
Re: What VPN is recommended?



Hey,

On Mon, 2001-09-03 at 00:47, Rino Mardo wrote:
> hi.  i have a working knowledge of vpn and i would just like: 
> a)  confirmation with the list regarding my knowledge of how it works

You're basically correct in your assumptions:)  I'd be willing to bet
there aren't many people out there who could tell you exactly how IPSEC
works, but I can tell you the basics at least;)  When you're using
IPSEC, all traffic destined for a particular network is encrypted and
tunnelled through a single TCP port (ESP).  Any number of authentication
and encryption methods can be used, but most use 3DES and IKE or
Pre-shared keys.  You can filter traffic on that port as you normally
would.

> b)  what vpn solution or approach would you recommend

We've been using FreeS/WAN successfully at work for six months now.
Management could be a little bit easier, but that can be remedied with
scripts (If I ever get around to it:).  As for actual performance
though, I definitely can't complain.  I'm not sure about Potato, but
Woody has both the FreeS/WAN kernel modules and userland utils
available.

You can find more info here:
http://jixen.tripod.com/
and here:
http://www.freeswan.org


> you see in my previous job they've installed cisco's vpn client on one of
> the laptops and a vpn feature in the pix firewall.  according to what
> they've told me anywhere in the world this laptop user can access our
> internal servers just by logging in to a local isp and using this vpn
> client.  plus the connection would be secure.  

The connection is almost definitely secure, but the problem we struggle
with at work is whether or not the client machine is secure.  We're very
reluctant to offer (indeed, we haven't offered) software-based VPNs to any of
our employees or clients.  It seems to us that the only comfortably
secure solution is to give the client a hardware-based firewall/vpn
appliance.  We're looking at some of the sweet embedded Linux devices
now, but up until this point we've been giving out low-end workstations
to our employees that act as a firewall/gateway/vpn.

> now, am i right in saying
> that i can also apply this with lotus notes clients who want to sync their
> databases and check their emails with the internal servers?  can vpn be done
> using dial-up?  what about dynamic ip addresses on the vpn server will it be
> ok?

Yep, it should work out for any application.  Your clients sitting on a
VPN connection are, for all intents and purposes, on your LAN.  There
are subtle differences (Such as their IPs being external,
Internet-routable, and they miss out on broadcast messages) but for the
most part you can think of them as being on a really-slow segment of
your network:)  A VPN should be perfectly suited to support Notes-type
applications.  We've run into problems running NFS over a VPN, but other
than that everything has worked out just fine.
 
> having said that what vpn solution is recommended for lotus notes clients?

Welp, I haven't actually done it or read about it, but like I said, I
suspect it would work out with little or no problems.

> thank you.

No problem:))

- James Morton
  jmorton@viata.com
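
Added example, not part of the original message: a filter for the IPsec traffic discussed above matches ESP as IP protocol 50, AH as IP protocol 51 and IKE as UDP port 500. The sketch below classifies raw IPv4 packets that way and accepts them only from a configured peer; the peer address, the accept/drop policy and the helper names are assumptions, and the packets are constructed for the demo.

```python
import ipaddress
import struct

# Assumed policy for illustration: one known VPN peer (documentation range).
PEERS = {ipaddress.ip_address("192.0.2.10")}
ESP, AH, UDP, IKE_PORT = 50, 51, 17, 500

def classify(packet: bytes) -> str:
    """Return 'esp', 'ah', 'ike' or 'other' for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4              # IP header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "other"
    proto = packet[9]
    if proto == ESP:
        return "esp"
    if proto == AH:
        return "ah"
    # Only the first fragment of a UDP datagram carries the port numbers.
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    if proto == UDP and frag_offset == 0 and len(packet) >= ihl + 4:
        dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if dport == IKE_PORT:
            return "ike"
    return "other"

def decide(packet: bytes) -> str:
    """Accept IPsec traffic only from configured peers; drop everything else."""
    if classify(packet) == "other":
        return "drop"
    src = ipaddress.ip_address(packet[12:16])
    return "accept" if src in PEERS else "drop"

def build(src: str, proto: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet (checksum left at zero) for the demo."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address("198.51.100.1").packed)
    return header + payload

if __name__ == "__main__":
    ike = struct.pack("!HHHH", 500, 500, 8, 0)    # UDP header, ports 500/500
    samples = (build("192.0.2.10", ESP, b"\0" * 8), build("192.0.2.10", UDP, ike),
               build("203.0.113.5", ESP, b"\0" * 8), build("192.0.2.10", 6))
    for pkt in samples:
        print(classify(pkt), decide(pkt))
```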
