FireBrick Road Warrior FireBrick Config: Difference between revisions

← Older edit Newer edit →

Content deleted Content added

Inline

@@ Line 1: / Line 1: @@
 <indicator name="RoadW">[[File:Menu-Road-Warrior.svg|link=:Category:FireBrick_IPsec_Road_Warrior|30px|Back up to the FireBrick Road Warrior Category Page]]</indicator>
 = FireBrick IPsec config =
+==A note on IP Allocations==
+There are two common ways to use the IPsec roaming pools:
+'''Separate pool:'''
+Choose an IP range not used anywhere else in your FB config
+(and to avoid confusion choose something non-routable eg from 10...)
+Set the NAT flag on the ipsec roaming pool definition.
+In this scenario all traffic arriving at the FB from the remote
+device will be NATed (with FB source address) before being routed
+onwards.  This provides what most people would expect - remote
+device has a non-routable NATed address.  Sessions originating
+on the device can talk to anywhere the FB can - but other
+devices cannot initiate sessions to the remote device.
+'''IPs from the existing LAN'''
+Choose a "real" range of IP addresses already known to the FB.
+Typically this would be a subset of one of the FB's LAN subnets.
+[Take care if doing this to not have an overlap with any DHCP
+allocations which the FB may do on that subnet.]  In this case
+the roaming pool NAT setting should not be set.  Normally you
+will want your FB LAN devices to be able to communicate with the
+remote client, so you should set "proxy-arp" on the FB subnet
+definition.
+In this scenario, the remote device behaves just like a device
+connected on the LAN, and, if the LAN subnet is routable, the
+remote device will also be able to communicate externally.
 ==Overview==