A long time ago, in a galaxy far, far away, someone said...

> hello list,
>
> I hope everyone is doing well.
>
> Here is my question for today, this applies to MCSE's and CCNA's

Well, not necessarily... I know MCSEs and CCNAs that would be totally lost on your question :)

> It is possible to tunnel the Network Neighborhood on a single domain in the
> following situation:
> a main office is connected to a remote office through DSL on both ends, using
> linux as the router, NAT, firewall on both ends.

If Linux is at both ends that makes it *sooooo* easy. Things get interesting if one of the ends is, oh, a Cisco. Or (shudder) a Windows "firewall".

[..]

> What makes this possible
> VPN, VLAN maybe.....eh.........anyone?? Special hardware, Frame-relay.

If you just need to connect two lans, a VPN is exactly what you need (a vlan is something else entirely).

On Linux, there are generally 6 (well, *I* can only think of 6 :) ways to do this.

1) IPsec - http://www.freeswan.org
2) MS' dreaded PPTP - http://poptop.lineo.com
3) vpnd - http://sunsite.auc.dk/vpnd/
4) cipe - http://sites.inka.de/~W1011/devel/cipe.html
5) vtun - http://vtun.sourceforge.net/
6) ppp over ssh

Of them, I've played with 2, 3, 4, and 6.

#1 (ipsec) is actually a generic method of encrypting communication between two hosts. Once you have it working, it's very simple to get a vpn going. IPsec is especially useful if you ever want to use internet "appliances" like a NetScreen or a Cisco PIX to make a third vpn. Keep in mind, though, that the FreeSWAN people don't have any patches for the 2.4.x kernel series.

#2 (pptp) is IMO really a bad choice (poor encryption AND mismanagement of the encryption keys :( ); you should implement it if and only if you need Windows clients to "dial" into one or both of your lans. It doesn't sound like that will apply here.

#3 (vpnd) requires no kernel alterations, but can add quite a bit of latency. It is a small 60k executable, and 2 config files (a pre-shared key, and the config file specifying IP #s and what not). It required no kernel modifications.

#4 (cipe) is currently my "favorite". It's just about as small and as simple to configure as vpnd, but has lower latency. It has a kernel "helper" module.

#5 (vtun) appears to be very similar to cipe, but I've never used it. vtun and cipe have very similar capabilities and feature sets.

#6 (ppp over ssh) is a fairly simple to configure method of encrypting ppp traffic - you establish the ssh session, then push the ppp data (just a bunch of characters) over that link. It does incur quite a bit of overhead, however.

Oh, and the fact that you need to do this for a Windows environment doesn't matter much, as long as all the traffic being moved is something over IP. In fact, you would configure Windows just as you would if your WAN was implemented with dedicated telco hardware.

-- 
----------------------------------------------------------------------
Phil Brutsche [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc