Topic: IPSec and multiple subnets (Read 10769 times)
trymes (Full Member, 36 posts)
« on: Saturday 28 July 2012, 04:55:27 am »

I have an Endian box with GREEN and BLUE local networks. I would like to connect this box to another Endian box via IPSec and be able to reach the remote network from both BLUE and GREEN networks. Generally, I would do this using IPSec and the "left subnets={.../xx yyy.yyy.yyy.yyy/yy}" option in the config file.

However, the GUI does not provide a method for specifying multiple subnets.

I can accomplish the same thing by adding two different tunnels to the same location, but that seems like a kludge, and is likely not the best option for performance.

Is there a way to do this already, or should I suggest an improvement to the developers?

Many thanks,

Tom
trymes (Full Member, 36 posts)
« Reply #1 on: Saturday 28 July 2012, 05:17:57 am »

A quick update with another method to work around this...provided that your network numbering allows it.

Details:

Site 1 - GREEN = 10.0.0.0/24
Site 2 - GREEN = 10.99.0.0/24 BLUE=10.99.1.0/24

If you would like all three LAN segments to be able to talk to each other, then you can specify "10.99.0.0/16" for the local subnet of Site 2 when setting up the IPSec tunnel. This will eliminate the need for the second tunnel.

HOWEVER: This would not work if the subnets are not conveniently numbered (i.e. if Site 2 had subnets GREEN=10.99.0.0/24 and BLUE=192.168.1.0/24, or if another site used a subnet in the 10.99.0.0/16 range).

Additionally, this could be considered less than ideal if there were subnets at Site 2 that you did not want to be able to communicate with Site 1 over the tunnel. For example, if Site 2 also had ORANGE 10.99.2.0/24, and you did not want ORANGE to be able to access Site 1, then you would have to resort to the Firewall to limit that traffic.

As luck would have it, I have non-conveniently numbered networks, so it'll have to be two tunnels for me...

Tom
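The two caveats in the reply above (the covering block must not overlap another site's subnet, and it must not pull in a segment like ORANGE that should stay off the tunnel) can be checked mechanically before committing to a single tunnel. The following is an added example written for this thread, not Endian's own code, using only Python's standard `ipaddress` module; it also computes the tightest block that covers the local subnets (10.99.0.0/23 for GREEN plus BLUE, rather than the whole /16 used in the post), which keeps the tunnel's scope as narrow as the numbering allows.

```python
import ipaddress

def smallest_supernet(subnets):
    """Tightest single IPv4 block containing every subnet in `subnets`.
    Widens the lowest subnet one prefix bit at a time until all fit."""
    nets = sorted(ipaddress.ip_network(s, strict=False) for s in subnets)
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()  # drop one prefix bit: /24 -> /23 -> /22 ...
    return cand

def conflicts_for(supernet, remote_subnets, local_excluded=()):
    """Reasons a candidate block must NOT be used as the tunnel's local
    subnet. An empty list means the block is safe for a single tunnel."""
    block = ipaddress.ip_network(supernet, strict=False)
    problems = []
    for s in remote_subnets:  # subnets at the other site(s) of the VPN
        r = ipaddress.ip_network(s, strict=False)
        if block.overlaps(r):
            problems.append(f"{block} overlaps other-site subnet {r}")
    for s in local_excluded:  # local segments that must stay off the tunnel
        x = ipaddress.ip_network(s, strict=False)
        if block.overlaps(x):
            problems.append(f"{block} would expose {x} over the tunnel")
    return problems

def plan_tunnel(local_subnets, remote_subnets, local_excluded=()):
    """Return (block, problems): the tightest block covering local_subnets
    and every reason a single tunnel on that block would be unsafe."""
    block = smallest_supernet(local_subnets)
    return block, conflicts_for(str(block), remote_subnets, local_excluded)

if __name__ == "__main__":
    # Constructed sample inputs, using the addressing from the thread above.
    cases = [
        (["10.99.0.0/24", "10.99.1.0/24"], ["10.0.0.0/24"], ["10.99.2.0/24"]),
        (["10.99.0.0/24", "192.168.1.0/24"], ["10.0.0.0/24"], []),
    ]
    for local, remote, excluded in cases:
        block, problems = plan_tunnel(local, remote, excluded)
        verdict = "single tunnel OK" if not problems else "one tunnel per subnet"
        print(f"{local} -> {block}: {verdict}")
        for p in problems:
            print("  -", p)
```

A block of 0.0.0.0/0 (the result for the GREEN/192.168.1.0 case) overlaps every remote subnet, so the check rejects it and falls back to per-subnet tunnels, matching the conclusion in the post.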