[ previous ] [ next ] [ threads ]
 From:  Jeff Buehler <jeff at buehlertech dot com>
 To:  daniele dot guazzoni at gcomm dot ch
 Cc:  Monowall User List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] how to add a route for a IPSEC VPN that lies on another box ?
 Date:  Mon, 17 Mar 2008 18:32:00 -0700
I see - thats not the way I have set up my IPSEC tunnels in the past.  
Perhaps I was doing something incorrectly, but I set them up like this:


I don't use a third private IP range to define the tunnel (is that what 
you are doing?).  I only have the two LANS, and a tunnel that makes all 
of the devices in LAN1 aware and part of LAN2, and all of the devices in 
LAN2 aware and part of LAN1.

So, for the IPSEC on system 1, the remote gateway and subnet are set to 
192.168.3.x and IPSEC gateway and subnet on system 2 would be 
192.168.2.x.  In this fashion every device on LAN1 can communicate with 
any device on LAN 2 by becoming part of LAN2 via the IPSEC VPN, and 
every device on LAN2 can communicate with LAN1 the same way.  So before 
IPSEC my wotkstation is only on LAN1, but after IPSEC 
tunnel it is also (or whatever) and can address that LAN 
as well.

In other words, every device on LAN1 now has two LAN IPs - one for LAN1, 
and another for LAN2 provided by the tunnel.  And vice versa.  I don''t 
know what you mean by "remote net" - it sounds like you are setting up 
your IPSEC tunnel as a third separate private IP range (?)- that is not 
the way I have done it in the past, but perhaps it is the correct way(?)

The IPSEC tunnel should basically behave in essence just like PPTP 
(except that PPTP is usually just one system/workstation which is 
assigned the new LAN IP upin connection) - when it is connected, LAN 
devices are assigned IP's via the router that correspond to the LAN that 
is being connected to, or so I thought...


Daniele Guazzoni wrote:
> IPsec scenario:
> (I omit the IPsec tunnel terminations for simplicity)
> Remote-A:
> local-net:
> remote-net:
> Remote-B:
> local-net:
> remote-net:
> Office (2 tunnels):
> Tunnel to A:
> local-net:
> remote-net:
> Tunnel to B:
> local-net:
> remote-net:
> Obviously the communication <--> and 
> <--> will work.
> But if you try for example <--> it will not 
> work because:
> - you don't match the remote-network at Remote-A
> - even if you would come through, you don't match the remote-net at 
> Remote-B
> IPsec looks at the IP header for matches:
> - source-IP has to be within local-net AND
> - destination-IP has to be within remote-net
> Any other combination will be dropped at the tunnel ingress point.
> I know that there are "dirty hacks" on FreeSWAN which allows routing 
> over IPsec but that's anything but standard...
> Daniele
> Jeff Buehler wrote:
>> Oh yeah, sorry, two LANS not one (It's been a while!).  However, the 
>> IPSEC tunnel in essence allows all devices attached to each end 
>> become part of the other LAN.  So if your home LAN is 192.168.22.x 
>> and your office LAN is 192.168.23.x and you have an IPSEC tunnel 
>> between them, then devices in either network should be able to 
>> address devices in the other.  Daniele, I'm not sure why you would 
>> say the endpoints would be unable to communicate - thats what the 
>> IPSEC tunnel is for, right? Or am I forgetting something - I haven't 
>> set up a IPSEC VPN in more than a year.
>> <http://www.buehlerarts.com>
>> Jeff
>> Daniele Guazzoni wrote:
>>> Michel Servaes wrote:
>>>> Is there a way to add routes on either monowall or pfsense, that 
>>>> would allow me to reach one of my collegues through the VPN of the 
>>>> office.
>>>> I don't want to make another VPN at home, I just want to be able to 
>>>> access all the VPN's with some kind of rule or route...
>>> With IPsec the communication goes from the defined local network to 
>>> the defined remote network (and vice versa) through the tunnel.
>>> Therefore you will not be able to directly communicate to other 
>>> IPsec endpoints as either the source or the destination network will 
>>> not match the IPsec definitions.
>>> Even routing will not help: think at the IPsec definition like a 
>>> firewall rule which allows only traffic if it match both source and 
>>> destination.
>>> With OpenVPN you can allow transit over the server (in pfSense is 
>>> the "client-to-client VPN" feature).
>>> I'm not sure if you can do that with PPTP.
>>> Or you use some sort of proxy in your office LAN...
>>> Hope this helps
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch