How to make a working VPN
Howdy all.

That subject sounds a bit generic - but it's exactly what I'm asking. Googling for a while hasn't given me the answers I'm looking for - a lot of it refers to software I'm not using.

So - on with the background.

At this time, I have a primary router "stonewall.amfeslan.local". Stonewall is running Debian stable, 2.4 kernel, with an iptables SNAT firewall straight from the IP-Masquerade howto (allow everything inside out, deny everything outside in unless pre-connected).

Connected to stonewall's other network card is "foxy.amfeslan.local". This is running the same iptables script. I'm doing this because I read somewhere that having two routers to insulate your LAN from the Internet was a good idea. If this is overkill, or going to cause me problems - puhleeaze say so.

The card from "foxy" connects to our LAN switch. DHCP on an internal server has all the other computers using "foxy" as the gateway - "foxy" uses "stonewall" as the gateway - and "stonewall" connects to my ISP.

This has been working just dandy for internal usage. But now I want to start to allow external access to our system - and I haven't found a definitive "this is how you do it" for my needs. If I've missed a web page - by all means please point the way.

Since the remote clients are going to be using dynamic IPs - I can't use IP addressing for filtering. So it seems like IPSEC is the way to go. I had a lot of problems trying to get FreeSwan to work. So I upgraded "foxy" to kernel 2.6, as well as one of the LAN workstations, and used the ipsec-tools to create a secure link. It actually worked the first time - just the way the howto page showed me!

But how do I do this for external clients? Are there particular ports I need to open? Does using IPSEC eliminate the need for an IPTABLES firewall? With these two routers, do I need to configure special port/ip forwarding?

Daniel
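The port question comes up in every such setup, so here is an added example (not part of Daniel's post or of the IP-Masquerade howto) showing what the outer router "stonewall" has to pass through to the IPsec endpoint on "foxy": IKE on UDP 500, ESP (IP protocol 50) and UDP 4500 for NAT traversal, which the peers normally negotiate once they notice that foxy sits behind stonewall's NAT. The interface name `eth0` and foxy's address `192.168.1.2` are assumed placeholders; forwarding raw ESP by DNAT only works because exactly one inner host (foxy) terminates IPsec, since the kernel tracks ESP by address pair alone.

```shell
#!/bin/sh
# Added example: IPsec pass-through rules for the outer router ("stonewall")
# so a roaming client with a dynamic address can reach the IPsec endpoint on
# the inner router ("foxy"). Values below are placeholders, not from the post.
EXT_IF="${EXT_IF:-eth0}"        # stonewall's ISP-facing interface (assumed)
FOXY="${FOXY:-192.168.1.2}"     # foxy's address on stonewall's inner card (assumed)
IPT="${IPT:-echo iptables}"     # dry-run by default; run with IPT=iptables to apply

# IPsec does not replace the packet filter: stonewall still decides what may
# reach foxy, and foxy's own iptables still decides what the *decrypted*
# packets may reach once ESP is stripped. Only three kinds of traffic need to
# pass stonewall for the tunnel itself:
#   UDP 500   IKE key exchange
#   ESP (50)  the encrypted payload, for peers that do not use NAT-T
#   UDP 4500  ESP-in-UDP (NAT-T), used once the peers detect the NAT
ipsec_passthrough_rules() {
    # Rewrite the destination so the public address lands on foxy.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 500  -j DNAT --to-destination "$FOXY"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p udp --dport 4500 -j DNAT --to-destination "$FOXY"
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p esp -j DNAT --to-destination "$FOXY"
    # The IP-Masquerade ruleset rejects new inbound connections in FORWARD, so
    # these exceptions are inserted at the head of the chain, limited to the
    # external interface, to foxy, and to the IPsec protocols only.
    $IPT -I FORWARD 1 -i "$EXT_IF" -d "$FOXY" -p udp --dport 500  -j ACCEPT
    $IPT -I FORWARD 1 -i "$EXT_IF" -d "$FOXY" -p udp --dport 4500 -j ACCEPT
    $IPT -I FORWARD 1 -i "$EXT_IF" -d "$FOXY" -p esp -j ACCEPT
}

# Number of rules the generator emits (dry-run); handy for a sanity check.
ipsec_rule_count() {
    ipsec_passthrough_rules | grep -c .
}

ipsec_passthrough_rules
```

Run it as-is to see the rules; replies from foxy to the roaming client are already covered by the howto's "pre-connected" (ESTABLISHED,RELATED) rule and stonewall's SNAT.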