Date: Fri, 22 Feb 2002 18:10:30 +0100 From: Rickard Borgmäster <doktorn@realworld.nu> To: freebsd-net@freebsd.org Subject: IPSec VPN Questions, comments wanted :-) Message-ID: <20020222181030.5532a263.doktorn@realworld.nu>
I'm about to find a solution to VPN-interconnect our branch offices. Today we have a main site with a /28 net where the network servers are located. The internal net is 10.0.0/24 with S-NAT for the servers. Branch offices use the ICA protocol to connect to an internal Windows Terminal Server. Branch offices are rather small, typically 1-3 laptop (Win2000/XP) computers and a network printer, connected to the Internet via ADSL or ISDN, with NAT addresses (192.168.1.x/24; each branch office uses the same setup). Branch offices have static IP addresses, which will be passed in by the firewall. Branch office users typically travel a lot with their laptops, and need to connect to the main site from various locations. The firewall at the main site is currently IPFilter on FreeBSD 4.3.

This is what we want to achieve:

1) Connectivity from non-static addresses, encrypted.
2) Interconnect the branch office networks with the main site network, encrypted.
3) Users should never have to reconfigure their laptop in order to connect to the main site.

This is the solution I had in mind:

First of all: upgrade the main site firewall to the latest FreeBSD-stable.

1) Create "Virtual Private Network" connections using the built-in features of Win2000/XP on the laptop computers. This is for use out of the branch office, i.e. at home or visiting a customer/supplier.

2) Equip each branch office with a "multi-purpose" IPSec-capable firewall, i.e. Cisco 806, Multitech RF550VPN [1], Watchguard SOHO|tc. Set it up with an assigned private network id (i.e. 10.0.1.0/28, 10.0.1.16/28, etc.) per branch office. The addresses will be provided to the laptops from this multi-purpose firewall via DHCP.

3) Now I hope the only difference from the user's point of view would be that if he/she is out of office, they need to establish the transport-mode VPN connection to the main site firewall before they can use network services. If a user moves from one branch office to another, he/she only needs to plug the laptop in and should then be able to reach network services on the main site.
Question marks:

* Have I understood this right? ;)

* With IPSec tunnel mode to the main site firewall, all branch office networks would be reachable from the main site, right? I.e., from 10.0.0/24 I would be able to ping a network printer at 10.0.1.12?

* Should the users connect to the private addresses of the main site network (10.0.0/24) or the public addresses when they need to access network services? This is of course a DNS matter, since we cannot put private addresses on a public DNS server.

* Since the firewall must be set to accept IPSec connections from all source addresses, how does it know that it comes from an approved user? Is the connection authenticated using private keys or username/passwords or what?

Don't you just love scenarios? =)

Any ideas or feedback welcome.

[1] Seems to be a nice product for this purpose. Low price (SEK 3.000 / ~$300). Features NAT, packet filtering, 4-port 10/100 switch, PPPoE for automatic logon to the ADSL provider, 5 simultaneous IPSec tunnels, 700Kbps IPSec throughput, 6Mbps firewall throughput. Specs see: http://www.multitech.com/products/SOHO_VPN/

-- 
Rickard Borgmäster
doktorn@sub.nu
http://doktorn.sub.nu/
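The tunnel-mode question above (whether every branch prefix becomes reachable from 10.0.0/24) comes down to the security policy entries loaded on the main-site firewall: with KAME-style IPsec on FreeBSD, setkey(8) installs one outbound and one inbound tunnel policy per branch, and the selectors match on the inner private prefixes, which is also why hosts should address the main site by its 10.0.0/24 addresses rather than the public ones. The script below is an added example for this thread, not the poster's configuration or anything from the Multitech product: it checks that the per-branch /28 plan from the post has no overlapping prefixes (the reason the shared 192.168.1.x/24 setup cannot be tunneled as-is), reports which branch tunnel a destination such as the printer 10.0.1.12 would use, and emits the corresponding spdadd lines. The main-site firewall address 198.51.100.1 and the branch public addresses 203.0.113.x are constructed documentation addresses, and the branch names are assumptions.

```python
"""Check an IPsec site-to-site addressing plan and emit the tunnel-mode
SPD entries a KAME-style setkey(8) would load on the main-site firewall.

Added example for this thread; not the poster's configuration. Public
addresses are constructed (RFC 5737 documentation ranges); the private
prefixes follow the plan described in the post.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

MAIN_SITE_PUBLIC = "198.51.100.1"   # constructed: main-site firewall
MAIN_SITE_PRIVATE = "10.0.0.0/24"   # internal net from the post

# Constructed branch table: name -> (static public address, assigned /28)
BRANCHES: Dict[str, Tuple[str, str]] = {
    "branch-a": ("203.0.113.10", "10.0.1.0/28"),
    "branch-b": ("203.0.113.20", "10.0.1.16/28"),
    "branch-c": ("203.0.113.30", "10.0.1.32/28"),
}


def validate_plan(main_private: str, branches: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return a list of problems; an empty list means the plan is usable.

    Tunnel-mode SPD selectors are matched on the inner source/destination
    prefixes, so each site needs a prefix that overlaps nothing else. Two
    branches reusing the same prefix (the 192.168.1.x/24 situation in the
    post) would make the selectors ambiguous and the return route impossible.
    """
    problems: List[str] = []
    nets = {"main-site": ipaddress.ip_network(main_private)}
    publics: Dict[str, List[str]] = {}
    for name, (pub, priv) in branches.items():
        nets[name] = ipaddress.ip_network(priv)
        publics.setdefault(pub, []).append(name)

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")

    for pub, owners in publics.items():
        if len(owners) > 1:
            problems.append(f"public address {pub} shared by {', '.join(owners)}")
        # A tunnel endpoint must not sit inside any prefix the tunnel carries.
        for name, net in nets.items():
            if ipaddress.ip_address(pub) in net:
                problems.append(f"endpoint {pub} lies inside {name} ({net})")
    return problems


def tunnel_for(dst: str, branches: Dict[str, Tuple[str, str]]) -> Optional[str]:
    """Name the branch whose tunnel policy a packet to dst would match,
    or None if dst is not inside any branch prefix (e.g. a main-site host)."""
    d = ipaddress.ip_address(dst)
    for name, (_, priv) in branches.items():
        if d in ipaddress.ip_network(priv):
            return name
    return None


def spd_entries(main_public: str, main_private: str,
                branches: Dict[str, Tuple[str, str]]) -> List[str]:
    """Emit setkey(8) 'spdadd' lines for the main-site firewall: one outbound
    and one inbound ESP tunnel policy per branch. 'require' means traffic
    matching the selector is dropped unless it is protected by the tunnel."""
    lines: List[str] = []
    for name, (pub, priv) in sorted(branches.items()):
        lines.append(f"# {name}")
        lines.append(f"spdadd {main_private} {priv} any -P out ipsec "
                     f"esp/tunnel/{main_public}-{pub}/require;")
        lines.append(f"spdadd {priv} {main_private} any -P in ipsec "
                     f"esp/tunnel/{pub}-{main_public}/require;")
    return lines


if __name__ == "__main__":
    issues = validate_plan(MAIN_SITE_PRIVATE, BRANCHES)
    for issue in issues:
        print("PROBLEM:", issue)
    if not issues:
        print("# printer 10.0.1.12 is reached via", tunnel_for("10.0.1.12", BRANCHES))
        print("\n".join(spd_entries(MAIN_SITE_PUBLIC, MAIN_SITE_PRIVATE, BRANCHES)))
```

Run it as-is to print the policy lines for the constructed plan, or edit BRANCHES to the real offices first; a duplicated /28 shows up as an "overlaps" problem before any policy is printed. Note that these SPD entries only select which traffic must be tunneled; the peer authentication asked about in the last question (pre-shared key versus certificates) is decided by the IKE daemon's configuration, which is separate from setkey and not covered by this script.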