 
 From:  sys read <sysread at gmail dot com>
 To:  Claude Hecker <claude dot hecker at phoenix dash mecano dot com>
 Cc:  Chris Buechler <cbuechler at gmail dot com>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Site to Site IPSEC VPN with multiple LAN Subnets on one side.
 Date:  Thu, 21 Apr 2005 14:46:39 -0700
Wow, thanks guys!

I spent a little more time thinking about it, cleared all the tunnels
and static routes I had and started over.  I created a 10.1.0.0/17
tunnel first, and added a static route to 10.1.0.0/17 to the default
LAN gateway that the inside m0n0wall is plugged in to.  Then I did a
new tunnel 192.168.0.0/16, and added a route to that network through the
local side that that network is connected to.  Works like a champ.  I
think what I was missing when I tried to make the tunnels before is
that the second (192.168/16) tunnel needed a route because the
m0n0wall's default route is on the WAN side (it was sending the
packets out the WAN interface because it didn't know about
192.168.0.0/16)...

BTW, I don't have edit.php; is that in 1.2b7?

-sysread

On 4/20/05, Claude Hecker <claude dot hecker at phoenix dash mecano dot com> wrote:
>  Hi Chris, Sysread....
>  
>  If you only want to create one tunnel with routing policies for all
>  subnets, you have to set it up as follows:
>  
>  Create the first tunnel with the GUI interface.
>  Switch to .../edit.php and edit /var/etc/racoon.conf like this:
>  
>  path pre_shared_key "/var/etc/psk.txt";
>  
>  # phase 1 (ISAKMP) peer entry for the far gateway
>  remote 201.52.32.34 {
>      exchange_mode aggressive;
>      my_identifier address  "203.123.63.195";
>      peers_identifier address "201.52.32.34";
>      initial_contact on;
>      support_proxy on;
>      proposal_check claim;
>  
>      proposal {
>          encryption_algorithm 3des;
>          hash_algorithm sha1;
>          authentication_method pre_shared_key;
>          dh_group 2;
>      }
>  }
>  
>  # phase 2: one sainfo (local/remote selector pair) per LAN subnet,
>  # each pairing with the same remote 10.1.128.0/24
>  sainfo address 192.168.3.0/24 any address 10.1.128.0/24 any {
>      encryption_algorithm 3des;
>      authentication_algorithm hmac_sha1;
>      compression_algorithm deflate;
>      lifetime time 3600 secs;
>  }
>  
>  sainfo address 10.1.0.0/22  any address 10.1.128.0/24 any {
>      encryption_algorithm 3des;
>      authentication_algorithm hmac_sha1;
>      compression_algorithm deflate;
>      lifetime time 3600 secs;
>  }
>  
>  sainfo address 10.1.12.0/22  any address 10.1.128.0/24 any {
>      encryption_algorithm 3des;
>      authentication_algorithm hmac_sha1;
>      compression_algorithm deflate;
>      lifetime time 3600 secs;
>  }
>  
>  Save this and then kill the running racoon daemon.
>  
>  On the remote side do the same with the appropriate settings..
>  And everything should work fine..
>  
>  Regards
>  Claude
>  
>  On 21.04.2005 at 7:46, "Chris Buechler" <cbuechler at gmail dot com>
>  wrote:
>  
>  
> On 4/20/05, sys read <sysread at gmail dot com> wrote: 
>  > Hello all, 
>  > 
>  > I'm evaluating m0n0wall for use as our corporate O2O VPN setup. 
>  > Here's the scenario. 
>  > ( BTW, IP addresses are made up, the subnet masking is real ) 
>  > 
>  > Corporate has three internal networks: 
>  > 
>  > 192.168.3.0/24 
>  > 10.1.0.0/22 
>  > 10.1.12.0/22 
>  > 
>  >   m0n0wall: 
>  >     external: 201.52.32.34/27 
>  >     internal: 10.1.0.5 
>  > 
>  > Remote site has one internal network: 
>  > 
>  > 10.1.128.0/24 
>  > 
>  >    m0n0wall: 
>  >        external: 203.123.63.195/24 
>  >        internal: 10.1.128.1 
>  > 
>  > I've got the IPSEC tunnel working between the two sites.  I used a 
>  > 10.1.0.0/17 network supermask to get both 10.1.1.0/22 and 10.1.12.0/22 
>  > in the VPN tunnel.  The problem is that I can't get to 192.168.3.0 no 
>  > matter what I do.  I've read FAQ 13.30
>  > (http://m0n0.ch/wall/docbook/faq-ipsec-multiple-subnets.html) and it
>  > doesn't really help (well, it doesn't give enough specifics).  I
>  > can't summarize the 192.168.3.0/24 subnet into 10.1.0.0/17 (which I
>  > did for the other two networks).  I've tried 13.30.2, but every
>  > incantation fails.
>  
>  Others have used the method in 13.30.2, which is why I added it.  I 
>  haven't tried it myself, but I know there is more than one person out 
>  there using a setup as described there.  I know it's light on details, 
>  simply because I've never tried it myself (it's on my list of things 
>  to try out). 
>  
>  Maybe someone that has this setup successfully can comment further. 
>  Those of you that are running similar setups, I'd like to know how you 
>  have it set up for the sake of clarifying that FAQ (email me off 
>  list). 
>  
>  -Chris 
>  
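The selector planning this thread converges on (summarise the subnets that can be summarised, give 192.168.3.0/24 its own selector, make sure a summary never swallows the far side's prefix, and give the inside LAN router a route for each remote prefix), written up as an added Python example. It is not m0n0wall code and not from any poster in the thread; it uses the thread's made-up addresses, and `smallest_supernet`, `plan_selectors`, `mirror`, `racoon_sainfo` and `lan_routes` are names of my own. It goes one step beyond the thread: the smallest summary for the two 10.1 subnets is 10.1.0.0/20, tighter than the /17 used above, and 10.1.0.0/16 is rejected because it would overlap the remote 10.1.128.0/24 and so can never be a valid phase-2 selector against it.

```python
"""Added example (not m0n0wall code, not from anyone in this thread): plan
IPsec phase-2 selectors for a site with several LAN subnets.  Addresses are the
made-up ones from the thread; the function names are my own."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network


def smallest_supernet(nets: Iterable[Net]) -> Net:
    """Smallest single prefix containing every network in `nets`.

    Widens the first prefix one bit at a time until it covers all of them:
    10.1.0.0/22 + 10.1.12.0/22 -> 10.1.0.0/20, while a mix of 10/8 and
    192.168/16 space degenerates to 0.0.0.0/0, i.e. "cannot be summarised".
    """
    nets = list(nets)
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def overlaps_any(net: Net, others: Iterable[Net]) -> Optional[Net]:
    """First network in `others` that overlaps `net`, or None."""
    for other in others:
        if net.overlaps(other):
            return other
    return None


def plan_selectors(local_groups: List[List[Net]],
                   remote: List[Net]) -> List[Tuple[Net, Net]]:
    """One (local, remote) selector per local group x remote subnet.

    Each group is summarised to its smallest supernet.  A summary that would
    swallow a far-side prefix is rejected: with 10.1.128.0/24 on the far side,
    10.1.0.0/16 is unusable, while 10.1.0.0/17 (or the tighter /20) is fine.
    """
    pairs: List[Tuple[Net, Net]] = []
    for group in local_groups:
        local = smallest_supernet(group)
        clash = overlaps_any(local, remote)
        if clash is not None:
            raise ValueError(f"local selector {local} overlaps remote {clash}")
        pairs.extend((local, r) for r in remote)
    return pairs


def mirror(pairs: List[Tuple[Net, Net]]) -> List[Tuple[Net, Net]]:
    """The same selectors as the far side has to write them: local/remote swapped."""
    return [(remote, local) for local, remote in pairs]


def racoon_sainfo(pairs: List[Tuple[Net, Net]], lifetime: int = 3600) -> str:
    """One racoon `sainfo` stanza per selector, in the shape posted in the thread.
    3des/hmac_sha1 are carried over from that post; on a current build prefer
    AES and a SHA-2 HMAC."""
    stanzas = []
    for local, remote in pairs:
        stanzas.append(
            f"sainfo address {local} any address {remote} any {{\n"
            "    encryption_algorithm 3des;\n"
            "    authentication_algorithm hmac_sha1;\n"
            "    compression_algorithm deflate;\n"
            f"    lifetime time {lifetime} secs;\n"
            "}\n")
    return "\n".join(stanzas)


def lan_routes(pairs: List[Tuple[Net, Net]],
               vpn_lan_ip: str) -> List[Tuple[Net, str]]:
    """Static routes the inside LAN router needs so packets for the far side go
    to the m0n0wall's LAN address instead of the router's default gateway (the
    missing piece in the reply at the top).  One route per distinct remote prefix."""
    seen: List[Net] = []
    for _, remote in pairs:
        if remote not in seen:
            seen.append(remote)
    return [(r, vpn_lan_ip) for r in seen]


if __name__ == "__main__":
    # Constructed from the thread: corporate has three LANs, the remote site one.
    corporate = [[Net("192.168.3.0/24")],
                 [Net("10.1.0.0/22"), Net("10.1.12.0/22")]]
    remote_site = [Net("10.1.128.0/24")]
    pairs = plan_selectors(corporate, remote_site)
    print("# corporate m0n0wall\n" + racoon_sainfo(pairs))
    print("# remote m0n0wall\n" + racoon_sainfo(mirror(pairs)))
    for net, gw in lan_routes(pairs, "10.1.0.5"):
        print(f"# corporate LAN router: route add -net {net} {gw}")
```

Running it prints two stanzas for the corporate side (192.168.3.0/24 and 10.1.0.0/20, each to 10.1.128.0/24), the mirrored pair for the remote side, and the single route the corporate LAN router needs (10.1.128.0/24 via 10.1.0.5). Swapping the 10.1 group for a hand-picked 10.1.0.0/16 makes `plan_selectors` raise, which is the failure the overlap check exists for.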