> OK, we have successfully built a couple DCD-DCD tunnels. We are still
> learning how to get full windoze functionality across the tunnels. Is
> it possible for a w2k-pro box to join (first time) a domain on a
> w2k-adv-svr across this tunnel?
Hmm...I think so. You'll probably need to make sure you've got WINS set up properly, and you might have to 'kickstart' things by using IP addresses, or lmhosts entries at first. Once you're part of the domain, normal browsing will work across the VPN.

> Now, we are tasked to carry this further and we have several questions.
>
> Tasks:
>
> [A] Create three (3) gateway-gateway tunnels:
> 1) Remote network, server & windoze boxen management (us);
> 2) Remote Mac server & desktop management; and
> 3) Remote accounting system.
>
> [B] Create infrastructure whereby windoze notebook users can remotely
> use the internal network & servers, as if they are local, including
> application usage and file access.
>
> Questions:
>
> [C] How many connections are possible under DCD? ip addr shows four (4)
> interfaces: ipsec0,1,2,3

This is a frequent cause of confusion...the ipsec interfaces correspond to physical interfaces, not tunnels. You won't need more than 4 ipsec interfaces, unless you've got more than 4 physical interfaces you want to be sending VPN data over (unlikely). You'll probably only need ipsec0, which will be paired with your main upstream interface. You can run almost arbitrary numbers of tunnels over this single ipsec interface.

NOTE: To a first approximation (as long as you're not getting into the hundreds or thousands of connections), additional tunnels are 'free' in terms of CPU...the bulk of the CPU usage for IPsec comes from encrypting/decrypting the data, not from keeping track of the tunnels. Therefore, you measure CPU requirements mainly based on your available bandwidth, not by how many tunnels you want to support. More details in the FreeS/WAN documentation...

> [D] What resources ought we to read right now, in preparation for this?
> Yes, we know about
> <http://freeswan.org/freeswan_trees/freeswan-1.91/doc/index.html>.
> Please, post other web links.

That's the big one...they've got several pages of additional links within the documentation, as well.
> [E] What are the limitations, now, that we must present to our customer?

Windows networking is not designed to work well across subnets, or WANs. Name resolution and GUI browsing is problematic, and requires specific network structures to work properly (note: Samba can enable additional functionality, such as spanning a workgroup across a WAN, that MS products can't/don't support). Also, the MS networking protocols are not particularly bandwidth efficient, or designed well to work across WANs (with high latency/packet loss)...make sure you MAP remote network resources rather than simply browsing to them...for some reason access is orders of magnitude faster that way.

Macs probably have issues with networks crossing routers, but this is outside my experience.

Administration can get complex with any VPN (especially with road warriors), so make sure the tools are available to support the admin load you expect. Also, you may not be able to implement the fancier security policies (i.e. authentication based on biometrics, the random-number-generating credit-card-sized keys, smart cards, etc.) supported by some of the higher-end commercial products. This may or may not concern you or your client.

> [F] What are the alternatives?

There's at least one alternate Linux implementation of IPsec, and there's always BSD. Of course, you can also choose to go with one of the many commercial solutions, ranging from software only to hardware VPN gateways. In general, you'll get nicer administration tools (like a pretty GUI interface), and better support with the commercial solutions, but you'll be paying a lot more money, as well. You'll have to decide what works best for your environment.

> [G] Those experienced with windoze road warriors, how can this be made
> totally transparent to the users? Can they really believe that they are
> still inside their internal network, with *all* local functionality?
Yes, although if you're using Windows systems to directly connect to the VPN (i.e. not a remote office going through a VPN gateway), you'll probably want some commercial software to make setup easier. I've heard good things about SSH Sentinel, but there are many other Windows IPsec clients available.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
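As an added illustration of the points made under [A], [B] and [C] above (this is a constructed example, not a file from the original post and not the LEAF or FreeS/WAN project's own configuration), here is an /etc/ipsec.conf in FreeS/WAN 1.x syntax that carries the three gateway-to-gateway tunnels plus a road-warrior conn over a single ipsec0 bound to the upstream eth0. Every tunnel is a conn section; ipsec1 to ipsec3 are never bound. All addresses, subnets, identities and key fragments are placeholders.

```ini
# /etc/ipsec.conf -- constructed FreeS/WAN 1.x example (not the original post's file).
# One virtual interface, ipsec0, paired with the upstream NIC, carries every conn below.
config setup
    interfaces="ipsec0=eth0"      # only ipsec0 is bound; ipsec1-3 stay unused
    klipsdebug=none
    plutodebug=none
    plutoload=%search             # load every conn marked auto=add or auto=start
    plutostart=%search            # and start the ones marked auto=start
    uniqueids=yes

conn %default
    keyingtries=0                 # gateway-to-gateway: retry forever
    authby=secret                 # pre-shared keys kept in /etc/ipsec.secrets
    left=192.0.2.1                # our DCD gateway's public address (placeholder)
    leftnexthop=192.0.2.254       # our upstream router (placeholder)
    leftsubnet=10.1.0.0/16        # our internal LAN (placeholder)

# [A] 1) remote network / server / windoze management site
conn mgmt
    right=198.51.100.1
    rightnexthop=198.51.100.254
    rightsubnet=10.2.0.0/16
    auto=start

# [A] 2) remote Mac server & desktop site
conn macsite
    right=198.51.100.33
    rightnexthop=198.51.100.62
    rightsubnet=10.3.0.0/24
    auto=start

# [A] 3) remote accounting system: a single host, so a /32 "subnet"
conn accounting
    right=203.0.113.7
    rightnexthop=203.0.113.1
    rightsubnet=10.4.0.7/32
    auto=start

# [B] notebook road warriors. Their address is not known in advance, so
# right=%any; the gateway only adds the conn and waits for the notebook to
# initiate. A %any peer cannot be matched to a pre-shared key, so use RSA.
conn roadwarrior
    authby=rsasig
    leftid=@vpngw.example.com
    leftrsasigkey=0sAQ...         # placeholder: paste the output of `ipsec showhostkey --left`
    right=%any
    rightid=@notebook1.example.com
    rightrsasigkey=0sAQ...        # placeholder: the notebook client's public key
    auto=add
```

The matching pre-shared keys for the three gateway conns go in /etc/ipsec.secrets, one line per peer pair in the form `192.0.2.1 198.51.100.1 : PSK "..."`. After `ipsec setup restart`, `ipsec auto --status` and `ipsec eroute` show every negotiated tunnel hanging off the one ipsec0, which is the quickest way to confirm that the interface count and the tunnel count are unrelated. For the first-time domain join in the original question, an lmhosts line on the w2k-pro box of the form `10.2.0.5  DC1  #PRE  #DOM:CORP` (names and address are placeholders) is the kind of kickstart entry the reply refers to.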
