Charles Steinkuehler wrote:
>
> Michael D. Schleif wrote:
> > "Michael D. Schleif" wrote:
> >
> > <snip />
> >
> >> conn %default
> >> authby=rsasig
> >> auto=start
> >> # keyexchange=ike
> >> keyingtries=0
> >> # keylife=8h
> >> left=%defaultroute
> >> leftfirewall=yes
> >> [EMAIL PROTECTED]
> >> leftrsasigkey=_secret_key_for_other_vpns_
> >> ### leftsubnet=192.168.11.0/24
> >> ### leftsubnet=192.168.8.0/21
> >
> > While we are here, *how* is it possible to define multiple (read, more
> > than one) subnets at leftsubnet= ?
> >
> > In our case, we currently have:
> >
> > 192.168.11.0/24
> > 192.168.12.0/24
> > 192.168.13.0/24
>
> More details to come, but it's the weekend, and I'm on my way to a 10K
> run...
Great! We really appreciate your participation in this interesting
dilemma.

> The above problem is very simple. You have a few options:
>
> 1) You can expand the leftsubnet definition to include all your
> networks. In the above case, you would have to use the 192.168.8.0/21
> network specification you already have entered and commented out. Note
> that this includes several additional /24 networks which may or may not
> cause a problem. As always, proper subnetting and IP allocations can
> make life a lot easier...

Yes, this works for the other tunnels; and, yes, better subnet design
upfront would have made this easier -- O, hindsight ;>

> 2) Create multiple tunnels, one for each subnet. You will wind up with
> several connection descriptions in your ipsec.conf file, which can be
> greatly simplified by making appropriate use of the default parameters
> section and possibly some of the include functionality.
>
> 3) Combine the two approaches. In your case, you could create two
> connection descriptions instead of three by using:
> 192.168.11.0/24
> 192.168.12.0/23

I was wondering if there was a way to define
leftsubnet=_a_string_of_many_disparate_networks_ -- apparently not?

> I'm still digesting your previous post, and will provide more comments
> later today. To clarify, it looks like your VPN link is being made with
> the Cisco, rather than the Dicom box [B] as I had previously
> thought...is this correct?

Yes, the Cisco is doing the ipsec.

> Also, it *IS* possible to do Masquerading prior to the IPSec tunnel:
> http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/firewall.html#NAT

Unfortunately, Andre wants us to do "ipsec before nat" or "nat between
gateways".

By-the-by, the reason that the /21 subnet is commented out is this
link's suggestion: "omit the leftsubnet= parameter".
> You'll probably also want to keep the IPSec packet flow in mind when
> planning network architecture:
> http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00006.html

Yes, duly noted.

> Note that packets *DO* pass through the forward chain before hitting the
> ipsecN interface and getting encrypted. Also note that any packets
> hitting an ipsecN interface that *DO NOT* match an existing SA will be
> silently DROPPED.

OK.

-- 
Best Regards,

mds
mds resource
888.250.3987
Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much
we think we know. The more I know, the more I know I don't know . . .

leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
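The three options Charles lays out (one wide /21, one conn per subnet, or the minimal exact set 11.0/24 + 12.0/23) can be worked through mechanically. The script below is an added example, not code from the thread or from FreeS/WAN: it computes the exact minimal cover, the single covering supernet and the /24s that supernet would needlessly let through the tunnel selector, then emits per-block conn stanzas that inherit from conn %default. The conn names, the peer address 203.0.113.1 and the right-hand subnet 10.0.0.0/24 are placeholders.

```python
import ipaddress
from typing import Iterable

# Local subnets quoted in the thread (constructed sample input).
LOCAL_SUBNETS = ["192.168.11.0/24", "192.168.12.0/24", "192.168.13.0/24"]


def minimal_cover(cidrs: Iterable[str]) -> list[str]:
    """Option 3: the fewest CIDR blocks that cover exactly these subnets
    and nothing else (12.0/24 + 13.0/24 merge into 12.0/23; 11.0/24 stays)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_supernet(cidrs: Iterable[str]) -> str:
    """Option 1: widen the first block until every subnet fits inside it."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return str(cand)


def extra_networks(cidrs: Iterable[str], granularity: int = 24) -> list[str]:
    """Charles's caveat on option 1: the /24s inside the supernet that were
    never requested but would now match the tunnel's traffic selector."""
    wanted = [ipaddress.ip_network(c) for c in cidrs]
    big = ipaddress.ip_network(single_supernet(cidrs))
    return [str(s) for s in big.subnets(new_prefix=granularity)
            if not any(s.subnet_of(w) for w in wanted)]


def conn_stanzas(cidrs: Iterable[str], right_subnet: str, peer: str) -> str:
    """Options 2/3: one conn per covering block. Everything shared (authby,
    left, leftrsasigkey, ...) is assumed to live in conn %default, so each
    stanza only carries the selector that differs. Names are made up."""
    stanzas = []
    for i, block in enumerate(minimal_cover(cidrs), start=1):
        stanzas.append(f"conn tunnel{i}\n"
                       f"\tleftsubnet={block}\n"
                       f"\tright={peer}\n"
                       f"\trightsubnet={right_subnet}\n")
    return "\n".join(stanzas)


if __name__ == "__main__":
    print("option 3, exact cover: ", minimal_cover(LOCAL_SUBNETS))
    print("option 1, one block:   ", single_supernet(LOCAL_SUBNETS))
    print("  would also admit:    ", extra_networks(LOCAL_SUBNETS))
    print(conn_stanzas(LOCAL_SUBNETS, "10.0.0.0/24", "203.0.113.1"))
```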