LinuxQuestions.org
Old 01-30-2003, 08:53 AM   #1
kalliste
LQ Newbie
 
Registered: Jan 2003
Location: UK
Distribution: RedHat and Slackware
Posts: 6

Rep: Reputation: 0
Setting up Smoothwall VPN.


I'm a bit of a Linux newbie, so please bear with me here.

I have set up my first firewall using Smoothwall GPL. It's simple, rocks, and I'm very happy with it, if anyone else is considering doing the same.

Now I want to sort out the VPN option so I can connect to another base and do remote admin/file sharing and that sort of thing. The problem is that the only part of the Smoothwall documentation that is confusing is the VPN config.

I don't quite get the whole left/right/next hop thing.

Can anyone help and explain to me how I do this? I have 2 bases (let's call them BASE X and BASE Y).

Both have separate ISPs, but the main config is exactly the same...both on DSL, both using DHCP and the firewall is NAT translating to 192.168.X.X

BASE X has internal network 192.168.1.x/24 and external network A.B.C.D/29. This firewall's Green Eth Card is set to 192.168.1.1

BASE Y has internal network 192.168.2.x/24 and external network E.F.G.H/28. This firewall's Green Eth Card is set to 192.168.2.1

My question is, how do I fill in the following fields (in both BASE X and BASE Y)

name
left
left next hop
left subnet
right
right next hop
right subnet

I have tried it already, but it told me that the subnet was wrong. I don't want to screw it up, so was hoping that someone who has done this already can basically tell me the settings using the algebraic settings as above.

And there's a virtual (or real if you live close to Leeds, UK) pint in it for anyone who can help....

Thanks.
Dylan
 
Old 02-01-2003, 09:22 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Yeah,
it's a pity it is so simple, and we cannot understand it until it works!!! You're certainly not alone with this...

First,
the next hop is for "routing".
If you exit the VPN you are unencrypted, and maybe on an incorrect network segment, so the 'next hop' is a "routing" function to push the packets to the next router/gateway down the line until they find the correct network, rather than being dumped on Smoothie's local network...Oops! Not correct. Read the thread below please!
Use them if you need to, or leave them blank.
2nd, make sure you are using the v1.0 software rather than the Beta versions. Some people are playing with the iptables scripts forgetting that there cannot be any SNATing on the ipsec channel!!
3rd, enter the subnets that you use in the local network, so, without a hop, match the settings on each Smoothie's GREEN interface
4th, make sure you use different GREEN ip ranges so local routing knows they are remote addresses...
5th, make the ip numbers in 'left' & 'right' as static as possible, even if this means leaving the VPN up all the time.
6th, copy the "secret" to each machine.
7th, make sure the information is "identical" in each Smoothie. "left" is eg 195.117.7.xxx in each Smoothie. Don't swap the left/right numbers at each end...

Comments...
Especially for Dynamic numbers... figure out how often your DSL numbers rotate. If it's a real bugger, get static numbers. This is how often you will need to change the left/right numbers.
There is a Smoothwall GPL mailing-list forum from their website for any newbie/technical questions, and an archive for historically "similar" questions.

Last edited by peter_robb; 02-28-2003 at 10:35 AM.
 
Old 02-03-2003, 06:26 AM   #3
kalliste
LQ Newbie
 
Registered: Jan 2003
Location: UK
Distribution: RedHat and Slackware
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for that, Peter. I think I must still be doing something wrong though.

I have set up the following:

Name = VPN1
Left = Green Interface IP (leeds base)
Left Next Hop = Red Interface IP (leeds base)
subnet= Green Interface Subnet (255.255.255.0)

Right= Green Interface IP (manchester base)
Right Next Hop= Red Interface IP (manchester base)
subnet= Green Interface Subnet (255.255.255.0)

I have clicked ADD but get the message: RIGHT SUBNET IS INVALID.

Um....? Any ideas? Perhaps I'm just being really thick...

Kind Regards.
Dylan
 
Old 02-28-2003, 10:30 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Sorry for the earlier mistake...

From the built-in Smoothie help file in the VPN tag...
"Name: A simple name to reference this connection. Use lowercase letters only.
Left = vpn1 (Leeds)
Right = vpn2 (Manchester)

Left/Right: The internet IP address of the Left/Right side of the connection.
Left = Leeds RED ip number
Right = Manchester RED ip number

Left/Right next hop: The next hop from Left/Right side back into the Internet (i.e. the default gateway of the left/right RED device).
Left = ISP gateway ip number Leeds Smoothwall is using in routing table
Right = ISP gateway ip number Manchester Smoothwall is using in routing table

Left/Right subnet: The network of the left/right hand side (e.g. 192.168.0.0/24 would include 192.168.0.*).
Left = Leeds network 192.168.1.0/24
Right = Manchester network 192.168.2.0/24

Secret: The password for the connection.

Last edited by peter_robb; 02-28-2003 at 10:43 AM.
 
Old 03-13-2003, 05:04 AM   #5
grrt
LQ Newbie
 
Registered: Mar 2003
Location: Netherlands
Distribution: Smoothwall / RH 8.0
Posts: 1

Rep: Reputation: 0
question from another newbie

Left/Right subnet: The network of the left/right hand side (e.g. 192.168.0.0/24 would include 192.168.0.*).
Left = Leeds network 192.168.1.0/24
Right = Manchester network 192.168.2.0/24

Hello guys, I am trying to set up a vpn as well using your information. But I don't really understand the information about the above (/24) so I would like to ask Kalliste what the exact subnets are he used to make his vpn work.

regards, gerry
 
Old 04-03-2003, 03:49 PM   #6
chrisknight
Member
 
Registered: Jan 2003
Location: ohio
Distribution: CentOS7.6
Posts: 157

Rep: Reputation: 15
The * is a wildcard.
so, 192.168.1.* for you
and, 192.168.2.* for the other end will work.
 
Old 03-26-2011, 04:49 AM   #7
PhantomGriffin
LQ Newbie
 
Registered: Mar 2011
Distribution: Ubuntu and Fedora
Posts: 2

Rep: Reputation: 0
Cool First Post - Explaining Subnetting

Quote:
Originally Posted by grrt View Post
Left/Right subnet: The network of the left/right hand side (e.g. 192.168.0.0/24 would include 192.168.0.*).
Left = Leeds network 192.168.1.0/24
Right = Manchester network 192.168.2.0/24

Hello guys, I am trying to set up a vpn as well using your information. But I don't really understand the information about the above (/24) so I would like to ask Kalliste what the exact subnets are he used to make his vpn work.

regards, gerry
Gerry, I hope I can answer your question about the 192.168.1.0/24.

The first thing I believe I need to tell you about is the 24. The 24 is another way of saying 255.255.255.0.

Remembering that you can use the numbers from 0 to 255, that is 256 possible numbers to use. 256 in decimal is 11111111 in binary. Therefore in binary the subnet is 11111111.11111111.11111111.00000000. OK, now, after explaining that, the question is: how many 1 binary bits are used when the subnet mask is 255.255.255.0? 24; that is where the 24 comes from.

Now because 255.255.255 is used for the subnet mask that means the subnet is 192.168.1

I hope that clears up any confusion

Regards

Phantom
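
Added example, not part of any post in this thread and not Smoothwall's own validation code: a Python check over the field layout quoted in post #4 and the /24 notation explained in post #7. The function names, dictionary keys and the 203.0.113.x / 198.51.100.x addresses are assumptions made up for illustration.

```python
import ipaddress

# RFC 1918 private ranges; the GREEN networks in the thread sit in 192.168.0.0/16.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def to_cidr(network, netmask):
    """Network + dotted mask -> CIDR; 255.255.255.0 has 24 one-bits, hence /24."""
    return str(ipaddress.ip_network(f"{network}/{netmask}"))

def check_tunnel(cfg):
    """Return a list of problems in one set of VPN fields (hypothetical checker)."""
    problems, nets = [], {}
    for side in ("left", "right"):
        try:
            addr = ipaddress.ip_address(cfg[side])
            if any(addr in n for n in RFC1918):
                problems.append(f"{side}: {addr} is a private address, expected the RED internet IP")
        except ValueError:
            addr = None
            problems.append(f"{side}: not an IP address")
        hop = cfg.get(f"{side}_next_hop")
        if hop:  # optional field, may be left blank
            try:
                if ipaddress.ip_address(hop) == addr:
                    problems.append(f"{side}_next_hop: same as {side}, expected the ISP gateway")
            except ValueError:
                problems.append(f"{side}_next_hop: not an IP address")
        subnet = cfg[f"{side}_subnet"]
        try:
            if "/" not in subnet:  # a bare dotted mask would otherwise parse as a /32 host
                raise ValueError
            nets[side] = ipaddress.ip_network(subnet)  # strict: host bits must be zero
        except ValueError:
            problems.append(f"{side}_subnet: {subnet!r} is not network/prefix, e.g. 192.168.1.0/24")
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        problems.append("left_subnet and right_subnet overlap; each site needs its own range")
    return problems

# Constructed sample values: 203.0.113.x / 198.51.100.x are documentation addresses
# standing in for the thread's A.B.C.D and E.F.G.H.
GOOD = {"left": "203.0.113.10", "left_next_hop": "203.0.113.9", "left_subnet": "192.168.1.0/24",
        "right": "198.51.100.20", "right_next_hop": "198.51.100.17", "right_subnet": "192.168.2.0/24"}
# Layout from post #3: GREEN IPs as left/right and a dotted mask in the subnet field.
BAD = {"left": "192.168.1.1", "left_next_hop": "203.0.113.10", "left_subnet": "255.255.255.0",
       "right": "192.168.2.1", "right_next_hop": "198.51.100.20", "right_subnet": "255.255.255.0"}

if __name__ == "__main__":
    print(check_tunnel(GOOD) or "ok", *check_tunnel(BAD), sep="\n")
```

The same dictionary has to pass on both firewalls, since the thread's advice is that left and right are entered identically at each end.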
 
Old 10-19-2012, 11:56 AM   #8
marcus556
LQ Newbie
 
Registered: Mar 2010
Posts: 4

Rep: Reputation: 0
What if you have VLANs configured? What subnets do you put it in then? The subnet of the device you want to retrieve files from or the subnet of the router?

Also, is this a site to site VPN or can it be accessed outside from any network?

Last edited by marcus556; 10-19-2012 at 12:10 PM.
 
  

