 From:  sai <sonicsai at gmail dot com>
 To:  "Tim Cary" <TDC at yesinc dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Encryption Policy
 Date:  Wed, 22 Mar 2006 15:35:17 +0500

On 3/20/06, Tim Cary <TDC at yesinc dot com> wrote:
> Hello-
>
> I need to define an additional firewall encryption policy over the same
> IPSEC tunnel.  I am not sure how to do this in M0n0Wall.
>
> Details:
>
> We own a Fortigate 200A.  It accepts IPSEC connections, and has a
> feature where you can define a concentrator so that "spokes" of the VPN
> hub can communicate with each other.  I have three separate networks
> that need to talk to each other.  The hub is the Fortigate, as it is at
> the main site.  The spokes are the M0n0Walls at the remote sites.  I
> need the spokes to talk to each other by way of the hub.
>
> 172.16.0.0/16 - HUB (Fortigate - main site)
> 172.18.0.0/16 - Spoke1 (remote site)
> 172.19.0.0/16 - Spoke2 (remote site)
>
> The spokes are on DSL connections, so I have to use e-mail address as
> the identifier.  Fortigate accepts these as dial-up connections.
>
> Spoke1 and Spoke2 each make a tunnel to the hub.  So, hub can ping
> spoke1, spoke1 can ping hub, and hub can ping spoke2, and spoke2 can
> ping hub.  What is missing here is the ability to ping spoke1 from
> spoke2, and ping spoke2 from spoke1.
>
> Fortigate tech support tells me everything is set right on the
> Fortigate.  But they say I need to define an additional firewall encrypt
> rule (but NOT another tunnel) on each spoke to talk to the other spoke's
> network.  How do I do that on the M0n0Wall?  This makes sense, but I
> just can't see how to do it.
>
> Any advice is appreciated.
>
> Thank You.
>

This was on the list recently. I think that the solution was to have
another tunnel. The Fortigate guy is probably confused.

sai
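
Added example, not part of the original thread: a Python model of IPsec policy (selector) matching on a spoke, using the three subnets from the question, that shows why spoke-to-spoke packets match no policy when the spoke only has an entry for the hub network, and reports which selector pairs are missing. It assumes each tunnel entry contributes one local/remote subnet pair; the function names and host addresses are constructed for illustration.

```python
import ipaddress

# Subnets from the question above.
HUB = ipaddress.ip_network("172.16.0.0/16")
SPOKES = {
    "spoke1": ipaddress.ip_network("172.18.0.0/16"),
    "spoke2": ipaddress.ip_network("172.19.0.0/16"),
}


def match_policy(policies, src, dst):
    """Return the first (local, remote) selector pair covering src -> dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in policies:
        if s in local and d in remote:
            return (local, remote)
    return None


def required_selectors(site):
    """Selector pairs a spoke needs to reach the hub and every other spoke via the hub."""
    local = SPOKES[site]
    remotes = [HUB] + [net for name, net in SPOKES.items() if name != site]
    return [(local, remote) for remote in remotes]


def missing_selectors(site, configured):
    """Required selector pairs that no configured pair covers (supernets count as cover)."""
    missing = []
    for local, remote in required_selectors(site):
        covered = any(local.subnet_of(l) and remote.subnet_of(r) for l, r in configured)
        if not covered:
            missing.append((local, remote))
    return missing


# Constructed state: spoke1 as described, with a single policy for the hub network.
spoke1_before = [(SPOKES["spoke1"], HUB)]
# Assumed fix: a second entry to the same hub gateway with spoke2's network as remote subnet.
spoke1_after = spoke1_before + [(SPOKES["spoke1"], SPOKES["spoke2"])]

if __name__ == "__main__":
    for label, spd in (("before", spoke1_before), ("after", spoke1_after)):
        hit = match_policy(spd, "172.18.0.10", "172.19.0.10")  # constructed host addresses
        print(label, "spoke1->spoke2:", "tunnel" if hit else "no policy, not encrypted")
        print(label, "missing:", [f"{l} -> {r}" for l, r in missing_selectors("spoke1", spd)])
```

The same check applies in the other direction: spoke2 needs a pair for 172.18.0.0/16, and the hub must accept both pairs from each dial-up peer.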