 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Private site to site IPSEC VPN
 Date:  Sun, 6 Feb 2005 16:43:41 -0800 (PST)
On Sat, 5 Feb 2005, Vincent Fleuranceau wrote:

> > Is it possible to create a private site to site IPSEC VPN over the 
> > internet between two points with Monowall. We are trying to route all 
> > packets from a small branch office over a VPN on the internet to a main 
> > campus regardless of the destination, emulating a point to point link. 
> > We are using a DSL link for the office and a dedicated Internet connection 
> > for the main campus. Using 1.2b3 we created a tunnel between the two 
> > locations but any packets from the office destined for the Internet are 
> > not making it to the campus Monowall server, they are hitting the office 
> > Monowall server and then being routed directly to and from the internet. 
> > Packets to and from the main campus do travel over the IPSEC tunnel.
> > Is this possible with Monowall?
> 
> AFAIK:
> 
> Being able to bind your default route to a dedicated interface would
> help, but unfortunately IPsec implementation in m0n0wall does not use
> such a special interface... (NOTE: you may have the same limitation with
> other IPsec implementations, not only with racoon/m0n0wall)

It may work to specify 0.0.0.0/0 as one tunnel endpoint to get this
effect.  But this could be dangerous if IPsec is applied recursively
(though it should escape as long as the WAN IP is outside the tunnel
range).  It would also become important for m0n0wall's internal "IPnonsec
for m0n0wall<->LAN" policy to take precedence (i.e. be earlier).

> In conclusion, only traffic destined to the remote LAN can be routed
> through the tunnel.

Though the question arises as to why routing WAN traffic through the
tunnel is considered desirable.

					Fred Wright
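To make the ordering point above concrete, here is an added illustration in setkey(8) SPD syntax of the kind of policy set the 0.0.0.0/0 idea implies on the branch firewall. It is not from the post or from m0n0wall's generated configuration; the addresses (branch LAN 192.168.1.0/24, branch firewall 192.168.1.1 with WAN 203.0.113.10, campus WAN 198.51.100.20) are constructed, and the assumption is a kernel that evaluates SPD entries in the order they are added.

```conf
# Bypass policies for the firewall's own traffic to and from its LAN side
# (the "IPnonsec for m0n0wall<->LAN" idea). Listed FIRST so they win over
# the catch-all tunnel policy below; an ordered SPD lookup is assumed.
spdadd 192.168.1.1/32 192.168.1.0/24 any -P out none;
spdadd 192.168.1.0/24 192.168.1.1/32 any -P in  none;

# Catch-all tunnel policy: everything originating on the branch LAN,
# whatever its destination, is sent through the ESP tunnel to campus.
# The selector is the INNER packet; the resulting ESP packets have source
# 203.0.113.10 (the WAN IP), which is outside 192.168.1.0/24, so they do
# not match this policy again. That is the "escape" condition: the WAN IP
# must lie outside the tunnel's local selector or the policy recurses.
spdadd 192.168.1.0/24 0.0.0.0/0 any -P out ipsec esp/tunnel/203.0.113.10-198.51.100.20/require;
spdadd 0.0.0.0/0 192.168.1.0/24 any -P in  ipsec esp/tunnel/198.51.100.20-203.0.113.10/require;
```

The campus end needs the mirrored policies (0.0.0.0/0 as its local side) and must itself forward and NAT the branch traffic onward, otherwise the branch's Internet packets arrive at campus with nowhere to go (an assumption about the campus setup, not something the post states).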