> 1. Sitting in their US office, accessing multi-vendor VPN systems at major corporations.

I have had success connecting to Cisco VPN concentrators and seen reports of connecting to others. One of the headaches I ran into was overlapping NAT'd subnets, which you mention below.

> 2. Sitting at the customer site, accessing their own US office LAN:
> a. using their own laptops (Linux and Windows)
> b. using "borrowed" machines (Linux and Windows) on the customers' LAN

I have used SSH Sentinel from a client site. In my installations the client could 1-to-1 map their NAT'd address to a real address, so I set up connections to each user using Pre-Shared Keys (PSKs). The other 2 options are:
- Do a standard road-warrior with PSKs, but that requires all clients to use the same PSK since they share one connection from a source IP of 0.0.0.0
- Use RSA sigs, which is supported by SSH Sentinel and gives each roadwarrior their own RSA sig. I believe this is your best bet, but haven't done it personally.

> 3. One employee in Australia needs to:
> a. do all of the above, for both the US office and US customers

Same answer as above.

> b. have the local AU LAN securely access the US LAN, Windows shares and all

Use FreeSWAN IPSec gateways (LEAF of course) with both ends maintaining a gateway to gateway connection. This can conflict with (a.) since the Linux kernel allows you to do IPSec gateways or IPSec masquerading, but not both at once. I have a similar situation and have addressed it in 2 different ways:
- The VPN Masq connection uses a second parallel router not running as an IPSec gateway
- The client uses a PPTP (yuck) connection which works fine through the IPSec gateway.

> c. Have his laptop access local Australia customers

Need a VPN client that is compatible with the customers' VPNs, since most clients tend to conflict and can't be installed together. SSH Sentinel may work well since it seems to be a flexible client for accessing different IPSec gateways, although I don't know from 1st hand experience.

> Given the nature of IPSec, it seems NAT'd addresses can't be relied upon in all scenarios. This tends to indicate we would be better off running routable addresses on the LANs in question --- but are the risks of that manageable?
> They own a /25 subnet, but I'm not sure we want to expose the entire range to the Internet.

I'm not a fan of inside machines using routable addresses, but it would ensure there is no overlap.

> Having read some about FreeS/WAN, I am still confused on what it takes to connect from a roaming laptop --- with a varying IP. Most of the instructions tend to be focused on gateway-to-gateway connections, not laptop-to-gateway -- and almost all doc uses non-routable IPs in the examples. Any pointers to configuring a single-address client to FreeS/WAN on LRP would be helpful.

Laptop to gateway is called the roadwarrior config; you should be able to find docs on it. Supposedly the Win2K IPSec client works with FreeSWAN, but I was never able to get it to work.

> Has anyone used LRP routers in this varied a scenario? Any recommendations on VPN clients for roaming connections, both for Windows and Linux laptops? Any wisdom, advice, pointers? :)

I'm not associated with SSH Sentinel, but found it fairly easy to configure/troubleshoot, and there are some pretty good docs available for it. The downside is it is not free. As I mentioned before, Win2K's IPSec client should also work, as well as PGP's commercial VPN client (I don't think the free version can connect to a gateway, only a single machine). You also may want to post questions to the FreeSWAN mailing list.

Good luck.

Todd

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
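The roadwarrior setup Todd describes (right=%any on the gateway, with RSA signatures so each laptop gets its own key instead of one shared PSK), written out as an added FreeS/WAN ipsec.conf example that is not from the post or the FreeS/WAN project; all addresses, IDs and key strings are placeholders.

```ini
# /etc/ipsec.conf on the US-office LEAF/FreeS/WAN gateway (added example;
# addresses, IDs and key material below are placeholders, not real values)
config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        # one SA per peer ID: a laptop reconnecting from a new IP replaces its old SA
        uniqueids=yes

conn %default
        # "left" is always this gateway; the roadwarrior is "right"
        authby=rsasig
        left=203.0.113.1                    # PLACEHOLDER: gateway's routable address
        leftsubnet=192.0.2.0/25             # PLACEHOLDER: office LAN behind the gateway
        leftid=@usgw.example.com
        leftrsasigkey=0sAQ...GATEWAY_PUBLIC_KEY_PLACEHOLDER
        # The gateway's matching private key lives in /etc/ipsec.secrets;
        # "ipsec showhostkey --left" prints the public half in this form.

# One conn per laptop. right=%any accepts any source address, so the peer is
# authenticated by its RSA key and ID, not by IP. Revoke a laptop by deleting
# its conn; the shared-PSK approach offers no per-client revocation.
conn rw-alice
        right=%any
        rightid=@alice.example.com
        rightrsasigkey=0sAQ...ALICE_PUBLIC_KEY_PLACEHOLDER
        # no rightsubnet: the laptop itself is the endpoint (single-address client)
        auto=add                            # gateway only listens; the laptop initiates

# Caveat from the thread: if the laptop sits on a customer LAN that also uses
# 192.0.2.0/25, its local routes and leftsubnet overlap and traffic for the
# office never enters the tunnel. Routable or non-colliding LAN ranges avoid this.
```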