 From:  "Kristian Shaw" <monowall at wealdclose dot co dot uk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC can not access DMZ
 Date:  Tue, 20 Sep 2005 20:11:11 +0100
Hello,

1) Don't make the supernet too big. It is important not to have overlapping
ranges between VPNs, and not to overlap your real local networks (e.g. don't
use 192.168.0.0 / 255.255.0.0). Most of my IPSEC experience is with
Checkpoint, where overlapping 'encryption domains' are bad news.

2) I did try this quickly with Monowall a while back and it does seem that
you can use it as a 'VPN router'. e.g. A can contact B via C.

e.g.

A - Create a(n) IPSEC tunnel(s) to B that contain ranges for B and C
B - Create a(n) IPSEC tunnel(s) to B that contain ranges for A and C
C - Create a(n) IPSEC tunnel(s) to B that contain ranges for A and B

Regards,

Kris.
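A quick check for the two points above (pick the smallest supernet that covers LAN and DMZ, then make sure it overlaps neither the remote side nor any other tunnel's range), as an added example that is not part of the original thread; it uses Python's standard ipaddress module, and the subnets from this thread are constructed input.

```python
import ipaddress


def smallest_supernet(subnets):
    """Smallest single prefix that covers every subnet in `subnets`.

    Widening one bit at a time from the first subnet stops as soon as all
    of them fit, e.g. 192.168.5.0/24 + 192.168.6.0/24 -> 192.168.4.0/22.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()  # widen by one bit (drop the last prefix bit)
    return net


def domain_conflicts(domain, other_ranges):
    """Ranges (remote VPN subnets, other tunnels' domains, local networks)
    that a proposed encryption domain overlaps; an empty list means it is safe."""
    dom = ipaddress.ip_network(domain, strict=False)
    others = [ipaddress.ip_network(r, strict=False) for r in other_ranges]
    return [str(o) for o in others if dom.overlaps(o)]


def plan_domain(local_subnets, other_ranges):
    """Supernet the local side and report how much address space the
    supernet adds beyond the real subnets and which other ranges it hits."""
    dom = smallest_supernet(local_subnets)
    real = sum(ipaddress.ip_network(s, strict=False).num_addresses
               for s in local_subnets)
    return {
        "domain": str(dom),
        "conflicts": domain_conflicts(str(dom), other_ranges),
        "unused_addresses": dom.num_addresses - real,
    }


if __name__ == "__main__":
    # Constructed from the thread: LAN 192.168.6.0/24, DMZ 192.168.5.0/24,
    # remote LAN 192.168.123.0/24.
    lan, dmz, remote = "192.168.6.0/24", "192.168.5.0/24", "192.168.123.0/24"
    print(plan_domain([lan, dmz], [remote]))
    # {'domain': '192.168.4.0/22', 'conflicts': [], 'unused_addresses': 512}
    # The over-broad 192.168.0.0/16 swallows the remote LAN as well:
    print(domain_conflicts("192.168.0.0/16", [remote]))
    # ['192.168.123.0/24']
```

Both ends of the tunnel must be configured with the same domain the function returns, otherwise phase 2 will not negotiate.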

----- Original Message ----- 
From: "Greg Miller" <gmiller at mainstaydata dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Tuesday, September 20, 2005 6:48 PM
Subject: RE: [m0n0wall] IPSEC can not access DMZ


>I did try creating a "supernet" like you say but I did it much broader
> (maybe this is where my problem lies?)  I had set up local lan on the
> m0n0wall to be 192.168.0.0 and then set up the other side of the tunnel
> accordingly.  The tunnel came up but I had no access to the DMZ.
>
> On a somewhat similar note I also have multiple remote locations via ipsec
> tunnels and would like to access remote A to remote B  through m0n0Wall at
> location C.  Would this same "supernet" work for this as well?
>
> --
> Greg Miller
> www.mainstaydata.com
> o. 616.855.2559
> c. 616.890.7813
> f.  616.777.0504
>
> -----Original Message-----
> From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk]
> Sent: Tuesday, September 20, 2005 1:45 PM
> To: Greg Miller
> Subject: Re: [m0n0wall] IPSEC can not access DMZ
>
> Hello,
>
> In my experience with IPSEC you will need to create separate IPSEC
> tunnels - you can't add routes for this sort of situation.
>
> It is possible to create two tunnels, one for each subnet (LAN and DMZ).
> Just make sure that everything is the same (encryption methods, shared
> secret etc) apart from the subnets.
>
> Instead of creating two tunnels, you could perhaps supernet the 192.168.5
> and 192.168.6 subnets into one larger subnet, e.g. 192.168.4.0 /
> 255.255.252.0 (22 bits) which would then cover both your LAN and DMZ
> ranges in one IPSEC entry. Just make sure that both ends agree otherwise
> the VPN won't come up!
>
> Regards,
>
> Kris.
>
> ----- Original Message ----- 
> From: "Greg Miller" <gmiller at mainstaydata dot com>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, September 20, 2005 5:27 PM
> Subject: RE: [m0n0wall] IPSEC can not access DMZ
>
>
>>I looked at that section of the documentation and implemented it (I think)
>> but it did not work.  How would I have to set up my ipsec tunnels?  Right
>> now I have subnet 192.168.123.0 at my remote lan and 192.168.6.0 for my
>> local lan and 192.168.5.0 for my dmz.  .123 and .6 can access each other
>> fine and .6 can access .5 fine.  What would I have to do?  Create a rule?
>> Static route? Both?  Something else?  Thanks.
>>
>> --
>> Greg Miller
>> www.mainstaydata.com
>> o. 616.855.2559
>> c. 616.890.7813
>> f.  616.777.0504
>>
>> -----Original Message-----
>> From: Chris Buechler [mailto:cbuechler at gmail dot com]
>> Sent: Tuesday, September 20, 2005 12:22 PM
>> Cc: m0n0wall at lists dot m0n0 dot ch
>> Subject: Re: [m0n0wall] IPSEC can not access DMZ
>>
>> On 9/20/05, Greg Miller <gmiller at mainstaydata dot com> wrote:
>>> How do I configure my m0n0wall to allow traffic from an IPSEC tunnel to
>>> access my mail server which is in the DMZ?
>>
>> http://img.m0n0.ch/docbook/faq-ipsec-multiple-subnets.html
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>>
>
>