On Friday, January 31, 2003, at 09:57  AM, Dick St.Peters wrote:

> I've used FreeSWAN extensively and currently recommend against it to
> my users unless they absolutely need IPSEC for some reason.
Err..  You recommend AGAINST using strong encryption?

> IPSEC is considerably more complex than most VPN technologies in ways
> that are counter-intuitive.  IPSEC tunnels are not just virtual wires,
> they also include access controls.
IPsec by itself does not include access controls beyond the shared secret or the x.509 certificate used to authenticate the tunnel. In most cases, IPsec is paired with some sort of firewalling to provide the access control.

> For example, consider:
>
>   net1 --- gateway1 -- {internet} -- gateway2 --- net2 --- net3
>
> A FreeSWAN tunnel between gateway1 and gateway2 can allow net1 and
> net2 to talk to each other, but that same tunnel will not allow net1
> and net3 to talk to each other.  Communication between net1 and net3
> would require an additional tunnel.  In fact, full connectivity for
> this case would require 6 tunnels:
>     1. net1 <--> net2
>     2. net1 <--> gateway2
>     3. net1 <--> net3
>     4. gateway1 <--> net2
>     5. gateway1 <--> gateway2
>     6. gateway1 <--> net3
You've got double the number of tunnels you need. In fact, if you've set up the site on the right properly, you only need one tunnel definition.

net1 <--> net2/net3

This requires good network planning. For instance, you set up the left side as 192.168.1.0/24, and the right side as, say, 192.168.2.0/24 and 192.168.3.0/24. In this case, your left side's "encryption domain" (pardon the Check Point parlance) is 192.168.1.0/24 and the right side is 192.168.2.0/23. Creating a tunnel to the gateways themselves is pointless. The gateways are the endpoints, that's all...

Since these guys seem to be VPN novices and have both site-to-site as well as remote client capabilities, I'd recommend they go with a vendor-supported solution. The Check Point SofaWare line is excellent for this application. Look, for instance, at the Nokia IP30 products. They come in a 10-user site-to-site capable unit for a list price of $699 and a 25-user for $1199. These units can also terminate connections from Check Point's SecuRemote. SR is available for any reasonably recent Windows platform (WinME, NT, 2000 Pro, XP Home/Pro) for free from CP's web site.

Configuration of the IP30, or any other SofaWare platform, is very easy, done through an https browser session. It provides a DHCP server for the LAN, and supports DHCP and PPPoE on the WAN side.

--
Jason Costomiris <><
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.
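The point Jason makes above about collapsing net2 and net3 into a single 192.168.2.0/23 encryption domain is worth checking mechanically before it goes into a tunnel definition, because the aggregate has to cover exactly the subnets you mean and nothing else: any extra address space inside the selector is traffic the tunnel will happily carry that nobody planned for. The following is an added example written for this thread, not code from either poster or from the FreeSWAN project. It uses Python's standard `ipaddress` module to compute the smallest single CIDR block covering a list of right-side subnets, reports any address space that block covers beyond the intended subnets, and renders a FreeSWAN-style `conn` stanza (the `leftsubnet`/`rightsubnet` keywords are real ipsec.conf keys; the gateway addresses and connection name are constructed placeholders). It also goes beyond the two-subnet case in the message: the same routine works for any number of subnets, and it flags the over-coverage that appears when the subnets are not adjacent.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network


def _exclude_all(container: Net, holes: List[Net]) -> List[Net]:
    """Return the parts of `container` not covered by any network in `holes`.

    CIDR blocks are either nested or disjoint, so an overlap always means
    one side is a subnet of the other.
    """
    remaining = [container]
    for hole in holes:
        nxt = []
        for block in remaining:
            if not block.overlaps(hole):
                nxt.append(block)            # untouched by this hole
            elif hole.subnet_of(block):
                nxt.extend(block.address_exclude(hole))  # punch the hole out
            # else: block lies entirely inside hole -> drop it
        remaining = nxt
    return sorted(remaining)


def aggregate_encryption_domain(subnets: List[str]) -> Tuple[Net, List[Net]]:
    """Smallest single CIDR block covering every subnet, plus the leftover
    address space that block covers but the caller did not ask for.

    An empty leftover list means one tunnel selector matches the intended
    subnets exactly (the 192.168.2.0/24 + 192.168.3.0/24 -> /23 case).
    """
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    # collapse_addresses merges adjacent/nested blocks (e.g. two /24s into a /23)
    collapsed = list(ipaddress.collapse_addresses(nets))
    if len(collapsed) == 1:
        return collapsed[0], []
    # Widen the first block one bit at a time until it contains all of them
    candidate = collapsed[0]
    while not all(candidate.supernet_of(n) for n in collapsed):
        candidate = candidate.supernet()
    return candidate, _exclude_all(candidate, collapsed)


def freeswan_conn(name: str, left_gw: str, left_subnet: str,
                  right_gw: str, right_subnets: List[str]) -> str:
    """Render one ipsec.conf `conn` stanza using the aggregated right side.

    Gateway addresses and the conn name are caller-supplied placeholders.
    """
    right_agg, _ = aggregate_encryption_domain(right_subnets)
    return (
        f"conn {name}\n"
        f"    left={left_gw}\n"
        f"    leftsubnet={ipaddress.ip_network(left_subnet)}\n"
        f"    right={right_gw}\n"
        f"    rightsubnet={right_agg}\n"
        f"    auto=start\n"
    )


if __name__ == "__main__":
    # Constructed inputs matching the thread's example topology
    agg, extra = aggregate_encryption_domain(["192.168.2.0/24", "192.168.3.0/24"])
    print(f"aggregate: {agg}, unintended coverage: {extra or 'none'}")
    print(freeswan_conn("net1-to-net2net3", "203.0.113.1", "192.168.1.0/24",
                        "198.51.100.1", ["192.168.2.0/24", "192.168.3.0/24"]))
    # Non-adjacent subnets: the single selector now over-covers, so print it
    agg, extra = aggregate_encryption_domain(["192.168.2.0/24", "192.168.4.0/24"])
    print(f"aggregate: {agg}, unintended coverage: "
          f"{[str(n) for n in extra]} ({sum(n.num_addresses for n in extra)} addresses)")
```

When the leftover list is non-empty you have a choice the message doesn't have to make: renumber so the subnets become adjacent, or accept two tunnel definitions rather than a selector that also admits addresses you never assigned.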

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list