one might say internal Road Warriors.
> Also, one sentence in your reply isn't quite clear to me:
> > subnets.  This will have the advantage/disadvantage of running the
> > Internet traffic through the VPN.
> What Internet traffic is this referring to? RWs are not supposed to surf 
> the Web or do other Internet stuff while connected to our VPN, for 
> security reasons.
That is the advantage!  In other words, some folks might see this as a
disadvantage in that all the Road Warriors Internet traffic must pass
through the VPN and they would prefer to short cut it directly to the

Other, more security conscious organizations, cringe at the thought of a
user having simultaneous Internet and VPN access and would prefer that
all Internet traffic be passed through the internal network where
various security measures could be imposed or all Internet traffic could
be blocked.

It sounds like your desire is the latter in which case your solution
should be simple even if Sentinel restricts you to only one
DHCP-over-IPSec connection.  Send all traffic down the VPN tunnel with
the termination point as GwA.  Have iptables on GwA ACCEPT all
acceptable traffic and DROP all unallowed traffic.  For the allowed
traffic, routing will take over and pass the NetB traffic through the
tunnel to GwB.  As long as the reply packets are sent to GwB, GwB will
send them back to GwA which will send them back to the RW.  You will be
decrypting and re-encrypting each packet but it should work.  If the RWs
are on a LAN, you may need Sentinel connection records to bypass the
tunnel for LAN traffic.

ISCS (http://iscs.sourceforge.net) would make this a somewhat trivial
matter but it is not quite ready for production.  I hope this helps -
> Thanks again
> Ralf
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
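The GwA filtering step described in the reply above, written out as an added example (this is not John's or the Openswan project's own script). It assumes a constructed Road Warrior address pool (10.99.0.0/24), a constructed NetB prefix (192.168.2.0/24) and a short list of allowed TCP ports; the real values come from your Sentinel and Openswan configuration. The `IPT` variable exists so the function can be dry-run with `IPT=echo` before it is applied to a live gateway.

```shell
#!/bin/sh
# Added example: FORWARD policy on GwA for Road Warriors whose whole
# traffic is sent down the tunnel.  Allowed RW->NetB traffic is ACCEPTed
# and then routed on through the GwA-GwB tunnel; everything else the RW
# sends (Internet-bound or otherwise) is logged and DROPped on GwA.
#
# All addresses and ports below are constructed placeholders.
RW_POOL="${RW_POOL:-10.99.0.0/24}"        # assumed Sentinel RW pool
NETB="${NETB:-192.168.2.0/24}"            # assumed NetB prefix behind GwB
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-22 443}"   # assumed services on NetB
IPT="${IPT:-iptables}"                    # set IPT=echo for a dry run

gwa_forward_rules() {
    # Default-deny for forwarded traffic; only explicit ACCEPTs pass.
    $IPT -P FORWARD DROP

    # Reply packets for connections GwA already allowed (they return via GwB).
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Acceptable RW traffic: only to NetB, only to the listed services.
    for port in $ALLOWED_TCP_PORTS; do
        $IPT -A FORWARD -s "$RW_POOL" -d "$NETB" \
             -p tcp --dport "$port" -j ACCEPT
    done

    # Everything else from the RW pool (Internet surfing included) is
    # logged so blocked attempts are visible, then dropped.
    $IPT -A FORWARD -s "$RW_POOL" -j LOG --log-prefix "GWA-RW-DROP: "
    $IPT -A FORWARD -s "$RW_POOL" -j DROP
}

# Usage: review with a dry run first, then apply for real.
#   IPT=echo sh gwa-forward.sh
#   sh gwa-forward.sh
gwa_forward_rules
```

Two points worth checking when adapting this: the GwA-GwB tunnel's subnet selectors must cover the RW pool as well as NetA, otherwise decrypted RW packets destined for NetB will not match the tunnel policy on GwA and will be routed in the clear or dropped; and the ESTABLISHED,RELATED rule is what lets GwB's replies come back through GwA without a second set of ACCEPT rules.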
