 From:  JSimoneau at lmtcs dot com
 To:  rrich at gstisecurity dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPsec tunnels question
 Date:  Wed, 22 Dec 2004 12:15:50 -0500
The first paragraph sounds correct. On one side you need to do the tunnel
tab, on the other side you need the mobile clients and psk tab. In your
case you'll want the central office to be the mobile clients and psk tabs
since that has the static IP. This is a normal setup, since the central
office "accepts" mobile clients and the remote office "tunnels" into the
central office.

I prefer to select 'domain name' for the identifier and use any old domain
name. You'll need to put the same one in the pre-shared key tab as well.

I don't know if I fully understand your question in the second paragraph,
but if it helps I'll tell you that monowall should do all the routing for
you. You should not need to put in any rules or static routes for the two
private subnets. I've always used /24's on mine, so I can't say how it
handles anything else. Overlapping networks will create issues, although
I've found it can work with reduced functionality.

I do not have a good answer for your last question.

Good luck,

-----Original Message-----
From: rrich at gstisecurity dot com [mailto:rrich at gstisecurity dot com] 
Sent: Wednesday, December 22, 2004 11:58 AM
To: Josh J Simoneau
Cc: jftheroux at privalodc dot com; m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] IPsec tunnels question


On the remote office side, you configure the 'tunnel' with the 'my
identifier', the static IP of the central office, the remote network and
the local network (among other things).  On the mobile client and
preshared key screens, you just configure the identifier and shared
secrets, but no remote network information...

Does the remote office m0n0wall inform the central office of its segment
addressing when they negotiate the tunnel?  So, if I have as my 'central office' subnet, and 'LAN' as my local subnet
(which for the sake of discussion is at, will the central
office m0n0wall be able to tunnel all traffic to my end (i.e. will it know
I 'own'  I'm assuming that it's fairly important to make
sure that no remote client has overlapping networks (or at least none that
want to hit the central box at the same time)

Also, if I split my home network into for LAN and for OPT1, can I just put in as a 'network'
definition for the local subnet and have ipsec cover both segments, or do
I need two tunnels?


JSimoneau at lmtcs dot com wrote:

>As long as you have a static IP on one side of the tunnel, you can do 
>ipsec fine.
>When setting up the two monowall boxes on either side, one of them will 
>be using the "tunnels" tab of the ipsec configuration. The other side 
>will be using the "mobile clients" and "pre-shared key" tab.
>In your case, you would want the central office with the static IP to 
>be setup with the "mobile clients" and "pre-shared key" tabs. Notice 
>that this part of the configuration does not require a static IP to be 
>input anywhere. This side of the tunnel authenticates using an 
>identifier and pre-shared key.  As an identifier, use something other 
>than the IP address. I suggest using the 'domain name' option and using 
>a random domain name. This domain name does NOT need to resolve to a 
>particular IP address, it is simply an identifier used for the 
>connection. You can use monowallisgreat.com as long as it is consistent
>on both ends.
>On the remote side(s) you want to setup the "tunnels" part of the ipsec 
>configuration.  In this part you need to enter an IP for the remote 
>gateway, which will be the static IP of the central office monowall. 
>Make sure the pre-shared keys are the same on either end.
>That's it, let me know if you need more help.
>- Josh
>-----Original Message-----
>From: jftheroux at privalodc dot com [mailto:jftheroux at privalodc dot com]
>Sent: Wednesday, December 22, 2004 10:53 AM
>To: m0n0wall at lists dot m0n0 dot ch
>Subject: [m0n0wall] IPsec tunnels question
>	Maybe it's the lack of sleep, or might just be that m0n0wall can't
>this. I'm not sure, so I turn to you all knowledgeable people for this.
>	Say that you have your central office, which has obviously a
>public IP. It will be the main hub for several IPsec tunnels to remote 
>offices. Problem is, those remote offices don't have static IPs.
>	When you configure a tunnel in m0n0wall, you don't have a choice,
>need to enter a static IP for the remote gateway. If I could enter a 
>FQDN, I could use a dyndns.org setup and it'd be fine. Which I can't, 
>as far as I can see.
>	So, is there a workaround for this with m0n0wall? Or, sadly, will
>have to use a different solution. Don't talk about OpenVPN. This was 
>already rejected, client wants an IPsec solution, or takes his business 
>Jean-Francois Theroux
>Systems administrator
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
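The thread's hub-and-spoke rules (static hub on the "mobile clients"/"pre-shared key" tabs, dynamic spokes on the "tunnels" tab, matching identifier and PSK, no overlapping private subnets) as a pre-deployment sanity check. This is an added example, not m0n0wall code or its config.xml schema; the `Central`/`Remote` classes, the field names and all addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Central:
    """Static-IP hub: 'mobile clients' + 'pre-shared key' tabs (modelled here, not m0n0wall's schema)."""
    wan_ip: str
    lan: str
    psk_table: dict  # identifier -> pre-shared key, one row per spoke

@dataclass
class Remote:
    """Dynamic-IP spoke: the 'tunnels' tab."""
    name: str
    remote_gateway: str   # must be the hub's static IP
    my_identifier: str    # 'domain name' style identifier; does not need to resolve
    psk: str
    local_subnets: list   # LAN (plus OPT1 if a second tunnel covers it)
    remote_subnet: str    # the hub's LAN as seen from this spoke

def check_spoke(hub: Central, spoke: Remote) -> list:
    """Return the mismatches that would keep this spoke's tunnel from coming up."""
    bad = []
    if spoke.remote_gateway != hub.wan_ip:
        bad.append("remote gateway is not the hub's static IP")
    if spoke.my_identifier not in hub.psk_table:
        bad.append("identifier is not in the hub's pre-shared key tab")
    elif hub.psk_table[spoke.my_identifier] != spoke.psk:
        bad.append("pre-shared key differs between the two ends")
    if ipaddress.ip_network(spoke.remote_subnet) != ipaddress.ip_network(hub.lan):
        bad.append("remote subnet does not match the hub's LAN")
    return [f"{spoke.name}: {b}" for b in bad]

def find_overlaps(hub: Central, spokes: list) -> list:
    """Pairs of private networks that overlap: the hub cannot route a reply to two owners."""
    owned = [("hub", ipaddress.ip_network(hub.lan))]
    for s in spokes:
        owned += [(s.name, ipaddress.ip_network(n)) for n in s.local_subnets]
    return [(a, b, str(na), str(nb)) for i, (a, na) in enumerate(owned)
            for b, nb in owned[i + 1:] if na.overlaps(nb)]

# Constructed sample data: site-b has the wrong PSK and reuses site-a's LAN.
HUB = Central("203.0.113.1", "10.0.0.0/24", {"hub.example": "s3cret", "site-b.example": "other"})
SPOKES = [
    Remote("site-a", "203.0.113.1", "hub.example", "s3cret", ["10.0.1.0/24"], "10.0.0.0/24"),
    Remote("site-b", "203.0.113.1", "site-b.example", "wrong", ["10.0.1.0/24"], "10.0.0.0/24"),
]

def run_checks(hub=HUB, spokes=SPOKES) -> dict:
    return {"mismatches": [p for s in spokes for p in check_spoke(hub, s)],
            "overlaps": find_overlaps(hub, spokes)}

if __name__ == "__main__":
    for section, findings in run_checks().items():
        print(section, findings)
```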