From: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
To: Thomas Kirk <thomas@arkena.com>
Cc: netfilter@lists.netfilter.org,
	Roksana Boreli <Roksana.Boreli@nicta.com.au>
Subject: Re: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
Date: Thu, 26 Aug 2004 06:39:25 -0400
Message-ID: <1093516765.2021.8.camel@localhost>
In-Reply-To: <20040826091328.GD18545@arkena.dk>

On Thu, 2004-08-26 at 05:13, Thomas Kirk wrote:
<snip>
> Excuse me for interrupting the discussion, but I'm in a situation where I
> would like to make a LAN-to-LAN IPsec VPN between two offices, both
> running iptables on the gateways. I've been lurking on the list for
> some time, but I have a few questions regarding this. First, each site
> has a link to the Internet; how to specify which protocols should go
> over the VPN and which should go to the Internet? Which IPsec implementation
> would be the most stable and secure solution to use? Currently I'm
> using a couple of retired PC workstations running Debian woody, so I
> would prefer something that is supported by Debian, but it's not
> absolutely necessary :)
> 
> Thanks in advance
I have been using either strongswan (http://www.strongswan.org) or
openswan (http://www.openswan.org) for an IPSec implementation.  The
Linux 2.6 kernel and I believe some of the later 2.4 kernels support
IPSec natively.  I have yet to experiment with the kernel IPSec.  My
guess is that its code is somewhat cleaner than *swan.

I do like the way in which *swan uses a separate interface for IPSec
traffic.  This makes it simple to identify the VPN traffic in iptables
although it is not impossible to do so with the kernel IPSec.

I have traditionally determined which traffic goes in the clear and
which goes in the tunnel based upon destination network, e.g., traffic
between 192.168.1.0/24 and 10.1.1.0/24 goes through the tunnel while the
rest goes in the clear.  I have been away from configuring *swan for
quite a while and I believe there have been significant advances since
then.  It used to be that one could specify which sockets could be used
to initiate the tunnel but then any traffic could use the tunnel once
established.  I believe one can now restrict a tunnel based upon socket
but I'm not sure.  I would suggest going to either of the sites
mentioned above and perusing the documentation.  Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 
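As an added example, not code from the thread or from the *swan project: the rule set below does what John's paragraph on selecting traffic by destination network describes, for a *swan (KLIPS) gateway. It identifies the site-to-site traffic by the tunnel interface together with the quoted network pair, and adds a guard so that traffic for the remote LAN is logged and dropped rather than sent in the clear if the tunnel is down. The interface names (eth0, eth1, ipsec0) and the separately configured NAT are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from *swan: iptables rules for a
# *swan (KLIPS) gateway in the LAN-to-LAN case described above.
# Assumed names: eth0 is the Internet link, eth1 the local LAN, ipsec0 the
# virtual interface *swan binds to eth0. Networks are the pair quoted in the message.
EXT_IF=eth0
LAN_IF=eth1
IPSEC_IF=ipsec0
LOCAL_NET=192.168.1.0/24
REMOTE_NET=10.1.1.0/24

# Emit the rule set as text so it can be reviewed before it is applied.
vpn_rules() {
  cat <<EOF
# Let the tunnel itself be negotiated: IKE (UDP 500) and ESP (protocol 50) on the outside.
iptables -A INPUT -i $EXT_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $EXT_IF -p 50 -j ACCEPT
# Site-to-site traffic is only valid when it enters or leaves via the tunnel interface.
iptables -A FORWARD -i $LAN_IF -o $IPSEC_IF -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
iptables -A FORWARD -i $IPSEC_IF -o $LAN_IF -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
# Leak guard: with the tunnel down, remote-LAN traffic must not go out in the clear.
iptables -A FORWARD -o $EXT_IF -d $REMOTE_NET -j LOG --log-prefix "vpn-leak: "
iptables -A FORWARD -o $EXT_IF -d $REMOTE_NET -j DROP
# Everything else from the LAN reaches the Internet in the clear (NAT is assumed to be
# configured separately); replies come back via connection tracking.
iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LOCAL_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

# Sanity check: the VPN path must be scoped to the tunnel interface, not matched on
# addresses alone, otherwise cleartext packets with the same addresses would pass.
tunnel_rule_count() {
  vpn_rules | grep -c -- "$IPSEC_IF"
}

# Apply only on a gateway that has iptables and when explicitly asked; otherwise print.
if [ "${APPLY:-no}" = yes ] && command -v iptables >/dev/null 2>&1; then
  vpn_rules | sh
else
  vpn_rules
fi
```

With the native 2.6 kernel IPsec there is no ipsec0 interface, so the interface-scoped rules above do not carry over unchanged; the leak-guard rule on eth0 still applies.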


