[Openswan Users] Multi NAT subnets behing Firewall/VPN server
r.j.hall at rhul.ac.uk
Thu Mar 3 18:26:46 CET 2005
I have three subnets behind my firewall, each subnet is on an RFC1918
address range. The firewalls external IP addresses are real world
addresses (several virtual interfaces as well as the main one). The
firewall is running Gentoo as the OS.
Addresses are modified for security.
I would like to have 3 classes of remote user connect to the VPN on the
firewall to enable access to the internal networks.
Group A = Connects to Net1, Net2 and Net3
Group B = Connects to Net2 and Net3
Group C = Connects to Net2 only
I want each group to be able to access certain services as if they were
directly connected to the network.
Each of these groups of users should be able to connect a single machine
or possibly a home network (not sure about this yet) to the VPN sever.
They should also have the choice of whether to use Linux or windows as
the client. I am not sure if I want to give the clients a virtual
presence on the internal network by assigning them an IP or whether to
use the IP address they have, I am open to suggestions here.
I want internal systems on the three networks to function normally when
the ipsec service is started and only traffic for the remote VPN client
or network to be routed through the VPN tunnels
Initially to get my head round OpenSWAN I am just setting up the Group C
users VPN. So far I am not having much luck, I have tried following
the Nate Carlson howto as well as information from the OpenSWAN WiKi and
some configs from UCLA. I have all the software compiled on the
firewall fine and have created and installed the certificates where
told. I have enabled both port 500 UDP and ESP on the interface I want
to act as the VPN server on the firewall.
When I start the ipsec service all traffic on the Net2 network stops
reaching the outside world and my phone starts ringing, because the
default route has been changed. How can I ensure that only traffic
destined for the remote VPN clients are routed down the ipsec0 interface
and all normal traffic continues as before? I can look at the
/var/log/messages to see the firewall now allowing the traffic to pass
from eth3 to ipsec0 rather than to eth0 as before. The traffic then
just dissapears as I haven't got as far as setting up the other end of
the tunnel, besides this is traffic I don't want to use the VPN, I only
want the remote users traffic to use the VPN's. How Can I tell the
system to only route the road warriors traffic to the ipsec0 interface
and leave the normal traffic alone?
Is it possible to have a virtual network for example a
Net4=192.168.4.0/24 that machines connecting to the VPN get an IP on so
communications with them can be routed to ipsec0 and all other traffic
will continue uninterrupted? I'm just guessing now. This is a live
firewall I am trying to set this up on as I don't have a spare to test
with, and I can't leave it dropping traffic for more than a few moments.
My last question which I haven't even got close to trying yet is how can
I determine which Group a remote user is in, and set up the access to
the appropriate internal network? Bearing in mind we have a CA already
set up here and I would like users to have as few certificates as
possible, all within the tree of our root CA to minimize the amount of
Sorry for all the questions, and thanks for any help you can give
# left = client, right = server
leftca=""C=UK/ST=county/L=Town/O=TEST CERT/OU=TEST CERT/CN=TEST
Root Cert/E=<email Address>"
rightid="C=UK/ST=county/L=Town/O=TEST CERT/OU=TEST CERT/CN=TEST
Root Cert/E=<email Address>"
More information about the Users