 From:  Mark Wass <mark dot wass at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSEC VPN and Routing Networks
 Date:  Thu, 24 Nov 2005 21:24:39 +1000
Hi All

I have been doing some more reading about routing and IPSEC with m0n0 
and I want to check my design with you all for your comments and 
suggestions. Please find below my intended layout.

   Server#1 IP=203.xxx.xxx.1
      |
      |
      |
  ----------
 |Cisco 1720|
  ----------
      |IP = 192.168.22.2/24
      |
      |
      |WAN = 192.168.22.1/24
  ----------
 |m0n0wall#3|
  ----------
      |LAN = 192.168.21.5/24     
      |                           
      |
      |                      -------
      |                     |  DMZ  |
      |                      -------
      |                         |
      |                         |
      |                         |
      |                         |OPT1 = 203.16x.xxx.xxx
      |                     ----------                        ----
      ---------------------|m0n0wall#2|----------------------|LAN |192.168.20.0/24
   OPT2 = 192.168.21.1/24   ---------- LAN = 192.168.20.1/24  ----
                                |
                                | WAN = xxx.xxx.xx1
                                |
                                |
                                | IPSEC VPN
                                | Between m0n0wall#1 and m0n0wall#2
                                |
                                |
                                | WAN = xxx.xxx.xx2
   OPT2 = 192.168.3.1/24    ----------                        ----
      ---------------------|m0n0wall#1|----------------------|LAN |192.168.1.0/24
      |                     ---------- LAN = 192.168.1.1/24   ----
      |
  ---------
 | SERVERS |
  ---------
192.168.3.0/24


OK, this is what I need to have work. Servers in the 192.168.3.0 network 
need to be able to connect to Server#1 (top of diagram).

I need the connections to appear to be coming from 192.168.22.1, the WAN 
of m0n0wall#3, so there will be NAT at the m0n0wall#3 box. I cannot do any 
NAT at the Cisco 1720 (not controlled by me).

This is the real clinching point: can I get hosts on the 192.168.3.0 
network to appear to be coming from 192.168.22.1 when connecting to 
Server#1? Is this possible?

In addition to this all the hosts on OPT2 (m0n0wall#2) need to be able 
to connect to Server#1 and appear to be coming from 192.168.22.1 also. 
Is this possible?

I was planning on setting up the following VPN; the plan was to route 
multiple subnets over the VPN, especially the 192.168.22.0/24 subnet.

IPSEC Settings m0n0wall#1:
======================
Mode: Tunnel
Disabled: Unchecked
Interface: WAN
Local subnet: Network 192.168.1.0/22 -----> covers subnets 192.168.1.0 - 192.168.3.0 
Remote Subnet: 192.168.20.0 /22 -----> covers subnets 192.168.20.0 - 192.168.23.0  
Remote Gateway: xxx.xxx.xxx.1
Description: m0n0wall#1 to m0n0wall#2
Negotiation mode: aggressive
My identifier: Domain name m0n0wall1.mydomain.com
Encryption algorithm: Blowfish
Hash algorithm: SHA1
DH key group: 2
Lifetime: 28800
Pre-Shared Key: TesT123
Protocol: ESP
Encryption algorithms: only Blowfish checked
Hash algorithms: only SHA1 checked
PFS key group: 2
Lifetime: 86400

IPSEC Settings m0n0wall#2:
======================
Mode: Tunnel
Disabled: Unchecked
Interface: WAN
Local subnet: Network 192.168.20.0/22 -----> covers subnets 192.168.20.0 - 192.168.23.0 
Remote Subnet: 192.168.1.0/22 -----> covers subnets 192.168.1.0 - 192.168.3.0
Remote Gateway: xxx.xxx.xxx.2
Description: m0n0wall#2 to m0n0wall#1
Negotiation mode: aggressive
My identifier: Domain name m0n0wall2.mydomain.com
Encryption algorithm: Blowfish
Hash algorithm: SHA1
DH key group: 2
Lifetime: 28800
Pre-Shared Key: TesT123
Protocol: ESP
Encryption algorithms: only Blowfish checked
Hash algorithms: only SHA1 checked
PFS key group: 2
Lifetime: 86400
--------------------------------------------------------

I would then add a static route on m0n0wall#2 like so:

Interface     Network         Gateway
 OPT2       192.168.22.0    192.168.21.5

Is this correct? Do I need to add any routes on m0n0wall#1 to get to the 192.168.22.0 network?

Are there any other static routes I would need to add?

What static routes will I need to add to the Cisco 1720 to allow connections to come back to the 
192.168.3.0 subnet on m0n0wall#1, or will a connection from hosts on 192.168.3.0 be a stateful 
connection just like those from the 192.168.21.0 subnet?

Thanks in advance for the help
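An added example (not part of the original message or of the m0n0wall project) that models the phase-2 selectors and m0n0wall#2's route table from the post above with Python's ipaddress module: it shows which /24s each /22 selector really covers, flags a selector whose typed base address has host bits set, and looks up the next hop once the proposed static route is added. The m0n0wall#2 route table and the "isp-gw" label are assumptions built from the diagram, and treating the IPsec selector as a route entry is a simplification.

```python
# Added example: selector coverage and next-hop checks for the design above.
from ipaddress import ip_network, ip_address

def normalize_selector(cidr: str):
    """Return the network a phase-2 selector denotes and whether the typed
    base address had host bits set (192.168.1.0/22 is really 192.168.0.0/22)."""
    net = ip_network(cidr, strict=False)
    typed_base = ip_address(cidr.split("/")[0])
    return net, typed_base != net.network_address

def covered(selector: str, subnets):
    """List the /24s that fall inside the (normalized) selector."""
    net, _ = normalize_selector(selector)
    return [s for s in subnets if ip_network(s).subnet_of(net)]

def next_hop(routes, dst: str):
    """Longest-prefix-match over (network, gateway, interface) tuples."""
    best = None
    for net, gw, iface in routes:
        n = ip_network(net)
        if ip_address(dst) in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, iface)
    return None if best is None else (best[1], best[2])

# Phase-2 selectors exactly as written in the post (m0n0wall#1 side).
M1_LOCAL, M1_REMOTE = "192.168.1.0/22", "192.168.20.0/22"
WANTED_REMOTE = ["192.168.20.0/24", "192.168.21.0/24", "192.168.22.0/24"]
WANTED_LOCAL = ["192.168.1.0/24", "192.168.3.0/24"]

# Assumed route table of m0n0wall#2 after adding the proposed static route.
# The IPSEC entry is the normalized remote selector, modelled as a route
# for illustration only; the default gateway is a hypothetical placeholder.
M2_ROUTES = [
    ("192.168.20.0/24", "direct", "LAN"),
    ("192.168.21.0/24", "direct", "OPT2"),
    ("192.168.22.0/24", "192.168.21.5", "OPT2"),   # proposed static route
    ("192.168.0.0/22", "tunnel", "IPSEC"),         # 192.168.1.0/22 normalized
    ("0.0.0.0/0", "isp-gw (hypothetical)", "WAN"),
]

if __name__ == "__main__":
    for sel in (M1_LOCAL, M1_REMOTE):
        net, hostbits = normalize_selector(sel)
        print(f"{sel} -> {net}{'  (host bits set)' if hostbits else ''}")
    print("remote /24s in", M1_REMOTE, covered(M1_REMOTE, WANTED_REMOTE))
    print("local /24s in", M1_LOCAL, covered(M1_LOCAL, WANTED_LOCAL))
    for dst in ("192.168.22.2", "192.168.3.10"):
        print("m0n0wall#2 next hop for", dst, next_hop(M2_ROUTES, dst))
```

Because 192.168.1.0/22 normalizes to 192.168.0.0/22, it is worth checking which network the firewall actually installs for that selector before relying on it.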