 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  Monowall User List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] how to add a route for a IPSEC VPN that lies on another box ?
 Date:  Tue, 18 Mar 2008 02:05:42 +0100
IPsec scenario:
(I omit the IPsec tunnel terminations for simplicity)

Remote-A:
local-net:	192.168.2.0/24
remote-net: 	192.168.1.0/24

Remote-B:
local-net:	192.168.3.0/24
remote-net: 	192.168.1.0/24

Office (2 tunnels):
Tunnel to A:
local-net:	192.168.1.0/24
remote-net:	192.168.2.0/24
Tunnel to B:
local-net:	192.168.1.0/24
remote-net:	192.168.3.0/24

Obviously the communication 192.168.2.0/24 <--> 192.168.1.0/24 and 192.168.3.0/24 <-->
192.168.1.0/24 will work.
But if you try for example 192.168.2.10 <--> 192.168.3.10 it will not work because:
- you don't match the remote-network at Remote-A
- even if you would come through, you don't match the remote-net at Remote-B

IPsec looks at the IP header for matches:
- source-IP has to be within local-net 
AND
- destination-IP has to be within remote-net
Any other combination will be dropped at the tunnel ingress point.

I know that there are "dirty hacks" on FreeSWAN which allows routing over IPsec but that's anything
but standard...


Daniele


Jeff Buehler wrote:
> Oh yeah, sorry, two LANS not one (It's been a while!).  However, the 
> IPSEC tunnel in essence allows all devices attached to each end become 
> part of the other LAN.  So if your home LAN is 192.168.22.x and your 
> office LAN is 192.168.23.x and you have an IPSEC tunnel between them, 
> then devices in either network should be able to address devices in the 
> other.  Daniele, I'm not sure why you would say the endpoints would be 
> unable to communicate - that's what the IPSEC tunnel is for, right? Or am 
> I forgetting something - I haven't set up an IPSEC VPN in more than a year.
> 
> <http://www.buehlerarts.com>
> Jeff
> 
> Daniele Guazzoni wrote:
>>
>> Michel Servaes wrote:
>>> Is there a way to add routes on either monowall or pfsense, that 
>>> would allow me to reach one of my colleagues through the VPN of the 
>>> office.
>>> I don't want to make another VPN at home, I just want to be able to 
>>> access all the VPN's with some kind of rule or route...
>>
>> With IPsec the communication goes from the defined local network to 
>> the defined remote network (and vice versa) through the tunnel.
>> Therefore you will not be able to directly communicate to other IPsec 
>> endpoints as either the source or the destination network will not 
>> match the IPsec definitions.
>> Even routing will not help: think of the IPsec definition as a 
>> firewall rule which only allows traffic if it matches both source and 
>> destination.
>>
>> With OpenVPN you can allow transit over the server (in pfSense is the 
>> "client-to-client VPN" feature).
>>
>> I'm not sure if you can do that with PPTP.
>>
>> Or you use some sort of proxy in your office LAN...
>>
>> Hope this helps
>>
> 

-- 


regards


-------------------------------------------------------------
Daniele Guazzoni
Senior Network Engineer, CCNP, CCNA


Linux and AMD-x86_64, or are you still with Windows and Intel?

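The selector-matching rule Daniele describes (source must fall inside local-net AND destination inside remote-net, otherwise the packet is dropped at the tunnel) can be checked mechanically. The following is an added example, not code from the original mail or from m0n0wall/pfSense; the site names, the `POLICIES` table and the flow-tracing helper are constructed for illustration and model only the address selectors of an IPsec SPD (real policies also carry protocol and port selectors).

```python
"""Model of IPsec policy (SPD) address-selector matching for the
three-site scenario in the mail (constructed example, not m0n0wall code)."""
from ipaddress import ip_address, ip_network

# Constructed policy tables reproducing the mail's scenario.
# Each entry is (local-net, remote-net) as configured at that site.
POLICIES = {
    "Remote-A": [("192.168.2.0/24", "192.168.1.0/24")],
    "Remote-B": [("192.168.3.0/24", "192.168.1.0/24")],
    "Office": [
        ("192.168.1.0/24", "192.168.2.0/24"),
        ("192.168.1.0/24", "192.168.3.0/24"),
    ],
}


def matching_policy(site, src, dst):
    """Outbound check at the tunnel ingress: return the (local, remote)
    pair under which `site` would encapsulate a packet src->dst, or None
    if no policy matches (the packet is dropped / not tunnelled)."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in POLICIES[site]:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def policy_on_decap(site, src, dst):
    """Inbound check at the far end: after decapsulation the packet must
    match the mirror of one of that site's policies (src in remote-net,
    dst in local-net); anything else is discarded."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in POLICIES[site]:
        if s in ip_network(remote) and d in ip_network(local):
            return (local, remote)
    return None


def trace_flow(src, dst, path):
    """`path` lists the sites a packet would traverse, e.g.
    ["Remote-A", "Office", "Remote-B"]; each consecutive pair is one
    tunnel hop. Returns the name of the first site whose selector check
    fails, or None if every check along the path passes."""
    for sender, receiver in zip(path, path[1:]):
        if matching_policy(sender, src, dst) is None:
            return sender          # dropped at tunnel ingress
        if policy_on_decap(receiver, src, dst) is None:
            return receiver        # dropped after decapsulation
    return None


if __name__ == "__main__":
    # The two working cases from the mail.
    print(trace_flow("192.168.2.10", "192.168.1.10", ["Remote-A", "Office"]))
    print(trace_flow("192.168.1.10", "192.168.3.10", ["Office", "Remote-B"]))
    # The failing spoke-to-spoke case: 192.168.2.10 -> 192.168.3.10.
    print(trace_flow("192.168.2.10", "192.168.3.10",
                     ["Remote-A", "Office", "Remote-B"]))
```

Running the block prints `None`, `None` and then `Remote-A`: the spoke-to-spoke packet never leaves Remote-A because 192.168.3.10 is outside its only remote-net. The mail's second point also holds in the model: even if Remote-A were bypassed, `policy_on_decap("Remote-B", "192.168.2.10", "192.168.3.10")` returns None because the source is not in Remote-B's remote-net. The model makes the consequence explicit (an inference from the mail, not something it states): a plain route cannot change this outcome, since the selector check sits in front of the tunnel; only policies whose selectors cover 192.168.2.0/24 <-> 192.168.3.0/24 at every hop would let `trace_flow` pass.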