Greetings:

We need to build a VPN configuration which permits wireless clients
(not other networks) to access the Internet only when connected
through the VPN.  When no VPN connection is established, clients
should be permitted access to certain local services on the private
(protected) lan, e.g. http, smtp, irc, etc. in an 'intranet' setting.
These wireless clients are to be assigned an ip address by dhcp from
a private address space (e.g. 172.16.5.0/24).  The local (protected)
lan is also on a private address space (e.g. 10.0.0.0/24) which should
be NAT'ed in the border router for outgoing internet access and for
redirected incoming access to http, dns, smtp, etc. to certain hosts
on the internal (protected) network.

This application is different from the usual roaming VPN application in
that it must service clients on a private address space, not clients on
the public Internet needing to tunnel into a private lan; these clients
will when authenticated need to access the Internet and also a subset of
redirected services on the private (protected) lan (not on their own
subnet). For sake of discussion the subnet serving the wireless clients
could be termed a PSN.


         registered (public) ip subnet
          on Internet (perhaps a /30)
                |
                |
                |
        -------------------
        |                 |
        |   router:       |------------unregistered (private)
        |  OpenBSD or     |           ip subnet(/24) "WAPNET"
        |  GnatBOX ?      |                  |
        |                 |                  |
        -------------------                  |
                |                            |
                | <--NATTED              ---------
                |                        |  WAP  |
       unregistered (private)            |       | 802.11 wireless
       ip subnet (/24) "INTERNAL-NET"    ---------  access point
                |                             \
                |                             /
            -----------                       \
            |         |                   ----------
            | servers |                   | client | wireless client
            |         |                   ----------  gets ip on
            -----------                              "WAPNET" by dhcp

We've tried this scenario using OpenBSD/ISAKMPD/pf; the tunnel is
established from the client's assigned ip address on "WAPNET" to the
"INTERNAL-NET" network. All works well except for ip header checksum
problems over ESP when the client accesses ip addresses on the Internet
(well-known NAT/IPsec conflict).

We have not yet attempted to tunnel from the WAPNET client to the public
Internet subnet, mainly because we don't yet have an address block and
this would also defeat the purpose of serving a large number of wireless
clients with a small block of registered ip addresses.

How would one implement this scenario on GnatBOX?

We're also confused about how to use 'virtual ip' tunnel addresses for
the client; for our tests we could only get the tunnel to work with the
assigned ip. Here's the problem:

  In order to not need to use proxy-arp, the 'virtual ip' of the client
  must be on a unique subnet vs. the far endpoint of the tunnel.  If we
  say the far endpoint of the tunnel is on the 10.0.0.0/24 subnet (the
  protected network) and the client virtual ip is on an arbitrary unique
  subnet, say 10.0.3.0/24, there is no intervening router to assign as a
  gateway at the client. In Win9x tcp/ip we tried assigning the local
  interface as the gateway but this didn't work. Therefore there is no
  default route.  How does the GnatBOX VPN and client software handle
  this situation?

All replies are very much appreciated.

Michael Grigoni
Cybertheque Museum
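For readers of the archive: below is an added pf.conf sketch of the border-router policy described in the post above (intranet services reachable without a tunnel, Internet reachable only through the tunnel, NAT at the border). It is not the poster's configuration nor GnatBOX's; interface names, server addresses, the enc0 interface for decapsulated IPsec traffic and the older OpenBSD nat/rdr rule syntax are assumptions.

```pf
# Added example, not from the original post. Interface names, server
# addresses and the enc0 convention are assumed.
ext_if   = "fxp0"            # registered /30 toward the Internet
int_if   = "fxp1"            # "INTERNAL-NET", 10.0.0.0/24
wap_if   = "fxp2"            # "WAPNET", 172.16.5.0/24
int_net  = "10.0.0.0/24"
wap_net  = "172.16.5.0/24"
www_srv  = "10.0.0.10"       # assumed internal web host
mail_srv = "10.0.0.25"       # assumed internal SMTP host
intranet_ports = "{ 80, 25, 6667 }"   # http, smtp, irc

# NAT for the protected LAN and for tunnelled wireless clients.
# Wireless sources are translated only after decapsulation on enc0,
# so the translation never rewrites an ESP packet (the NAT/IPsec
# checksum conflict arises when NAT sits between the two endpoints).
nat on $ext_if from { $int_net, $wap_net } to any -> ($ext_if)

# Redirect selected inbound services to internal hosts
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_srv
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $mail_srv

block in log all
pass out keep state

# Without a tunnel: wireless clients reach only the intranet services
pass in on $wap_if proto tcp from $wap_net to $int_net \
    port $intranet_ports flags S/SA keep state

# IKE and ESP from wireless clients to the router's WAPNET address
pass in on $wap_if proto udp from $wap_net to ($wap_if) port 500
pass in on $wap_if proto esp from $wap_net to ($wap_if)

# Inner packets from the tunnel arrive on enc0; only these may leave
# toward the Internet, and the nat rule above translates them
pass in on enc0 from $wap_net to any keep state

# Inbound traffic already redirected to the internal servers
pass in on $ext_if proto tcp from any to $www_srv port 80 \
    flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_srv port 25 \
    flags S/SA keep state
```

Direct (untunnelled) wireless traffic to the Internet matches none of the pass rules on $wap_if and is dropped by the default block, which is the policy the post asks for.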
