 
 From:  "Kris Shaw" <monowall at wealdclose dot co dot uk>
 To:  <gmiller at mainstaydata dot com>
 Cc:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC can not access DMZ
 Date:  Wed, 21 Sep 2005 09:18:56 +0100
Hello,

Assuming that B is going to be the VPN router:

On Firewall A: Create an IPSEC tunnel to B with Source 192.168.120.0/24 and 
Destination 192.168.123.0/24

On Firewall B: Create an IPSEC tunnel to A with Source 192.168.123.0/24 and 
Destination 192.168.120.0/24
On Firewall B: Create an IPSEC tunnel to C with Source 192.168.120.0/24 and 
Destination 192.168.123.0/24

On Firewall C: Create an IPSEC tunnel to B with Source 192.168.123.0/24 and 
Destination 192.168.120.0/24

I think that is the right way round.....

Regards,

Kris.
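Added example (not m0n0wall code and not from anyone in this thread): a small Python script that checks the three things the thread keeps coming back to, using only the addresses quoted below. It computes the smallest supernet covering the 192.168.5.0/24 and 192.168.6.0/24 ranges (the 192.168.4.0/22 suggestion), flags a supernet that overlaps the other sites' LANs (the "don't make the supernet too big" caveat), and verifies that the hub-and-spoke policy table above is mirrored at both ends and that no firewall carries two tunnels with overlapping remote selectors. The POLICIES table and the firewall names A, B, C are constructed from the thread; the function names are my own.

```python
"""Consistency checks for the IPsec phase-2 selectors discussed in the thread.

Added example, not m0n0wall code. The policy table below is constructed from
the addresses given in the thread; firewall B is the VPN hub.
"""
from ipaddress import IPv4Network
from itertools import combinations

# (local firewall, peer firewall, local selector, remote selector)
# Constructed from Kris's hub-and-spoke suggestion.
POLICIES = [
    ("A", "B", "192.168.120.0/24", "192.168.123.0/24"),
    ("B", "A", "192.168.123.0/24", "192.168.120.0/24"),
    ("B", "C", "192.168.120.0/24", "192.168.123.0/24"),
    ("C", "B", "192.168.123.0/24", "192.168.120.0/24"),
]


def covering_supernet(subnets):
    """Smallest single prefix that contains every subnet in `subnets`.

    Walks the first subnet up the prefix tree one bit at a time until all the
    others fit inside it, so the result is never wider than necessary.
    """
    nets = [IPv4Network(s) for s in subnets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def overlapping_networks(supernet, protected):
    """Networks in `protected` that `supernet` overlaps.

    A supernet such as 192.168.0.0/16 swallows the other sites' LANs, which is
    the overlapping 'encryption domain' problem Kris warns about.
    """
    sn = IPv4Network(supernet)
    return sorted(str(p) for p in map(IPv4Network, protected) if sn.overlaps(p))


def unmatched_policies(policies):
    """Policies whose peer has no mirrored entry (selectors swapped).

    Both ends must agree on the selector pair or the tunnel will not come up.
    """
    table = {(l, p, IPv4Network(src), IPv4Network(dst))
             for l, p, src, dst in policies}
    return sorted((l, p, str(src), str(dst)) for l, p, src, dst in table
                  if (p, l, dst, src) not in table)


def conflicting_tunnels(policies):
    """Pairs of tunnels on one firewall whose remote selectors overlap.

    With overlapping selectors it is ambiguous which tunnel a packet belongs
    to, so the selectors of different VPNs on a firewall must be disjoint.
    Returns (firewall, peer1, peer2) triples.
    """
    by_fw = {}
    for l, p, _src, dst in policies:
        by_fw.setdefault(l, []).append((p, IPv4Network(dst)))
    found = []
    for fw, tunnels in by_fw.items():
        for (p1, d1), (p2, d2) in combinations(tunnels, 2):
            if d1.overlaps(d2):
                found.append((fw, p1, p2))
    return sorted(found)


if __name__ == "__main__":
    # Supernet for the LAN + DMZ at site B.
    sn = covering_supernet(["192.168.5.0/24", "192.168.6.0/24"])
    print("covering supernet:", sn)
    others = ["192.168.120.0/24", "192.168.123.0/24"]
    print("192.168.0.0/16 overlaps:", overlapping_networks("192.168.0.0/16", others))
    print(f"{sn} overlaps:", overlapping_networks(str(sn), others))
    print("unmatched policies:", unmatched_policies(POLICIES))
    print("conflicting tunnels:", conflicting_tunnels(POLICIES))
```

Run it and the hub-and-spoke table comes back clean on both checks; drop any one row, or widen a selector on one side only, and the mismatch is reported before you spend time watching a tunnel that will never negotiate.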

----- Original Message ----- 
From: <gmiller at mainstaydata dot com>
To: "Kristian Shaw" <monowall at wealdclose dot co dot uk>
Cc: <m0n0wall at lists dot m0n0 dot ch>
Sent: Wednesday, September 21, 2005 4:43 AM
Subject: Re: [m0n0wall] IPSEC can not access DMZ


> OK I dropped the supernet down to fit my local lan and dmz and that works
> like a charm.  I sort of understand the whole multiple ipsec tunnels but
> when I create them it does not work.  Here is what I have setup:
>
> Network A:  LAN: 192.168.120.0/24 IPSEC tunnel to B at 192.168.4.0/22
> Network B:  LAN: 192.168.6.0/24 DMZ: 192.168.5.0/24
> Network C:  LAN: 192.168.123.0/24 IPSEC tunnel to B at 192.168.4.0/22
>
> A and C can see LAN and DMZ just fine on B.  When I create a second IPSEC
> tunnel from both A and C to B with the following:
> LAN A(B) to 192.168.120.0/22
> It makes no difference.  Is this what you meant or am I way off?
>
>> Hello,
>>
>> 1) Don't make the supernet too big. It is important to not have
>> overlapping
>> ranges between VPNs, and not to overlap your real local networks (e.g.
>> Don't
>> use 192.168.0.0 / 255.255.0.0). Most of my IPSEC experience is with
>> Checkpoint, where overlapping 'encryption domains' are bad news.
>>
>> 2) I did try this quickly with Monowall a while back and it does seem 
>> that
>> you can use it as a 'VPN router'. e.g. A can contact B via C.
>>
>> e.g.
>>
>> A - Create a(n) IPSEC tunnel(s) to B that contain ranges for B and C
>> B - Create a(n) IPSEC tunnel(s) to B that contain ranges for A and C
>> C- Create a(n) IPSEC tunnel(s) to B that contain ranges for A and B
>>
>> Regards,
>>
>> Kris.
>>
>>
>> ----- Original Message -----
>> From: "Greg Miller" <gmiller at mainstaydata dot com>
>> To: <m0n0wall at lists dot m0n0 dot ch>
>> Sent: Tuesday, September 20, 2005 6:48 PM
>> Subject: RE: [m0n0wall] IPSEC can not access DMZ
>>
>>
>>> I did try creating a "supernet" like you say but I did it much broader
>>> (maybe this is where my problem lies?)  I had setup local lan on the
>>> m0n0wall to be 192.168.0.0 and then setup the other side of the tunnel
>>> accordingly.  The tunnel came up but I had no access to the DMZ.
>>>
>>> On a somewhat similar note I also have multiple remote locations via
>>> ipsec
>>> tunnels and would like to access remote A to remote B  through m0n0Wall
>>> at
>>> location C.  Would this same "supernet" work for this as well?
>>>
>>> --
>>> Greg Miller
>>> www.mainstaydata.com
>>> o. 616.855.2559
>>> c. 616.890.7813
>>> f.  616.777.0504
>>>
>>> -----Original Message-----
>>> From: Kristian Shaw [mailto:monowall at wealdclose dot co dot uk]
>>> Sent: Tuesday, September 20, 2005 1:45 PM
>>> To: Greg Miller
>>> Subject: Re: [m0n0wall] IPSEC can not access DMZ
>>>
>>> Hello,
>>>
>>> In my experience with IPSEC you will need to create separate IPSEC
>>> tunnels -
>>>
>>> you can't add routes for this sort of situation.
>>>
>>> It is possible to create two tunnels, one for each subnet (LAN and DMZ).
>>> Just make sure that everything is the same (encryption methods, shared
>>> secret etc) apart from the subnets.
>>>
>>> Instead of creating two tunnels, you could perhaps supernet the
>>> 192.168.5
>>> and 192.168.6 subnets into one larger subnet, eg. 192.168.4.0 /
>>> 255.255.252.0 (22 bits) which would then cover both your LAN and DMZ
>>> ranges
>>> in one IPSEC entry. Just make sure that both ends agree otherwise the
>>> VPN
>>> won't come up!
>>>
>>> Regards,
>>>
>>> Kris.
>>>
>>> ----- Original Message -----
>>> From: "Greg Miller" <gmiller at mainstaydata dot com>
>>> To: <m0n0wall at lists dot m0n0 dot ch>
>>> Sent: Tuesday, September 20, 2005 5:27 PM
>>> Subject: RE: [m0n0wall] IPSEC can not access DMZ
>>>
>>>
>>>> I looked at that section of the documentation and implemented it (I
>>>> think)
>>>> but it did not work.  How would I have to setup my ipsec tunnels?
>>>> Right
>>>> now
>>>> I have subnet 192.168.123.0 at my remote lan and 192.168.6.0 for my
>>>> local
>>>> lan and 192.168.5.0 for my dmz.  .123 and .6 can access each other fine
>>>> and
>>>> .6 can access .5 fine.  What would I have to do?  Create a rule?
>>>> Static
>>>> route? Both?  Something else?  Thanks.
>>>>
>>>> --
>>>> Greg Miller
>>>> www.mainstaydata.com
>>>> o. 616.855.2559
>>>> c. 616.890.7813
>>>> f.  616.777.0504
>>>>
>>>> -----Original Message-----
>>>> From: Chris Buechler [mailto:cbuechler at gmail dot com]
>>>> Sent: Tuesday, September 20, 2005 12:22 PM
>>>> Cc: m0n0wall at lists dot m0n0 dot ch
>>>> Subject: Re: [m0n0wall] IPSEC can not access DMZ
>>>>
>>>> On 9/20/05, Greg Miller <gmiller at mainstaydata dot com> wrote:
>>>>> How do I configure my m0n0wall to allow traffic from an IPSEC tunnel
>>>>> to
>>>>> access my mail server which is in the DMZ?
>>>>
>>>> http://img.m0n0.ch/docbook/faq-ipsec-multiple-subnets.html
>>>>
>>>> -chris
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>