Hi Charles,

Thanks for your information.

I essentially need what you describe in option 1, but assumed that I had
also to do option 2 to achieve the required result.

To confirm my requirement: -

I essentially have two private networks permanently connected to the
internet, each to be protected by a Bering Firewall running both Shorewall
and Ipsec.

WINSRV A ------ Bering A ---- Router A ---- Internet ----- Router B -----
Bering B ----- WINSRV B

Both the private networks also need to communicate with each other, in that
a windows 2000 server on one site, needs to be able to see the other one.
Not for file sharing but for connecting an IIS web server to a remote sql
server, traffic is to pass in both directions. So my desired solution is for
the Bering firewall to appear as a router, that offers a secure path to the
other private network, allowing data to be passed for ports 80 www and sql
1433.

Regards,

Simon.


-----Original Message-----
From: Charles Steinkuehler [mailto:[EMAIL PROTECTED]
Sent: 27 March 2003 13:27
To: Simon Chalk
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Ipsec Setup with Bering LEAF


Simon Chalk wrote:
> Hi Charles,
>
> Are you saying that windows 2000 is quite happy with RSA keys, and will
> still offer a secure path connecting two networks. I am a little confused
> about the whole concept of which method to use, and the relevance of X509. I
> had assumed that since it gets mentioned everywhere that it was necessary.

You haven't mentioned what your VPN network architecture looks like.
There are three basic options:

1) The Bering boxes are the VPN gateways.  If you setup your network
this way, the two windows boxes simply think they are separated by a
simple router, and require no special configuration or knowledge due to
the fact that you're actually running a VPN (although they do need
special configuration to be able to talk to each other, since the
broadcast packets typically used for network discovery/browsing will not
cross a router).  You can use either pre-shared-keys (PSK), RSA keys, or
x.509 keys for authentication.

2) You use the built-in windows IPSec client on both ends.  To do this,
you will have to configure your firewall to pass-through the IPSec
traffic, and you will obviously have to configure VPN tunnels on the
windows boxes.  This will likely require you generate certificates or
use pre-shared-keys.

3) You use the built-in windows IPSec client on one end, and the Bering
firewall on the other end for the VPN gateway.  This seems like extra
work to me, but you might want to do this for some reason.  In this
case, you would likely be forced into using x.509 certs on the Bering
firewall, as I don't think windows can use RSA keys that are not
"wrapped" inside a certificate.

I assumed you were looking at implementing option 1, since you were
asking questions about ipsec509 on bering.  With this setup, Windows
doesn't know anything about the VPN, so it doesn't have to be "happy"
with RSA keys...only the VPN gateways (the two Bering boxes) need to
know anything about the VPN.

--
Charles Steinkuehler
[EMAIL PROTECTED]
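Added example (not from this thread, and not LEAF/Bering project configuration): one way to lay out Charles's option 1 for Simon's two-site case, with FreeS/WAN doing the tunnel and Shorewall restricting what crosses it to TCP 80 and 1433. All addresses, subnets, host names and interface names are assumed for illustration; the RSA key values are placeholders to be replaced by the output of "ipsec showhostkey --left" / "--right" on each Bering box (keys generated with "ipsec rsasigkey" and stored in /etc/ipsec.secrets). The example assumes each Bering box holds the site's public address on eth0 with the router as its next hop, and that the LAN is on eth1; a router that NATs in front of the Bering box changes the picture and is not covered here.

```ini
# ---- /etc/ipsec.conf (FreeS/WAN) -- identical on Bering A and Bering B ----
# FreeS/WAN works out which side it is from its own interface addresses,
# so the same conn section is used at both sites.  Addresses are assumed.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn siteA-siteB
        # Site A: public address of Bering A, the LAN behind it, its upstream router
        left=203.0.113.10
        leftsubnet=192.168.1.0/24
        leftnexthop=203.0.113.1
        leftrsasigkey=0sAQ...        # placeholder: "ipsec showhostkey --left" on Bering A
        # Site B: the same three items for Bering B
        right=198.51.100.10
        rightsubnet=192.168.2.0/24
        rightnexthop=198.51.100.1
        rightrsasigkey=0sAQ...       # placeholder: "ipsec showhostkey --right" on Bering B
        authby=rsasig                # RSA keys, no PSK and no X.509 needed
        auto=start                   # bring the tunnel up at boot, not on demand

# ---- /etc/ipsec.secrets on each box (mode 600) ----
# : RSA {
#         # contents produced by "ipsec rsasigkey 2192" on this box
# }

# ---- Shorewall on Bering A (Bering B mirrors this with the subnets swapped) ----

# /etc/shorewall/zones
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Site A LAN
vpn     VPN       Site B LAN, reached through the IPsec tunnel

# /etc/shorewall/interfaces
# With KLIPS (FreeS/WAN on the 2.4 kernel Bering ships), decrypted traffic
# arrives on ipsec0, so the remote site can be its own zone.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth1        detect
vpn     ipsec0

# /etc/shorewall/tunnels
# Lets IKE (UDP 500) and ESP (IP protocol 50) pass between the two gateways.
#TYPE   ZONE   GATEWAY          GATEWAY ZONE
ipsec   net    198.51.100.10

# /etc/shorewall/masq
# Only LAN-to-Internet traffic is masqueraded; tunnel traffic leaves via
# ipsec0, so it keeps its private source address.
#INTERFACE   SUBNET
eth0         eth1

# /etc/shorewall/policy   (first match wins)
#SOURCE   DEST   POLICY   LOG LEVEL
loc       net    ACCEPT
loc       vpn    REJECT   info
vpn       all    DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# Only the two application ports, and only between the two servers.
# Assumed hosts: IIS at 192.168.1.10 (site A), SQL Server at 192.168.2.20 (site B).
#ACTION   SOURCE              DEST                PROTO   DEST PORT(S)
ACCEPT    loc:192.168.1.10    vpn:192.168.2.20    tcp     1433
ACCEPT    loc:192.168.1.10    vpn:192.168.2.20    tcp     80
# reverse direction, since traffic is wanted both ways
ACCEPT    vpn:192.168.2.20    loc:192.168.1.10    tcp     1433
ACCEPT    vpn:192.168.2.20    loc:192.168.1.10    tcp     80
```

Two things worth checking once this is up: "ipsec look" on either box should show the eroute for 192.168.1.0/24 <-> 192.168.2.0/24, and a plain TCP connect from the IIS host to 192.168.2.20:1433 should succeed while anything else from the LAN to the remote subnet is logged and refused. The Windows servers need nothing beyond having the Bering box as their gateway; since this is IIS-to-SQL over TCP rather than browsing, the connection string should name the remote server by address or by a hosts/DNS entry, because, as Charles notes, the broadcasts used for network discovery do not cross the tunnel.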





leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
