[Openswan Users] RoadWarrior default gateway through tunnel

John A. Sullivan III jsullivan at opensourcedevel.com
Tue Sep 13 00:54:19 CEST 2005


Hello, all.  I have a scenario where there is a central RoadWarrior
gateway (RASGW) to whom all RoadWarriors connect using the lisipsectool
(http://sf.net/projects/lsipsectool) and the native Windows IPSec stack
(no L2TP).  The RASGW then has LAN-to-LAN tunnels configured to each of
the offices.  The RoadWarriors connect to RASGW with remote network
address of 0.0.0.0/0.0.0.0 and are then routed to the offices or
Internet as needed.

We used ISCS (http://iscs.sourceforge.net) to create iptables rule sets
which dynamically adapt to the users' X.509 DN.  Various rules in the
filter table control access to every single resource on the WAN, i.e.,
once the user connects to RASGW, RASGW will only forward traffic from
the users which is explicitly allowed, e.g., SMB to the file and print
servers but not to the web servers or telnet only to the manufacturing
host and only from the shop floor supervisors.

This all worked fine until we tried to use the tunnel as the default
gateway and especially if the users were directly connecting from the
Internet, i.e., they had a publicly routable address.  The problem arose
in the connection definitions between RASGW and the offices.

We set up RoadWarrior connections like this:
conn RASAny
        leftsubnet=0.0.0.0/0.0.0.0
        also=RAS

conn RAS
        right=%any
        rightsubnet=vnet:%priv,%no
        leftupdown=/etc/PEP/X509updown
        rekey=no
        auto=add

So we allow connections from anywhere going to anywhere with either
RFC1918 or public addresses as long as they have a trusted cert.  The
X509updown script takes care of the dynamic firewall rules so that we do
not have wide open RoadWarrior tunnels.  But then how do we get the
traffic from RASGW to a branch office? When we only had to worry about
RFC 1918 addresses, we could do something like:
conn Harvey10
        leftsubnet=10.0.0.0/8
        also=Harvey

conn Harvey192
        leftsubnet=192.168.0.0/16
        also=Harvey

conn Harvey172
        leftsubnet=172.16.0.0/12
        also=Harvey

conn Harvey
        right=x.x.x.250
        rightsubnet=10.7.0.0/16
        rightid="C=US,O=MyOrg,OU=VPNGateways,CN=HarveySGGW"
        auto=start

But this won't allow traffic from users with a public address.  If we
add a connection such as:
conn HarveyAny
        leftsubnet=0.0.0.0/0.0.0.0
        also=Harvey

The gateway becomes very confused, overflows its neighbor table and
seems to try to tunnel all traffic.  This makes sense if I am saying
send all traffic from 10.7.0.0/16 to anywhere to the RAS gateway.

To work around the problem, I played iptables games.  I added these
rules to the iptables-restore file:
*nat
-A POSTROUTING -o eth0 -j SNAT --to-source x.x.x.187
-A POSTROUTING -o ipsec+ -j SNAT --to-source 172.23.223.2-172.23.223.254
COMMIT

Thus RoadWarrior traffic for the Internet undergoes NAPT while all the
WAN traffic is NAT'd to the 172.23.223.0/24 network (more or less).  Now
I can define my office tunnels for only traffic from 172.23.223.0/24.

It works.  I preserve all my security as the filter table rules drop all
unallowed packets and only then do I NAT.  But somehow I feel like I
either cheated or worked too hard.  Is there a simpler way and I'm just
brain cramping? Thanks - John

PS - on a small side note, does anyone know how to import a PKCS#12
package into the Windows certificate store from the command line? Thanks
- John

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

Financially sustainable open source development
http://www.opensourcedevel.com
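As an added illustration, not part of John's post or of Openswan, here is a small Python model of the packet path he describes on RASGW: a filter FORWARD decision keyed on the user's X.509 DN, then the POSTROUTING SNAT into 172.23.223.0/24, then the IPsec SPD selector lookup. It shows why a public-address RoadWarrior finds no office tunnel without the SNAT, why it does with it, and that a denied packet never reaches NAT at all. The user DN, the host addresses and the deterministic SNAT mapping are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Nets taken from the post: the Harvey office and the SNAT pool on RASGW.
OFFICE_NET = ip_network("10.7.0.0/16")
NAT_POOL = ip_network("172.23.223.0/24")
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed filter-table policy: (user DN, allowed destination net, dport).
# Stands in for the rules the X509updown script installs per connection.
FILTER = [("C=US,O=MyOrg,OU=Users,CN=alice", OFFICE_NET, 445)]

# IPsec SPD as (leftsubnet, rightsubnet, conn): the three RFC 1918 conns
# from the post, and the single conn used once the SNAT is in place.
SPD_RFC1918 = [(n, OFFICE_NET, "Harvey" + t)
               for n, t in zip(RFC1918, ("10", "172", "192"))]
SPD_NATTED = [(NAT_POOL, OFFICE_NET, "HarveyNAT")]


def filter_allows(dn, dst, dport):
    """filter FORWARD: drop unless a rule for this DN matches dst and port."""
    return any(dn == r_dn and dst in r_net and dport == r_port
               for r_dn, r_net, r_port in FILTER)


def snat(src):
    """Constructed POSTROUTING SNAT: map any source into 172.23.223.2-254.
    (iptables chooses pool addresses itself; this is only a stand-in.)"""
    return NAT_POOL[2 + int(src) % 253]


def forward(dn, src, dst, dport, spd, use_snat):
    """Walk a packet through filter -> nat -> SPD and report the outcome:
    'DROP', 'NO-POLICY', or '<conn>:<source seen by the tunnel>'."""
    src, dst = ip_address(src), ip_address(dst)
    if not filter_allows(dn, dst, dport):
        return "DROP"              # dropped before NAT, as the post says
    if use_snat:
        src = snat(src)            # WAN-bound traffic leaves from the pool
    for left, right, conn in spd:
        if src in left and dst in right:
            return f"{conn}:{src}"
    return "NO-POLICY"             # no tunnel selector covers this pair


if __name__ == "__main__":
    alice = "C=US,O=MyOrg,OU=Users,CN=alice"
    print(forward(alice, "203.0.113.7", "10.7.1.10", 445, SPD_RFC1918, False))
    print(forward(alice, "203.0.113.7", "10.7.1.10", 445, SPD_NATTED, True))
```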