
Re: need pptp tunnel for win nethood ADVISE!

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> hello list,
>
> I hope everyone is doing well.
>
> Here is my question for today, this applies to MCSEs and CCNAs

Well, not necessarily...  I know MCSEs and CCNAs that would be totally
lost on your question :)

> Is it possible to tunnel the Network Neighborhood on a single domain in the
> following situation:
> a main office is connected to a remote office through DSL on both ends, using
> linux as the router, NAT, firewall on both ends.

If Linux is at both ends that makes it *sooooo* easy.  Things get
interesting if one of the ends is, oh, a Cisco.  Or (shudder) a Windows
"firewall".

[..]

> What makes this possible
> VPN, VLAN maybe.....eh.........anyone?? Special hardware, Frame-relay.

If you just need to connect two lans, a VPN is exactly what you need (a
vlan is something else entirely).  On Linux, there are generally 6 (well,
*I* can only think of 6 :) ways to do this.

1) IPsec - http://www.freeswan.org
2) MS' dreaded PPTP - http://poptop.lineo.com
3) vpnd - http://sunsite.auc.dk/vpnd/
4) cipe - http://sites.inka.de/~W1011/devel/cipe.html
5) vtun - http://vtun.sourceforge.net/
6) ppp over ssh

Of them, I've played with 2, 3, 4, and 6.

#1 (ipsec) is actually a generic method of encrypting communication
between two hosts.  Once you have it working, it's very simple to get a
vpn going.  IPsec is especially useful if you ever want to use internet
"appliances" like a NetScreen or a Cisco PIX to make a third vpn.  Keep in
mind, though, that the FreeSWAN people don't have any patches for the
2.4.x kernel series.

#2 (pptp) is IMO really a bad choice (poor encryption AND mismanagement of
the encryption keys :( ); you should implement it if and only if you need
Windows clients to "dial" into one or both of your lans.  It doesn't sound
like that will apply here.

#3 (vpnd) requires no kernel alterations, but can add quite a bit of
latency.  It is a small 60k executable, and 2 config files (a pre-shared
key, and the config file specifying IP #s and what not).  It required no
kernel modifications.

#4 (cipe) is currently my "favorite".  It's just about as small and as
simple to configure as vpnd, but has lower latency.  It has a kernel
"helper" module.

#5 (vtun) appears to be very similar to cipe, but I've never used it.
vtun and cipe have very similar capabilities and feature sets.

#6 (ppp over ssh) is a fairly simple to configure method of encrypting ppp
traffic - you establish the ssh session, then push the ppp data (just a
bunch of characters) over that link.  It does incur quite a bit of
overhead, however.

Oh, and the fact that you need to do this for a Windows environment
doesn't matter much, as long as all the traffic being moved is something
over IP.  In fact, you would configure Windows just as you would if your
WAN was implemented with dedicated telco hardware.

- -- 
- ----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6ryqV/ZTSZFDeHPwRApgwAJ9fBjtaMkztuyhz3hyHDWKT5YH/jACgjm+5
7RrNt6+sBtFJ2C50eoBHwvI=
=PtQr
-----END PGP SIGNATURE-----
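
Option #6 (ppp over ssh) carried out between the two Linux routers, as an added example that is not part of the message above or of any of the projects it links.  The host name remote.example.com, the link addresses 10.0.0.1/10.0.0.2, the remote LAN 192.168.2.0/24 and the key-only root login on the far end are assumptions made for the example; the pppd and ssh options are the standard ones.

```sh
#!/bin/sh
# Added example, not code from the original message: "ppp over ssh"
# (option 6) between the two Linux routers, then a route for the remote
# office LAN over the new ppp link.  Hypothetical values: the remote router
# is remote.example.com, the link endpoints are 10.0.0.1 (here) and
# 10.0.0.2 (there), and the remote LAN is 192.168.2.0/24.
REMOTE_USER="${REMOTE_USER:-root}"            # pppd needs root on both ends
REMOTE_HOST="${REMOTE_HOST:-remote.example.com}"
LOCAL_IP="${LOCAL_IP:-10.0.0.1}"
REMOTE_IP="${REMOTE_IP:-10.0.0.2}"
REMOTE_LAN="${REMOTE_LAN:-192.168.2.0/24}"

# The far end runs pppd on the ssh session's stdin/stdout (notty), in the
# foreground (nodetach) so the session lives exactly as long as the link,
# and without PAP/CHAP (noauth): ssh has already authenticated the peer.
REMOTE_PPPD="pppd nodetach notty noauth"

# Print the local pppd invocation.  'pty CMD' makes pppd run CMD and use
# its stdin/stdout as the "serial line"; the ssh command must reach pppd
# as one argument, hence the double quotes.  BatchMode never prompts for
# a password (key auth only), ServerAliveInterval notices a dead DSL link,
# -T requests no remote tty.  updetach returns once the link is up and
# exits non-zero if it never comes up.
ppp_over_ssh_cmd() {
    printf 'pppd updetach noauth passive pty "ssh -o BatchMode=yes -o ServerAliveInterval=30 -T %s@%s %s" %s:%s\n' \
        "$REMOTE_USER" "$REMOTE_HOST" "$REMOTE_PPPD" "$LOCAL_IP" "$REMOTE_IP"
}

# Print the authorized_keys line for the remote router, given the local
# router's public key.  The forced command means this key can bring up
# the ppp link and nothing else, even if it is copied off the local router.
authorized_keys_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$REMOTE_PPPD" "$1"
}

tunnel_up() {
    cmd=$(ppp_over_ssh_cmd)
    echo "+ $cmd"
    eval "$cmd" || { echo "ppp link did not come up" >&2; return 1; }
    # Send the remote office LAN over the link.  NetBIOS over TCP/IP
    # (ports 137-139) is ordinary IP traffic, so this route is all it needs.
    ip route add "$REMOTE_LAN" via "$REMOTE_IP"
}

case "${1:-}" in
    up)    tunnel_up ;;
    show)  ppp_over_ssh_cmd ;;
    key)   authorized_keys_line "$(cat /root/.ssh/id_rsa.pub)" ;;
    *)     : ;;   # no argument: only define the functions
esac
```

Run `sh vpn.sh key` on the main-office router and paste the output into /root/.ssh/authorized_keys on the remote router, then `sh vpn.sh up` brings the link up; the remote side needs the mirror route (the main-office LAN via 10.0.0.1), which its /etc/ppp/ip-up script can add when the link appears.  The "quite a bit of overhead" mentioned above is TCP (the ssh session) carrying TCP (the LAN traffic), so both retransmission timers fight each other on a lossy DSL line.  One Windows detail: the browse list is built from NetBIOS broadcasts, which stop at the router, so machines across the link show up in Network Neighborhood only if both offices share a WINS server or LMHOSTS entries, exactly as they would over a leased line.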
