 From:  "Frans King" <kingf at f333 dot net>
 To:  "'Jason Dwyer'" <jason dash dwyer at oxfordfunding dot com dot au>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] mobile ipsec setup
 Date:  Mon, 15 Mar 2004 12:17:37 -0000
> -----Original Message-----
> From: Jason Dwyer [mailto:jason dash dwyer at oxfordfunding dot com dot au]
> Sent: 15 March 2004 06:54
> To: Frans King; m0n0wall at lists dot m0n0 dot ch
> Subject: RE: [m0n0wall] mobile ipsec setup
> 
> Can you access your DMZ from your LAN internally?
> 
> -----Original Message-----
> From: Frans King [mailto:kingf at f333 dot net]
> Sent: Saturday, 13 March 2004 8:40 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] mobile ipsec setup
> 
> 
> Hi,
> 
> I have the following configuration using m0n0wall:
> 
> 
> WAN (dynamic) --------------- m0n0wall --------------- LAN (10.0.0.0/24)
>                                  |
>                                  |
>                             dmz (10.0.1.0/24)
> 
> I am trying to get a Windows XP mobile client to connect using ipsec and
> SoftRemote LT. I've followed the instructions given on the m0n0wall
> documentation project site and managed to get an ipsec connection
> working so that remote computers can use our LAN. Unfortunately I can't
> seem to get the clients to access the DMZ. Is there a way to get this to
> work? I'm not sure if it's a routing problem or whether ipsec will only
> allow you to go to one subnet.
> 
> Cheers,
> 
> Frans
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

Yes, I stop ICMP but allow things like ssh through from the LAN to the
DMZ.

I've done some more testing and found that if I configure the remote party
addressing in SoftRemote as 10.0.0.0/24 (which is the LAN subnet) any
traffic for 10.0.1.2 doesn't get routed down the tunnel but out over the
internet unencrypted. No surprise there since 10.0.1.2 is outside of the
10.0.0.0/24 subnet. So I tried to set up the remote addressing as 10.0.0.0/8
instead but that didn't seem to work either. This time I could ping 10.0.1.2
(which should be blocked) and get a response not from 10.0.1.2 but
m0n0wall's WAN interface. 

Then I tried to set up a virtual adaptor specifying 10.0.0.50 as its IP
address. This time I could ping 10.0.1.2 and get a correct response but
couldn't ping any machines in the LAN subnet except m0n0wall.

(N.B. the ICMP block rules stopping LAN clients pinging the DMZ seemed to
have no effect in this case).

I am doing some inbound port forwarding (web, ssh, smtp, imap and pop3) to
10.0.1.2 if that is of any help.

Regards,

Frans
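The first failure Frans describes (DMZ traffic leaving the client unencrypted because 10.0.1.2 is outside the 10.0.0.0/24 remote selector) is a property of policy-based IPsec: only packets matching a phase 2 selector enter the tunnel. The following added example, not from this thread or from m0n0wall or SoftRemote, models that selection with the thread's own subnets and flags which protected networks would be reached in cleartext; it assumes longest-prefix match between selectors, and the public address 203.0.113.10 is constructed.

```python
from ipaddress import ip_address, ip_network

# Topology from the thread: LAN behind m0n0wall and a separate DMZ subnet.
LAN = ip_network("10.0.0.0/24")
DMZ = ip_network("10.0.1.0/24")
ANY_10 = ip_network("10.0.0.0/8")  # the wider selector Frans also tried


def classify(dst, remote_selectors):
    """Return the phase 2 remote selector that would carry traffic to dst,
    or None when no selector matches and the packet leaves in cleartext.
    Assumption: the client picks the most specific matching selector."""
    dst = ip_address(dst)
    matches = [sel for sel in remote_selectors if dst in sel]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def audit(destinations, remote_selectors):
    """Map each destination to 'tunnel:<selector>' or 'CLEARTEXT'."""
    result = {}
    for dst in destinations:
        sel = classify(dst, remote_selectors)
        result[dst] = f"tunnel:{sel}" if sel else "CLEARTEXT"
    return result


def cleartext_leaks(protected_networks, remote_selectors):
    """Return the protected networks that no selector fully covers; hosts
    in those networks would be reached over the Internet unencrypted."""
    return [net for net in protected_networks
            if not any(net.subnet_of(sel) for sel in remote_selectors)]


if __name__ == "__main__":
    hosts = ["10.0.0.10", "10.0.1.2", "203.0.113.10"]  # 203.0.113.10 constructed
    # Selector covering only the LAN: the DMZ host leaks, as Frans observed.
    print(audit(hosts, [LAN]))
    print("uncovered:", cleartext_leaks([LAN, DMZ], [LAN]))
    # One selector per protected subnet closes the gap for the DMZ.
    print(audit(hosts, [LAN, DMZ]))
    print("uncovered:", cleartext_leaks([LAN, DMZ], [LAN, DMZ]))
```

Running the audit before rolling out a client profile shows which internal destinations the configured selectors leave unprotected, which is the check to run whenever a new subnet such as a DMZ is added behind the gateway.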