[Openswan Users] VPN connection between two subnets on same server
petermcgill at goco.net
Wed Jun 4 16:37:59 EDT 2008
An IPSec VPN connection needs two endpoints, presumably on different computers.
There is absolutely no point to doing what you're attempting; even if it worked,
it would provide no added functionality, and only serve to slow down your computer.
All you need to do to link the two subnets (eth1 and eth2) is to enable forwarding
and allow the traffic in your firewall.
The following basic firewall boot script does this, allowing the server, eth1 and
eth2 to communicate with the server, each other and the internet. Note that this
is a very basic example that allows all traffic from internal subnets and the server,
but nothing from the internet (except responses).
# Enable IPv4 forwarding between interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward
# Traffic originated by the server itself is always allowed out
iptables -t filter -P OUTPUT ACCEPT
# Inbound to the server: default drop, then allow each LAN subnet on its own NIC
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -i eth1 -s 10.243.0.0/16 -j ACCEPT
iptables -t filter -A INPUT -i eth2 -s 10.241.0.0/16 -j ACCEPT
# From the WAN only replies to connections the server opened
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Routed traffic: default drop, then allow each LAN subnet on its own NIC
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -i eth1 -s 10.243.0.0/16 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -s 10.241.0.0/16 -j ACCEPT
# From the WAN only replies to connections the LANs opened
iptables -t filter -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT everything leaving eth0 that does not already carry the WAN address
# ([WANIP] is a placeholder; "-s !" is the legacy negation syntax)
iptables -t nat -A POSTROUTING -o eth0 -s ! [WANIP] -j MASQUERADE
Why bother attempting to encrypt the traffic only to send it to yourself?
IT Systems Analyst
Gra Ham Energy Limited
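To make the effect of the INPUT/FORWARD rules above concrete, here is an added example (not from the list post) that models the filter policy as a first-match table and evaluates a few constructed packets against it. The Packet fields and the conntrack state strings are simplifications assumed for the model; it shows that LAN-to-LAN forwarding is accepted, new connections from the WAN are dropped, and a packet arriving on eth1 with a source address from eth2's subnet is also dropped because each rule binds the interface to its subnet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED


# (chain, input interface, required source network or None,
#  required conntrack states or None, target) -- same order as the script
RULES = [
    ("INPUT", "eth1", "10.243.0.0/16", None, "ACCEPT"),
    ("INPUT", "eth2", "10.241.0.0/16", None, "ACCEPT"),
    ("INPUT", "eth0", None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
    ("FORWARD", "eth1", "10.243.0.0/16", None, "ACCEPT"),
    ("FORWARD", "eth2", "10.241.0.0/16", None, "ACCEPT"),
    ("FORWARD", "eth0", None, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
]

# Chain policies set with -P; applied when no rule matches
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}


def verdict(chain: str, pkt: Packet) -> str:
    """Return the target of the first matching rule, else the chain policy."""
    for rule_chain, iface, net, states, target in RULES:
        if rule_chain != chain or iface != pkt.in_iface:
            continue
        if net is not None and ip_address(pkt.src) not in ip_network(net):
            continue
        if states is not None and pkt.state not in states:
            continue
        return target
    return POLICY[chain]


if __name__ == "__main__":
    # Constructed sample packets (203.0.113.0/24 is documentation space)
    samples = [
        ("FORWARD", Packet("eth1", "10.243.1.5")),            # LAN1 -> LAN2
        ("FORWARD", Packet("eth0", "203.0.113.9")),           # WAN, new
        ("FORWARD", Packet("eth0", "203.0.113.9", "ESTABLISHED")),
        ("FORWARD", Packet("eth1", "10.241.3.3")),            # spoofed source
    ]
    for chain, pkt in samples:
        print(chain, pkt, "->", verdict(chain, pkt))
```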
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Arjun Datta
Sent: June 4, 2008 4:03 PM
To: users at openswan.org
Subject: [Openswan Users] VPN connection between two subnets on same server
I am trying this setup and am curious to see if it is allowed.
Linux Openswan U2.4.5/K22.214.171.124-61.fc6 (netkey)
1 WAN NIC, 2 LAN NICs on separate subnets
eth0 = WAN
eth1 = 10.243.102.230
eth2 = 10.241.100.230
I want to create a VPN connection between the 2 subnets using this machine.
# Left Security gateway, subnet behind it, next hop toward right
# Right Security gateway, subnet behind it, next hop towards left
[root at vpn sysconfig]# ipsec auto --status | grep ggh-gghdev
000 "ggh-gghdev": 10.243.0.0/16===126.96.36.199---188.8.131.52...184.108.40.206---220.127.116.11===10.241.0.0/16; unrouted; eroute owner: #0
000 "ggh-gghdev": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "ggh-gghdev": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ggh-gghdev": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 16,16; interface: ;
000 "ggh-gghdev": newest ISAKMP SA: #0; newest IPsec SA: #0;
NATing part of /etc/sysconfig/iptables:
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -d ! 10.0.0.0/255.0.0.0 -o eth0 -j MASQUERADE
Now, before I spend too much time troubleshooting this, is the above scenario possible/doable? The VPN connection spans the same machine as both left and right, albeit between different subnets.