* [LARTC] IPSec gateway configuration
@ 2005-03-21 14:12 Vlad Adomnicai
  2005-03-21 16:41 ` Eugene Butan
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Vlad Adomnicai @ 2005-03-21 14:12 UTC (permalink / raw)
  To: lartc

Hi,
  I'm trying to build an ipsec gateway and somewhere I'm doing something 
wrong.
 
  I have a couple of routers that have clients in their back. All the 
routers are connected into a switch. In that switch I also have a 
computer that provides internet access to the clients.
   I would like to set up some sort of authentication (don't need 
encryption), to allow me to give access to different services to 
clients. Differentiating services I can do on the internet gateway, but 
on the routers I have to be certain that a certain IP is not stolen.
  I have set up ipsec so that if a client pings his gateway, it will 
work only if he has the same key as defined on the server. However, if 
he pings the internet gateway, it will work, no matter what I do. I 
would like the router to validate all packets to the outside LAN. Also I 
would like to achieve this with the lowest CPU utilization possible 
although this isn't critical. (about 150 clients behind one router 
(p2-400/p3-600)).

  The documentation that I have found was only how to establish secure 
connection between two computers, but what I need is to get outside of 
it and if possible to not use VPN, because I want the clients that are 
in the same LAN have maximum transfer speeds.

  Thx for any suggestions in advance.

Vlad Adomnicai

_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] IPSec gateway configuration
  2005-03-21 14:12 [LARTC] IPSec gateway configuration Vlad Adomnicai
@ 2005-03-21 16:41 ` Eugene Butan
  2005-03-21 17:44 ` Vlad Adomnicai
  2005-03-21 18:20 ` Eugene Butan
  2 siblings, 0 replies; 4+ messages in thread
From: Eugene Butan @ 2005-03-21 16:41 UTC (permalink / raw)
  To: lartc

Hello Vlad,

Why not just use PPPoE between your gateways and clients?
This way you will be sure that only authenticated clients will be given 
Internet access.

Eugene


* Re: [LARTC] IPSec gateway configuration
  2005-03-21 14:12 [LARTC] IPSec gateway configuration Vlad Adomnicai
  2005-03-21 16:41 ` Eugene Butan
@ 2005-03-21 17:44 ` Vlad Adomnicai
  2005-03-21 18:20 ` Eugene Butan
  2 siblings, 0 replies; 4+ messages in thread
From: Vlad Adomnicai @ 2005-03-21 17:44 UTC (permalink / raw)
  To: lartc

Hi,
  Indeed, PPPoE is great for this, but unfortunately, in my case I would 
prefer something else. For PPPoE all the auth stuff is easy, but if two 
clients from the same LAN try to copy from each other, they are killing 
the processor and the network card in the router instead of copying 
directly from one another via the switches. Another problem with the 
PPPoE I couldn't solve was strange disconnects of clients. I couldn't 
trace them to high cpu load or high network traffic. They simply appear 
to be random and more, when the connection crashes, I get mismatches 
between the number of pppX interfaces from ifconfig output and the 
number of interfaces that I see in /proc/net/dev.
  With the IPSec I hoped to ease some traffic from the routers and also 
decrease the cpu load. Also I hoped I could get rid of the nasty 
disconnects.

Vlad Adomnicai


* Re: [LARTC] IPSec gateway configuration
  2005-03-21 14:12 [LARTC] IPSec gateway configuration Vlad Adomnicai
  2005-03-21 16:41 ` Eugene Butan
  2005-03-21 17:44 ` Vlad Adomnicai
@ 2005-03-21 18:20 ` Eugene Butan
  2 siblings, 0 replies; 4+ messages in thread
From: Eugene Butan @ 2005-03-21 18:20 UTC (permalink / raw)
  To: lartc

On Monday 21 March 2005 19:44, Vlad Adomnicai wrote:
> Hi,
>   Indeed, PPPoE is great for this, but unfortunately, in my case I would
> prefer something else. For PPPoE all the auth stuff is easy, but if two
> clients from the same LAN try to copy from each other, they are killing
> the processor and the network card in the router instead of copying
> directly from one another via the switches.

You can set up a multi-homed client to address this issue.

> Another problem with the 
> PPPoE I couldn't solve was strange disconnects of clients. I couldn't
> trace them to high cpu load or high network traffic. They simply appear
> to be random and more, when the connection crashes, I get mismatches
> between the number of pppX interfaces from ifconfig output and the
> number of interfaces that I see in /proc/net/dev.

Works for me. Are you using encryption?

>   With the IPSec I hoped to ease some traffic from the routers and also
> decrease the cpu load. Also I hoped I could get rid of the nasty
> disconnects.


Just one more thought: you can use a so-called HotSpot solution.
And since this thread clearly becomes off-topic, you can hit me with e-mail 
directly.
