At home I have a VPN setup with two WLAN laptops "Soggy" and
"Wroclaw" running SSH Sentinel 1.3-beta2 under Win98 and Win ME,
respectively, tunneling all Internet traffic to a Linux FreeS/WAN
gateway (freeswan-1.96 with x509patch-0.9.9) which then either tunnels
the traffic further to my university (strongsec-zhw) or feeds it
directly into the Internet via NAT.
I have the following working setup:
client soggy           \ /
160.85.106.3 ==         |                              / NAT to Internet
              ||   160.85.106.0/28                    /
how           ||   to        \ /  WLAN        ipsec1 | ipsec0
get           ||   rid of     | == ACCESS ===== FreeS/WAN GW ======= strongsec-zhw
this          ||   conn?           POINT      eth1    eth0 (dyn. IP)
              ||             \ /  (Bridge)  160.85.106.1
160.85.106.8 ==               |
client wroclaw
In ipsec.conf I specify the two WLAN tunnels as follows:
config setup
	interfaces="%defaultroute ipsec1=eth1"
	# Use auto= parameters in conn descriptions to control startup actions.
	plutoload=%search
	plutostart=%search
	uniqueids=yes

conn %default
	disablearrivalcheck=no
	# use RSA public key authentication with certificates
	authby=rsasig
	rightrsasigkey=%cert
	leftrsasigkey=%cert
	# load connections at startup
	auto=add

conn soggy
	left=160.85.106.3
	leftsubnet=160.85.106.3/32
	leftid=@soggy.strongsec.com
	leftnexthop=%direct
	right=160.85.106.1
	rightsubnet=0.0.0.0/0
	rightid=@firewall.strongsec.com
	rightnexthop=%direct
	rightupdown=/usr/local/lib/ipsec/updown1.ipchains

conn wroclaw
	left=160.85.106.8
	leftsubnet=160.85.106.8/32
	leftid=@wroclaw.strongsec.com
	leftnexthop=%direct
	right=160.85.106.1
	rightsubnet=0.0.0.0/0
	rightid=@firewall.strongsec.com
	rightnexthop=%direct
	rightupdown=/usr/local/lib/ipsec/updown1.ipchains

conn strongsec-zhw
	left=160.85.139.240
	leftid=@pluto.zhwin.ch
	leftsubnet=160.85.128.0/20
	right=%defaultroute
	rightsubnet=160.85.106.0/28
	rightid=@firewall.strongsec.com
	rightupdown=/usr/local/lib/ipsec/updown0.ipchains
	keyingtries=0
The third connection sets up a VPN tunnel to my university via ipsec0.
With all three tunnels established, the following routing table entries
result:
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
160.85.139.240  217.162.112.1   255.255.255.255 UGH   0      0        0 ipsec0
160.85.106.3    160.85.106.3    255.255.255.255 UGH   0      0        0 ipsec1
160.85.106.8    160.85.106.8    255.255.255.255 UGH   0      0        0 ipsec1
160.85.106.0    0.0.0.0         255.255.255.240 U     0      0        0 eth1
160.85.106.0    0.0.0.0         255.255.255.240 U     0      0        0 ipsec1
217.162.112.0   0.0.0.0         255.255.252.0   U     0      0        0 eth0
217.162.112.0   0.0.0.0         255.255.252.0   U     0      0        0 ipsec0
160.85.128.0    217.162.112.1   255.255.240.0   UG    0      0        0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         217.162.112.1   0.0.0.0         UG    0      0        0 eth0
Both WLAN clients can access the Internet via NAT and the ZHW net
through the ipsec0 tunnel. But client soggy cannot reach client wroclaw
via the Linux GW. Pinging wroclaw from soggy and vice versa
and monitoring ipsec1 using tcpdump shows that the ping is
tunneled to the FreeS/WAN gateway and appears at the ipsec1
interface, and I expected that it would enter ipsec1 again to be
tunneled via eth1 to the WLAN peer. But this does not happen.
Is FreeS/WAN supposed to work this way, or am I doing something
wrong? The ipchains rules on the eth1 / ipsec1 ports do not
deny any packets entering or leaving these interfaces.
The only solution up to now to allow traffic between the two WLAN
clients is to set up a direct VPN tunnel
160.85.106.3/32==160.85.106.3--160.85.106.8=160.85.106.8/32
Using SSH Sentinel I make sure that this VPN connection is defined
in front of the general 0.0.0.0/0 tunnel.
The reason that I would like to tunnel all WLAN traffic via the Linux
Gateway is scalability with a growing number of WLAN hosts. For a full
mesh of e.g. 10 mobile hosts, 45 VPN connections would have to be set up,
whereas a centralized solution would require one tunnel per WLAN
client only.
Who has succeeded in establishing such a setup?
Regards
Andreas
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zuerichweg 20 fax: +41 52 268 74 34
CH-8952 Schlieren (Switzerland) web: http://www.strongsec.com
======================================================================
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
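As an added illustration (my own code, not FreeS/WAN's and not from the poster), the following script parses the conn sections quoted in the message and performs the selector lookup that the gateway's KLIPS eroute table performs for an outbound packet: it shows that a decrypted ping from soggy to wroclaw is covered by conn wroclaw's (rightsubnet, leftsubnet) pair on paper, while Internet-bound traffic matches no conn and leaves in the clear via NAT. The sample ipsec.conf text is constructed from the post, and the most-specific-destination tie-break is an assumption (the quoted conns do not overlap for these flows); whether the decrypted packet is actually fed back into ipsec1 is a kernel-path question this policy check cannot answer.

```python
import ipaddress
import re

# Constructed sample: selector parameters of the three conns quoted in the post
# (on this gateway "right" is the FreeS/WAN box, "left" the remote peer).
IPSEC_CONF = """\
conn soggy
    left=160.85.106.3
    leftsubnet=160.85.106.3/32
    rightsubnet=0.0.0.0/0
conn wroclaw
    left=160.85.106.8
    leftsubnet=160.85.106.8/32
    rightsubnet=0.0.0.0/0
conn strongsec-zhw
    left=160.85.139.240
    leftsubnet=160.85.128.0/20
    rightsubnet=160.85.106.0/28
"""

def parse_conns(text):
    """Return {conn name: {param: value}} for every 'conn' section."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            cur = m.group(1)
            conns[cur] = {}
        elif cur and "=" in line:
            key, val = line.strip().split("=", 1)
            conns[cur][key] = val
    return conns

def gateway_eroutes(conns):
    """Outbound policy on the gateway (right side): src in rightsubnet and dst
    in leftsubnet selects that conn. A missing leftsubnet means left/32."""
    out = []
    for name, p in conns.items():
        src = ipaddress.ip_network(p["rightsubnet"])
        dst = ipaddress.ip_network(p.get("leftsubnet", p["left"] + "/32"))
        out.append((name, src, dst))
    return out

def select_conn(eroutes, src_ip, dst_ip):
    """Conn whose selectors cover (src, dst); most specific destination wins
    (assumed tie-break). None: no eroute, the packet leaves in the clear."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [(dst.prefixlen, src.prefixlen, name)
            for name, src, dst in eroutes if s in src and d in dst]
    return max(hits)[2] if hits else None
```

Running `select_conn(gateway_eroutes(parse_conns(IPSEC_CONF)), "160.85.106.3", "160.85.106.8")` returns "wroclaw", i.e. the client-to-client flow is selected by policy, so the missing hairpin must be looked for in the ipsec1 forwarding path rather than in the conn definitions.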
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:48 CEST