 From:  Claude Hecker <claude dot hecker at phoenix dash mecano dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>, sys read <sysread at gmail dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Site to Site IPSEC VPN with multiple LAN Subnets on one side.
 Date:  Thu, 21 Apr 2005 08:54:09 +0200
Hi Chris, Sysread....

If you only want to create one tunnel with routing policies for all subnets,

Up as follows:

Create the first tunnel with the GUI interface ..
Switch to .../edit.php and edit /var/etc/racoon.conf like this

path pre_shared_key "/var/etc/psk.txt";

remote 201.52.32.34 {
    exchange_mode aggressive;
    my_identifier address  "203.123.63.195";
    peers_identifier address "201.52.32.34";
    initial_contact on;
    support_proxy on;
    proposal_check claim;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 192.168.3.0/24 any address 10.1.128.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}

sainfo address 10.1.0.0/22  any address 10.1.128.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}

sainfo address 10.1.12.0/22  any address 10.1.128.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}

Save this and then kill the running racoon daemon..


On the remote side do the same with the appropriate settings..
And everything should work fine..

Regards
Claude

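A small generator for the per-subnet sainfo blocks that the post adds by hand (one per local/remote pair, which the GUI does not produce), as an added example that is not from the original thread or from m0n0wall's own code. It assumes the corporate side is the local end and uses the thread's (made-up) subnets as constructed sample input; the algorithm defaults mirror the post.

```python
import ipaddress
from itertools import product

# Defaults mirror the 2005 post. 3DES, SHA-1 and DH group 2 are legacy choices;
# where both peers support them, aes / hmac_sha256 are the safer values.
SAINFO_TEMPLATE = """sainfo address {local} any address {remote} any {{
    encryption_algorithm {enc};
    authentication_algorithm {auth};
    compression_algorithm deflate;
    lifetime time {lifetime} secs;
}}"""


def parse_subnets(cidrs):
    """Parse CIDR strings; strict=True rejects host bits (e.g. 10.1.0.5/22)."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def check_disjoint(local, remote):
    """A local network that overlaps a remote one (or another local one, as when a
    supermask is mixed with the subnets it covers) cannot be selected cleanly."""
    for l, r in product(local, remote):
        if l.overlaps(r):
            raise ValueError(f"local {l} overlaps remote {r}")
    for i, a in enumerate(local):
        for b in local[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"local {a} overlaps local {b}")


def build_sainfo(local_cidrs, remote_cidrs, enc="3des", auth="hmac_sha1", lifetime=3600):
    """Return one racoon sainfo block per (local, remote) subnet pair."""
    local, remote = parse_subnets(local_cidrs), parse_subnets(remote_cidrs)
    check_disjoint(local, remote)
    return [SAINFO_TEMPLATE.format(local=l, remote=r, enc=enc, auth=auth, lifetime=lifetime)
            for l, r in product(local, remote)]


# Constructed sample input: the corporate side of the thread (addresses are made up there too).
CORPORATE = ["192.168.3.0/24", "10.1.0.0/22", "10.1.12.0/22"]
REMOTE = ["10.1.128.0/24"]

if __name__ == "__main__":
    print("\n\n".join(build_sainfo(CORPORATE, REMOTE)))
```

The output is pasted below the remote {} block in /var/etc/racoon.conf; on the remote m0n0wall the local and remote lists are swapped.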
On 21.04.2005 at 7:46, "Chris Buechler" <cbuechler at gmail dot com> wrote:

> On 4/20/05, sys read <sysread at gmail dot com> wrote:
>> > Hello all, 
>> > 
>> > I'm evaluating m0n0wall for use as our corporate O2O VPN setup.
>> > Here's the scenario.
>> > ( BTW, IP addresses are made up, the subnet masking is real )
>> > 
>> > Corporate has three internal networks:
>> > 
>> > 192.168.3.0/24
>> > 10.1.0.0/22 
>> > 10.1.12.0/22 
>> > 
>> >   m0n0wall: 
>> >     external: 201.52.32.34/27
>> >     internal: 10.1.0.5
>> > 
>> > Remote site has one internal network:
>> > 
>> > 10.1.128.0/24 
>> > 
>> >    m0n0wall: 
>> >        external: 203.123.63.195/24
>> >        internal: 10.1.128.1
>> > 
>> > I've got the IPSEC tunnel working between the two sites.  I used a
>> > 10.1.0.0/17 network supermask to get both 10.1.1.0/22 and 10.1.12.0/22
>> > in the VPN tunnel.  The problem is that I can't get to 192.168.3.0 no
>> > matter what I do.  I've read FAQ 13.30 (
>> > http://m0n0.ch/wall/docbook/faq-ipsec-multiple-subnets.html ) and it
>> > doesn't really help ( well, it doesn't give enough specifics ).  I
>> > can't summarize the 192.168.3.0/24 subnet into 10.1.0.0/17 ( which I
>> > did for the other two networks ).  I've tried 13.30.2, but every
>> > incantation fails.
> 
> Others have used the method in 13.30.2, which is why I added it.  I
> haven't tried it myself, but I know there is more than one person out
> there using a setup as described there.  I know it's light on details,
> simply because I've never tried it myself (it's on my list of things
> to try out). 
> 
> Maybe someone that has this setup successfully can comment further.
> Those of you that are running similar setups, I'd like to know how you
> have it set up for the sake of clarifying that FAQ (email me off
> list). 
> 
> -Chris 
> 