Hi,
We have a scenario where our support team requires access to customer sites over an IPSEC tunnel whilst "on the road", but only when the PPTP client is in a specific IP address range.
We have a M0n0wall in place providing both a PPTP Server and connecting multiple IPSEC tunnels to some of our clients on the same device.
When a user is on the local LAN and needs to connect to a customer network they must be within a specific IP and subnet to allow traffic over an IPSEC tunnel, and it works great. M0n0wall is also great for allowing PPTP clients to access the LAN from home/road, etc.
As for utilising the RADIUS server and assigning an IP address from MS Active Directory, this also works as expected. So we can either use the m0n0wall PPTP server to auto-assign from its own "pool" or hard-code an IP with Active Directory.
However, the scenario we are trying to achieve is having a specific IP Address assigned in AD for a given support member which falls within the permitted IP Address range for the IPSEC tunnels to then gain access to the customer network via a PPTP connection. Setting up the IP and being assigned works okay, but we cannot get traffic to the customer site over the IPSEC tunnel. Is this at all possible using M0n0wall, or is it too complex to achieve and does anyone have any suggestions/alternatives?
A quick "guide" of what we want to achieve.
IPSEC tunnel to customer site already in place. Customer IP address range is 123.123.123.0/24 with local ip permitted as 10.10.10.0/24 and appropriate LAN firewall rules & Gateways setup.
Normal PPTP range assigned from M0n0wall is 10.20.10.0/28
Engineer PPTP dials in --> is assigned IP 10.10.10.10 from AD instead of M0n0wall --> assigned address is then within the IPSEC permitted range --> Engineer can then connect over PPTP, routed through m0n0, over the IPSEC tunnel to the customer site and VNC/RDP to a customer machine.
i.e. PPTP client --> m0n0wall --> IPSEC tunnel --> customer network.
Any suggestions or alternatives to achieve the above would be most welcome.
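The following is an added example, not code from the post or from m0n0wall: a small Python model of the selector check that a policy-based IPsec stack performs, using the addresses the post gives (tunnel local selector 10.10.10.0/24, customer 123.123.123.0/24, default PPTP pool 10.20.10.0/28, AD-assigned engineer address 10.10.10.10). It shows why a client from the normal pool can never use the tunnel and why a client at 10.10.10.10 passes the selector test in both directions. The single-policy SPD and the sample packets are constructed for illustration; the function names are my own.

```python
"""Policy-based IPsec selector matching, modelled for the scenario in the post.

Added example; not code from the post or from m0n0wall.  The SPD below is a
constructed stand-in for the one tunnel the poster describes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    name: str
    local: IPv4Network   # phase 2 "local" selector (our side)
    remote: IPv4Network  # phase 2 "remote" selector (customer side)


# Constructed SPD: the customer tunnel from the post, nothing else.
SPD: List[Policy] = [
    Policy("customer-tunnel",
           IPv4Network("10.10.10.0/24"),
           IPv4Network("123.123.123.0/24")),
]


def match_outbound(src: str, dst: str, spd: List[Policy] = SPD) -> Optional[Policy]:
    """Policy covering an outbound packet src->dst, or None.

    None means the packet is not selected for the tunnel: it is routed in the
    clear to the default gateway (or dropped), which is what a client from the
    10.20.10.0/28 pool experiences.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    for p in spd:
        if s in p.local and d in p.remote:
            return p
    return None


def match_inbound(src: str, dst: str, spd: List[Policy] = SPD) -> Optional[Policy]:
    """Mirror check for the decapsulated reply: src in remote, dst in local."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for p in spd:
        if s in p.remote and d in p.local:
            return p
    return None


def tunnel_usable(client_ip: str, target_ip: str, spd: List[Policy] = SPD) -> bool:
    """A PPTP client reaches a customer host only if both directions select
    the tunnel; the selector test is necessary, not sufficient (firewall
    rules on the PPTP interface and a route for the reply still apply)."""
    return (match_outbound(client_ip, target_ip, spd) is not None
            and match_inbound(target_ip, client_ip, spd) is not None)


def pool_covered(pool: str, spd: List[Policy] = SPD) -> bool:
    """True if every address in a PPTP pool lies inside some tunnel's local
    selector, i.e. the whole pool could use the tunnel without per-user AD
    addresses.  Hypothetical alternative to the per-engineer AD assignment."""
    net = IPv4Network(pool)
    return any(net.subnet_of(p.local) for p in spd)


if __name__ == "__main__":
    for client in ("10.10.10.10", "10.20.10.3"):
        print(client, "->", "123.123.123.50:",
              "selected" if tunnel_usable(client, "123.123.123.50") else "not selected")
    print("pool 10.20.10.0/28 inside selector:", pool_covered("10.20.10.0/28"))
    print("pool 10.10.10.128/28 inside selector:", pool_covered("10.10.10.128/28"))
```

Two caveats the model makes visible. First, matching the selector only says the packet is eligible for the tunnel; the packet is still subject to the firewall rules applied to the PPTP interface (assuming, as on m0n0wall, PPTP clients are filtered separately from the LAN rules the post mentions), and the customer's reply to 10.10.10.10 must be routed back to the PPTP session rather than to the LAN. Second, if 10.10.10.0/24 is also the LAN subnet, the AD-assigned address must not collide with an existing LAN host; carving a dedicated sub-range of the selector for PPTP (as `pool_covered` checks) avoids that collision.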