[vpn-help] Shrewsoft VPN Client - Zywall USG 100 - Multiple Subnet Access

[Kevin VPN]

On 08/10/2012 10:08 PM, scott at onlinepcsupport.co.uk wrote:
> Hi Everyone,
>
> I have setup the Shrewsoft VPN client to connect to my Zywall USG 100
> and it is working perfectly.
>
> Behind the Zywall USG I have 3 x Subnets - 10.0.0.x, 192.168.0.x and
> 172.0.0.x
>
> At the moment the VPN is setup directly to the 192.168.0.x subnet
> behind my Zywall USG 100. I have been playing around but am unable to
> find a way of connecting and having access to all 3 x subnets at the
> same time.
>
> Has anyone else had the same problem ?
>
> Hope I have explained myself, if you need any more information let me
> know
>
> I hope someone has an answer as this would be brilliant :)
>

Hi Scott,

Shrew can do this fairly easily, all you have to do is specify the 
additional subnets on the Policy tab (if you don't have Tunnel All enabled).

The tricky bit will probably be your Zywall.  I've not used one before, 
so I'm using assumptions and guesses from the Zywall USG howto.

When a VPN client connects to a VPN gateway, one of the parts in the 
connection negotiation involves the client specifying what resources (IP 
addresses) it thinks it can reach behind the gateway.  In the VPN 
configuration there will be a section where the administrator specifies 
what networks can be reached through the VPN.  In the Zywall USG howto, 
this is the "Local policy" in the Phase 2 settings.  If the client and 
gateway values don't match, gateways tend to ignore the connection attempt.

Assuming that the Zywall is aware of the three subnets (i.e. they are 
part of the Zywall configuration and not routed using some other device 
at the other end of the 192.168.0 subnet), you'll need to setup a policy 
that allows VPN traffic to the other two subnets as well.

If it were easy as adding the subnets to the existing policy, I assume 
you would have done it already.  My guess is that you'll need to convert 
the VPN to a full-tunnel VPN, where the network mask in the policy is 
0.0.0.0/0.  The Zywall policy would basically allow traffic to all IP 
addresses (which would cover your 3 subnets).

What this will require on the Shrew client side is that you change the 
settings on the Policy tab.  You'll either have to enable "Obtain 
Topology Automatically or Tunnel All" or you'll have to specify a Remote 
Network Resource of 0.0.0.0 / 0.0.0.0.

Note that this will make Shrew send ALL traffic from your PC through the 
VPN - likely you'll lose Internet access on the Shrew device until you 
disconnect because your Zywall won't allow traffic from the VPN out to 
the Internet.

Hope this helps!