Complex VPN?
René Matthäi
08-08-2003, 03:27 PM
Hi,

The subject could also have been something similar to "with 2x NA(P)T,
N2N, P2N, 2x DSL + 2x T1" but I didn't want to scare anyone... :-)

I want to set up a VPN between 2 sites of a company and for road
warriors. VPN GW and road warriors should be NATed on both sides via
(2) FW. Looks more or less as follows (only one side, other is the
same. road warriors connected via dyn. IPs):

LAN1--+--FW2/NAT--+--FW1/NAT---DSL
      |           |        |
      |           |        +------T1
     VPN         DMZ
     -GW

LAN1: 192.168.1.x
VPN-GW: 192.168.1.250
FW2/NAT: 192.168.1.251 and 192.168.100.251
- does NA(P)T from 192.168.1.x to 192.168.100.x
- marks certain traffic
DMZ: 192.168.100.x
FW1/NAT: 192.168.100.250 and 131.84.219.250
- does NA(P)T from 192.168.100.x to 131.84.219.x
- sends marked traffic over DSL, other over T1

You can comment on this network setup but please don't suggest a
completely different setup - it is like that and won't easily be
changed in the near future... :-)

I would like to put the VPN GW inside the LANx on each side - but if
you think this is complete bullshit, please tell me. Moreover, I would
really like to use Linux with FreeS/WAN or OpenBSD on both sides. Road
warriors can have different OSes. Firewalls are based on netfilter.

Is something like this possible with ESP in tunnel mode and IPSec
PassThrough?

I would really appreciate some nice comments on this. I started
learning about the whole VPN thing some weeks ago and have learned a
lot so far. But some things are still quite confusing...

Greetings,

René Matthäi
 
redhat_devel
08-08-2003, 04:15 PM

CIPE would be better to do this rather than FreeS/WAN, since you can
route CIPE traffic, unlike IPSec.

--
"Windows: In a world without fences, who needs gates?"

 
bob smith
08-11-2003, 09:47 PM
What does the dataflow look like? I am not sure I follow where the
roadie connects, I assumed from your description you have something like:
a---------big internet-----a
where "a" is your diagram below, and big internet is either T1 or DSL
connection. But I don't see the VPN connection, I don't know what your
shorthand with it just hanging off the intranet means. Could you explain?
thanks
bob

René Matthäi wrote:

> Hi,
>
> subject could also have been something similar to "with 2x NA(P)T,
> N2N, P2N, 2x DSL + 2x T1" but I didn't want to scare anyone... :-)
>
> I want to set up a VPN between 2 sites of a company and for road
> warriors. VPN GW and road warriors should be NATed on both sides via
> (2) FW. Looks more or less as follows (only one side, other is the
> same. road warriors connected via dyn. IPs):
>
> LAN1--+--FW2/NAT--+--FW1/NAT---DSL
>       |           |        |
>       |           |        +------T1
>      VPN         DMZ
>      -GW
>
> LAN1: 192.168.1.x
> VPN-GW: 192.168.1.250
> FW2/NAT: 192.168.1.251 and 192.168.100.251
> - does NA(P)T from 192.168.1.x to 192.168.100.x
> - marks certain traffic
> DMZ: 192.168.100.x
> FW1/NAT: 192.168.100.250 and 131.84.219.250
> - does NA(P)T from 192.168.100.x to 131.84.219.x
> - sends marked traffic over DSL, other over T1
>
> You can comment on this network setup but please don't suggest
> completely different setup - it is like that and won't easily be
> changed in the near future... :-)
>
> I would like to put the VPN GW inside the LANx on each side - but if
> you think this is complete bullshit, please tell me. Moreover, I would
> really like to use Linux with FreeS/WAN or OpenBSD on both sides. Road
> warriors can have different OSes. Firewalls are based on netfilter.
>
> Is something like this possible with ESP in tunnel mode and IPSec
> PassThrough.
>
> I would really appreciate some nice comments on this. I started
> learning about the whole VPN thing some weeks ago and have learned a
> lot so far. But some things are still quite confusing...
>
> Greetings,
>
> René Matthäi


 
René Matthäi
08-12-2003, 09:13 AM
Hi,

bob smith <(E-Mail Removed)> wrote in message news:<X9UZa.1389$(E-Mail Removed)>...
>
> René Matthäi wrote:
>
> > LAN1--+--FW2/NAT--+--FW1/NAT---DSL
> >       |           |        |
> >       |           |        +------T1
> >      VPN         DMZ
> >      -GW
> >
> > LAN1: 192.168.1.x
> > VPN-GW: 192.168.1.250
> > FW2/NAT: 192.168.1.251 and 192.168.100.251
> > - does NA(P)T from 192.168.1.x to 192.168.100.x
> > - marks certain traffic
> > DMZ: 192.168.100.x
> > FW1/NAT: 192.168.100.250 and 131.84.219.250
> > - does NA(P)T from 192.168.100.x to 131.84.219.x
> > - sends marked traffic over DSL, other over T1

>
> What does the dataflow look like? I am not sure I follow where the
> roadie connects, I assumed from your description you have something like:
>
> a---------big internet-----a
> where "a" is your diagram below, and big internet is either T1 or DSL
> connection. But I don't see the VPN connection, I don't know what your
> shorthand with it just hanging off the intranet means. Could you explain?


The VPN connection is from the intranet on the one side through the
firewall1, Internet and FW2 to the other side's VPN gateway inside the
other side's intranet. In short: From intranet to intranet
(NA(P?)Ted).

Road warriors also connect to the VPN GW inside intranet (on one
company's site, not both).

We have only one point on either side with internet access to: the
FWs. So the VPN GW, which should therefore be on a special machine,
lies behind the GW, NA(P?)Ted, with such things like portforwarding.

Greetings,

René
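The port forwarding René describes here, and the "ESP in tunnel mode and IPSec PassThrough" question from the opening post, come down to a small set of netfilter rules on each of the two firewalls. The script below is an added example for this thread, not code from the posts, from FreeS/WAN or from any of the projects mentioned. The addresses are the ones given in the thread (FW1 public side 131.84.219.250, FW2 DMZ side 192.168.100.251, VPN GW 192.168.1.250); the interface names eth0 / FW1_WAN_IF / FW2_DMZ_IF and the function names are assumptions. Run as-is it only prints the rules; with APPLY=1 it executes them.

```shell
#!/bin/sh
# Added example, not from the thread: netfilter rules that hand IPsec traffic
# arriving at a public address on to a VPN gateway one NAT hop further in.
# Addresses follow the thread (FW1 public 131.84.219.250, FW2 DMZ side
# 192.168.100.251, VPN GW 192.168.1.250); interface names are assumptions.
# Run as-is it only prints the rules; APPLY=1 executes them with iptables.

# ipsec_passthrough_rules <wan_if> <public_ip> <inside_ip>
# Prints, one per line, rules that DNAT IKE (UDP 500), NAT-Traversal
# (UDP 4500) and ESP (IP protocol 50) sent to <public_ip> on to <inside_ip>
# and accept both directions of that traffic in FORWARD. AH (protocol 51)
# is left out on purpose: its integrity check covers the outer IP header,
# so any NAT rewrite breaks it.
ipsec_passthrough_rules() {
    wan_if=$1
    public_ip=$2
    inside_ip=$3
    cat <<EOF
iptables -t nat -A PREROUTING -i $wan_if -d $public_ip -p udp --dport 500 -j DNAT --to-destination $inside_ip:500
iptables -t nat -A PREROUTING -i $wan_if -d $public_ip -p udp --dport 4500 -j DNAT --to-destination $inside_ip:4500
iptables -t nat -A PREROUTING -i $wan_if -d $public_ip -p esp -j DNAT --to-destination $inside_ip
iptables -A FORWARD -i $wan_if -d $inside_ip -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A FORWARD -i $wan_if -d $inside_ip -p esp -j ACCEPT
iptables -A FORWARD -o $wan_if -s $inside_ip -p udp -m multiport --sports 500,4500 -j ACCEPT
iptables -A FORWARD -o $wan_if -s $inside_ip -p esp -j ACCEPT
EOF
}

# FW1: public side -> FW2's DMZ address. FW2: DMZ side -> VPN GW on the LAN.
# Outbound traffic from the VPN GW is rewritten by the NA(P)T already
# running on each firewall, so no extra SNAT rule is needed for it.
fw1_rules() { ipsec_passthrough_rules "${FW1_WAN_IF:-eth0}" 131.84.219.250 192.168.100.251; }
fw2_rules() { ipsec_passthrough_rules "${FW2_DMZ_IF:-eth0}" 192.168.100.251 192.168.1.250; }

# Number of rules a generator emits (sanity check before applying).
rule_count() { "$1" | grep -c '^iptables '; }

main() {
    for gen in fw1_rules fw2_rules; do
        echo "# $gen"
        if [ "${APPLY:-0}" = 1 ]; then "$gen" | sh -e; else "$gen"; fi
    done
}
main
```

Two things worth knowing before relying on this. ESP in tunnel mode survives NAT because its integrity check does not cover the outer IP header, but ESP carries no port numbers, so a NAPT can only map one ESP endpoint per public address sensibly; one VPN gateway per site is fine, while several road warriors behind the same home or hotel NAT need NAT-Traversal (ESP in UDP 4500) on both ends. And IKEv1 main mode with pre-shared keys looks the key up by the peer's IP address, which the NAT and the dynamic addresses here both change, so road warriors usually end up with certificates or aggressive mode instead.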
 