[ previous ] [ next ] [ threads ]
 
 From:  Louis Koutsovitis <louis dot koutsovitis at senecac dot on dot ca>
 To:  Fred Wright <fw at well dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Private site to site IPSEC VPN
 Date:  Mon, 07 Feb 2005 21:05:22 -0500
Fred
Thanks for the suggestion, we tried everything we could but the Internet 
traffic still missed the VPN tunnel. OPENVPN looks like it has the 
feature we need, we will be testing that next. The purpose of routing 
WAN traffic through the tunnel is to provide the same firewall, 
antispam, spyware and other vulnerability protection (from the Internet) 
to the small branch office network as is provided to the main campus 
network, using a less expensive DSL link. If it doesn't work we go back 
to the point to point ISDN service.

Louis



Fred Wright wrote:

>On Sat, 5 Feb 2005, Vincent Fleuranceau wrote:
>
>  
>
>>>Is it possible to create a private site to site IPSEC VPN over the 
>>>internet between two points with Monowall. We are trying to route all 
>>>packets from a small branch office over a VPN on the internet to a main 
>>>campus regardless of the destination, emulating a point to point link. 
>>>We are using DSL link for the office and a dedicated Internet connection 
>>>for the main campus. Using 1.2b3 we created a tunnel between the two 
>>>locations but any packets from the office destined for the Internet are 
>>>not making it to the campus Monowall server, they are hitting the office 
>>>Monowall server and then being routed directly to and from the internet. 
>>>Packets to and from the main campus do travel over the IPSEC tunnel.
>>>Is this possible with Monowall?
>>>      
>>>
>>AFAIK:
>>
>>Being able to bind your default route to a dedicated interface would
>>help, but unfortunately IPsec implementation in m0n0wall does not use
>>such a special interface... (NOTE: you may have the same limitation with
>>other IPsec implementations, not only with racoon/m0n0wall)
>>    
>>
>
>It may work to specify 0.0.0.0/0 as one tunnel endpoint to get this
>effect.  But this could be dangerous if IPsec is applied recursively
>(though it should escape as long as the WAN IP is outside the tunnel
>range).  It would also become important for m0n0wall's internal "IPnonsec
>for m0n0wall<->LAN" policy to take precedence (i.e. be earlier).
>
>  
>
>>In conclusion, only traffic destined to the remote LAN can be routed
>>through the tunnel.
>>    
>>
>
>Though the question arises as to why routing WAN traffic through the
>tunnel is considered desirable.
>
>					Fred Wright
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
>  
>