 
 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Setup Questions
 Date:  Sun, 6 Nov 2005 22:10:07 -0500
On 11/6/05, Mark Wass <mark dot wass at market dash analyst dot com> wrote:
>
> Q1. I need the all the LAN hosts on Site 1 to be able to access all the
> servers on the OPT2 of Site 2, is the following the correct setup for
> that VPN
>
> On m0n0wall Site 1
> Local Subnet = 192.168.1.0/24
> Remote Subnet = 192.168.21.0/24
> Remote Gateway = aaa.bbb.ccc.dd1
>
> On m0n0wall Site 2
> Local Subnet = 192.168.21.0/24
> Remote Subnet = 192.168.1.0/24
> Remote Gateway = aaa.bbb.ccc.dd2
>

that'll work, but I'd do it differently.


> Q2. Do I repeat this similar setup to connect any of the subnets at
> either site to each other. e.g. OPT2 on Site1 to OPT2 on Site2. Can I
> even establish an IPSEC VPN between OPT2 Site1 and OPT2 Site2?
>

to avoid having to create two tunnels for OPT2 and LAN on each side,
I'd change site 2 to 192.168.0.0/22 (which is
192.168.0.0-192.168.3.255), and site 1 to 192.168.20.0/23
(192.168.20.0-192.168.21.255).  Different masks because /22 is the
most specific that can cover both subnets on site 2.


> Q3. Is it true that you cannot apply any firewall rules to IPSEC tunnels
> when using m0n0wall? I would have liked to limit what traffic can be
> passed between these IPSEC VPN tunnels.
>

outbound only, for site to site.  since you control both ends, that
isn't an issue.  define the rules appropriately on the interfaces the
traffic will be entering to go over the VPN and you're fine.


> Q4. Can I have multiple IPSEC tunnels from OPT2 hosts on Site1 to
> different remote sites (not using m0n0) around the world, in conjunction
> with my m0n0wall to m0n0wall IPSEC VPN?
>

you mean can you use IPsec VPN client software on OPT2 hosts in site 1
to connect to other VPN devices?  Sure, as long as the remote devices
you're connecting to work with clients behind NAT (i.e. support and
have NAT-T enabled).

-Chris
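The supernetting suggested in the reply, as an added Python example that is not part of the thread: it computes the most specific prefix covering each site's subnets, builds the Local/Remote Subnet pairs for a single tunnel, rejects supernets that overlap, and counts how many addresses the wider selector pulls into the tunnel that belong to no real network. The LAN subnets are the ones quoted above; the OPT2 subnets (192.168.2.0/24 and 192.168.20.0/24) are constructed assumptions, since the thread does not give them.

```python
import ipaddress


def covering_prefix(subnets):
    """Return the most specific single prefix that contains every subnet in
    `subnets` (the manual supernetting described in the reply)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    if not nets:
        raise ValueError("need at least one subnet")
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    # Widen the mask one bit at a time until the block starting at `lo` also holds `hi`.
    for plen in range(nets[0].max_prefixlen, -1, -1):
        cand = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if hi in cand:
            return cand
    raise AssertionError("unreachable: a /0 covers every address")


def phase2_selectors(site1_subnets, site2_subnets):
    """Build the Local/Remote Subnet pair for each end of one tunnel that covers
    all subnets at both sites. Overlapping supernets are refused: the tunnel
    could not tell which side owns an address, so one site must be renumbered."""
    s1 = covering_prefix(site1_subnets)
    s2 = covering_prefix(site2_subnets)
    if s1.overlaps(s2):
        raise ValueError(f"supernets overlap: {s1} vs {s2}; renumber one site")
    return {
        "site1": {"local": str(s1), "remote": str(s2)},
        "site2": {"local": str(s2), "remote": str(s1)},
    }


def unassigned_addresses(subnets):
    """Count addresses inside the covering prefix that belong to no real subnet.
    Traffic for them is still encrypted and sent across the tunnel, so keep this
    small or reserve the spare space for that site's future networks."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return covering_prefix(subnets).num_addresses - sum(n.num_addresses for n in nets)


# LAN subnets from the thread; the OPT2 subnets are constructed for this example.
SITE1 = ["192.168.1.0/24", "192.168.2.0/24"]
SITE2 = ["192.168.21.0/24", "192.168.20.0/24"]

if __name__ == "__main__":
    for site, cfg in phase2_selectors(SITE1, SITE2).items():
        print(site, cfg)
    print("spare addresses in the site 1 selector:", unassigned_addresses(SITE1))
```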