Charles,

Thanks for the feedback!!!

I will start experimenting with freeswan and look around for a cheap (and
secure) way to handle my road warriors!!

Sergio Morilla

 -----Original Message-----
From:     [EMAIL PROTECTED]  
Sent: Tuesday, July 03, 2001 15:59
To:   [EMAIL PROTECTED]
Subject: Re: [Leaf-user] IPSEC, VPN et al

> I don't want anyone accessing my servers without an encrypted connection.
> So as you said I will need IPSec or other VPN solution on my office LRP.
>
> 1) What components do I need? I understand freeswan is an IPSec "daemon",
> is this true? So, will I need client software? Can I use plain W98 to access
> through an IPSec LRP?

The components you need depend on the VPN solution you choose, which can be
anything from a small VPN gateway box (hardware) to configuration settings
(of your high-end cisco pix w/IPSec support) to software packages.

Regarding IPSec: It's a common misconception to think of a 'server' and
'client', when in reality, they are peers.  You create an IPSec connection
with IPSec software on both ends...neither end is the 'client'.  That said,
the FreeS/WAN IPSec software runs as a background process (like a daemon),
and can be configured to listen for inbound connection requests, as well as
attempting to bring up default connections when it starts.

Once you build a VPN (using whatever method you desire), it looks like just
another route to the machines using the tunnel.  My machines think they are
one router hop away from the corporate HQ network, although they are really
going through about 14 hops on the internet.  Since the packets are
encrypted & sent through the VPN tunnel, the remote & local IPSec gateways
look like they are connected by a dedicated wire to my secure traffic.

> 2) What protocol does M$ VPN use? I would like my remote users to access my
> Terminal Server using just the Terminal Server software and out of the box M$
> software. Is this possible?

There are a couple of forms of M$ VPN, PPTP and IPSec.  You want to stay away
from PPTP if you're at all concerned with security.  While it's a bit harder
to sniff PPTP traffic than data sent in the clear, your average high-school
student with a late-model 'gamer' machine could crack the security in about
a day.  In addition to the M$ IPSec software built into Windows 2K, there
are many after-market IPSec solutions available.  If you mainly need to hook
up Windows machines, or especially Windows notebooks calling 'home' from random
locations on the internet, you may want to pursue a Windows based software
solution (at least for the 'road-warrior' systems).

> 3) In order to have an "static or permanent encrypted" (sorry about the terms)
> connection between two LRPs, I would need IPSec on both of them. Is this
> practical, doable?? Hints please.

This is the sort of VPN I run.  I have LRP boxes at both sites, IPSec is
loaded on both machines, and they are configured to build a tunnel between
the two protected internal networks when IPSec starts (on either box).  This
is the easiest way to configure and use the FreeS/WAN IPSec software.

NOTE:  Since Windows likes for all machines to be in the same broadcast
domain, setting up a 'static' VPN like this still doesn't let Windows
machines 'browse' the entire network.  To do this, you have to configure
your Windows networking like it's crossing a router (which it is).  This can
be done using Samba, or by putting at least one properly configured NT
server on each subnet.  Using NT servers, only domains can cross the subnet
boundary.  With Samba, you can get workgroups to browse across the subnet
boundary as well.

> 4) Is there some easier way to do this??? Am I on track??

I think you're generally on the right track, but you'll have to determine
which VPN solution is 'easiest' for you to implement...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user



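To make the two setups Charles describes concrete (a permanent net-to-net tunnel between two LRP gateways that comes up when IPSec starts, and a gateway that merely listens for road warriors calling in from unknown addresses), here is an added example /etc/ipsec.conf in FreeS/WAN syntax. It is not from the thread and not from the FreeS/WAN or LEAF documentation; the addresses are RFC 5737 documentation ranges chosen for illustration, the subnet and conn names are assumptions, and the RSA public keys are placeholders that would come from `ipsec showhostkey --left` / `--right` on each box after `ipsec newhostkey` has generated a host key there:

```conf
# Added example, not part of the original post or of FreeS/WAN's own docs.
# All addresses, names and subnets below are assumptions; 0s... keys are placeholders.

config setup
    # eth0 is assumed to be the LRP box's external (internet-facing) interface
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    # %search: load every conn with auto=add or auto=start, and start the auto=start ones
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    # RSA signature authentication: no shared secret to leak, each box has its own keypair
    authby=rsasig
    # 0 = retry forever, so the permanent tunnel is re-established after an outage
    keyingtries=0

# 3) Static tunnel between the two protected networks (office and remote LRP).
#    The same conn text can be installed on BOTH gateways: FreeS/WAN works out
#    which side it is by matching its own address against left/right.
conn office-remote
    left=192.0.2.10              # office LRP external address (assumed)
    leftsubnet=192.168.1.0/24    # office LAN behind it (assumed)
    leftnexthop=192.0.2.1        # office ISP gateway (assumed)
    leftrsasigkey=0s...          # placeholder: office box's public key
    right=198.51.100.20          # remote LRP external address (assumed)
    rightsubnet=192.168.2.0/24   # remote LAN behind it (assumed)
    rightnexthop=198.51.100.1    # remote ISP gateway (assumed)
    rightrsasigkey=0s...         # placeholder: remote box's public key
    auto=start                   # bring the tunnel up as soon as IPSec starts

# 1)/2) Road warrior: the notebook's address is unknown in advance, so the
#    office gateway only loads this conn and waits for the remote end to initiate.
conn roadwarrior
    left=192.0.2.10
    leftsubnet=192.168.1.0/24
    leftnexthop=192.0.2.1
    leftrsasigkey=0s...          # placeholder: office box's public key
    right=%any                   # accept the peer from any address
    rightid=@notebook            # assumed identity the notebook presents; needed with %any
    rightrsasigkey=0s...         # placeholder: the notebook's public key
    auto=add                     # load and listen; never initiate toward %any
```

The security-relevant split is `auto=start` versus `auto=add`: the office gateway can initiate toward a peer whose address it knows, but it cannot initiate toward `%any`, so the road-warrior conn is only ever accepted, and only from a peer that proves possession of the private key matching `rightrsasigkey`. The private key itself lives only in that box's /etc/ipsec.secrets and never crosses the wire, which is what makes this stronger than the PPTP password scheme Charles warns against. Check the result on either gateway with `ipsec auto --status` and `ipsec look`; on the LRP box the LAN hosts should then see the far subnet as one hop away, exactly as the message describes.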