[techtalk] linux vpn/routing

Neale Green neale at neale.org
Wed May 2 12:16:33 EST 2001


Jen,

There is one problem that I can see with what you're proposing, which may, or 
may not, be relevant, depending on what you're actually planning to implement. 

IF you're planning a "proper" VPN, you should have a Firewall setup which 
prevents ANY traffic which does not pass through the VPN, to ensure that 
everything that goes through is authenticated at the VPN, and transmitted in 
encrypted form (otherwise, why bother with a VPN?). 

If you block non-VPN traffic in this way, pings would not be able to get 
through the link, unless you use static routing between the two ends of the VPN 
link AND the user has been authenticated at the VPN.

With the above scenario I am, of course, presuming that you're using 
authentication at the VPN; if you're using a static VPN link, the proviso on 
user authentication is invalid (though the use of static addresses is risky if 
the environment is visible outside your network). I am also presuming that 
you're not planning on just passing specific traffic on a given port through 
the VPN, and allowing other traffic to utilise other routes. As noted above, 
though, this would, in effect, invalidate the use of the VPN, unless this is 
only an exercise in the creation of a VPN.

Sorry to rabbit on, as you may have guessed, I work in computer security ;^)

Hope this is of use.

Regards,

Neale
> 
> I have two clusters of web servers that I need to set up a
> VPN between. Each server has 2 nics: eth0 has a public address
>                                      eth1 has a private address, 192.168.x.x
> 

> Before I can start adding encryption into the mix I need to resolve
> some routing issues. Will it be possible for me to get 192.168.1.170
> to ping 192.168.2.4 ?
> what routes are necessary?
> 
> please let me know what other information I can provide to be more
> helpful. I guess first I need to know if this is possible. It seems to me
> that you can probably do it as long as both public interfaces can reach
> each other. I just feel like I am not looking at this correctly.
> 
> thanks in advance,
> 
> 
> Jen
> 
> 
> x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x
> 	batgirl at sdf.lonestar.org
> x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x
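As an added example (not code from either poster), one way to set up the static routes Jen asks about on the cluster gateway while enforcing the policy Neale describes, that private-side traffic may only cross the link through the VPN. It assumes iptables on a 2.4-era kernel, a tunnel interface called tun0 and a gateway private address of 192.168.1.1, none of which are in the thread; commands are printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: routing + firewall for one VPN gateway per cluster.
# Assumptions (constructed, not from the thread): the VPN presents a
# tunnel device "tun0", iptables is in use, and one host in each cluster
# acts as the gateway for the rest of its private subnet.
LOCAL_NET=192.168.1.0/24   # this cluster's private side (eth1)
REMOTE_NET=192.168.2.0/24  # the other cluster's private side
GW_PRIV=192.168.1.1        # this gateway's eth1 address (assumed)
PUB_IF=eth0
PRIV_IF=eth1
VPN_IF=tun0                # assumed tunnel device name
APPLY=${APPLY:-0}          # APPLY=1 executes; otherwise commands are printed

run() { if [ "$APPLY" = 1 ]; then "$@"; else echo "$*"; fi; }

# Gateway: the remote private subnet is reachable only via the tunnel.
# Without this route, 192.168.2.x packets follow the default route out
# eth0 unencrypted (and are dropped upstream, as 192.168/16 is private).
add_routes() {
    run ip route add "$REMOTE_NET" dev "$VPN_IF"
}

# Every other server in the cluster sends remote-private traffic to the
# gateway's private address, never out its own public interface.
add_member_route() {
    run ip route add "$REMOTE_NET" via "$GW_PRIV" dev "$PRIV_IF"
}

# Firewall: forward between the private nets only when the tunnel is one
# end of the path, and never let private-net traffic leave via eth0.
add_firewall() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -i "$PRIV_IF" -o "$VPN_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    run iptables -A FORWARD -i "$VPN_IF" -o "$PRIV_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    # Catch a missing or withdrawn route: private destinations must never
    # appear in the clear on the public interface.
    run iptables -A FORWARD -o "$PUB_IF" -d "$REMOTE_NET" -j DROP
    run iptables -A OUTPUT -o "$PUB_IF" -d "$REMOTE_NET" -j DROP
}

# Check on a live box: the kernel's route for a remote host must be tun0.
route_check() {
    ip route get 192.168.2.4 2>/dev/null | grep -q "dev $VPN_IF"
}
```

The mirror image (LOCAL_NET and REMOTE_NET swapped, gateway address adjusted) goes on the other cluster's gateway; once both sides are up, the ping in the original question should succeed and `route_check` should return true on each gateway.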