IPsec tunnel mode with private internal addresses
I've been trying and failing since Windows 2000 to set up this simple,
standard scenario on Windows. Windows 7 seems to have some richer command
line tools, but I still can't find the magic combination.
This has to be with *standard* IKEv1 and IPsec in tunnel mode, no L2TP,
Cisco add-ons, etc. It's a basic VPN scenario. Assume user authentication
is out of band also.
Windows:
  External address: DHCP-assigned, internet routable
  Internal address: private address assigned by me out of band, e.g. 10.0.0.2
Server:
  Some non-Microsoft system acting as an IPsec gateway, static internet-facing IP
  Internal network behind this system
Setting up the IPsec policy is easy enough, with the GUI or with netsh.
The problem is that when I initiate a connection, the connection becomes
self-encapsulated. That is to say, the internal tunneled address is the same
as the external address. I want it to be assigned the private address so
that routing just works on the other end.
This is a cookie-cutter standard configuration on Solaris, MacOS, Linux,
etc. Solaris and MacOS implement it by having IPsec go over a tunnel
interface (ip.tun0, gif0). Linux implements it by assigning an extra logical
interface and having tunneling as a policy decision through ipsec-tools. The
latest MacOS 10.6 also needs to have an extra logical address added to the
physical interface so the assigned address is associated with the system as
an endpoint.
I think on Windows it is a policy decision and I need to have a DHCP address
and static address at the same time, but this seems to be impossible. Also,
is there some way to affect source address selection? I'm hoping I can get
this working through routing commands if I can have a dhcp address and static
address at the same time. Everything I've seen indicates this is not
possible and multiple addresses can only be assigned if they are static. Can
anyone help get this scenario working?
Win7 ------------------> Server ------------> host
     IPsec tunnel        decrypt/decap        cleartext
111.111.111.11           222.222.222.222      (sees 10.0.0.2)
10.0.0.2                 10.0.0.1
Thanks for any insights!
Paul
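As an added example, not part of the original post, here is the baseline Windows 7 configuration the question calls "easy enough": a connection security rule in IPsec tunnel mode with a pre-shared key, created with netsh advfirewall, followed by the monitor commands that reveal which addresses the negotiated SAs actually protect. That is where the self-encapsulation described above becomes visible. The addresses are the placeholders from the post's diagram, the rule name and PSK are made up, and the gateway side is assumed to accept IKEv1 main mode with a matching PSK and to route 10.0.0.0/24 to the tunnel.

```powershell
# Added example: baseline tunnel-mode connection security rule on Windows 7.
# Placeholders from the post's diagram: Win7 public 111.111.111.11, gateway
# public 222.222.222.222, inner address 10.0.0.2, internal network 10.0.0.0/24.
# Rule name and PSK are invented placeholders. Run from an elevated prompt.

# endpoint1/endpoint2 are the *inner* (tunneled) addresses the rule matches;
# localtunnelendpoint/remotetunnelendpoint are the *outer* IKE/ESP peers.
# The post's public address is DHCP-assigned; netsh also accepts
# localtunnelendpoint=any when the outer address is not known in advance.
netsh advfirewall consec add rule `
    name=LabIPsecTunnel `
    mode=tunnel `
    endpoint1=10.0.0.2 `
    endpoint2=10.0.0.0/24 `
    localtunnelendpoint=111.111.111.11 `
    remotetunnelendpoint=222.222.222.222 `
    action=requireinrequireout `
    auth1=computerpsk `
    auth1psk=replace-with-a-long-random-psk `
    profile=any

# Confirm the rule stored the inner and outer endpoints you intended.
netsh advfirewall consec show rule name=LabIPsecTunnel verbose

# Trigger negotiation, then inspect the SAs. The quick-mode SA lists the
# addresses actually protected by the tunnel: if the local side shows
# 111.111.111.11 rather than 10.0.0.2, the stack sourced the traffic from the
# outer address and the tunnel carries it as-is, which is the
# self-encapsulation the post describes.
ping -n 2 10.0.0.1
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

The rule only declares which inner addresses are protected; it does not make Windows own 10.0.0.2 or pick it as the source address, which is exactly the open question in the post. PSK authentication is used here purely to keep the example self-contained; for a real deployment use certificate authentication (auth1=computercert) so the gateway identity is bound to something stronger than a shared string.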