 From:  Lonnie Abelbeck <lists at lonnie dot abelbeck dot com>
 To:  m0n0wall List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IPSec mobile clients and split horizon
 Date:  Fri, 26 Jan 2007 13:18:40 -0600
Hi,

m0n0wall 1.22, Soekris net4801, WAN, LAN, DMZ

I had a common problem with others here, using IPSec mobile clients
and the resulting split horizon, i.e. only traffic to your local
network is sent over the tunnel; all other traffic is sent direct,
unencrypted.

The particular problem for me was my public POP3 and SMTP servers.
One solution would be to run some sort of local proxy for these
services, but I prefer this solution as a last resort.

I have solved this problem, and all comments are welcome.

In my IPSec client (IPSecuritas 3.0 on Mac OS 10.4) I define my local  
endpoint as "Host" and remote endpoint as "Networks" (plural).

I need to specify a local address for the "Host" (so the routing  
works), so I use an unused address in the DMZ.  (Would a static route  
be a better thing to do?)

The Networks are:

192.168.100.0/24   # local LAN
216.x.y.z/32  # public POP3 server
68.a.b.c/32  # public SMTP server

The final 'trick', in the 'Options' tab, is to check "Unique SAs".
This forces m0n0wall to make policies for each of these networks.

In this scenario, remote traffic to the private LAN and the public POP3
and SMTP servers is included in the IPSec tunnel.

Hope this helps others.

Lonnie
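As an added illustration (not part of Lonnie's post or of m0n0wall), the following Python models the split-horizon behaviour described above: a destination is carried in the tunnel only if it falls inside one of the configured remote "Networks" (one policy per network, as "Unique SAs" produces), and anything else leaves in the clear. The two public addresses are constructed placeholders standing in for the 216.x.y.z and 68.a.b.c values in the post.

```python
import ipaddress

# Constructed example: the remote "Networks" from the post. The public
# addresses are placeholders (TEST-NET ranges), not the real servers.
TUNNEL_NETWORKS = {
    "192.168.100.0/24": "local LAN",
    "203.0.113.10/32": "public POP3 server",   # placeholder for 216.x.y.z
    "198.51.100.20/32": "public SMTP server",  # placeholder for 68.a.b.c
}


def build_policies(networks):
    """With 'Unique SAs' enabled, each remote network becomes its own
    security policy (its own SA pair). Return parsed (network, label) pairs."""
    return [(ipaddress.ip_network(cidr, strict=True), label)
            for cidr, label in networks.items()]


def classify(dst, policies):
    """Return (via_tunnel, label) for one destination address.

    Longest-prefix match mirrors the SPD lookup: the most specific matching
    policy wins; with no match the packet is sent direct, unencrypted."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, label in policies:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    if best is None:
        return (False, "sent direct, unencrypted")
    return (True, best[1])


def audit(destinations, networks=TUNNEL_NETWORKS):
    """Map each destination to its (via_tunnel, label) verdict."""
    policies = build_policies(networks)
    return {dst: classify(dst, policies) for dst in destinations}


def cleartext_leaks(destinations, networks=TUNNEL_NETWORKS):
    """List the destinations that would bypass the tunnel; useful to check
    a client profile before trusting it with mail credentials."""
    return [dst for dst, (tunnelled, _) in audit(destinations, networks).items()
            if not tunnelled]


if __name__ == "__main__":
    # Constructed sample traffic: LAN host, both mail servers, one random site.
    sample = ["192.168.100.5", "203.0.113.10", "198.51.100.20", "192.0.2.77"]
    for dst, verdict in audit(sample).items():
        print(f"{dst:16} -> {verdict}")
```

Running the block shows the three configured destinations marked as tunnelled and the unlisted address reported as sent in the clear.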