 
 From:  Chris Taylor <chris at x dash bb dot org>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: AW: [m0n0wall] Routing to a VPN on OPT interface from LAN?
 Date:  Mon, 06 Feb 2006 16:54:04 +0000
Hi,

Thanks for the response, Holger; I'm not sure it helps me, though.

I'm getting confused about VPNs now. I had assumed that when you set one 
up, it was applied to the interface that best matched the subnet you put 
in, so 192.168.100.0/24 matches up with my OPT interface and all VPN 
traffic "appears" to have originated on the OPT interface somehow.

However, this obviously can't be right if you can apply a bigger subnet 
and get it to cover two/more interfaces. Switching the OPT VPN subnet to 
192.168.0.0/16 would cover my LAN and OPT but this isn't what I want to 
do. All I want is to allow very limited traffic from my LAN to go via 
OPT and out the VPN. I do not want to make my entire LAN subnet 
accessible over the VPN.

I can see how using 192.168.0.0/16 at the remote end (as the Remote 
Subnet) may work but can anyone tell me if this would function? In this 
case, the Local Subnet (at the remote end) is 192.168.4.0/24 so there's 
obviously an overlap there. Would a tunnel between these subnets even 
work or would m0n0 reject it?

What I want to achieve is:
-------------------------
Many remote m0n0walls, each with LAN/WAN interfaces.

One (local) m0n0wall to act as a VPN concentrator for the remote units.

VPN tunnels from the remotes terminated to an OPT interface on the local 
m0n0.

At the local end, traffic should not be able to get between the VPN 
tunnels (and thus out to the remote LANs) - each remote LAN should 
remain segregated from all of the others (and the local LAN for that 
matter).

Traffic from any of the remote m0n0walls should be able to reach a 
single host (192.168.0.2) on the local LAN. I had planned to do this via 
NAT - this is for Syslog from each remote m0n0.

Traffic from 192.168.0.2 needs to be able to go across the local LAN and 
OPT and out of the relevant VPN tunnel - this is for picking up the SNMP 
data for ifgraph to make bandwidth graphs.

Local hosts physically connected to the OPT interface should have full 
access to all VPN tunnels and hence all remote LANs.
--------------------------

At present, the only realistic plan I can see involves totally 
reshuffling all of the IP ranges I'm using - this doesn't really appeal. 
I don't want to end up exposing my entire local LAN to the VPN tunnels 
if it can be avoided (this is why I've got this OPT interface) and I 
feel sure that there should be some way of doing what I want without 
several IPSec tunnels per remote host.

Really, all this comes down to is finding a way to allow traffic to/from 
a host on LAN to get to a host on the other side of a VPN terminated to 
OPT. I think the incoming half of the problem should be solved by NAT 
(is this right?) but I can't work out the outgoing side at all. If I try 
a static route on LAN using the LAN gateway to reach the remote subnet, 
I get "TTL Exceeded in transmit" messages from the LAN gateway.

Sorry for the long message but I felt some clarification was needed. I'm 
stumped on this one, hopefully one of you can shed some light on this 
problem for me :)

Thanks,

Chris Taylor

Holger Bauer wrote:
> I have answered a question like that in the past. You can find the answer here:
> http://m0n0.ch/wall/list/showmsg.php?id=160/29
>  
> Maybe I should get some documentation on that sent to Chris Buechler to be added to the docs, as
> this question pops up quite frequently ;-)
>  
> Holger
> 
> 	-----Original Message----- 
> 	From: Chris Taylor [mailto:chris at x dash bb dot org] 
> 	Sent: Mon 06.02.2006 05:10 
> 	To: m0n0wall at lists dot m0n0 dot ch 
> 	Cc: 
> 	Subject: [m0n0wall] Routing to a VPN on OPT interface from LAN?
> 	
> 	
> 
> 	Hi all,
> 	
> 	In a m0n0-to-m0n0 IPSec VPN, is it possible to have a VPN terminated to
> 	an OPT interface and yet still have the tunnel accessible from LAN?
> 	
> 	Remote LAN is 192.168.4.0/24, Local LAN is 192.168.0.0/24, Local OPT is
> 	192.168.100.0/24.
> 	
> 	The tunnel is up and running and it works correctly between Local OPT
> 	and Remote LAN. However, I'd like to be able to achieve some access
> 	to/from the Local LAN from the Remote LAN.
> 	
> 	I've got some NAT in place to allow access to 192.168.0.2 from the
> 	Remote LAN (via the OPT interface). I'm not sure if this is working but
> 	will test it when I can - this "pinhole" (both ways) is basically what I
> 	wish to achieve. At present, I can't seem to get any traffic to pass
> 	from the Local LAN to the Remote LAN via the VPN.
> 	
> 	Is this possible? It would be very handy for my purposes. Or, failing
> 	that, how would you recommend I achieve this kind of setup? My current
> 	thoughts are towards a second interface in 192.168.0.2 that will connect
> 	it to Local OPT (as well as Local LAN).
> 	
> 	Any help greatly appreciated :)
> 	
> 	Thanks,
> 	
> 	Chris Taylor
> 	
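Added example, not part of this thread and not m0n0wall code: a small model of how tunnel-mode IPsec decides which tunnel a packet enters. The decision is made by the traffic selectors configured on the tunnel (the "Local subnet" / "Remote subnet" pair), not by the interface the packet arrived on, which is why a LAN-sourced packet does not enter a tunnel whose local selector is the OPT range, and why presenting the LAN host behind a 1:1 NAT address inside that range changes the outcome. The addresses follow the thread (local LAN 192.168.0.0/24, local OPT 192.168.100.0/24, remote LAN 192.168.4.0/24, host 192.168.0.2); the second remote site 192.168.5.0/24 and the NAT address 192.168.100.2 are assumptions made for illustration. Only the outbound selector lookup is modelled, and whether a particular firewall accepts a definition whose selectors overlap is not something this page settles; the code only reports the overlap.

```python
"""Model of IPsec tunnel selection by traffic selector (added example,
not m0n0wall code). Addresses from the thread: local LAN 192.168.0.0/24,
local OPT 192.168.100.0/24, remote LAN 192.168.4.0/24, host 192.168.0.2.
Assumed for illustration: a second remote 192.168.5.0/24 and a 1:1 NAT
address 192.168.100.2 for the LAN host."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TunnelPolicy:
    """One tunnel definition reduced to its pair of traffic selectors."""
    name: str
    local: IPv4Network   # "Local subnet" on the concentrator side
    remote: IPv4Network  # "Remote subnet" (the remote site's LAN)

    def covers(self, src: IPv4Address, dst: IPv4Address) -> bool:
        # Outbound direction: the source must lie in the local selector
        # and the destination in the remote selector. The ingress
        # interface plays no part in this decision.
        return src in self.local and dst in self.remote

    def selectors_overlap(self) -> bool:
        # A local selector that contains part of the remote selector (or
        # vice versa) makes the same address both "ours" and "theirs".
        return self.local.overlaps(self.remote)


def select_tunnel(policies: List[TunnelPolicy], src: str, dst: str) -> Optional[str]:
    """Return the name of the first tunnel whose selectors cover src->dst."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if p.covers(s, d):
            return p.name
    return None


def outbound_decision(policies: List[TunnelPolicy], src: str, dst: str,
                      nat_1to1: Optional[Dict[str, str]] = None) -> Tuple[str, Optional[str]]:
    """Simulate the concentrator's outbound handling of one packet: apply
    1:1 source NAT when a mapping exists, then do the selector lookup.
    Returns (source address after NAT, tunnel name or None)."""
    if nat_1to1:
        src = nat_1to1.get(src, src)
    return src, select_tunnel(policies, src, dst)


# Concentrator: one tunnel per remote site, each anchored in the OPT range.
CONCENTRATOR = [
    TunnelPolicy("site-a", ip_network("192.168.100.0/24"), ip_network("192.168.4.0/24")),
    TunnelPolicy("site-b", ip_network("192.168.100.0/24"), ip_network("192.168.5.0/24")),  # assumed
]

# Assumed 1:1 NAT: present the LAN host as an OPT-range address to the tunnels.
NAT_1TO1 = {"192.168.0.2": "192.168.100.2"}

# The remote-end definition asked about in the thread: local 192.168.4.0/24
# against a remote selector of 192.168.0.0/16, which contains it.
WIDE_REMOTE_SELECTOR = TunnelPolicy("remote-side", ip_network("192.168.4.0/24"),
                                    ip_network("192.168.0.0/16"))

if __name__ == "__main__":
    for pkt in [("192.168.100.10", "192.168.4.10"),  # OPT host -> remote LAN
                ("192.168.0.2", "192.168.4.10"),     # LAN host -> remote LAN
                ("192.168.4.10", "192.168.5.10")]:   # one remote -> another remote
        print(pkt, "->", outbound_decision(CONCENTRATOR, *pkt))
    print("LAN host with 1:1 NAT ->",
          outbound_decision(CONCENTRATOR, "192.168.0.2", "192.168.4.10", NAT_1TO1))
    print("remote-end selectors overlap:", WIDE_REMOTE_SELECTOR.selectors_overlap())
```

The third packet shows the segregation the thread asks for falling out of the selectors: traffic sourced from one remote LAN sits in no tunnel's local selector on the concentrator, so no second tunnel accepts it, independent of any firewall rules on top.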