From: Sam Sgro (sam_at_freeswan.org)
Date: Mon Dec 09 2002 - 18:18:04 CET
-----BEGIN PGP SIGNED MESSAGE-----
On Mon, 9 Dec 2002 Gert.Vandelaer_at_medisearch-int.com wrote:
> So I can ping the 192.168.102.1 from Win2k fine, checked with tcpdump -i
> ipsec0 ... but when I try to ping the 192.168.0.1 (which is 2nd interface
> on Linux-GW) from the Win2k (after "route add 192.168.0.0 mask
> 255.255.255.0 192.168.102.10") I can see on the Linux-GW that the
> 'echo-requests' is coming in on "eth1" and the replies go back through
> "ipsec0" ... but they don't arrive back on the Win2k (Request timed out)
>
That's because ipsec routing is more complex than simply adding a kernel
route. You need to add an entry to the SPD, an "eroute", by authorizing an
additional tunnel.
On the FS gateway:
> conn roadwarrior-net
> leftsubnet=192.168.102.0/24
> also=roadwarrior
Did you intend to protect the "external" subnet with this connection? You've
authorized communications between your roadwarriors and 1) the gateway, via
the "roadwarrior" conn and 2) the 192.168.102.0/24 subnet, via the
"roadwarrior-net" conn.
Think about the "leftsubnet" parameter as being the machine(s) you wish to
communicate with securely. If you leave it blank, then you want the gateway
itself protected.
Regardless of your intent with the conn above, you can authorize
192.168.0.0/24 by adding this new tunnel definition:
conn roadwarrior-net2
leftsubnet=192.168.0.0/24
also=roadwarrior
> conn roadwarrior
> right=%any
> left=192.168.102.1
> leftcert=testwin2k.pem
> auto=add
> pfs=yes
>
> Win2K RoadWarrior - ipsec.conf
> conn roadwarrior
> left=%any
> right=192.168.102.1
> rightca="C=BE,ST=blah,L=blah,O=blah,OU=blah,CN=blah,Email=gert.vandelaer_at_medisearch-int.com"
> network=auto
> auto=start
> pfs=yes
>
> conn roadwarrior-net
> left=%any
> right=192.168.102.1
> rightsubnet=192.168.102.0/24
> rightca="C=BE,ST=blah,L=blah,O=blah,OU=blah,CN=blah,Email=gert.vandelaer_at_medisearch-int.com"
> network=auto
> auto=start
> pfs=yes
and here, do the same:
conn roadwarrior-net2
left=%any
right=192.168.102.1
rightsubnet=192.168.0.0/24
rightca="C=BE,ST=blah,L=blah,O=blah,OU=blah,CN=blah,Email=gert.vandelaer_at_medisearch-int.com"
network=auto
auto=start
pfs=yes
- --
Sam Sgro
sam_at_freeswan.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.
iQCVAwUBPfTQTkOSC4btEQUtAQEXUQP/dwLey+5cZ7QE111sQPgV4gavlGmv5iS5
IlXFvOVTZXTLl1As8z6G+Xxj1/UdLmBG86R7/Co3fSl9fpq+N8yWm/vtYCL8ObyK
6znHQplj9k+aQKvC1Nc28JyxC6v+6+Y+c4JW3rWT8RgcHcnksx6b2W1QvVlq+DsD
at1YICyM9f4=
=Shrd
-----END PGP SIGNATURE-----
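The SPD point Sam makes above (a kernel route is not an eroute; only a conn whose subnets cover the traffic gives the gateway a policy for it), as an added example that is not part of this thread and not FreeS/WAN code. It parses a small ipsec.conf-style text modelled on the gateway conns quoted above, resolves also= inheritance with the section's own values winning (as ipsec.conf(5) describes), turns each conn into its (local subnet, remote subnet) selector pair, and reports which conn would carry a reply from 192.168.0.1 back to the roadwarrior. The roadwarrior address 10.1.2.3, the config text, and the "most specific pair wins" lookup rule are assumptions made for this model.

```python
"""Added example (not from the thread or from FreeS/WAN): model conn sections
as SPD selectors and ask which eroute, if any, carries a given packet."""
import ipaddress
import re

# Constructed gateway-side config, modelled on the conns quoted in the thread;
# roadwarrior-net2 is the tunnel Sam proposes adding.
GATEWAY_CONF = """
config setup
    interfaces=%defaultroute

conn roadwarrior
    right=%any
    left=192.168.102.1
    leftcert=testwin2k.pem
    auto=add
    pfs=yes

conn roadwarrior-net
    leftsubnet=192.168.102.0/24
    also=roadwarrior

conn roadwarrior-net2
    leftsubnet=192.168.0.0/24
    also=roadwarrior
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")


def parse_conf(text):
    """Return {conn_name: {param: value}}; `also=` is kept as a list of names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header and not line[0].isspace():
            # Only conn sections matter here; "config setup" is skipped.
            current = sections.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return sections


def resolve(sections, name, seen=()):
    """Merge also= sections into `name`; the section's own values take precedence."""
    if name in seen:
        raise ValueError("also= loop through %s" % name)
    own = sections[name]
    merged = {}
    for parent in own.get("also", []):
        merged.update(resolve(sections, parent, seen + (name,)))
    merged.update((k, v) for k, v in own.items() if k != "also")
    return merged


def selectors(params, peer_ip):
    """The (local, remote) subnet pair that becomes this conn's SPD entry.

    A blank leftsubnet means the gateway host itself (/32). right=%any is
    filled in with the roadwarrior's address once it has connected.
    """
    left = params["left"]
    local = ipaddress.ip_network(params.get("leftsubnet") or "%s/32" % left, strict=False)
    right = peer_ip if params.get("right", "%any") == "%any" else params["right"]
    remote = ipaddress.ip_network(params.get("rightsubnet") or "%s/32" % right, strict=False)
    return local, remote


def build_spd(text, peer_ip, conns=None):
    """List of (conn, local_net, remote_net) for the conns that are up."""
    sections = parse_conf(text)
    names = conns if conns is not None else list(sections)
    return [(n,) + selectors(resolve(sections, n), peer_ip) for n in names]


def find_eroute(spd, src, dst):
    """Return the conn whose selectors cover src -> dst, or None.

    The most specific matching pair wins (an assumption made for this model).
    A plain kernel route to dst does nothing here: with no eroute the gateway
    has no policy for the packet, which is the symptom in the thread.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [(l.prefixlen + r.prefixlen, n) for n, l, r in spd if s in l and d in r]
    return max(hits)[1] if hits else None


if __name__ == "__main__":
    peer = "10.1.2.3"  # constructed roadwarrior address
    before = build_spd(GATEWAY_CONF, peer, conns=["roadwarrior", "roadwarrior-net"])
    after = build_spd(GATEWAY_CONF, peer)
    for label, spd in (("before", before), ("after", after)):
        print(label, "eroute for 192.168.0.1 ->", peer, ":", find_eroute(spd, "192.168.0.1", peer))
```

Run as-is, the "before" case (only roadwarrior and roadwarrior-net up) finds no eroute for the reply from 192.168.0.1, matching the time-out Gert saw, while the "after" case selects roadwarrior-net2. The same model also shows why the gateway's own address picks the host-to-host roadwarrior conn rather than roadwarrior-net: both cover it, but the /32 pair is more specific.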
This archive was generated by hypermail 2.1.5 : Tue Dec 10 2002 - 05:21:07 CET