[Openswan Users] RE: Multi NAT subnets behind Firewall/VPN, server

Richard Hall r.j.hall at rhul.ac.uk
Mon Mar 7 10:01:15 CET 2005


Thanks for the response Trevor.

 > If you want to allow a 'home network' to connect they will need to
 > have a router/Linux server that can connect, with the clients
 > behind that.

It will probably be just the admins who want to have a network 
connected, and I'm not going to configure that bit until I manage to get 
the Firewall/VPN server working and some single clients connected.

 >> When I start the ipsec service all traffic on the Net2 network stops
 >> reaching the outside world and my phone starts ringing, because the
 >> default route has been changed. How can I ensure that only traffic
 >> destined for the remote VPN clients is routed down the ipsec0 interface
 >> and all normal traffic continues as before? I can look at
 >> /var/log/messages to see the firewall now allowing the traffic to pass
 >> from eth3 to ipsec0 rather than to eth0 as before. The traffic then
 >> just disappears as I haven't got as far as setting up the other end of
 >> the tunnel; besides, this is traffic I don't want to use the VPN, I only
 >> want the remote users' traffic to use the VPNs. How can I tell the
 >> system to only route the road warriors' traffic to the ipsec0 interface
 >> and leave the normal traffic alone?


 > Could this be an IP address clash?  If you have a user with a
 > NAT'd router with an address in one of your groups you are
 > stuffed! (good technical term!)

I haven't actually connected anything yet, so it can't be an address 
clash. As soon as I bring ipsec up on the firewall, it starts 
routing all traffic to the ipsec0 interface. This machine will 
generally not have many VPNs to it, so I don't want to use another 
box, and normally the ipsec0 should just be waiting for a remote user to 
connect. How can I stop it from messing with the default route so 
normal traffic continues to flow?


Thanks
Rich
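A small diagnostic for the symptom described in this thread, added here as an example and not part of the original post or of Openswan itself: it parses `ip route show` style output and reports whether the tunnel interface (assumed to be ipsec0) has taken over the default route, either as a single default entry or as the 0.0.0.0/1 + 128.0.0.0/1 split that some VPN setups install. The routing table below is a constructed sample, not from the poster's machine.

```python
import ipaddress

# Constructed sample of `ip route show` output after the ipsec service has
# started (assumed, not taken from the original post): the default route now
# leaves via ipsec0 instead of eth0, which is what the poster observes.
SAMPLE_ROUTES = """\
default via 192.0.2.1 dev ipsec0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
10.20.0.0/16 dev eth3 proto kernel scope link src 10.20.0.1
10.99.0.0/24 dev ipsec0 scope link
"""


def parse_routes(text):
    """Return (network, device) pairs from `ip route show` style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def default_route_device(routes):
    """Device of the first route covering all of 0.0.0.0/0, if any."""
    for net, dev in routes:
        if net.prefixlen == 0:
            return dev
    return None


def devices_covering_everything(routes):
    """Devices whose routes, merged, cover the entire IPv4 address space."""
    by_dev = {}
    for net, dev in routes:
        by_dev.setdefault(dev, []).append(net)
    covering = []
    for dev, nets in by_dev.items():
        merged = list(ipaddress.collapse_addresses(nets))
        if len(merged) == 1 and merged[0].prefixlen == 0:
            covering.append(dev)
    return covering


def check_routes(text, tunnel_dev="ipsec0"):
    """Summarise whether all traffic would be pushed into the tunnel device."""
    routes = parse_routes(text)
    return {
        "default_dev": default_route_device(routes),
        "all_traffic_via_tunnel": tunnel_dev in devices_covering_everything(routes),
        "tunnel_routes": sorted(str(n) for n, d in routes if d == tunnel_dev),
    }
```

On a live box, feed it the real output (`ip route show`) and compare the result before and after starting the ipsec service; the expected healthy state is `default_dev` on the external interface and only the remote-client subnets listed under `tunnel_routes`.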

