Now it is clear.
Although m0n0wall does remote VPN access natively,
for small VPNs, Hub-and-Spoke can be emulated
using more tunnels.
----- Original Message -----
From: "dasz" <daszylstra at comcast dot net>
To: "Dan Firac" <dan dot firac at romtelecom dot ro>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, March 02, 2006 12:27 AM
Subject: Re: [m0n0wall] Hub-And-Spoke VPN
> Yes, I have a small Hub/spoke setup (1 hub, 2 "spokes"). The key is that
> you have to have multiple IPSEC tunnels to the hub for each spoke.
> In my case I have 2 spokes, so each remote Monowall has 2 IPSEC
> to the hub - 1 for traffic to the hub network, 1 for traffic through the
> for the remote spoke.
> Hub LAN = 192.168.1.0
> Spoke 1 = 192.168.2.0
> Spoke 2 = 192.168.3.0
> Hub IPSEC config:
> Spoke 1 = local 192.168.1.0/24<>remote 192.168.2.0/24
> (normal com between hub LAN and spoke 1 LAN)
> Spoke 1 = local 192.168.3.0/24<>remote 192.168.2.0/24
> (This tells Mono that when traffic comes from spoke 2 it gets sent to
> spoke 1)
> Spoke 2 = local 192.168.1.0/24<>remote 192.168.3.0/24
> (normal traffic between hub LAN and spoke 2 LAN)
> Spoke 2 = local 192.168.2.0/24<>remote 192.168.3.0/24
> (this tells Mono that when traffic comes from spoke 1 it gets sent to
> spoke 2)
> Spoke 1 IPSEC config: (all remote endpoints are Hub's public IP)
> Hub traffic= local 192.168.2.0/24<>remote 192.168.1.0/24
> Spoke 2 traffic = local 192.168.2.0/24<>remote 192.168.3.0/24
> Spoke 2 IPSEC config: (all remote endpoints are Hub's public IP)
> Hub traffic= local 192.168.3.0/24<>remote 192.168.1.0/24
> Spoke 2 traffic = local 192.168.3.0/24<>remote 192.168.2.0/24
> It gets confusing . . . . I'm confusing myself just typing the above
> explanation (if anyone has a better one, please post it) - it took me
> an hour to wrap my brain around how it works when I first got it working.
> . . adding 1 spoke to the above means you have to add 1 tunnel each to the
> spokes and 5 more to the Hub - each spoke gets as many tunnels as there are
> spokes and the hub gets the number of spokes squared in tunnels (i.e. 10
> spokes = 10 tunnels on each spoke to hub, 100 tunnels on hub).
> In my case I have several outside vendors that connect to the hub using
> 192.168.0.0/23 with the appropriate tunnels added to the above hub/spoke
> config . . . . . . it gets real complicated, real fast . . . . .
> To Monowall's developers' credit one of the vendors told me that they've
> never seen anyone get the routing between sites working that quickly and
> David Zylstra
> (586) 764 9858
> ----- Original Message -----
> From: "Dan Firac" <dan dot firac at romtelecom dot ro>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, March 01, 2006 12:02 PM
> Subject: [m0n0wall] Hub-And-Spoke VPN
> Hello all,
> Can m0n0wall be configured for a Hub-And-Spoke VPN with communication
> between spokes?
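As an added illustration (my own code, not from anyone in this thread), the tunnel matrix David describes, generalised to any number of spokes: each spoke gets one IPsec tunnel to the hub per network it must reach, and the hub gets the mirror image of every one of them. Spoke names are arbitrary labels; the remote gateway (the hub's public IP) is not modelled.

```python
"""Generate the phase-2 (local<>remote subnet) entries for a m0n0wall-style
hub-and-spoke VPN in which spokes reach each other through the hub.
Spokes need as many tunnels as there are spokes; the hub needs spokes**2."""
import ipaddress
from typing import Dict, List, Tuple

Tunnel = Tuple[str, str]  # (local subnet, remote subnet) in CIDR text


def hub_spoke_tunnels(hub_lan: str, spokes: Dict[str, str]) -> Dict[str, List[Tunnel]]:
    """Return {'hub': [...], '<spoke name>': [...]} phase-2 entries.

    hub_lan -- hub LAN in CIDR notation
    spokes  -- mapping of spoke name -> spoke LAN in CIDR notation
    Raises ValueError if two networks overlap: an overlapping policy would
    match traffic to the wrong tunnel (or none) when the hub forwards it.
    """
    nets = {"hub": ipaddress.ip_network(hub_lan, strict=True)}
    for name, cidr in spokes.items():
        nets[name] = ipaddress.ip_network(cidr, strict=True)
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")

    plan: Dict[str, List[Tunnel]] = {"hub": []}
    for spoke in spokes:
        # Networks this spoke reaches via the hub: hub LAN, then every other spoke LAN.
        reachable = [str(nets["hub"])] + [str(nets[o]) for o in spokes if o != spoke]
        # Spoke side: local = own LAN, remote = the network being reached.
        plan[spoke] = [(str(nets[spoke]), r) for r in reachable]
        # Hub side: local = the network being reached, remote = this spoke's LAN.
        plan["hub"].extend((r, str(nets[spoke])) for r in reachable)
    return plan


def tunnel_counts(plan: Dict[str, List[Tunnel]]) -> Dict[str, int]:
    """Number of phase-2 entries each device must carry."""
    return {name: len(tunnels) for name, tunnels in plan.items()}


if __name__ == "__main__":
    # The two-spoke layout from the post (constructed from its subnets).
    example = hub_spoke_tunnels("192.168.1.0/24",
                                {"spoke1": "192.168.2.0/24", "spoke2": "192.168.3.0/24"})
    for device, tunnels in example.items():
        for local, remote in tunnels:
            print(f"{device}: local {local}<>remote {remote}")
    print(tunnel_counts(example))
```

Running it reproduces the hub's four entries and each spoke's two, and `tunnel_counts` makes the quadratic growth on the hub visible before anyone types a hundred tunnels by hand.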