On Fri, Jul 28, 2006 at 06:30:13AM -0700, jeraklo wrote:
> --- Joachim Schipper <[EMAIL PROTECTED]> wrote:
> > to the VPN box. The only real problem you are going
> > to run into is if
> > subnet C overlaps with a network the client is
> > already connected to,
> 
>  actually, client connects to a public network and
> doesn't overlap with destination subnet (C), and I
> want its VPN interface to "put" the client as close as
> possible to destination subnet (C). Putting the
> client's VPN interface directly to destination subnet
> (C) would be the most preferred solution.

That's not difficult with IPsec, just tell the clients to route traffic
to C over the tunnel.

The problem happens when a client is connected to your VPN and a
separate network with the same numbering as subnet C. misc@ is littered
with threads that combine 'IPsec' and 'NAT' in the title; this setup,
while not impossible, is fraught with difficulties and gotchas. Don't do
it unless absolutely necessary.

Most other VPN solutions have this same problem, BTW.

> > however, since you mentioned 'public subnet', it
> > might be using public
> > IPs, in which case this won't be a problem.
> > 
> > 
> > Alternately, for a more shiny, more
> > firewall-friendly, but less
> > efficient protocol and not quite as secure an
> > implementation, try
> > OpenVPN. It runs on Windows, Mac OS X, and (most?)
> > POSIX-compliant
> > systems that have tap/tun devices.
> 
> OK but do OpenVPN connections survive NAT ? It is
> possible for some client addresses to be private and
> then translated through NAT to reach the internet.

Both OpenVPN and IPsec work fine over NAT. However, OpenVPN is more
likely to work over broken[1] routers, IME.

                Joachim

[1] They work fine as residential NAT routers, as long as you don't do
anything other than TCP, UDP, and some ICMP, and nothing outside of
usual traffic patterns. Anything else causes much more interesting
behaviour.
I encountered one with rather interesting MTU handling, for instance.
I'm still sure there was a solution, but the brokenness of WinXP's IPsec
implementation combined with the suckiness of this router was enough for
me to go look for something less painful to do.

Of course, a decent WinXP client might have made things easier; and the
server was an old version of KAME's racoon on Linux.
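As an added illustration of the overlap problem discussed above (example code, not part of the thread or any of the posters' setups): a small Python check that, given the destination subnet C and the networks a client is locally attached to, reports any local network that claims the same addresses as C. Routing C over the tunnel is only unambiguous when nothing else on the client claims those addresses; the subnet values used below are constructed sample data.

```python
import ipaddress
from typing import Iterable, List, Tuple

def find_overlaps(dest_subnet: str, local_networks: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (local_network, relation) for every locally attached network
    that overlaps the VPN destination subnet C.

    Pass the client's on-link networks, not its default route: a 0.0.0.0/0
    (or ::/0) route is skipped, because the more specific route to C over
    the tunnel wins against it and causes no ambiguity.  With CIDR prefixes
    an overlap always means one network contains the other, so the relation
    is one of 'equal', 'local-contains-C' or 'C-contains-local'.
    """
    c = ipaddress.ip_network(dest_subnet, strict=False)
    hits: List[Tuple[str, str]] = []
    for net_str in local_networks:
        net = ipaddress.ip_network(net_str, strict=False)
        if net.prefixlen == 0 or net.version != c.version:
            continue  # default route or different address family
        if not net.overlaps(c):
            continue
        if net == c:
            relation = "equal"
        elif net.supernet_of(c):
            relation = "local-contains-C"
        else:
            relation = "C-contains-local"
        hits.append((str(net), relation))
    return hits

def tunnel_route_is_safe(dest_subnet: str, local_networks: Iterable[str]) -> bool:
    """True when the client can simply route C over the tunnel without any
    locally attached network competing for the same addresses."""
    return not find_overlaps(dest_subnet, local_networks)

if __name__ == "__main__":
    # Constructed sample: a roaming client on a public network (no clash)
    # and a client on a private LAN numbered the same as C (clash).
    c = "10.1.2.0/24"
    for label, local in (("public client", ["203.0.113.0/24", "0.0.0.0/0"]),
                         ("private client", ["10.1.2.0/24", "0.0.0.0/0"])):
        print(label, "safe" if tunnel_route_is_safe(c, local) else find_overlaps(c, local))
```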
