From: Eric Crist
Date: Wed, 27 Oct 2004 19:22:10 -0500
To: Erik Norgaard
cc: questions@freebsd.org
Subject: Re: VPN questions
In-Reply-To: <417F5E6B.2080100@locolomo.org>
Message-Id: <685CBB3A-2877-11D9-86F0-000D9333E43C@secure-computing.net>

On Oct 27, 2004, at 3:38 AM, Erik Norgaard wrote:

> Hi,
>
> I am looking at how to implement VPN but I'm getting confused as to how
> IPSec, IKE, OpenSSL, FreeSWAN, racoon etc. all fit into the picture. I
> am looking at two scenarios, and I have two questions.
>
> 1) Standard IPSec tunnel:
>
>        +----+   IPSec/VPN   +----+
>   LAN---| FW |-----------| FW |---LAN
>        +----+               +----+
>
> In this scenario: Can CARP/pf handle VPN/IPSec connections in case the
> master unit fails? (I am assuming that both ends have fixed public
> routable IPs).
>
> 2) VPN for mobile users
>
>        +----+      VPN      +-----+
>   LAN---| FW |-----------| FW? |---[mobile unit]
>        +----+               +-----+
>
> For mobile users I can't be sure where they are, their IP, or if they
> are behind NAT/firewall, nor can I trust the network until the mobile
> unit.
>
> IPSec breaks behind NAT, are there other alternatives than ssh-tunnels I
> should take a look at? (which? :-)
>
> Thanks, Erik
> --
> Ph: +34.666334818 web: www.locolomo.org
> S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
> Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
> Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2

Take a look at mpd in the ports tree for the mobile connections. I use it on a regular basis, and it is really easy to set up. Also, unlike poptop, mpd supports encryption. My particular setup is for 128-bit encryption and I allow 3 different connections at once.

HTH

-----
Eric F Crist
Secure Computing Networks
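The reply above recommends mpd with 128-bit encryption and three concurrent mobile clients but does not show a configuration. The following is an added example, not Eric's own config or anything from the mpd project: it uses the mpd 3.x configuration syntax that shipped in the FreeBSD ports tree around the time of this thread (an assumption; mpd 4 and later restructured these files), and the interface names, address ranges, the public address 203.0.113.10, the user name and the password are all placeholders. The security-relevant settings are the CCP lines, which accept only 128-bit MPPE, and `crypt-reqd`, which refuses to pass traffic on a bundle whose encryption negotiation failed.

```conf
# /usr/local/etc/mpd/mpd.conf  (constructed example, mpd 3.x syntax assumed)
#
# One bundle per simultaneous client: three bundles give the "3 connections
# at once" of the reply. Each bundle gets its own netgraph interface and
# hands out one address from the LAN.
default:
        load pptp0
        load pptp1
        load pptp2

pptp0:
        new -i ng0 pptp0 pptp0
        set ipcp ranges 192.168.1.1/32 192.168.1.51/32
        load pptp_common

pptp1:
        new -i ng1 pptp1 pptp1
        set ipcp ranges 192.168.1.1/32 192.168.1.52/32
        load pptp_common

pptp2:
        new -i ng2 pptp2 pptp2
        set ipcp ranges 192.168.1.1/32 192.168.1.53/32
        load pptp_common

# Settings shared by all three bundles.
pptp_common:
        set iface disable on-demand
        set iface enable proxy-arp
        set iface idle 1800
        set bundle disable multilink
        # MPPE is negotiated through CCP; enable it and require that the
        # negotiation succeeded before any traffic is passed.
        set bundle enable compression
        set bundle enable crypt-reqd
        set ccp yes mppc
        # Accept only the 128-bit key length; refuse the 40- and 56-bit ones.
        set ccp no mpp-e40
        set ccp no mpp-e56
        set ccp yes mpp-e128
        set ccp yes mpp-stateless
        # CHAP only: MPPE keys are derived from the CHAP exchange, and PAP
        # would send the password in the clear.
        set link disable pap
        set link enable chap
        set link keep-alive 10 60
        set ipcp yes vjcomp
        set ipcp dns 192.168.1.1

# /usr/local/etc/mpd/mpd.links  (constructed example)
# The three links listen for incoming PPTP calls on the firewall's public
# address and never originate calls themselves.
pptp0:
        set link type pptp
        set pptp self 203.0.113.10
        set pptp enable incoming
        set pptp disable originate

pptp1:
        set link type pptp
        set pptp self 203.0.113.10
        set pptp enable incoming
        set pptp disable originate

pptp2:
        set link type pptp
        set pptp self 203.0.113.10
        set pptp enable incoming
        set pptp disable originate

# /usr/local/etc/mpd/mpd.secret  (constructed example; must be mode 0600)
# One "user password" pair per line.
alice   PLACEHOLDER-PASSWORD
```

Two things worth checking on a box configured like this: `ngctl list` should show the three `ng0`..`ng2` interfaces once mpd is running, and a client that is only willing to do 40-bit MPPE must be refused rather than silently falling back, which is what the `set ccp no mpp-e40` and `crypt-reqd` lines enforce. Because the MPPE session key is derived from the CHAP credential, the effective strength of the tunnel is bounded by the quality of the passwords in `mpd.secret`, so the file's permissions and the password policy matter as much as the 128-bit setting itself.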