Chris,

I got this working. I didn't use any mobile clients, just regular IPSEC. I had tried this earlier and couldn't get it to work and figured I was doing the wrong thing, or that m0n0wall doesn't know what to do with a VPN endpoint for a subnet that it isn't part of. You were right though, as long as it has a way to reach that subnet through a static route it worked.

Thanks for your help with this issue and all the rest of the time you put into m0n0wall support.

Regards,
Josh

-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com]
Sent: Monday, June 26, 2006 6:00 PM
To: Josh Simoneau
Subject: Re: [m0n0wall] Accessing Remote Networks Through VPN

On 6/26/06, Josh Simoneau <jsimoneau at lmtcs dot com> wrote:
>
> Can the central m0n0wall have a VPN endpoint that is not any of its
> interfaces?

As long as it knows how to reach those networks (proper static routes), yes.

> From what I can see on the "Mobile clients" and through my experience,
> the endpoint for the VPN connection is just set as the LAN network and
> you cannot change this. Perhaps the endpoint is determined by the
> remote side initiating the connection?
>

Both ends have to agree on the subnet in the SPD for it to successfully negotiate the SAD. On the Tunnels tab, you can select "LAN subnet", or you can select "network" and manually enter whatever network you desire.

As for mobile clients, I have no idea how that would or wouldn't work; I haven't ever used that with multiple subnets. I was assuming you were talking about tunnels with static IPs on both ends.

-Chris