[Openswan Users] VPN connection between two subnets on same server
Peter McGill
petermcgill at goco.net
Wed Jun 4 16:37:59 EDT 2008
Arjun,
An IPSec VPN connection needs two endpoints, presumably on different computers.
There is absolutely no point to doing what you're attempting; even if it worked,
it would provide no added functionality and would only serve to slow down your computer.
All you need to do to link the two subnets (eth1 and eth2) is to enable forwarding
and allow the traffic in your firewall.
The following basic firewall boot script does this, allowing the server, eth1 and
eth2 to communicate with the server, each other and the internet. Note that this
is a very basic example that allows all traffic from internal subnets and the server,
but nothing from the internet (except responses).
#!/bin/sh
# Turn the box into a router between eth0, eth1 and eth2.
echo "1" > /proc/sys/net/ipv4/ip_forward
# Traffic the server itself originates may go anywhere.
iptables -t filter -P OUTPUT ACCEPT
# Traffic to the server: default deny; accept each LAN subnet only on its own
# interface (the -i/-s pairing also rejects spoofed sources) and, on the WAN side, only replies.
iptables -t filter -P INPUT DROP
iptables -t filter -A INPUT -i lo -j ACCEPT   # added: local services need loopback with a DROP policy
iptables -t filter -A INPUT -i eth1 -s 10.243.0.0/16 -j ACCEPT
iptables -t filter -A INPUT -i eth2 -s 10.241.0.0/16 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Routed traffic: same policy, so eth1 and eth2 reach each other and the
# internet, while the internet only gets replies back in.
iptables -t filter -P FORWARD DROP
iptables -t filter -A FORWARD -i eth1 -s 10.243.0.0/16 -j ACCEPT
iptables -t filter -A FORWARD -i eth2 -s 10.241.0.0/16 -j ACCEPT
iptables -t filter -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Hide the LAN subnets behind the WAN address ("! -s" is the current negation
# syntax; older iptables accepted "-s !").
iptables -t nat -A POSTROUTING -o eth0 ! -s [WANIP] -j MASQUERADE
Why bother attempting to encrypt the traffic only to send it to yourself?
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
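As an added check on the boot script in the reply above (example code written for this page, not from the mail or from Openswan): a small Python model of the filter table that applies the same chain policies and rules to constructed packets, so you can see which flows the ruleset admits before loading it on a box. It models only -i, -s and the state match with first-match-wins semantics, ignores the nat table, and the WAN address 192.0.2.1 and the sample packets are assumptions.

```python
"""Model of the iptables filter table from the boot script above.
Added example, not from the original mail; packets are constructed and the
rule semantics are simplified (first match wins, else the chain policy)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    chain: str
    target: str                       # ACCEPT or DROP
    in_if: Optional[str] = None       # -i
    src: Optional[str] = None         # -s (CIDR)
    states: Optional[set] = None      # -m state --state ...

    def matches(self, p):
        if self.in_if and p["in_if"] != self.in_if:
            return False
        if self.src and ip_address(p["src"]) not in ip_network(self.src):
            return False
        if self.states and p["state"] not in self.states:
            return False
        return True


# Chain policies and rules, transcribed from the boot script.
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
RULES = [
    Rule("INPUT", "ACCEPT", in_if="eth1", src="10.243.0.0/16"),
    Rule("INPUT", "ACCEPT", in_if="eth2", src="10.241.0.0/16"),
    Rule("INPUT", "ACCEPT", in_if="eth0", states={"ESTABLISHED", "RELATED"}),
    Rule("FORWARD", "ACCEPT", in_if="eth1", src="10.243.0.0/16"),
    Rule("FORWARD", "ACCEPT", in_if="eth2", src="10.241.0.0/16"),
    Rule("FORWARD", "ACCEPT", in_if="eth0", states={"ESTABLISHED", "RELATED"}),
]

# LAN addresses are from the original question; the WAN address is a
# placeholder in the thread, so 192.0.2.1 is an assumption here.
LOCAL_ADDRS = {"10.243.102.230", "10.241.100.230", "192.0.2.1"}


def chain_for(p):
    """Locally generated packets traverse OUTPUT, packets addressed to the
    host traverse INPUT, and anything the host would route traverses FORWARD."""
    if p["in_if"] is None:
        return "OUTPUT"
    return "INPUT" if p["dst"] in LOCAL_ADDRS else "FORWARD"


def verdict(p, rules=RULES, policy=POLICY):
    """First matching rule in the packet's chain wins; otherwise the policy."""
    chain = chain_for(p)
    for r in rules:
        if r.chain == chain and r.matches(p):
            return r.target
    return policy[chain]


def pkt(in_if, src, dst, state="NEW"):
    """Constructed packet summary: ingress interface, addresses, conntrack state."""
    return {"in_if": in_if, "src": src, "dst": dst, "state": state}


# Constructed flows a practitioner would want to confirm before deploying.
CHECKS = {
    "eth1 host to eth2 host": pkt("eth1", "10.243.5.5", "10.241.7.7"),
    "eth2 reply back to eth1": pkt("eth2", "10.241.7.7", "10.243.5.5", "ESTABLISHED"),
    "internet new to server": pkt("eth0", "198.51.100.9", "192.0.2.1"),
    "internet reply to server": pkt("eth0", "198.51.100.9", "192.0.2.1", "ESTABLISHED"),
    "internet new to LAN host": pkt("eth0", "198.51.100.9", "10.243.5.5"),
    "spoofed 10.241 source on eth1": pkt("eth1", "10.241.9.9", "10.243.1.1"),
    "eth1 host to server": pkt("eth1", "10.243.5.5", "10.243.102.230"),
    "server to internet": pkt(None, "10.243.102.230", "203.0.113.4"),
}


def audit():
    """Return {description: verdict} for every constructed flow."""
    return {name: verdict(p) for name, p in CHECKS.items()}


if __name__ == "__main__":
    for name, v in audit().items():
        print(f"{v:6}  {name}")
```

The spoofed-source case is the one worth noticing: because every ACCEPT pairs -i with -s, a packet arriving on eth1 with a 10.241.x.x source matches neither LAN rule and falls through to the DROP policy, which is the anti-spoofing property the real script gives you for free.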
________________________________
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Arjun Datta
Sent: June 4, 2008 4:03 PM
To: users at openswan.org
Subject: [Openswan Users] VPN connection between two subnets on same server
I am trying this setup and am curious to see if it is allowed.
VPN server:
2.6.22.9-61.fc6
Linux Openswan U2.4.5/K2.6.22.9-61.fc6 (netkey)
1 WAN NIC, 2 LAN NICs on separate subnets
eth0 = WAN
eth1 = 10.243.102.230
eth2 = 10.241.100.230
I want to create a VPN connection between the 2 subnets using this machine.
conn ggh-gghdev
        # Left Security gateway, subnet behind it, next hop toward right
        left=WAN IP
        leftsubnet=10.241.0.0/16
        leftnexthop=WAN GATEWAY
        # Right Security gateway, subnet behind it, next hop towards left
        right=WAN IP
        rightsubnet=10.243.0.0/16
        rightnexthop=WAN GATEWAY
        keyingtries=0
        authby=secret
        type=tunnel
        auto=start
[root at vpn sysconfig]# ipsec auto --status | grep ggh-gghdev
000 "ggh-gghdev": 10.243.0.0/16===216.191.52.91---216.191.52.65...216.191.52.65---216.191.52.91===10.241.0.0/16; unrouted; eroute owner: #0
000 "ggh-gghdev": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "ggh-gghdev": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ggh-gghdev": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 16,16; interface: ;
000 "ggh-gghdev": newest ISAKMP SA: #0; newest IPsec SA: #0;
NATing part of /etc/sysconfig/iptables:
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -d ! 10.0.0.0/255.0.0.0 -o eth0 -j MASQUERADE
COMMIT
Now, before I spend too much time troubleshooting this, is the above scenario possible/doable? The VPN connection spans
the same machine as both left and right, albeit between different subnets.
--
Regards,
Arjun Datta