 From:  Robert Rich <rrich at gstisecurity dot com>
 To:  JSimoneau at lmtcs dot com
 Cc:  jftheroux at privalodc dot com, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPsec tunnels question
 Date:  Wed, 22 Dec 2004 11:57:39 -0500

On the remote office side, you configure the 'tunnel' with the 'my 
identifier', the static IP of the central office, the remote network and 
the local network (among other things).  On the mobile client and 
preshared key screens, you just configure the identifier and shared 
secrets, but no remote network information...

Does the remote office m0n0wall inform the central office of its 
segment addressing when they negotiate the tunnel?  So, if I have as my 'central office' subnet, and 'LAN' as my local subnet 
(which for the sake of discussion is at, will the central 
office m0n0wall be able to tunnel all traffic to my end (i.e. will it 
know I 'own'  I'm assuming that it's fairly important to 
make sure that no remote client has overlapping networks (or at least 
none that want to hit the central box at the same time)

Also, if I split my home network into for LAN and for OPT1, can I just put in as a 'network' 
definition for the local subnet and have IPsec cover both segments, or 
do I need two tunnels?


JSimoneau at lmtcs dot com wrote:

>As long as you have a static IP on one side of the tunnel, you can do
>ipsec fine.
>When setting up the two monowall boxes on either side, one of them will be
>using the "tunnels" tab of the ipsec configuration. The other side will be
>using the "mobile clients" and "pre-shared key" tab. 
>In your case, you would want the central office with the static IP to be
>set up with the "mobile clients" and "pre-shared key" tabs. Notice that
>this part of the configuration does not require a static IP to be input
>anywhere. This side of the tunnel authenticates using an identifier and
>pre-shared key.  As an identifier, use something other than the IP
>address. I suggest using the 'domain name' option and using a random
>domain name. This domain name does NOT need to resolve to a particular IP
>address, it is simply an identifier used for the connection. You can use
>monowallisgreat.com as long as it is consistent on both ends.
>On the remote side(s) you want to set up the "tunnels" part of the ipsec
>configuration.  In this part you need to enter an IP for the remote
>gateway, which will be the static IP of the central office monowall. Make
>sure the pre-shared keys are the same on either end.
>That's it, let me know if you need more help.
>- Josh
>-----Original Message-----
>From: jftheroux at privalodc dot com [mailto:jftheroux at privalodc dot com] 
>Sent: Wednesday, December 22, 2004 10:53 AM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: [m0n0wall] IPsec tunnels question
>	Maybe it's the lack of sleep, or might just be that m0n0wall can't
>do this. I'm not sure, so I turn to you all knowledgeable people for this.
>	Say that you have your central office, which has obviously a
>static public IP. It will be the main hub for several IPsec tunnels to
>remote offices. Problem is, those remote offices don't have static IPs.
>	When you configure a tunnel in m0n0wall, you don't have a choice,
>you need to enter a static IP for the remote gateway. If I could enter a
>FQDN, I could use a dyndns.org setup and it'd be fine. Which I can't, as
>far as I can see.
>	So, is there a workaround for this with m0n0wall? Or, sadly, will
>I have to use a different solution. Don't talk about OpenVPN. This was
>already rejected, client wants an IPsec solution, or takes his business
>Jean-Francois Theroux
>Systems administrator
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
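An offline sanity check for the two concerns raised in the top message (remote sites with overlapping local networks, and whether a single aggregate 'local network' entry can stand in for LAN plus OPT1). This is an added example, not m0n0wall code; the subnets are constructed because the thread's own values are elided.

```python
import ipaddress
from itertools import combinations

# Constructed sample topology (the thread's real subnets are not on the page).
CENTRAL_LAN = ipaddress.ip_network("10.0.0.0/24")
REMOTE_SITES = {
    "home":    ["192.168.1.0/24", "192.168.2.0/24"],  # LAN and OPT1 segments
    "branch2": ["192.168.2.0/24"],                    # collides with home OPT1
    "branch3": ["10.0.0.0/25"],                       # collides with central LAN
}

def find_overlaps(central, sites):
    """Return (site_a, net_a, site_b, net_b) for every pair of networks from
    different sites that overlap; the hub LAN is checked as site 'central'.
    Two remote ends claiming the same space cannot both be routed via IPsec
    from the hub at the same time, which is the concern in the message."""
    entries = [("central", central)]
    for site, nets in sites.items():
        entries += [(site, ipaddress.ip_network(n)) for n in nets]
    return [(sa, str(na), sb, str(nb))
            for (sa, na), (sb, nb) in combinations(entries, 2)
            if sa != sb and na.overlaps(nb)]

def single_definition(nets):
    """Smallest single prefix that covers all of 'nets', and how many extra
    addresses that prefix claims beyond the segments themselves. The surplus
    is the address space one aggregate 'local network' entry would also pull
    into the tunnel, which is the caveat of using one entry for LAN and OPT1."""
    nets = [ipaddress.ip_network(n) for n in nets]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()          # widen one bit at a time until it fits
    surplus = agg.num_addresses - sum(n.num_addresses for n in nets)
    return str(agg), surplus

if __name__ == "__main__":
    for sa, na, sb, nb in find_overlaps(CENTRAL_LAN, REMOTE_SITES):
        print(f"overlap: {sa} {na} <-> {sb} {nb}")
    agg, extra = single_definition(REMOTE_SITES["home"])
    print(f"one entry covering home LAN+OPT1: {agg} ({extra} extra addresses)")
```

With the constructed values, covering 192.168.1.0/24 and 192.168.2.0/24 with one entry needs 192.168.0.0/22, which also hands 192.168.0.0/24 and 192.168.3.0/24 to the tunnel.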