tech-net: Re: "Gatewayless" VPN

Subject: Re: "Gatewayless" VPN
To: Bruce Martin <brucem@cat.co.za>
From: Hakan Olsson <ho@crt.se>
List: tech-net
Date: 02/18/2002 13:22:20
Hi,

this is already supported. Whether you have a VPN between two networks or
between a net and an IP does not really matter.

What matters is your SPD entries, i.e what src_net and mask to dst_net and
mask to match packets with. In you case from

  NetA (/NetAmask) --> NetB (/NetBmask)

which here should change to

  NetA (/NetAmask) --> PC (/32)

and vice versa on the other peer. These entries are what the packets must
match, otherwise they "fall back" to ordinary IP routing. IP routing in
the IPsec VPN context is slightly more complex than normal, but not much
more so.

This is also the the reason you could not ping the other side's gateway.
The ping packet (query or response) will use gateways external IP as src
(or dst), and this will of course cause it to not match the SPD entry, and
it won't be encapsulated in IPsec.

The "solution" is to add additional VPNs for NetA--GatewayB and
GatewayA--NetB (and possibly GatewayA--GatewayB). I normally just run the
basic network to network VPN only and accept these "limitations"...
usually the VPN gateway doubles as a firewall and won't respond to pings
anyway.

For KAME, I think 'setkey -DP' should display the SPD entries. (OpenBSD's
dito is 'netstat -rn -f encap'.)

To add several VPNs in the same isakmpd setup:
  [Phase 2]
  Connections=3D  vpn1,vpn2,vpn3,...

Otherwise I recommend looking at the examples under samples/. I don't know
if the pkg installs them anywhere. There are also numerous examples to be
found on the net.

/H

On Mon, 18 Feb 2002, Bruce Martin wrote:

> Hi All
>
> I have a VPN set up, happily running, which looks like:
>
> Network A =3D=3D=3D VPN Gateway A =3D=3D=3D INTERNET =3D=3D=3D VPN Gatewa=
y B =3D=3D=3D Network B
>
> with both gateways running isakmpd. However, I now have an application wh=
ere
> I want to do this:
>
> Network A =3D=3D=3D VPN Gateway A =3D=3D=3D INTERNET =3D=3D=3D Standalone=
 PC (e.g. laptop)
>
> I want the standalone PC to be able to access Network A through the VPN
> Gateway A. So, I want to do something like make this PC both a VPN
> encrypter/decrypter so that it looks like both VPN Gateway B and Network =
B
> in the first case.
>
> In the past, I could ping Network A from Network B and vice versa, but I
> could not ping Network A from VPN Gateway B, only from behind it. How do =
I
> now set up a laptop to act as both the gateway, and the PC "behind" the
> gateway?
>
> I hope I have explained this adequately, if I need to clarify anything,
> please shout.
>
> Thanks
>  Bruce
>
>

--
H=E5kan Olsson <ho@crt.se>        (+46) 708 437 337     Carlstedt Research
Unix, Networking, Security      (+46) 31 701 4264        & Technology AB