[olug] SOHO vpn/router question

James Ringler jringler at plainspower.com
Mon Apr 26 13:47:12 UTC 2010

Dan Linder wrote:
> My company is taking our local office virtual so I'll be working from home
> now.  Currently I have three workstations that each bring up their own VPN
> into the corporate network for me to do my work.  I'd really like to setup
> my home firewall to be the VPN concentrator for these machines so I can drop
> the independent VPN sessions.  Currently I'm running a Vyatta firewall, but
> would switch back to Astaro or other Linux distribution if needed.
> Anyone have a quick pointer on setting up the Vyatta firewall to be the VPN
> endpoint and then perform NAT for my three systems back into corporate?
> Dan

It depends on the VPN device on the other side... if it's IPsec, you create an IPsec interface and set the parameters of the VPN connection:

ipsec {
    esp-group ESPVPNtoWORK {
        compression disable
        proposal 1 {
            encryption 3des
            hash md5
        }
    }
    ike-group IKEVPNtoWORK {
        lifetime 28800
        proposal 1 {
            encryption aes256
            hash md5
        }
    }
    ipsec-interfaces {
        interface eth0
    }
}

Then set up your site-to-site information... the peer is your work VPN connector.
Local IP is obviously your IP at home (I think now you can use a FQDN there for DDNS).
Local subnet is your home inside addresses.
Remote subnet is your destination network addresses.

site-to-site {
    peer <WORK_VPN_IP> {
        authentication {
            mode pre-shared-secret
            pre-shared-secret MYPASSWORD
        }
        ike-group IKEVPNtoWORK
        local-ip <HOME_PUBLIC_IP>
        tunnel 1 {
            allow-nat-networks disable
            esp-group ESPVPNtoWORK
            local-subnet <HOME_SUBNET>
            remote-subnet <WORK_SUBNET>
        }
    }
}

Then to bypass your outbound NAT you have to set an exclude statement... this also has to be in a rule lower than your general outbound NAT statement.

rule 1 {
    destination {
        address <WORK_SUBNET>
    }
    exclude
    outbound-interface eth0
    type masquerade
}

this will pass the traffic through the VPN and not out your home router.. 
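The two fragments above are easy to get subtly wrong: a group name that is referenced under site-to-site but spelled differently where it is defined, or an algorithm choice nobody revisits later. The following is an added example, not code from the original post, that parses a Vyatta-style brace config and flags both problems; the sample config, the peer address and the list of weak algorithms are constructed assumptions.

```python
import re
# Added example (not from the original post): audit a Vyatta-style brace config
# for dangling esp-/ike-group references and weak algorithm choices.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha1"}}  # policy assumption

def parse(text):
    """Return (headers, leaves): block headers like 'ike-group X', and (path, key, value) per leaf."""
    tokens = [t.strip() for t in re.findall(r"\{|\}|[^{}\n]+", text)]
    headers, leaves, stack = set(), [], []
    for tok, nxt in zip(tokens, tokens[1:] + [""]):
        if not tok or tok == "{":          # whitespace, or a brace already consumed
            continue
        if tok == "}":                     # close the innermost block
            stack.pop()
        elif nxt == "{":                   # "header {" opens a block
            stack.append(tok)
            headers.add(tok)
        else:                              # leaf: "key value"
            key, _, value = tok.partition(" ")
            leaves.append((tuple(stack), key, value.strip()))
    if stack:
        raise ValueError(f"unclosed block(s): {stack}")
    return headers, leaves

def audit(text):
    """Flag groups a peer references but never defines (names are case sensitive) and weak algorithms."""
    headers, leaves = parse(text)
    findings = []
    for path, key, value in leaves:
        where = " > ".join(path)
        if key in ("esp-group", "ike-group") and f"{key} {value}" not in headers:
            findings.append(f"{where}: {key} {value} is not defined")
        if value in WEAK.get(key, ()):
            findings.append(f"{where}: weak {key} {value}")
    return findings

# Constructed sample mirroring the post's fragments (peer address is made up).
SAMPLE = """
ipsec {
    esp-group ESPVPNtoWORK { proposal 1 {
        encryption 3des
        hash md5 } }
    ike-group IKEVPNtoWORK { proposal 1 {
        encryption aes256
        hash md5 } }
    site-to-site { peer 203.0.113.10 {
        ike-group IKEVPNtoWork
        tunnel 1 { esp-group ESPVPNtoWORK } } } }
"""
```

Running `audit(SAMPLE)` reports the 3DES and MD5 proposals and the `IKEVPNtoWork` reference that matches no defined `ike-group`, which is exactly the kind of mistake that makes phase 1 silently fail to negotiate.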
