All, I'm still trying to resolve this one. I haven't forgotten about you. However, I think we're headed in a different direction. I think what I'm going to do is install a Linksys RV042 on a new public IP and go that route. The Linksys is about $180 and does outbound NAT-ing of the IPsec traffic. That's all I need for this to work.

Jimmy

----- Original Message -----
From: "Ron Carter" <wcarterjr at earthlink dot net>
To: "Jimmy Gelhaar" <jgelhaar at mac dot com>; <m0n0wall at lists dot m0n0 dot ch>
Sent: Thursday, March 15, 2007 8:39 PM
Subject: Re: [m0n0wall] IPSEC tunneling issue

> Jimmy,
> If you are using DHCP and static on the servers it should not be a
> problem. I have never done what you are trying, but I have seen it done.
> It is a firewall behind a firewall.
>
> But from what I know I think this might be what you are trying to do.
> This is what I would do:
> I would set up one firewall router device; let's say that this device has an
> external address of 208.x.x.x and a mask of 255.255.255.128. The internal
> address of this firewall would be 10.0.100.x with a mask of 255.255.255.254. I
> would then set up a second firewall with an external address of 10.0.100.2
> and a mask of 255.255.255.254.
>
> The internal address of the second firewall would be 172.20.1.x with a
> mask of 255.255.255.0.
>
> Here is an example:
>
> customer --- C - VPN -----------------------------FW1------------------FW2
>    \63.x.x.x                   208.x.x.x(Out)    10.0.100.2(Out)
>     \                          10.0.100.1 (In)   172.20.1.x(Int Network)
>      \
>       \-----C2 VPN
>             72.x.x.x(Out)
>             172.20.1.x(Internal)
>
> I hope this helps.
>
> This should allow you to get to the other side of the VPN connection. It
> is going to take quite a bit of management. I don't like this method but I
> think it would work.
>
> RC
> ----- Original Message -----
> From: "Jimmy Gelhaar" <jgelhaar at mac dot com>
> To: <m0n0wall at lists dot m0n0 dot ch>
> Sent: Thursday, March 15, 2007 9:44 AM
> Subject: Re: [m0n0wall] IPSEC tunneling issue
>
>
>> I have about 40 machines on my internal network and 4 servers, so that
>> won't be happening. I know other appliances allow this; that's the only
>> reason I'm trying to figure out a solution. Thanks for the comment. I
>> hope I don't have to do something that drastic.
>>
>> Jimmy
>>
>>
>> On Mar 15, 2007, at 5:28 AM, Ron Carter wrote:
>>
>> I had a similar issue. I just changed my internal network. I had
>> about 8 machines running and a ton of rules set up, but that was the
>> least painful thing to do.
>> RC
>> ----- Original Message -----
>> From: "Jimmy Gelhaar" <jgelhaar at mac dot com>
>> To: <m0n0wall at lists dot m0n0 dot ch>
>> Sent: Wednesday, March 14, 2007 9:59 PM
>> Subject: [m0n0wall] IPSEC tunneling issue
>>
>>
>>> I'm having a problem with an IPsec tunnel.
>>>
>>> Here is the situation:
>>> My internal single IP for the tunnel is: 172.20.1.11.
>>> My remote endpoint is 156.30.21.200.
>>> (I'm only tunneling one IP on each network to each other.)
>>>
>>> Unfortunately, the remote network I'm connecting to has a lot of VPN
>>> tunnels and they already have a tunnel to another network with an
>>> internal scheme of 172.20.1.x.
>>>
>>> Essentially, I need to establish the tunnel from one IP on my
>>> network to one IP on the remote network. Since they already have a
>>> tunnel with someone else using my internal IP, I need to NAT
>>> (essentially present it on their network as a different IP) my
>>> internal IP over the tunnel to their network.
>>>
>>> They have specified the NAT address I need to use, which is:
>>> 172.20.1.11 needs to be NAT'ed to 10.0.200.129
>>>
>>> Anyone have ideas if this is possible with m0n0wall?
>>>
>>> Thanks,
>>>
>>> Jimmy
>>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>
>

_______________________________________________________________________
This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately.
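The thread turns on an order-of-operations question: the 1:1 NAT (172.20.1.11 presented as 10.0.200.129) has to be applied before the outbound packet is matched against the IPsec security policy, and reversed after the inbound packet is decrypted and its selectors checked, otherwise the packet never matches the tunnel's selectors and leaves in the clear. The model below is an added example, not code from the thread, from m0n0wall, or from the Linksys RV042 firmware; it uses the addresses the thread gives (172.20.1.11, 10.0.200.129, 156.30.21.200) and treats the single tunnelled remote host (10.0.200.1), the other partner's gateway (198.51.100.7), Jimmy's own public address (203.0.113.10) and the remote side's selector layout as assumptions for illustration. It also shows the remote side's problem that motivates the NAT: with a pre-existing tunnel for 172.20.1.0/24, a reply addressed to the un-NATed 172.20.1.11 is matched into the other partner's tunnel.

```python
"""NAT-before-IPsec order of operations, modelled with plain SPD lookups.

Added example (not from the m0n0wall thread, m0n0wall, or the RV042).
Addresses from the thread: LOCAL_HOST, NAT_ADDR, REMOTE_PEER.
Assumed for illustration: REMOTE_HOST, OTHER_PARTNER_PEER, OUR_PEER, REMOTE_SPD.
"""
import ipaddress
from dataclasses import dataclass

IP = ipaddress.ip_address
NET = ipaddress.ip_network

LOCAL_HOST = IP("172.20.1.11")        # Jimmy's internal host (from the thread)
NAT_ADDR = IP("10.0.200.129")         # address the remote side assigned (from the thread)
REMOTE_PEER = IP("156.30.21.200")     # remote IPsec gateway (from the thread)
REMOTE_HOST = IP("10.0.200.1")        # assumed: the single remote host being tunnelled
OTHER_PARTNER_PEER = IP("198.51.100.7")  # assumed: gateway that already owns 172.20.1.0/24 remotely
OUR_PEER = IP("203.0.113.10")         # assumed: public address of Jimmy's gateway


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def spd_lookup(spd, pkt):
    """First-match security-policy lookup.

    spd entries are (local_selector, remote_selector, peer). Returns the peer
    whose tunnel the packet belongs to, or None when no policy matches (the
    packet would then be routed in the clear, or dropped by a firewall rule).
    """
    for local_sel, remote_sel, peer in spd:
        if pkt.src in local_sel and pkt.dst in remote_sel:
            return peer
    return None


# Our side. The tunnel is negotiated with the NATed address as the local
# selector, because 10.0.200.129 is the identity the remote side expects.
OUR_SPD = [(NET("10.0.200.129/32"), NET("10.0.200.1/32"), REMOTE_PEER)]
BINAT = {LOCAL_HOST: NAT_ADDR}          # 1:1 NAT, applied before the SPD lookup
BINAT_REV = {v: k for k, v in BINAT.items()}


def our_outbound(pkt, nat_before_ipsec=True):
    """Return ("esp", peer, inner_packet) or ("clear", None, packet).

    With nat_before_ipsec=False the source stays 172.20.1.11, the SPD does not
    match, and the packet is forwarded unprotected: the failure mode the thread
    is working around.
    """
    if nat_before_ipsec:
        pkt = Packet(BINAT.get(pkt.src, pkt.src), pkt.dst)
    peer = spd_lookup(OUR_SPD, pkt)
    if peer is None:
        return ("clear", None, pkt)
    return ("esp", peer, pkt)


def our_inbound(peer, inner):
    """Decrypted packet from `peer`: check it against the SA's selectors, then un-NAT.

    The selector check runs on the inner packet *before* reverse NAT, so a peer
    cannot inject traffic for addresses it was not negotiated for. Returns the
    packet as delivered to the LAN, or None if it must be dropped.
    """
    for local_sel, remote_sel, spd_peer in OUR_SPD:
        if spd_peer == peer and inner.src in remote_sel and inner.dst in local_sel:
            return Packet(inner.src, BINAT_REV.get(inner.dst, inner.dst))
    return None


# Remote side (assumed layout): an existing tunnel already carries 172.20.1.0/24
# for another partner, and a new /32 policy carries our NATed address.
REMOTE_SPD = [
    (NET("10.0.200.0/25"), NET("172.20.1.0/24"), OTHER_PARTNER_PEER),  # pre-existing tunnel
    (NET("10.0.200.1/32"), NET("10.0.200.129/32"), OUR_PEER),           # our tunnel
]


def remote_reply_goes_to(dst):
    """Which peer the remote gateway would send REMOTE_HOST's reply to."""
    return spd_lookup(REMOTE_SPD, Packet(REMOTE_HOST, dst))


if __name__ == "__main__":
    req = Packet(LOCAL_HOST, REMOTE_HOST)
    print("NAT before IPsec :", our_outbound(req, nat_before_ipsec=True))
    print("no NAT           :", our_outbound(req, nat_before_ipsec=False))
    print("reply to NAT addr:", remote_reply_goes_to(NAT_ADDR))
    print("reply to real IP :", remote_reply_goes_to(LOCAL_HOST))
    print("inbound delivered:", our_inbound(REMOTE_PEER, Packet(REMOTE_HOST, NAT_ADDR)))
```

The two results worth checking are `our_outbound(..., nat_before_ipsec=False)`, which comes back as "clear" because a source of 172.20.1.11 never matches the 10.0.200.129/32 selector, and `remote_reply_goes_to(LOCAL_HOST)`, which lands in the other partner's tunnel; both are exactly why the remote side handed out a distinct NAT address rather than accepting 172.20.1.x. On a real gateway the same ordering is what the "outbound NAT of IPsec traffic" feature provides: translate first, then match the policy.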