[Openswan Users] RE: Multi NAT subnets behind Firewall/VPN server
r.j.hall at rhul.ac.uk
Mon Mar 7 10:01:15 CET 2005
Thanks for the response Trevor.
> If you want to allow a 'home network' to connect they will need to
> have a router/Linux server that can connect, with the clients
> behind that.
It will probably be just the admins who want to have a network
connected, and I'm not going to configure that bit until I manage to get
the Firewall/VPN server working and some single clients connected.
>> When I start the ipsec service all traffic on the Net2 network stops
>> reaching the outside world and my phone starts ringing, because the
>> default route has been changed. How can I ensure that only traffic
>> destined for the remote VPN clients is routed down the ipsec0 interface
>> and all normal traffic continues as before? I can look at
>> /var/log/messages to see the firewall now allowing the traffic to pass
>> from eth3 to ipsec0 rather than to eth0 as before. The traffic then
>> just disappears as I haven't got as far as setting up the other end of
>> the tunnel; besides, this is traffic I don't want to use the VPN, I only
>> want the remote users' traffic to use the VPNs. How can I tell the
>> system to only route the road warriors' traffic to the ipsec0 interface
>> and leave the normal traffic alone?
> Could this be an IP address clash? If you have a user with a
> NAT'd router with an address in one of your groups you are
> stuffed! (good technical term!)
I haven't actually connected anything yet, so it can't be an address
clash. As soon as I bring the ipsec up on the firewall, it starts
routing all traffic to the ipsec0 interface. This machine will
generally not have many VPNs to it, so I don't want to use another
box, and normally the ipsec0 should just be waiting for a remote user to
connect. How can I stop it from messing with the default route so
normal traffic continues to flow?