OK, I dropped the supernet down to fit my local LAN and DMZ and that works like a charm. I sort of understand the whole multiple IPSEC tunnels thing, but when I create them it does not work. Here is what I have set up:

Network A:
LAN: 192.168.120.0/24
IPSEC tunnel to B at 192.168.4.0/22

Network B:
LAN: 192.168.6.0/24
DMZ: 192.168.5.0/24

Network C:
LAN: 192.168.123.0/24
IPSEC tunnel to B at 192.168.4.0/22

A and C can see LAN and DMZ just fine on B. When I create a second IPSEC tunnel from both A and C to B with the following:

LAN A(B) to 192.168.120.0/22

it makes no difference. Is this what you meant or am I way off?

> Hello,
>
> 1) Don't make the supernet too big. It is important to not have overlapping
> ranges between VPNs, and not to overlap your real local networks (e.g. don't
> use 192.168.0.0 / 255.255.0.0). Most of my IPSEC experience is with
> Checkpoint, where overlapping 'encryption domains' are bad news.
>
> 2) I did try this quickly with Monowall a while back and it does seem that
> you can use it as a 'VPN router'. e.g. A can contact B via C.
>
> e.g.
>
> A - Create a(n) IPSEC tunnel(s) to B that contain ranges for B and C
> B - Create a(n) IPSEC tunnel(s) to B that contain ranges for A and C
> C - Create a(n) IPSEC tunnel(s) to B that contain ranges for A and B
>
> Regards,
>
> Kris.
>
> ----- Original Message -----
> From: "Greg Miller" <gmiller at mainstaydata dot com>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Tuesday, September 20, 2005 6:48 PM
> Subject: RE: [m0n0wall] IPSEC can not access DMZ
>
>> I did try creating a "supernet" like you say but I did it much broader
>> (maybe this is where my problem lies?). I had set up local LAN on the
>> m0n0wall to be 192.168.0.0 and then set up the other side of the tunnel
>> accordingly. The tunnel came up but I had no access to the DMZ.
>>
>> On a somewhat similar note, I also have multiple remote locations via IPSEC
>> tunnels and would like to access remote A to remote B through m0n0wall at
>> location C. Would this same "supernet" work for this as well?
>>
>> --
>> Greg Miller
>> www.mainstaydata.com
>> o. 616.855.2559
>> c. 616.890.7813
>> f. 616.777.0504
>>
>> -----Original Message-----
>> From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk]
>> Sent: Tuesday, September 20, 2005 1:45 PM
>> To: Greg Miller
>> Subject: Re: [m0n0wall] IPSEC can not access DMZ
>>
>> Hello,
>>
>> In my experience with IPSEC you will need to create separate IPSEC tunnels -
>> you can't add routes for this sort of situation.
>>
>> It is possible to create two tunnels, one for each subnet (LAN and DMZ).
>> Just make sure that everything is the same (encryption methods, shared
>> secret etc.) apart from the subnets.
>>
>> Instead of creating two tunnels, you could perhaps supernet the 192.168.5
>> and 192.168.6 subnets into one larger subnet, e.g. 192.168.4.0 /
>> 255.255.252.0 (22 bits), which would then cover both your LAN and DMZ ranges
>> in one IPSEC entry. Just make sure that both ends agree otherwise the VPN
>> won't come up!
>>
>> Regards,
>>
>> Kris.
>>
>> ----- Original Message -----
>> From: "Greg Miller" <gmiller at mainstaydata dot com>
>> To: <m0n0wall at lists dot m0n0 dot ch>
>> Sent: Tuesday, September 20, 2005 5:27 PM
>> Subject: RE: [m0n0wall] IPSEC can not access DMZ
>>
>>> I looked at that section of the documentation and implemented it (I think)
>>> but it did not work. How would I have to set up my IPSEC tunnels? Right
>>> now I have subnet 192.168.123.0 at my remote LAN and 192.168.6.0 for my
>>> local LAN and 192.168.5.0 for my DMZ. .123 and .6 can access each other
>>> fine and .6 can access .5 fine. What would I have to do? Create a rule?
>>> Static route? Both? Something else? Thanks.
>>>
>>> --
>>> Greg Miller
>>> www.mainstaydata.com
>>> o. 616.855.2559
>>> c. 616.890.7813
>>> f. 616.777.0504
>>>
>>> -----Original Message-----
>>> From: Chris Buechler [mailto:cbuechler at gmail dot com]
>>> Sent: Tuesday, September 20, 2005 12:22 PM
>>> Cc: m0n0wall at lists dot m0n0 dot ch
>>> Subject: Re: [m0n0wall] IPSEC can not access DMZ
>>>
>>> On 9/20/05, Greg Miller <gmiller at mainstaydata dot com> wrote:
>>>> How do I configure my m0n0wall to allow traffic from an IPSEC tunnel to
>>>> access my mail server which is in the DMZ?
>>>
>>> http://img.m0n0.ch/docbook/faq-ipsec-multiple-subnets.html
>>>
>>> -chris
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
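The two pitfalls the thread turns on are a supernet that is too wide (it overlaps a site's own LAN, or another tunnel's range) and one that is too narrow (it misses the DMZ). The checker below is an added example, not m0n0wall code or anything from the posters: it computes the smallest prefix covering a set of networks (Kris's 192.168.4.0/22 for .5 and .6) and lints one site's Phase 2 selectors for overlaps. It assumes the "LAN A(B) to 192.168.120.0/22" entry means a second tunnel whose remote side is 192.168.120.0/22; that reading is mine.

```python
import ipaddress
from typing import Iterable, List, Tuple

def covering_supernet(nets: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest single prefix that contains every network in `nets`."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    cand = parsed[0]
    while not all(n.subnet_of(cand) for n in parsed):
        cand = cand.supernet()  # widen by one bit until everything fits
    return cand

def check_phase2(local_nets: Iterable[str],
                 tunnels: Iterable[Tuple[str, str]]) -> List[str]:
    """Lint the Phase 2 selectors of one site.
    local_nets: the site's own LAN/DMZ prefixes.
    tunnels:    (local_selector, remote_selector) pairs, one per IPsec entry.
    Returns a list of problems; an empty list means the selectors are clean."""
    locals_ = [ipaddress.ip_network(n) for n in local_nets]
    sel = [(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in tunnels]
    problems = []
    for i, (lsel, rsel) in enumerate(sel):
        # A remote selector that overlaps a local network is unroutable: the
        # site cannot tell whether to encrypt a packet or deliver it locally.
        for ln in locals_:
            if rsel.overlaps(ln):
                problems.append(f"tunnel {i}: remote {rsel} overlaps local {ln}")
        if not any(ln.subnet_of(lsel) for ln in locals_):
            problems.append(f"tunnel {i}: local selector {lsel} covers no local network")
        # Two entries whose remote ranges overlap give two candidate SAs for
        # the same destination (the 'overlapping encryption domains' problem).
        for j, (_, other) in enumerate(sel[i + 1:], start=i + 1):
            if rsel.overlaps(other):
                problems.append(f"tunnels {i} and {j}: remote {rsel} and {other} overlap")
    return problems

if __name__ == "__main__":
    # Constructed from the addresses in the thread.
    print(covering_supernet(["192.168.5.0/24", "192.168.6.0/24"]))  # 192.168.4.0/22
    # Site C with its one working tunnel to B:
    print(check_phase2(["192.168.123.0/24"],
                       [("192.168.123.0/24", "192.168.4.0/22")]))
    # Site C with the extra 192.168.120.0/22 entry, which swallows C's own LAN:
    print(check_phase2(["192.168.123.0/24"],
                       [("192.168.123.0/24", "192.168.4.0/22"),
                        ("192.168.123.0/24", "192.168.120.0/22")]))
    # Greg's first attempt, a /16 on the remote side, seen from site A:
    print(check_phase2(["192.168.120.0/24"],
                       [("192.168.120.0/24", "192.168.0.0/16")]))
```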