Topic: Routing through IPsec  (Read 4821 times)
« on: October 16, 2008, 00:02:25 »
bigforky *
Posts: 7

Hey gang, I have a conundrum….

My office uses a checkpoint firewall and I have a site to site VPN to a monowall at a remote office – that works OK, but it isn’t that quick – certainly not as fast as a site to site VPN between two monowalls.

I had an idea of adding an interface on my checkpoint firewall that had an IP address that fell within another LAN behind a monowall – then site to site between two monowalls, removing checkpoint from the picture.

I tried this and have it sort of working – traffic moves correctly going from the main office to the remote branch but I can't get traffic to move from the branch back to the main office.

What works.
Traffic between the main office checkpoint LAN and the main office monowall lans-
Traffic between main office monowall LAN and remote office monowall LAN over the IPsec VPN
Traffic from main office check point LAN to remote office monowall LAN.

Here is the layout…..

Checkpoint at main office
Eth0 wan with static public IP
Eth1 Lan 192.168.151.1
Eth 2 to monowall lan (static) 10.40.40.2/24
In checkpoint there is a static route to 10.89.89.0/24 using IP 10.40.40.1 as the destination gateway via eth2 – and a static route to 10.40.40.0 via eth2

Physical cable from checkpoint eth2 to monowall LAN interface

Monowall at main office
Wan – static public IP (yes, it's different from the checkpoint IP)
Lan – 10.40.40.1/24
Cat5 from checkpoint firewall plugged into LAN port


IPsec VPN…….


Remote monowall site
Wan – static public IP
Lan 10.89.89.0/24
Static route to 192.168.151.0/24 via LAN


When I ping from the remote office monowall, to the main office LAN, I get
 ping: sendto: Invalid argument
The system logs list kernel: arpresolve: can't allocate route for 10.40.40.1

Wouldn’t the IPsec connection let the remote monowall know how to find the gateway for the 10.40.40.0 network? Evidently not….

It is almost like as if the static routes page needs an option for IPsec as a possible interface….
I did try changing the config file to use IPsec…bummer, it didn’t work.

Does anyone have any ideas for me as to how I can make this fly?

Thanks in advance!

Best regards,

Mark-
« Reply #1 on: October 16, 2008, 12:42:45 »
markb ****
Posts: 331

I have just drawn this out and I think that you have a similar issue to one that I had.  The problem is really how Monowall looks at the VPN.  It isn't like another interface that you can point static traffic down.  What you have to do is set up the VPN with the configuration for the subnets that you want to get to. This means that you enter the 192.165.151.0/24 as the subnet that this link provides.  I would suggest that you set the subnet for the second subnet on the main site to 192.168.150.0/24; this way you can set the tunnel up with the local subnet as 192.168.150.0/23, which means that the remote site will route all traffic for 192.168.150.1-192.168.151.255 through the tunnel.

Hope this makes sense.

Have a look at this document that I used.
« Reply #2 on: October 16, 2008, 16:07:33 »
bigforky *
Posts: 7

OK...so I have to supernet it so the main office monowall LAN includes the subnet of anything in the checkpoint LAN.
Duh...why didn't I think of that....

Markb, thanks for the quick response. I really appreciate the help.

I've only been playing with m0n0 for the last 5 months and am quite impressed with the developers for making such a fine product and the community for how everyone pulls together to help each other.
It's quite an amazing group!

Best regards,
 
Mark-
« Reply #3 on: October 16, 2008, 19:07:31 »
bigforky *
Posts: 7

I just implemented your suggestion (in under 10 min) and it worked flawlessly.

Woo Hoo!!!

Mark-
« Reply #4 on: October 17, 2008, 11:39:37 »
markb ****
Posts: 331

To be honest, when I set it up the first time, it didn't occur to me.  I was used to PPTP connections which give you a local IP address that you can add static routes to.  The clue for me was when I looked at the routing table (http(s)://<Monowall>/status.php) there were no additional routes in there but I knew that the tunnel was established and I could see the LAN at either end.  I suppose that you then have to plan a bit more carefully when you are choosing network segments when setting up your WAN.
« Reply #5 on: October 17, 2008, 21:15:35 »
bigforky *
Posts: 7



I thought I would take a moment and document exactly what I did to make this work in case anyone else needs it. The monowall side was simple, but there was a slight pitfall on the checkpoint side mostly regarding anti-spoofing measures.

This is a simple overview of the settings, not a step by step instruction.

Checkpoint configuration…

1. Eth0 - Wan – public IP (not really relevant for this to work)
2. Eth1 - Lan 192.168.5.0 /24
3. Eth2 – the local mono lan – IP 192.168.4.0 /23
4. In CP console, create static route to the remote monowall network 192.168.20.0 /24  with 192.168.4.1 (the local mono gateway) as gateway to the remote monolan, via Eth2
5. Define in the GUI a new network of the remote monowall, and the local monowall.
6. Put the two newly created networks into a simple group – mono_vpn_nets
7. In GUI console, under the local CP gateway, topology, add Eth2 with the correct IP and subnet info (remember it's CIDR /23 not /24) in the general tab, and in the topology tab you must define it as internal specific…then use the drop down to find your new mono_vpn_nets group. If you don’t do this CP spoofing rules will prevent this from working, as addresses from the remote monowall would show a source from a LAN that in theory isn’t expected to come in on this interface.
8. Enter a rule to allow traffic from your lan to the new remote mono lan 192.168.20.0
9. Crossover from Eth2 to the monowall lan port (or via switch etc)


Local Monowall configuration…very basic
1. wan static IP (I guess you could do dynamic with dynamic DNS….)
2. lan IP 192.168.4.1 make the LAN /23 (the /23 is key – the definition of this lan needs to include the CP lan.)
3. Create standard IPsec VPN to your liking with the remote monowall as defined in the monowall handbook.
4. Enter a static route to the 192.168.5.0 /24 network via the gateway of 192.168.4.2 (IP that is Eth2 on the CP firewall)


Remote monowall….even more basic
1. Wan static IP
2. lan addresses – 192.168.20.0 /24
3. Get a basic IPsec VPN established with the monowall near the CP firewall.
4. Remember when configuring the site to site, you need to define the remote subnet on the monowall near the CP firewall as 192.168.4.0 /23 so the lan definition includes the /24 lan of the CP firewall.

Mark-
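As an added example, not part of the thread, here is a short Python check of the point markb and Mark settle on: the IPsec phase-2 traffic selector must contain every LAN that needs the tunnel (otherwise the remote kernel has no route and logs the "can't allocate route" error seen above), and the supernet should be no wider than that, since every extra address it covers is one the remote site may now reach. The addresses are the ones quoted in the thread; the function names are assumptions for this example.

```python
"""Added example (not from the thread): verify that an IPsec phase-2
selector covers every LAN that must use the tunnel, and compute the
tightest supernet that does so.

Failure mode from the first post: the tunnel was negotiated for
10.40.40.0/24 only, so replies to 192.168.151.0/24 had no route and the
remote m0n0wall logged "arpresolve: can't allocate route". The fix in
Reply #5 renumbers so one /23 covers both the m0n0wall LAN and the
Checkpoint LAN. Function names below are assumptions for this example."""
import ipaddress
from typing import Iterable, List

Net = ipaddress.IPv4Network


def uncovered_lans(selector: str, lans: Iterable[str]) -> List[Net]:
    """Return the LANs that the phase-2 selector does not contain.
    Traffic for these never enters the tunnel, because the kernel only
    installs a route for `selector`."""
    sel = Net(selector)
    return [Net(lan) for lan in lans if not Net(lan).subnet_of(sel)]


def minimal_selector(lans: Iterable[str]) -> Net:
    """Smallest single prefix containing every LAN (markb's supernet).
    Keep it tight: a wider prefix lets the remote site reach addresses
    nobody intended to expose over the VPN."""
    nets = [Net(lan) for lan in lans]
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()  # widen by one bit until all fit
    return cand


def remote_route_ok(selector: str, far_lan: str) -> bool:
    """A static route on the remote m0n0wall pointing the far LAN at its
    own LAN interface (as tried in the first post) does not help; the
    destination must sit inside the tunnel selector so the IPsec SA,
    not a LAN route, handles it."""
    return Net(far_lan).subnet_of(Net(selector))


if __name__ == "__main__":
    # Original (broken) layout from the first post.
    print(uncovered_lans("10.40.40.0/24", ["10.40.40.0/24", "192.168.151.0/24"]))
    # Final (working) layout from Reply #5.
    print(uncovered_lans("192.168.4.0/23", ["192.168.4.0/24", "192.168.5.0/24"]))
    print(minimal_selector(["192.168.4.0/24", "192.168.5.0/24"]))
```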
 