 
 From:  "Holger Bauer" <Holger dot Bauer at citec dash ag dot de>
 To:  "Chris Buechler" <cbuechler at gmail dot com>, "sys read" <sysread at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: [m0n0wall] Site to Site IPSEC VPN with multiple LAN Subnets on one side.
 Date:  Thu, 21 Apr 2005 08:29:55 +0200
Ok, I have done something similar to that. Here is how it goes:

On each side create 3 identifiers for the tunnel endpoints.
(you'll need 3 parallel tunnels for that setup)
identifier: subnet1, secret: secret1
identifier: subnet2, secret: secret2
identifier: subnet3, secret: secret3

Create the first tunnel between both m0n0s like you did, but use identifier subnet1 on both sides
with its secret.
Local net on corporate side is 192.168.3.0/24, remote is 10.1.128.1
Be sure to use "aggressive mode", as main mode won't work for identifiers other than your static IP.

Create the second tunnel between both m0n0s exactly the same way, but using identifier subnet2 now.
Local net on corporate side is 10.1.0.0/22 now, remote is still 10.1.128.1.

The third tunnel should look like this: identifier subnet3, local on corporate 10.1.12.0/22, remote
10.1.128.1

(By the way, if subnet 3 for example can't be reached directly by the m0n0 at the corporate side,
a static route on the corporate m0n0 with the appropriate gateway will make it reachable too.)

Apply everything and all tunnels should come up when needed.

Regards,
Holger
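Holger's three-tunnel layout and the "supermask" attempt in the original post both come down to choosing phase 2 traffic selectors. The script below is an added example, not m0n0wall code and not anything posted in the thread: it computes the smallest single prefix that covers a set of local subnets (the supermask approach), lists the address space such a summary would pull into the tunnel with no real host behind it, checks that no local selector overlaps a remote one, and lays out one tunnel per local/remote pair using the subnet1/subnet2/subnet3 identifier naming Holger describes. The addresses are the made-up ones from the original post; the `subnetN` identifiers and the dictionary layout of the plan are assumptions of this example.

```python
"""Traffic-selector planning for a multi-subnet site-to-site IPsec tunnel.

Added example; uses only the Python standard library. Network values are the
made-up ones from the thread, identifier names follow Holger's subnetN scheme.
"""
import ipaddress
from itertools import product

# Constructed from the thread: corporate side has three networks, remote has one.
CORPORATE_NETS = ["192.168.3.0/24", "10.1.0.0/22", "10.1.12.0/22"]
REMOTE_NETS = ["10.1.128.0/24"]


def smallest_supernet(nets):
    """Smallest single prefix containing every network in nets.

    This is the "supermask" idea from the original post: one phase 2 selector
    covering several local subnets. It degrades to 0.0.0.0/0 when the networks
    share no useful common prefix, which is why 192.168.3.0/24 cannot be
    folded in with the 10.1.x.x networks.
    """
    nets = [ipaddress.ip_network(n) for n in nets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        if candidate.prefixlen == 0:
            break
        candidate = candidate.supernet()
    return candidate


def uncovered_space(supernet, nets):
    """Prefixes inside supernet that belong to none of nets.

    Destinations in these ranges are routed into the tunnel although no
    corporate host lives there; the list should be empty or knowingly accepted.
    """
    leftover = [ipaddress.ip_network(supernet)]
    for n in map(ipaddress.ip_network, nets):
        remaining = []
        for block in leftover:
            if n.subnet_of(block):        # carve the real network out of the block
                remaining.extend(block.address_exclude(n))
            elif block.subnet_of(n):      # block is entirely real address space
                continue
            else:                         # disjoint: keep as is
                remaining.append(block)
        leftover = remaining
    return sorted(leftover)


def selector_conflicts(local_nets, remote_nets):
    """(local, remote) pairs whose ranges overlap.

    A local selector overlapping a remote one makes the security policy
    ambiguous: the same destination matches both ends of the tunnel. A
    corporate summary of 10.1.0.0/16 would collide with the remote 10.1.128.0/24,
    while the /17 used in the post stops just short of it.
    """
    pairs = product(map(ipaddress.ip_network, local_nets),
                    map(ipaddress.ip_network, remote_nets))
    return [(loc, rem) for loc, rem in pairs if loc.overlaps(rem)]


def tunnel_plan(local_nets, remote_nets):
    """One parallel tunnel per (local, remote) pair, each with its own identifier.

    Mirrors the subnet1/subnet2/subnet3 layout from Holger's mail; refuses to
    produce a plan whose selectors overlap.
    """
    conflicts = selector_conflicts(local_nets, remote_nets)
    if conflicts:
        raise ValueError(f"overlapping selectors: {conflicts}")
    plan = []
    for i, (loc, rem) in enumerate(product(local_nets, remote_nets), start=1):
        plan.append({"identifier": f"subnet{i}",
                     "local": ipaddress.ip_network(loc),
                     "remote": ipaddress.ip_network(rem)})
    return plan


if __name__ == "__main__":
    ten_nets = ["10.1.0.0/22", "10.1.12.0/22"]
    summary = smallest_supernet(ten_nets)
    print("supermask for the 10.1 networks:", summary)
    print("dead space pulled into the tunnel:", uncovered_space(summary, ten_nets))
    print("supermask for all three networks:", smallest_supernet(CORPORATE_NETS))
    print("conflicts with 10.1.0.0/16 summary:", selector_conflicts(["10.1.0.0/16"], REMOTE_NETS))
    for entry in tunnel_plan(CORPORATE_NETS, REMOTE_NETS):
        print(f"{entry['identifier']}: local {entry['local']} <-> remote {entry['remote']}")
```

Running it shows the two 10.1 networks summarise to 10.1.0.0/20 (the /17 in the post was wider than needed) with 10.1.4.0/22 and 10.1.8.0/22 as dead space, that adding 192.168.3.0/24 collapses the summary to 0.0.0.0/0, and that three parallel tunnels are required, matching Holger's count.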

From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Thursday, 21 April 2005 07:46
To: sys read
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Site to Site IPSEC VPN with multiple LAN Subnets on one side.


On 4/20/05, sys read <sysread at gmail dot com> wrote:
> Hello all,
> 
> I'm evaluating m0n0wall for use as our corporate O2O VPN setup.
> Here's the scenario.
> ( BTW, IP addresses are made up, the subnet masking is real )
> 
> Corporate has three internal networks:
> 
> 192.168.3.0/24
> 10.1.0.0/22
> 10.1.12.0/22
> 
>   m0n0wall:
>     external: 201.52.32.34/27
>     internal: 10.1.0.5
> 
> Remote site has one internal network:
> 
> 10.1.128.0/24
> 
>    m0n0wall:
>        external: 203.123.63.195/24
>        internal: 10.1.128.1
> 
> I've got the IPSEC tunnel working between the two sites.  I used a
> 10.1.0.0/17 network supermask to get both 10.1.1.0/22 and 10.1.12.0/22
> in the VPN tunnel.  The problem is that I can't get to 192.168.3.0 no
> matter what I do.  I've read FAQ 13.30 (
> http://m0n0.ch/wall/docbook/faq-ipsec-multiple-subnets.html ) and it
> doesn't really help ( well, it doesn't give enough specifics ).  I
> can't summarize the 192.168.3.0/24 subnet into 10.1.0.0/17 ( which I
> did for the other two networks ).  I've tried 13.30.2, but every
> incantation fails.   

Others have used the method in 13.30.2, which is why I added it.  I
haven't tried it myself, but I know there is more than one person out
there using a setup as described there.  I know it's light on details,
simply because I've never tried it myself (it's on my list of things
to try out).

Maybe someone that has this setup successfully can comment further. 
Those of you that are running similar setups, I'd like to know how you
have it set up for the sake of clarifying that FAQ (email me off
list).

-Chris
