[vpn-help] Shrewsoft VPN Client - Zywall USG 100 - Multiple Subnet Access
Kevin VPN
kvpn at live.com
Wed Aug 15 21:25:26 CDT 2012
On 08/10/2012 10:08 PM, scott at onlinepcsupport.co.uk wrote:
> Hi Everyone,
>
> I have set up the Shrewsoft VPN client to connect to my Zywall USG 100
> and it is working perfectly.
>
> Behind the Zywall USG I have 3 x Subnets - 10.0.0.x, 192.168.0.x and
> 172.0.0.x
>
> At the moment the VPN is setup directly to the 192.168.0.x subnet
> behind my Zywall USG 100. I have been playing around but am unable to
> find a way of connecting and having access to all 3 x subnets at the
> same time.
>
> Has anyone else had the same problem ?
>
> Hope I have explained myself, if you need any more information let me
> know
>
> I hope someone has an answer as this would be brilliant :)
>
Hi Scott,
Shrew can do this fairly easily, all you have to do is specify the
additional subnets on the Policy tab (if you don't have Tunnel All enabled).
The tricky bit will probably be your Zywall. I've not used one before,
so I'm using assumptions and guesses from the Zywall USG howto.
When a VPN client connects to a VPN gateway, one of the parts in the
connection negotiation involves the client specifying what resources (IP
addresses) it thinks it can reach behind the gateway. In the VPN
configuration there will be a section where the administrator specifies
what networks can be reached through the VPN. In the Zywall USG howto,
this is the "Local policy" in the Phase 2 settings. If the client and
gateway values don't match, gateways tend to ignore the connection attempt.
Assuming that the Zywall is aware of the three subnets (i.e. they are
part of the Zywall configuration and not routed using some other device
at the other end of the 192.168.0 subnet), you'll need to set up a policy
that allows VPN traffic to the other two subnets as well.
If it were as easy as adding the subnets to the existing policy, I assume
you would have done it already. My guess is that you'll need to convert
the VPN to a full-tunnel VPN, where the network mask in the policy is
0.0.0.0/0. The Zywall policy would basically allow traffic to all IP
addresses (which would cover your 3 subnets).
What this will require on the Shrew client side is that you change the
settings on the Policy tab. You'll either have to enable "Obtain
Topology Automatically or Tunnel All" or you'll have to specify a Remote
Network Resource of 0.0.0.0 / 0.0.0.0.
Note that this will make Shrew send ALL traffic from your PC through the
VPN - likely you'll lose Internet access on the Shrew device until you
disconnect because your Zywall won't allow traffic from the VPN out to
the Internet.
Hope this helps!
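The following is an added worked check, not part of Kevin's reply and not Shrew Soft's or Zyxel's own code. It shows the two points made above in runnable form: the Remote Network Resources the Shrew client sends in Phase 2 must each be contained in a "Local policy" selector on the gateway, and a 0.0.0.0/0 selector covers everything at the cost of also pulling Internet-bound traffic into the tunnel. The Shrew export excerpt, the `s:policy-list-include` key name and its "address / mask" layout, the gateway selector lists and the host name are all constructed assumptions for illustration.

```python
import ipaddress
from typing import List

IPv4Network = ipaddress.IPv4Network

# Constructed excerpt of a Shrew Soft site export (.vpn file). The
# "s:policy-list-include" entries stand for the Remote Network Resources on
# the Policy tab; the key name and "addr / mask" layout are assumptions
# about the export format, not taken from the original thread.
SHREW_SITE_EXPORT = """\
s:network-host:vpn.example.com
n:policy-list-auto:0
s:policy-list-include:192.168.0.0 / 255.255.255.0
s:policy-list-include:10.0.0.0 / 255.255.255.0
s:policy-list-include:172.0.0.0 / 255.255.255.0
"""

# Constructed Zywall Phase 2 "Local policy" selector lists for two scenarios:
# the existing single-subnet policy and a full-tunnel 0.0.0.0/0 policy.
GATEWAY_SINGLE_SUBNET = [IPv4Network("192.168.0.0/24")]
GATEWAY_TUNNEL_ALL = [IPv4Network("0.0.0.0/0")]


def parse_shrew_remote_networks(export_text: str) -> List[IPv4Network]:
    """Pull the Remote Network Resources out of a Shrew site export."""
    nets = []
    for line in export_text.splitlines():
        if not line.startswith("s:policy-list-include:"):
            continue
        value = line.split(":", 2)[2]                 # "192.168.0.0 / 255.255.255.0"
        addr, mask = (part.strip() for part in value.split("/"))
        nets.append(IPv4Network(f"{addr}/{mask}", strict=False))
    return nets


def uncovered_networks(client_nets, gateway_policies) -> List[str]:
    """Client selectors that no gateway Phase 2 selector fully contains.

    A client selector that is not a subnet of some gateway selector is the
    mismatch that makes a gateway reject or silently ignore the Phase 2
    proposal for that network.
    """
    return [
        str(c) for c in client_nets
        if not any(c.subnet_of(g) for g in gateway_policies)
    ]


def is_tunneled(dst: str, client_nets) -> bool:
    """Would traffic to dst be sent into the tunnel under these client selectors?"""
    addr = ipaddress.IPv4Address(dst)
    return any(addr in n for n in client_nets)


def non_private_networks(nets) -> List[str]:
    """Selectors outside RFC 1918 space, e.g. 172.0.0.0/24 (RFC 1918 is 172.16.0.0/12)."""
    return [str(n) for n in nets if not n.is_private]


if __name__ == "__main__":
    client = parse_shrew_remote_networks(SHREW_SITE_EXPORT)
    print("client selectors:", [str(n) for n in client])
    print("not covered by single-subnet gateway policy:",
          uncovered_networks(client, GATEWAY_SINGLE_SUBNET))
    print("not covered by 0.0.0.0/0 gateway policy:",
          uncovered_networks(client, GATEWAY_TUNNEL_ALL))
    tunnel_all_client = [IPv4Network("0.0.0.0/0")]
    print("8.8.8.8 tunneled with split policy:", is_tunneled("8.8.8.8", client))
    print("8.8.8.8 tunneled with tunnel-all:", is_tunneled("8.8.8.8", tunnel_all_client))
    print("non-RFC1918 selectors:", non_private_networks(client))
```

With the single-subnet gateway policy the check reports 10.0.0.0/24 and 172.0.0.0/24 as uncovered, which is the "values don't match" failure; with a 0.0.0.0/0 policy nothing is uncovered, but `is_tunneled` shows that an Internet address is then also sent into the tunnel, which is the loss of Internet access Kevin warns about. The last helper flags that a range written as 172.0.0.x is public address space rather than RFC 1918, worth confirming before building policies around it.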