
This is the support site for Andrews & Arnold Ltd, a UK Internet provider. Information on these pages is generally for our customers but may be useful to others, enjoy!

FireBrick Road Warrior FireBrick Config: Difference between revisions

<indicator name="RoadW">[[File:Menu-Road-Warrior.svg|link=:Category:FireBrick_IPsec_Road_Warrior|30px|Back up to the FireBrick Road Warrior Category Page]]</indicator>
= FireBrick IPsec config =
 
==A note on IP Allocations==
 
There are two common ways to use the IPsec roaming pools:
 
'''Separate pool:'''
 
Choose an IP range that is not used anywhere else in your FB config
(and, to avoid confusion, choose something non-routable, e.g. from 10.x.x.x).
Set the NAT flag on the ipsec roaming pool definition.
 
In this scenario all traffic arriving at the FB from the remote
device is NATed (to an FB source address) before being routed
onwards. This gives what most people would expect: the remote
device has a non-routable, NATed address. Sessions originating
on the remote device can reach anywhere the FB can, but other
devices cannot initiate sessions to the remote device.
 
'''IPs from the existing LAN:'''
 
Choose a "real" range of IP addresses already known to the FB.
Typically this would be a subset of one of the FB's LAN subnets.
[Take care, if doing this, that the range does not overlap any DHCP
allocations the FB may make on that subnet.] In this case the
roaming pool NAT setting should not be set. Normally you will
want your FB LAN devices to be able to communicate with the
remote client, so you should set "proxy-arp" on the FB subnet
definition.
 
In this scenario, the remote device behaves just like a device
connected on the LAN, and, if the LAN subnet is routable, the
remote device will also be able to communicate externally.
 
 
==Overview==