Dear list,

(this is my first post to this list, but I'm subscribed)

thanks to the docs I was at last able to figure out that what I want to
do is called an extruded subnet.

I was able to set this up even without the docs and it works (tm).

So my setup now is:
- a colocated server with 16 IPs (let's assume 10.0.0.0/28)
  (the server has one additional IP where the /28 gets routed to:
  10.1.0.1)
- some computers at home with an ipsec gateway (to the server)
- 8 of the 16 IPs are an extruded subnet at home

    So I've
        home network:   10.0.0.8/29
        home gw:        10.0.0.15
        home gw-ext:    a.b.c.d (assigned by ISP)
        ||
        || IPsec
        ||
        server-ext:     10.1.0.1
        server network: 10.0.0.0/29

    for the internet 10.0.0.0/28 is accessible via 10.1.0.1 and
    everything works fine

My problem is that I have to pay for traffic at my server, while my home
connection is flat, so routing all traffic from home to the internet
(and back) through my server twice (home <-> server <-> internet) is
not really a financially viable idea.

So I've tried to come up with a setup to
- route all traffic to my other 8 IPs through IPsec
- route a connection coming into my "home" IPs back to the server
- route the other connections from home to the internet directly.

        home network:   10.0.0.8/29 and 192.168.0.0/24
        home gw:        10.0.0.16   and 192.168.0.1
        home gw-ext:    a.b.c.d
        |   ||
        |   || IPsec (only for 10.0.0.0/28)
        |   ||
        |   server-ext:     10.1.0.1
        |   server network: 10.0.0.0/29
        | 
        consumer internet for 192.168.0.0/24 (masqueraded)
        
Unfortunately I was unable to get this to work. :-(

I've tried using a private subnet at home, with a virtual interface for
the extruded IP. Any traffic intended for my other IPs is SNATed at the
originating box. Incoming traffic for the extruded IPs is already for
the correct IP and does not need any NATing.

With this setup I'm no longer able to access the internet from the
private IPs, as ipsec0 eats all packets for 0.0.0.0/0 but only forwards
those from the extruded IPs.
(the router is doing masquerading correctly, and it works if I unroute
the IPsec tunnel)

I've not tried to SNAT and DNAT on the router and not use a virtual
interface directly at the target computer, but I don't think it will
help.

Can someone enlighten me as to what I can try, did wrong, or should read
(googling did not help).

Thanks,
    Goetz.
-- 
/"\ Goetz Bock at blacknet dot de  --  secure mobile Linux everNETting
\ /                     (c) 2003 as GNU FDL 1.1
 X   [ 1. Use descriptive subjects - 2. Edit a reply for brevity -  ]
/ \  [ 3. Reply to the list - 4. Read the archive *before* you post ]
_______________________________________________
FreeS/WAN Users mailing list
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
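The routing the post asks for (extruded /29 through the tunnel, private LAN straight to the ISP, replies to connections that arrived via the server going back through the server) can be expressed with Linux source-based policy routing. This is an added example, not code from the post or from FreeS/WAN; it assumes iproute2, a KLIPS ipsec0 interface already carrying the tunnel to 10.0.0.0/28, eth0 as the ISP-facing interface, and a.b.c.d as the placeholder ISP next hop. SNAT for private-LAN traffic towards the server's /29 is left as the post describes it (done on the originating box).

```shell
#!/bin/sh
# Added example (not from the post): source-based policy routing on the
# home gateway so that only the extruded /29 uses the IPsec tunnel.
# Assumptions: Linux with iproute2, FreeS/WAN KLIPS providing ipsec0,
# ISP-facing interface eth0, ISP next hop a.b.c.d (placeholder).

EXTRUDED_NET="10.0.0.8/29"     # home half of the extruded subnet
PRIVATE_NET="192.168.0.0/24"   # private home LAN, masqueraded to the ISP
ISP_IF="eth0"
ISP_GW="a.b.c.d"               # placeholder, as in the post
IPSEC_IF="ipsec0"
TABLE_IPSEC=100                # dedicated routing table for tunnel traffic

# run: print the command when DRY_RUN is set, execute it otherwise.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_policy_routing() {
    # 1. Main table: default route via the ISP, so 192.168.0.0/24 leaves
    #    directly and never touches ipsec0 for 0.0.0.0/0.
    run ip route replace default via "$ISP_GW" dev "$ISP_IF"
    # 2. Tunnel table: everything sourced from the extruded /29 goes via
    #    ipsec0 to the colocated server. Replies to connections that came
    #    in through the server carry a 10.0.0.8/29 source and take this path.
    run ip route replace default dev "$IPSEC_IF" table "$TABLE_IPSEC"
    # 3. Select the table by source address (lower pref is consulted first).
    run ip rule add from "$EXTRUDED_NET" lookup "$TABLE_IPSEC" pref 100
    run ip rule add from "$PRIVATE_NET" lookup main pref 200
    # 4. Masquerade only the private LAN on the ISP interface; the extruded
    #    addresses are globally routable and must not be rewritten.
    run iptables -t nat -A POSTROUTING -s "$PRIVATE_NET" -o "$ISP_IF" -j MASQUERADE
    # 5. Drop the routing cache so existing flows pick up the new rules.
    run ip route flush cache
}

if [ -n "$DRY_RUN" ]; then
    setup_policy_routing
fi
```

Run with `DRY_RUN=1 sh policy.sh` to review the commands first; run as root without DRY_RUN to apply them.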
