Re: freebsd vpn server behind nat dsl router



Robert Johannes wrote:
On Wed, 7 Mar 2007, Tom Judge wrote:
<SNIP/>

Looking into adding nat-t to ipsec as we speak.


I would suggest you go with Yvan's suggestion of doing away with gif and adding the nat-t support to ipsec. Alternatively you could use a UDP/TCP based vpn solution such as openvpn (in ports and http://openvpn.net/), which will be fully compatible with your nat setup. openvpn will also be tolerant of remote end points changing ip address while the vpn link is active, which comes in handy when used in combination with a dynamic dns service.

As far as openvpn goes, I looked into it in October or Nov. last year, and it seemed not to be very scalable; I have 6 different offices that all need to connect and chat with each other, and it didn't seem like openvpn would allow for this to happen. I didn't investigate it much beyond that when I learned that.



There are no problems with connecting 6 sites together with openvpn; you could either run separate instances of openvpn for each site or use the correct configuration option that specifies that all clients can talk to each other via the server. However, I would have thought that you would want each site to have a link to every other site directly, in which case an openvpn server at each site is your best option, with a number of clients. If you use ospf/bgp you will be able to easily maintain your routing table with all these links and be able to survive a link failure, as the traffic will get routed via another site rather than directly to its destination.

It would be advisable to use a routing protocol such as ospf even if you decide to use IPSec, as it simplifies the maintenance of the routing table and allows new sites to be added easily and quickly.

Just my 2p

Tom
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
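As an added example (not from this thread or the OpenVPN project), a POSIX sh script that generates the hub-side OpenVPN configuration the reply refers to: `client-to-client` on the server plus a per-site ccd entry with `iroute`, for six constructed site subnets. Site names, subnets and certificate file names are assumptions; the client certificate CN must match the site name because OpenVPN looks up ccd/<CN>.

```shell
#!/bin/sh
# Added example: generate the config for an OpenVPN hub that lets several
# branch sites reach each other through the server.
# Site names and subnets are constructed; the cert CN must equal the name.
SITES="site1 192.168.1.0 255.255.255.0
site2 192.168.2.0 255.255.255.0
site3 192.168.3.0 255.255.255.0
site4 192.168.4.0 255.255.255.0
site5 192.168.5.0 255.255.255.0
site6 192.168.6.0 255.255.255.0"

# server.conf for the hub.  "client-to-client" makes the daemon forward
# packets between connected sites; each "route" puts the site's subnet into
# the kernel table via tun so the hub's own LAN can reach it too.
openvpn_server_conf() {
    cat <<'EOF'
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert hub.crt
key hub.key
dh dh.pem
tls-auth ta.key 0
client-config-dir ccd
client-to-client
keepalive 10 120
EOF
    printf '%s\n' "$SITES" | while read -r _ net mask; do
        echo "route $net $mask"
    done
}

# ccd/<site>: "iroute" tells OpenVPN which connected client owns a subnet
# (the kernel route above is not enough for that).  The pushed routes give
# the site a path to every other site; drop them if OSPF runs over the tun.
openvpn_ccd() {
    site=$1
    printf '%s\n' "$SITES" | while read -r name net mask; do
        if [ "$name" = "$site" ]; then
            echo "iroute $net $mask"
        else
            echo "push \"route $net $mask\""
        fi
    done
}
```

Write `openvpn_server_conf` to server.conf and each `openvpn_ccd <site>` to ccd/<site> under the OpenVPN config directory (/usr/local/etc/openvpn on FreeBSD).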