Topic: Site-to-Site IPSec Tunnel without exposing internal network?  (Read 2060 times)
« on: October 09, 2009, 17:18:14 »
Wallace *
Posts: 1

Howdy,

We have a very specific scenario for IPSec that I am looking to see if m0n0wall is capable of doing:

1. IP Space

     Corporate HQ:  Internal IP 192.168.0.x/24, external IP 4.4.4.x/24

     Branch 1:  Internal IP 192.168.0.x/24, external IP 5.5.5.x/24
     Branch 2:  Internal IP 192.168.0.x/24, external IP 6.6.6.x/24
     Branch 3:  Internal IP 192.168.0.x/24, external IP 7.7.7.x/24
     Branch 4:  Internal IP 192.168.0.x/24, external IP 8.8.8.x/24 (etc. etc.)

     Also please assume that all firewall interfaces (both internal/external) end with .1 (x.x.x.1)

2. There is a web application published on the corporate office at 4.4.4.100:80 (port-forwarded to 192.168.0.100:80)

3. We would like branch office users to be able to access the web server, encrypted, through IPSec.  We are NOT allowed to deploy SSL certs on the web server.

4. We CANNOT change branch office nor HQ internal IP subnet.

5. HQ does not need to access any information in the branches.



Since every location uses the same internal IP, traditionally it is impossible to do any IPSec tunnel as the traffic would not be routable, unless we use an advanced VPN concentrator that does NAT on each inbound tunnel.  ($$$$$ - can't afford it.)

Therefore, the solution is to only encrypt their public IP addresses on each side - aka all traffic is NAT'ed by each location's firewall before entering the IPSec tunnel.  Since public IPs are unique, there will not be any routing issues.

Long story short, we would want the IPSec configuration on Branch-1 to be as follows:

Peer:  4.4.4.1 (HQ firewall)
Local network: 5.5.5.1/32 (Branch outside IPs)
Remote network: 4.4.4.100/32 (HQ Web Server public IP)

(Phase-1/2 auth/encryption is irrelevant in this conversation as we can choose whatever we want, we just need to set them to be identical.)

Can it be done on a m0n0wall?

Note:  We know for a fact that this is a "legal" IPSec implementation, and have successfully done so with Cisco firewalls (PIX 501, 515, 5510 all work).  Therefore it is not "impossible".  What I'd like to know is whether m0n0wall will support this, since even a cheap PIX with an unlimited license approaches $1k.

I did look at m0n0wall a few years ago as a potential solution, but back then this feature was specifically stated as "not-supported".  However I think m0n0wall was still in 1.1 or 1.2 when I last looked at it.  That said, I wonder if anyone knows whether the latest m0n0wall version supports this IPSec tunnel implementation - I looked around the forum and the documentation for a good hour and couldn't find a definitive answer.

If there is an existing thread that you can point me to, it will also be greatly appreciated.  Thanks in advance for all your help!!

Best regards,



Wallace
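The post's core claim is that the tunnel is unroutable when both ends use 192.168.0.0/24 as their traffic selectors, and becomes routable once each side's firewall NATs inner traffic to its public address so the selectors are unique public /32s. The script below is an added example, not code from the post or from the m0n0wall project: it models the site table the post describes (the 4.4.4.x/5.5.5.x/... ranges are the post's own placeholders, reused here as constructed data) and checks both designs for selector overlap, including the HQ side, which ends up with one remote /32 per branch and needs those to be disjoint too.

```python
# Added example (not from the forum post or the m0n0wall project): a small
# routability check for the overlapping-subnet IPsec design described above.
# The site table is constructed from the post's placeholder addresses.
from ipaddress import ip_address, ip_network

HQ_WEB_PUBLIC = "4.4.4.100"  # public address of the published web app (from the post)

# Every site reuses 192.168.0.0/24 internally; only the public ranges differ.
SITES = {
    "HQ":      {"internal": "192.168.0.0/24", "external": "4.4.4.0/24", "fw": "4.4.4.1"},
    "Branch1": {"internal": "192.168.0.0/24", "external": "5.5.5.0/24", "fw": "5.5.5.1"},
    "Branch2": {"internal": "192.168.0.0/24", "external": "6.6.6.0/24", "fw": "6.6.6.1"},
    "Branch3": {"internal": "192.168.0.0/24", "external": "7.7.7.0/24", "fw": "7.7.7.1"},
    "Branch4": {"internal": "192.168.0.0/24", "external": "8.8.8.0/24", "fw": "8.8.8.1"},
}


def overlapping_pairs(selectors):
    """Return every pair of named networks that overlap.

    If two selectors overlap, a peer cannot tell the other side's hosts from
    its own, so any overlap means the tunnel is not routable.
    """
    nets = [(name, ip_network(cidr)) for name, cidr in selectors.items()]
    return [
        (a_name, b_name)
        for i, (a_name, a) in enumerate(nets)
        for b_name, b in nets[i + 1:]
        if a.overlaps(b)
    ]


def branch_tunnel_selectors(branch, nat_before_ipsec):
    """Local/remote selectors a branch would configure for its tunnel to HQ.

    nat_before_ipsec=False: the naive design, internal subnets on both ends.
    nat_before_ipsec=True:  the post's design, each side contributes one public /32.
    """
    if nat_before_ipsec:
        return f"{SITES[branch]['fw']}/32", f"{HQ_WEB_PUBLIC}/32"
    return SITES[branch]["internal"], SITES["HQ"]["internal"]


def selectors_routable(local, remote):
    """A tunnel is routable only if its two selectors are disjoint."""
    return not ip_network(local).overlaps(ip_network(remote))


def branch_source_nat(inner_src, branch):
    """Model the branch firewall's outbound NAT: an internal host becomes the
    firewall's public address before the packet is matched against the tunnel."""
    if ip_address(inner_src) not in ip_network(SITES[branch]["internal"]):
        raise ValueError(f"{inner_src} is not inside {branch}'s internal subnet")
    return SITES[branch]["fw"]


def matches_selector(src, dst, local, remote):
    """Would a packet src->dst be carried by a tunnel with these selectors?"""
    return ip_address(src) in ip_network(local) and ip_address(dst) in ip_network(remote)


def hq_remote_selectors():
    """The remote selectors HQ ends up with, one per branch tunnel. These must
    not overlap either, or HQ could not pick the right tunnel for return traffic."""
    return {name: f"{site['fw']}/32" for name, site in SITES.items() if name != "HQ"}


if __name__ == "__main__":
    internals = {name: site["internal"] for name, site in SITES.items()}
    print("internal-subnet overlaps:", overlapping_pairs(internals))
    for nat in (False, True):
        local, remote = branch_tunnel_selectors("Branch1", nat)
        print(f"NAT before IPsec={nat}: {local} <-> {remote} "
              f"routable={selectors_routable(local, remote)}")
    src = branch_source_nat("192.168.0.50", "Branch1")
    local, remote = branch_tunnel_selectors("Branch1", True)
    print("after NAT", src, "matches tunnel:",
          matches_selector(src, HQ_WEB_PUBLIC, local, remote))
    print("HQ remote selector overlaps:", overlapping_pairs(hq_remote_selectors()))
```

Run as a script it prints the ten overlapping internal-subnet pairs, shows the naive Branch1 tunnel as unroutable and the NAT'ed one as routable, and confirms that a pre-NAT source of 192.168.0.50 would never match the 5.5.5.1/32 selector, which is why the NAT has to happen before the IPsec policy lookup. The check the model cannot make for you is order of operations on the HQ firewall: decrypted packets arrive addressed to 4.4.4.100, so the 4.4.4.100:80 port forward must also apply to traffic coming out of the tunnel, or the web server is never reached.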
 