 From:  Mark Wass <mark dot wass at market dash analyst dot com>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Setup Questions
 Date:  Mon, 07 Nov 2005 13:38:05 +1000
Thanks Chris

>outbound only, for site to site.  since you control both ends, that
>isn't an issue.  define the rules appropriately on the interfaces the
>traffic will be entering to go over the VPN and you're fine.

Sorry mate, can you elaborate on this a little more? Do you mean I can only specify firewall rules on
outgoing traffic over the VPN from each site, or that I can only specify rules for traffic entering
m0n0wall on each site?

Could you give me an explanation using the scenario of ONLY allowing http traffic between OPT2 on
Site1 and OPT2 on Site2 over the VPN, based on my diagram? :-)

>you mean can you use IPsec VPN client software on OPT2 hosts in site 1
>to connect to other VPN devices?  Sure, as long as the remote devices
>you're connecting to work with clients behind NAT (i.e. support and
>have NAT-T enabled). 

No, sorry if I was unclear. I'll try and explain what I need a little better. 

There will be a server on the OPT2 subnet (Site1) that needs to connect to a remote site via an
IPSEC VPN tunnel. Can I have m0n0wall create the tunnel to this remote site so that only this one
server on OPT2 can access the remote site? The remote site is not a m0n0wall setup; it's some sort of
IPSEC-compliant equipment (not sure exactly what it is yet).

So I would need this tunnel, as well as the tunnel between LAN on Site1 and OPT2 on Site2, all
happening at the same time. Can this be done?

I hope that's clearer, and thanks again for all your help Chris :-)

Mark

Chris Buechler wrote:

>On 11/6/05, Mark Wass <mark dot wass at market dash analyst dot com> wrote:
>>Q1. I need all the LAN hosts on Site 1 to be able to access all the
>>servers on the OPT2 of Site 2. Is the following the correct setup for
>>that VPN?
>>
>>On m0n0wall Site 1
>>Local Subnet = 192.168.1.0/24
>>Remote Subnet = 192.168.21.0/24
>>Remote Gateway = aaa.bbb.ccc.dd1
>>
>>On m0n0wall Site 2
>>Local Subnet = 192.168.21.0/24
>>Remote Subnet = 192.168.1.0/24
>>Remote Gateway = aaa.bbb.ccc.dd2
>>
>
>that'll work, but I'd do it differently.
>
>>Q2. Do I repeat this similar setup to connect any of the subnets at
>>either site to each other. e.g. OPT2 on Site1 to OPT2 on Site2. Can I
>>even establish an IPSEC VPN between OPT2 Site1 and OPT2 Site2?
>>
>
>to avoid having to create two tunnels for OPT2 and LAN on each side,
>I'd change site 2 to 192.168.0.0/22 (which is
>192.168.0.0-192.168.3.255), and site 1 to 192.168.20.0/23
>(192.168.20.0-192.168.21.255).  Different masks because /22 is the
>most specific that can cover both subnets on site 2.
>
>>Q3. Is it true that you cannot apply any firewall rules to IPSEC tunnels
>>when using m0n0wall? I would have liked to limit what traffic can be
>>passed between these IPSEC VPN tunnels.
>>
>
>outbound only, for site to site.  since you control both ends, that
>isn't an issue.  define the rules appropriately on the interfaces the
>traffic will be entering to go over the VPN and you're fine.
>
>>Q4. Can I have multiple IPSEC tunnels from OPT2 hosts on Site1 to
>>different remote sites (not using m0n0) around the world, in conjunction
>>with my m0n0wall to m0n0wall IPSEC VPN?
>>
>
>you mean can you use IPsec VPN client software on OPT2 hosts in site 1
>to connect to other VPN devices?  Sure, as long as the remote devices
>you're connecting to work with clients behind NAT (i.e. support and
>have NAT-T enabled).
>
>-Chris
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
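An added worked example, not code from this thread or from the m0n0wall project, covering two points in Chris's reply: the supernet trick from Q2 (one phase-2 entry whose local subnet covers both LAN and OPT2, and how much extra address space such a wider selector carries) and the Q3 advice to filter on the interface the traffic enters before it goes over the VPN, here for the "only http between the two OPT2 subnets" scenario. Subnets 192.168.1.0/24 and 192.168.21.0/24 are the ones from Q1; Site 1's OPT2 subnet is not stated in the thread, so 192.168.2.0/24 is a constructed value. The rule evaluator is a simplified first-match model with an implicit final block; it is an assumption for illustration, not a description of the webGUI's exact semantics. Standard library only.

```python
"""Added example (not from the m0n0wall thread or project): supernet selectors
for a single phase-2 entry, and ingress filtering on the interface where
traffic enters the firewall. Site 1 OPT2 = 192.168.2.0/24 is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def covering_supernet(cidrs: List[str]) -> ipaddress.IPv4Network:
    """Most specific single network that contains every network in cidrs.

    Anchored at the lowest address, the prefix is shortened from /32 until
    the candidate also contains the highest address of the inputs.
    """
    nets = [ipaddress.ip_network(c) for c in cidrs]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    for prefix in range(32, -1, -1):
        candidate = ipaddress.IPv4Network((int(lo), prefix), strict=False)
        if hi in candidate:
            return candidate
    raise ValueError("no covering network")  # unreachable for IPv4 input


def extra_coverage(supernet: ipaddress.IPv4Network, cidrs: List[str]):
    """Address space the supernet carries that is not in cidrs.

    A wider selector also matches hosts that were never meant to cross the
    tunnel, which is one reason ingress rules still matter.
    """
    remaining = [supernet]
    for c in cidrs:
        net = ipaddress.ip_network(c)
        kept = []
        for r in remaining:
            if net.subnet_of(r):
                kept.extend(r.address_exclude(net))   # carve net out of r
            elif not r.subnet_of(net):
                kept.append(r)                        # untouched by net
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


@dataclass(frozen=True)
class Rule:
    """One entry of an interface rule list (simplified model, an assumption)."""
    action: str                 # "pass" or "block"
    proto: str                  # "tcp", "udp" or "any"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Optional[int] = None  # None matches any destination port


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation of a new connection arriving on the interface
    the rules are attached to; falls through to "block" (model assumption)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if s not in ipaddress.ip_network(r.src) or d not in ipaddress.ip_network(r.dst):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "block"


# Subnets from the thread, plus one constructed value for Site 1 OPT2.
SITE1_LAN = "192.168.1.0/24"
SITE1_OPT2 = "192.168.2.0/24"      # constructed: not stated in the thread
SITE2_OPT2 = "192.168.21.0/24"

# Rules on Site 1's OPT2 interface: only HTTP may head for Site 2's OPT2.
# The mirror image belongs on Site 2's OPT2 interface for connections
# started at that end.
SITE1_OPT2_RULES = [
    Rule("pass", "tcp", SITE1_OPT2, SITE2_OPT2, dport=80),
    Rule("block", "any", SITE1_OPT2, SITE2_OPT2),
]


def site1_phase2_local() -> ipaddress.IPv4Network:
    """Single local selector covering Site 1's LAN and OPT2 subnets."""
    return covering_supernet([SITE1_LAN, SITE1_OPT2])


if __name__ == "__main__":
    local = site1_phase2_local()
    print("Site 1 local subnet for one phase-2 entry:", local)
    extra = extra_coverage(local, [SITE1_LAN, SITE1_OPT2])
    print("also carried by that selector:", [str(n) for n in extra])
    for proto, port in (("tcp", 80), ("tcp", 22), ("udp", 53)):
        verdict = evaluate(SITE1_OPT2_RULES, proto, "192.168.2.10", "192.168.21.5", port)
        print(f"{proto}/{port} OPT2 -> Site 2 OPT2: {verdict}")
```

With the constructed Site 1 OPT2 subnet the covering selector is 192.168.0.0/22, which also carries 192.168.0.0/24 and 192.168.3.0/24; the /23 case from Chris's reply (192.168.20.0/24 plus 192.168.21.0/24) comes out of the same function. Only tcp/80 from the OPT2 host toward Site 2's OPT2 passes; ssh and DNS to the same destination hit the block rule. The rule list is attached to the interface the packets enter, which is the point Chris makes: there is no rule slot on the tunnel itself for site-to-site traffic, but the ingress rules at each end decide what reaches it.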