| gabriel rosenkoetter on Tue, 28 May 2002 16:40:14 +0200 |
|
On Tue, May 28, 2002 at 08:57:37AM -0400, Jon Galt wrote: > I just don't know how to make it so that some requests get sent out to > the insecure netowrk and others get sent to the other end of the VPN. Without a clearer definition of what should be "secure" and what shouldn't, that's a little hard to answer. If you meant that the VPN machine will also be the internet gateway (a REALLY bad idea, btw), then you can accomplish this easily by static routes on the VPN machine (traffic to the address space of the remote office goes over the vtun device, everything else goes over the default route). You don't even have to be using RFC 1918 private address spaces and NAT for the offices to do this (though you'll need to understand how bit-level granularity on IP address specification actually works). > Another idea I have is to have him leave their current gateways in place > and add a Linux machine within each LAN that will handle all VPN traffic > between the two LANs. Each... "VPN server" (?) would simply be another > local machine as far as the gateways are concerned. Would this be a good > way to go? This would be a healthier thing to do. Two options: First, the client machines (the windows machines, your Linux DB server) then run a VPN client and tell it about their VPN gateway. Second, the client machines use the VPN machine as their default gateway, and you're back to static routes based on destination address on the Linux machine. (The routing really isn't that bad, and this saves you the pain of making MS's VPN client talk to anything that's not MS's VPN server, which possible... you know, in theory.) In either case, the Linux VPN machines use your internet gateway as their default route. In the first case, they use it exclusively to run traffic to the other Linux VPN machine. In the second, you've added one hop to your regular internet traffic (which is hardly the end of the world; your internal network is almost definitely faster than your connection to your ISP). Also, as I've said before, I haven't found FreeSWAN to be worth the time it takes to configure it. It's just insufficiently finished to use in production (and, last I checked, they said the same thing on their web page). > I'm still not sure how to bring the telecommuter into the picture. The simplest way to deal is to think of his connecting to yet a third VPN gateway. This doesn't mean you actually need a third machine, just that the routing's different on your two VPN gateways. It doesn't matter which one of those two he uses, but whichever it is needs to properly route traffic from him to the site where it lives out its internal interface, forward--WITHOUT reencrypting; that is, just treat it as regular IP traffic which, to all appearances it will be--the traffic to the other site out its external interface, and drop traffic not directed at one of these two networks. (That last part's not really necessary, but if you're paranoid enough for the VPN...) Hrm. This actually sounds like something of a headache. If it's easier to configure the telecommuter's client to talk to a certain network through one VPN gateway and to another through another, that'll be easier. Also safer, since the above would require having the same private key on both your VPN routers, which strikes me as a really terrible idea, come to think of it. -- gabriel rosenkoetter gr@eclipsed.net Attachment:
pgprwhzci2dXp.pgp
|
|