Topic: Multiple Subnets in IPSEC VPN  (Read 5357 times)
« on: October 04, 2008, 16:48:20 »
yellowlemon *
Posts: 1

   
Dear Developers / interested users:

I am writing to seek an update on the current poor support of *multiple* LAN subnets on
site-to-site IPsec VPNs in m0n0wall. Currently there are two possibilities: summarising the subnets into one supernet (not always possible) or setting up multiple IPsec tunnels, one for each subnet.
http://doc.m0n0.ch/handbook/faq-ipsec-multiple-subnets.html

As yet it is still impossible to define multiple, noncontiguous, un-supernettable subnets through a single IPsec tunnel. On a Cisco router/firewall/PIX/ASA etc. this is as simple as adding another subnet to the VPN access-list line.

There has been some good discussion on this before:

http://m0n0.ch/wall/list/showmsg.php?id=160/46
http://m0n0.ch/wall/list/showmsg.php?id=165/45
http://m0n0.ch/wall/list/showmsg.php?id=177/29

The problem keeps regularly resurfacing in the forums:

http://forum.m0n0.ch/index.php/topic,454.0.html
http://forum.m0n0.ch/index.php/topic,2115.0.html
http://forum.m0n0.ch/index.php/topic,2119.0.html
http://forum.m0n0.ch/index.php/topic,62.0.html
http://forum.m0n0.ch/index.php/topic,2074.0.html

The feature has been requested before:
http://forum.m0n0.ch/index.php/topic,1346.0.html

Are there any plans to add this functionality?

Kind regards,

Corwin Willys
« Reply #1 on: February 18, 2009, 20:45:52 »
dave_it4mt *
Posts: 4

Dear Corwin,
I can't speak for our developers but I want to testify that I have been able to establish
IPSec-VPN tunnels with dual arbitrary endpoints to both Cisco 3030 & ASA appliances
that declared these endpoints within a single tunnel.
I did this by simply declaring a separate tunnel for each endpoint while keeping
all the other VPN parameters, including the preshared key, the same.
This technique is mentioned in the manual:
http://doc.m0n0.ch/handbook-single/#id11633399

I was also able to establish "single" VPN tunnels with multiple endpoints by "stuffing" the /var/etc/racoon.conf file with additional SP entries that the XML parser cannot generate.
Personally I don't see any real advantage that would justify all the trouble of modifying
the XML parser just to accommodate a convenience like this unless my success is actually
an anomaly...

-Dave
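The two options both posts describe (summarise into one supernet, or one phase-2 selector pair per subnet pair) can be worked out mechanically. The following is an added example, not code from the thread or from m0n0wall: it reports whether a set of LAN subnets collapses exactly into a single supernet, and otherwise emits the per-pair setkey SPD entries that the multi-tunnel workaround amounts to. Gateway addresses and subnets in the test are constructed.

```python
"""Added helper (not part of m0n0wall): summarisation check and per-pair
IPsec policy (SPD) generation for multiple LAN subnets behind one tunnel."""
import ipaddress
from itertools import product


def smallest_supernet(subnets):
    """Return (block, exact) where block is the smallest single CIDR block that
    contains every subnet and exact is True only if that block covers nothing
    beyond the listed subnets. exact=False is the 'not always possible' case:
    using the block would drag unrelated address space into the tunnel."""
    nets = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(s) for s in subnets))
    block = nets[0]
    # Widen the first network until every (collapsed) subnet sits inside it.
    # Unrelated prefixes (e.g. 10/8 and 192.168/16) end up at 0.0.0.0/0.
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()
    exact = sum(n.num_addresses for n in nets) == block.num_addresses
    return block, exact


def spd_entries(local_subnets, remote_subnets, local_gw, remote_gw):
    """One outbound and one inbound 'spdadd' line per (local, remote) subnet
    pair, all sharing the same tunnel endpoints. This is the selector set the
    'one tunnel per subnet, same parameters' workaround produces."""
    lines = []
    for lcl, rmt in product(local_subnets, remote_subnets):
        tunnel = f"esp/tunnel/{local_gw}-{remote_gw}/require"
        rtunnel = f"esp/tunnel/{remote_gw}-{local_gw}/require"
        lines.append(f"spdadd {lcl} {rmt} any -P out ipsec {tunnel};")
        lines.append(f"spdadd {rmt} {lcl} any -P in ipsec {rtunnel};")
    return lines


if __name__ == "__main__":
    # Constructed example: two non-adjacent LANs that cannot be summarised.
    block, exact = smallest_supernet(["10.1.0.0/24", "10.1.5.0/24"])
    print(f"smallest covering block: {block} (exact={exact})")
    for line in spd_entries(["10.1.0.0/24", "10.1.5.0/24"],
                            ["192.168.10.0/24"],
                            "203.0.113.1", "198.51.100.1"):
        print(line)
```

When exact is False, the per-pair entries are the safer choice, since the covering block would also route addresses that belong to neither site through the tunnel.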