On 08/10/2012 10:08 PM, [email protected] wrote:
Hi Everyone,
I have set up the Shrewsoft VPN client to connect to my Zywall USG 100
and it is working perfectly.
Behind the Zywall USG I have 3 x Subnets - 10.0.0.x, 192.168.0.x and
172.0.0.x
At the moment the VPN is setup directly to the 192.168.0.x subnet
behind my Zywall USG 100. I have been playing around but am unable to
find a way of connecting and having access to all 3 x subnets at the
same time.
Has anyone else had the same problem?
Hope I have explained myself. If you need any more information, let me
know.
I hope someone has an answer as this would be brilliant :)
Hi Scott,
Shrew can do this fairly easily, all you have to do is specify the
additional subnets on the Policy tab (if you don't have Tunnel All enabled).
The tricky bit will probably be your Zywall. I've not used one before,
so I'm using assumptions and guesses from the Zywall USG howto.
When a VPN client connects to a VPN gateway, one of the parts in the
connection negotiation involves the client specifying what resources (IP
addresses) it thinks it can reach behind the gateway. In the VPN
configuration there will be a section where the administrator specifies
what networks can be reached through the VPN. In the Zywall USG howto,
this is the "Local policy" in the Phase 2 settings. If the client and
gateway values don't match, gateways tend to ignore the connection attempt.
Assuming that the Zywall is aware of the three subnets (i.e. they are
part of the Zywall configuration and not routed using some other device
at the other end of the 192.168.0 subnet), you'll need to set up a policy
that allows VPN traffic to the other two subnets as well.
If it were as easy as adding the subnets to the existing policy, I assume
you would have done it already. My guess is that you'll need to convert
the VPN to a full-tunnel VPN, where the network mask in the policy is
0.0.0.0/0. The Zywall policy would basically allow traffic to all IP
addresses (which would cover your 3 subnets).
What this will require on the Shrew client side is that you change the
settings on the Policy tab. You'll either have to enable "Obtain
Topology Automatically or Tunnel All" or you'll have to specify a Remote
Network Resource of 0.0.0.0 / 0.0.0.0.
Note that this will make Shrew send ALL traffic from your PC through the
VPN - likely you'll lose Internet access on the Shrew device until you
disconnect because your Zywall won't allow traffic from the VPN out to
the Internet.
Hope this helps!
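As an added illustration of the policy-matching point above (this is not code from the thread or from Shrew Soft), the check below models what the reply describes: the gateway only accepts a client's proposed remote networks if each one falls inside its local policy, and a 0.0.0.0/0 entry both satisfies that and pulls every destination, Internet included, into the tunnel. The /24 masks on the three subnets are assumed.

```python
import ipaddress

def parse_nets(entries):
    """Parse networks written either as CIDR ("10.0.0.0/24") or in the
    "address / netmask" form the Shrew Policy tab uses."""
    nets = []
    for entry in entries:
        addr, _, mask = (part.strip() for part in entry.partition("/"))
        # ip_network accepts both a prefix length and a dotted netmask
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets

def uncovered_client_networks(gateway_local_policy, client_remote_networks):
    """Return the client networks that no gateway policy network contains.
    A non-empty result is the mismatch that makes a gateway ignore the
    Phase 2 proposal."""
    gateway = parse_nets(gateway_local_policy)
    return [str(c) for c in parse_nets(client_remote_networks)
            if not any(c.subnet_of(g) for g in gateway)]

def routed_through_tunnel(client_remote_networks, destination):
    """True if the client would send traffic for `destination` into the VPN."""
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in parse_nets(client_remote_networks))

# Constructed sample values matching the thread: three subnets behind the
# Zywall, with /24 masks assumed.
GATEWAY_SINGLE_SUBNET = ["192.168.0.0/24"]
GATEWAY_TUNNEL_ALL = ["0.0.0.0/0"]
CLIENT_THREE_SUBNETS = ["192.168.0.0 / 255.255.255.0",
                        "10.0.0.0 / 255.255.255.0",
                        "172.0.0.0 / 255.255.255.0"]
CLIENT_TUNNEL_ALL = ["0.0.0.0 / 0.0.0.0"]

if __name__ == "__main__":
    print(uncovered_client_networks(GATEWAY_SINGLE_SUBNET, CLIENT_THREE_SUBNETS))
    print(uncovered_client_networks(GATEWAY_TUNNEL_ALL, CLIENT_THREE_SUBNETS))
    print(routed_through_tunnel(CLIENT_THREE_SUBNETS, "8.8.8.8"))
    print(routed_through_tunnel(CLIENT_TUNNEL_ALL, "8.8.8.8"))
```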
_______________________________________________
vpn-help mailing list
[email protected]
http://lists.shrew.net/mailman/listinfo/vpn-help