Hello,

Assuming that B is going to be the VPN router:

On Firewall A: Create an IPSEC tunnel to B with Source 192.168.120.0/24 and Destination 192.168.123.0/24
On Firewall B: Create an IPSEC tunnel to A with Source 192.168.123.0/24 and Destination 192.168.120.0/24
On Firewall B: Create an IPSEC tunnel to C with Source 192.168.120.0/24 and Destination 192.168.123.0/24
On Firewall C: Create an IPSEC tunnel to B with Source 192.168.123.0/24 and Destination 192.168.120.0/24

I think that is the right way round.....

Regards,

Kris.

----- Original Message -----
From: <gmiller at mainstaydata dot com>
To: "Kristian Shaw" <monowall at wealdclose dot co dot uk>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, September 21, 2005 4:43 AM
Subject: Re: [m0n0wall] IPSEC can not access DMZ


> OK I dropped the supernet down to fit my local lan and dmz and that works
> like a charm. I sort of understand the whole multiple ipsec tunnels but
> when I create them it does not work. Here is what I have setup:
>
> Network A: LAN: 192.168.120.0/24 IPSEC tunnel to B at 192.168.4.0/22
> Network B: LAN: 192.168.6.0/24 DMZ: 192.168.5.0/24
> Network C: LAN: 192.168.123.0/24 IPSEC tunnel to B at 192.168.4.0/22
>
> A and C can see LAN and DMZ just fine on B. When I create a second IPSEC
> tunnel from both A and C to B with the following:
> LAN A(B) to 192.168.120.0/22
> It makes no difference. Is this what you meant or am I way off?
>
>> Hello,
>>
>> 1) Don't make the supernet too big. It is important to not have
>> overlapping ranges between VPNs, and not to overlap your real local
>> networks (e.g. Don't use 192.168.0.0 / 255.255.0.0). Most of my IPSEC
>> experience is with Checkpoint, where overlapping 'encryption domains'
>> are bad news.
>>
>> 2) I did try this quickly with Monowall a while back and it does seem
>> that you can use it as a 'VPN router'. e.g. A can contact B via C.
>>
>> e.g.
>>
>> A - Create a(n) IPSEC tunnel(s) to B that contain ranges for B and C
>> B - Create a(n) IPSEC tunnel(s) to B that contain ranges for A and C
>> C - Create a(n) IPSEC tunnel(s) to B that contain ranges for A and B
>>
>> Regards,
>>
>> Kris.
>>
>>
>> ----- Original Message -----
>> From: "Greg Miller" <gmiller at mainstaydata dot com>
>> To: <m0n0wall at lists dot m0n0 dot ch>
>> Sent: Tuesday, September 20, 2005 6:48 PM
>> Subject: RE: [m0n0wall] IPSEC can not access DMZ
>>
>>
>>> I did try creating a "supernet" like you say but I did it much broader
>>> (maybe this is where my problem lies?) I had setup local lan on the
>>> m0n0wall to be 192.168.0.0 and then setup the other side of the tunnel
>>> accordingly. The tunnel came up but I had no access to the DMZ.
>>>
>>> On a somewhat similar note I also have multiple remote locations via
>>> ipsec tunnels and would like to access remote A to remote B through
>>> m0n0Wall at location C. Would this same "supernet" work for this as
>>> well?
>>>
>>> --
>>> Greg Miller
>>> www.mainstaydata.com
>>> o. 616.855.2559
>>> c. 616.890.7813
>>> f. 616.777.0504
>>>
>>> -----Original Message-----
>>> From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk]
>>> Sent: Tuesday, September 20, 2005 1:45 PM
>>> To: Greg Miller
>>> Subject: Re: [m0n0wall] IPSEC can not access DMZ
>>>
>>> Hello,
>>>
>>> In my experience with IPSEC you will need to create separate IPSEC
>>> tunnels - you can't add routes for this sort of situation.
>>>
>>> It is possible to create two tunnels, one for each subnet (LAN and DMZ).
>>> Just make sure that everything is the same (encryption methods, shared
>>> secret etc) apart from the subnets.
>>>
>>> Instead of creating two tunnels, you could perhaps supernet the
>>> 192.168.5 and 192.168.6 subnets into one larger subnet, eg.
>>> 192.168.4.0 / 255.255.252.0 (22 bits) which would then cover both your
>>> LAN and DMZ ranges in one IPSEC entry. Just make sure that both ends
>>> agree otherwise the VPN won't come up!
>>>
>>> Regards,
>>>
>>> Kris.
>>>
>>> ----- Original Message -----
>>> From: "Greg Miller" <gmiller at mainstaydata dot com>
>>> To: <m0n0wall at lists dot m0n0 dot ch>
>>> Sent: Tuesday, September 20, 2005 5:27 PM
>>> Subject: RE: [m0n0wall] IPSEC can not access DMZ
>>>
>>>
>>>> I looked at that section of the documentation and implemented it (I
>>>> think) but it did not work. How would I have to setup my ipsec
>>>> tunnels? Right now I have subnet 192.168.123.0 at my remote lan and
>>>> 192.168.6.0 for my local lan and 192.168.5.0 for my dmz. .123 and .6
>>>> can access each other fine and .6 can access .5 fine. What would I
>>>> have to do? Create a rule? Static route? Both? Something else? Thanks.
>>>>
>>>> --
>>>> Greg Miller
>>>> www.mainstaydata.com
>>>> o. 616.855.2559
>>>> c. 616.890.7813
>>>> f. 616.777.0504
>>>>
>>>> -----Original Message-----
>>>> From: Chris Buechler [mailto:cbuechler at gmail dot com]
>>>> Sent: Tuesday, September 20, 2005 12:22 PM
>>>> Cc: m0n0wall at lists dot m0n0 dot ch
>>>> Subject: Re: [m0n0wall] IPSEC can not access DMZ
>>>>
>>>> On 9/20/05, Greg Miller <gmiller at mainstaydata dot com> wrote:
>>>>> How do I configure my m0n0wall to allow traffic from an IPSEC tunnel
>>>>> to access my mail server which is in the DMZ?
>>>>
>>>> http://img.m0n0.ch/docbook/faq-ipsec-multiple-subnets.html
>>>>
>>>> -chris
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
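The thread settles on three rules for policy-based IPsec selectors: a supernet must be just big enough (192.168.5.0/24 + 192.168.6.0/24 becomes 192.168.4.0/22, which also drags in .4 and .7), both ends must hold the same selector pair with local and remote swapped, and a remote selector must never overlap a network the same firewall owns (the 192.168.0.0/16 mistake). The script below, an added example that is not code from the m0n0wall project or from anyone in the thread, applies those checks to the hub-and-spoke entry set Kris describes and to the over-broad first attempt. The firewall labels A/B/C and all addresses are the thread's; the Tunnel record, the check functions and the two config builders are this example's own.

```python
"""Sanity checks for m0n0wall-style IPsec tunnel entries ("Local subnet" /
"Remote subnet" selectors) in the hub-and-spoke layout from the thread.

Added example, not m0n0wall code. Labels A/B/C and addresses come from the
thread; Tunnel, the check functions and the config builders are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, collapse_addresses
from itertools import combinations


@dataclass(frozen=True)
class Tunnel:
    fw: str              # firewall the entry is configured on
    peer: str            # firewall at the other end
    local: IPv4Network   # "Local subnet" selector (source)
    remote: IPv4Network  # "Remote subnet" selector (destination)


def entry(fw, peer, local, remote):
    return Tunnel(fw, peer, IPv4Network(local), IPv4Network(remote))


# Directly attached networks per firewall (constructed from the thread).
SITE_NETS = {
    "A": [IPv4Network("192.168.120.0/24")],
    "B": [IPv4Network("192.168.6.0/24"), IPv4Network("192.168.5.0/24")],
    "C": [IPv4Network("192.168.123.0/24")],
}


def smallest_supernet(nets):
    """Smallest single prefix that encloses every network in `nets`."""
    nets = [IPv4Network(n) for n in nets]
    sn = nets[0]
    while not all(n.subnet_of(sn) for n in nets):
        sn = sn.supernet()  # widen by one bit until everything fits
    return sn


def extra_coverage(supernet, nets):
    """Ranges the supernet adds to the encryption domain beyond `nets`.
    Anything real living there, at either end, would be misrouted."""
    remaining = [IPv4Network(supernet)]
    for n in map(IPv4Network, nets):
        nxt = []
        for chunk in remaining:
            if chunk.subnet_of(n):
                continue  # chunk entirely covered by a real net: drop it
            if n.subnet_of(chunk):
                nxt.extend(chunk.address_exclude(n))  # carve n out of chunk
            else:
                nxt.append(chunk)
        remaining = nxt
    return sorted(collapse_addresses(remaining))


def unmirrored(tunnels):
    """Entries whose peer has no entry with local/remote swapped. Both ends
    must agree on the selector pair or the tunnel will not come up."""
    have = {(t.fw, t.peer, t.local, t.remote) for t in tunnels}
    return [t for t in tunnels if (t.peer, t.fw, t.remote, t.local) not in have]


def ambiguous_pairs(tunnels):
    """Two entries on one firewall whose source AND destination selectors
    overlap: a packet could match either policy."""
    by_fw = {}
    for t in tunnels:
        by_fw.setdefault(t.fw, []).append(t)
    return [(a, b) for ts in by_fw.values() for a, b in combinations(ts, 2)
            if a.local.overlaps(b.local) and a.remote.overlaps(b.remote)]


def remote_hits_own_site(tunnels, site_nets=SITE_NETS):
    """Entries whose remote selector overlaps a network the same firewall
    owns, so local traffic would be pushed into the VPN."""
    return [t for t in tunnels
            if any(t.remote.overlaps(n) for n in site_nets.get(t.fw, []))]


def audit(tunnels, site_nets=SITE_NETS):
    return {"unmirrored": unmirrored(tunnels),
            "ambiguous": ambiguous_pairs(tunnels),
            "hits_own_site": remote_hits_own_site(tunnels, site_nets)}


def hub_config():
    """Final layout from the thread: B is the hub; A and C reach B's LAN+DMZ
    via the 192.168.4.0/22 supernet and reach each other through B."""
    return [
        entry("A", "B", "192.168.120.0/24", "192.168.4.0/22"),
        entry("B", "A", "192.168.4.0/22", "192.168.120.0/24"),
        entry("C", "B", "192.168.123.0/24", "192.168.4.0/22"),
        entry("B", "C", "192.168.4.0/22", "192.168.123.0/24"),
        entry("A", "B", "192.168.120.0/24", "192.168.123.0/24"),
        entry("B", "A", "192.168.123.0/24", "192.168.120.0/24"),
        entry("B", "C", "192.168.120.0/24", "192.168.123.0/24"),
        entry("C", "B", "192.168.123.0/24", "192.168.120.0/24"),
    ]


def too_broad_config():
    """The first attempt in the thread: B's local side set to 192.168.0.0/16."""
    return [entry("B", "C", "192.168.0.0/16", "192.168.123.0/24"),
            entry("C", "B", "192.168.123.0/24", "192.168.0.0/16")]


if __name__ == "__main__":
    print(smallest_supernet(["192.168.5.0/24", "192.168.6.0/24"]))
    print(extra_coverage("192.168.4.0/22", ["192.168.5.0/24", "192.168.6.0/24"]))
    for name, cfg in (("hub", hub_config()), ("too broad", too_broad_config())):
        print(name, {k: len(v) for k, v in audit(cfg).items()})
```

Running it reports 192.168.4.0/22 as the supernet, 192.168.4.0/24 and 192.168.7.0/24 as the ranges it pulls in for free, a clean audit for the hub layout, and one `hits_own_site` finding for the /16 attempt: firewall C's remote selector 192.168.0.0/16 swallows its own 192.168.123.0/24. Deleting any single entry from the hub layout shows up under `unmirrored` on the firewall whose partner entry went missing.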