
Routing between IPSEC tunnels, additional subnets?

Heya guys, was hoping there might be some FreeS/WAN gurus trolling the forums.  I am trying to establish some routing between two IPSEC tunnels and have found this is not as straightforward as I would have hoped.  I have posted on this topic before, but will hopefully get better results this time.  Does anybody know how to specify additional subnet routes and point them down specific tunnels?  Surely this scenario would also cover anybody running additional subnets behind a router that would like to get to the far end of a tunnel as well.  Any ideas?  I have been looking through the ipsec.conf file as well as the FreeS/WAN project site in hopes of finding some way of adding these additional routes...is this really that tricky?  Initially I was attempting simple device routes from the command line as such:

route add -net 10.10.10.0 netmask 255.255.255.0 gw 10.10.1.1 dev ipsec0

but quickly realized this would do absolutely nothing for me as I have no way of specifying the actual tunnel to route this traffic through.

HELP!  I just don't figure that this should be that hard...any superhero ipsec junkies out there??

PS If it matters at all, all Astaro boxen affected are V5.017


  • Well, it would appear that I have posted too soon.  After some more digging at the FreeS/WAN project site, I found the exact scenario I am having, as well as the suggested config.  For the benefit of anybody else running into this issue, I will post the suggested config. This is straight from the project site at:

    http://www.freeswan.org/freeswan_trees/freeswan-2.06/doc/adv_config.html#adv_config

    Here is the text of the site:

    ----------------------------------------
    For example, one user recently asked on a mailing list about this network configuration:

            netA---gwA---gwB---netB
                                |----netC

       netA and B are secured netC not.
       netA and gwA can not access netC

    The user had constructed only one tunnel, netA to netB, and wanted to know how to use ip-route to get netC packets into it. This is entirely unnecessary. One of the replies was:

      The simplest way and indeed the right way to
      solve this problem is to set up two connections:

            leftsubnet=NetA
            left=gwA
            right=gwB
            rightsubnet=NetB
      and
            leftsubnet=NetA
            left=gwA
            right=gwB
            rightsubnet=NetC

    This would still be correct even if we added nets D, E, F, ... to the above diagram and needed twenty tunnels.

    -------------------------------------

    So, it would appear that in order to get additional subnets working, you should create another tunnel with the additional subnet as the "remote subnet" within the IPSEC connection config.  I have done this and have not yet been able to get it to work (I'm still trying to route between tunnels, not just an additional subnet behind the firewall), but this may answer the question for somebody else.

    If anyone else has anything to add to this, it would be of great interest.  =)
  • Quick followup post:

    The routing between the two IPSEC tunnels is now working, using the solution I posted previously.  This is definitely the solution for anybody else in the same situation, although for any situation with multiple endpoints and multiple subnets behind each endpoint, or just the need for any ipsec endpoint to reach any other ipsec endpoint, this solution scales very very badly.  Any new endpoint will require an additional tunnel on that endpoint for each pre-existing endpoint, as well as on all of the other endpoints.

    Can anyone say...nightmare?  A solution allowing one to simply add a route to a remote gw (only reachable via the tunnel) would be much more elegant, as well as simple in regards to administration.  This does not seem to be possible with FreeS/WAN.

    On the other hand, as long as the subnets on all of the remote endpoints were able to be covered beneath a single netmask (i.e., all subnets were within the 10.X.X.X reserved space), then a single tunnel would be possible, with the remote subnet in the policy being defined as 255.X.X.X.

    Ok, enough rambling.  I was just excited to finally get this working.  

  • Yes, it's a nightmare...!

    Do you have a solution after more than 13 years?

    We do have an IPsec tunnel between Site A and Site B with 11 networks at Site A and 7 networks at Site B.

    The UTM at Site A therefore builds a tunnel with 77 SAs (11 x 7) - every local network can connect to every remote network.

    Site B is using Watchguard and they don't want us to be able to access every network. They can configure their tunnel like...

    Remote network A1 can access / be accessed by local network B1, B3

    Remote network A2 can access / be accessed by local network B1, B2

    They don't have 77 SAs and I see errors in the dashboard because of SAs with no connection.

    For me, it would be the best to establish one tunnel between a kind of transfer network with routing and firewall rules on both sites.
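The "one conn per subnet pair" approach from the FreeS/WAN doc quoted above, and the N x M SA explosion described in the last two posts, can be made concrete with a small generator. This is an added example, not configuration from any poster or from the FreeS/WAN project: gateway addresses and subnets are constructed, and the optional allowed-pairs table mirrors the selective A1/A2 policy the Watchguard side wants, so that both ends are generated from the same table and no SA is left without a matching peer conn.

```python
"""Expand local/remote subnet lists into FreeS/WAN ipsec.conf 'conn' stanzas.

Added example, not the posters' configuration: gateway addresses and
subnets are constructed (RFC 5737 and RFC 1918 ranges).
"""
from ipaddress import ip_network

LEFT_GW = "192.0.2.1"       # gwA / Site A gateway (constructed)
RIGHT_GW = "198.51.100.1"   # gwB / Site B peer (constructed)


def conn_pairs(local, remote, allowed=None):
    """Return the (local, remote) label pairs that each need their own conn.

    allowed=None gives the full mesh (N x M conns / SAs, as in the thread).
    allowed={local_label: [remote_label, ...]} keeps only the pairs the peer
    admits, so both ends build the same SA list and no SA is left unmatched.
    """
    if allowed is None:
        return [(a, b) for a in local for b in remote]
    return [(a, b) for a in local for b in allowed.get(a, ()) if b in remote]


def render_ipsec_conf(local, remote, allowed=None):
    """Render a 'conn %default' block plus one conn per subnet pair."""
    for cidr in list(local.values()) + list(remote.values()):
        ip_network(cidr, strict=True)   # rejects host bits set, e.g. 10.1.1.1/24
    lines = ["conn %default", "    keyexchange=ike", "    authby=secret",
             f"    left={LEFT_GW}", f"    right={RIGHT_GW}", "    auto=start", ""]
    for a, b in conn_pairs(local, remote, allowed):
        lines += [f"conn {a}-{b}", f"    leftsubnet={local[a]}",
                  f"    rightsubnet={remote[b]}", ""]
    return "\n".join(lines)


# Constructed sample: two Site A subnets, three Site B subnets, and the
# selective policy the Site B side is willing to run (A1 <-> B1,B3; A2 <-> B1,B2).
SITE_A = {"A1": "10.1.1.0/24", "A2": "10.1.2.0/24"}
SITE_B = {"B1": "10.2.1.0/24", "B2": "10.2.2.0/24", "B3": "10.2.3.0/24"}
SITE_B_POLICY = {"A1": ["B1", "B3"], "A2": ["B1", "B2"]}

if __name__ == "__main__":
    print(len(conn_pairs(SITE_A, SITE_B)), "conns for the full mesh")
    print(render_ipsec_conf(SITE_A, SITE_B, SITE_B_POLICY))
```

With 11 local and 7 remote subnets and no policy table the full mesh is 77 conns, which is exactly the SA count the UTM post reports; feeding the same policy table to both sides is what keeps the two SA lists in step.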

  • Christian, wouldn't the easiest be to have different tunnels for A1<-->B1,B3 and A2<-->B1,B2?  It seems like that would be clearer for others to follow.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA