[olug] SOHO vpn/router question

Dan Linder dan at linder.org
Mon Apr 26 17:57:01 UTC 2010


Thanks!  I am still hoping that the IT guy will work with me on this, rather
than just kill it outright because it isn't the usual host-to-site
connection.

Dan

On Mon, Apr 26, 2010 at 08:47, James Ringler <jringler at plainspower.com> wrote:

> Dan Linder wrote:
>
>> My company is taking our local office virtual so I'll be working from home
>> now.  Currently I have three workstations that each bring up their own VPN
>> into the corporate network for me to do my work.  I'd really like to set up
>> my home firewall to be the VPN concentrator for these machines so I can drop
>> the independent VPN sessions.  Currently I'm running a Vyatta firewall, but
>> would switch back to Astaro or another Linux distribution if needed.
>>
>> Anyone have a quick pointer on setting up the Vyatta firewall to be the VPN
>> endpoint and then perform NAT for my three systems back into corporate?
>>
>> Dan
>>
>>
>>
>
>
> It depends on the VPN device on the other side.  If it's IPsec,
>
> you create an IPsec interface and set the parameters of the VPN connection:
>
>
> ipsec {
>     esp-group ESPVPNtoWORK {
>         compression disable
>         proposal 1 {
>             encryption 3des
>             hash md5
>         }
>     }
>     ike-group IKEVPNtoWORK {
>         lifetime 28800
>         proposal 1 {
>             encryption aes256
>             hash md5
>         }
>     }
>     ipsec-interfaces {
>         interface eth0
>     }
> }
>
>
> Then set up your site-to-site information.  The peer is your work VPN
> connector.
> Local IP is obviously your IP at home (I think now you can use an FQDN
> there for DDNS).
> Local subnet is your home inside addresses.
> Remote subnet is your destination network addresses.
>
> site-to-site {
>     peer 99.99.99.99 {
>         authentication {
>             mode pre-shared-secret
>             pre-shared-secret MYPASSWORD
>         }
>         ike-group IKEVPNtoWORK
>         local-ip 1.1.1.1
>         tunnel 1 {
>             allow-nat-networks disable
>             esp-group ESPVPNtoWORK
>             local-subnet 172.2.0.0/24
>             remote-subnet 10.26.16.0/24
>         }
>     }
> }
>
>
>
> Then to bypass your outbound NAT you have to set an exclude statement.
> This also has to be in a rule lower than your general outbound NAT
> statement.
>
>
>
> rule 1 {
>     destination {
>         address 10.26.16.0/24
>     }
>     exclude
>     outbound-interface eth0
>     type masquerade
> }
>
>
>
> This will pass the traffic through the VPN and not out your home router.
>
>
>
>
>
>
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>



-- 
***************** ************* *********** ******* ***** *** **
"Quis custodiet ipsos custodes?"
   (Who can watch the watchmen?)
   -- from the Satires of Juvenal
"I do not fear computers, I fear the lack of them."
   -- Isaac Asimov (Author)
** *** ***** ******* *********** ************* *****************
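The quoted reply shows the finished configuration in Vyatta's `show configuration` tree form, with the ESP/IKE group definitions, the site-to-site peer and the NAT exclusion given as separate fragments. Below is the same design expressed as the `set` commands one would type at the Vyatta configure prompt, so the three pieces can be seen as one unit together with the general masquerade rule they must be ordered against. This is an added example, not code from either poster: the group names IKE-WORK and ESP-WORK, the home LAN 192.168.1.0/24, the WAN interface eth0 with address 1.1.1.1, the peer 99.99.99.99 with remote network 10.26.16.0/24, the pre-shared secret and the rule numbers are all placeholders, and the AES-256/SHA-1/DH group 2 proposals are stand-ins for whatever the corporate concentrator actually requires (both ends must agree on algorithms, lifetimes and DH group or phase 1 or phase 2 will not come up).

```vyatta
# Added example, not from the original posts. Placeholders: IKE-WORK, ESP-WORK,
# 192.168.1.0/24 (home LAN), eth0 / 1.1.1.1 (home WAN), 99.99.99.99 (work peer),
# 10.26.16.0/24 (work network), MYPASSWORD. Proposals must match the peer.
configure

# Phase 1 (IKE) and phase 2 (ESP) parameters, bound to the WAN interface
set vpn ipsec ike-group IKE-WORK lifetime 28800
set vpn ipsec ike-group IKE-WORK proposal 1 encryption aes256
set vpn ipsec ike-group IKE-WORK proposal 1 hash sha1
set vpn ipsec ike-group IKE-WORK proposal 1 dh-group 2
set vpn ipsec esp-group ESP-WORK lifetime 3600
set vpn ipsec esp-group ESP-WORK proposal 1 encryption aes256
set vpn ipsec esp-group ESP-WORK proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0

# Site-to-site peer. The ike-group / esp-group names referenced here must match
# the definitions above exactly; group names are case-sensitive.
set vpn ipsec site-to-site peer 99.99.99.99 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 99.99.99.99 authentication pre-shared-secret 'MYPASSWORD'
set vpn ipsec site-to-site peer 99.99.99.99 ike-group IKE-WORK
set vpn ipsec site-to-site peer 99.99.99.99 local-ip 1.1.1.1
set vpn ipsec site-to-site peer 99.99.99.99 tunnel 1 esp-group ESP-WORK
set vpn ipsec site-to-site peer 99.99.99.99 tunnel 1 local-subnet 192.168.1.0/24
set vpn ipsec site-to-site peer 99.99.99.99 tunnel 1 remote-subnet 10.26.16.0/24
set vpn ipsec site-to-site peer 99.99.99.99 tunnel 1 allow-nat-networks disable

# NAT. The exclude rule carries the lower number so it is evaluated before the
# general masquerade rule; otherwise packets for 10.26.16.0/24 would leave with
# the public address 1.1.1.1 and never match the tunnel's local-subnet.
set service nat rule 10 type masquerade
set service nat rule 10 outbound-interface eth0
set service nat rule 10 destination address 10.26.16.0/24
set service nat rule 10 exclude
set service nat rule 100 type masquerade
set service nat rule 100 outbound-interface eth0
set service nat rule 100 source address 192.168.1.0/24

commit
save

# Checks, in order: phase 1 SA established, phase 2 SA for tunnel 1 up,
# NAT rules listed with the exclude before the masquerade; then ping a
# 10.26.16.x host from a LAN workstation.
run show vpn ike sa
run show vpn ipsec sa
run show nat rules
```

With the exclusion in place the corporate side sees the home LAN addresses unchanged, so the concentrator at work must have 192.168.1.0/24 (or whatever the real home LAN is) configured as the remote network for this peer; IPsec selectors have to match on both ends. That is the part the IT group has to agree to, which is what the original question turns on.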


