From: "René Gallati" <draxinusom@gmail.com>
To: Netfilter Mailing List <netfilter@lists.netfilter.org>
Cc: Nick Drage <nickd@metastasis.org.uk>
Subject: Re: vpn
Date: Wed, 15 Sep 2004 10:42:36 +0200 [thread overview]
Message-ID: <50f03b970409150142291aaa96@mail.gmail.com> (raw)
In-Reply-To: <20040914160735.GP26823@metastasis.org.uk>
On Tue, 14 Sep 2004 17:07:35 +0100, Nick Drage <nickd@metastasis.org.uk> wrote:
> On Tue, Sep 14, 2004 at 10:42:27AM -0400, John A. Sullivan III wrote:
> > On Tue, 2004-09-14 at 09:46, Peter Marshall wrote:
>
> <snip>
>
> > I would suggest an IPSec VPN using either the native IPSec stack in the
> > latest Linux or either StrongSWAN (www.strongswan.org) or OpenSWAN
> > (www.openswan.org) and placing access control and VPN on the same
> > device. That is how we design most devices for use in the ISCS project
> > (http://iscs.sourceforge.net).
>
> Reading "Network Security Hacks" recently I liked the look of VTun. Any
> thoughts on that? How does it interface with IPTables?
As far as I know openvpn uses it
(http://openvpn.sourceforge.net/index.html) It is fairly easy to
install and far more flexible and robust if one or both sides of the
tunnels have dynamic ip addresses. I've used FreeSwan for some years
and always had stability troubles when one side went down but the
tunnel wasn't properly terminated on the other side and such things.
I've switched to openvpn after the removal of the ipsec pseudodevices
which made my firewall rules unusable.
Now with openvpn you again have a device per tunnel on which you can
easily filter as before with ipsecN, just now they are called tunN
and/or tapN (depending on which type of tunnel you want)
You can furthermore do some things that ipsec cannot or are very
difficult. Using the tap's it emulates a virtual network card, so you
have arp running over it. You can easily do dhcp over taps and
furthermore broadcasts and multicast simply works over these pseudo
devices. It's just like both ends of the vpn have an additional nic
that is directly connected to each other.
I currently use it in a project where many peers connect to one vpn
server which then bridges together all these vpn endpoints and thus
creates one big "lan" segment where the peers can communicate to each
other mainly using broadcast and multicast. (it's a network testbed
for multihop routing protocols)
--
C U
- -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
next prev parent reply other threads:[~2004-09-15 8:42 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-09-14 13:46 vpn Peter Marshall
2004-09-14 13:55 ` vpn George Ross
2004-09-14 14:22 ` vpn Brent Clark
2004-09-14 14:31 ` vpn Michael Gale
2004-09-14 14:42 ` vpn John A. Sullivan III
2004-09-14 16:07 ` vpn Nick Drage
2004-09-15 3:01 ` vpn Ted Kaczmarek
2004-09-15 8:42 ` René Gallati [this message]
2004-09-15 11:37 ` vpn John A. Sullivan III
2004-09-14 17:20 ` vpn Jason Opperisano
-- strict thread matches above, loose matches on Subject: below --
2004-06-30 16:34 VPN paulobruck1
2004-06-30 16:52 ` VPN John A. Sullivan III
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50f03b970409150142291aaa96@mail.gmail.com \
--to=draxinusom@gmail.com \
--cc=netfilter@lists.netfilter.org \
--cc=nickd@metastasis.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.