From: Mark Cooke (mpcstar.sr.bham.ac.uk)
Date: Tue Aug 12 2003 - 09:29:56 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Dear René

Everything (ftp, ldap, ssh, dns, etc) all works fine with my setup.

The individual machines on the LAN's don't use IPSec/tunnels. There's a
single VPN tunnel essentially bridging the 'big bad internet' using a
CIPE tunnel.

I run an 'internal DNS', and 'internal samba' as a domain browser, and
it all 'just works'.

As far as the two LANs are concerned, there isn't any NAT at all, and
machines on the other lan are directly reachable with a unique address.
It avoids breakage of things like (non passive) FTP.

Finally - there's a windows 2K/XP/NT4 version of CIPE, that I use on my
laptop when I'm off-site (or on wireless as WEP isn't worth using).

Mark

On Tue, 2003-08-12 at 15:23, René Matthäi wrote:
> Hi,
>
> Mark Cooke schrieb:
> >
> > I don't believe IPSEC traverses NAT correctly, so unless your firewall
> > was also the VPN tunneller, I don't think it works nicely. There's been
> > some work on STUN, but I don't believe it co-exists nicely with 'double
> > NAT' yet.
> >
> > Personally, I've been using CIPE.
>
> The problem is that Windows comes only with a IPSec or L2TP client (for
> free and integrated). Unfortunately there is no Windows CE client or
> even Windows XP (<- is _this_ still true?). And for Mobile Computing
> there are only IPSec Clients (or PPTP/L2TP) I fear.
>
> >>>All the machines on LAN-A have a route added:
> >>>
> >>>10.2.0.0/255.255.255.0 via VPN-A Default route via FW-A
> >>
> >>That's okay - but I don't understand right at this moment why this is
> >>neccessary. Can't the FW route the traffic to 10.2.0.0/255.255.0.0
> >>(resp. the other addresses on LAN-B)?
> >
> > You are correct - you can get your firewall to redirect traffic to the
> > VPN. That doubles the traffic to the inside of the firewall though.
> > Ie, LAN -> FW -> VPN -> FW instead of LAN -> VPN -> FW
> >
> > Traffic doubling might not be a problem, and you may decide the extra
> > traffic isn't a problem in your scenario and you'd rather have the
> > simpler setup. (Especially as the LAN portion of your net is probably
> > at least twice the speed of the link to your ISP. Don't know about the
> > loading on your firewall though)
>
> You can avoid the traffic problem by adding another physical network
> link between the VPN GW and the FW. But as for the load, you're right.
> It's a Pentium I 200 MHz machine and we have 512 kBit/s connection. So I
> guess this is not on the edge.
>
> Does everything work in your setup, e. g. LDAP or FTP then?
>
> Ré
--
Mark Cooke <mpcstar.sr.bham.ac.uk>

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-helpsuse.com
Security-related bug reports go to securitysuse.de, not here

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]