EFW Support

Support => VPN Support => Topic started by: trymes on Saturday 28 July 2012, 04:55:27 am



Title: IPSec and multiple subnets
Post by: trymes on Saturday 28 July 2012, 04:55:27 am
I have an Endian box with GREEN and BLUE local networks. I would like to connect this box to another Endian box via IPSec and be able to reach the remote network from both the BLUE and GREEN networks. Generally, I would do this using IPSec and the "leftsubnets={.../xx yyy.yyy.yyy.yyy/yy}" option in the config file.

However, the GUI does not provide a method for specifying multiple subnets.

I can accomplish the same thing by adding two different tunnels to the same location, but that seems like a kludge, and is likely not the best option for performance.

Is there a way to do this already, or should I suggest an improvement to the developers?

Many thanks,

Tom


Title: Re: IPSec and multiple subnets
Post by: trymes on Saturday 28 July 2012, 05:17:57 am
A quick update with another method to work around this...provided that your network numbering allows it.

Details:

Site 1 - GREEN = 10.0.0.0/24
Site 2 - GREEN = 10.99.0.0/24 BLUE=10.99.1.0/24

If you would like all three LAN segments to be able to talk to each other, then you can specify "10.99.0.0/16" for the local subnet of Site 2 when setting up the IPSec tunnel. This will eliminate the need for the second tunnel.

HOWEVER: This would not work if the subnets are not conveniently numbered (i.e. if Site 2 had subnets GREEN=10.99.0.0/24 and BLUE=192.168.1.0/24), or if another site used a subnet in the 10.99.0.0/16 range.

Additionally, this could be considered less than ideal if there were subnets at Site 2 that you did not want to be able to communicate with Site 1 over the tunnel. For example, if Site 2 also had ORANGE 10.99.2.0/24, and you did not want ORANGE to be able to access Site 1, then you would have to resort to the Firewall to limit that traffic.

As luck would have it, I have non-conveniently numbered networks, so it'll have to be two tunnels for me...

Tom
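The two posts above describe one decision: either carry each local subnet as its own tunnel selector, or collapse them into a single wider prefix and accept whatever else that prefix drags in. The following script is an added example, not code from the thread or from Endian; it takes the post's figures (Site 1 GREEN 10.0.0.0/24, Site 2 GREEN 10.99.0.0/24, BLUE 10.99.1.0/24, ORANGE 10.99.2.0/24) as constructed sample input, and the third site at 10.99.7.0/24, the function names and the report keys are this example's own assumptions. It computes the tightest single prefix that covers the zones you want in the tunnel, then reports for any candidate selector which wanted zones it misses, which unwanted zones it swallows (the ORANGE case, which would otherwise need firewall rules), and which other sites' subnets or the remote subnet it overlaps. One thing it makes visible that the post does not: GREEN + BLUE fit in 10.99.0.0/23, which excludes ORANGE, whereas the /16 from the post does not.

```python
"""Check a single-prefix IPsec subnet selector against a site's zone plan.

Added example, not code from the original thread or from Endian. Sample
data is constructed from the post's figures; ORANGE and "Site 3" are
assumptions. Only the Python standard library is used.
"""
from ipaddress import IPv4Network
from typing import Dict, Iterable, List

# Constructed sample plan (from the post; ORANGE and "Site 3" are assumed).
SITE1_GREEN = "10.0.0.0/24"
SITE2_ZONES: Dict[str, str] = {
    "GREEN": "10.99.0.0/24",
    "BLUE": "10.99.1.0/24",
    "ORANGE": "10.99.2.0/24",   # must NOT reach Site 1 over the tunnel
}
OTHER_SITES: Dict[str, str] = {
    "Site 3 GREEN": "10.99.7.0/24",   # hypothetical site that also lives in 10.99/16
}


def covering_supernet(subnets: Iterable[str]) -> IPv4Network:
    """Smallest single prefix that contains every network in `subnets`.

    Starts from the widest input and widens one bit at a time; the first
    prefix that contains all of them is the tightest one that does.
    GREEN + BLUE above give 10.99.0.0/23, not the /16 used in the post.
    Badly numbered zones (10.99.0.0/24 + 192.168.1.0/24) collapse to 0.0.0.0/0,
    which is the script's way of saying "two tunnels, not one".
    """
    nets: List[IPv4Network] = sorted((IPv4Network(s) for s in subnets),
                                     key=lambda n: n.prefixlen)
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()   # supernet() of /0 returns /0, so this terminates
    return candidate


def check_local_selector(selector: str, zones: Dict[str, str], wanted: Iterable[str],
                         remote: str, other_sites: Dict[str, str]) -> Dict[str, object]:
    """Report what a candidate local selector would actually put into the tunnel.

    missing    - wanted zones the selector does not fully cover (tunnel too narrow)
    swallowed  - zones that were not wanted but overlap the selector, so the far
                 side can reach them unless the firewall blocks it
    conflicts  - the remote subnet or another site's subnet overlapping the
                 selector, which makes routing and selector matching ambiguous
    """
    net = IPv4Network(selector)
    wanted = list(wanted)
    missing = [z for z in wanted if not IPv4Network(zones[z]).subnet_of(net)]
    swallowed = [z for z, cidr in zones.items()
                 if z not in wanted and IPv4Network(cidr).overlaps(net)]
    peers = {"remote": remote, **other_sites}
    conflicts = [name for name, cidr in peers.items() if IPv4Network(cidr).overlaps(net)]
    return {
        "selector": str(net),
        "missing": missing,
        "swallowed": swallowed,
        "conflicts": conflicts,
        "ok": not (missing or swallowed or conflicts),
    }


if __name__ == "__main__":
    wanted = ["GREEN", "BLUE"]
    tight = covering_supernet(SITE2_ZONES[z] for z in wanted)
    # Compare the tightest prefix, the post's /16, and a single /24 side by side.
    for selector in (str(tight), "10.99.0.0/16", "10.99.0.0/24"):
        print(check_local_selector(selector, SITE2_ZONES, wanted, SITE1_GREEN, OTHER_SITES))
```

Run it as-is to see the three reports; a selector is only worth configuring when `missing`, `swallowed` and `conflicts` are all empty. If `covering_supernet` returns 0.0.0.0/0 or anything wider than your addressing plan, the zones are not "conveniently numbered" in the post's sense and separate tunnels (or separate selectors, where the software allows it) are the correct answer, not a wider prefix plus firewall rules.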