[vpn-help] Connect to multiple networks with one VPN connection

kevin shrew-vpn klmlk at hotmail.com
Mon Jun 28 21:24:45 CDT 2010


Hi Tamas, what to change depends a little on how you've set up the VPN.

If you followed the SSG Howto and did not use the Proxy ID in the
AutoKey IKE Advanced configuration (aka the networks are defined in the
SSG policies), simply modify your policies:

SSG policy: zone Untrust -> zone Trust, source Dial-Up VPN ->
destination 192.168.44.0/23

Shrew policy: include 192.168.44.0 / 255.255.254.0

If you used the Proxy-ID, then you will also need to change the mask on
the Proxy-ID on the SSG (AutoKey IKE -> Edit -> Advanced) to Local IP /
Netmask: 192.168.44.0 /23


On Mon, 28 Jun 2010 18:37:59 +0000
Uracs Tamás <uracs.tamas at peetandcook.hu> wrote:

> Hi Kevin,
> 
> Thank you for the answer. Our luck is that the two nets are in the same
> 'trust' zone. I created a second policy, but I don't know what I did
> wrong: I can connect with only one policy at a time. Could you
> give me a guide on how to change the mask?
> 
> Best,
> 
> Tamas
> 
> ----------------------------------
> Tamas Uracs
> 
> This message was sent from Blackberry
> 
> ------ Original message ------
> From: kevin shrew-vpn  <klmlk at hotmail.com>
> To: Uracs Tamás
> Sent: Mon Jun 28 19:42:29 2010
> Subject: Re: [vpn-help] Connect to multiple networks with one VPN
> connection
> 
> Hi Tamas,
> 
> You might be able to change the mask on the Shrew Policy and SSG
> policy so the remote network is 192.168.44.0/23, but I don't think
> that will work if 192.168.45.0 is in a different zone.  You could
> also try setting up a second, completely separate, VPN configuration
> for the 192.168.45.0/24 network and have the clients connect twice
> (once for each network).
> 
> -----Original Message-----
> From: Uracs Tamás <uracs.tamas at peetandcook.hu>
> Date: Mon, 28 Jun 2010 14:48:02 
> To: <vpn-help at lists.shrew.net>
> Subject: [vpn-help] Connect to multiple networks with one VPN
> connection
> 
> Dear All,
>  
> I would like to ask for help in the following situation:
> We have one working connection to a network, 192.168.44.0/24.
> On the same SSG5 box we have another 192.168.45.0/24 network. I would
> like to modify our policy to reach not just the 44.0/24 net, but the
> 45.0/24 as well. I added the second network in the 'policy' tab of
> the VPN policy, but still cannot reach the 45.0 net. I allowed firewall
> traffic on the SSG5, and I can see the 45.0 route in my client
> computers' route table with the next hop interface 192.168.44.50. Any
> help would be greatly appreciated.
>
> Best,
> Tamas
>  
>  
> 
> 
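
The mask change suggested in this thread works cleanly because 192.168.44.0/24 and 192.168.45.0/24 aggregate exactly into 192.168.44.0/23. The following is an added example, not part of the original messages: it computes the single prefix that covers a set of networks and lists any ranges the wider policy or Proxy-ID would expose beyond the ones intended. The function names are hypothetical and the second input set in the test is constructed.

```python
import ipaddress


def covering_prefix(networks):
    """Smallest single IPv4 network that contains every network given."""
    nets = [ipaddress.ip_network(n) for n in networks]
    lo = min(int(n.network_address) for n in nets)
    hi = max(int(n.broadcast_address) for n in nets)
    # Bits in which the lowest and highest address differ must be host bits.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))


def extra_exposure(networks):
    """Return (cover, extras): extras are ranges inside the covering
    prefix that were not in the intended list."""
    cover = covering_prefix(networks)
    intended = ipaddress.collapse_addresses(
        ipaddress.ip_network(n) for n in networks
    )
    remaining = [cover]
    for net in intended:
        nxt = []
        for r in remaining:
            if net == r:
                continue  # fully accounted for
            # Carve the intended network out of the range that holds it.
            nxt.extend(r.address_exclude(net) if net.subnet_of(r) else [r])
        remaining = nxt
    return cover, sorted(remaining)


if __name__ == "__main__":
    # The two networks from the thread.
    cover, extras = extra_exposure(["192.168.44.0/24", "192.168.45.0/24"])
    print("SSG destination / Proxy-ID:", cover)
    print("Shrew policy include:", cover.network_address, "/", cover.netmask)
    print("Unintended ranges:", [str(e) for e in extras] or "none")
```

An empty list of unintended ranges means the single wider mask grants access to nothing beyond the listed networks; a non-empty list means separate policy entries are the tighter choice.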