[techtalk] linux vpn/routing

JLG batgirl at SDF.lonestar.org
Tue May 1 23:13:41 EST 2001


On Wed, 2 May 2001, Neale Green wrote:


Neale,
Thanks for the quick reply, yes there are plans for a firewall.
This is my first Linux VPN though, and at first I went full throttle into 
FreeS/WAN and things didn't quite work, so I am stepping back and
approaching this in these steps:

1. Nothing will work with encryption if it doesn't first work without.
   I need to nail down the topology issue first. But, yeah, I expect
   to use static routes.

2. Add encryption. Once IKE, ESP and all those other lovely new terms I'm
   learning are cooperating I can start thinking about rejecting all
   traffic on eth1 that doesn't play by their rules.

3. Start adding firewall rules. This way as I add rules I know that
   any problems that occur are fw related, and not key negotiation or
   routing (with luck)

4. Rinse and repeat. Another cluster will be added after I successfully 
   get this first tunnel going.

Thanks!
I appreciate any further guidance you have to offer.

Jen

> Jen,
> 
> There is one problem that I can see with what you're proposing, which may, or 
> may not, be relevant, depending on what you're actually planning to implement. 
> 
> IF you're planning a "proper" VPN, you should have a Firewall setup which 
> prevents ANY traffic which does not pass through the VPN, to ensure that 
> everything that goes through is authenticated at the VPN, and transmitted in 
> encrypted form (otherwise, why bother with a VPN?). 
> 
> If you block non-VPN traffic in this way, pings would not be able to get 
> through the link, unless you use static routing between the two ends of the VPN 
> link AND the user has been authenticated at the VPN.
> 
> With the above scenario I am, of course, presuming that you're using 
> authentication at the VPN; if you're using a static VPN link, the proviso on 
> user authentication is invalid (though the use of static addresses is risky if 
> the environment is visible outside your network). I am also presuming that 
> you're not planning on just passing specific traffic on a given port through 
> the VPN, and allowing other traffic to utilise other routes. As noted above, 
> though, this would, in effect, invalidate the use of the VPN, unless this is 
> only an exercise in the creation of a VPN.
> 
> Sorry to rabbit on, as you may have guessed, I work in computer security ;^)
> 
> Hope this is of use.
> 
> Regards,
> 
> Neale
> > 
> > I have two clusters of web servers that I need to set up a
> > VPN between. Each server has 2 NICs: eth0 has a public address,
> > eth1 has a private address, 192.168.x.x
> > 
> 
> > Before I can start adding encryption into the mix I need to resolve
> > some routing issues. Will it be possible for me to get 192.168.1.170
> > to ping 192.168.2.4 ?
> > What routes are necessary?
> > 
> > Please let me know what other information I can provide to be more
> > helpful. I guess first I need to know if this is possible. It seems to me
> > that you can probably do it as long as both public interfaces can reach
> > each other. I just feel like I am not looking at this correctly.
> > 
> > thanks in advance,
> > 
> > 
> > Jen
> > 
> > 
> > x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x
> > 	batgirl at sdf.lonestar.org
> > x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x
> > 
> > 
> > 
> > _______________________________________________
> > techtalk mailing list
> > techtalk at linuxchix.org
> > http://www.linux.org.uk/mailman/listinfo/techtalk

x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x
	batgirl at sdf.lonestar.org
x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x-x
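An added illustration (not from this thread or from FreeS/WAN) of the two points the thread circles around: without a static route for the remote private net, a packet for 192.168.2.4 follows the default route out the public NIC in the clear, and Neale's firewall rule is that the public NIC should pass only IKE and ESP to the VPN peer. The public addresses, the gateway and the `ipsec0` interface name are assumptions.

```python
"""Simulate the routing decision and public-NIC policy for the two-cluster VPN."""
from ipaddress import ip_address, ip_network

# 192.168.1.170 and 192.168.2.4 come from the thread; the public addresses are
# constructed placeholders from the documentation ranges.
LOCAL_PRIVATE = ip_network("192.168.1.0/24")
PEER_PRIVATE = ip_network("192.168.2.0/24")
PEER_PUBLIC = ip_address("198.51.100.20")
PUBLIC_GATEWAY = ip_address("203.0.113.1")

# A routing table is a list of (network, interface, next hop).
BASE_TABLE = [
    (ip_network("0.0.0.0/0"), "eth0", PUBLIC_GATEWAY),  # default via public gw
    (LOCAL_PRIVATE, "eth1", None),                      # directly connected
]

# Jen's step 1: a static route for the remote private net pointing at the
# tunnel. 'ipsec0' is assumed as the tunnel interface name.
TUNNEL_TABLE = BASE_TABLE + [(PEER_PRIVATE, "ipsec0", PEER_PUBLIC)]


def lookup(table, dst):
    """Longest-prefix match, as the kernel does it: most specific route wins."""
    dst = ip_address(dst)
    matches = [route for route in table if dst in route[0]]
    return max(matches, key=lambda route: route[0].prefixlen, default=None)


def egress(table, dst):
    """Interface a packet to dst would leave on, or None if unroutable."""
    route = lookup(table, dst)
    return route[1] if route else None


def leaks_cleartext(table, dst):
    """True if traffic for the remote private net would exit eth0 unprotected."""
    return ip_address(dst) in PEER_PRIVATE and egress(table, dst) == "eth0"


def public_nic_allows(proto, port, peer):
    """Neale's rule for eth0: only IKE (UDP/500) and ESP to the VPN peer pass.

    Everything else, including a bare ping to the far side, is dropped, so
    a private address can only be reached if its route goes via the tunnel.
    """
    if ip_address(peer) != PEER_PUBLIC:
        return False
    return proto == "esp" or (proto == "udp" and port == 500)
```

Run `egress(BASE_TABLE, "192.168.2.4")` against `egress(TUNNEL_TABLE, "192.168.2.4")` to see the default route swallowing the ping before the static route exists.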




