Date:      Mon, 17 Mar 2003 12:05:21 -0800 (PST)
From:      "W. J. Williams" <will@willardjwilliams.com>
To:        IAccounts <iaccounts@northnetworks.ca>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: five networks
Message-ID:  <20030317200521.24044.qmail@web13505.mail.yahoo.com>
In-Reply-To: <20030317114901.N27870-100000@diana.northnetworks.ca>

PS: yes! Very interested in your links as well as your Perl script... I
also have been doing research and decided on Racoon as the program to use
to set up my VPN... I was planning on following a doc written by Dru Lavigne
http://www.onlamp.com/lpt/a/3043

what do you think?

--- IAccounts <iaccounts@northnetworks.ca> wrote:
> > yes, purely for experimenting...I have a lab of different PCs and am
> > LEARNING as much as possible about FreeBSD.  Once I iron out this routing
> > thing (that I don't understand as well as most), I will move on to
> > simulating a VPN between different sites throughout America.  All the
> > machines are currently in the same network, same subnet 192.168.0
> 
> 
> If you are doing complete development, with no Internet in between, the
> diagram below may help. There are a couple of things to note:
> 
> - When setting up a net-net VPN, the internal network IDs must be
> different from each other. Note that I have used 192.168.0.0 on one side,
> and 192.168.2.0 on the other. This has to be, due to routing issues, and
> they will become more apparent when you search Google for VPN setup
> howtos.
> 
> - Note the 172.16.x.x addresses. This is the simulated WAN link between
> your VPN gateways. For testing, you will need these two router addresses
> to be on the same subnet. In the real world, any external Internet IP will
> work, but they need to stay static so the VPN boxes can see each other all
> of the time. Instead of using a DSL router, turn your FreeBSD box into a
> PPPoE server so you can plug the modem directly into your server, as
> opposed to going through a residential gateway. This will alleviate many
> issues when setting up the VPN.
> 
> - To bring yourself up to speed with routing, search Google for
> 'subnetting' and I think it will help clear up some misconceptions you
> have.
> 
> - I did develop an automated Perl VPN setup program, where it will ask you
> several questions, including IPs, hostnames and such, and will generate 2
> scripts: 1 for the local gateway and one for the remote. These scripts are
> put into the /usr/local/etc/rc.d directories and are run at startup. They
> take the liberty of creating all required information for the VPN tunnel,
> including configuring gif interfaces, configuring routing, setting up
> natd, and configuring IPsec and the associated keys. Note that it is ONLY
> capable of using manual keys at this time, but will be changed soon to use
> Racoon.
> 
> Advise if you would like to try it out and I will put it on one of my
> sites for you.
> 
> Took me a few months to get this exact setup up and running, but patience,
> diligence and many hours of reading users' notes got me through it. I did
> go in with a very strong knowledge of routing though. If you like, I can
> send you some of the docs that I found. Let me know and when I get home I
> can send you the links.
> 
> *** All hosts up here will have:
> 	IP: 192.168.0.x
> 	SN: 255.255.255.0 (/24)(default)
> 	GW: 192.168.0.1
> 
> *** This router will need these routes set up: (shown as unix commands):
> 	# route add 192.168.2.0/24 172.16.1.2
> 
> 192.168.0.0 (all of your hosts get IP's on this network)
> ------------
> 	|
> 	|
> 	|
> -------------
> 192.168.0.1 (your FBSD router, this is your internal interface)
> 172.16.1.1 (external interface simulating WAN)
> -------------
> 	|
> 	|
> 	| (Simulated Internet link for VPN Experiment Setup)
> 	| (Just use an X/0 cable)
> 	|
> 	|
> -------------
> 172.16.1.2 (external interface on remote network router)
> 192.168.2.1 (internal iface. Note the different subnet!!!)
> ------------
> 	|
> 	|
> 	|
> --------------
> 192.168.2.0 (your hosts on your remote network get these ip's)
> 
> *** This router will need these routes set up: (shown as unix commands):
> 	# route add 192.168.0.0/24 172.16.1.1
> 
> *** Hosts down here will have:
> 	IP: 192.168.2.x
> 	SN: 255.255.255.0 (/24)(default)
> 	GW: 192.168.2.1
> 
> 
> 
> Following these minimum directions, you will be able to ping any host from
> any host over the simulated WAN link, provided you don't have any IPFW (or
> firewall) rules blocking traffic.
> 
> Once this config is complete, then you can proceed with the VPN config,
> which is a whole other world.
> 
> If you are doing this over the Internet, be advised that you will not be
> able to ping a host on 192.168.2 from 192.168.0 as the first true Internet
> router will drop this traffic. The above setup will ONLY work in a test
> environment. When you go hot online for real, in order to ping across, you
> will need the VPN tunnel in place.
> 
> Hope this gives you at least some direction to where you are headed.
> 
> Steve

=====
Will Williams

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
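The two points Steve's reply turns on are that the two internal networks must not overlap and that the two router addresses on the simulated WAN link must share a subnet; get either wrong and the `route add` lines in the diagram cannot work. The following is an added example, not code from this thread and not Steve's Perl tool: it encodes the thread's addressing plan, checks those conditions, emits the FreeBSD `ifconfig`/`route add` commands for each router, and walks the hop-by-hop forwarding decision for a ping from one LAN to the other. The interface names `fxp0`/`fxp1` and the /24 mask on the 172.16.1.0 link are assumptions (the thread only says the WAN addresses must be on the same subnet).

```python
"""Sanity checks and command generation for the two-router lab in the thread.

Added example; not code from the thread or from the Perl tool mentioned in it.
Interface names (fxp0/fxp1) and the /24 mask on the simulated WAN link are
assumptions: the thread only requires the two WAN addresses to share a subnet.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    lan: str       # internal network, e.g. "192.168.0.0/24"
    lan_gw: str    # router's internal address (the hosts' default gateway)
    lan_if: str    # internal interface name (assumed)
    wan_addr: str  # router's address on the simulated WAN link, with prefix
    wan_if: str    # external interface name (assumed)


# The thread's own addressing plan (interface names are assumed).
SITE_A = Site("local", "192.168.0.0/24", "192.168.0.1", "fxp0", "172.16.1.1/24", "fxp1")
SITE_B = Site("remote", "192.168.2.0/24", "192.168.2.1", "fxp0", "172.16.1.2/24", "fxp1")


def check_plan(a, b):
    """Return a list of problems; an empty list means the plan is routable."""
    problems = []
    lan_a, lan_b = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    wan_a, wan_b = ipaddress.ip_interface(a.wan_addr), ipaddress.ip_interface(b.wan_addr)

    # Steve's first point: with both sites on 192.168.0.0/24 a router would
    # treat the remote LAN as directly connected and never forward to it.
    if lan_a.overlaps(lan_b):
        problems.append(f"internal networks overlap: {lan_a} and {lan_b}")
    # The WAN link must be disjoint from both LANs for the same reason.
    for lan in (lan_a, lan_b):
        if wan_a.network.overlaps(lan):
            problems.append(f"WAN link {wan_a.network} overlaps LAN {lan}")
    # Second point: in the lab the two router WAN addresses share one subnet...
    if wan_a.network != wan_b.network:
        problems.append(f"WAN addresses on different subnets: {wan_a} vs {wan_b}")
    # ...and must not be the same address.
    elif wan_a.ip == wan_b.ip:
        problems.append(f"both routers use WAN address {wan_a.ip}")
    # Each router's internal address has to sit inside its own LAN.
    for site, lan in ((a, lan_a), (b, lan_b)):
        if ipaddress.ip_address(site.lan_gw) not in lan:
            problems.append(f"{site.name}: gateway {site.lan_gw} not in {lan}")
    return problems


def router_commands(local, remote):
    """FreeBSD commands for the `local` router: address both interfaces,
    enable forwarding, and add the static route to the remote LAN via the
    remote router's WAN address (the `route add` line from the diagram)."""
    lan = ipaddress.ip_network(local.lan)
    wan = ipaddress.ip_interface(local.wan_addr)
    remote_lan = ipaddress.ip_network(remote.lan)
    remote_wan = ipaddress.ip_interface(remote.wan_addr).ip
    return [
        f"ifconfig {local.lan_if} inet {local.lan_gw} netmask {lan.netmask}",
        f"ifconfig {local.wan_if} inet {wan.ip} netmask {wan.netmask}",
        "sysctl net.inet.ip.forwarding=1",
        f"route add {remote_lan.with_prefixlen} {remote_wan}",
    ]


def forwarding_path(src, dst, a, b):
    """Hop-by-hop next-hop decisions for a packet from a host in a.lan to a
    host in b.lan once the routes above exist.  Raises when a next hop is
    not on-link, which is what happens if the WAN addresses differ in subnet."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    lan_a, lan_b = ipaddress.ip_network(a.lan), ipaddress.ip_network(b.lan)
    if src_ip not in lan_a or dst_ip not in lan_b:
        raise ValueError("src must be in a.lan and dst in b.lan")
    wan_a, wan_b = ipaddress.ip_interface(a.wan_addr), ipaddress.ip_interface(b.wan_addr)
    hops = [str(src_ip)]
    hops.append(a.lan_gw)               # host: dst is off-link -> default gateway
    if wan_b.ip not in wan_a.network:   # router a: static route's next hop must be on-link
        raise ValueError(f"next hop {wan_b.ip} is not on {wan_a.network}")
    hops.append(str(wan_b.ip))
    hops.append(str(dst_ip))            # router b: dst is on its directly connected LAN
    return hops


if __name__ == "__main__":
    for p in check_plan(SITE_A, SITE_B):
        print("PROBLEM:", p)
    for site, other in ((SITE_A, SITE_B), (SITE_B, SITE_A)):
        print(f"# {site.name} router")
        for cmd in router_commands(site, other):
            print(cmd)
    print(" -> ".join(forwarding_path("192.168.0.10", "192.168.2.20", SITE_A, SITE_B)))
```

Running it with the thread's plan reports no problems and prints the two `route add` lines from the diagram; changing `SITE_B` to use 192.168.0.0/24 as well reproduces the overlap Steve warns about, and moving one WAN address to another subnet makes `forwarding_path` fail at the router's next-hop check. As the thread says, this only covers the plain-routing stage; the IPsec/gif tunnel is a separate step.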