 From:  Mark Wass <mark dot wass at market dash analyst dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSEC Setup Questions
 Date:  Mon, 07 Nov 2005 10:03:38 +1000

Hi All

I'm in the process of setting up an IPSEC VPN between 2 m0n0wall routers 
and I have a couple of questions.

Firstly this is my intended layout.


OPT1            OPT2                LAN
Real IP's       192.168.21.0/24     192.168.20.0/24
  |               |                   |
  |               |                   |
  |               |                   |
  -------------m0n0wall----------------
           Site 2 |WAN Static Real IP = aaa.bbb.ccc.dd1
                  |
                  |
                  |(Internet)
                  |
                  |
           Site 1 |WAN Static Real IP aaa.bbb.ccc.dd2
  -------------m0n0wall----------------
  |               |                   |
  |               |                   |
  |               |                   |
OPT1            OPT2                 LAN
Real IP's       192.168.2.0/24       192.168.1.0/24


Q1. I need all the LAN hosts on Site 1 to be able to access all the 
servers on the OPT2 of Site 2. Is the following the correct setup for 
that VPN?

On m0n0wall Site 1
Local Subnet = 192.168.1.0/24
Remote Subnet = 192.168.21.0/24
Remote Gateway = aaa.bbb.ccc.dd1

On m0n0wall Site 2
Local Subnet = 192.168.21.0/24
Remote Subnet = 192.168.1.0/24
Remote Gateway = aaa.bbb.ccc.dd2

Q2. Do I repeat this similar setup to connect any of the subnets at 
either site to each other, e.g. OPT2 on Site1 to OPT2 on Site2? Can I 
even establish an IPSEC VPN between OPT2 Site1 and OPT2 Site2?

Q3. Is it true that you cannot apply any firewall rules to IPSEC tunnels 
when using m0n0wall? I would have liked to limit what traffic can be 
passed between these IPSEC VPN tunnels.

Q4. Can I have multiple IPSEC tunnels from OPT2 hosts on Site1 to 
different remote sites (not using m0n0) around the world, in conjunction 
with my m0n0wall to m0n0wall IPSEC VPN?

Thanks

Mark