Hi All
I have been doing some more reading about routing and IPSEC with m0n0
and I want to check my design with you all for your comments and
suggestions. Please find below my intended layout.
Server#1 IP=203.xxx.xxx.1
     |
     |
     |
  ------------
  |Cisco 1720|
  ------------
     |IP = 192.168.22.2/24
     |
     |
     |WAN = 192.168.22.1/24
  ------------
  |m0n0wall#3|
  ------------
     |LAN = 192.168.21.5/24
     |
     |
     |                             -------
     |                             | DMZ |
     |                             -------
     |                                |
     |                                |
     |                                |
     |                                |OPT1 = 203.16x.xxx.xxx
     |                           ------------                          ------
     ----------------------------|m0n0wall#2|--------------------------|LAN |
  OPT2 = 192.168.21.1/24         ------------   LAN = 192.168.20.1/24  |192.168.20.0/24
                                      |                                ------
                                      | WAN = xxx.xxx.xx1
                                      |
                                      |
                                      | IPSEC VPN
                                      | Between m0n0wall#1 and m0n0wall#2
                                      |
                                      |
                                      | WAN = xxx.xxx.xx2
                                 ------------                          ------
     ----------------------------|m0n0wall#1|--------------------------|LAN |
  OPT2 = 192.168.3.1/24          ------------   LAN = 192.168.1.1/24   |192.168.1.0/24
     |                                                                 ------
     |
  -----------
  | SERVERS |
  -----------
  192.168.3.0/24
OK, this is what I need to have work. Servers in the 192.168.3.0 network
need to be able to connect to Server#1 (top of diagram).
I need the connections to appear to be coming from 192.168.22.1, the WAN
of m0n0wall#3, so there will be NAT at the m0n0wall#3 box. I cannot do any
NAT at the Cisco 1720 (not controlled by me).
This is the real clinching point: can I get hosts on the 192.168.3.0
network to appear to be coming from 192.168.22.1 when connecting to
Server#1? Is this possible?
In addition to this all the hosts on OPT2 (m0n0wall#2) need to be able
to connect to Server#1 and appear to be coming from 192.168.22.1 also.
Is this possible?
I was planning on setting up the following VPN, the plan was to route
multiple subnets over the VPN especially the 192.168.22.0/24 subnet.
IPSEC Settings m0n0wall#1:
======================
Mode: Tunnel
Disabled: Unchecked
Interface: WAN
Local subnet: Network 192.168.1.0/22 -----> covers subnets 192.168.1.0 - 192.168.3.0
Remote Subnet: 192.168.20.0 /22 -----> covers subnets 192.168.20.0 - 192.168.23.0
Remote Gateway: xxx.xxx.xxx.1
Description: m0n0wall#1 to m0n0wall#2
Negotiation mode: aggressive
My identifier: Domain name m0n0wall1.mydomain.com
Encryption algorithm: Blowfish
Hash algorithm: SHA1
DH key group: 2
Lifetime: 28800
Pre-Shared Key: TesT123
Protocol: ESP
Encryption algorithms: only Blowfish checked
Hash algorithms: only SHA1 checked
PFS key group: 2
Lifetime: 86400
IPSEC Settings m0n0wall#2:
======================
Mode: Tunnel
Disabled: Unchecked
Interface: WAN
Local subnet: Network 192.168.20.0/22 -----> covers subnets 192.168.20.0 - 192.168.23.0
Remote Subnet: 192.168.1.0/22 -----> covers subnets 192.168.1.0 - 192.168.3.0
Remote Gateway: xxx.xxx.xxx.2
Description: m0n0wall#2 to m0n0wall#1
Negotiation mode: aggressive
My identifier: Domain name m0n0wall2.mydomain.com
Encryption algorithm: Blowfish
Hash algorithm: SHA1
DH key group: 2
Lifetime: 28800
Pre-Shared Key: TesT123
Protocol: ESP
Encryption algorithms: only Blowfish checked
Hash algorithms: only SHA1 checked
PFS key group: 2
Lifetime: 86400
--------------------------------------------------------
I would then add a static route on m0n0wall#2 like so:
Interface   Network        Gateway
OPT2        192.168.22.0   192.168.21.5
Is this correct? Do I need to add any routes on m0n0wall#1 to get to the 192.168.22.0 network?
Are there any other static routes I would need to add?
What static routes will I need to add to the Cisco 1720 to allow connections to come back to the
192.168.3.0 subnet on m0n0wall#1,
or will a connection from hosts on 192.168.3.0 be a stateful connection just like those from the
192.168.21.0 subnet?
Thanks in advance for the help
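An added design check for the IPsec and static-route proposal above; it is not part of the original post or of m0n0wall. Using Python's ipaddress module it tests whether each phase-2 selector is an aligned prefix (a selector with host bits set, such as 192.168.1.0/22, is not, and rounds down to 192.168.0.0/22), whether each site's /24 networks fall inside its selector, whether the two peers' selectors mirror each other, and whether the proposed static route's gateway sits on the OPT2 subnet. The values come from the post; the dictionary layout is my own assumption, not a m0n0wall format.

```python
import ipaddress

# Constructed from the design proposed in the post; the dictionary layout is
# mine, not a m0n0wall format. Selectors are typed exactly as the post has them.
PHASE2 = {
    "m0n0wall#1": {"local": "192.168.1.0/22", "remote": "192.168.20.0/22"},
    "m0n0wall#2": {"local": "192.168.20.0/22", "remote": "192.168.1.0/22"},
}
SITE_SUBNETS = {
    "m0n0wall#1": ["192.168.1.0/24", "192.168.3.0/24"],
    "m0n0wall#2": ["192.168.20.0/24", "192.168.21.0/24", "192.168.22.0/24"],
}
# Proposed static route on m0n0wall#2: OPT2  192.168.22.0  via 192.168.21.5
STATIC_ROUTE = {"iface": "192.168.21.1/24", "network": "192.168.22.0/24",
                "gateway": "192.168.21.5"}

def check_selector(prefix):
    """Return (aligned, network). A selector with host bits set, such as
    192.168.1.0/22, is not a valid prefix: peers may reject it or round it
    down to 192.168.0.0/22 and then disagree on what the tunnel carries."""
    try:
        return True, ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, ipaddress.ip_network(prefix, strict=False)

def uncovered_subnets(selector, subnets):
    """Site subnets that fall outside the (rounded-down) selector."""
    net = check_selector(selector)[1]
    return [s for s in subnets if not ipaddress.ip_network(s).subnet_of(net)]

def selectors_mirror(a, b):
    """Peer A's local/remote must equal peer B's remote/local exactly."""
    return (check_selector(a["local"])[1] == check_selector(b["remote"])[1]
            and check_selector(a["remote"])[1] == check_selector(b["local"])[1])

def route_gateway_on_link(route):
    """A static route only works if its gateway is on the interface's subnet."""
    link = ipaddress.ip_interface(route["iface"]).network
    return ipaddress.ip_address(route["gateway"]) in link

def review_design():
    """Run all checks; returns a dict of findings for the proposed design."""
    report = {"mirrored": selectors_mirror(PHASE2["m0n0wall#1"], PHASE2["m0n0wall#2"]),
              "route_gateway_ok": route_gateway_on_link(STATIC_ROUTE)}
    for fw, sel in PHASE2.items():
        aligned, net = check_selector(sel["local"])
        report[fw] = (aligned, str(net), uncovered_subnets(sel["local"], SITE_SUBNETS[fw]))
    return report

print(review_design())
```

The report flags the m0n0wall#1 side as misaligned even though both sites' /24 networks are covered once the prefix is rounded down; the safe fix is to type the selector as the aligned block so both peers see identical selectors.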