I agree with Nokia-man :)  Get the appliances if you can; if not, FreeS/WAN.
That is, if you can afford the slow response time over the Internet.  I
guess a lot depends on how much traffic (data) is being pushed and pulled by
the program.  If it is not much then you should be fine.  If there is a lot
of network traffic then you are going to be very unhappy.  Remember that the
program has to load itself and all of its parts over this link, and all of the
data has to go back and forth as well.

Good Luck!

----------------
Warren Melnick
Director of Research and Development
Astata Corporation




-----Original Message-----
From: Jason Costomiris [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 28, 2001 8:16 AM
To: [EMAIL PROTECTED]
Subject: Re: Need VPN guidance puhleez! :)


On Tue, Feb 27, 2001 at 12:32:57PM -0500, Steve Gulick wrote:
: I have no clue with all this VPN stuff and am looking for a good place to
: start so I was hoping that you guys could help. My job is to set up a VPN
: between 2 linux boxes that will allow the Winblows boxes from Network#1 to
: run apps off the server at Network#2. Is this possible? If it is what
: software do I need?

2 ways spring to mind.  Both cost about the same, and will handle about 
5 Mbps of 3DES traffic between the networks.

Get yourself two Linux boxes, reasonably well-outfitted, 256 or 512 MB of
RAM in each, disk isn't all that important, so go with what's cheap, two
GOOD HIGH QUALITY NICs (like 3Com or Intel), etc.  Load them up and install
FreeS/WAN (www.freeswan.org).  Put one at each site, and set up an IPSec
VPN between them.  I believe later versions of FreeS/WAN will perform 
IKE key negotiation, which beats the heck out of manual key swapping,
like we used to do in the days of old.  Problem?  It's only really good
for site-to-site VPNs.  If you decide you want to offer remote access
VPN (users dial an ISP and VPN in with a client), it's not going to 
fly.  What's good?  It's a free, standards compliant IPSec implementation
that integrates nicely with Linux.  While great technology, you MUST
have someone who understands the "voodoo" that's going on under the 
surface, just like anything else.

Other solution is get a couple of hardware VPN devices.  I happen to work
for Nokia.  About 9 months ago, we acquired Network Alchemy, who had some
outstanding VPN gear.  Well, things are settling down, and they're much
more integrated into our culture now, and everyone's productive again, in
fact stronger than they were (the number of people on the project has 
tripled).  The low-end boxes (CC500) run about $1500 each.  They are
rack-mountable, and have 2 10/100 ethernet ports inside.  If you require
high-availability, or want to do some load balancing, you can cluster the
boxes together.  Failover happens in 500ms if the master node dies, and 
250ms if any other node croaks.  It's standard IKE/IPSec technology too.
The boxes have an internal CA you can kick on to issue X.509 certs to use
for the IKE negotiation too.  BTW - when failover happens, not only do
the boxes failover at the IP level, but also at the *IPSec* level.  Yes,
the SA's move over and do NOT need to be re-negotiated.  Clients do NOT
need to re-authenticate.  The CC500's are good for 100 users or less.
If you need more, there are bigger boxes that scale up into the thousands 
of users.

For my $$, even if I didn't work for Nokia, I would pick the appliances.
Why?  They're flash based, no hard drive to worry about failing.  They're
also incredibly compact (about the size of a small 8-port hub), but can 
still be rack mounted if you want (takes up 1U).  Also, the FreeS/WAN 
stuff does not offer clustering capabilities for HA/Load Balancing.
Lastly, FreeS/WAN, while very robust, requires a fair bit of work to 
set it up.  The Nokia appliances practically fall out of the box working.
And for those who are wondering, nope, these are not the same as the 
fw-1 appliances we sell (IP110, 330, 440, 650)...

One of my friends is building a FreeS/WAN box right now.  Next weekend, he's
supposed to bring it over, and we're going to geek out, trying to get all of
these to talk IPSec to each other:

Nokia CC500
FreeS/WAN
Watchguard SOHO
Netscreen 5
Nokia IP330 w/VPN-1 4.1SP2
Cisco Pix

Oof, if I were married, I'd be a dead man.  All of that stuff in my living
and dining rooms.. :-)

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
          (Whatever is said in Latin sounds profound.)
                    My account, My opinions.
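A site-to-site FreeS/WAN configuration of the kind Jason describes above, as an added example that is not part of the original thread and not taken from the FreeS/WAN project's own documentation. The gateway addresses, LAN subnets and the connection name are made up (RFC 5737 documentation ranges); the two RSA public keys are placeholders to be replaced with the output of `ipsec showhostkey --left` and `ipsec showhostkey --right` on the respective gateway after each host has generated its key with `ipsec rsasigkey`. The same file is installed unchanged on both gateways: FreeS/WAN decides which of left/right is the local side by matching the addresses against its own interfaces.

```ini
# /etc/ipsec.conf on BOTH gateways (FreeS/WAN 1.x syntax). Added example, not from the thread.
# Site 1 gateway 192.0.2.1 in front of 10.1.0.0/16; site 2 gateway 198.51.100.1 in front of 10.2.0.0/16.
# Addresses are documentation ranges; replace with the real ones.

config setup
    interfaces=%defaultroute      # attach ipsec0 to whichever interface holds the default route
    klipsdebug=none               # no KLIPS (kernel) debugging noise in the logs
    plutodebug=none               # no Pluto (IKE daemon) debugging noise either
    plutoload=%search             # load every conn that has auto=add or auto=start
    plutostart=%search            # and start every conn that has auto=start
    uniqueids=yes                 # a new negotiation from the same peer replaces the old SA

conn %default
    keyingtries=0                 # retry IKE indefinitely instead of giving up on the link
    authby=rsasig                 # authenticate IKE with RSA signatures, not a shared secret
    keyexchange=ike               # automatic keying via IKE; no manual key swapping

conn site1-site2
    left=192.0.2.1                # site 1 gateway, public address
    leftsubnet=10.1.0.0/16        # LAN behind site 1
    leftnexthop=192.0.2.254       # site 1's upstream router (made-up address)
    leftrsasigkey=0sAQ...         # PLACEHOLDER: paste `ipsec showhostkey --left` from site 1
    right=198.51.100.1            # site 2 gateway, public address
    rightsubnet=10.2.0.0/16       # LAN behind site 2 (the app server lives here)
    rightnexthop=198.51.100.254   # site 2's upstream router (made-up address)
    rightrsasigkey=0sAQ...        # PLACEHOLDER: paste `ipsec showhostkey --right` from site 2
    auto=start                    # negotiate the tunnel as soon as ipsec starts
```

With `auto=start` the tunnel comes up on `ipsec setup start`; `ipsec look` on either gateway should then show an eroute for 10.1.0.0/16 <-> 10.2.0.0/16 carried over the tunnel. Using `authby=rsasig` means no pre-shared secret ever has to be copied between sites, only each host's public key, which is also what makes the identical file safe to install on both ends. This covers the site-to-site case only; as the post notes, road-warrior clients are a different configuration.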



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list


