!!Setting up IPSEC tunnelling over a NAT'd M1122

I have an [IPSec] gateway server (FreeSwan) running on a public IP address, and I want to make tunnels from machines that sit behind [ADSLModems] (in this case, a Nokia [M1122]). Thankfully, it was a bit easier to achieve than I thought it might be, and you don't have to worry about NatTraversal at all.

This works because FreeSwan identifies each end of a connection by its leftid= and rightid= parameters, so the address a peer is seen from does not have to match the address configured on the peer itself (which, behind a NAT, it won't).

!Things to note

If you have multiple networks that use the same numbering, you can't tunnel them all to the same server, because the server would have no way of telling which was which. The same goes for the network between the firewall and the DSL modem (the 192.168.1.x addresses in the examples below): it needs unique addresses too, because the firewall's external address gets a tunnel of its own.

This setup is designed to let a web site on the hosting server talk [IMAP] to a mail server on the internal network. You can, however, modify it to suit. The entire internal network can still reach the machine the tunnel ends on. You also have to configure a tunnel for the __external__ IP of the firewall at the local site (192.168.1.250 below), because traffic the firewall itself sends comes from that address rather than from the internal network; without it the firewall can't reach that machine, which makes using webmail internally a bit of a problem.

!Network Layout

[[Hosting Server] - [[Hosting Firewall] <----> [[M1122] - [[Site Firewall] - [[Local Network]

Imagine a (reasonably standard) layout: the M1122 has the public ADSL address on its external side and 192.168.1.254 on its internal side; the site firewall has 192.168.1.250 facing the M1122 and 10.7.1.254 facing the local network (10.7.1.0/24). The hosting server is 203.204.205.206, behind the hosting firewall (the other [IPSec] gateway) at 203.204.205.1.
19 | |||
3 | CraigBox | 20 | !!1. Configure the M1122 to enable ESP and ISAKMP passthrough to the internal (with some PinHoling): |
1 | CraigBox | 21 | |
22 | telnet router | ||
23 | configure | ||
24 | vcc1 | ||
25 | ip server-napt esp 192.168.1.250 0 0 65535 esp-ipsec | ||
26 | ip server-napt isakmp 192.168.1.250 500 500 1 udp | ||
27 | quit | ||
28 | save config startup | ||
29 | logout | ||

!!2. Set up IPSEC connections

!SERVER END

These conns go on the hosting firewall (203.204.205.1). From here, "left" is the remote site, seen at the public address the M1122 has on its ADSL side, and "right" is the hosting end. The two tunnel conns share their keys and identities through also=site-hosting-keys.

    # site-external-ip is the public address of the M1122 (203.x.x.x).
    # This conn carries the site's internal network (10.7.1.0/24) to the
    # hosting server (203.204.205.206). leftnexthop is left unset here.
    conn site-hosting
        left=203.x.x.x
        leftsubnet=10.7.1.0/24
        leftnexthop=
        rightsubnet=203.204.205.206/32
        auto=start
        also=site-hosting-keys

    # Second tunnel for the site firewall's own external address
    # (192.168.1.250), so the firewall itself can reach the hosting server.
    conn sitefw-hosting
        left=203.x.x.x
        leftsubnet=192.168.1.250/32
        leftnexthop=
        rightsubnet=203.204.205.206/32
        auto=start
        also=site-hosting-keys

    # Keys and identities shared by the two conns above. The ends are
    # matched on these ids, not on the addresses they are seen from.
    conn site-hosting-keys
        leftrsasigkey=...
        leftid=@firewall.site.co.nz
        right=203.204.205.1
        rightnexthop=%defaultroute
        rightrsasigkey=...
        rightid=@firewall.hosting.net.nz

60 | !M1122 END | ||
61 | |||
3 | CraigBox | 62 | This end has to have some different IP addresses from the other end... |
2 | CraigBox | 63 | |
3 | CraigBox | 64 | conn site-hosting |
1 | CraigBox | 65 | left= %defaultroute |
66 | leftsubnet= site-internal-net (10.7.1.0/24) | ||
67 | leftnexthop= | ||
68 | rightsubnet= hosting (203.204.205.206/32) | ||
69 | auto= add | ||
70 | also= site-hosting-keys | ||
71 | |||
2 | CraigBox | 72 | conn sitefw-hosting |
1 | CraigBox | 73 | left= %defaultroute |
74 | leftsubnet= external-ip-of-fw (192.168.x.250/32) | ||
4 | CraigBox | 75 | leftnexthop= |
1 | CraigBox | 76 | rightsubnet= hosting (203.204.205.206/32) |
77 | auto= add | ||
78 | also= site-hosting-keys | ||
79 | |||
80 | conn site-hosting-keys | ||
81 | leftrsasigkey= ... | ||
82 | leftid= @firewall.site.co.nz | ||
83 | right= hosting-firewall (203.204.205.1) | ||
84 | rightnexthop= %defaultroute | ||
85 | rightrsasigkey= ... | ||
86 | rightid= @firewall.hosting.net.nz | ||
3 | CraigBox | 87 | |
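The two "Things to note" above (a gateway cannot tell apart two sites that present the same subnet, and the ends must be pinned down by leftid=/rightid=) are easy to get wrong once a few sites hang off one hosting gateway. The following checker is an added example, not code from this page or from FreeS/WAN: it parses conn sections in the ipsec.conf style used above, resolves also= the way the keys conn is pulled in, and reports conns that lack an id or that hand the same subnet to the gateway from different peers. The sample config is constructed for the example; 203.0.113.10 and 203.0.113.20 are documentation addresses standing in for the page's 203.x.x.x, and the rule that a conn's own value beats one pulled in via also= is an assumption of this checker, not something verified against FreeS/WAN's parser.

```python
"""Added example, not from the page or from FreeS/WAN: check an ipsec.conf
for the two pitfalls noted above (two sites presenting the same subnet to
one gateway, and tunnel ends not pinned down by leftid=/rightid=)."""
import ipaddress

# Constructed sample: the page's two site conns and their keys conn, plus a
# second site that (wrongly) also hands 10.7.1.0/24 to the hosting gateway.
# 203.0.113.10/.20 are documentation addresses standing in for 203.x.x.x.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn site-hosting
    left=203.0.113.10
    leftsubnet=10.7.1.0/24
    rightsubnet=203.204.205.206/32
    auto=start
    also=site-hosting-keys

conn sitefw-hosting
    left=203.0.113.10
    leftsubnet=192.168.1.250/32
    rightsubnet=203.204.205.206/32
    auto=start
    also=site-hosting-keys

conn site-hosting-keys
    leftid=@firewall.site.co.nz
    right=203.204.205.1
    rightid=@firewall.hosting.net.nz

conn othersite-hosting
    left=203.0.113.20
    leftid=@firewall.othersite.co.nz
    leftsubnet=10.7.1.0/24
    right=203.204.205.1
    rightsubnet=203.204.205.206/32
    auto=start
"""

def parse_conns(text):
    """{conn name: {param: value}}; other sections and # comments skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():                       # section header
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        if key.strip() == "also":                       # may repeat: keep a list
            current.setdefault("also", []).append(value.strip())
        else:
            current[key.strip()] = value.strip()
    return conns

def expand(conns):
    """Pull in also= sections.  Assumption of this checker: a conn's own
    value wins over one pulled in via also=."""
    def merge(name, chain=()):
        if name not in conns:
            raise ValueError("also= refers to missing conn " + name)
        if name in chain:
            raise ValueError("also= loop through " + name)
        own = {k: v for k, v in conns[name].items() if k != "also"}
        for other in conns[name].get("also", []):
            for k, v in merge(other, chain + (name,)).items():
                own.setdefault(k, v)
        return own
    return {name: merge(name) for name in conns}

def find_problems(conns):
    """Warnings for expanded conns with a leftsubnet (the real tunnels; a
    keys-only conn such as site-hosting-keys is skipped)."""
    problems, seen = [], []          # seen: (conn name, network, peer id)
    for name, c in conns.items():
        if "leftsubnet" not in c:
            continue
        for param in ("leftid", "rightid"):
            if param not in c:
                problems.append("%s: no %s=, so this end is matched by "
                                "address only" % (name, param))
        net = ipaddress.ip_network(c["leftsubnet"], strict=False)
        peer = c.get("leftid") or c.get("left", "?")   # who claims the subnet
        for oname, onet, opeer in seen:
            if peer != opeer and net.overlaps(onet):
                problems.append("%s and %s both present %s from different "
                                "peers (%s vs %s)" % (name, oname, net, peer, opeer))
        seen.append((name, net, peer))
    return problems

def check(text):
    """Parse, expand and check an ipsec.conf; returns the warning list."""
    return find_problems(expand(parse_conns(text)))
```

Running check(SAMPLE_CONF) reports two problems, both against the constructed othersite-hosting conn: it has no rightid=, and it presents 10.7.1.0/24 from a different peer than site-hosting does. Drop that conn and the page's own configuration comes up clean. The checker only looks at the two notes above; it is not a substitute for FreeS/WAN's own parsing of the file.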
Comments welcomed.

----

I came to this page for confirmation of the following assumption:

leftsubnet might contain the leftnexthop and left.%%%
e.g. leftsubnet is 10.110.30.0/16, leftnexthop is 10.110.30.1, left is 10.110.30.42

Haven't found a quick answer somewhere else, so I did tests: of course it does work.