OpenVPN clients via IPSec tunnel to remote subnet

possibledisastrousSecurity

Dec 9, 2013 (3 years and 7 months ago)

Table of contents
Last revised: 19 April 2009
Introduction
Gateway configuration
OpenVPN - advanced client configuration
IPSec VPN - additional routes
Introduction
This document describes the configuration steps needed to enable OpenVPN clients to establish connections to a remote network connected via IPSec VPN. The document assumes that:
- the LAN of the local gateway is 192.168.77.0/24,
- the LAN of the remote gateway is 192.168.98.0/23 (the network the clients should reach),
- the basic IPSec tunnel is already configured,
- the basic OpenVPN configuration on the local gateway works and allows clients to access the LAN,
- the remote gateway does not provide an OpenVPN server on its own.
Gateway configuration
OpenVPN - advanced client configuration
In order to tell the clients that the LAN of the remote gateway is reachable via their OpenVPN connection, an additional route must be configured within the OpenVPN server settings (VPN - OpenVPN - Global Settings - Advanced).
Figure 2.1: Additional routing entry for OpenVPN
Figure 2.2: Routes on the local gateway
Note: Please note the VPN transit subnets. They are required for the next step.
Note: Depending on the operating system the clients are using, the additional routes might not work as expected. For example, a Linux client will not accept the additional route 192.168.99.0/23, as the correct definition of this network would be 192.168.98.0/23 (HostMin: 192.168.98.1, HostMax: 192.168.99.254). This behaviour might be similar on clients using Windows.
IPSec VPN - additional routes
The needed VPN transit subnets must be added to the routes of the IPSec tunnel in order to establish correct security associations and to enable clients of those networks to enter the IPSec tunnel; traffic from a subnet that is not listed in the IPSec routes does not match the tunnel and is therefore not forwarded through it. The IPSec routes configuration is accessible via VPN - IPSec VPN - Connection Status and Control - Edit. Please see figure 2.2 for the additional route on the local gateway and figure 2.3 for the corresponding entry on the remote gateway:
underground_8 secure computing GmbH assumes no responsibility for any inaccuracies in this document. underground_8 secure computing GmbH reserves the right to change, modify, transfer or revise this publication without notice.
©2010 underground_8 secure computing GmbH. All rights reserved.
underground_8 secure computing GmbH | office@underground8.com | www.underground8.com
Figure 2.3: Routes on the remote gateway
Note: If OpenVPN clients use statically assigned addresses, the corresponding OpenVPN transit subnet must be added to the IPSec routes too.