Dave Scott, 2002-Mar-06 15:30 -0800: > Thanks Jeff. > > Wow, I thought this was going to be an easy task. :( > Surely there must be thousands of others that have done just this. > > |---------------------| > |-|----Client(9x,2K)----| > | |---------------------| > | |DSL Modem > | | > | | > | |---------------------| > | |-----Internet--------| > | |---------------------| > | | > VPN | > | |Public IP > | |--------------------------| Nat |------------| > | |----Firewall--------------|----------|Workstations| > | |--Debian 2.2 W2.4Kernel---| |------------| > | |--------------------------| 192.168.0.10-200 > | NAT |192.168.0.1 > | | > | | > | |----------------------------| > | |---Windows NT 4.0 Server----| > |-|---PP2P Installed-----------| > |----------------------------| > 192.168.0.2 > > Need up to 6 VPN connections to the NT Server > Is this possible. Or is there just a better way to go about this. > They don't have any money for Cisco or Hard Firewall. > > At first I was going to use 2.2 Kernel because I read if you recompile > the kernel and install ipfwd you can GRE multi connections across, but > now I just read that 2.4 hasn't been configured to allow multi connects > across, but the date of the article is old. > Oh how confusing this is. > > > Cheers > -Dave
Nice work on the ascii diagram! :-) Personally, I wouldn't use GRE for a VPN for the reasons I stated on my previous response. I'd say you have 2 solutions worth considering: 1. Use PPTP. This works and the encryption is adequate, unless anyone with some resources thinks you're hiding something special :-) You'll need to open port 1723 on your firewall for the incoming connections. Just don't use MS-CHAPv2 for auth here, there's a well-known vulnerability with it. So, the remote clients will run the native PPTP to connect directly to the NT server, having turned on the PPTP support to recieve connections. Oh, and you'll actually need to port forward through the firewall since you have NAT. Or, you could run the Linux pptpd server on the firewall to terminate the connections there and just route normally on the private side. I like the later. 2. Use Freeswan. This is an IPSec solution that is much more secure, but more complex too. There are interworking issues between Linux and Windows but there is some good information on that on the web (a google search for "freeswan windows" will turn up some of them). So, in this scenario you'd run the Freeswan server on the Firewall and terminate the connections there. Be sure to allow port 500 to connect to the firewall, and I think protocol ESP as well. That's what IPSec runs over. You'll find everything you'll need on the Freeswan website, and you'll need to patch the kernel too. That's all I can think of at the moment. Having only time in your budget is not so uncommon. With VPN's, like with any other security, the more secure the more complex...most of the time. cya, jc -- Jeff Coppock Systems Engineer Diggin' Debian Admin and User

