 From:  Jimmy Gelhaar <jgelhaar at mac dot com>
 To:  Ron Carter <wcarterjr at earthlink dot net>, m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC tunneling issue
 Date:  Sat, 17 Mar 2007 00:28:08 -0600
Your suggestion makes sense and I was hoping to do this without  
additional equipment.  This should be something added to the  
implementation somehow.  The other company that I'm working with says  
they've done this a lot with other vpn routers, so it might make  
sense to look into adding this option.

The company that I'm working with has A LOT of clients tunneling in  
through VPN, so invariably there are going to be clients that share  
the same internal IP scheme making this a necessity for many of them.

Any thoughts on this from anyone?

Otherwise, I've sent a request back to them to ask if they have an  
alternative.  Otherwise, I'll have to essentially do what you're  
suggesting here.

Thanks a lot for your help and contribution, Ron.  I really  
appreciate it.

Jimmy


On Mar 16, 2007, at 10:26 PM, Ron Carter wrote:

I spoke to two different network engineers where I work and they both  
stated that it would be a lot easier to change your IP.  However, they  
did say that what I was recommending would work for you.
RC
----- Original Message ----- From: "Ron Carter"  
<wcarterjr at earthlink dot net>
To: "Jimmy Gelhaar" <jgelhaar at mac dot com>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, March 15, 2007 8:39 PM
Subject: Re: [m0n0wall] IPSEC tunneling issue


> Jimmy,
> If you are using DHCP and static addresses on the servers, it should not be  
> a problem.  I have never done what you are trying, but I have seen  
> it done. It is a firewall behind a firewall.
>
> But from what I know I think this might be what you are trying to  
> do. This is what I would do:
> I would set up one firewall router device; let's say that this device  
> has an external address of 208.x.x.x and a mask of 255.255.255.128.  
> The internal address of this firewall would be 10.0.100.x with a mask of  
> 255.255.255.254.  I would then set up a second firewall with an  
> external address of 10.0.100.2 and a mask of 255.255.255.254.
>
> The internal address of the second firewall would be 172.20.1.x  
> with a mask of 255.255.255.0.
>
> Here is an example:
>
> customer --- C - VPN ------------------------ FW1 ------------------------ FW2
>                \ 63.x.x.x              208.x.x.x (Out)           10.0.100.2 (Out)
>                                        10.0.100.1 (In)           172.20.1.x (Int Network)
>                  \
>                    \----- C2 VPN
>                           72.x.x.x (Out)
>                           172.20.1.x (Internal)
>
> I hope this helps.
>
> This should allow you to get to the other side of the VPN  
> connection.  It is going to take quite a bit of management. I don't  
> like this method, but I think it would work.
>
> RC
> ----- Original Message ----- From: "Jimmy Gelhaar" <jgelhaar at mac dot com>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Thursday, March 15, 2007 9:44 AM
> Subject: Re: [m0n0wall] IPSEC tunneling issue
>
>
>> I have about 40 machines on my internal network and 4 servers, so  
>> that won't be happening.  I know other appliances allow this;  
>> that's the only reason I'm trying to figure out a solution.  
>> Thanks for the comment.  I hope I don't have to do something that  
>> drastic.
>>
>> Jimmy
>>
>>
>> On Mar 15, 2007, at 5:28 AM, Ron Carter wrote:
>>
>> I had a similar issue.  I just changed my internal network.  I  
>> had about 8 machines running and a ton of rules set up, but that  
>> was the least painful thing to do.
>> RC
>> ----- Original Message ----- From: "Jimmy Gelhaar" <jgelhaar at mac dot com>
>> To: <m0n0wall at lists dot m0n0 dot ch>
>> Sent: Wednesday, March 14, 2007 9:59 PM
>> Subject: [m0n0wall] IPSEC tunneling issue
>>
>>
>>> I'm having a problem with an IPsec tunnel.
>>>
>>> Here is the situation:
>>> My internal single IP for the tunnel is: 172.20.1.11.
>>> My remote endpoint is 156.30.21.200.
>>> (I'm only tunneling one IP on each network to each other)
>>>
>>> Unfortunately, the remote network I'm connecting to has a lot of VPN
>>> tunnels and they already have a tunnel to another network with an
>>> internal scheme of 172.20.1.x.
>>>
>>> Essentially, I need to establish the tunnel from one IP on my
>>> network, to one IP on the remote network.  Since they already have a
>>> tunnel with someone else using my internal IP, I need to NAT
>>> (essentially present it on their network as a different IP) my
>>> internal IP over the tunnel to their network.
>>>
>>> They have specified the NAT address I need to use, which is:
>>> 172.20.1.11 needs to be NATed to 10.0.200.129
>>>
>>> Anyone have ideas if this is possible with M0n0wall?
>>>
>>> Thanks,
>>>
>>> Jimmy
>>>
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>>
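The problem in this thread is a phase-2 selector clash: the local host 172.20.1.11 cannot be announced to the remote site as itself because the remote peer already routes 172.20.1.0/24 through another tunnel, so the host has to be presented as 10.0.200.129 (1:1 NAT applied before encryption and reversed after decryption). The following is an added illustration, not code from the list or from m0n0wall; the addresses are the ones quoted in the thread, and the remote peer's existing selector list is a constructed assumption.

```python
import ipaddress
from dataclasses import dataclass

# Addresses quoted in the thread: the local host must appear to the remote
# site as 10.0.200.129 because 172.20.1.x is already in use there.
LOCAL_HOST = ipaddress.ip_address("172.20.1.11")
NAT_HOST = ipaddress.ip_address("10.0.200.129")
REMOTE_HOST = ipaddress.ip_address("156.30.21.200")
# Constructed assumption: selectors the remote peer already routes via other tunnels.
REMOTE_EXISTING_SELECTORS = [ipaddress.ip_network("172.20.1.0/24")]


def selector_conflicts(candidate, existing):
    """True if the candidate selector overlaps any selector the peer already routes."""
    cand = ipaddress.ip_network(candidate, strict=False)
    return any(cand.overlaps(ipaddress.ip_network(n)) for n in existing)


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


class OneToOneNat:
    """Static 1:1 NAT sitting between the LAN and the IPsec tunnel."""

    def __init__(self, inside, outside):
        self.inside, self.outside = inside, outside

    def outbound(self, pkt):
        # Runs before IPsec encapsulation: the real source becomes the NAT address.
        return Packet(self.outside, pkt.dst) if pkt.src == self.inside else pkt

    def inbound(self, pkt):
        # Runs after decryption: the NAT address is mapped back to the real host.
        return Packet(pkt.src, self.inside) if pkt.dst == self.outside else pkt


def plan_tunnel():
    """Decide which local selector to negotiate and report whether the raw one clashes."""
    raw_clashes = selector_conflicts(f"{LOCAL_HOST}/32", REMOTE_EXISTING_SELECTORS)
    nat_clashes = selector_conflicts(f"{NAT_HOST}/32", REMOTE_EXISTING_SELECTORS)
    return {
        "raw_clashes": raw_clashes,
        "nat_clashes": nat_clashes,
        "local_selector": f"{NAT_HOST}/32",
        "remote_selector": f"{REMOTE_HOST}/32",
    }
```

The check shows why the remote side insisted on a NAT address: a /32 selector for 172.20.1.11 overlaps the other customer's 172.20.1.0/24, while 10.0.200.129/32 does not, and the two NAT hooks show where the rewrite has to happen relative to the tunnel.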