More than one network behind a VPN gateway?


    (sorry everyone, I posted this to the Vapor forum instead of the VaporSec forum. This is a repost.)


    Just got VaporSec 0.9 working. I made it harder on myself because I thought it *had* to be harder than this! Nice work.

    I have a problem, though. I have a bunch of networks behind my SonicWALL firewall, and I can’t figure out how to access more than one of them at a time.

    The obvious solution is to set up several connections in VaporSec, all to the same firewall, with the same shared secret, but with different destination networks. When I try this, I can access machines on any of the networks – but after I’ve contacted a machine on a particular network, I can’t connect to any of the other networks until I “Flush ’em” and “Vaporize”.

    The Windows SonicWALL client works fine when it’s set up like this, so it’s not a problem on the SonicWALL end.

    Any ideas?

    Thanks again,



    [quote]What we most likely need to do here is to create some gif tunnels with ifconfig and then add some routing statements to your OSX machine to let it know that separate networks are behind the IPSec connection. We just started doing this to some degree with the Draytek routers that need this to work well, but we were not considering multiple disparate remote networks off of the same connection.[/quote]

    Nope, you don’t have to do all of that. You only need to properly define all of the networks behind the remote SonicWall when initializing setkey.

    The main issues with VaporSec and multiple networks are:

    (This is how I see it, based on my admittedly limited experience with VaporSec, but a pretty good understanding of the IPSec implementation in Mac OS X. It certainly isn’t a knock of the app.)

    1. VaporSec doesn’t use a config file for the setkey setup. While not a deal-breaker, it makes it harder to see what’s going on (IMHO) (unless I simply can’t find where VaporSec puts it). If there were a setkey config file you could easily modify it to allow the Mac to negotiate to all of the networks behind the remote gateway.

    2. VaporSec relies on the “anonymous” identifier for phase 1 & 2 in the racoon.conf file. While not really a problem if you are connecting to only a single gateway, it pretty much rules out connecting to multiple gateways simultaneously.
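As an added illustration of the second reply's point (not the poster's or VaporSec's own configuration): a POSIX shell function that emits the setkey security policy entries for several remote networks behind a single gateway, one outbound/inbound pair per network. The Mac address, gateway address and remote subnets are constructed placeholders.

```shell
#!/bin/sh
# Emit setkey SPD policies for several remote networks behind ONE IPsec gateway,
# so racoon negotiates a separate phase-2 SA for each network instead of only
# the first one the Mac happened to talk to. All addresses below are constructed.
LOCAL_IP="10.1.1.5"        # hypothetical: this Mac's own address
GATEWAY_IP="203.0.113.1"   # hypothetical: the remote SonicWALL's public address
REMOTE_NETS="192.168.10.0/24 192.168.20.0/24 192.168.30.0/24"  # constructed subnets

# spd_policies LOCAL GATEWAY NET...  -> prints a complete setkey policy file
spd_policies() {
    local_ip=$1; gw=$2; shift 2
    printf 'flush;\nspdflush;\n'          # clear stale SAs and policies first
    for net in "$@"; do
        # outbound: packets from the Mac to this network must use the tunnel
        printf 'spdadd %s/32 %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
            "$local_ip" "$net" "$local_ip" "$gw"
        # inbound: replies from this network must arrive through the tunnel
        printf 'spdadd %s %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
            "$net" "$local_ip" "$gw" "$local_ip"
    done
}

# Number of spdadd lines produced: two per remote network, handy as a sanity check.
count_policies() {
    spd_policies "$@" | grep -c '^spdadd'
}

# Print the policy file; save it and load it with:  setkey -f <file>
# ($REMOTE_NETS is deliberately unquoted so it splits into one argument per subnet)
spd_policies "$LOCAL_IP" "$GATEWAY_IP" $REMOTE_NETS
```

racoon negotiates a phase 2 SA for each policy pair the first time traffic matches it, so every subnet listed here must also be defined on the SonicWALL side; the racoon remote block for the gateway (the "anonymous" one VaporSec writes is enough for a single gateway) is still required.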
