The aim of this question is to improve my ability to technically apply the idea of routing specific traffic through an IPsec tunnel before it reaches the Internet.
So far the best way I can understand gateways over a VPN connection is with the OpenVPN protocol.
Please bear with me while I present my perception of the difference between OVPN and IPsec.
The architecture in OVPN is fairly simple. The OpenVPN server's IP serves as the gateway for that particular routing table. In the simplest example, you'd have a local host in a LAN such as 192.168.0.0/24, and the routing table for the machine would look like this:
0.0.0.0/0 via
192.168.0.0/24 via
via
Voila!
In the case of having multiple networks, you can have either a separate routing table for each of them or something different depending on the system and vendor (in MikroTik you have lookup-only-in-table; in OPNsense, specifying the gateway in an outbound NAT rule is enough).
Now, given this framework, comes my point. In the case of IPsec, to me it seems quite different, and here is why: protocols such as OpenVPN work on the basis of creating a virtual interface, whereas IPsec actually creates a ROUTE. I don't know if I'm getting it wrong; please state your case if you think so.
So, with OpenVPN you can simply say: masquerade all traffic out through this interface. But with IPsec, what do you say? Where ("where" in terms of "what IP") do you send the packets that need to be masqueraded afterwards?
Now, hopefully I explained myself well enough. However, I'm not done.
There is another point, which is where all this came from: a configuration a colleague made on a FortiGate device where we have this setup working (meaning two networks, e.g. 192.168.0.0/24 and 192.168.1.0/24, where the first one goes NAT'ed out from WAN1 and the second one somehow gets NAT'ed out from the remote IPsec site), and I saw that the gateway IP for the second network mentioned in the parentheses was darn 0.0.0.0/0. It blew my mind. That is the reason for this question, because I want to know why this works, whether he did it in the best way, and if not, what way would be best instead.
Happy April, and thanks in advance for any kind of help. 🙂
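As an added illustration (not from the question or from any vendor), here is a small Python model of the two dispatch styles the question contrasts: OpenVPN-style routing, where the tunnel is an interface reached through ordinary routes, versus policy-based IPsec, where a security policy with a 0.0.0.0/0 destination selector steers traffic into the tunnel without any route or gateway being involved. All addresses, interface names and the peer IP are constructed; the bypass entry for LAN-to-LAN traffic is included because ordering it first is the usual pitfall when the selector is 0.0.0.0/0.

```python
import ipaddress
# Constructed addresses for illustration: two LANs behind one gateway box.
LAN_A = ipaddress.ip_network("192.168.0.0/24")  # NAT'ed out of WAN1
LAN_B = ipaddress.ip_network("192.168.1.0/24")  # should leave via the tunnel
ANY = ipaddress.ip_network("0.0.0.0/0")
PEER = "203.0.113.10"  # hypothetical remote IPsec gateway

# Model 1 (OpenVPN-style): the tunnel is an interface (tun0) reached by
# ordinary routes; a per-source table gives LAN_B its own default route.
MAIN_TABLE = [(ANY, "wan1"), (LAN_A, "lan0"), (LAN_B, "lan1"),
              (ipaddress.ip_network("10.8.0.0/24"), "tun0")]
SOURCE_TABLES = {LAN_B: [(ANY, "tun0")]}

def lookup_route(src, dst, source_tables=SOURCE_TABLES):
    """Pick the source-specific table (if any), then longest-prefix match
    over it plus the main table; the source table wins ties."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    extra = next((t for net, t in source_tables.items() if src in net), [])
    matches = [(net, dev) for net, dev in extra + MAIN_TABLE if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

# Model 2 (policy-based IPsec): no tunnel interface and no route to it.
# A security policy database (SPD) is matched on src/dst selectors, first
# hit wins, and a "protect" hit is encapsulated to the peer regardless of
# the routing table. That is why a 0.0.0.0/0 selector is all it takes.
SPD = [
    (LAN_B, LAN_A, "bypass"),  # LAN-to-LAN stays local: must be listed first
    (LAN_B, ANY, "protect"),
]

def lookup_spd(src, dst, spd=SPD):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s_sel, d_sel, action in spd:
        if src in s_sel and dst in d_sel:
            return action
    return "bypass"  # no policy: plain routing

def dispatch_ipsec(src, dst, spd=SPD):
    """Policy-based dispatch: SPD first, ordinary routing only on bypass."""
    if lookup_spd(src, dst, spd) == "protect":
        return "esp->" + PEER
    return lookup_route(src, dst, source_tables={})

if __name__ == "__main__":
    for s, d in [("192.168.0.10", "198.51.100.7"),
                 ("192.168.1.10", "198.51.100.7"),
                 ("192.168.1.10", "192.168.0.20")]:
        print(f"{s} -> {d}: OpenVPN model {lookup_route(s, d)}, "
              f"IPsec model {dispatch_ipsec(s, d)}")
```

Dropping the bypass entry (passing `spd=SPD[1:]`) sends LAN_B-to-LAN_A traffic into the tunnel too, which is the behaviour a 0.0.0.0/0 selector gives unless a more specific policy precedes it.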