 From:  Jeff Buehler <jeff at buehlertech dot com>
 To:  Michel Servaes <michel at mcmc dot be>
 Cc:  Monowall User List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] how to add a route for a IPSEC VPN that lies on another box ?
 Date:  Mon, 17 Mar 2008 18:58:10 -0700
Let me backtrack a bit on this - do you want to be able to connect to 
your colleague who is on a LAN at the office (let's say 192.168.2.x) from 
your house (let's say the house LAN is 192.168.3.x)?  And if so, do you 
have an IPSEC tunnel from your home to the office system (192.168.3.x -> 
192.168.2.x)?

If that is the case, you should simply be able to address the colleague's 
system by its IP address (i.e. 192.168.3.51) or possibly its network 
name if running Windows and everything is set up properly.

However, on rereading (this is probably what you were talking about, 
right, Daniele?  If so, sorry I wasn't following the reasoning but I get 
it now!), if you have two VPNs at the office (let's say 192.168.2.x and 
192.168.1.x) and your home (192.168.3.x) IPSEC tunnel points to 
192.168.2.x, then you are out of luck getting to 192.168.1.x, I think 
for obvious reasons.  VPNs exist specifically to protect the integrity 
of a private addressing space - once you have access to a private LAN, 
you can do A LOT of damage if you don't belong there - having the 
ability to add a route across LANs without going through some sort of 
security function (like a password-protected encrypted VPN) would be a 
huge mistake in my estimation - it would be way too easy to take 
advantage of that sort of mechanism to hack into LANs you didn't belong 
to, and anyone else could do the same.

Michel, if the second is what you were asking about, sorry I didn't get 
it clear the first time!  I guess it just doesn't make sense to me 
because of the obvious security problems.

Jeff


Michel Servaes wrote:
> Ok, this is just a curiosity question - but it would be a great way to 
> solve some of my issues.
>
> I have a monowall at home - great product by the way - and a pfSense at 
> the office - another great product.
> I have multiple VPNs set up at the office to my colleagues (and myself).
>
> Is there a way to add routes on either monowall or pfSense that would 
> allow me to reach one of my colleagues through the VPN of the office?
> I don't want to make another VPN at home, I just want to be able to 
> access all the VPNs with some kind of rule or route...
>
> I know I can make a PPTP VPN to the pfSense at work, and work my way 
> through this VPN, but I'd really love to have this option right 
> on top of my one IPSEC VPN tunnel that I have to the office.
>
>
> - should I create rules on my box at the office, or would some static 
> routes on my monowall work as well?
> - or, should I forget this, and create each IPSEC VPN individually...