Re: FreeBSD as a VPN Server/Router

2006-08-10 Thread Stefan Bethke

On 10.08.2006 at 01:09, Christopher Martin wrote:

> Also, the load IPSec (or any encryption method for that matter) places on
> the encapsulating router is non-trivial, so be aware that if your hardware
> is a bit old you may get disappointing performance. I would suggest making
> the hardware at least current low end, or high end from a couple of years
> ago, to get the best performance.


My 533 MHz Via C3 based router does 230 kB/s with OpenVPN while being  
about 75% idle. (My line's not faster, so I don't know where it would  
peak out.)



Stefan
--
Stefan Bethke [EMAIL PROTECTED]   Fon +49 170 346 0140


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


FreeBSD as a VPN Server/Router

2006-08-09 Thread Odhiambo Washington
I am going to venture into the field of the security gurus so help me 
God! It looks like I am gonna get stuck in wet cement, I can feel it;)

I have two sites, siteA and siteB. Each site has a horde of Windows PCs 
behind a FreeBSD box, which acts as a firewall/router/proxy/everything:)
Each site has got a dedicated connection to an ISP. At the moment it's 
the same ISP, if that matters, but my thinking is that it can be any 
ISP.

I have a challenge of establishing a WAN between the two sites. They
are geographically apart. In this scenario, siteA has several 
applications running on several windows servers which are behind the 
FreeBSD box.
The challenge is to allow siteB to access these applications securely 
via the WAN setup. VPN comes straight to mind, but this is a new area
to me.

The boxes are both FreeBSD 5.5-STABLE.

I am looking for pointers/clues on how to do the setup in a clean way,
while adhering to K.I.S.S as closely as possible.

If extra hardware (other than the FreeBSD boxes) is required so that
the WAN is efficient, I'd be happy to know.

I am very optimistic on pulling this one off, since I belong to a 
community full of security experts (FreeBSD users).

PS: I am already googling, perhaps with the wrong keywords:-)

-Wash

http://www.netmeister.org/news/learn2quote.html

DISCLAIMER: See http://www.wananchi.com/bms/terms.php

--
+==+
|\  _,,,---,,_ | Odhiambo Washington[EMAIL PROTECTED]
Zzz /,`.-'`'-.  ;-;;,_ | Wananchi Online Ltd.   www.wananchi.com
   |,4-  ) )-,_. ,\ (  `'-'| Tel: +254 20 313985-9  +254 20 313922
  '---''(_/--'  `-'\_) | GSM: +254 722 743223   +254 733 744121
+==+

Who messed with my anti-paranoia shot?


Re: FreeBSD as a VPN Server/Router

2006-08-09 Thread Philip Hallstrom

> I am going to venture into the field of the security gurus so help me
> God! It looks like I am gonna get stuck in wet cement, I can feel it;)
>
> I have two sites, siteA and siteB. Each site has a horde of Windows PCs
> behind a FreeBSD box, which acts as a firewall/router/proxy/everything:)
> Each site has got a dedicated connection to an ISP. At the moment it's
> the same ISP, if that matters, but my thinking is that it can be any
> ISP.
>
> I have a challenge of establishing a WAN between the two sites. They
> are geographically apart. In this scenario, siteA has several
> applications running on several windows servers which are behind the
> FreeBSD box.
> The challenge is to allow siteB to access these applications securely
> via the WAN setup. VPN comes straight to mind, but this is a new area
> to me.
>
> The boxes are both FreeBSD 5.5-STABLE.
>
> I am looking for pointers/clues on how to do the setup in a clean way,
> while adhering to K.I.S.S as closely as possible.
>
> If extra hardware (other than the FreeBSD boxes) is required so that
> the WAN is efficient, I'd be happy to know.
>
> I am very optimistic on pulling this one off, since I belong to a
> community full of security experts (FreeBSD users).
>
> PS: I am already googling, perhaps with the wrong keywords:-)


It's been a couple of years since I did this, but this worked for me...

http://www.pjkh.com/wiki/vtund

-philip


Re: FreeBSD as a VPN Server/Router

2006-08-09 Thread Jonathan Horne
there is a freebsd based project called pfsense (.org) that would suit your 
needs perfectly.

i've been running it for quite a while now, and i think it's the best thing
since sliced bread.  i have an IPSec WAN between 2 sites (my apt, and my
servers that are at a colo).  tons of features that are found on other
expensive firewalls, are included!

cheers,
jonathan

On Wednesday 09 August 2006 12:33, Odhiambo Washington wrote:
> I am going to venture into the field of the security gurus so help me
> God! It looks like I am gonna get stuck in wet cement, I can feel it;)
>
> I have two sites, siteA and siteB. Each site has a horde of Windows PCs
> behind a FreeBSD box, which acts as a firewall/router/proxy/everything:)
> Each site has got a dedicated connection to an ISP. At the moment it's
> the same ISP, if that matters, but my thinking is that it can be any
> ISP.
>
> I have a challenge of establishing a WAN between the two sites. They
> are geographically apart. In this scenario, siteA has several
> applications running on several windows servers which are behind the
> FreeBSD box.
> The challenge is to allow siteB to access these applications securely
> via the WAN setup. VPN comes straight to mind, but this is a new area
> to me.
>
> The boxes are both FreeBSD 5.5-STABLE.
>
> I am looking for pointers/clues on how to do the setup in a clean way,
> while adhering to K.I.S.S as closely as possible.
>
> If extra hardware (other than the FreeBSD boxes) is required so that
> the WAN is efficient, I'd be happy to know.
>
> I am very optimistic on pulling this one off, since I belong to a
> community full of security experts (FreeBSD users).
>
> PS: I am already googling, perhaps with the wrong keywords:-)
>
> -Wash
>
> http://www.netmeister.org/news/learn2quote.html
>
> DISCLAIMER: See http://www.wananchi.com/bms/terms.php



Re: FreeBSD as a VPN Server/Router

2006-08-09 Thread Eric Schuele

On 08/09/2006 12:33, Odhiambo Washington wrote:
> I am going to venture into the field of the security gurus so help me
> God! It looks like I am gonna get stuck in wet cement, I can feel it;)
>
> I have two sites, siteA and siteB. Each site has a horde of Windows PCs
> behind a FreeBSD box, which acts as a firewall/router/proxy/everything:)
> Each site has got a dedicated connection to an ISP. At the moment it's
> the same ISP, if that matters, but my thinking is that it can be any
> ISP.
>
> I have a challenge of establishing a WAN between the two sites. They
> are geographically apart. In this scenario, siteA has several
> applications running on several windows servers which are behind the
> FreeBSD box.
> The challenge is to allow siteB to access these applications securely
> via the WAN setup. VPN comes straight to mind, but this is a new area
> to me.
>
> The boxes are both FreeBSD 5.5-STABLE.
>
> I am looking for pointers/clues on how to do the setup in a clean way,
> while adhering to K.I.S.S as closely as possible.


The FreeBSD Handbook has a chapter on this:
  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html

HTH.



> If extra hardware (other than the FreeBSD boxes) is required so that
> the WAN is efficient, I'd be happy to know.
>
> I am very optimistic on pulling this one off, since I belong to a
> community full of security experts (FreeBSD users).
>
> PS: I am already googling, perhaps with the wrong keywords:-)
>
> -Wash
>
> http://www.netmeister.org/news/learn2quote.html
>
> DISCLAIMER: See http://www.wananchi.com/bms/terms.php





--
Regards,
Eric


Re: FreeBSD as a VPN Server/Router

2006-08-09 Thread Stefan Bethke

On 09.08.2006 at 19:33, Odhiambo Washington wrote:

> In this scenario, siteA has several applications running on several
> windows servers which are behind the FreeBSD box. The challenge is
> to allow siteB to access these applications securely via the WAN
> setup. VPN comes straight to mind, but this is a new area to me.


OpenVPN certainly fits your requirements.  Besides a routed  
connection between two sides, it also offers a bridged setup, so it  
is ideally suited for connecting two Windows-centric networks.


We use it at work for home VPNs as well as road warriors,  
configuration is straightforward, and performance is absolutely  
acceptable.


IPSec has been mentioned before; I've had trouble understanding the  
configuration and how to diagnose problems. We did get it to work in  
the office, but only with a lot of trial and error.  isakmpd and  
racoon are... idiosyncratic, to be polite.


vtun has had major security issues in the past, so I would be wary,  
but I haven't looked into it for the past two years.


pfSense is a FreeBSD-based firewall/routing OS, so you'd need to  
replace your existing FreeBSD routers with it, or add additional boxes.



Stefan

--
Stefan Bethke [EMAIL PROTECTED]   Fon +49 170 346 0140
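
A minimal routed OpenVPN configuration for the two-site scenario discussed in this thread, added here as an illustration; it is not taken from any poster's setup. The LAN subnets, tunnel addresses, the hostname siteA.example.org and the key file names are all assumptions.

```conf
# Constructed example. Subnets, tunnel addresses, the hostname and the
# key file names are placeholders, not values from the thread.
#
# ---- siteA router (LAN 192.168.1.0/24), file: siteA.conf ----
dev tun                            # routed tunnel; the bridged setup uses "dev tap"
proto udp
port 1194
tls-server                         # certificate (public key) authentication
ca   keys/ca.crt                   # CA that issued both routers' certificates
cert keys/siteA.crt
key  keys/siteA.key                # private key, readable by root only
dh   keys/dh2048.pem
ifconfig 10.99.0.1 10.99.0.2       # tunnel endpoints: local, then peer
route 192.168.2.0 255.255.255.0    # reach the siteB LAN through the tunnel
float                              # tolerate a change of the peer's public address
keepalive 10 60
persist-key
persist-tun
user nobody                        # drop privileges after start-up
group nobody

# ---- siteB router (LAN 192.168.2.0/24), file: siteB.conf ----
dev tun
proto udp
remote siteA.example.org 1194      # siteA's public name or address
tls-client
remote-cert-tls server             # require the peer certificate to carry server key usage
ca   keys/ca.crt
cert keys/siteB.crt
key  keys/siteB.key
ifconfig 10.99.0.2 10.99.0.1
route 192.168.1.0 255.255.255.0    # reach the siteA LAN through the tunnel
keepalive 10 60
persist-key
persist-tun
user nobody
group nobody
```

Both routers also need packet forwarding enabled (`gateway_enable="YES"` in /etc/rc.conf) and firewall rules that pass UDP port 1194 and the traffic on the tun interface.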




RE: FreeBSD as a VPN Server/Router

2006-08-09 Thread Christopher Martin

 
> The FreeBSD Handbook has a chapter on this:
>   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
>
> HTH.
 

The only problem with IPSec is you need static IP addresses for the
tunnelling mode (unless somebody knows something I don't, at which point I'd
really like to hear about it!).

OpenVPN is about as good as it gets stability wise, and can be customised,
hacked, and altered in any way you need. It can also use public key
authentication.


RE: FreeBSD as a VPN Server/Router

2006-08-09 Thread Christopher Martin
If OpenVPN seems like a bit much to tackle you could establish the link with
an easy protocol like PPTP (PPTP can be added to pppd with the port
/usr/ports/net/poptop) and then IPSec traffic traversing the link. Some even
argue that this is a good idea because it's two layers of encryption (not to
suggest that the PPTP encryption methods are a particular challenge to
break), but there'll be a performance penalty to pay as well.

Also, the load IPSec (or any encryption method for that matter) places on
the encapsulating router is non-trivial, so be aware that if your hardware
is a bit old you may get disappointing performance. I would suggest making
the hardware at least current low end, or high end from a couple of years
ago, to get the best performance.

On a side note, has anyone heard about the crypto lib for fast_ipsec and the
Intel IPSec accelerated network cards (like the Pro 100/S)? I remember
reading some time ago that there were, at the time, still issues getting the
required info out of Intel to get the processor offloading working right. Is
Intel still withholding the information?

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Christopher Martin
> Sent: Thursday, 10 August 2006 8:42 AM
> To: FreeBSD Questions Mailing List (E-mail)
> Subject: RE: FreeBSD as a VPN Server/Router
>
> > The FreeBSD Handbook has a chapter on this:
> >   http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
> >
> > HTH.
>
> The only problem with IPSec is you need static IP addresses for the
> tunnelling mode (unless somebody knows something I don't, at which point I'd
> really like to hear about it!).
>
> OpenVPN is about as good as it gets stability wise, and can be customised,
> hacked, and altered in any way you need. It can also use public key
> authentication.