RE: [Users] FreeSWAN+Netscreen interoperability Question. Itworks... but how ?

From: Aldo S. Lagana (alagana_at_discmail.com)
Date: Fri Oct 18 2002 - 23:06:38 CEST


We kind of had the same problem, but in our scenario all the IPSec
gateways were freeswan boxes. We came up with the theory that all we
really needed was access to one box at the 'other end', so we built
tunnels from LAN-BOX. The most we had to change was when there was
already a server occupying one of those IP addresses; then we changed
its IP to an unused one:

192.168.1.0 <--> 192.168.2.1
192.168.1.0 <--> 192.168.2.2
192.168.1.0 <--> 192.168.2.3

etc.

This says basically that anyone from 192.168.1.0 can connect to those
three 'servers' via separate tunnels using three separate IPSec
endpoints.

We did that all through ipsec.conf with the rightsubnet being the
server's IP address.

> -----Original Message-----
> From: users-admin_at_lists.freeswan.org
> [mailto:users-admin_at_lists.freeswan.org] On Behalf Of Corey Rogers
> Sent: Friday, October 18, 2002 10:54 AM
> To: Jordan Share
> Cc: users_at_lists.freeswan.org
> Subject: RE: [Users] FreeSWAN+Netscreen interoperability
> Question. Itworks... but how ?
>
>
> On Thu, 2002-10-17 at 19:37, Jordan Share wrote:
> > > -----Original Message-----
> > > From: Corey Rogers [mailto:corey_at_wamcodm.com]
> > > Sent: Wednesday, October 16, 2002 8:03 PM
> > > To: Jordan Share
> > > Cc: users_at_lists.freeswan.org
> > > Subject: RE: [Users] FreeSWAN+Netscreen interoperability
> > > Question.
> > > It works... but how ?
> > >
> > >
> > > On Wed, 2002-10-16 at 17:18, Jordan Share wrote:
> > > > What happens when you do try to set a specific subnet behind
> > > the Netscreen?
> > > >
> > > > Jordan
> > > >
> > > >
> > >
> > >
> > > In short, nothing. It fails at phase2 with the message:
> > >
> > > #6: max number of retransmissions (2) reached STATE_QUICK_I1. No
> > > acceptable response to our first Quick Mode message: perhaps peer
> > > likes no proposal
> > >
> > > When I use a subnet of 0.0.0.0/0 it works. But not when I use the
> > > subnet of the netscreens trusted side which in this case would be
> > > 10.201.11.0/24. I'm taking a guess that it requires the subnet to
> > > correspond to one of the addresses listed in the address table on
> > > the trusted side. However this hasn't worked as yet but
> > > still I have
> > > further to go.
> >
> > Well, what do the logs on the Netscreen say?
> >
> > I threw this together, based on an old post that I made:
> > http://debby.jwiz.org/~jshare/netscreen-and-freeswan.html
> >
> >
> > > Do you know how freeswan is able to route traffic through the
> > > correct tunnel if for example all the subnets at multiple remote
> > > locations are identical .. ie. for example 192.168.10.0/24?
> >
> > I am pretty sure that you can't have 2 routes to 2 subnets that are
> > different, but numbered the same. Generally
> > speaking, even,
> > regardless of whether freeswan is involved. How would you
> > know where
> > to send a packet to? If a ping starts on one machine, destined for
> > 192.168.10.1, how can you possibly know which 192.168.10.1
> > it should
> > go to, if you have more than one?
> >
> > Or am I completely misunderstanding your comment?
> >
> > Jordan
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users_at_lists.freeswan.org
> > http://lists.freeswan.org/mailman/listinfo/users
> >
>
> That's the question I'm asking. How do you tunnel to 2 or more
> networks all of which have similar subnets using 1 freeswan
> enabled machine. I'm sure there is a way, after all this is linux.
>
>
>
> --
> Corey Rogers
> Junior System Administrator
> Wamco Technology Group Ltd (Barbados)
> #3 Mahogany Court, Wildey, St. Michael
> Phone: (246)437-3154 FAX: (246)228-4319
>
>
> There's nothing remarkable about it. All one has to do is hit the
> right keys at the right time and the instrument plays itself ....
> ----- Johann Sebastian Bach -----
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
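As an added example, not taken from any of the posts above, here is a FreeS/WAN ipsec.conf fragment laying out the per-server tunnels Aldo describes: one conn per remote host, each with rightsubnet narrowed to that single server's address. The gateway addresses, conn names and the pre-shared-key authentication are assumptions for illustration.

```ini
# ipsec.conf, FreeS/WAN syntax. Added example: gateway addresses (documentation
# ranges), conn names and authby are assumed, not taken from the mailing-list posts.
config setup
        interfaces=%defaultroute

conn %default
        keyingtries=0
        authby=secret               # PSK for brevity; rsasig is the usual choice
        left=192.0.2.1              # our gateway (assumed)
        leftsubnet=192.168.1.0/24   # the whole LAN on our side, as in the post

# One tunnel per remote 'server', each terminating on its own IPSec endpoint.
# rightsubnet is a single host (/32), so the three policies never overlap
# even if the LANs behind the far gateways share the same numbering.
conn lan-to-srv1
        right=198.51.100.1          # first remote freeswan gateway (assumed)
        rightsubnet=192.168.2.1/32
        auto=start

conn lan-to-srv2
        right=198.51.100.2          # second remote gateway (assumed)
        rightsubnet=192.168.2.2/32
        auto=start

conn lan-to-srv3
        right=198.51.100.3          # third remote gateway (assumed)
        rightsubnet=192.168.2.3/32
        auto=start
```

Because each policy covers exactly one host, the far sites may keep identical 192.168.2.0/24 numbering as long as the three server addresses themselves are distinct, which is why the post mentions renumbering a host that already held one of them.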



This archive was generated by hypermail 2.1.5 : Sun Oct 20 2002 - 05:20:29 CEST