[Openswan Users] Relaying traffic from public RoadWarriors
John A. Sullivan III
jsullivan at opensourcedevel.com
Mon Sep 19 16:11:18 CEST 2005
We're having some problems setting up a RAS openswan gateway, i.e., a
device on the Internet with a single NIC whose only purpose is to allow
RoadWarriors to connect, authenticate them, authorize their access and
then relay the traffic to branch office openswan gateways. In other
words, something like this:
---------------           ---------------
|branch office |           |branch office |
---------------           ---------------
       |                         |
       |                         |
-----------------------------------------
|               INTERNET                |
-----------------------------------------
       |                         |
       |                         |
---------------           -----------------
| RoadWarrior |           | RAS Gateway   |
---------------           -----------------
It works fine when the RoadWarrior uses an RFC 1918 address and is
behind a NAT gateway. The RAS Gateway has one connection for right=%any
and then connections to each branch office where leftsubnet=<RFC1918
network address> and rightsubnet=<branch office subnet>.
The packets arrive from the RW on the %any connection, are decrypted,
rerouted and re-encrypted into the branch office tunnel.
The problem arises when the RW has a public address. They can still
connect to the %any connection on the RAS gateway, but how do I get the
traffic to the branch office gateway? What would leftsubnet be? I can't
set it to 0.0.0.0/0 or else the branch office gateway will think it is
supposed to send all traffic to the RAS gateway instead of only the
traffic which came from the RAS gateway.
We can get around the problem with NAT, but it breaks some important
protocols, particularly the NetBIOS datagrams used to register Windows
clients. Any help would be greatly appreciated. Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com