 
 From:  "Don Munyak" <don dot munyak at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  two IPSEC tunnels from one router..
 Date:  Wed, 27 Dec 2006 16:52:26 -0500
re: two IPSEC tunnels from one router (LAN and OPT1) to remote router (LAN)

I have a situation where I 'think' I need a second IPSEC tunnel.

We currently have one(1) IPSEC tunnel from our m0n0wall to another
m0n0wall at a co-lo. This allows tech staff on our LAN to access
servers at the co-lo securely. Our m0n0wall has three(3) ports; Lan,
Wan, Dmz.

I now have a server that is in the DMZ and needs a secure connection
to the co-lo as well. I tried setting up a second IPSEC connection,
but it failed. Effectively, I tried duplicating the following xml
scheme, except changing the remote-subnet on the co-lo config to that
of the DMZ network. m0n0wall just complained and swiftly advised me I
screwed up :(.

From the LAN, if I need access to a given server at the co-lo, I
simply type \\ip\share from a command prompt.
When I use this same methodology from the DMZ, the connection dies.

How can I set up a second tunnel...or can I ?

Here's the xml for both sides of a working tunnel.

<ipsec>
	<tunnel>
		<interface>wan</interface>
		<local-subnet>
			<network>lan</network>
		</local-subnet>
		<remote-subnet>192.168.18.0/24</remote-subnet>
		<remote-gateway>x.x.102.250</remote-gateway>
		<p1>
			<mode>main</mode>
			<myident>
				<myaddress/>
			</myident>
			<encryption-algorithm>blowfish</encryption-algorithm>
			<hash-algorithm>sha1</hash-algorithm>
			<dhgroup>2</dhgroup>
			<lifetime>86400</lifetime>
			<pre-shared-key>***************</pre-shared-key>
			<private-key/>
			<cert/>
			<peercert/>
			<authentication_method>pre_shared_key</authentication_method>
		</p1>
		<p2>
			<protocol>esp</protocol>
			<encryption-algorithm-option>blowfish</encryption-algorithm-option>
			<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
			<pfsgroup>2</pfsgroup>
			<lifetime>14400</lifetime>
		</p2>
		<descr>ipsec tunnel</descr>
	</tunnel>
	<enable/>
</ipsec>

<ipsec>
	<tunnel>
		<interface>wan</interface>
		<local-subnet>
			<network>lan</network>
		</local-subnet>
		<remote-subnet>192.168.222.0/24</remote-subnet>
		<remote-gateway>x.x.155.45</remote-gateway>
		<p1>
			<mode>main</mode>
			<myident>
				<myaddress/>
			</myident>
			<encryption-algorithm>blowfish</encryption-algorithm>
			<hash-algorithm>sha1</hash-algorithm>
			<dhgroup>2</dhgroup>
			<lifetime>86400</lifetime>
			<pre-shared-key>***************</pre-shared-key>
			<private-key/>
			<cert/>
			<peercert/>
			<authentication_method>pre_shared_key</authentication_method>
		</p1>
		<p2>
			<protocol>esp</protocol>
			<encryption-algorithm-option>blowfish</encryption-algorithm-option>
			<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
			<pfsgroup>2</pfsgroup>
			<lifetime>14400</lifetime>
		</p2>
		<descr>ipsec tunnel</descr>
	</tunnel>
	<enable/>
</ipsec>

Thanks

Don
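An added example, not from the post or from m0n0wall itself: it parses tunnels in the posted `<ipsec>` layout and checks two things a practitioner would verify before adding a second tunnel, that no site repeats a (local, remote) selector and that every tunnel has a mirror (local and remote swapped) on the other end. The OPT1/DMZ prefix 192.168.223.0/24 and the interface-to-subnet maps are constructed assumptions; the mirror rule is a general IPsec expectation, not something the post states.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed interface-to-subnet maps. 192.168.222.0/24 and 192.168.18.0/24
# come from the posted config; the opt1 (DMZ) prefix is a placeholder.
OFFICE_IFACES = {"lan": "192.168.222.0/24", "opt1": "192.168.223.0/24"}
COLO_IFACES = {"lan": "192.168.18.0/24"}

def tunnel_template(local, remote, gw):
    # Minimal <tunnel> in the shape of the posted config (p1/p2 omitted).
    return (f"<tunnel><interface>wan</interface><local-subnet><network>{local}"
            f"</network></local-subnet><remote-subnet>{remote}</remote-subnet>"
            f"<remote-gateway>{gw}</remote-gateway></tunnel>")

def parse_tunnels(xml_text, iface_subnets):
    """Return [(local_net, remote_net)] from an <ipsec> fragment; the
    <network> name under <local-subnet> is resolved via iface_subnets."""
    pairs = []
    for t in ET.fromstring(xml_text).findall("tunnel"):
        name = t.findtext("local-subnet/network").strip()
        local = ipaddress.ip_network(iface_subnets[name])
        remote = ipaddress.ip_network(t.findtext("remote-subnet").strip())
        pairs.append((local, remote))
    return pairs

def check_sites(site_a, site_b):
    """Flag selectors defined twice on one site and selectors that have no
    mirror (local/remote swapped) on the other site."""
    problems = []
    for label, pairs in (("A", site_a), ("B", site_b)):
        for p in {p for p in pairs if pairs.count(p) > 1}:
            problems.append(f"site {label}: duplicate selector {p[0]} -> {p[1]}")
    for label, mine, theirs in (("A", site_a, site_b), ("B", site_b, site_a)):
        for local, remote in mine:
            if (remote, local) not in theirs:
                problems.append(f"site {label}: {local} -> {remote} has no mirror tunnel")
    return problems

# Office side: the existing LAN tunnel plus a new OPT1 (DMZ) tunnel to the co-lo LAN.
OFFICE_XML = ("<ipsec>" + tunnel_template("lan", "192.168.18.0/24", "x.x.102.250")
              + tunnel_template("opt1", "192.168.18.0/24", "x.x.102.250") + "<enable/></ipsec>")
# Co-lo side as posted: only the LAN <-> LAN tunnel.
COLO_XML = "<ipsec>" + tunnel_template("lan", "192.168.222.0/24", "x.x.155.45") + "<enable/></ipsec>"

def audit_posted_setup():
    return check_sites(parse_tunnels(OFFICE_XML, OFFICE_IFACES),
                       parse_tunnels(COLO_XML, COLO_IFACES))

def audit_with_mirror():
    # Co-lo side extended with a tunnel whose remote-subnet is the office DMZ.
    fixed = COLO_XML.replace("<enable/>", tunnel_template("lan", "192.168.223.0/24", "x.x.155.45") + "<enable/>")
    return check_sites(parse_tunnels(OFFICE_XML, OFFICE_IFACES),
                       parse_tunnels(fixed, COLO_IFACES))
```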