Re: [Users] automatic tunnels

From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Nov 27 2002 - 08:03:21 CET


-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 24 Nov 2002, Craig Taverner wrote:

> I'm interested in when a win2k/XP roadwarrior connects to one of my main
> office VPN machines (linux/freeswan), tunnels/route are automatically
> setup to all other offices so that the roadwarrior can access the entire
> WAN. I have some rather crude solutions to this, but I'd like to know if
> there is a neat and tidy way to do it.

I don't envy your situation. You've come up with some excellent answers,
however. #2 is the best.

I've got a crazy idea, however. Are Roadwarriors the only machines going to
connect to this first server? I wonder if there's a way to only MASQUERADE
packets, routed to the internal interface, which first came in from your
Roadwarriors? What I'm thinking is this: you could MASQUERADE them to a
fictitious IP, but one which you've already created static routes for on the
remote gateways you are concerned about, leading back to your first IPSEC
server.

However, I think I might be cracked, here. :) You don't want to masquerade all
the traffic coming in on your internal interface, only traffic from your
Roadwarriors. Hmm. Perhaps you could make an _updown script that takes this
into account? Let's say eth1 is your internal interface, and 192.168.0.73 is
the fake IP.

# SNAT traffic from the roadwarrior's client net as it leaves eth1 (the
# --to-source option belongs after -j SNAT; PLUTO_PEER_CLIENT_NET is the
# network address without mask, i.e. a single host for a roadwarrior)
/sbin/iptables -t nat -A POSTROUTING -o eth1 -s $PLUTO_PEER_CLIENT_NET \
    -j SNAT --to-source 192.168.0.73

Consider this brainstorming, and feel free to point out flaws if you see 'em.

- --
Sam Sgro
sam_at_freeswan.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBPeRuOkOSC4btEQUtAQEsMAP/Q5pvvRQywav9KFCRPsrWycE+CFGrmi+m
/i9u7VamRemnfHq/HkPA1q+sZli2W3+zGkrRw7czMK4wdEJHB/7aEQ34OehRI/VS
e9TO2JJafvCWJShAh2t800hqhXsbGQ7UlwttcXtUxTXK5dfJkgeqeWBdNh2LABNa
BRPeGcShdQU=
=tHOs
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
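As an added illustration of the _updown idea in the message above (example code, not from the original post or from FreeS/WAN itself): a small wrapper script that adds the SNAT rule when a roadwarrior's tunnel comes up (PLUTO_VERB=up-client), deletes it on down-client, and then chains to the stock _updown so routes are still handled. The interface eth1, the fake IP 192.168.0.73 and the PLUTO_* variables come from the post and the FreeS/WAN updown interface; the variable names INTERNAL_IF, FAKE_IP, IPTABLES and DEFAULT_UPDOWN and the default path /usr/local/lib/ipsec/_updown are assumptions made here, and IPTABLES defaults to a dry run that only echoes the command.

```shell
#!/bin/sh
# Added example, not the original poster's script or FreeS/WAN code.
# Assumed names: INTERNAL_IF, FAKE_IP, IPTABLES (echo for a dry run by
# default; set it to /sbin/iptables when installed as leftupdown=), and
# DEFAULT_UPDOWN (assumed location of the stock FreeS/WAN _updown script).

INTERNAL_IF="${INTERNAL_IF:-eth1}"                  # internal interface from the post
FAKE_IP="${FAKE_IP:-192.168.0.73}"                  # fictitious source IP from the post
IPTABLES="${IPTABLES:-echo /sbin/iptables}"         # dry run unless overridden
DEFAULT_UPDOWN="${DEFAULT_UPDOWN:-/usr/local/lib/ipsec/_updown}"  # assumed path

# Build the argument list for the SNAT rule.
#   $1 is -A (add) or -D (delete)
#   $2 is the peer client subnet in CIDR form (PLUTO_PEER_CLIENT in FreeS/WAN)
# The rule only matches packets leaving the internal interface whose source
# is the roadwarrior's client address, so other internal traffic is untouched.
snat_rule_args() {
    printf '%s' "-t nat $1 POSTROUTING -o $INTERNAL_IF -s $2 -j SNAT --to-source $FAKE_IP"
}

# Map PLUTO_VERB to an iptables action; every other verb needs no rule change.
verb_to_action() {
    case "$1" in
        up-client)   printf '%s\n' '-A' ;;
        down-client) printf '%s\n' '-D' ;;
        *)           printf '%s\n' '' ;;
    esac
}

# Apply the rule for one verb and client subnet.
# Returns 0 when a rule was added or deleted, 1 when the verb needs nothing.
apply_snat() {
    action=$(verb_to_action "$1")
    [ -n "$action" ] || return 1
    # Word splitting of both expansions is intentional here.
    $IPTABLES $(snat_rule_args "$action" "$2")
}

# When invoked by pluto (PLUTO_VERB is set), apply the rule and then hand
# over to the stock script so the usual route handling still happens.
if [ -n "${PLUTO_VERB:-}" ]; then
    apply_snat "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" || true
    [ -x "$DEFAULT_UPDOWN" ] && exec "$DEFAULT_UPDOWN" "$@"
fi
```

For a real deployment, point leftupdown= in ipsec.conf at this script, set IPTABLES=/sbin/iptables, and make sure the static routes for 192.168.0.73 on the remote gateways exist before bringing the roadwarrior connections up; the dry-run default lets the generated rule be inspected first.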



This archive was generated by hypermail 2.1.5 : Thu Nov 28 2002 - 05:20:52 CET