 
 From:  "Barry Mather" <barry dot mather at dorecentres dot com dot au>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Private site to site IPSEC VPN
 Date:  Tue, 8 Feb 2005 14:27:46 +1100
I do something similar with my offices in the UK ...

I have blocked EVERYTHING from getting to the WAN from the LAN interface,
and have a proxy server at HQ; all clients use the proxy server to surf
via the IPsec VPN. This means I only have to have 1 proxy, 1 antispam server
etc. etc. However, it does increase load on the HQ connection ..

Just chuck a squid box in, that'll do the job for you ... and easy to
config too

-----Original Message-----
From: Louis Koutsovitis [mailto:louis dot koutsovitis at senecac dot on dot ca] 
Sent: Tuesday, 8 February 2005 1:05 PM
To: Fred Wright
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Private site to site IPSEC VPN

Fred
Thanks for the suggestion, we tried everything we could but the Internet
traffic still missed the VPN tunnel. OPENVPN looks like it has the
feature we need, we will be testing that next. The purpose of routing
WAN traffic through the tunnel is to provide the same firewall,
antispam, spyware and other vulnerability protection (from the Internet)
to the small branch office network as is provided to the main campus
network, using a less expensive DSL link. If it doesn't work we go back
to the point to point ISDN service.

Louis



Fred Wright wrote:

>On Sat, 5 Feb 2005, Vincent Fleuranceau wrote:
>
>>>Is it possible to create a private site to site IPSEC VPN over the
>>>internet between two points with Monowall. We are trying to route all
>>>packets from a small branch office over a VPN on the internet to a main
>>>campus regardless of the destination, emulating a point to point link.
>>>We are using DSL link for the office and a dedicated Internet connection
>>>for the main campus. Using 1.2b3 we created a tunnel between the two
>>>locations but any packets from the office destined for the Internet are
>>>not making it to the campus Monowall server, they are hitting the office
>>>Monowall server and then being routed directly to and from the internet.
>>>Packets to and from the main campus do travel over the IPSEC tunnel.
>>>Is this possible with Monowall?
>>
>>AFAIK:
>>
>>Being able to bind your default route to a dedicated interface would
>>help, but unfortunately IPsec implementation in m0n0wall does not use
>>such a special interface... (NOTE: you may have the same limitation with
>>other IPsec implementations, not only with racoon/m0n0wall)
>
>It may work to specify 0.0.0.0/0 as one tunnel endpoint to get this
>effect.  But this could be dangerous if IPsec is applied recursively
>(though it should escape as long as the WAN IP is outside the tunnel
>range).  It would also become important for m0n0wall's internal "IPnonsec
>for m0n0wall<->LAN" policy to take precedence (i.e. be earlier).
>
>>In conclusion, only traffic destined to the remote LAN can be routed
>>through the tunnel.
>
>Though the question arises as to why routing WAN traffic through the
>tunnel is considered desirable.
>
>					Fred Wright

Dore Achievement Centres (Pty) Ltd - Hotline: 1300 55 77 11

www.dorecentres.com.au
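The two cautions in Fred Wright's quoted reply (the 0.0.0.0/0 selector must not match the firewall's own encapsulated traffic, and the "IPnonsec for m0n0wall<->LAN" bypass policy must be ordered before the catch-all) come down to first-match evaluation of an ordered security policy database. The script below is an added illustration, not code from m0n0wall, racoon or anyone on this thread: it models a minimal first-match SPD with constructed RFC 5737 addresses (branch LAN 192.168.10.0/24, branch WAN 203.0.113.10, campus peer 198.51.100.1) and shows which ordering lets traffic to the firewall's own LAN address bypass the tunnel, and which selector choice would make the firewall's outgoing ESP packets match the tunnel policy again.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses (RFC 5737 / private ranges), not taken from the thread.
BRANCH_LAN = ipaddress.ip_network("192.168.10.0/24")
FIREWALL_LAN_IP = "192.168.10.1"        # m0n0wall's own LAN address
BRANCH_WAN_IP = "203.0.113.10"          # m0n0wall's WAN address (outside the LAN range)
CAMPUS_PEER = "198.51.100.1"            # remote IPsec gateway
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Policy:
    """One SPD entry: source/destination selectors and what to do on a match."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "tunnel" (encapsulate) or "bypass" (send in the clear)


def first_match(spd: List[Policy], src_ip: str, dst_ip: str) -> Optional[Policy]:
    """Return the first policy whose selectors cover the packet, or None.

    Order matters: unlike a routing table there is no longest-prefix rule here,
    so a 0.0.0.0/0 catch-all placed first shadows everything after it.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for policy in spd:
        if src in policy.src and dst in policy.dst:
            return policy
    return None


def decision(spd: List[Policy], src_ip: str, dst_ip: str) -> str:
    """'tunnel', 'bypass', or 'clear' when no policy applies at all."""
    policy = first_match(spd, src_ip, dst_ip)
    return "clear" if policy is None else policy.action


def build_spd(bypass_first: bool = True, any_source: bool = False) -> List[Policy]:
    """Build the branch firewall's outbound SPD.

    bypass_first: put the firewall<->LAN bypass entries ahead of the catch-all
                  (the ordering the quoted reply says must hold).
    any_source:   use 0.0.0.0/0 as the local selector too, instead of the LAN
                  subnet; this is the case where the firewall's own ESP packets
                  would match the tunnel policy a second time.
    """
    fw_host = ipaddress.ip_network(FIREWALL_LAN_IP + "/32")
    bypass_out = Policy("IPnonsec for m0n0wall<->LAN", fw_host, BRANCH_LAN, "bypass")
    bypass_in = Policy("IPnonsec for LAN<->m0n0wall", BRANCH_LAN, fw_host, "bypass")
    local = ANY if any_source else BRANCH_LAN
    catch_all = Policy("branch -> 0.0.0.0/0 via campus", local, ANY, "tunnel")
    if bypass_first:
        return [bypass_out, bypass_in, catch_all]
    return [catch_all, bypass_out, bypass_in]


def would_recurse(spd: List[Policy]) -> bool:
    """True if the ESP packet the firewall emits (WAN IP -> peer) is itself
    selected for tunnelling, i.e. IPsec would be applied recursively."""
    return decision(spd, BRANCH_WAN_IP, CAMPUS_PEER) == "tunnel"


if __name__ == "__main__":
    host = "192.168.10.50"
    for label, spd in (("correct order", build_spd()),
                       ("catch-all first", build_spd(bypass_first=False)),
                       ("any-source selector", build_spd(any_source=True))):
        print(f"[{label}]")
        print("  LAN host -> Internet host :", decision(spd, host, "192.0.2.7"))
        print("  LAN host -> firewall LAN IP:", decision(spd, host, FIREWALL_LAN_IP))
        print("  ESP from WAN IP -> peer    :", decision(spd, BRANCH_WAN_IP, CAMPUS_PEER),
              "(recursion)" if would_recurse(spd) else "(escapes)")
```

With the bypass entries first, a LAN host reaching the firewall's own LAN address (DNS forwarder, DHCP, the web GUI) stays in the clear while everything else, Internet destinations included, is selected for the tunnel; with the catch-all first, that same local traffic is wrongly pushed into the tunnel. The recursion check passes only because the local selector is the LAN subnet and the WAN address lies outside it, which is exactly the escape condition the quoted reply describes.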
