From: Tony <pth...@gm...> - 2004-10-31 17:05:33

Success!!

On Sun, 31 Oct 2004 15:16:37 GMT, Andrew Borland <an...@hi...> wrote:

> Tony,
>
> > After setting up an ipsec tunnel from blue - once the tunnel is up, the
> > laptop can ping into green but loses access to the internet out via
> > red. Only traffic for green is tunnelled, the rest is dropped.
>
> Having fought this battle myself not so long ago....
>
> "Blue Access" and "VPN on Blue" appear to be mutually exclusive (note
> 1), at least on a per-client basis.
>
> If you want a Blue Client to access both Green and Red, what you do is
> turn off "Blue Access" and set up a VPN such that ALL TRAFFIC (even that
> destined for the outside world) from the client is routed down the
> tunnel. IPCop will then send it in its separate directions.
>
> In the IPCop VPN setup you want to set the "local subnet" to:
> 0.0.0.0/0.0.0.0

I'd missed that - big help, thanks. I knew I needed the tunnel that wide,
but lost it within the config pages!

> You need to do the same thing for the "remote subnet" in your client
> software.

Spent about half an hour stuck on this one - if anyone else is using Marcus
Müller's ipsec.exe tool from http://vpn.ebootis.de/ then your ipsec.conf
will need to look something like....

conn MyConnectionName
	left=10.0.0.1            # ipcop blue address
	leftsubnet=*
	right=10.0.0.101         # client address
	rightca="C=countrycode, O=organisation, CN=MyAuthority CA"
	network=auto
	auto=start

It was the leftsubnet=* that caught me - using 0.0.0.0/0.0.0.0 doesn't
work!!!!

> (Note 1: I haven't investigated what happens if client 'A' routes
> everything down a VPN, and then "Blue Access" is enabled to allow a
> non-VPN client to just access the 'net. When I have a few spare minutes
> I might just give it a whirl - if I ever get my RoadWarrior sorted out
> first!)
>
> Good luck.

Thanks - I think I had it! I finally have a fully working ipsec on blue.
[apart from needing to switch the XP firewall off :-( argggh ]

Cheers,
Tony
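The point of the thread is that a Blue client only keeps its internet access when the tunnel's left-side selector covers every destination (full tunnel), and that with ipsec.exe the selector has to be spelled leftsubnet=* rather than 0.0.0.0/0.0.0.0. The script below is an added example written for this page, not code from the thread, from IPCop or from ipsec.exe: it parses the minimal "conn NAME / key=value" layout shown in the post and reports, per connection, whether it is a full tunnel, a full tunnel written in the form the post says ipsec.exe rejects, or a split tunnel that only reaches one network. The sample config is constructed for the example; the "ipsec.exe needs *" rule is taken from the post, and the CIDR short form 0.0.0.0/0 is an assumption added for completeness.

```python
"""Audit ipsec.conf-style 'conn' sections for full-tunnel vs split-tunnel.

Added example; not from the mailing-list post, IPCop or ipsec.exe. It handles
only the simple layout the post shows: a 'conn NAME' line followed by indented
key=value lines, with '#' comments ignored.
"""
import re

# Constructed sample config: the post's conn (leftsubnet=*), one using the
# 0.0.0.0/0.0.0.0 form the post reports as not working with ipsec.exe, and
# one split-tunnel conn that only reaches a single internal network.
SAMPLE_IPSEC_CONF = """\
conn MyConnectionName
\tleft=10.0.0.1            # ipcop blue address
\tleftsubnet=*
\tright=10.0.0.101         # client address
\trightca="C=countrycode, O=organisation, CN=MyAuthority CA"
\tnetwork=auto
\tauto=start

conn AllTrafficCidr
\tleft=10.0.0.1
\tleftsubnet=0.0.0.0/0.0.0.0
\tright=10.0.0.102
\tauto=start

conn GreenOnly
\tleft=10.0.0.1
\tleftsubnet=192.168.1.0/255.255.255.0
\tright=10.0.0.103
\tauto=start
"""

# Selector spellings treated as "every destination". '*' and 0.0.0.0/0.0.0.0
# come from the post; 0.0.0.0/0 is an assumed CIDR short form.
ALL_TRAFFIC_FORMS = {"*", "0.0.0.0/0.0.0.0", "0.0.0.0/0"}
IPSEC_EXE_ALL_TRAFFIC = "*"   # the form the post says ipsec.exe needs


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for each 'conn' section."""
    conns = {}
    current = None
    for raw in text.splitlines():
        # Drop trailing '#' comments (the rightca value is quoted, so a '#'
        # inside quotes would be mishandled; none appears in the sample).
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        # Split on the first '=' only: rightca's value itself contains '='.
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip().strip('"')
    return conns


def tunnels_all_traffic(conn):
    """True when the left-side selector covers every destination."""
    return conn.get("leftsubnet", "").strip() in ALL_TRAFFIC_FORMS


def audit(text):
    """Classify each conn as 'full', 'full-but-not-ipsec-exe-form' or 'split'."""
    verdicts = {}
    for name, conn in parse_ipsec_conf(text).items():
        selector = conn.get("leftsubnet", "").strip()
        if selector == IPSEC_EXE_ALL_TRAFFIC:
            verdicts[name] = "full"
        elif selector in ALL_TRAFFIC_FORMS:
            verdicts[name] = "full-but-not-ipsec-exe-form"
        else:
            verdicts[name] = "split"
    return verdicts


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_IPSEC_CONF).items():
        print(f"{name}: {verdict}")
```

Running it prints MyConnectionName as "full", AllTrafficCidr as "full-but-not-ipsec-exe-form" and GreenOnly as "split"; a "split" verdict on a Blue client is the symptom described at the top of the thread (green reachable, red traffic dropped), so checking the client's ipsec.conf this way is a quick first step before touching the IPCop side.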