From: Gert.Vandelaer_at_medisearch-int.com
Date: Tue Dec 10 2002 - 12:40:57 CET
Hya ;-)
>That's because ipsec routing is more complex then simply adding a kernel
>route. You need to add an entry to the SPD, an "eroute", by authorizing an
>additional tunnel.
Ahaa, I see ... I figured something like this, but I wasn't clear on
whether or not there was a virtual ipsec interface needed on the Win2k
in the LAN range of the LinuxFS.
>On the FS gateway:
> conn roadwarrior-net
> leftsubnet=192.168.102.0/24
> also=roadwarrior
So this section allows incoming ipsec clients to access the
192.168.102.0/24 network, right?
But it's allowed already by the "conn roadwarrior" section you say, so
there is no explicit "leftsubnet=wan-ip-mask" necessary, I know now.
>Did you intend to protect the "external" subnet with this connection?
My only intention is that "road warriors" get access to the LAN behind the
firewall, but I figured that on the Win2k there would be a virtual
interface that I needed to provide with an IP via dhcprelay ... but that
doesn't seem to be the case, because I can't see any "ipsec" interface on
the Win2k after "ipsec.exe" is started.
I'm not clear on the purpose of dhcprelay at all now ... but I guess that's
another issue.
>You've authorized communications between your roadwarriors and 1) the
>gateway, via the "roadwarrior" conn and 2) the 192.168.102.0/24 subnet, via the
>"roadwarrior-net" conn.
Ok, I think I got that part.
>Think about the "leftsubnet" parameter as being the machine(s) you wish to
>communicate securely. If you leave it blank, then you want the gateway
>itself protected.
>Regardless of your intent with the conn above, you can authorize
>192.168.0.0/24 by adding this new tunnel definition:
Great, just what I needed ...
everything is working just fine now, thnx to the great explanation from
you.
The only thing left now is creating a batch file for the Win2k road
warriors to start up the ipsec, probably adding a "ping -n 10 linuxFS" too
... and a passphrase on the pk12 key for Win2k, but that's just finishing
up ;-)
Cya,
Gert
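For readers following the thread, here is an ipsec.conf fragment for the Linux gateway in the shape the quoted reply describes. It is an added illustration, not text from the thread or from the FreeS/WAN project; the %defaultroute setting, the certificate file name and the "roadwarrior-lan" conn name are assumptions.

```conf
# Added illustration (not from the thread): FreeS/WAN ipsec.conf on the gateway.
# Assumptions: X.509 patch in use, gateway address via %defaultroute,
# certificate file name gatewayCert.pem.
config setup
        interfaces=%defaultroute

# Settings shared by every conn below.
conn %default
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

# Same road warrior peers, extended with an "eroute" to the 192.168.102.0/24 LAN.
# The section named in also= must appear later in the file, so the base
# "roadwarrior" conn is placed last.
conn roadwarrior-net
        leftsubnet=192.168.102.0/24
        also=roadwarrior

# A second tunnel definition that also authorizes the 192.168.0.0/24 subnet
# (conn name is an assumption).
conn roadwarrior-lan
        leftsubnet=192.168.0.0/24
        also=roadwarrior

# Road warriors talking to the gateway itself: leftsubnet is left blank,
# so only the gateway's own address is protected by this conn.
conn roadwarrior
        left=%defaultroute
        leftcert=gatewayCert.pem
        right=%any
        auto=add
```

Each conn that names a leftsubnet adds its own SPD entry (eroute) for that subnet; adding a kernel route alone would not do that.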
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Wed Dec 11 2002 - 05:21:06 CET