FreeS/WAN relaying

From: Rennie deGraaf (
Date: 06/06/02

From: (Rennie deGraaf)
Date: 6 Jun 2002 08:35:36 -0700

Will FreeS/WAN (particularly version 1.8) allow packets that come in
one a particular interface to exit again through that interface as
part of a different VPN stream? I believe that Cisco's PIX firewall
doesn't. If not, is there any way I could get around this using IP

Some details on what I am trying to do:
I have two networks connected by a VPN between two gateways running
FreeS/WAN. There are also several roaming clients (running Win2k)with
dynamic IP's who can connect to the VPN using SSH Sentinel.

However, one of these people cannot connect to the gateway for one of
our two networks, due to what seem to be problems with his ISP. So, I
want to allow him to connect to both networks through one gateway

Both gateways have only one externally-visible interface, using the
only "real" IP address at its site (the rest of both networks are
using 192.168 addresses). So, I want messages for network 2 to come
in on the gateway for network 1, and be sent back out the same
interface to the gateway for network 2. The gateways are both on the
firewalls for their networks.

A simplified view of my networks looks something like this:

Network 2 ISP's router network 1
----- ------ ------
| | _ __ __ __ __ __ __ __ _ __ | | __________________ | |
| | | | X | |
----- ------ ------
                                  | | Laptop
                                  | | dynamic IP

I can establish an IPSec connection between Laptop and the gateway for
Network 1. I have IPSec connections between the IPSec gateways for
both networks. I want to use both of those connections to communicate
between Laptop and Network 2.

Theoretically, it should be possible. Stuff reaching the gateway for
Network 1 gets through the firewall, and since it has reached the end
of its VPN tunnel, gets decrypted to plain TCP packets. That gateway
has a route to Network 2, so it *should* be encapsulated again and
sent via the other IPSec connection

However, those packets never seems to reach the firewall for network
2, and I can't find any evidence (from tcpdump) of them ever leaving
the IPSec gateway for network 1. I think the problem may be due to
the fact that the data is sent back out from the gateway for network 1
on the same interface that it just arrived on.

The route for the data *should* look like this:

ISP's router
Gateway for Network 1
ISP's router
Gateway for Network 2

Note that the same ISP router appears twice - once arriving at network
1, and once leaving.

more details about what I am trying to do in thread "IPSec Relaying"

Rennie deGraaf

Relevant Pages

  • Re: MSN Messenger while on VPN
    ... The property "Use default gateway on the remote network" makes use of the ... VPN server as the default gateway and routes all the traffic. ... MSN ...
  • Re: VPN routing from NAT to NAT
    ... You have two routes to the network using different ... think you are connecting to the gateway is that it is ... VPN connections are finicky depending on your exact network ... >it is a remote machine and not on my 100BaseTX LAN. ...
  • Re: RASd in : why traffic sent through VPN router ?
    ... inet gateway to 10+ secs when routed through remote VPN inet gateway. ... Exchange Server on the local network, ...
  • Re: Offsite DNS question
    ... > Work network = DHCP internaly assigned address and associated IP ... > always told to use their network's DNS server, ... mind, when using a VPN, the VPN interface becomes the default interface. ...
  • Re: Win2K3 end point routers on separate Win2K3 networks
    ... to the Win2K3 VPN router (if and only if that traffic is ... the VPN server as thier default gateway - but I do NOT ... that article were based upon a peer to peer network, ...