Micheal Kelly
2003-Jul-03 12:53 UTC
[Shorewall-users] IPSEC, multiple subnets and multiple road warriors, oh my! :)
Hi all,

I've been using Shorewall 1.42 for a month on two firewalls at work and my own personal colocated server and love it. While pretty familiar with iptables, I don't like dealing with it on a daily basis, and Shorewall certainly makes life easier. I've deployed Shorewall on both our Toronto and Ottawa office firewalls, and have configured a FreeS/WAN IPSEC VPN between them, and all works quite nicely.

The next phase of the project involves granting access to both the Toronto and Ottawa networks to roadwarriors with IPSEC clients. This is where I've become a bit confused. I'm not really looking for specific help with my config settings, as I can likely figure those out myself. I just want to wrap my head around the logical configuration issues.

I've read about Dynamic IPSEC connections in the docs, and it seems like overkill to have a custom updown script/zone for each roadwarrior connection ... but it's my understanding that that's the only way to deal with multiple roadwarriors connecting from multiple, unknown/dynamic IP addresses?

I'd also like to grant the roadwarriors access to the Toronto subnet, but only have a single IPSEC gateway in Ottawa for them to connect to - any traffic to Toronto would then be routed over the 'static' Ottawa-Toronto VPN ... from what I've read on the FreeS/WAN mailing lists, the usual recommendation when dealing with multiple subnets is to set up multiple tunnels. I'd rather avoid that, as some of the users are very non-technical and multiple clicks to start up multiple connections would scare them. Any suggestions for doing it another way?

The problem I see is that the Toronto shorewall box would have no knowledge of the dynamic roadwarrior connections in Ottawa and would toss the traffic into the bit bucket. I think the solution to my problems is to relay DHCP across IPSEC to give each roadwarrior a known internal IP address, which I can then handle on the remote Toronto gateway.
I thought I'd get a couple second and third opinions though, just in case. :)

Thanks in advance,

- Mike Kelly
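The design the post is circling (a single tunnel per road warrior, terminated in Ottawa, with Toronto reachable through the existing site-to-site tunnel and no per-road-warrior state in Toronto) can be expressed in the FreeS/WAN `ipsec.conf` on the Ottawa gateway. This is an added example written for this page, not Mike's configuration or anything from the Shorewall or FreeS/WAN projects. All addresses, names and keys are assumptions: Ottawa LAN 10.1.0.0/24, a road-warrior pool 10.1.250.0/24, Toronto LAN 10.2.0.0/24, public addresses from the documentation ranges, and `0sAQ...` standing in for real RSA public keys. The two ideas it shows are (1) giving each road warrior a fixed inner address that falls inside the range the Ottawa-Toronto tunnel already carries, so Toronto only ever sees 10.1.0.0/16, and (2) offering the road warrior the corporate supernet 10.0.0.0/8 as the single `leftsubnet`, so one tunnel covers both offices instead of one tunnel per subnet.

```ini
# /etc/ipsec.conf on the Ottawa gateway (added example; every address,
# identity and key below is an assumption, not taken from the post)
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

conn %default
    authby=rsasig
    keyingtries=0
    # Ottawa gateway public address and RSA public key (assumed placeholders)
    left=203.0.113.10
    leftrsasigkey=0sAQ...

# Static site-to-site tunnel. It deliberately carries the whole 10.1.0.0/16
# block (Ottawa LAN plus the road-warrior pool) rather than just 10.1.0.0/24,
# so the Toronto end needs no knowledge of individual road warriors: a packet
# from 10.1.250.5 to 10.2.0.7 simply matches this tunnel's selectors.
conn ottawa-toronto
    leftsubnet=10.1.0.0/16
    right=198.51.100.20
    rightsubnet=10.2.0.0/24
    rightrsasigkey=0sAQ...
    auto=start

# One conn per road warrior, selected by the identity and RSA key the client
# presents. right=%any accepts any source address, so a changing public IP
# is not a problem; rightsubnet pins the client's inner address to one /32
# from the pool. leftsubnet is the corporate supernet, so a single tunnel
# from the client reaches both the Ottawa LAN and, via ottawa-toronto above,
# the Toronto LAN. No updown script and no DHCP relay are needed for this.
conn rw-mkelly
    leftsubnet=10.0.0.0/8
    right=%any
    rightid=@mkelly.example.com
    rightsubnet=10.1.250.5/32
    rightrsasigkey=0sAQ...
    auto=add

conn rw-second-user
    leftsubnet=10.0.0.0/8
    right=%any
    rightid=@second.example.com
    rightsubnet=10.1.250.6/32
    rightrsasigkey=0sAQ...
    auto=add
```

Things a practitioner should check before relying on this, all stated as assumptions about the deployment rather than facts from the post. The client must be able to source its traffic from the fixed inner address (10.1.250.5 here), typically by configuring that address locally and using a matching `/32` as its own subnet; whether a given Windows IPSEC client can do that is client-specific. The Toronto Shorewall box then needs its tunnel and zone definitions to cover 10.1.0.0/16 rather than only the Ottawa LAN, and on the Ottawa side the road-warrior tunnels are declared to Shorewall 1.4 with a `tunnels` entry of the form `ipsec net 0.0.0.0/0` plus a zone on `ipsec0`, which is the static part of the dynamic-VPN setup the docs describe; the per-connection `updown` script is only required if the zone membership itself must change per client, which the fixed-address scheme avoids. Finally, overlapping selectors (10.0.0.0/8 on the road-warrior conns and 10.1.0.0/16 on the site-to-site conn) should be tested on the actual FreeS/WAN version in use, since the eroute chosen for a forwarded packet is what makes the Toronto hop work.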