Jason Costomiris writes:

> Err..  You recommend AGAINST using strong encryption?

No, of course not.  I've previously posted my recommendation of
different and more convenient strong encryption - CIPE or OpenVPN.

> You've got double the number of tunnels you need.  In fact, if you've 
> set up the site on the right properly, you only need one tunnel 
> definition.
> 
> net1 <--> net2/net3
> 
> This requires good network planning.

No, this requires planning your network around IPsec, which is not the
same thing as good network planning.  Other VPN technologies fit into
the network you have ... or that you may want to have for other
reasons.

> Creating a tunnel to the gateways themselves is 
> pointless.  The gateways are the endpoints, that's all...

I take it you don't use traceroute or tracert ... and you expect the
admin to go to the remote site when he/she needs to reconfigure its
gateway.

The gateways are just endpoints only if you use specialized boxes.
They can just as easily be general computers performing other roles
such as providing services.  One of my systems is currently an
endpoint for 12 VPN tunnels using 4 different VPN technologies and at
the same time is a pop3, smtp, www, and ftp server.

> Since these guys seem to be VPN novices and have both site to site as 
> well as remote client capabilities, I'd recommend they go with a 
> vendor-supported solution.

And remain VPN novices ...

The question was asked on a RedHat list, so presumably the poster has
RedHat, meaning he already has one good open source VPN solution
(CIPE) and already has the tun/tap kernel driver used by at least two
other easily-added open source VPN solutions (OpenVPN and VTun).  He
also has ppp and both stunnel and ssh, so he has a choice of many VPN
solutions.

There may be times when recommending vendor VPN solutions is
appropriate, but in my opinion this is not one of them.

--
Dick St.Peters, [EMAIL PROTECTED] 
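
(Added example, not part of the thread above and not code from the OpenVPN
project.)  To make concrete what "one tunnel definition" between two gateways
looks like with OpenVPN, the script below emits both halves of a static-key
site-to-site tunnel.  Each gateway keeps its own address on the tun
interface (10.8.0.1 and 10.8.0.2), so the remote gateway shows up as a hop in
traceroute and can be reached over the tunnel for reconfiguration; the extra
networks behind the far gateway are added as routes, not as further tunnels.
The hostnames gw-a.example.net and gw-b.example.net, the 10.8.0.0/30 tunnel
addresses, the 192.168.x.0/24 LANs and the key path are assumptions for
illustration.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): generate the two
# sides of a site-to-site OpenVPN 2.x static-key tunnel between two gateways.
# Each gateway keeps its own tun address, so it stays addressable (traceroute
# hop, ssh target) through the tunnel.  Names and addresses are assumptions.

# gen_site_config LOCAL_TUN REMOTE_TUN REMOTE_HOST "LAN1 LAN2 ..."
# The LANs are /24 networks behind the remote gateway; each becomes a route
# installed in the local kernel table when the tunnel comes up, so adding a
# network at the far side never means adding another tunnel.
gen_site_config() {
    local_tun=$1; remote_tun=$2; remote_host=$3; remote_lans=$4
    printf '%s\n' \
        "dev tun" \
        "proto udp" \
        "port 1194" \
        "remote $remote_host 1194" \
        "ifconfig $local_tun $remote_tun" \
        "secret /etc/openvpn/site.key" \
        "cipher AES-256-CBC" \
        "auth SHA256" \
        "keepalive 10 60" \
        "persist-tun" \
        "persist-key" \
        "user nobody" \
        "group nobody" \
        "verb 3"
    for lan in $remote_lans; do
        printf 'route %s 255.255.255.0\n' "$lan"
    done
}

# count_directive DIRECTIVE < config
# Counts lines starting with a given directive, e.g. how many tunnel
# endpoints (ifconfig) or routes a generated config carries.
count_directive() {
    grep -c "^$1 "
}

# Site A's gateway serves 192.168.1.0/24; site B's gateway has two networks
# behind it, 192.168.2.0/24 and 192.168.3.0/24: one tunnel, two routes.
SITE_A_CONF=$(gen_site_config 10.8.0.1 10.8.0.2 gw-b.example.net "192.168.2.0 192.168.3.0")
SITE_B_CONF=$(gen_site_config 10.8.0.2 10.8.0.1 gw-a.example.net "192.168.1.0")

# Typical use on each gateway (not run here):
#   printf '%s\n' "$SITE_A_CONF" > /etc/openvpn/site-b.conf
#   openvpn --config /etc/openvpn/site-b.conf
```

The shared key is generated once, on either gateway, with
`openvpn --genkey --secret /etc/openvpn/site.key` (OpenVPN 2.5 and later spell
it `openvpn --genkey secret /etc/openvpn/site.key`) and copied to the other
gateway over an already-authenticated channel such as scp; with a static key
there is no certificate to manage, but the same file must be protected on
both ends, since anyone holding it can join or decrypt the tunnel.  After
both sides are up, `traceroute 192.168.2.10` from a site A host should show
10.8.0.2 as the hop before the destination, and `ssh 10.8.0.2` reaches the
far gateway without leaving the tunnel.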



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
