 From:  "Ron Carter" <wcarterjr at earthlink dot net>
 To:  "Jimmy Gelhaar" <jgelhaar at mac dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC tunneling issue
 Date:  Thu, 15 Mar 2007 20:39:09 -0400
Jimmy,
If you are using DHCP and static on the servers it should not be a 
problem.  I have never done what you are trying, but I have seen it done. 
It is a firewall behind a firewall.

But from what I know I think this might be what you are trying to do.  This 
is what I would do:
I would set up one firewall router device; let's say that this device has an 
external address of 208.x.x.x and a mask of 255.255.255.128.  The internal 
address of this firewall would be 10.0.100.x with a mask of 255.255.255.254.  I 
would then set up a second firewall with an external address of 10.0.100.2 
and a mask of 255.255.255.254.

The internal address of the second firewall would be 172.20.1.x with a mask 
of 255.255.255.0.

Here is an example:

customer --- C - VPN -----------------------------FW1------------------FW2
                            \63.x.x.x                            208.x.x.x (Out)              10.0.100.2(Out)
                             \                                   10.0.100.1 (In)               172.20.1.x (Int Network)
                              \
                                \-----C2 VPN
                                        72.x.x.x(Out)
                                        172.20.1.x(Internal)

I hope this helps.

This should allow you to get to the other side of the VPN connection.  It is 
going to take quite a bit of management. I don't like this method but I 
think it would work.

RC
----- Original Message ----- 
From: "Jimmy Gelhaar" <jgelhaar at mac dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, March 15, 2007 9:44 AM
Subject: Re: [m0n0wall] IPSEC tunneling issue


>I have about 40 machines on my internal network and 4 Servers, so that 
>won't be happening.  I know other appliances allow this, that's the only 
>reason I'm trying to figure out a solution.  Thanks for the comment.  I 
>hope I don't have to do something that drastic.
>
> Jimmy
>
>
> On Mar 15, 2007, at 5:28 AM, Ron Carter wrote:
>
> I had a similar issue.  I just changed my internal network.  I had about 
> 8 machines running and a ton of rules setup, but that was the least 
> painful thing to do.
> RC
> ----- Original Message ----- From: "Jimmy Gelhaar" <jgelhaar at mac dot com>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, March 14, 2007 9:59 PM
> Subject: [m0n0wall] IPSEC tunneling issue
>
>
>> I'm having a problem with an ipsec tunnel.
>>
>> Here is the situation:
>> My internal single IP for the tunnel is: 172.20.1.11.
>> My remote endpoint is 156.30.21.200.
>> (I'm only tunneling one IP on each network to each other)
>>
>> Unfortunately, the remote network I'm connecting to has a lot of VPN
>> tunnels and they already have a tunnel to another network with an
>> internal scheme of 172.20.1.x.
>>
>> Essentially, I need to establish the tunnel from one IP on my
>> network, to one IP on the remote network.  Since they already have a
>> tunnel with someone else using my internal IP, I need to NAT
>> (essentially present it on their network as a different IP) my
>> internal IP over the tunnel to their network.
>>
>> They have specified the NAT address I need to use, which is:
>> 172.20.1.11 needs to be NAT'ed to 10.0.200.129
>>
>> Anyone have ideas if this is possible with M0n0wall?
>>
>> Thanks,
>>
>> Jimmy
>>
>
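The NAT-over-the-tunnel requirement in the original question, modelled as an added example (not m0n0wall's or the thread's own code): a static 1:1 mapping for 172.20.1.11 and an IPsec policy keyed on the presented address 10.0.200.129, showing why the mapping has to be applied before the policy lookup and why the untranslated address would be ambiguous next to the remote side's existing 172.20.1.x tunnel. The remote inner host 192.0.2.10 is a constructed placeholder.

```python
"""Model of NAT-before-IPsec for the overlapping-subnet case in the thread.
Added example, not m0n0wall code. Addresses from the thread: the local host
172.20.1.11 must be presented to the remote side as 10.0.200.129, because the
remote gateway already has a tunnel to another partner's 172.20.1.0/24.
The remote inner host 192.0.2.10 is a constructed placeholder."""
from ipaddress import ip_address, ip_network

LOCAL_HOST = ip_address("172.20.1.11")
NAT_ADDR = ip_address("10.0.200.129")
REMOTE_HOST = ip_address("192.0.2.10")           # constructed placeholder
REMOTE_EXISTING = [ip_network("172.20.1.0/24")]  # already routed elsewhere by the remote

# Static 1:1 (bidirectional) NAT applied on the tunnel path, and its reverse.
BINAT = {LOCAL_HOST: NAT_ADDR}
UNBINAT = {v: k for k, v in BINAT.items()}

# IPsec security policy: only the *presented* address <-> remote host is tunnelled.
SPD = [(ip_network("10.0.200.129/32"), ip_network("192.0.2.10/32"))]


def spd_match(src, dst):
    """True if a packet src -> dst is selected by some tunnel policy."""
    return any(src in local and dst in remote for local, remote in SPD)


def outbound(src, dst, nat_before_ipsec):
    """Return (tunnelled, source address the remote side would see)."""
    if nat_before_ipsec:
        src = BINAT.get(src, src)
        return spd_match(src, dst), src
    # Policy lookup on the untranslated source: the 10.0.200.129/32
    # selector never matches, so the packet is not tunnelled at all.
    return spd_match(src, dst), src


def inbound(src, dst):
    """Reply path: undo the mapping so 10.0.200.129 reaches 172.20.1.11.
    Returns the internal destination, or None if no policy selects it."""
    if not spd_match(dst, src):
        return None
    return UNBINAT.get(dst, dst)


def collides_with_remote(src):
    """Would this source be ambiguous at the remote gateway?"""
    return any(src in net for net in REMOTE_EXISTING)
```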