 From:  "Mauricio Culibrk" <Mauricio dot Culibrk at infohit dot si>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Site to Site IPSEC VPN with multiple LAN Subnetson one side.
 Date:  Thu, 23 Jun 2005 18:43:06 +0200
Hi everyone!


First of all I would like to excuse myself for bad English and (maybe) dumb
questions/comments but...


How will this "multiple sainfo" configuration work in combination with
the spd info you should setup for the tunnel?
If I'm not wrong, you have to specify the
<network>/endpoint-endpoint/<network> information to establish an IPSec
tunnel. How will the different "unincluded" networks pass through or use
the mentioned spd policy?

Isn't the only possible way to 
a) have a supernet big enough to include all the interested subnets
b) setup different (multiple) IPSec tunnels to carry traffic for
different (super)networks

If I'm wrong I would kindly ask anyone to explain this multi-subnet
setup a little or to point me in some direction to find more information
about such setup.
I'm really interested in the possibility to define multiple,
noncontiguous, un-super-netable subnets through a SINGLE IPSec tunnel
(without using any other tunneling/encapsulation like ipip, gre...)

Thanks for any information,
Regards,
Mauricio

Original message follows
------------------------------------------------------
Hi Chris, Sysread....

If you only want to create one tunnel with routing policies for all
subnets, you've to set it up as follows:

Create the first tunnel with the gui interface ..
Switch to .../edit.php and edit /var/etc/racoon.conf like this

path pre_shared_key "/var/etc/psk.txt";

remote 201.52.32.34 {
    exchange_mode aggressive;
    my_identifier address  "203.123.63.195";
    peers_identifier address "201.52.32.34";
    initial_contact on;
    support_proxy on;
    proposal_check claim;

    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo address 192.168.3.0/24 any address 10.1.128.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}

sainfo address 10.1.0.0/22  any address 10.1.128.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}

sainfo address 10.1.12.0/22  any address 10.1.128.0/24 any {
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 secs;
}

Save this and then kill the running racoon daemon..
Restart it with /usr/local/sbin/racoon -d -f /var/etc/racoon.conf

On the remote side do the same with the appropriate settings..
And everything should work fine..

Regards
Claude

Am 21.04.2005 7:46 Uhr schrieb "Chris Buechler" unter <cbuechler at
gmail dot com>:

> On 4/20/05, sys read <sysread at gmail dot com> wrote:
>> > Hello all, 
>> > 
>> > I'm evaluating m0n0wall for use as our corporate O2O VPN setup.
>> > Here's the scenario.
>> > ( BTW, IP addresses are made up, the subnet masking is real )
>> > 
>> > Corporate has three internal networks:
>> > 
>> > 192.168.3.0/24
>> > 10.1.0.0/22 
>> > 10.1.12.0/22 
>> > 
>> >   m0n0wall: 
>> >     external: 201.52.32.34/27
>> >     internal: 10.1.0.5
>> > 
>> > Remote site has one internal network:
>> > 
>> > 10.1.128.0/24 
>> > 
>> >    m0n0wall: 
>> >        external: 203.123.63.195/24
>> >        internal: 10.1.128.1
>> > 
>> > I've got the IPSEC tunnel working between the two sites.  I used a
>> > 10.1.0.0/17 network supermask to get both 10.1.1.0/22 and 10.1.12.0/22
>> > in the VPN tunnel.  The problem is that I can't get to 192.168.3.0 no
>> > matter what I do.  I've read FAQ 13.30 (
>> > http://m0n0.ch/wall/docbook/faq-ipsec-multiple-subnets.html ) and it
>> > doesn't really help ( well, it doesn't give enough specifics ).  I
>> > can't summarize the 192.168.3.0/24 subnet into 10.1.0.0/17 ( which I
>> > did for the other two networks ).  I've tried 13.30.2, but every
>> > incantation fails.
> 
> Others have used the method in 13.30.2, which is why I added it.  I
> haven't tried it myself, but I know there is more than one person out
> there using a setup as described there.  I know it's light on details,
> simply because I've never tried it myself (it's on my list of things
> to try out). 
> 
> Maybe someone that has this setup successfully can comment further.
> Those of you that are running similar setups, I'd like to know how you
> have it set up for the sake of clarifying that FAQ (email me off
> list). 
> 
> -Chris 
> 
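Added example (not from this thread, m0n0wall or racoon) tying Mauricio's question about the SPD side to Claude's multiple-sainfo racoon.conf: a Python script that tests whether the corporate subnets can be summarised into one supernet (option a), and otherwise emits one sainfo block per subnet pair together with the matching setkey spdadd policies, since a pair that has a sainfo block but no SPD entry is never handled by IPsec at all. It reuses the subnets and gateway identifiers from the thread; the setkey syntax is assumed from the KAME setkey(8) manual.

```python
from ipaddress import ip_network
from itertools import product

# Values taken from the thread (addresses are made up there too):
# corporate subnets, the remote subnet, and the gateway identifiers
# that appear in the posted racoon.conf.
LOCAL_NETS = ["192.168.3.0/24", "10.1.0.0/22", "10.1.12.0/22"]
REMOTE_NETS = ["10.1.128.0/24"]
LOCAL_GW, REMOTE_GW = "203.123.63.195", "201.52.32.34"

def smallest_supernet(nets):
    """Option (a): the smallest single prefix covering every subnet.
    A result of 0.0.0.0/0 means they cannot usefully be summarised."""
    nets = [ip_network(n) for n in nets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover

def sainfo_stanzas(local, remote):
    """One racoon phase-2 'sainfo' block per local/remote pair, in the
    same shape as the posted racoon.conf."""
    tmpl = ("sainfo address {l} any address {r} any {{\n"
            "    encryption_algorithm 3des;\n"
            "    authentication_algorithm hmac_sha1;\n"
            "    compression_algorithm deflate;\n"
            "    lifetime time 3600 secs;\n"
            "}}")
    return [tmpl.format(l=l, r=r) for l, r in product(local, remote)]

def spd_entries(local, remote, local_gw, remote_gw):
    """Matching setkey SPD policies: each subnet pair needs its own
    outbound and inbound tunnel policy (assumed setkey(8) syntax).
    Without an SPD entry a pair never triggers phase 2, whatever sainfo
    blocks exist, so that traffic is not protected by the tunnel."""
    lines = []
    for l, r in product(local, remote):
        lines.append(f"spdadd {l} {r} any -P out ipsec "
                     f"esp/tunnel/{local_gw}-{remote_gw}/require;")
        lines.append(f"spdadd {r} {l} any -P in ipsec "
                     f"esp/tunnel/{remote_gw}-{local_gw}/require;")
    return lines

if __name__ == "__main__":
    print("# supernet of the 10.1 subnets:", smallest_supernet(LOCAL_NETS[1:]))
    print("# supernet of all three:", smallest_supernet(LOCAL_NETS))
    print("\n\n".join(sainfo_stanzas(LOCAL_NETS, REMOTE_NETS)))
    print("\n".join(spd_entries(LOCAL_NETS, REMOTE_NETS, LOCAL_GW, REMOTE_GW)))
```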