[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

How to make a working VPN

Howdy all.

That subject sounds a bit generic - but it's exactly what I'm asking. Googling for a while hasn't given me the answers I'm looking for - a lot refers to software I'm not using.

So - on with the background.

At this time, I have a primary router "stonewall.amfeslan.local". Stonewall is running Debian stable, 2.4 kernel, with an iptables SNAT firewall straight from the IP-Masquerade howto (allow everything inside out, deny everything outside in unless pre-connected).

Connected to stonewall's other network card is "foxy.amfeslan.local". This is running the same iptables script. I'm doing this because I read somewhere that having two routers to insulate your LAN from the Internet was a good idea. If this is overkill, or going to cause me problems - puhleeaze say so.

The card from "foxy" connects to our LAN switch. DHCP on an internal server has all the other computers using "foxy" as the gateway - "foxy" uses "stonewall" as the gateway - and "stonewall" connects to my ISP.

This has been working just dandy for internal usage. But now I want to start to allow external access to our system - and I haven't found a definitive "this is how you do it" for my needs. If I've missed a web page - by all means please point the way.

Since the remote clients are going to be using dynamic IP's - I can't use IP addressing for filtering. So it seems like IPSEC is the way to go. I had a lot of problems trying to get FreeSwan to work. So I upgraded "foxy" to kernel 2.6, as well as one of the LAN workstations, and used the ipsec-tools to create a secure link. It actually worked the first time - just the way the howto page showed me!

But how do I do this for external clients? Are there particular ports I need to open? Does using IPSEC eliminate the need for an IPTABLES firewall? With these two routers, do I need to configure special port/ip forwarding?


Reply to: