Michel

I see two solutions to your problem:

- Change your VPN from IPsec to OpenVPN, as this allows client-to-client
  connectivity over the server (in your case the office). pfSense has OpenVPN
  in it by default, m0n0wall only in the "old" versions or custom builds.
  Disadvantage: the client-to-client traffic will always transit your office,
  thus major load on your pfSense.
  Advantage: you still stick to the current VPN topology.

- Create an additional IPsec tunnel between your remote locations.
  Disadvantage: complexity if you need to interconnect more sites.
  Advantage: your traffic goes directly to the destination.

Daniele

Michel Servaes wrote:
> No problem, it was indeed the second I was looking for a solution for ;-)
> Well, not that it is a great problem, but just out of curiosity I
> wanted to ask this question - I know a bit of IPSEC & VPN setups, and
> routing as well... so I wanted to know if someone already succeeded in
> setting up a Home A to Home B tunnel through (for example) the office...
>
> Now that this is sorted out, I know I don't have to search any longer ;)
> -thanks a lot
>
> Jeff Buehler wrote:
>> Let me backtrack a bit on this - do you want to be able to connect to
>> your colleague who is on a LAN at the office (let's say 192.168.2.x)
>> from your house (let's say the house LAN is 192.168.3.x)? And if so,
>> do you have an IPSEC tunnel from your home to the office system
>> (192.168.3.x -> 192.168.2.x)?
>>
>> If that is the case, you should simply be able to address the
>> colleague's system by its IP address (i.e. 192.168.3.51) or possibly
>> its network name if running Windows and everything is set up properly.
>>
>> However, on rereading (this is probably what you were talking about,
>> right, Daniele? If so, sorry I wasn't following the reasoning but I
>> get it now!), if you have two VPNs at the office (let's say 192.168.2.x
>> and 192.168.1.x) and your home (192.168.3.x) IPSEC tunnel points to
>> 192.168.2.x, then you are out of luck getting to 192.168.1.x, I think
>> for obvious reasons. VPNs exist specifically to protect the integrity
>> of a private addressing space - once you have access to a private LAN,
>> you can do A LOT of damage if you don't belong there - having the
>> ability to add a route across LANs without going through some sort of
>> security function (like a password protected encrypted VPN) would be a
>> huge mistake in my estimation - it would be way too easy to take
>> advantage of that sort of mechanism to hack into LANs you didn't
>> belong to, and anyone else could do the same.
>>
>> Michel, if the second is what you were asking about, sorry I didn't
>> get it clear the first time! I guess it just doesn't make sense to me
>> because of the obvious security problems.
>>
>> Jeff
>>
>>
>> Michel Servaes wrote:
>>> Ok, this is just a curiosity question - but it would be a great way
>>> to solve some of my issues.
>>>
>>> I have a monowall at home - great product by the way, and a pfSense at
>>> the office - another great product.
>>> I have multiple VPNs set up at the office to my colleagues (and myself).
>>>
>>> Is there a way to add routes on either monowall or pfSense that
>>> would allow me to reach one of my colleagues through the VPN of the
>>> office?
>>> I don't want to make another VPN at home, I just want to be able to
>>> access all the VPNs with some kind of rule or route...
>>>
>>> I know I can make a PPTP VPN to the pfSense at work, and work my way
>>> through this VPN, but I'd really love to have this option right
>>> on top of my one IPSEC VPN tunnel that I have to the office.
>>>
>>>
>>> - should I create rules on my box at the office, or would some static
>>>   routes on my monowall work as well??
>>> - or, should I forget this, and create each IPSEC VPN individually...
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>>> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>>>
>

--
regards
-------------------------------------------------------------
Daniele Guazzoni
Senior Network Engineer, CCNP, CCNA
Linux and AMD-x86_64, or are you still with Windows and Intel?
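As an added example, not part of this thread, here is what the first option looks like on the office side: an OpenVPN server on the office gateway, with each home router connecting as an OpenVPN client and its LAN routed behind it, so the two homes reach each other through the office. The addressing is assumed: office LAN 192.168.2.0/24 and Michel's home LAN 192.168.3.0/24 are taken from the thread, while the tunnel network 10.8.0.0/24, the colleague's home LAN 192.168.4.0/24 and the client certificate names "home-michel" and "home-colleague" are constructed for the example.

```conf
# --- server.conf on the office gateway (added example, assumed addressing) ---
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0      # constructed tunnel network
topology subnet                    # one /24 for all clients

# Kernel routes: the office must know that both home LANs live behind tun0.
route 192.168.3.0 255.255.255.0    # Michel's home LAN (from the thread)
route 192.168.4.0 255.255.255.0    # colleague's home LAN (constructed)

# Every client learns how to reach the office LAN; per-client routes to the
# other homes are pushed from the ccd files below, so no client is pushed a
# route for its own LAN.
push "route 192.168.2.0 255.255.255.0"
client-config-dir ccd

# client-to-client makes OpenVPN forward between clients internally, so that
# traffic never passes the host firewall. Leaving it off lets the kernel
# forward tun -> tun instead, where the firewall rules on the OpenVPN
# interface still apply to home-to-home traffic.
#client-to-client

ca ca.crt
cert office.crt
key office.key
dh dh2048.pem
tls-auth ta.key 0                  # drop packets lacking the HMAC before TLS
persist-key
persist-tun
keepalive 10 120
verb 3

# --- ccd/home-michel (file named after the client certificate CN) ---
# iroute tells OpenVPN which client the kernel route for 192.168.3.0/24 leads to.
iroute 192.168.3.0 255.255.255.0
push "route 192.168.4.0 255.255.255.0"   # reach the colleague's home via the office

# --- ccd/home-colleague ---
iroute 192.168.4.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"   # reach Michel's home via the office
```

Both homes still exchange traffic only via the office tunnel endpoint, which is the load trade-off Daniele mentions; a full-mesh IPsec setup avoids it at the cost of one tunnel per pair of sites.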