On Mon, 2 Aug 2004, David Woodhouse wrote:
> I am looking at installing two monowall servers and I was hoping to
> get some advice. Each monowall will have 3 interfaces (LAN, WAN, DMZ).
> I want to enable traffic between the two LAN networks and the two DMZ
> networks, but the DMZs should not be able to access any of the LAN
> networks; all this traffic should be over a VPN.
> Monowall 1              Monowall 2
> Lan 1-------------------Lan 2      OK
> DMZ 1-------------------DMZ 2      OK
> Lan 1-------------------DMZ 2      NOT OK
> DMZ 1-------------------Lan 2      NOT OK
> Is the best method to create 2 VPNs, 1 for the LANs and 1 for the
> DMZs? Previously (not using monowall) I've had problems creating 2
> VPNs between the same endpoints. Or is there an easier way using
> static routes and firewall rules?
With m0n0wall's IPsec, you don't have the option of using static routes or
firewall rules, so two tunnels is what you'd need. As far as the protocol
is concerned, you can have multiple tunnels between the same endpoints,
but when doing this with preshared keys you need to use aggressive mode
with different identifiers for the two tunnels (unless you have multiple
WAN IPs available). The problem is that main mode with preshared keys
can't use anything other than the IP address as the identifier.
I'm not sure anyone has actually done this with m0n0wall, so
implementation restrictions can't be ruled out.
Since aggressive mode is a bit less secure than main mode, if you're
paranoid you might use main mode for the LAN tunnel and aggressive mode
for the DMZ tunnel. I *think* this should work since it still allows
different identifiers for the tunnels.
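As an added illustration (not code from the thread, and not m0n0wall or racoon code) of why main mode with a pre-shared key is stuck with the IP address as the identifier, here is a small Python model of what the responder knows at the moment it has to pick the PSK. The peer addresses, identifiers and keys are constructed sample data; the payload layout per mode and the SKEYID derivation follow RFC 2409.

```python
"""IKEv1 pre-shared-key selection: main mode vs. aggressive mode.

Added illustration for the discussion above, not m0n0wall or racoon
code.  Peer addresses, identifiers and keys are constructed samples.
"""
import hashlib
import hmac
import secrets

# Constructed responder PSK table, keyed by (peer WAN address, peer ID).
# Two tunnels (the LAN and DMZ tunnels from the thread) terminate on the
# same peer address; a third, unrelated peer has its own address and,
# as is usual in main mode, uses that address as its identifier.
PSK_TABLE = {
    ("203.0.113.2", "lan.siteb.example"): b"lan-tunnel-psk",
    ("203.0.113.2", "dmz.siteb.example"): b"dmz-tunnel-psk",
    ("198.51.100.7", "198.51.100.7"): b"other-peer-psk",
}


def first_message(mode, peer_ip, ident, nonce):
    """Payloads of the initiator's first packet, per RFC 2409.

    Main mode message 1 carries only the SA proposal.  The initiator's
    ID (IDii) only arrives in message 5, encrypted under keys derived
    from SKEYID, and SKEYID itself is derived from the PSK, so the
    responder must have chosen the PSK before it can read the ID.
    Aggressive mode message 1 carries SA, KE, Ni and IDii in the clear.
    """
    if mode == "main":
        return {"src": peer_ip, "SA": "proposal"}
    if mode == "aggressive":
        return {"src": peer_ip, "SA": "proposal", "KE": b"g^x",
                "Ni": nonce, "IDii": ident}
    raise ValueError("unknown exchange mode: %r" % mode)


def candidate_psks(msg, table=PSK_TABLE):
    """PSKs the responder can select from what the first packet reveals.

    Returns a list of (peer_id, psk).  With an IDii payload present the
    lookup is exact; without one, every PSK configured for the source
    address is a candidate, and more than one candidate means the
    responder cannot tell which tunnel is being negotiated.
    """
    src = msg["src"]
    if "IDii" in msg:
        psk = table.get((src, msg["IDii"]))
        return [(msg["IDii"], psk)] if psk else []
    return [(pid, psk) for (ip, pid), psk in table.items() if ip == src]


def skeyid(psk, ni, nr):
    """SKEYID for PSK authentication: prf(pre-shared-key, Ni_b | Nr_b)
    (RFC 2409 section 5.4), with HMAC-SHA1 as the prf.  A wrong PSK
    choice yields a different SKEYID, so message 5 cannot be decrypted
    and HASH_I cannot be verified."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def responder_selects(mode, peer_ip, ident):
    """Simulate the responder's PSK choice for one incoming negotiation.

    Returns the peer ID whose PSK was selected, or None when the first
    packet leaves the choice ambiguous or matches nothing.
    """
    ni = secrets.token_bytes(16)
    msg = first_message(mode, peer_ip, ident, ni)
    candidates = candidate_psks(msg)
    if len(candidates) != 1:
        return None
    return candidates[0][0]


if __name__ == "__main__":
    for mode, ip, ident in [("main", "203.0.113.2", "lan.siteb.example"),
                            ("aggressive", "203.0.113.2", "lan.siteb.example"),
                            ("aggressive", "203.0.113.2", "dmz.siteb.example"),
                            ("main", "198.51.100.7", "198.51.100.7")]:
        print(mode, ip, ident, "->", responder_selects(mode, ip, ident))
```

In main mode the shared address 203.0.113.2 yields two candidate PSKs and the responder cannot choose, which is the failure the reply describes; the same negotiation in aggressive mode succeeds because IDii is in the first packet. The third peer shows the other way out mentioned in the reply: give each tunnel its own WAN address and the address lookup is unique again, so main mode works. The price of aggressive mode is visible in the model too: the identifier and the nonce travel unencrypted, and the responder's HASH_R is sent in the clear, which is what makes aggressive mode with PSKs exposed to offline dictionary attacks on the key.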