[ previous ] [ next ] [ threads ]
 
 From:  "Frederic J. Breitwieser" <frederic at woodbridgedata dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  VPN Configuration
 Date:  Sun, 24 Jan 2010 10:50:39 -0500
Greetings,

 

I'm a new m0n0wall user and built two generic PC's to act as firewalls.  One
for the primary site, one for a soho/secondary site.  For testing purposes,
both firewalls have their WAN ports plugged into my public segment and are
one address off from one another.  Once I get the VPN working one of them
will be edited and relocated to elsewhere.

 

FW1 - primary site

-          WAN - xx.xx.xx.xx / 240 

-          LAN - 172.16.0.1 / 16

 

FW2 - soho site

-          WAN - xx.xx.xx.xx+1 / 240

-          LAN - 192.168.1.1 / 24

 

The hope was to have users on the 192.168.1.0 segment be able to see servers
on the 172.16.0.0 segment, and vice versa.  Seemingly we have a
configuration error because that is not happening.  Ping, telnet, ssh, http,
etc.  Nothing passes.  If I try to hit a public service (google!) that works
flawlessly on both firewalls from their respective private segments (i.e.
NAT is working).

 

In other words, if I'm behind FW1 I should be able to type
http://192.168.1.10 and my browser would hit the server at that address,
even though I'm on the 172.16.0.0 segment and there are two m0n0wall
firewalls in between.  At least that is what I was hoping for J

 

In the diagnostics  area under IPsec, I can see the IPsec security
association (SAD tab) of both m0n0walls if they both are powered on, but do
not see the association if one is powered off (logical!).  They are always
listed under the SPD tab regardless.

 

I have verified they are using the same settings - blowfish, sh1, the same
passkey phrase, and the gateways in the IPsec definitions are each other so
they do point to one another.

 

Both systems created a firewall rule for PASS allowing anything and
everything through the IPsecVPN.

 

Do I need to create a static firewall rule to direct these two private
subnets to each other as well?  If so, what might it look like?