Hi!
I have a network with some offices around Europe. Every office has a FW-1.
Between the FW-1's there's a full mesh network of VPN tunnels over the Internet.
Every office has its own subnet, and all Internet traffic goes through the
local FW-1. Every FW-1 is the VPN server for its own employees.
After authentication VPN-1 decrypts the encrypted packet from the client and
transmits it onto the internal network, keeping its original source address.
When the destination machine sends the reply, VPN-1 encrypts it and sends it to
the client. The source and destination addresses are the same on both sides of
the decryption/encryption. This requires that the reply goes out through the
same FW-1 as the original packet came in through.
This is not a problem as long as a Stockholm employee connected to the Stockholm
VPN-1 is accessing machines in the Stockholm network, but when he tries to
access a machine in the London network, the destination machine sends its reply
through the London FW-1, which doesn't recognize the packet as belonging to the
VPN session. Therefore it's never encapsulated and encrypted, and the client
drops it.
What is the solution for this? Is it possible to make a rule that masquerades
the address of the VPN client using the internal address of FW-1, making the
London machine send the reply to the Stockholm FW-1? Wouldn't this approach
cause problems if the client machine tried to access some public resources on
the DMZ at the same time as it's connected through the VPN session? Will FW-1
masquerade these packets as well? If so, is it a problem?
One idea is to masquerade the whole freaking Internet to the internal address of
the FW-1... fun idea, but every cell in my brain screams "Nooo!". ;)
Any ideas?
/P
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
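As an added illustration (not part of the original post, and not FW-1 configuration), here is a small Python model of the return-path problem described in the question and of the masquerading idea it proposes. The office subnets, the firewall addresses, the client address and the "hide NAT" behaviour are all assumptions made for this example; the model only tracks which firewall a reply crosses and whether that firewall holds the VPN session.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology for this example only (addresses are not from the post).
SITES = {
    "Stockholm": ipaddress.ip_network("10.1.0.0/16"),
    "London": ipaddress.ip_network("10.2.0.0/16"),
}
FW_INTERNAL = {  # internal address of each site's FW-1 (assumed)
    "Stockholm": ipaddress.ip_address("10.1.0.1"),
    "London": ipaddress.ip_address("10.2.0.1"),
}
CLIENT = ipaddress.ip_address("203.0.113.5")  # roaming client; keeps this address through the VPN
DMZ_HOST = ipaddress.ip_address("10.1.200.7")  # constructed DMZ host behind the Stockholm FW-1


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address


def next_hop(site: str, dst: ipaddress.IPv4Address) -> str:
    """Routing decision of a site's FW-1: local LAN, a mesh tunnel to another office, or the Internet."""
    if dst in SITES[site]:
        return "local"
    for other, net in SITES.items():
        if other != site and dst in net:
            return f"tunnel:{other}"
    return "internet"


def site_of(addr: ipaddress.IPv4Address) -> str:
    """Which office's subnet the address belongs to."""
    return next(site for site, net in SITES.items() if addr in net)


def remote_subnets(site: str):
    """Destinations behind the other offices: one possible scope for a hide-NAT rule at `site`."""
    return [net for other, net in SITES.items() if other != site]


def hide_nat(vpn_site: str, pkt: Packet, nat_scope):
    """Hypothetical hide-NAT rule on the VPN-terminating FW-1: when the destination is inside
    nat_scope, the client's source becomes the FW-1's internal address and the original source
    is remembered so the reply can be translated back. Returns (forwarded packet, original src)."""
    if any(pkt.dst in net for net in nat_scope):
        return Packet(FW_INTERNAL[vpn_site], pkt.dst), pkt.src
    return pkt, None


def simulate(vpn_site: str, server, nat_scope=()):
    """Client connected to vpn_site's FW-1 sends a packet to server; trace the reply.
    Returns (next hop chosen for the reply at the server's site, whether the client was
    masqueraded, whether the reply reaches the client encrypted)."""
    server = ipaddress.ip_address(str(server))
    fwd, original_src = hide_nat(vpn_site, Packet(CLIENT, server), nat_scope)
    server_site = site_of(server)
    reply = Packet(fwd.dst, fwd.src)
    hop = next_hop(server_site, reply.dst)
    # Only the FW-1 holding the VPN session can encapsulate and encrypt the reply.
    # Same office: the reply crosses that FW-1 whatever the hop. Other office: it must
    # come back over the mesh tunnel to the VPN site instead of going straight to the Internet.
    passes_vpn_fw = server_site == vpn_site or hop == f"tunnel:{vpn_site}"
    if passes_vpn_fw and original_src is not None:
        reply = Packet(reply.src, original_src)  # reverse the hide NAT on the way back
    delivered = passes_vpn_fw and reply.dst == CLIENT
    return hop, original_src is not None, delivered


if __name__ == "__main__":
    sto = "Stockholm"
    print("Stockholm LAN, no NAT:       ", simulate(sto, "10.1.5.20"))
    print("London LAN, no NAT:          ", simulate(sto, "10.2.5.20"))
    print("London LAN, NAT remote only: ", simulate(sto, "10.2.5.20", remote_subnets(sto)))
    print("Stockholm DMZ, NAT remote only:", simulate(sto, DMZ_HOST, remote_subnets(sto)))
    print("Stockholm DMZ, NAT everything: ", simulate(sto, DMZ_HOST, list(SITES.values())))
```

In the model, a reply from London to the un-translated client address leaves through the London FW-1 towards the Internet and never reaches the firewall that holds the VPN session, which is the failure the question describes. Masquerading the client behind the Stockholm FW-1's internal address makes London route the reply over the mesh tunnel back to Stockholm, where it is translated back and encrypted. Scoping the hide-NAT rule to the remote office subnets leaves traffic to the local DMZ untouched, since that reply already crosses the Stockholm FW-1; in this model translating it as well is harmless but unnecessary.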