From: Ken Bantoft (ken_at_networkoverlord.com)
Date: Wed Jul 31 2002 - 23:24:56 CEST
> From the reading and searching I have done, I apparently have a fairly
> unique setup. I am using Freeswan connecting from home to my corporate LAN,
> to a Cisco 3660. Normal host to LAN tunnel works perfectly so far. I want to
> expand my setup to allow more than one system at my home to come across the
> tunnel. All my systems, including the one creating the tunnel, are behind a
> NAT firewall.
> Here's the setup, basically:
>
> corp wan ----- internet ------- NAT router -- gateway system
>
> My ipsec.conf in normal configuration for the one client works fine, with:
>
> conn corp
>     type=tunnel
>     left=%defaultroute
>     right=xxx.xxx.xxx.xxx
>     rightsubnet=yyy.yyy.yyy.0/24
>     keyexchange=ike
>     auth=esp
>     authby=secret
>     lifetime=8h
>     keylife=1h
>     pfs=no
>     spi=0x500
>     esp=3des-md5-96
>     auto=start
>
> I tried just adding leftsubnet=zzz.zzz.zzz.0/24 to the above to get my home
> net routing through the gateway system. IP forwarding is enabled. When I do
> this, the subnet can route back and forth, but the gateway system cannot.
> With the leftsubnet directive removed, and nothing else changed, the gateway
> system can route back and forth fine.
> Any help in making this work would be greatly appreciated.
You'll need two tunnels defined... one with rightsubnet=yyy.yyy.yyy.0/24
defined, and one without a rightsubnet declaration.
This is because your gateway would be sending out ipsec0 with the source
IP set to xxx.xxx.xxx.xxx (external, public IP) which, of course, isn't
part of the rightsubnet=yyy.yyy.yyy.0/24.
Ken
--
Ken Bantoft                   One Unix to rule them all, One Resolver to find them,
ken_at_networkoverlord.com    One IP to bring them all, and in the zone, bind them.
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
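The two-conn layout Ken describes, written out as an ipsec.conf fragment. This is an added example, not a configuration posted in the thread: the conn names corp-gw and corp-lan, the use of a conn %default section for the shared parameters, and the choice to express the IKE SA lifetime as ikelifetime= are mine; the placeholder addresses are the ones from the original post. The spi= and esp= lines from the original conn are left out, since spi= only applies to manually keyed connections and esp= is not needed to illustrate the point. The first conn has no leftsubnet, so its selector is the gateway's own address; the second carries the home LAN behind it.

```ini
# Added example (not from the thread): one FreeS/WAN gateway that needs
# both its own traffic and a LAN behind it to reach the corporate subnet.
# conn names and the %default section are assumptions; addresses are the
# placeholders from the original post.

conn %default
    type=tunnel
    keyexchange=ike
    auth=esp
    authby=secret
    ikelifetime=8h
    keylife=1h
    pfs=no
    right=xxx.xxx.xxx.xxx
    rightsubnet=yyy.yyy.yyy.0/24
    auto=start

# Host-to-subnet tunnel for packets the gateway itself originates.
# No leftsubnet: the left selector is just the address %defaultroute
# resolves to, which is not inside zzz.zzz.zzz.0/24 and so would never
# match the LAN tunnel below.
conn corp-gw
    left=%defaultroute

# Subnet-to-subnet tunnel for the rest of the home LAN, forwarded by the
# gateway (IP forwarding must stay enabled for this one).
conn corp-lan
    left=%defaultroute
    leftsubnet=zzz.zzz.zzz.0/24
```

Once both are up, `ipsec eroute` should list two eroutes to yyy.yyy.yyy.0/24: one whose source is the gateway address with a /32 mask and one for zzz.zzz.zzz.0/24. Both conns negotiate their own Phase 2 under the same IKE Phase 1 with the Cisco, so the peer's crypto ACL has to match both selectors (gateway host to corporate subnet, and home subnet to corporate subnet); if only the /24 is listed there, the host tunnel's Quick Mode will be rejected and the gateway will be back to the behaviour the original post describes.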
This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:35 CEST