Michael D. Schleif wrote:
"Michael D. Schleif" wrote:

<snip />

conn %default
        authby=rsasig
        auto=start
        # keyexchange=ike
        keyingtries=0
        # keylife=8h
        left=%defaultroute
        leftfirewall=yes
        [EMAIL PROTECTED]
        leftrsasigkey=_secret_key_for_other_vpns_
        ### leftsubnet=192.168.11.0/24
        ### leftsubnet=192.168.8.0/21
While we are here, *how* is it possible to define multiple (read, more
than one) subnets at leftsubnet= ?

In our case, we currently have:

	192.168.11.0/24
	192.168.12.0/24
	192.168.13.0/24
More details to come, but it's the weekend, and I'm on my way to a 10K run...

The above problem is very simple. You have a few options:

1) You can expand the leftsubnet definition to include all your networks. In the above case, you would have to use the 192.168.8.0/21 network specification you already have entered and commented out. Note that this includes several additional /24 networks which may or may not cause a problem. As always, proper subnetting and IP allocations can make life a lot easier...

2) Create multiple tunnels, one for each subnet. You will wind up with several connection descriptions in your ipsec.conf file, which can be greatly simplified by making appropriate use of the default parameters section and possibly some of the include functionality.

3) Combine the two approaches. In your case, you could create two connection descriptions instead of three by using:
192.168.11.0/24
192.168.12.0/23

I'm still digesting your previous post, and will provide more comments later today. To clarify, it looks like your VPN link is being made with the Cisco, rather than the Dicom box [B] as I had previously thought...is this correct?

Also, it *IS* possible to do Masquerading prior to the IPSec tunnel:
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/firewall.html#NAT

You'll probably also want to keep the IPSec packet flow in mind when planning network architecture:
http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00006.html

Note that packets *DO* pass through the forward chain before hitting the ipsecN interface and getting encrypted. Also note that any packets hitting an ipsecN interface that *DO NOT* match an existing SA will be silently DROPPED.

--
Charles Steinkuehler
[EMAIL PROTECTED]
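As an added illustration of the three options in the reply above (this is not code from the thread or from the FreeS/WAN project), the script below takes the three /24 networks from the question and works out, with the standard library's ipaddress module: the single covering block for option 1 together with the extra address space that block would pull into the tunnel, the one-conn-per-subnet list for option 2, and the minimal set of aggregated blocks for option 3. The WANTED list and the rightsubnet value are constructed inputs; the conn names it prints are assumptions, and the printed sections rely on a conn %default stanza (as in the quoted ipsec.conf) for everything except the subnets.

```python
"""Work out leftsubnet= strategies for a set of /24 networks behind one gateway.

Added example, not from the leaf-user thread or the FreeS/WAN documentation.
"""
import ipaddress
from typing import List

# Constructed input: the three subnets from the question.
WANTED = ["192.168.11.0/24", "192.168.12.0/24", "192.168.13.0/24"]


def parse(nets: List[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings strictly, so a host bit set in the prefix is an error."""
    return [ipaddress.ip_network(n, strict=True) for n in nets]


def single_supernet(nets: List[str]) -> ipaddress.IPv4Network:
    """Option 1: the smallest single CIDR block that covers every subnet."""
    parsed = parse(nets)
    block = parsed[0]
    while not all(n.subnet_of(block) for n in parsed):
        block = block.supernet()  # widen by one bit until everything fits
    return block


def extras_in_supernet(nets: List[str]) -> List[ipaddress.IPv4Network]:
    """Address space option 1 admits into the tunnel that was never asked for.

    This is the caveat in the reply: 192.168.8.0/21 covers several /24s
    beyond the three wanted ones.
    """
    remaining = [single_supernet(nets)]
    for wanted in parse(nets):
        carved = []
        for piece in remaining:
            if wanted.subnet_of(piece):
                carved.extend(piece.address_exclude(wanted))
            else:
                carved.append(piece)
        remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))


def one_per_subnet(nets: List[str]) -> List[ipaddress.IPv4Network]:
    """Option 2: one tunnel (conn section) per subnet, unchanged."""
    return sorted(parse(nets))


def minimal_aggregates(nets: List[str]) -> List[ipaddress.IPv4Network]:
    """Option 3: merge adjacent blocks where possible, e.g. 12/24 + 13/24 -> 12/23."""
    return sorted(ipaddress.collapse_addresses(parse(nets)))


def render_conns(name: str, subnets: List[ipaddress.IPv4Network], right_subnet: str) -> str:
    """Emit ipsec.conf conn sections; everything else is inherited from conn %default.

    The conn naming scheme and right_subnet are assumptions for this example.
    """
    lines = []
    for i, sn in enumerate(subnets):
        lines.append(f"conn {name}-{i}")
        lines.append(f"        leftsubnet={sn}")
        lines.append(f"        rightsubnet={right_subnet}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    block = single_supernet(WANTED)
    print(f"Option 1: leftsubnet={block}")
    print("  also admits:", ", ".join(str(n) for n in extras_in_supernet(WANTED)))
    print("Option 2:")
    print(render_conns("site", one_per_subnet(WANTED), "10.1.0.0/16"))
    print("Option 3:")
    print(render_conns("site", minimal_aggregates(WANTED), "10.1.0.0/16"))
```

Running it shows the trade-off directly: option 1 needs one conn but also tunnels 192.168.8.0/23, 192.168.10.0/24 and 192.168.14.0/23, option 2 needs three conns, and option 3 gets down to two (192.168.11.0/24 and 192.168.12.0/23) with no unwanted address space. Before widening a leftsubnet, check that none of those extra networks already exist elsewhere on either side, since traffic for them would be pulled into the tunnel.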
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html