[Swan] routing across two tunnels
Bob Miller
bob at computerisms.ca
Sun Jun 7 03:23:26 EEST 2015
Hi,
I am not sure if I am being dense and not seeing what is there, or if
what I am looking for really isn't there.
I have a firewall running libreswan that has an ipsec/psk net2net tunnel
configured between it and a sonicwall device. This firewall also has
multiple road warriors connecting to the local network behind it.
Remote Windows machines are configured with IKEv2.
The gist:
192.168.0.0/24(sonicwall)<=>ETH0:libreswan:ETH1<=>192.168.25.0(LAN)
10.25.0.0/24(roadwarriors)<=^ ^=>Internet
Each segment works fine:
remotelan<=>LAN, RW<=>LAN, Internet<=>LAN works great.
RW<=>LAN, RW<=>Internet works great.
remotelan<=>Internet doesn't work, which is great.
Now I want the roadwarriors to access the remote lan, but I can't seem
to figure it out.
It happens I have another identical situation, with the singular
difference that the road warriors are connecting via l2tp. I have tried
to get the same thing working on that one in the hopes that something
about l2tp would magically work and grant me understanding.
I have been at it for a while now; it would be tough to list all I have
done, but generally I started at iptables, thinking it would be a simple
forwarding thing. I made sure I wasn't NATing my traffic, forward
rules are in place, etc. Maybe there is a problem there, but I don't
see it if there is.
Next I played with left/rightsubnets (as opposed to singular subnet) as
per what I found in the ipsec.conf man page. I think I tried every
combination at least twice, but nothing changed there.
I looked through more of the docs. I found passthrough conns, which
seem like what I might want, but the only examples I can find are for
extruded subnets, where one side is a smaller subset of a larger subnet
on the other side. Regardless, I tried a bunch of ways to make that work
but had no success. I also looked through the multi-net examples, but those
seem related to KLIPS, and I think I need to find and study the context
of those examples to get value from them...
On Google, I found a limited number of posts that discuss the topic. In
the posts that seemed relevant, I could follow the discussion, but in no
case could I translate the examples to a working config on this firewall.
I am not afraid to read and try and figure it out on my own, but I don't
think I am reading the right stuff, or if I am, I haven't recognized it
yet. Could someone kindly point me at the definitive thing I need to
read and understand to achieve my goal?
--
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca