Date: Mon, 17 Mar 2003 12:26:58 -0500 (EST)
From: IAccounts <iaccounts@northnetworks.ca>
To: "W. J. Williams" <will@willardjwilliams.com>
Cc: Bill Moran <wmoran@potentialtech.com>, <freebsd-questions@FreeBSD.ORG>
Subject: Re: five networks
Message-ID: <20030317114901.N27870-100000@diana.northnetworks.ca>
In-Reply-To: <20030315194054.93598.qmail@web13508.mail.yahoo.com>
> yes, purely for experimenting...I have a lab of different PCs and am
> LEARNING as much as possible about FreeBSD. Once I iron out this routing
> thing (that I don't understand as well as most), I will move on to
> simulating a VPN between different sites throughout America. All the
> machines are currently in the same network, same subnet 192.168.0

If you are doing complete development, with no Internet in between, the
diagram below may help. There are a couple of things to note:

- When setting up a net-net VPN, the internal network IDs must be different
  from each other. Note that I have used 192.168.0.0 on one side, and
  192.168.2.0 on the other. This has to be, due to routing issues, and they
  will become more apparent when you search Google for VPN setup howtos.

- Note the 172.16.x.x addresses. This is the simulated WAN link between your
  VPN gateways. For testing, you will need these two router addresses to be
  on the same subnet. In the real world, any external Internet IP will work,
  but they need to stay static so each VPN box can see the other all of the
  time. Instead of using a DSL router, turn your FreeBSD box into a PPPoE
  server so you can plug the modem directly into your server, as opposed to
  going through a residential gateway. This will alleviate many issues when
  setting up the VPN.

- To bring yourself up to speed with routing, search Google for
  'subnetting' and I think it will help clear up some misconceptions you
  have.

- I did develop an automated Perl VPN setup program, where it will ask you
  several questions, including IPs, hostnames and such, and will generate
  2 scripts: 1 for the local gateway and one for the remote. These scripts
  are put into the /usr/local/etc/rc.d directories and are run at startup.
  They take the liberty of creating all required information for the VPN
  tunnel, including configuring gif interfaces, configuring routing, setting
  up natd, and configuring IPsec and the associated keys.

  Note that it is ONLY capable of using manual keys at this time, but will
  be changed soon to use racoon. Advise if you would like to try it out and
  I will put it on one of my sites for you.

Took me a few months to get this exact setup up and running, but patience,
diligence and many hours of reading users' notes got me through it. I did
go in with a very strong knowledge of routing though. If you like, I can
send you some of the docs that I found. Let me know and when I get home I
can send you the links.

*** All hosts up here will have:
    IP: 192.168.0.x
    SN: 255.255.255.0 (/24)(default)
    GW: 192.168.0.1

*** This router will need these routes set up (shown as unix commands):
    # route add 192.168.2.0/24 172.16.1.2

     192.168.0.0 (all of your hosts get IPs on this network)
    ------------
         |
         |
         |
    -------------
    192.168.0.1 (your FBSD router, this is your internal interface)
    172.16.1.1  (external interface simulating WAN)
    -------------
         |
         |   (Simulated Internet link for VPN experiment setup)
         |   (Just use an X/0 cable)
         |
    -------------
    172.16.1.2  (external interface on remote network router)
    192.168.2.1 (internal iface. Note the different subnet!!!)
    ------------
         |
         |
         |
    --------------
    192.168.2.0 (your hosts on your remote network get these IPs)

*** This router will need these routes set up (shown as unix commands):
    # route add 192.168.0.0/24 172.16.1.1

*** Hosts down here will have:
    IP: 192.168.2.x
    SN: 255.255.255.0 (/24)(default)
    GW: 192.168.2.1

Following these minimum directions, you will be able to ping any host from
any host over the simulated WAN link, provided you don't have any IPFW (or
firewall) rules blocking traffic. Once this config is complete, then you
can proceed with the VPN config, which is a whole other world.

If you are doing this over the Internet, be advised that you will not be
able to ping a host on 192.168.2 from 192.168.0 as the first true Internet
router will drop this traffic. The above setup will ONLY work in a test
environment. When you go hot online for real, in order to ping across, you
will need the VPN tunnel in place.

Hope this gives you at least some direction to where you are headed.

Steve

>
> Will
>
> =====
> Will Williams
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
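The two rules Steve states (the internal network IDs on each side must differ, and the two WAN-side router addresses must sit in one subnet) can be checked mechanically before anyone types `route add` on a lab box. The script below is an added example, not Steve's Perl generator and not part of the original thread; the addresses are the ones from the diagram, the function names are my own, and the rc.conf variables it emits are the standard FreeBSD `gateway_enable` / `static_routes` / `route_<name>` knobs that make a static route persist across reboots (the post shows only the one-shot `route add` form).

```python
"""Validate a two-site FreeBSD lab topology and emit per-router routes.

Added example (not code from the thread). Addresses are taken from Steve's
diagram; function names are hypothetical.
"""
import ipaddress


def plan_site_to_site(left_lan, left_wan, right_lan, right_wan):
    """Check the topology and return the `route add` line for each router.

    left_lan / right_lan : internal networks in CIDR form, e.g. "192.168.0.0/24"
    left_wan / right_wan : router addresses on the simulated WAN link,
                           e.g. "172.16.1.1/24"
    Raises ValueError if either rule from the post is violated.
    """
    lan_a = ipaddress.ip_network(left_lan, strict=True)
    lan_b = ipaddress.ip_network(right_lan, strict=True)
    wan_a = ipaddress.ip_interface(left_wan)
    wan_b = ipaddress.ip_interface(right_wan)

    # Rule 1: the internal networks must not overlap, otherwise a router
    # cannot tell whether a destination is local or across the tunnel.
    if lan_a.overlaps(lan_b):
        raise ValueError(f"internal networks overlap: {lan_a} and {lan_b}")

    # Rule 2: the two WAN-side addresses must share a subnet so each router
    # reaches the other's external interface as a directly connected next hop.
    if wan_a.network != wan_b.network:
        raise ValueError(
            f"WAN addresses are not on one subnet: {wan_a} vs {wan_b}")
    if wan_a.ip == wan_b.ip:
        raise ValueError(f"both routers use the same WAN address {wan_a.ip}")

    # Same form as the post: destination network, then the next-hop router.
    return {
        "left": f"route add {lan_b} {wan_b.ip}",
        "right": f"route add {lan_a} {wan_a.ip}",
    }


def rc_conf_lines(route_name, remote_lan, next_hop):
    """rc.conf fragment for one router: enable forwarding, persist the route."""
    return [
        'gateway_enable="YES"',
        f'static_routes="{route_name}"',
        f'route_{route_name}="-net {remote_lan} {next_hop}"',
    ]


def host_settings(lan, router_index=1):
    """What every host on `lan` gets (mirrors the '*** hosts' boxes)."""
    net = ipaddress.ip_network(lan, strict=True)
    return {
        "netmask": str(net.netmask),
        "prefix": f"/{net.prefixlen}",
        "gateway": str(net[router_index]),  # router's internal address
    }


if __name__ == "__main__":
    plan = plan_site_to_site("192.168.0.0/24", "172.16.1.1/24",
                             "192.168.2.0/24", "172.16.1.2/24")
    print("left router: #", plan["left"])
    print("\n".join(rc_conf_lines("remote", "192.168.2.0/24", "172.16.1.2")))
    print("right router: #", plan["right"])
    print("hosts on 192.168.2.0/24:", host_settings("192.168.2.0/24"))
```

Running it with the diagram's addresses prints the same two `route add` commands Steve lists; feeding it 192.168.0.0/24 on both sides, or WAN addresses in different /24s, raises instead of emitting routes that would never work.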