From: Chuck Swiger
Organization: The Courts of Chaos
Date: Tue, 11 Jan 2005 20:59:14 -0500
To: Tom Skeren
Cc: freebsd-net@freebsd.org
Subject: Re: gif's
Message-ID: <41E48472.5000909@mac.com>
In-Reply-To: <41E451D0.9080302@fsklaw.com>
List-Id: Networking and TCP/IP with FreeBSD

Tom Skeren wrote:
> Been pulling my hair out. Anybody know of a resource for a fairly
> complex tunneling scheme. My needs are such that a central hub "Star"
> style tunneling scheme simply will not be efficient.
At some point, complex VPN configurations become more work to set up and maintain than switching to IPsec or increasing the number of publicly available services, hopefully switching to more secure protocols at the same time.

By the last I mean, many people want a VPN to do filesharing from home to work, or access email and such "securely" over the encrypted tunnel, but people tend to terminate VPN endpoints inside the network rather than in a semi-trusted perimeter zone, and the more VPN connections you add, the greater the exposure of various external networks to the inside and to each other.

Switching to HTTPS+WebDAV (e.g. Subversion) for a filesharing/publishing mechanism to replace direct CIFS/Samba access, or accessing mail via IMAPS rather than firing up Outlook against the company's MS-Exchange server over the VPN, might actually result in a more secure configuration.

-- 
-Chuck