Re: Connecting to VPN Router That's Behind Another Router
- From: Wolfgang Kueter <wolfgang@xxxxxxxxxxxx>
- Date: Thu, 31 Jan 2008 23:15:03 +0100
Jeff wrote:
- An Actiontec (from Verizon FiOS) broadband wireless router, dynamic
WAN IP, LAN IP 192.168.0.1. DHCP and wireless is enabled with minimal
security. This is so guests can connect to the internet but not to
the main LAN (see below); they're outside the firewall.
- A Netgear fvs114 is connected via ethernet to the Actiontec, it has
a WAN address of 192.168.0.2 and a LAN address of 192.168.1.1, so
its "WAN" is just the Actiontec router's LAN, firewall enabled. [...]
Read my lips: You do *NOT* want to terminate an IPSec VPN on a private IP behind a NAT device. You *want* to terminate it on a public, routable IP.
Dump the 2 devices, get a serious firewalling/VPN device with at least *three* physical interfaces (WAN, LAN1 (untrusted), LAN2 (trusted)), deny all traffic from LAN1 to LAN2, build the VPN between the roaming clients and LAN2 and terminate it on the WAN interface (public IP).
The device with the three interfaces might be an old PC running Linux with 3 or more NICs if you want to use cheap hardware. OpenSWAN and iptables will do all that you want, but you need some skills to get everything running.
OR: if you want to keep 2 routers: use a public routable network between the 2 routers, don't use NAT on the external router and terminate the VPN on the public IP of the internal router.
I'm trying to get VPN working on the netgear.
For a serious thing get a serious device, netgear is mostly cheap crap.
Wolfgang
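The three-interface Linux box Wolfgang describes, as an added example that is not part of the original thread and not Openswan's or Netgear's own configuration: a script that emits an iptables-restore ruleset for a firewall with a public WAN interface, an untrusted LAN1 and a trusted LAN2, drops LAN1-to-LAN2 traffic, accepts IKE and ESP only on the WAN interface, and forwards into LAN2 only what arrived inside an IPsec SA. The interface names, subnets, and the assumption that the roaming clients are ESP road warriors (UDP/4500 is opened because a client may itself sit behind NAT) are illustration choices, not facts from the post. The IPsec configuration itself (Openswan's ipsec.conf) is not shown here.

```shell
#!/bin/sh
# Added example, not from the original post: minimal iptables ruleset for a
# three-NIC Linux firewall/VPN gateway. Interface names and subnets below are
# assumptions chosen for illustration; override them via the environment.
WAN_IF=${WAN_IF:-eth0}      # public, routable IP lives here; IPsec terminates on it
LAN1_IF=${LAN1_IF:-eth1}    # untrusted / guest network
LAN2_IF=${LAN2_IF:-eth2}    # trusted network, reachable from outside only via the VPN
LAN1_NET=${LAN1_NET:-192.168.0.0/24}
LAN2_NET=${LAN2_NET:-192.168.1.0/24}

# Emit the ruleset in iptables-restore format so it can be reviewed before loading.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# IKE (UDP/500), IKE NAT-Traversal (UDP/4500) and ESP are accepted on the WAN IP only
-A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 4500 -j ACCEPT
-A INPUT -i $WAN_IF -p esp -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Untrusted LAN1 never reaches trusted LAN2, in either direction
-A FORWARD -i $LAN1_IF -o $LAN2_IF -j DROP
-A FORWARD -i $LAN2_IF -o $LAN1_IF -j DROP
# Guests and trusted hosts may reach the Internet
-A FORWARD -i $LAN1_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $LAN2_IF -o $WAN_IF -j ACCEPT
# Only traffic that arrived inside an IPsec SA on WAN is forwarded into LAN2;
# plaintext from WAN falls through to the FORWARD DROP policy
-A FORWARD -i $WAN_IF -o $LAN2_IF -m policy --dir in --pol ipsec --proto esp -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# Do not masquerade packets that will be encapsulated into the VPN
-A POSTROUTING -o $WAN_IF -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s $LAN1_NET -o $WAN_IF -j MASQUERADE
-A POSTROUTING -s $LAN2_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check on the generated ruleset: returns 0 if the LAN1->LAN2 block, the
# default-deny FORWARD policy and the IPsec-only path into LAN2 are all present.
check_rules() {
    rules=$(build_rules)
    echo "$rules" | grep -q -- "^:FORWARD DROP" || return 1
    echo "$rules" | grep -q -- "-i $LAN1_IF -o $LAN2_IF -j DROP" || return 1
    echo "$rules" | grep -q -- "-o $LAN2_IF -m policy --dir in --pol ipsec" || return 1
    return 0
}

# Load the ruleset; needs root and iptables-restore, so only runs when asked for.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must be root" >&2; return 1; }
    build_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    check_rules && apply_rules
fi
```

Run it with no argument to print nothing and leave the system untouched, or as root with `apply` to load the rules after the self-check passes. Packet forwarding (`net.ipv4.ip_forward=1`), DHCP and management access on the LAN interfaces, and the Openswan road-warrior configuration are deliberately left out; the point of the block is the separation Wolfgang asks for: nothing from LAN1 into LAN2, and nothing from the WAN into LAN2 unless it came out of an IPsec SA terminated on the public IP.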