FreeS/WAN relaying
From: Rennie deGraaf (rendeg@my-dejanews.com)Date: 06/06/02
- Next message: cam: "ipchains too old?"
- Previous message: : "Re: linux virus"
- Next in thread: Simon Matthews: "Re: FreeS/WAN relaying"
- Reply: Simon Matthews: "Re: FreeS/WAN relaying"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: rendeg@my-dejanews.com (Rennie deGraaf) Date: 6 Jun 2002 08:35:36 -0700
Will FreeS/WAN (particularly version 1.8) allow packets that come in
one a particular interface to exit again through that interface as
part of a different VPN stream? I believe that Cisco's PIX firewall
doesn't. If not, is there any way I could get around this using IP
masquerade?
Some details on what I am trying to do:
I have two networks connected by a VPN between two gateways running
FreeS/WAN. There are also several roaming clients (running Win2k)with
dynamic IP's who can connect to the VPN using SSH Sentinel.
However, one of these people cannot connect to the gateway for one of
our two networks, due to what seem to be problems with his ISP. So, I
want to allow him to connect to both networks through one gateway
Both gateways have only one externally-visible interface, using the
only "real" IP address at its site (the rest of both networks are
using 192.168 addresses). So, I want messages for network 2 to come
in on the gateway for network 1, and be sent back out the same
interface to the gateway for network 2. The gateways are both on the
firewalls for their networks.
A simplified view of my networks looks something like this:
Network 2 ISP's router network 1
----- ------ ------
| | _ __ __ __ __ __ __ __ _ __ | | __________________ | |
| | 192.168.1.0/24 | | X 192.168.2.0/24 | |
----- ------ ------
|
|
|
|
|
------
| | Laptop
| | dynamic IP
------
I can establish an IPSec connection between Laptop and the gateway for
Network 1. I have IPSec connections between the IPSec gateways for
both networks. I want to use both of those connections to communicate
between Laptop and Network 2.
Theoretically, it should be possible. Stuff reaching the gateway for
Network 1 gets through the firewall, and since it has reached the end
of its VPN tunnel, gets decrypted to plain TCP packets. That gateway
has a route to Network 2, so it *should* be encapsulated again and
sent via the other IPSec connection
However, those packets never seems to reach the firewall for network
2, and I can't find any evidence (from tcpdump) of them ever leaving
the IPSec gateway for network 1. I think the problem may be due to
the fact that the data is sent back out from the gateway for network 1
on the same interface that it just arrived on.
The route for the data *should* look like this:
Laptop
.
.
.
ISP's router
Gateway for Network 1
ISP's router
.
.
.
Gateway for Network 2
destination
Note that the same ISP router appears twice - once arriving at network
1, and once leaving.
more details about what I am trying to do in thread "IPSec Relaying"
in comp.security.misc
http://groups.google.ca/groups?dq=&hl=en&lr=&threadm=7cad4b2a.0206051520.2dcafc43%40posting.google.com&prev=/groups%3Fhl%3Den%26lr%3D%26group%3Dcomp.security.misc
Thanks,
Rennie deGraaf
- Next message: cam: "ipchains too old?"
- Previous message: : "Re: linux virus"
- Next in thread: Simon Matthews: "Re: FreeS/WAN relaying"
- Reply: Simon Matthews: "Re: FreeS/WAN relaying"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
