* vpn
From: Peter Marshall @ 2004-09-14 13:46 UTC (permalink / raw)
To: netfilter
I need to set up a VPN. I am trying to figure out which would be best. I
need to connect my office with a sister office. The employees are using
Windows machines. They want to be able to get and put files from a Windows
file server. Windows networking would be a bonus. Both offices have Linux
firewalls. Would SSH over a PPP tunnel work for this? Would PPTP or
CIPE be a better solution?
I have my network setup below. I was also wondering if it would be better
to put the VPN server behind the internal firewall, in the DMZ, or
make it part of the internal firewall.
My network in a nutshell:
I have an internal network with an internal firewall. I have an external
network with an external firewall, and a DMZ between the internal and the
external firewall. All numbers in the DMZ are Internet-routable (they have
their own /26 network). The external firewall has a /29 subnet on its
external interface.
thanks for the help.
Peter
Peter Marshall, BCS
Network Administrator, CARIS
115 Waggoners Lane, Fredericton NB, E3B 2L4 CANADA
Phone: (506) 458-8533 (Reception)
* Re: vpn
From: George Ross @ 2004-09-14 13:55 UTC (permalink / raw)
To: Peter Marshall; +Cc: netfilter
> I need to set up a VPN. I am trying to figure out which would be best. I
> need to connect my office with a sister office. The employees are using
> Windows machines. [...]
This is rather off-topic, but <http://openvpn.sourceforge.net/index.html>...
--
Dr George D M Ross, School of Informatics, University of Edinburgh
Kings Buildings, Mayfield Road, Edinburgh, Scotland, EH9 3JZ
Mail: gdmr@inf.ed.ac.uk Voice: +44 131 650 5147 Fax: +44 131 667 7209
PGP: 1024D/AD758CC5 B91E D430 1E0D 5883 EF6A 426C B676 5C2B AD75 8CC5
* RE: vpn
From: Brent Clark @ 2004-09-14 14:22 UTC (permalink / raw)
To: Peter Marshall, netfilter
Hi
maybe look at openswan.
Kind Regards
Brent Clark
* Re: vpn
From: Michael Gale @ 2004-09-14 14:31 UTC (permalink / raw)
To: netfilter
Place the VPN on the firewall box, NOT on a separate box in the DMZ; otherwise you will most likely have to do NATing
on the VPN connections to the DMZ network, or run into other problems.
Check out Super FreeS/WAN.
Michael
On Tue, 14 Sep 2004 10:46:14 -0300
"Peter Marshall" <peter.marshall@caris.com> wrote:
> I need to set up a VPN. I am trying to figure out which would be best. I
> need to connect my office with a sister office. The employees are using
> Windows machines. They want to be able to get and put files from a Windows
> file server. Windows networking would be a bonus. Both offices have Linux
> firewalls. Would SSH over a PPP tunnel work for this? Would PPTP or
> CIPE be a better solution?
>
> I have my network setup below. I was also wondering if it would be better
> to put the VPN server behind the internal firewall, in the DMZ, or
> make it part of the internal firewall.
>
> My network in a nutshell:
> I have an internal network with an internal firewall. I have an external
> network with an external firewall, and a DMZ between the internal and the
> external firewall. All numbers in the DMZ are Internet-routable (they have
> their own /26 network). The external firewall has a /29 subnet on its
> external interface.
>
> thanks for the help.
>
> Peter
>
> Peter Marshall, BCS
> Network Administrator, CARIS
> 115 Waggoners Lane, Fredericton NB, E3B 2L4 CANADA
> Phone: (506) 458-8533 (Reception)
--
Michael Gale
Network Administrator
Utilitran Corporation
* Re: vpn
From: John A. Sullivan III @ 2004-09-14 14:42 UTC (permalink / raw)
To: Peter Marshall; +Cc: netfilter
On Tue, 2004-09-14 at 09:46, Peter Marshall wrote:
> I need to set up a VPN. I am trying to figure out which would be best. I
> need to connect my office with a sister office. The employees are using
> Windows machines. They want to be able to get and put files from a Windows
> file server. Windows networking would be a bonus. Both offices have Linux
> firewalls. Would SSH over a PPP tunnel work for this? Would PPTP or
> CIPE be a better solution?
>
> I have my network setup below. I was also wondering if it would be better
> to put the VPN server behind the internal firewall, in the DMZ, or
> make it part of the internal firewall.
>
> My network in a nutshell:
> I have an internal network with an internal firewall. I have an external
> network with an external firewall, and a DMZ between the internal and the
> external firewall. All numbers in the DMZ are Internet-routable (they have
> their own /26 network). The external firewall has a /29 subnet on its
> external interface.
<snip>
I would suggest an IPsec VPN using either the native IPsec stack in the
latest Linux, or StrongSWAN (www.strongswan.org) or OpenSWAN
(www.openswan.org), and placing access control and VPN on the same
device. That is how we design most devices for use in the ISCS project
(http://iscs.sourceforge.net).
You will need to manage the Windows networking carefully, as the
broadcasts normally associated with browsing and with some forms of
NetBIOS name resolution will not work through the VPN. There is a lot
of information in the FreeS/WAN / StrongSWAN / OpenSWAN archives about
that. Good luck with it - John
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: vpn
From: Nick Drage @ 2004-09-14 16:07 UTC (permalink / raw)
To: netfilter
On Tue, Sep 14, 2004 at 10:42:27AM -0400, John A. Sullivan III wrote:
> On Tue, 2004-09-14 at 09:46, Peter Marshall wrote:
<snip>
> I would suggest an IPsec VPN using either the native IPsec stack in the
> latest Linux, or StrongSWAN (www.strongswan.org) or OpenSWAN
> (www.openswan.org), and placing access control and VPN on the same
> device. That is how we design most devices for use in the ISCS project
> (http://iscs.sourceforge.net).
Reading "Network Security Hacks" recently I liked the look of VTun. Any
thoughts on that? How does it interface with IPTables?
--
mors omnia vincit
* Re: vpn
From: Ted Kaczmarek @ 2004-09-15 3:01 UTC (permalink / raw)
To: Netfilter Mailing List
On Tue, 2004-09-14 at 12:07, Nick Drage wrote:
> On Tue, Sep 14, 2004 at 10:42:27AM -0400, John A. Sullivan III wrote:
> > On Tue, 2004-09-14 at 09:46, Peter Marshall wrote:
>
> <snip>
>
> > I would suggest an IPsec VPN using either the native IPsec stack in the
> > latest Linux, or StrongSWAN (www.strongswan.org) or OpenSWAN
> > (www.openswan.org), and placing access control and VPN on the same
> > device. That is how we design most devices for use in the ISCS project
> > (http://iscs.sourceforge.net).
>
> Reading "Network Security Hacks" recently I liked the look of VTun. Any
> thoughts on that? How does it interface with IPTables?
Keyword being hack.
Always see if IPsec will meet your needs first. Any encapsulation using
TCP for its upper layer may be easier, but can create all kinds of
interesting things with multiple flows and TCP timers expiring. Great
stuff if you want to be an expert at debugging TCP problems; otherwise
stick to something that uses UDP for its upper layer.
Although for simple traffic with minimal flows it is definitely usable.
Interop with Openswan is excellent as well these days.
Plus with Novell sponsoring Openswan it gives many people a warm fuzzy
feeling, and the list is one of the best there is, no spam assaults like
the old FreeS/WAN list.
Ted
* Re: vpn
From: René Gallati @ 2004-09-15 8:42 UTC (permalink / raw)
To: Netfilter Mailing List; +Cc: Nick Drage
On Tue, 14 Sep 2004 17:07:35 +0100, Nick Drage <nickd@metastasis.org.uk> wrote:
> On Tue, Sep 14, 2004 at 10:42:27AM -0400, John A. Sullivan III wrote:
> > On Tue, 2004-09-14 at 09:46, Peter Marshall wrote:
>
> <snip>
>
> > I would suggest an IPsec VPN using either the native IPsec stack in the
> > latest Linux, or StrongSWAN (www.strongswan.org) or OpenSWAN
> > (www.openswan.org), and placing access control and VPN on the same
> > device. That is how we design most devices for use in the ISCS project
> > (http://iscs.sourceforge.net).
>
> Reading "Network Security Hacks" recently I liked the look of VTun. Any
> thoughts on that? How does it interface with IPTables?
As far as I know OpenVPN uses it
(http://openvpn.sourceforge.net/index.html). It is fairly easy to
install and far more flexible and robust if one or both sides of the
tunnels have dynamic IP addresses. I've used FreeS/WAN for some years
and always had stability troubles when one side went down but the
tunnel wasn't properly terminated on the other side, and such things.
I've switched to OpenVPN after the removal of the ipsec pseudo-devices,
which made my firewall rules unusable.
Now with OpenVPN you again have a device per tunnel on which you can
easily filter as before with ipsecN; they are just now called tunN
and/or tapN (depending on which type of tunnel you want).
You can furthermore do some things that IPsec cannot do, or that are very
difficult. Using the taps it emulates a virtual network card, so you
have ARP running over it. You can easily do DHCP over taps, and
furthermore broadcasts and multicast simply work over these pseudo
devices. It's just like both ends of the VPN have an additional NIC
that is directly connected to each other.
I currently use it in a project where many peers connect to one VPN
server which then bridges together all these VPN endpoints and thus
creates one big "LAN" segment where the peers can communicate with each
other mainly using broadcast and multicast. (It's a network testbed
for multihop routing protocols.)
--
C U
- -- ---- ----- -----/\/ René Gallati \/\---- ----- --- -- -
* Re: vpn
From: John A. Sullivan III @ 2004-09-15 11:37 UTC (permalink / raw)
To: René Gallati; +Cc: Nick Drage, Netfilter Mailing List
On Wed, 2004-09-15 at 04:42, René Gallati wrote:
<snip>
> As far as I know OpenVPN uses it
> (http://openvpn.sourceforge.net/index.html). It is fairly easy to
> install and far more flexible and robust if one or both sides of the
> tunnels have dynamic IP addresses. I've used FreeS/WAN for some years
> and always had stability troubles when one side went down but the
> tunnel wasn't properly terminated on the other side, and such things.
> I've switched to OpenVPN after the removal of the ipsec pseudo-devices,
> which made my firewall rules unusable.
>
> Now with OpenVPN you again have a device per tunnel on which you can
> easily filter as before with ipsecN; they are just now called tunN
> and/or tapN (depending on which type of tunnel you want).
>
> You can furthermore do some things that IPsec cannot do, or that are very
> difficult. Using the taps it emulates a virtual network card, so you
> have ARP running over it. You can easily do DHCP over taps, and
> furthermore broadcasts and multicast simply work over these pseudo
> devices. It's just like both ends of the VPN have an additional NIC
> that is directly connected to each other.
>
> I currently use it in a project where many peers connect to one VPN
> server which then bridges together all these VPN endpoints and thus
> creates one big "LAN" segment where the peers can communicate with each
> other mainly using broadcast and multicast. (It's a network testbed
> for multihop routing protocols.)
OpenVPN does look like a very flexible technology. We are very
interested in integrating other forms of VPN besides IPSec with iptables
in the ISCS project including OpenVPN. As a slight aside, is anyone
interested in working on the OpenVPN module for ISCS (or SSL for that
matter)? The idea is that someone can describe their environment and
ISCS will go out and create and automatically distribute rule sets and
configurations that will make iptables and whatever VPN method work
together to provide a secure communications system. An introduction is
available at http://iscs.sourceforge.net
Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevel.com
* Re: vpn
From: Jason Opperisano @ 2004-09-14 17:20 UTC (permalink / raw)
To: netfilter
On Tue, 2004-09-14 at 09:46, Peter Marshall wrote:
> I need to set up a VPN. I am trying to figure out which would be best. I
> need to connect my office with a sister office. The employees are using
> Windows machines. They want to be able to get and put files from a Windows
> file server. Windows networking would be a bonus. Both offices have Linux
> firewalls. Would SSH over a PPP tunnel work for this? Would PPTP or
> CIPE be a better solution?
IPSec would be the best solution here. openswan is my stack of choice.
> I have my network setup below. I was also wondering if it would be better
> to put the VPN server behind the internal firewall, in the DMZ, or
> make it part of the internal firewall.
Make it part of either the external or internal firewall. If you didn't
have public IPs on the internal firewall, the only proper choice would
be the external firewall. Since you mention putting it on the
internal, that would be a fine choice. Do not put it behind the
internal firewall; that would be a bad choice.
-j
--
Jason Opperisano <opie@817west.com>
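An added example, not code from the thread or from OpenVPN, Openswan or ISCS: a netfilter rule set for the layout Jason and Michael recommend (the tunnel terminates on the firewall itself), using the per-tunnel device René describes (tun0) to confine the sister office to the Windows file server's SMB and NetBIOS ports, which is the access Peter asked for. Interface names, the private ranges, the file server address and the peer's public address are all hypothetical placeholders; DRY_RUN=1 (the default) echoes the iptables commands instead of executing them so the rules can be reviewed before they touch a live firewall. The rules are appended (-A) and assume the chains already have a DROP policy and the usual loopback and state rules; they are a fragment to merge into an existing rule set, not a complete firewall.

```shell
#!/bin/sh
# Added example (not from the thread): netfilter rules for an OpenVPN
# site-to-site tunnel terminated on the firewall, filtered on the tun device.
# Every name and address below is a hypothetical placeholder:
#   EXT_IF  Internet-facing interface      INT_IF       internal LAN interface
#   VPN_IF  OpenVPN tun device             LAN          this office
#   REMOTE_LAN  sister office              FILE_SERVER  Windows file server
#   PEER_PUBLIC public address of the sister office firewall (constructed)
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
VPN_IF="${VPN_IF:-tun0}"
LAN="${LAN:-192.168.1.0/24}"
REMOTE_LAN="${REMOTE_LAN:-192.168.2.0/24}"
FILE_SERVER="${FILE_SERVER:-192.168.1.10}"
PEER_PUBLIC="${PEER_PUBLIC:-203.0.113.5}"
OPENVPN_PORT="${OPENVPN_PORT:-1194}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = really run iptables

# Wrapper: print or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Windows file sharing: SMB over TCP 445 and NetBIOS session (TCP 139),
# name service (UDP 137) and datagram (UDP 138).
# $1 = in-interface, $2 = out-interface, $3 = source, $4 = destination
allow_windows_sharing() {
    for p in 139 445; do
        ipt -A FORWARD -i "$1" -o "$2" -s "$3" -d "$4" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done
    for p in 137 138; do
        ipt -A FORWARD -i "$1" -o "$2" -s "$3" -d "$4" -p udp --dport "$p" -j ACCEPT
    done
}

vpn_rules() {
    # 1. The only thing accepted from the Internet is the OpenVPN transport
    #    (UDP, one flow, as Ted recommends), and only from the peer firewall.
    ipt -A INPUT -i "$EXT_IF" -p udp -s "$PEER_PUBLIC" --dport "$OPENVPN_PORT" -j ACCEPT

    # 2. File-sharing ports are never reachable from the Internet side, to the
    #    firewall itself or through it; they exist only inside the tunnel.
    for p in 139 445; do
        ipt -A INPUT   -i "$EXT_IF" -p tcp --dport "$p" -j DROP
        ipt -A FORWARD -i "$EXT_IF" -p tcp --dport "$p" -j DROP
    done
    for p in 137 138; do
        ipt -A INPUT   -i "$EXT_IF" -p udp --dport "$p" -j DROP
        ipt -A FORWARD -i "$EXT_IF" -p udp --dport "$p" -j DROP
    done

    # 3. Replies to flows accepted below.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Decrypted traffic only ever appears on the tun device, so "-i tun0"
    #    is what confines the sister office: it may reach the file server only.
    allow_windows_sharing "$VPN_IF" "$INT_IF" "$REMOTE_LAN" "$FILE_SERVER"
    # 5. Our LAN may reach the sister office's machines through the tunnel.
    allow_windows_sharing "$INT_IF" "$VPN_IF" "$LAN" "$REMOTE_LAN"

    # 6. Anything else leaving the tunnel is logged (rate-limited) and dropped;
    #    these log lines are how a misconfigured or misbehaving peer shows up.
    ipt -A FORWARD -i "$VPN_IF" -m limit --limit 5/min -j LOG --log-prefix "vpn-denied: "
    ipt -A FORWARD -i "$VPN_IF" -j DROP
}

vpn_rules
```

Run it as-is to review the generated rules, then with DRY_RUN=0 as root to apply them. Because tun0 is a routed interface, the broadcast name-resolution traffic John mentions never reaches the other side; the UDP 137 rules cover only directed queries, so name resolution for the file server has to come from WINS or lmhosts entries on the clients.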
* VPN
From: paulobruck1 @ 2004-06-30 16:34 UTC (permalink / raw)
To: netfilter
Hi guys
I would like to know what you suggest in terms of IPsec.
I used to deal with FreeS/WAN and I am looking for another solution.
I've already heard about OpenVPN, Openswan and racoon.
What do you suggest in terms of these tools?
I intend to use IPsec with Linux accessing another Linux + iptables +
IPsec and allow connections from Micro$oft machines as road warriors.
Distro: Debian
Any suggestions?
* Re: VPN
From: John A. Sullivan III @ 2004-06-30 16:52 UTC (permalink / raw)
To: paulobruck1@bol.com.br; +Cc: netfilter
On Wed, 2004-06-30 at 12:34, paulobruck1@bol.com.br wrote:
> Hi guys
>
> I would like to know what you suggest in terms of IPsec.
> I used to deal with FreeS/WAN and I am looking for another solution.
>
> I've already heard about OpenVPN, Openswan and racoon.
>
> What do you suggest in terms of these tools?
>
> I intend to use IPsec with Linux accessing another Linux + iptables +
> IPsec and allow connections from Micro$oft machines as road warriors.
>
> Distro: Debian
>
> Any suggestions?
I've been reasonably happy with both openswan and strongswan
(http://www.strongswan.org). openvpn looks very interesting although
non-standard. I have not tried it. I have not used racoon.
I believe fwbuilder (http://www.fwbuilder.org) provides a GUI interface
to setting up *swan. ISCS (http://iscs.sourceforge.net) provides a GUI
front end to automatically create and distribute VPN, firewall, NAT and
routing rules without stepping on each other and, for your road
warriors, allows extended user authentication to be used throughout the
WAN without having to reassign internal IP addresses but it has not yet
released code.
Hope this helps - John
--
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com