Devon & Cornwall Linux Users' Group


Re: [LUG] freeswan ipsec



Hi Robin,

The routing was also one of my main concerns. As you say, creating almost a
virtual subnet is one solution; do you know if you can specify the address
allocation range in freeswan?

After reading your advice it sounds like it may be best all going via the
server. The load will not be too bad as there will not be a great deal of
traffic between the clients. It will be a one-job machine (900MHz CPU, 256k
RAM); I will build the kernel with just netfilter & freeswan.

I now need to read up more on freeswan/ipsec, so thanks for the links.

Thanks again for your time Robin. Can I mail you if I get any problems
during set up?

Regards,

Luke

> Just re-read this section and had a few thoughts
>
>> What I would like to get together is almost replicate the normal win2k
>> domain login to keep consistency with what the users are used to. They
>> all develop in win32 so there is no getting away from the windows angle.
>> So each user will be presented with a domain login screen which then
>> implements the whole hog; they then inherit the whole active directory
>> groups and users permission set up & each client can access each other's
>> machines via network neighbourhood, net sends, internal msn. I need to
>> get some internal video conferencing together as well (but one thing at
>> a time eh). But the AD stuff is the most important.
>>
>
> Although each client can connect to the server, connecting to each other
> (client-client) is difficult. Some of the protocols involved are
> non-routeable, I believe, so you will have to masquerade all the clients as
> the same private subnet, and you don't want these sorts of protocols flying
> around unencrypted either.
>
> You will be able to see everybody in the browselist (as the server knows
> where everybody is) but communication between clients will attempt to go
> direct, so you may need some "hairy" routing to create a virtual subnet.
>
> If you allow direct client-client access every client will need its own
> Certificate Authority and every client will need every other client's public
> certificate, instead of just one CA on the server and a certificate for each
> client. But the server approach will double the bandwidth usage / CPU as the
> packets must enter your gateway server, be decrypted, be routed, be encrypted
> and sent to the other client!
>
> Just some thoughts!
>
> anyway more importantly links:-
>
> look at http://vpn.ebootis.de/ for windows client and basic linux server
> setup
> info plus windows helper progs and look at http://www.freeswan.ca for
> superfreeswan / x509 patches for normal freeswan.
>
> Regards
>
> Robin


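As an added illustration of the design Robin describes (one CA on the server, a certificate per client, and all client traffic hairpinning through the gateway), here is a gateway-side FreeS/WAN ipsec.conf. It is not from this thread or the FreeS/WAN project; the address, file names and CA distinguished name are placeholders, and it assumes the X.509 patch from freeswan.ca (which supplies the leftcert, rightca and %cert keywords) is applied.

```ini
# /etc/ipsec.conf on the gateway server (added example; every value below is a placeholder)
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        authby=rsasig                 # certificate-based authentication, not pre-shared keys
        leftrsasigkey=%cert           # take the server's public key from its certificate
        rightrsasigkey=%cert          # take each client's public key from the certificate it presents

# One connection definition covers every client: any peer presenting a
# certificate signed by the server's CA is accepted, so only the server
# keeps a CA and each client holds just its own certificate.
conn roadwarriors
        left=203.0.113.1              # server's public address (placeholder)
        leftcert=serverCert.pem       # server certificate issued by the single CA (placeholder name)
        leftsubnet=0.0.0.0/0          # clients send ALL traffic into the tunnel, so a packet
                                      # for another client arrives here and is routed back out
                                      # through that client's own tunnel
        right=%any                    # clients connect from dynamic addresses
        rightca="C=GB, O=Example Ltd, CN=Example CA"   # only trust certs from our own CA (placeholder DN)
        auto=add                      # wait for the clients to initiate
```

The leftsubnet=0.0.0.0/0 line is what forces client-to-client traffic through the server, so the double decrypt/route/encrypt cost Robin mentions lands on this machine and IP forwarding must be enabled on it.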


--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
message body to unsubscribe.

