[Openswan Users] SuSE 9.2 tunneling 2 LANS

Ludwig Nussel ludwig.nussel at suse.de
Thu Mar 10 10:30:32 CET 2005


Tom Reijnders wrote:
> I solved my problems. I was struggling with the way ipsec is implemented in 
> 6.2 and how to get the firewall (SuSEfirewall2) to handle it properly.
> 
> In the end, it all boiled down to firewall configuration problems.
> 
>  - On the linux gateway I added:
>   leftsourceip= < LAN ip address>
> 
> (Or you have to set up a second tunnel to allow traffic from the public IP 
> address to the other LAN)
> All this is necessary because of the way masquerading kicks in now.
> 
> In the firewall (SuSEfirewall2) I had to (besides allowing the normal isakmp, 
> esp, ah settings) set the TRUST_IPSEC to int and ALLOW_CLASS_ROUTING to true.

Keep in mind that ALLOW_CLASS_ROUTING affects all zones so if you
have e.g. two external zones you probably don't want to set that.

If your two networks are 10.10.0.0/16 and 192.168.1.0/24 something
like this might work as well:

FW_FORWARD="10.10.0.0/16,192.168.1.0/24,,,ipsec 192.168.1.0/24,10.10.0.0/16,,,ipsec"
FW_MASQ_NETS="0/0,!192.168.1.0/24"

(You still need to set FW_IPSEC_TRUST to something so that the ipsec
flag actually works as expected)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
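A small shell check, added here and not part of the thread, that parses the two SuSEfirewall2 variables from the reply above and confirms that the ipsec forwards are declared in both directions and that the remote LAN is exempt from masquerading. It assumes the FW_FORWARD field order src,dst,proto,port,flags and the FW_MASQ_NETS field order src,dst, as documented in the sysconfig file comments.

```shell
# Values constructed from the reply above; field order is an assumption
# taken from the SuSEfirewall2 sysconfig comments (src,dst,proto,port,flags).
FW_FORWARD="10.10.0.0/16,192.168.1.0/24,,,ipsec 192.168.1.0/24,10.10.0.0/16,,,ipsec"
FW_MASQ_NETS="0/0,!192.168.1.0/24"

# Print "src dst" for every FW_FORWARD entry whose flags field contains ipsec.
ipsec_forwards() {
    for entry in $1; do
        src=${entry%%,*}
        rest=${entry#*,}
        dst=${rest%%,*}
        flags=$(printf '%s\n' "$entry" | cut -d, -f5)
        case ",$flags," in
            *,ipsec,*) printf '%s %s\n' "$src" "$dst" ;;
        esac
    done
}

# Succeed only if every ipsec forward has a matching reverse entry,
# as both directions are listed in the reply above.
forwards_symmetric() {
    ipsec_forwards "$1" | while read -r src dst; do
        ipsec_forwards "$1" | grep -qx "$dst $src" || exit 1
    done
}

# Succeed if FW_MASQ_NETS has an entry whose destination field is "!<net>",
# i.e. packets to that network are explicitly exempt from masquerading.
masq_excluded() {
    net=$1
    for entry in $2; do
        rest=${entry#*,}
        [ "$rest" = "$entry" ] && continue   # entry has no destination field
        dst=${rest%%,*}
        [ "$dst" = "!$net" ] && return 0
    done
    return 1
}
```

Run it with `forwards_symmetric "$FW_FORWARD" && masq_excluded 192.168.1.0/24 "$FW_MASQ_NETS"` after sourcing /etc/sysconfig/SuSEfirewall2 to lint a live configuration.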

