I thought about that, but it's not very secure, because they, as well as other consultants, have access to the Netscreen, and can change those rules anytime. I was thinking the best would be to block their traffic on my side. That way they couldn't disable the rules to prevent them from accessing my network segment. I guess at this point I will just have to trust them.

On 4/12/06, mtnbkr <waa dash m0n0wall at revpol dot com> wrote:
> Joe Lagreca wrote:
> > Is it possible to create a one way IPsec VPN?
> >
> > For example, I have created an IPsec VPN from my office m0n0wall, to
> > one of my client's Netscreens. Is there some way I can set it up so
> > that I can access resources on their LAN, but not let them
> > have access to my LAN?
> >
> > I have tried creating a few rules to try and prevent them having
> > access, but haven't had any success.
> >
> > Has anyone tried this before? Is this even a possibility?
>
> Hi Joe.
>
> Yes, and yes. But it depends on Netscreen's capabilities. I do this with
> many of my clients - but all from m0n0wall <-> m0n0wall.
>
> To do this you will need to think in reverse. That is, on the CLIENT's
> Netscreen you will need to set up rule(s) to block all traffic TO your LAN.
>
> If that is not possible on the Netscreen, you may consider moving them
> to a m0n0wall.
>
>
> --
> Bill Arlofski
> Reverse Polarity
>