 From:  "Joe Lagreca" <lagreca at gmail dot com>
 To:  waa dash m0n0wall at revpol dot com
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Possible to do one way IPsec?
 Date:  Wed, 12 Apr 2006 09:28:50 -0700
I agree it's not ideal nor very secure, but I don't want to run 2
m0n0's on my side.  My office is already cluttered with stuff.

Thanks again for the ideas.



On 4/12/06, mtnbkr <waa dash m0n0wall at revpol dot com> wrote:
> I would not trust anyone.
>
> Since you do not solely manage the Netscreen, your best bet is probably
> to do what Moreno said:  "2) use 2 monowall on you side (one behind the
> other)"
>
> This way you have control over what their machines have access to on
> your network. A bit much possibly in terms of management etc, but safest
> way when you don't control the other side.
>
> Cheers
>
> --
> Bill Arlofski
> Reverse Polarity
>
>
> Joe Lagreca wrote:
> > I thought about that, but it's not very secure, because they, as well
> > as other consultants, have access to the Netscreen, and can change
> > those rules anytime.
> >
> > I was thinking the best would be to block their traffic on my side.
> > That way they couldn't disable the rules to prevent them from
> > accessing my network segment.
> >
> > I guess at this point I will just have to trust them.
> >
> >
> >
> > On 4/12/06, mtnbkr <waa dash m0n0wall at revpol dot com> wrote:
> >> Joe Lagreca wrote:
> >>> Is it possible to create a one way IPsec VPN?
> >>>
> >>> For example, I have created an IPsec VPN from my office m0n0wall, to
> >>> one of my clients' Netscreens.  Is there some way I can set it up so
> >>> that I can access resources on their LAN, but not let them have
> >>> access to my LAN?
> >>>
> >>> I have tried creating a few rules to try and prevent them having
> >>> access, but haven't had any success.
> >>>
> >>> Has anyone tried this before?  Is this even a possibility?
> >> Hi Joe.
> >>
> >> Yes, and yes. But it depends on Netscreen's capabilities. I do this with
> >> many of my clients - but all from m0n0wall <-> m0n0wall.
> >>
> >> To do this you will need to think in reverse. That is, on the CLIENT's
> >> Netscreen you will need to set up rule(s) to block all traffic TO your LAN.
> >>
> >> If that is not possible on the Netscreen, you may consider moving them
> >> to a m0n0wall.
> >>
> >>
> >> --
> >> Bill Arlofski
> >> Reverse Polarity
> >>
>
>
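As an added illustration, not code from the thread or from m0n0wall: a small Python model of the stateful policy that makes a tunnel effectively one-way, as it would run on a second firewall placed between the VPN endpoint and the office LAN (the "one behind the other" layout). The subnets and addresses are constructed; the point it shows is that "one-way" means one-way *initiation*: replies to office-initiated flows must still be allowed back in.

```python
# Constructed model of a stateful one-way filter (not m0n0wall's code).
from ipaddress import ip_address, ip_network

OFFICE_LAN = ip_network("192.168.10.0/24")  # assumed office subnet
CLIENT_LAN = ip_network("10.20.0.0/16")     # assumed client subnet behind the Netscreen


class OneWayFilter:
    """Pass flows initiated from OFFICE_LAN toward CLIENT_LAN plus their
    replies; block anything the client side initiates toward the office."""

    def __init__(self):
        # state table of flows this firewall has admitted, keyed by 5-tuple
        self.state = set()

    @staticmethod
    def _key(src, sport, dst, dport, proto):
        return (src, sport, dst, dport, proto)

    def check(self, src, sport, dst, dport, proto="tcp"):
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # 1. reply to an established office-initiated flow: pass
        if self._key(dst, dport, src, sport, proto) in self.state:
            return "pass"
        # 2. further packets of an already admitted flow: pass
        if self._key(src, sport, dst, dport, proto) in self.state:
            return "pass"
        # 3. new flow from the office toward the client: create state, pass
        if src_ip in OFFICE_LAN and dst_ip in CLIENT_LAN:
            self.state.add(self._key(src, sport, dst, dport, proto))
            return "pass"
        # 4. anything else crossing the tunnel (client-initiated): block
        return "block"


def demo():
    """Three packets across the tunnel; returns the filter's verdicts."""
    fw = OneWayFilter()
    return [
        fw.check("192.168.10.5", 40000, "10.20.1.7", 22),    # office -> client SSH
        fw.check("10.20.1.7", 22, "192.168.10.5", 40000),    # reply to that flow
        fw.check("10.20.1.7", 51000, "192.168.10.5", 445),   # client-initiated SMB
    ]


if __name__ == "__main__":
    print(demo())  # ['pass', 'pass', 'block']
```

Because the client side never controls this second firewall, the rules cannot be loosened from the Netscreen, which is the property Joe was after.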