<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Gary Danko wrote:
<blockquote
cite="mid3086.68.15.15.34.1116343831.squirrel@webmail.s00p.com"
type="cite">
<blockquote type="cite">
<pre wrap="">Gary Danko wrote:
</pre>
<blockquote type="cite">
<pre wrap="">I've done quite a bit of research and I am led to believe my desired
configuration is not possible. Have a look at my small ASCII diagram and
let me know if you think I can pull this off.
<--- Begin Diagram --->
10.0.0.0/24 (Private HQ network)
|
|
10.0.0.1 (Smoothwall 2.0 w/Openswan 1.0.8 GREEN interface)
68.xx.xx.34 (Smoothwall RED interface)
|
|
Public Internet
|
|
209.xx.xx.244 (OpenSwan 2.3.1 on FC3 LeftIP)
209.xx.xx.0/24 (OpenSwan 2.3.1 on FC3 LeftSubnet, public COLO network)
<--- End Diagram --->
All of my reading has told me that because my LeftIP and LeftSubnet are
on the same network I cannot have a VPN connection between my co-location
facility and my HQ's network.
Is there a way to facilitate this configuration that I have overlooked?
I've checked documentation, usenet, the web, forums, and so forth.. I
cannot find anything supporting this sort of configuration.
Thanks in advance.
_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<pre wrap="">I would think there would be some kind of work around... You probably
need to have some sort of virtual net interface which pretends to be a
LAN card and have a LAN IP. This would seem to be more secure than
trying to use your Internet IP as the LAN (private) IP on your server @
the co-lo. I'm kind of interested in this solution as well, because I
have 3 servers...it would be nice to be able to access a little bit more
than what other people can, and do it "directly". For instance...if I
wanted to run a Samba share over IPSEC...that'd be great :) I think
this is very possible, so keep on looking around for the answer if you
don't get it here :) I'm probably going to try to set this up some day
if possible.
-Phillip
</pre>
</blockquote>
<pre wrap="">
I tried a variation of what Paul suggested.
I changed the GREEN interface on my Smoothie at the datacenter to
192.168.1.1. I then added a second IP 192.168.1.197 (197 corresponds to
its public IP) to one of my machines at the datacenter. After that I added
a static route on the machine for testing purposes.
10.0.0.0 255.255.255.0 192.168.1.1
My VPN was a success. I can ping, remote desktop, everything back and
forth between the two.
I just need to assign the IP 192.168.1.2 to the router and add a static
route at that level.
So far so good.
</pre>
</blockquote>
<br>
Good news :) I don't know that adding a second IP would be the best
idea...guess it shouldn't be a problem as long as you have a few good
iptables rules. Theoretically someone could add an IP in the same
range and have access to your co-lo server AND your other location as
well...if iptables is not properly set up... I missed Paul's
suggestion, so he might have already suggested something of this nature,
so forgive me if I'm wasting your time :)<br>
<br>
-Phillip<br>
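<br>
As an added example that is not part of the thread (not Gary's or Paul's configuration): the colo-side Openswan 2.x ipsec.conf conn that the workaround above implies, assuming the colo gateway whose inner address is 192.168.1.1 runs Openswan and the HQ Smoothwall is the other end. The conn name and the pre-shared-key choice are mine, and the xx octets are kept exactly as the poster elided them.<br>
<br>
```ini
# /etc/ipsec.conf on the co-location gateway (added example, not from the thread)
config setup
    # public side of the colo gateway; Openswan picks the interface from the default route
    interfaces=%defaultroute

conn colo-to-hq
    type=tunnel
    # shared secret lives in /etc/ipsec.secrets (authby=secret); certificates work equally well
    authby=secret

    # colo end: public address stays the tunnel endpoint, but the *subnet* carried
    # inside the tunnel is the private alias range, NOT the public 209.xx.xx.0/24.
    # This is the whole point of the workaround: LeftIP and LeftSubnet no longer overlap.
    left=209.xx.xx.244          # xx kept as elided in the original post
    leftsubnet=192.168.1.0/24   # inner side of the gateway is 192.168.1.1
    leftnexthop=%defaultroute

    # HQ end: Smoothwall RED interface and the private HQ LAN behind GREEN
    right=68.xx.xx.34           # xx kept as elided in the original post
    rightsubnet=10.0.0.0/24
    rightnexthop=%defaultroute

    auto=start

# On each colo host that should use the tunnel (done by hand in the thread):
#   secondary address  : 192.168.1.197/24 added to the LAN-facing interface
#   static route       : 10.0.0.0/24 via 192.168.1.1
# Only traffic sourced from 192.168.1.0/24 matches leftsubnet and enters the tunnel;
# packets from a host's public 209.xx.xx.x address are not encrypted by this conn.
```
<br>
Note that leftsubnet only selects what Openswan encrypts; it does not stop another host on the public colo /24 from adding a 192.168.1.x address, which is the gap Phillip's iptables remark refers to, so the gateway's filter rules (not this file) must limit which hosts may source 192.168.1.0/24 traffic.<br>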
</body>
</html>