
Re: What VPN is recommended?



On Mon, Sep 03, 2001 at 03:12:12AM -1000, James L. Morton wrote:
> Hey,
> 
> On Mon, 2001-09-03 at 00:47, Rino Mardo wrote:
> > hi.  i have a working knowledge of vpn and i would just like: 
> > a)  confirmation with the list regarding my knowledge of how it works
> 
> You're basically correct in your assumptions:)  I'd be willing to bet
> there aren't many people out there who could tell you exactly how IPSEC
> works, but I can tell you the basics at least;)  When you're using
> IPSEC, all traffic destined for a particular network is encrypted and
> tunnelled through a single TCP port (ESP).  Any number of authentication
> and encryption methods can be used, but most use 3DES and IKE or
> Pre-shared keys.  You can filter traffic on that port as you normally
> would.
> 
> > b)  what vpn solution or approach would you recommend
> 
> We've been using FreeS/WAN successfully at work for six months now.
> Management could be a little bit easier, but that can be remedied with
> scripts (If I ever get around to it:).  As for actual performance
> though, I definitely can't complain.  I'm not sure about Potato, but
> Woody has both the FreeS/WAN kernel modules and userland utils
> available.

I've compiled and installed freeswan on potato successfully (I had to
recompile a kernel though). Downloaded the sources from woody.

> 
> You can find more info here:
> http://jixen.tripod.com/
> and here:
> http://www.freeswan.org
> 
> 
> > you see in my previous job they've installed cisco's vpn client on one of
> > the laptops and a vpn feature in the pix firewall.  according to what
> > they've told me anywhere in the world this laptop user can access our
> > internal servers just by logging in to a local isp and using this vpn
> > client.  plus the connection would be secure.  
> 
> The connection is almost definitely secure, but the problem we struggle
> with at work is whether or not the client machine is secure.  We're very
> reluctant to offer (indeed, we haven't offered) software-based VPNs to any of
> our employees or clients.  It seems to us that the only comfortably
> secure solution is to give the client a hardware-based firewall/vpn
> appliance.  We're looking at some of the sweet embedded Linux devices
> now, but up until this point we've been giving out low-end workstations
> to our employees that act as a firewall/gateway/vpn.
> 
> > now, am i right in saying
> > that i can also apply this with lotus notes clients who want to sync their
> > databases and check their emails with the internal servers?  can vpn be done
> > using dial-up?  what about dynamic ip addresses on the vpn server will it be
> > ok?
> 
> Yep, it should work out for any application.  Your clients sitting on a
> VPN connection are, for all intents and purposes, on your LAN.  There
> are subtle differences (Such as their IPs being external,
> Internet-routable, and they miss out on broadcast messages) but for the
> most part you can think of them as being on a really-slow segment of
> your network:)  A VPN should be perfectly suited to support Notes-type
> applications.  We've run into problems running NFS over a VPN, but other
> than that everything has worked out just fine.

I think I can guess that if you're using Lotus Notes, most of your
employees are working on windows. If that's correct, then you should
consider pptp instead of ipsec. I'm no windows whiz but I think that pptp
is easier to set than ipsec on windows (on linux it's a different
matter). It worked fine on a startup I was working for (all the
employees were connecting to a cisco firewall with pptp and radius
authentication).

>  
> > having said that what vpn solution is recommended for lotus notes clients?
> 
> Welp, I haven't actually done it or read about it, but like I said, I
> suspect it would work out with little or no problems.
> 
> > thank you.
> 
> No problem:))
> 
> - James Morton
>   jmorton@viata.com
> 

Bye
--
Haim
