From: Sam Sgro (sam_at_freeswan.org)
Date: Sun Dec 29 2002 - 05:45:31 CET
On Thu, 26 Dec 2002 bruceablk_at_ida.net wrote:
> Dear List,
>
> I tried to get FreeS/WAN working with both SSH Sentinel and Windows 2000
> ipsec according to Nate Carlson's how to. If I don't get this working I am
> going to have to fall back on a commercial solution such as Cisco or Sonic
> Wall. I would really like to use FreeS/WAN + X.509.
>
> My log indicates that an SA is established for ISAKMP and IPsec. However I
> cannot get to any resources. FreeS/WAN is not my gateway for the
> workstations on my LAN, would that matter?

Yes - a great deal. Unless responses for the opposite subnet know to return
via the FS gateway, they will not be addressed as such. Responses will go to
your default gateway instead.

Just to clarify - "111.222.333.61" - does this represent a public IP? If so,
does this mean you have multiple gateways onto your LAN? (i.e., you've got a
small public subnet, and a larger NAT'ed LAN behind it?)

Okay, brainstorming time... given that you have Roadwarriors... this could be
messy. You can never predict where the RW's will be coming from - thus, you
can't reliably route on the LAN's default gateway for them! You could consider
the use of Virtual IPs - an SSH Sentinel feature. However, you do want to use
Windows 2k...

Here is another option. Recently, Peter Roes posted a very detailed
description of how one could identify Roadwarriors locally via the creative
use of DNS, updown scripts, etc. The upshot is - you can assign virtual IPs to
your Roadwarriors without them actually having to have the client-side
capability. Assign them a separate, non-routable subnet, and have your
default gateway route packets for that subnet via your IPSec gateway.

http://lists.freeswan.org/pipermail/users/2002-December/016859.html

--
Sam Sgro
sam_at_freeswan.org
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
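
The return-path problem discussed in the reply above, as an added example that is not part of the original thread: a small longest-prefix-match model showing where a LAN workstation's reply to a roadwarrior goes with and without a route for a dedicated roadwarrior subnet on the default gateway. All addresses, the subnet 10.99.0.0/24 and the function names are constructed assumptions.

```python
import ipaddress

# All addresses are constructed for this example (assumptions, not from the post).
DEFAULT_GW = "192.168.1.1"       # LAN default gateway
FREESWAN_GW = "192.168.1.2"      # FreeS/WAN box, not the default gateway
RW_VIRTUAL_NET = "10.99.0.0/24"  # separate non-routable subnet for roadwarriors

HOST_ROUTES = [("192.168.1.0/24", "on-link"), ("0.0.0.0/0", DEFAULT_GW)]
GW_ROUTES = [("192.168.1.0/24", "on-link"), ("0.0.0.0/0", "upstream")]
# The one static route suggested in the reply, added on the default gateway.
GW_ROUTES_FIXED = GW_ROUTES + [(RW_VIRTUAL_NET, FREESWAN_GW)]


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reply_path(gw_routes, rw_addr):
    """Hops taken by a LAN workstation's reply to a roadwarrior address."""
    path = [next_hop(HOST_ROUTES, rw_addr)]
    if path[0] == DEFAULT_GW:
        path.append(next_hop(gw_routes, rw_addr))
    return path


def returns_via_tunnel(gw_routes, rw_addr):
    """True only if the reply is handed to the IPsec gateway."""
    return reply_path(gw_routes, rw_addr)[-1] == FREESWAN_GW


if __name__ == "__main__":
    cases = [
        ("RW public IP, no route", GW_ROUTES, "203.0.113.45"),
        ("RW public IP, other ISP", GW_ROUTES, "198.51.100.7"),
        ("RW virtual IP, no route", GW_ROUTES, "10.99.0.5"),
        ("RW virtual IP, with route", GW_ROUTES_FIXED, "10.99.0.5"),
    ]
    for label, routes, addr in cases:
        print(f"{label:28} {addr:14} {reply_path(routes, addr)} "
              f"tunnel={returns_via_tunnel(routes, addr)}")
```

Only the last case hands the reply to the IPsec gateway; replies addressed to a roadwarrior's public IP follow the default route and never re-enter the tunnel, whichever network the client happens to be on.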
This archive was generated by hypermail 2.1.5 : Thu Jan 02 2003 - 05:21:05 CET