> yes, purely for experimenting...I have a lab of different PCs and am
> LEARNING as much as possible about FreeBSD.  Once I iron out this routing
> thing (that I don't understand as well as most), I will move on to
> simulating a VPN between different sites throughout America.  All the
> machines are currently in the same network, same subnet 192.168.0


If you are doing complete development, with no Internet in between, the
following diagram below may help. There are a couple of things to note:

- When setting up a net-net VPN, the internal network IDs must be
different from each other. Note that I have used 192.168.0.0 on one side,
and 192.168.2.0 on the other. This has to be, due to routing issues, and
they will become more apparent when you search Google for VPN setup
howtos.

- Note the 172.16.x.x addresses. This is the simulated WAN link between
your VPN gateways. For testing, you will need these two router addresses
to be on the same subnet. In the real world, any external Internet IP will
work, but they need to stay static so the VPN boxes can see each other all
of the time. Instead of using a DSL router, turn your Free box into a
PPPoE server so you can plug the modem directly into your server, as
opposed to going through a residential gateway. This will alleviate many
issues when setting up the VPN.

- To bring yourself up to speed with routing, search Google for
'subnetting' and I think it will help clear up some misconceptions you
have.

- I did develop an automated Perl VPN setup program, where it will ask you
several questions, including IPs, hostnames and such, and will generate 2
scripts: 1 for the local gateway and one for the remote. These scripts are
put into the /usr/local/etc/rc.d directories and are run at startup. They
take the liberty of creating all required information for the VPN tunnel,
including configuring gif interfaces, configuring routing, setting up
natd, and configuring IPsec and the associated keys. Note that it is ONLY
capable of using manual keys at this time, but will be changed soon to use
racoon.

Advise if you would like to try it out and I will put it on one of my
sites for you.

Took me a few months to get this exact setup up and running, but patience,
diligence and many hours of reading users notes got me through it. I did
go in with a very strong knowledge of routing though. If you like, I can
send you some of the docs that I found. Let me know and when I get home I
can send you the links.

*** All hosts up here will have:
        IP: 192.168.0.x
        SN: 255.255.255.0 (/24)(default)
        GW: 192.168.0.1

*** This router will need these routes set up: (shown as unix commands):
        # route add 192.168.2.0/24 172.16.1.2

192.168.0.0 (all of your hosts get IP's on this network)
------------
        |
        |
        |
-------------
192.168.0.1 (your FBSD router, this is your internal interface)
172.16.1.1 (external interface simulating WAN)
-------------
        |
        |
        | (Simulated Internet link for VPN Experiment Setup)
        | (Just use an X/0 cable)
        |
        |
-------------
172.16.1.2 (external interface on remote network router)
192.168.2.1 (internal iface. Note the different subnet!!!)
------------
        |
        |
        |
--------------
192.168.2.0 (your hosts on your remote network get these ip's)

*** This router will need these routes set up: (shown as unix commands):
        # route add 192.168.0.0/24 172.16.1.1

*** Hosts down here will have:
        IP: 192.168.2.x
        SN: 255.255.255.0 (/24)(default)
        GW: 192.168.2.1



Following these minimum directions, you will be able to ping any host from
any host over the simulated WAN link, provided you don't have any IPFW (or
firewall) rules blocking traffic.

Once this config is complete, then you can proceed with the VPN config,
which is a whole other world.

If you are doing this over the Internet, be advised that you will not be
able to ping a host on 192.168.2 from 192.168.0 as the first true Internet
router will drop this traffic. The above setup will ONLY work in a test
environment. When you go hot online for real, in order to ping across, you
will need the VPN tunnel in place.

Hope this gives you at least some direction to where you are headed.

Steve
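As an added illustration (not part of Steve's mail or his Perl tool), a small Python script that checks the two caveats above against the diagram's addressing (distinct internal networks, both WAN addresses on the one simulated link) and emits the per-router FreeBSD commands; the interface names em0/em1 are assumptions.

```python
"""Check the two-router lab plan from the diagram and emit per-router commands."""
import ipaddress

# Constructed plan matching the diagram: two sites joined by a point-to-point
# 172.16.1.0/24 link. Interface names (em0 = WAN, em1 = LAN) are assumptions.
WAN = "172.16.1.0/24"
LAB = {
    "site_a": {"lan": "192.168.0.0/24", "lan_if": "em1", "lan_ip": "192.168.0.1",
               "wan_if": "em0", "wan_ip": "172.16.1.1"},
    "site_b": {"lan": "192.168.2.0/24", "lan_if": "em1", "lan_ip": "192.168.2.1",
               "wan_if": "em0", "wan_ip": "172.16.1.2"},
}


def check_plan(plan, wan=WAN):
    """Return a list of problems; an empty list means both caveats are satisfied."""
    problems = []
    lans = {name: ipaddress.ip_network(site["lan"]) for name, site in plan.items()}
    a, b = lans["site_a"], lans["site_b"]
    if a.overlaps(b):  # caveat 1: internal network IDs must differ
        problems.append(f"internal networks overlap: {a} and {b}")
    wan_net = ipaddress.ip_network(wan)
    for name, site in plan.items():
        wan_ip = ipaddress.ip_address(site["wan_ip"])
        if wan_ip not in wan_net:  # caveat 2: both router WAN addresses on one link
            problems.append(f"{name}: WAN address {wan_ip} is not on link {wan_net}")
        if ipaddress.ip_address(site["lan_ip"]) not in lans[name]:
            problems.append(f"{name}: gateway {site['lan_ip']} is not on {lans[name]}")
    return problems


def router_commands(plan, local, remote, wan=WAN):
    """FreeBSD commands for router `local` so its LAN can reach `remote`'s LAN."""
    me, peer = plan[local], plan[remote]
    lan_mask = ipaddress.ip_network(me["lan"]).netmask
    wan_mask = ipaddress.ip_network(wan).netmask
    return [
        f"ifconfig {me['lan_if']} inet {me['lan_ip']} netmask {lan_mask}",
        f"ifconfig {me['wan_if']} inet {me['wan_ip']} netmask {wan_mask}",
        "sysctl net.inet.ip.forwarding=1",  # act as a router (gateway_enable)
        f"route add {peer['lan']} {peer['wan_ip']}",  # the static route from the diagram
    ]


if __name__ == "__main__":
    for problem in check_plan(LAB):
        print("PROBLEM:", problem)
    for local, remote in (("site_a", "site_b"), ("site_b", "site_a")):
        print(f"# on {local}:")
        print("\n".join(router_commands(LAB, local, remote)))
```

Changing site_b's LAN to 192.168.0.0/24 reproduces the first caveat and makes check_plan() report the overlap.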


>
> Will
>
> =====
> Will Williams
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message
>
