[ previous ] [ next ] [ threads ]
 From:  "Ron Carter" <wcarterjr at earthlink dot net>
 To:  "Jimmy Gelhaar" <jgelhaar at mac dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] IPSEC tunneling issue
 Date:  Thu, 15 Mar 2007 20:39:09 -0400
If your are using dhcp  and static on the servers it should not be a 
problem.  I have never done what you are trying. but I have seen it done. 
It is a firewall behind a firewall.

But from what I know I think this might be what you are trying to do.  This 
is what I would do:
I would setup one firewall router device lets say that this device has a 
external address of 208.x.x.x and a mask of  The internal 
address of this firewall would be 10.0.100.x mask of  I 
would then setup a second firewall  with a external address of 
and a mask of

The internal address of the second firewall would be 172.20.1.x with a mask 

Here is a example:

customer --- C - VPN -----------------------------FW1------------------FW2
                            \63.x.x.x                            208.x.x.x 
                             \ (In)               172.20.1.x (Int Network)
                                \-----C2 VPN

I hope this helps.

This should allow you to get to the other side of the vpn connection.  It is 
going to take quite a bit of management. I don't like this method but I 
think it would would work.

----- Original Message ----- 
From: "Jimmy Gelhaar" <jgelhaar at mac dot com>
To: <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, March 15, 2007 9:44 AM
Subject: Re: [m0n0wall] IPSEC tunneling issue

>I have about 40 machines on my internal network and 4 Servers, so  that 
>won't be happening.  I know other appliances allow this, that's  the only 
>reason I'm trying to figure out a solution.  Thanks for the  comment.  I 
>hope I don't have to do something that drastic.
> Jimmy
> On Mar 15, 2007, at 5:28 AM, Ron Carter wrote:
> I had a similiar issue.  I just changed my internal network.  I had  about 
> 8 machines running and a ton of rules setup, but that was the  least 
> painful thing to do.
> RC
> ----- Original Message ----- From: "Jimmy Gelhaar" <jgelhaar at mac dot com>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Wednesday, March 14, 2007 9:59 PM
> Subject: [m0n0wall] IPSEC tunneling issue
>> I'm having a problem with an ipsec tunnel.
>> Here is the situation:
>> My internal single IP for the tunnel is:
>> My remote endpoint is
>> (I'm only tunneling one IP on each network to each other)
>> Unfortunately, the remote network I'm connecting to has a lot of VPN
>> tunnels and they already have a tunnel to another network with an
>> internal scheme of 172.20.1.x.
>> Essentially, I need to establish the tunnel from one IP on my
>> network, to one IP on the remote network.  Since they already have a
>> tunnel with someone else using my internal IP, I need to NAT
>> (essentially present it on their network as a different IP) my
>> internal IP over the tunnel to their network.
>> They have specified the NAT address I need to use, which is:
>> Needs to be Nat'ed to
>> Anyone have ideas if this is possible with M0n0wall?
>> Thanks,
>> Jimmy
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch