Teleworker in same subnet as company, how to config Shrew IPSec client?



  • Hi, I'm using pfSense 1.2.3 and I followed this excellent howto on how to configure the Shrew Soft VPN IPSec client in conjunction with pfSense and it's working perfectly.

    We're planning on providing 50 mobile laptop users with the Shrew Soft IPSec client to connect to our corporate network. The users will be working from anywhere (at home, on the road, at a client's) and some users will be trying to connect from a subnet identical to our corporate subnet. This leads to the laptop being unable to contact the corporate network.

    So the client would be in his home network of 10.0.0.0/24 using IP address 10.0.0.12, and tries to connect to our corporate network using 10.0.0.0/24, to a server with IP address 10.0.0.12 and another one with IP 10.0.0.13. We're planning on changing our subnet some time but not any time soon as it requires quite a lot of careful planning.

    With our current Draytek routers, in conjunction with the native Windows XP/Vista PPTP client, ticking an option called "use default gateway in remote network" would sometimes help as it would just send all traffic over the VPN connection.

    So I've got two questions:
    1. If my workaround (namely setting the VPN connection to route anything through it) is the right way to go, then how can I tell the Shrew Soft VPN client to do that? I tried playing around with Windows' routing tables, changing the 0.0.0.0 routes etc. but that didn't amount to much.

    2. Is mentioned workaround the right way to deal with it, if we exclude for a moment the option to change either the client's and the office's subnet?

    I'm open to alternatives, such as using other clients or working with batch files, though I'd rather keep it as simple as possible.

    Thanks to the folks at pfSense for making such a great product!



  • The moblie users must be on a seperate network.  I just setup mine up, It's the same way for either OpenVPN or IPSEC vpn.  That is the way I always read about it and it states in the configuration.
    RC



  • This is why it's a good idea to at least keep your VPN subnet away from common LAN subnets, especially so if you want it to work in random environments. Something somewhere randomly inside the 172.16.0.0/12 space is often a good choice as this space seems to be fairly uncommon to see on LANs, so you're less likely to have a conflict.

    Anyway, in your situation the only good choice is for one of you to renumber your network (probably easier to do this on the client side, though I'd consider planning for it on your end for the reason above). It might be possible to do NAT on the client side, but I don't know of an easy way to accomplish this. The other option would be to use OpenVPN in bridge mode.

    If you've just got mobile clients though, I don't think renumbering the VPN subnet would be a really huge deal. Update some firewall rules and access lists and that should be all you really need to do - but I don't know what your network looks like, so that's just a best guess.



  • Thanks for your answers!

    Renumbering the client networks is virtually impossible since we'd like the mobile users to be able to connect from anywhere so you never know what subnet you'll encounter.

    Renumbering our own subnet is also tricky because we're in an Active Directory with six sites and a load of servers (Exchange, DC, fileservers, cvs servers, webservers, etc.). So while it's not impossible it will most likely be quite a feat to renumber our own network. It grew so historically and I inherited it from my predecessor.

    Still I think changing our own subnet is the most sensible thing to do. Thanks for your input.


Locked