[Openswan Users] Multi NAT subnets behing Firewall/VPN server

Trevor Hennion trevor-os at thennion.demon.co.uk
Thu Mar 3 22:11:24 CET 2005

On Thursday 03 March 2005 18:26, Richard Hall wrote:
> I have three subnets behind my firewall, each subnet is on an RFC1918
> address range. The firewall's external IP addresses are real world
> addresses (several virtual interfaces as well as the main one). The
> firewall is running Gentoo as the OS.
> Addresses are modified for security.
> Net1=
> Net2=
> Net3=
> I would like to have 3 classes of remote user connect to the VPN on the
> firewall to enable access to the internal networks.
> Group A = Connects to Net1, Net2 and Net3
> Group B = Connects to Net2 and Net3
> Group C = Connects to Net2 only
> I want each group to be able to access certain services as if they were
> directly connected to the network.
> Each of these groups of users should be able to connect a single machine
> or possibly a home network (not sure about this yet) to the VPN server.
> They should also have the choice of whether to use Linux or Windows as
> the client. I am not sure if I want to give the clients a virtual
> presence on the internal network by assigning them an IP or whether to
> use the IP address they have. I am open to suggestions here.

If you want to allow a 'home network' to connect they will need to have a
router/Linux server that can connect, with the clients behind that.
Choice of Linux or Windows is possible - I do that - one at a time - with the
same certificate. Home IP address mustn't clash with one of your own IP
address ranges.

> I want internal systems on the three networks to function normally when
> the ipsec service is started and only traffic for the remote VPN client
> or network to be routed through the VPN tunnels.
> Initially to get my head round OpenSWAN I am just setting up the Group C
> users VPN. So far I am not having much luck. I have tried following
> the Nate Carlson howto as well as information from the OpenSWAN Wiki and
> some configs from UCLA. I have all the software compiled on the
> firewall fine and have created and installed the certificates where
> told. I have enabled both port 500 UDP and ESP on the interface I want
> to act as the VPN server on the firewall.
> When I start the ipsec service all traffic on the Net2 network stops
> reaching the outside world and my phone starts ringing, because the
> default route has been changed. How can I ensure that only traffic
> destined for the remote VPN clients is routed down the ipsec0 interface
> and all normal traffic continues as before? I can look at the
> /var/log/messages to see the firewall now allowing the traffic to pass
> from eth3 to ipsec0 rather than to eth0 as before. The traffic then
> just disappears as I haven't got as far as setting up the other end of
> the tunnel, besides this is traffic I don't want to use the VPN, I only
> want the remote users' traffic to use the VPNs. How can I tell the
> system to only route the road warriors' traffic to the ipsec0 interface
> and leave the normal traffic alone?

Could this be an IP address clash? If you have a user with a NAT'd router
with an address in one of your groups you are stuffed! (good technical term!)

> Is it possible to have a virtual network for example a
> Net4= that machines connecting to the VPN get an IP on so
> communications with them can be routed to ipsec0 and all other traffic
> will continue uninterrupted?   I'm just guessing now.   This is a live
> firewall I am trying to set this up on as I don't have a spare to test
> with, and I can't leave it dropping traffic for more than a few moments.
> My last question which I haven't even got close to trying yet is how can
> I determine which Group a remote user is in, and set up the access to
> the appropriate internal network?   Bearing in mind we have a CA already
> set up here and I would like users to have as few certificates as
> possible, all within the tree of our root CA to minimize the amount of
> management overhead?

You can define a connection for each user - based on the certificate, that has 
access to the required groups. Becomes a problem when you have lots of users!
As long as the certificates are all signed by your root CA they will be 

If you had a spare box with two network cards it should be possible to put 
that in parallel with your firewall, with the internal interface NAT'd and 
the external IP with a routeable address, and only allow VPN traffic through 
that. The traffic then looks as if it is part of your network. The firewall 
should know it has to send traffic for that IP address to the VPN gateway.

> Sorry for all the questions,   and thanks for any help you can give
> Rich

I'm working with Openswan 1.0.9 and seem to have fewer problems than are
sometimes reported here.

Trevor Hennion

> Current Config:
> version 2
> config setup
>          interfaces=%defaultroute
>          klipsdebug=none
>          plutodebug=none
>          uniqueids=yes
>          nat_traversal=yes
>          virtual_private=%v4:,%v4:,%v4:
>          overridemtu=1360
> conn %default
>          keylife=70m
>          keyingtries=3
>          disablearrivalcheck=no
>          authby=rsasig
> # left = client, right = server
> conn test-vpn
>          left=
>          leftca="C=UK/ST=county/L=Town/O=TEST CERT/OU=TEST CERT/CN=TEST Root Cert/E=<email Address>"
>          leftrsasigkey=%cert
>          right=
>          rightsubnet=
>          rightnexthop=
>          rightcert=/etc/ipsec.d/vpn.example.org.pem
>          rightid="C=UK/ST=county/L=Town/O=TEST CERT/OU=TEST CERT/CN=TEST Root Cert/E=<email Address>"
>          rightca=%same
>          rightrsasigkey=%cert
>          auto=add
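An ipsec.conf sketch of the per-group, per-certificate conns Trevor describes, added here as an example; it is not Richard's configuration and not taken from Openswan's documentation. It assumes Openswan 2.x with KLIPS, that Net1/Net2/Net3 are 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24, that the gateway listens on 203.0.113.10 via eth0, and that every certificate path and DN shown is a constructed placeholder.

```ini
# Added example, not Richard's config. All addresses and DNs are constructed.
version 2

config setup
        # Pin ipsec0 to the interface that serves VPN clients instead of
        # letting %defaultroute pick one on a box with several addresses.
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        # Roadwarriors behind NAT may sit on RFC1918 space, but the "!"
        # entries exclude the firewall's own three subnets, so a home LAN
        # that clashes with them is refused instead of being steered into ipsec0.
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
        uniqueids=yes

# Everything common to the roadwarrior conns; right is the gateway.
conn %default
        authby=rsasig
        right=203.0.113.10                        # placeholder gateway address
        rightcert=/etc/ipsec.d/certs/vpn-gw.pem   # placeholder path
        rightrsasigkey=%cert
        rightca=%same
        left=%any                    # client may arrive from any address
        leftsubnet=vhost:%priv,%no   # a single host, or a NAT'd home LAN
        leftrsasigkey=%cert
        leftca="C=UK, O=TEST CERT, CN=TEST Root Cert"   # placeholder CA DN
        auto=add

# Group C: Net2 only. Pluto selects the conn whose leftid equals the DN
# in the certificate the client presents, so access is tied to the cert.
conn groupc-carol-net2
        leftid="C=UK, O=TEST CERT, OU=GroupC, CN=carol"
        rightsubnet=192.168.2.0/24

# Group B: one conn per reachable internal subnet, same leftid in each.
conn groupb-bob-net2
        leftid="C=UK, O=TEST CERT, OU=GroupB, CN=bob"
        rightsubnet=192.168.2.0/24
conn groupb-bob-net3
        leftid="C=UK, O=TEST CERT, OU=GroupB, CN=bob"
        rightsubnet=192.168.3.0/24

# Group A (Net1, Net2 and Net3) follows the same pattern with three conns.
```

Only the internal subnets named in a rightsubnet get an eroute, so traffic from Net2 to the internet never matches a tunnel; the `!` exclusions in virtual_private are what turn the address clash Trevor warns about into a rejected negotiation rather than a silent routing problem.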