[olug] SOHO vpn/router question
James Ringler
jringler at plainspower.com
Mon Apr 26 13:47:12 UTC 2010
Dan Linder wrote:
> My company is taking our local office virtual so I'll be working from home
> now. Currently I have three workstations that each bring up their own VPN
> into the corporate network for me to do my work. I'd really like to set up
> my home firewall to be the VPN concentrator for these machines so I can drop
> the independent VPN sessions. Currently I'm running a Vyatta firewall, but
> would switch back to Astaro or other Linux distribution if needed.
>
> Anyone have a quick pointer on setting up the Vyatta firewall to be the VPN
> endpoint and then perform NAT for my three systems back into corporate?
>
> Dan
It depends on the VPN device on the other side... if it's IPSec, you create
an IPSec interface and set the parameters of the VPN connection:

vpn {
    ipsec {
        /* phase 2 (ESP) proposal */
        esp-group ESPVPNtoWORK {
            compression disable
            proposal 1 {
                encryption 3des
                hash md5
            }
        }
        /* phase 1 (IKE) proposal; lifetime is in seconds */
        ike-group IKEVPNtoWORK {
            lifetime 28800
            proposal 1 {
                encryption aes256
                hash md5
            }
        }
        /* the outside interface that terminates the tunnel */
        ipsec-interfaces {
            interface eth0
        }
    }
}
Then set up your site-to-site information... the peer is your work VPN
connector. Local IP is obviously your IP at home (I think now you can use an
FQDN there for DDNS). Local subnet is your home inside addresses, remote
subnet is your destination network addresses:
/* this block also lives under vpn ipsec */
site-to-site {
    peer 99.99.99.99 {
        authentication {
            mode pre-shared-secret
            pre-shared-secret MYPASSWORD
        }
        /* group names are case-sensitive and must match the definitions above */
        ike-group IKEVPNtoWORK
        local-ip 1.1.1.1
        tunnel 1 {
            allow-nat-networks disable
            esp-group ESPVPNtoWORK
            local-subnet 172.2.0.0/24
            remote-subnet 10.26.16.0/24
        }
    }
}
Then to bypass your outbound NAT you have to set an exclude statement... this
also has to be in a rule lower than your general outbound NAT statement:
service {
    nat {
        /* rules are evaluated in ascending order, so keep this below the masquerade rule */
        rule 1 {
            destination {
                address 10.26.16.0/24
            }
            exclude
            outbound-interface eth0
            type masquerade
        }
    }
}
This will pass the traffic through the VPN and not out your home router.
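Added example, not from the thread or from Vyatta: a small Python linter for config text in the brace style shown above. It checks the two things the reply depends on: that the ike-group a peer references is actually defined (names are case-sensitive, so IKEVPNtoWork does not match IKEVPNtoWORK) and that the NAT exclude rule for the remote subnet is numbered below the general masquerade rule. The parser and the sample config are constructed here and assume one statement per line.

```python
def parse(text):  # Vyatta 'show configuration' style braces -> nested dicts (leaf value or True)
    stack, root = [], {}
    cur = root
    for line in text.splitlines():
        body, closes = line, 0
        while body.rstrip().endswith("}"):  # trailing '}' tokens close nodes after the leaf
            body, closes = body.rstrip()[:-1], closes + 1
        *opens, leaf = [s.strip() for s in body.split("{")]
        for key in opens:  # e.g. "peer 99.99.99.99" opens a node
            stack.append(cur)
            cur = cur.setdefault(key, {})
        if leaf:  # e.g. "exclude" (flag) or "remote-subnet 10.26.16.0/24"
            k, _, v = leaf.partition(" ")
            cur[k] = v.strip() or True
        for _ in range(closes):
            cur = stack.pop()
    return root

def lint(cfg):  # findings for the two pitfalls above: dangling group names, NAT exclude ordering
    ipsec, findings = cfg["vpn"]["ipsec"], []
    nat = {int(k.split()[1]): r for k, r in cfg["service"]["nat"].items()}
    masq = [n for n, r in nat.items() if r.get("type") == "masquerade" and "exclude" not in r]
    for peer, p in ipsec["site-to-site"].items():
        if "ike-group " + p["ike-group"] not in ipsec:  # names are case-sensitive
            findings.append(f"{peer}: ike-group {p['ike-group']} is not defined")
        for name, t in p.items():
            if not name.startswith("tunnel "): continue
            excl = [n for n, r in nat.items() if "exclude" in r
                    and r.get("destination", {}).get("address") == t["remote-subnet"]]
            if not excl:
                findings.append(f"{peer} {name}: no NAT exclude rule for {t['remote-subnet']}")
            elif masq and min(excl) > min(masq):  # NAT rules are evaluated in ascending order
                findings.append(f"{peer} {name}: exclude rule {min(excl)} comes after masquerade rule {min(masq)}")
    return findings

# Constructed sample (not a real config): the ike-group reference differs in case from its definition.
SAMPLE = """\
vpn { ipsec {
  ike-group IKEVPNtoWORK { }
  site-to-site { peer 99.99.99.99 {
    ike-group IKEVPNtoWork
    tunnel 1 { remote-subnet 10.26.16.0/24 } } } } }
service { nat {
  rule 1 { destination { address 10.26.16.0/24 }
    exclude
    outbound-interface eth0
    type masquerade }
  rule 10 { outbound-interface eth0
    type masquerade } } }
"""
```

Running `lint(parse(SAMPLE))` reports only the undefined ike-group; fixing the case, renumbering the exclude rule above the masquerade rule, or deleting `exclude` each changes the findings accordingly.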