| Rev | Author | # | Line |
|---|---|---|---|
| 6 | JohnMcPherson | 1 | !!Setting up IPSEC tunnelling over a NAT'd M1122 |
| 1 | CraigBox | 2 | |
| 3 | I have an [IPSec] gateway server (FreeSwan) running on a public IP address, and I want to make tunnels from machines that | ||
| 4 | sit behind [ADSLModems] (in this case, a Nokia [M1122].) Thankfully, it was a bit easier to acheive than I thought it might be, and you don't have to worry about NatTraversal at all. | ||
| 3 | CraigBox | 5 | |
| 6 | This works because FreeSwan can identify its ends with the leftid= and rightid= parameters, without needing the IP address blocks to match. | ||
| 1 | CraigBox | 7 | |
| 8 | !Things to note | ||
| 9 | |||
| 10 | If you have multiple networks that have the same numbering, you can't tunnel them all together to the same server - how would the server know which was which? Along with that, if you're using a network between a firewall and a DSL modem (the 192.x examples below), it will also have to have a unique IP address. | ||
| 11 | |||
| 12 | This setup is designed to allow traffic between an internal mailserver and an external web site, for the purposes of [IMAP] mail. You can, however, modify it to suit. The entire internal network can still access the machine the tunnel ends on, and you also have to configure a tunnel between the __external__ IP of the firewall at the local site, or else the firewall can't access that machine (which makes using webmail internally a bit of a problem.) | ||
| 13 | |||
| 14 | !Network Layout | ||
| 15 | |||
| 16 | [[Hosting Server] - [[Hosting Firewall] <----> [[M1122] - [[Site Firewall] - [[Local Network] | ||
| 17 | |||
| 18 | Imagine a (reasonably standard) layout: (External IP __M1122__ 192.168.1.254) - (192.168.1.250 __Firewall__ 10.7.1.254). The hosting server is 203.204.205.206. | ||
| 19 | |||
| 3 | CraigBox | 20 | !!1. Configure the M1122 to enable ESP and ISAKMP passthrough to the internal (with some PinHoling): |
| 1 | CraigBox | 21 | |
| 22 | telnet router | ||
| 23 | configure | ||
| 24 | vcc1 | ||
| 25 | ip server-napt esp 192.168.1.250 0 0 65535 esp-ipsec | ||
| 26 | ip server-napt isakmp 192.168.1.250 500 500 1 udp | ||
| 27 | quit | ||
| 28 | save config startup | ||
| 29 | logout | ||
| 30 | |||
| 31 | !!2. Set up IPSEC connections | ||
| 32 | |||
| 33 | !SERVER END | ||
| 34 | |||
| 35 | conn site-hosting | ||
| 36 | left= site-external-ip (203.x.x.x) | ||
| 37 | leftsubnet= site-internal-net (10.7.1.0/24) | ||
| 38 | leftnexthop= | ||
| 39 | rightsubnet= hosting (203.204.205.206/32) | ||
| 40 | auto= start | ||
| 41 | also= site-hosting-keys | ||
| 42 | |||
| 43 | conn sitefw-hosting | ||
| 44 | left= site-external-ip (203.x.x.x) | ||
| 45 | leftsubnet= external-ip-of-fw (192.168.1.250/32) | ||
| 4 | CraigBox | 46 | leftnexthop= |
| 1 | CraigBox | 47 | rightsubnet= hosting (203.204.205.206/32) |
| 48 | auto= start | ||
| 49 | also= site-hosting-keys | ||
| 50 | |||
| 51 | conn site-hosting-keys | ||
| 52 | leftrsasigkey= ... | ||
| 53 | leftid= @firewall.site.co.nz | ||
| 54 | right= hosting-firewall (203.204.205.1) | ||
| 55 | rightnexthop= %defaultroute | ||
| 56 | rightrsasigkey= ... | ||
| 57 | rightid= @firewall.hosting.net.nz | ||
| 58 | |||
| 59 | |||
| 60 | !M1122 END | ||
| 61 | |||
| 3 | CraigBox | 62 | This end has to have some different IP addresses from the other end... |
| 2 | CraigBox | 63 | |
| 3 | CraigBox | 64 | conn site-hosting |
| 1 | CraigBox | 65 | left= %defaultroute |
| 66 | leftsubnet= site-internal-net (10.7.1.0/24) | ||
| 67 | leftnexthop= | ||
| 68 | rightsubnet= hosting (203.204.205.206/32) | ||
| 69 | auto= add | ||
| 70 | also= site-hosting-keys | ||
| 71 | |||
| 2 | CraigBox | 72 | conn sitefw-hosting |
| 1 | CraigBox | 73 | left= %defaultroute |
| 74 | leftsubnet= external-ip-of-fw (192.168.x.250/32) | ||
| 4 | CraigBox | 75 | leftnexthop= |
| 1 | CraigBox | 76 | rightsubnet= hosting (203.204.205.206/32) |
| 77 | auto= add | ||
| 78 | also= site-hosting-keys | ||
| 79 | |||
| 80 | conn site-hosting-keys | ||
| 81 | leftrsasigkey= ... | ||
| 82 | leftid= @firewall.site.co.nz | ||
| 83 | right= hosting-firewall (203.204.205.1) | ||
| 84 | rightnexthop= %defaultroute | ||
| 85 | rightrsasigkey= ... | ||
| 86 | rightid= @firewall.hosting.net.nz | ||
| 3 | CraigBox | 87 | |
| 88 | Comments welcomed. | ||
| 5 | HellaBreitkopf | 89 | |
| 90 | ---- | ||
| 91 | |||
| 92 | I came to this page for confirmation of following assumption: | ||
| 93 | |||
| 94 | leftsubnet might contain the leftnexthop and left.%%% | ||
| 95 | e.g leftsubnet is 10.110.30.0/16 , leftnexthop is 10.110.30.1, left is 10.110.30.42 | ||
| 96 | |||
| 97 | Haven't found a quick answer somwhere else so I did tests: Of course it does work. |
lib/blame.php:177: Warning: Invalid argument supplied for foreach() (...repeated 2 times)