[techtalk] linux vpn/routing
Neale Green
neale at neale.org
Wed May 2 12:16:33 EST 2001
Jen,
There is one problem that I can see with what you're proposing, which may, or
may not, be relevant, depending on what you're actually planning to implement.
IF you're planning a "proper" VPN, you should have a Firewall setup which
prevents ANY traffic which does not pass through the VPN, to ensure that
everything that goes through is authenticated at the VPN, and transmitted in
encrypted form (otherwise, why bother with a VPN?).
If you block non-VPN traffic in this way, pings would not be able to get
through the link, unless you use static routing between the two ends of the VPN
link AND the user has been authenticated at the VPN.
With the above scenario I am, of course, presuming that you're using
authentication at the VPN; if you're using a static VPN link, the proviso on
user authentication is invalid (though the use of static addresses is risky if
the environment is visible outside your network). I am also presuming that
you're not planning on just passing specific traffic on a given port through
the VPN, and allowing other traffic to utilise other routes. As noted above,
though, this would, in effect, invalidate the use of the VPN, unless this is
only an exercise in the creation of a VPN.
Sorry to rabbit on, as you may have guessed, I work in computer security ;^)
Hope this is of use.
Regards,
Neale
>
> I have two clusters of web servers that I need to set up a
> VPN between. Each server has 2 nics: eth0 has a public address
> eth1 has a private address, 192.168.x.x
>
> Before I can start adding encryption into the mix I need to resolve
> some routing issues. Will it be possible for me to get 192.168.1.170
> to ping 192.168.2.4 ?
> What routes are necessary?
>
> please let me know what other information I can provide to be more
> helpful. I guess first I need to know if this is possible. It seems to me
> that you can probably do it as long as both public interfaces can reach
> each other. I just feel like I am not looking at this correctly.
>
> thanks in advance,
>
>
> Jen
>
>
> x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x
> batgirl at sdf.lonestar.org
> x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x
>
>
>
> _______________________________________________
> techtalk mailing list
> techtalk at linuxchix.org
> http://www.linux.org.uk/mailman/listinfo/techtalk
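The design point in Neale's reply, modelled as an added example that is not part of the thread: the two private subnets may only reach each other through the tunnel interface, so the ping from 192.168.1.170 to 192.168.2.4 succeeds only once a static route steers the far subnet into the VPN. Interface names (eth0, eth1, tun0) and the /24 prefix lengths are assumptions.

```python
"""Routing-plus-firewall model for the two-cluster VPN discussed above.
Added example; interface names and /24 prefixes are assumed, not from the thread."""
from ipaddress import ip_address, ip_network

VPN_IFACE = "tun0"
SITE_A = ip_network("192.168.1.0/24")  # cluster 1 private side (eth1)
SITE_B = ip_network("192.168.2.0/24")  # cluster 2 private side (eth1)

def lookup(routes, dst):
    """Longest-prefix match: return the outgoing interface for dst, or None."""
    dst = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def firewall_allows(src, dst, out_iface):
    """Neale's rule: traffic between the two private networks must leave via the
    VPN interface; anything taking another route (e.g. the public eth0) is dropped."""
    s, d = ip_address(src), ip_address(dst)
    private_to_private = (s in SITE_A and d in SITE_B) or (s in SITE_B and d in SITE_A)
    if private_to_private:
        return out_iface == VPN_IFACE
    return True  # other traffic is outside this policy's scope

def ping_would_pass(routes, src, dst):
    """Combine routing and firewall: does an ICMP echo from src to dst get out?"""
    iface = lookup(routes, dst)
    return iface is not None and firewall_allows(src, dst, iface)

# Constructed routing table for a host in cluster 1. Without a route for the
# far site, 192.168.2.4 matches only the default route and heads out of the
# public interface, where the firewall drops it.
ROUTES_NO_VPN = [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth1")]
# Static route to the far cluster via the tunnel, as the reply recommends.
ROUTES_WITH_VPN = ROUTES_NO_VPN + [("192.168.2.0/24", VPN_IFACE)]

if __name__ == "__main__":
    print(ping_would_pass(ROUTES_NO_VPN, "192.168.1.170", "192.168.2.4"))    # False
    print(ping_would_pass(ROUTES_WITH_VPN, "192.168.1.170", "192.168.2.4"))  # True
```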