From: "Aaron P. Martinez"
To: Erik Norgaard
Cc: questions@freebsd.org
Date: Wed, 27 Oct 2004 07:03:47 -0500
Subject: Re: VPN questions

On Wed, 2004-10-27 at 03:38, Erik Norgaard wrote:
> Hi,
>
> I am looking at how to implement VPN but I'm getting confused as to how
> IPSec, IKE, OpenSSL, FreeSWAN, racoon etc. all fit into the picture. I
> am looking at two scenarios, and I have two questions.
>
> 1) Standard IPSec tunnel:
>
>       +----+ IPSec/VPN +----+
> LAN---| FW |-----------| FW |---LAN
>       +----+           +----+
>
> In this scenario: Can CARP/pf handle VPN/IPSec connections in case the
> master unit fails? (I am assuming that both ends have fixed public
> routable IPs).
>
> 2) VPN for mobile users
>
>       +----+    VPN    +-----+
> LAN---| FW |-----------| FW? |---[mobile unit]
>       +----+           +-----+
>
> For mobile users I can't be sure where they are, their IP, or if they
> are behind NAT/firewall, nor can I trust the network until the mobile unit.
>
> IPSec breaks behind NAT, are there other alternatives than ssh-tunnels I
> should take a look at? (which? :-)

I suggest looking at OpenVPN; it is an SSL-based VPN that is fairly easy
to set up. I might shy away from FreeSWAN as it is for the most part out
of development, only one more rollup and that's it.

>
> Thanks, Erik
> --
> Ph: +34.666334818                      web: www.locolomo.org
> S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
> Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
> Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2

Aaron