From: Gert.Vandelaer_at_medisearch-int.com
Date: Mon Dec 09 2002 - 16:23:49 CET
Hi all,
I've got several Linux boxes running CIPE for office-to-office VPNs, and they
run quite smoothly, but now I wanted to let remote users access the LAN too.
IPsec looked just perfect for this ...
I've gotten the Win2k box to talk with the Linux IPsec box just fine, but I'd
like the Win2k roadwarriors to access the LAN too ...
This I can't get to work ... I'm not quite sure I've set up everything
correctly, so here are my confs:
test setup: "192.168.102.0/24 = external", "192.168.0.0/24 = internal"
Linux-GW - ipsec.conf

config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces="ipsec0=eth1"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert

conn roadwarrior-net
    leftsubnet=192.168.102.0/24
    also=roadwarrior

conn roadwarrior
    right=%any
    left=192.168.102.1
    leftcert=testwin2k.pem
    auto=add
    pfs=yes
Win2K RoadWarrior - ipsec.conf

conn roadwarrior
    left=%any
    right=192.168.102.1
    rightca="C=BE,ST=blah,L=blah,O=blah,OU=blah,CN=blah,Email=gert.vandelaer_at_medisearch-int.com"
    network=auto
    auto=start
    pfs=yes

conn roadwarrior-net
    left=%any
    right=192.168.102.1
    rightsubnet=192.168.102.0/24
    rightca="C=BE,ST=blah,L=blah,O=blah,OU=blah,CN=blah,Email=gert.vandelaer_at_medisearch-int.com"
    network=auto
    auto=start
    pfs=yes
So I can ping 192.168.102.1 from the Win2k box fine (checked with "tcpdump -i
ipsec0") ... but when I try to ping 192.168.0.1 (which is the 2nd interface
on Linux-GW) from the Win2k box (after "route add 192.168.0.0 mask
255.255.255.0 192.168.102.10"), I can see on the Linux-GW that the
echo requests are coming in on "eth1" and the replies go back through
"ipsec0" ... but they don't arrive back on the Win2k box (Request timed out).
So I assume that the Win2k box routes its packets for foreign networks not via
IPsec, but just through the regular route.
I'm still in the process of figuring out the syntax of "ipsec", but it
seems that "left/rightnexthop" is the way to configure the LAN behind the
IPsec gateway ... but I'm not quite sure how to use them ... yet.
I'm also exploring the dhcp-relay option ...
I'll keep you guys updated (if interested at all).
But I just thought this might be an interesting issue that hasn't been
addressed yet.
Bye,
Gert
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
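A quick way to see which traffic a FreeS/WAN gateway config would actually protect is to expand each conn (its `also=` chain plus `conn %default`) and check the resulting left/right selectors against the addresses the roadwarrior is trying to reach. The checker below is an added example, not code from Gert's mail or from the FreeS/WAN project; it parses a copy of the Linux-GW ipsec.conf quoted above (comments trimmed, constructed inline) and reports, for 192.168.102.1 and for 192.168.0.1 on the internal LAN, which conn's selector covers that destination. It assumes, as ipsec.conf(5) describes, that a section's own parameters override those pulled in with `also=`, and it treats a conn with no `leftsubnet` as protecting only the `left` host itself.

```python
# Added example: expand FreeS/WAN ipsec.conf conns and report which conn
# selects traffic for a destination. Not from the mail or the FreeS/WAN project.
import ipaddress

# Constructed copy of the Linux-GW ipsec.conf quoted in the mail (comments trimmed).
LINUX_GW_CONF = """\
config setup
    interfaces="ipsec0=eth1"
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes
conn %default
    keyingtries=1
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
conn roadwarrior-net
    leftsubnet=192.168.102.0/24
    also=roadwarrior
conn roadwarrior
    right=%any
    left=192.168.102.1
    leftcert=testwin2k.pem
    auto=add
    pfs=yes
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}. 'config setup' is stored as 'setup';
    every also= line of a section is collected in the list under 'also'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and blank lines
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(name.strip() if kind == "conn" else "setup", {})
            continue
        if current is None:
            raise ValueError("parameter outside any section: %r" % raw)
        key, _, value = line.strip().partition("=")   # first '=' only; rightca values contain '='
        key, value = key.strip(), value.strip().strip('"')
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return sections

def resolve_conn(sections, name, _seen=frozenset()):
    """Merge a conn with its also= sections (recursively) and with conn %default.
    Assumption (per ipsec.conf(5)): the referencing section's own values win."""
    if name in _seen:
        raise ValueError("also= cycle through %s" % name)
    own, merged = sections[name], {}
    for included in own.get("also", []):
        for key, value in resolve_conn(sections, included, _seen | {name}).items():
            merged.setdefault(key, value)
    merged.update({k: v for k, v in own.items() if k != "also"})
    for key, value in sections.get("%default", {}).items():
        if key != "also":
            merged.setdefault(key, value)
    return merged

def _selector(conn, side):
    """Network protected on one side: <side>subnet if set, else the <side> host
    alone; None when the host is unset or a %-keyword such as %any."""
    if conn.get(side + "subnet"):
        return ipaddress.ip_network(conn[side + "subnet"], strict=False)
    host = conn.get(side, "")
    if host and not host.startswith("%"):
        return ipaddress.ip_network(host + "/32")
    return None

def _conn_names(sections):
    return [n for n in sections if n not in ("setup", "%default")]

def conns_for_destination(sections, dest, side="left"):
    """Names of conns whose <side> selector covers dest; an empty list means
    the gateway has no conn that would carry that traffic."""
    dest = ipaddress.ip_address(dest)
    return [n for n in _conn_names(sections)
            if (net := _selector(resolve_conn(sections, n), side)) is not None and dest in net]

def lan_is_covered(sections, lan, side="left"):
    """True if some conn's <side> selector contains the whole LAN."""
    lan = ipaddress.ip_network(lan, strict=False)
    for n in _conn_names(sections):
        net = _selector(resolve_conn(sections, n), side)
        if net is not None and lan.subnet_of(net):
            return True
    return False

if __name__ == "__main__":
    conf = parse_ipsec_conf(LINUX_GW_CONF)
    for ip in ("192.168.102.1", "192.168.0.1"):
        print(ip, "->", conns_for_destination(conf, ip) or "no conn selects this traffic")
    print("internal LAN 192.168.0.0/24 covered:", lan_is_covered(conf, "192.168.0.0/24"))
```

Run against the quoted gateway config, the external address 192.168.102.1 is selected by both conns, while 192.168.0.1 matches none and the internal 192.168.0.0/24 is not contained in any conn's left selector: the only subnet the gateway advertises is the external 192.168.102.0/24, so there is no SA under which replies for the internal LAN could return to the roadwarrior, whatever route the Win2k side adds.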
This archive was generated by hypermail 2.1.5 : Wed Dec 11 2002 - 05:21:06 CET