[Openswan Users] Multi NAT subnets behing Firewall/VPN server

Richard Hall r.j.hall at rhul.ac.uk
Thu Mar 3 18:26:46 CET 2005

I have three subnets behind my firewall, each subnet is on an RFC1918 
address range.   The firewalls external IP addresses are real world 
addresses (several virtual interfaces as well as the main one).   The 
firewall is running Gentoo as the OS.

Addresses are modified for security.


I would like to have 3 classes of remote user connect to the VPN on the 
firewall to enable access to the internal networks.
Group A = Connects to Net1, Net2 and Net3
Group B = Connects to Net2 and Net3
Group C = Connects to Net2 only

I want each group to be able to access certain services as if they were 
directly connected to the network.

Each of these groups of users should be able to connect a single machine 
or possibly a home network (not sure about this yet) to the VPN sever. 
  They should also have the choice of whether to use Linux or windows as 
the client.   I am not sure if I want to give the clients a virtual 
presence on the internal network by assigning them an IP or whether to 
use the IP address they have,   I am open to suggestions here.

I want internal systems on the three networks to function normally when 
the ipsec service is started and only traffic for the remote VPN client 
or network to be routed through the VPN tunnels

Initially to get my head round OpenSWAN I am just setting up the Group C 
users VPN.   So far I am not having much luck,   I have tried following 
the Nate Carlson howto as well as information from the OpenSWAN WiKi and 
some configs from UCLA.   I have all the software compiled on the 
firewall fine and have created and installed the certificates where 
told. I have enabled both port 500 UDP and ESP on the interface I want 
to act as the VPN server on the firewall.

When I start the ipsec service all traffic on the Net2 network stops 
reaching the outside world and my phone starts ringing, because the 
default route has been changed.    How can I ensure that only traffic 
destined for the remote VPN clients are routed down the ipsec0 interface 
and all normal traffic continues as before?   I can look at the 
/var/log/messages to see the firewall now allowing the traffic to pass 
from eth3 to ipsec0 rather than to eth0 as before.   The traffic then 
just dissapears as I haven't got as far as setting up the other end of 
the tunnel, besides this is traffic I don't want to use the VPN, I only 
want the remote users traffic to use the VPN's.   How Can I tell the 
system to only route the road warriors traffic to the ipsec0 interface 
and leave the normal traffic alone?

Is it possible to have a virtual network for example a 
Net4= that machines connecting to the VPN get an IP on so 
communications with them can be routed to ipsec0 and all other traffic 
will continue uninterrupted?   I'm just guessing now.   This is a live 
firewall I am trying to set this up on as I don't have a spare to test 
with, and I can't leave it dropping traffic for more than a few moments.

My last question which I haven't even got close to trying yet is how can 
I determine which Group a remote user is in, and set up the access to 
the appropriate internal network?   Bearing in mind we have a CA already 
set up here and I would like users to have as few certificates as 
possible, all within the tree of our root CA to minimize the amount of 
management overhead?

Sorry for all the questions,   and thanks for any help you can give


Current Config:
version 2

config setup

conn %default

# left = client, right = server
conn test-vpn
         leftca=""C=UK/ST=county/L=Town/O=TEST CERT/OU=TEST CERT/CN=TEST 
Root Cert/E=<email Address>"
         rightid="C=UK/ST=county/L=Town/O=TEST CERT/OU=TEST CERT/CN=TEST 
Root Cert/E=<email Address>"

More information about the Users mailing list