D&C Lug - Home Page
Devon & Cornwall Linux Users' Group


Re: [LUG] freeswan ipsec



On Wednesday 01 October 2003 5:36 pm, Luke wrote:
> An ipsec box and firewall. Behind this will be a win2k server and an
> imap linux mail server. These two machines are going to be on their own
> with no clients directly connected, in a rack with their own 2mb pipe.

Sounds somewhat similar but more "serious" than my setup so far. I have a 
gateway server which runs a firewall for my internal network and also 
freeswan. My server only connects to a static IP broadband 512k though.

As the secure connection appears as interface ipsec0 I have separate firewall 
rules to my untrusted ppp0 interface, so even the secure connection can be 
firewalled for that added protection.

On the protected LAN I have another server (also linux) running samba for 
Windows domain logons of all the Windows clients.

>
> Then we have the clients, which will vary between 7-10 each with their
> own dsl connection and a variety of OS - winxp & win2k & Linux. Some are
> static and some dhcp off their isp.

No problem here, static and/or dynamic IP is fine, as are any of the above OSs. 
As there are Windows clients it is recommended you use X509 certificates for 
authentication, as pre-shared secrets are not as secure.

>
> What i would like to get together is almost replicate the normal win2k
> domain login to keep consistency with what the users are used to. They
> all develop in win32 so there is no getting away from the windows angle.
> So each user will be presented with a domain login screen which then
> implements the whole hog, they then inherit the whole active directory
> groups and users permission set up & each client can access each others'
> machines via network neighbourhood, net sends, internal msn, i need to
> get some internal video conferencing together as well (but one thing at
> a time eh). But the AD stuff is the most important.

Domain logons are possible from Windows clients but can be somewhat more 
tricky. I have not tried too hard as a domain logon over a 512k connection is 
a nightmare! But the main issues were getting the Windows clients to connect to 
the internet with my broadband connection before the logon screen. If 
connected, the underlying ipsec system of Windows does seem to work ok.

You need to get the WINS server address right as well, that really helps 
Windows.

> Oh, and each client will have an imap mailbox which will keep the mail
> internal (apart from passing through the tunnels)

As the mail server is behind your ipsec gateway I assume it will be a 
192.168.0.x address on a private LAN, as will the NT domain controller. You 
just set up the ipsec connection to the net rather than the ipsec server. E.g. I 
am sitting here on a static IP broadband address and I can ping 192.168.0.20 
and get a response from my mail/samba server across the internet. So to check 
my work mail my pop3/imap server is 192.168.0.20! Simple once it is up and 
running!

> As far as the NAT stuff goes, that may only pose a problem with users
> behind their own routers.

The magic left/right next hop! If this is coupled with dynamic IPs this 
becomes a pain. You can tell ipsec that the packets are going through a 
router/NAT system by specifying its IP address. 

> Which dist did you use?

It's all on mandrake 9.0 freeswan1-99 (I really should upgrade) for the main 
server (x509-patched) (as per mandrake rpm I believe).

My connection at home is mandrake 9.1 with freeswan-2.00-x509 compiled by myself 
from source. My "other" connection at home is Windows XP. And we also have XP 
on road-warrior laptops.

> Be interested in what sort of set up you have going.

Think I covered that now!

Hope this helps

Regards

Robin
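To tie the points in Robin's reply together (ipsec0 bound to the untrusted ppp0 so the two can be firewalled separately, X509 certificate authentication instead of pre-shared secrets, the private 192.168.0.x subnet reachable through the tunnel, and the left/right nexthop parameters for a router in the path), here is a constructed FreeS/WAN-style ipsec.conf. It is an added example and not configuration from this thread; the addresses, certificate file names and the distinguished name are placeholders, and the X509 parameters (leftcert, rightrsasigkey=%cert, rightid) assume the X.509 patch Robin mentions.

```ini
# /etc/ipsec.conf  (constructed example, FreeS/WAN 1.99/2.0 syntax with the X.509 patch)
config setup
        # ipsec0 rides on the untrusted ppp0 link; the firewall can then have
        # one rule set for ppp0 (cleartext) and another for ipsec0 (decrypted)
        interfaces="ipsec0=ppp0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        # certificate (RSA signature) authentication rather than a shared secret
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

# Road warriors (static or ISP-assigned address, Windows or Linux) reaching the
# private LAN behind the gateway; mail and samba/domain controller live there.
conn roadwarrior
        left=%defaultroute               # gateway's public address (static broadband)
        leftsubnet=192.168.0.0/24        # protected LAN offered through the tunnel
        leftcert=gatewayCert.pem         # placeholder, stored in /etc/ipsec.d/certs
        # if the gateway itself sits behind a router, name that router here;
        # %defaultroute is fine when ppp0 is the default route
        leftnexthop=%defaultroute
        right=%any                       # client address unknown in advance (dynamic IP)
        rightid="C=GB, O=Example, CN=client1"   # placeholder DN, must match the client certificate
        auto=add                         # gateway waits for the client to initiate
```

The gateway's private key is referenced from ipsec.secrets (an `: RSA gatewayKey.pem` line) and the issuing CA certificate goes in /etc/ipsec.d/cacerts; with `rightid` matching the DN in the client's certificate, a client presenting any other certificate, or only a shared secret, is refused before any traffic reaches the 192.168.0.0/24 subnet.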
