Old 01-19-2009, 11:52 AM   #1
Gangrif
Linux Freeswan to Cisco Pix VPN, routing?


I have a little project. I need to connect a remote network back to our main office. I've decided to use a Smoothwall for the remote firewall/gateway.

I have the device setup here at the main office, connected to an external network (outside of our pix firewall).

As far as I can tell, the Smoothwall (Express 3.0 SP1) uses Freeswan for the connection.

I've configured the VPN connection using Smoothwall's web interface (the only way I can find to configure the connection that doesn't get overwritten later).

The situation is such that I've got 4 networks off of different interfaces off of the PIX, with their own IP schemes:
10.40.x.x, 10.60.x.x, 10.80.x.x, and 10.100.x.x

I've given the remote network IPs of 10.100.1.x/24

So what we have is:

Code:
[Remote network]
 [10.200.1.0/24]
       |
  [Smoothwall]
  [10.200.1.1] 
       |
   [internet]
       |
     [PIX]
  [10.100.196.1]
  [10.80.196.1]
  [10.60.196.1]
  [10.40.196.1]
       |
 [Local Network]
 [10.100.196.0/22]
 [10.80.196.0/22]
 [10.60.196.0/22]
 [10.40.196.0/22]
The best way I've been able to configure this on the smoothie is to set up 4 VPN connections, all with the same left and right information, except that I change the left network to match the destination network at the main office.

All of the connections establish, but here's the issue.

I can ping the PIX's 100 network interface, 10.100.196.1, but nothing else behind that on the 100 network.
And I cannot ping even the PIX's interface on the other 3 networks.

My smoothwall's ipsec.conf:
Code:
version 2

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutowait=no
        uniqueids=yes

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private-or-clear
        auto=ignore

conn private
        auto=ignore

conn block
        auto=ignore

conn packetdefault
        auto=ignore

conn AFI80NET
        ike=3des-md5
        esp=3des-md5
        authby=secret
        keyingtries=0
        left=(Smoothwall's outside interface IP)
        leftsubnet=10.200.1.0/24
        leftnexthop=%defaultroute
        right=(Pix's outside interface ip)
        rightsubnet=10.80.196.0/22
        rightnexthop=%defaultroute
        compress=no
        auto=start

conn AFI60NET
        ike=3des-md5
        esp=3des-md5
        authby=secret
        keyingtries=0
        left=(Smoothwall's outside interface IP)
        leftsubnet=10.200.1.0/24
        leftnexthop=%defaultroute
        right=(Pix's outside interface ip)
        rightsubnet=10.60.196.0/22
        rightnexthop=%defaultroute
        compress=no
        auto=start

conn AFI40NET
        ike=3des-md5
        esp=3des-md5
        authby=secret
        keyingtries=0
        left=(Smoothwall's outside interface IP)
        leftsubnet=10.200.1.0/24
        leftnexthop=%defaultroute
        right=(Pix's outside interface ip)
        rightsubnet=10.40.196.0/22
        rightnexthop=%defaultroute
        compress=no
        auto=start

conn AFI100NET
        ike=3des-md5
        esp=3des-md5
        authby=secret
        keyingtries=0
        left=(Smoothwall's outside interface IP)
        leftsubnet=10.200.1.0/24
        leftnexthop=%defaultroute
        right=(Pix's outside interface ip)
        rightsubnet=10.100.196.0/22
        rightnexthop=%defaultroute
        compress=no
        auto=start
The smoothwall's ipsec.secrets:
Code:
# Four identical entries: ipsec.secrets is indexed by the peer addresses, not by
# conn name, so a single line covers all four conns that share this peer pair.
(smoothwall's outside ip) (pix's outside ip) : PSK "mysecret"
(smoothwall's outside ip) (pix's outside ip) : PSK "mysecret"
(smoothwall's outside ip) (pix's outside ip) : PSK "mysecret"
(smoothwall's outside ip) (pix's outside ip) : PSK "mysecret"
Yes, I tried to set things up using a single connection, changing the internal IPs on the remote network to a different private IP space, and then setting the right network to 10.0.0.0/8 (which should route everything 10.x.x.x over the VPN) and it failed completely. Connected, couldn't get to anything across the tunnel.


So, any assistance would be greatly appreciated. A lot of my configuration is bound to what I can do in the Smoothwall's web interface; any changes I make in the configs directly are overwritten the next time I have the VPN connections re-connect using the web interface. I'm rather sure I can find ways to make changes if needed though.

Thanks!
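A practitioner checking a setup like the one in the post would want to verify two things before touching routing: that each FreeS/WAN conn's (leftsubnet, rightsubnet) pair has an exact mirror-image entry in the PIX crypto ACL (PIX-side network as source, remote network as destination; a PIX will not negotiate a phase-2 SA for a proposal such as 10.0.0.0/8 that does not match its ACL), and that the subnets on the two ends do not overlap. The script below is an added example, not code from the post or from Smoothwall/FreeS/WAN. It rebuilds the post's four conns (plus the single 10.0.0.0/8 attempt, kept with the original leftsubnet to exercise the overlap check) with assumed RFC 5737 peer addresses in place of the post's placeholders, parses them with a minimal ipsec.conf reader (no `also=` or `%default` handling), and checks them against a constructed PIX 6.x-style crypto ACL from which the 10.100.196.0/22 entry is deliberately omitted so the mirror check fires. It also flags the 3DES/MD5 algorithms, which are deprecated today even though they were common PIX defaults at the time.

```python
"""Lint FreeS/WAN-style ipsec.conf conns against PIX crypto ACL entries (added example)."""
import ipaddress
import re


# --- constructed sample input (modelled on the post; peer IPs are assumed RFC 5737 addresses) ---
def _conn(name, rightsubnet, leftsubnet="10.200.1.0/24"):
    """Emit one conn section in the shape the Smoothwall web UI wrote in the post."""
    return (f"conn {name}\n        ike=3des-md5\n        esp=3des-md5\n        authby=secret\n"
            f"        keyingtries=0\n        left=192.0.2.10\n        leftsubnet={leftsubnet}\n"
            f"        right=198.51.100.20\n        rightsubnet={rightsubnet}\n        auto=start\n\n")


IPSEC_CONF = ("version 2\n\nconfig setup\n        interfaces=%defaultroute\n        uniqueids=yes\n\n"
              "conn clear\n        auto=ignore\n\n"
              + _conn("AFI80NET", "10.80.196.0/22") + _conn("AFI60NET", "10.60.196.0/22")
              + _conn("AFI40NET", "10.40.196.0/22") + _conn("AFI100NET", "10.100.196.0/22")
              # the single-tunnel attempt from the post, shown with the original leftsubnet
              + _conn("AFIALL", "10.0.0.0/8"))

# Constructed PIX 6.x-style crypto ACL (assumed; the post shows no PIX configuration).
# The 10.100.196.0/22 entry is deliberately missing so the mirror-image check fires.
PIX_CRYPTO_ACL = """\
access-list vpn permit ip 10.80.196.0 255.255.252.0 10.200.1.0 255.255.255.0
access-list vpn permit ip 10.60.196.0 255.255.252.0 10.200.1.0 255.255.255.0
access-list vpn permit ip 10.40.196.0 255.255.252.0 10.200.1.0 255.255.255.0
"""

ACL_RE = re.compile(r"^access-list\s+\S+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
DEPRECATED = {"des", "3des", "md5"}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}}; 'config setup' and '#' comments are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # section header: 'conn NAME' or 'config setup'
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:   # indented key=value inside a conn
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_pix_acl(text):
    """Return the set of (pix_side_net, remote_net) pairs from 'permit ip' ACL lines."""
    pairs = set()
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:   # ip_network accepts dotted netmasks, so '10.80.196.0/255.255.252.0' parses as /22
            pix_net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            remote = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
            pairs.add((pix_net, remote))
    return pairs


def check_tunnels(conns, pix_pairs):
    """Return [(conn_name, finding)] for every active conn; an empty list means no issues found."""
    findings = []
    for name, c in conns.items():
        if c.get("auto", "ignore") == "ignore":
            continue                                   # template conns such as 'clear' / 'block'
        if "leftsubnet" not in c or "rightsubnet" not in c:
            findings.append((name, "missing leftsubnet or rightsubnet"))
            continue
        left = ipaddress.ip_network(c["leftsubnet"], strict=False)
        right = ipaddress.ip_network(c["rightsubnet"], strict=False)
        if left.overlaps(right):
            findings.append((name, f"leftsubnet {left} overlaps rightsubnet {right}"))
        # PIX crypto ACLs must mirror the selector: PIX-side net as source, remote net as destination.
        if (right, left) not in pix_pairs:
            findings.append((name, f"no mirror-image crypto ACL for {right} <-> {left}"))
        for key in ("ike", "esp"):
            weak = sorted(set(re.split(r"[-,;!]", c.get(key, "").lower())) & DEPRECATED)
            if weak:
                findings.append((name, f"{key}={c[key]} uses deprecated {'/'.join(weak)}"))
    return findings


def lint(conf_text=IPSEC_CONF, acl_text=PIX_CRYPTO_ACL):
    """Run all checks on the constructed sample (or on caller-supplied config text)."""
    return check_tunnels(parse_ipsec_conf(conf_text), parse_pix_acl(acl_text))


if __name__ == "__main__":
    for conn, finding in lint():
        print(f"{conn}: {finding}")
```

Run against the sample, `lint()` reports the three conns with a matching ACL entry only for their 3DES/MD5 algorithms, AFI100NET for the missing mirror entry, and AFIALL for both the overlap and the missing entry. Four conns with identical `left`/`right` are normal for Pluto: they share one ISAKMP (phase 1) SA and negotiate one IPsec SA per subnet pair, so the multi-conn layout itself is not the problem. Two PIX-side items worth confirming in the same pass, since they produce exactly the "tunnel is up but nothing behind the PIX answers" symptom: the inside networks must be exempt from NAT toward 10.200.1.0/24 (`nat (inside) 0 access-list ...`), or replies are translated before the crypto ACL sees them, and `sysopt connection permit-ipsec` must be set (or the outside ACL must admit the decrypted traffic).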