[Openswan Users] Re: [SLE] Is a VPN the right thing to use here?
Joachim Schrod
jschrod at acm.org
Tue Nov 15 21:33:21 CET 2005
John wrote:
>
> Due to current circumstances, I have two separate networks, L and R, on
> the same side of an ADSL modem and need to setup a route between them.
> They both share the ADSL modem, 10.0.E.2, as their common, default gateway.
>
> Note that E, L & R are used to identify the subnets for this discussion
> only and are normally replaced with valid, distinct, octet numbers.
> Under normal circumstances, these two networks would be in differing
> geographical locations, linked via the Internet.
I don't understand these two paragraphs fully. If your two networks are in
differing geographical locations, linked via the Internet, probably they don't
share a common ADSL modem.
> Is a VPN the answer or should I look at static routes?
>
> Can anyone give me pointers on how to set this up, please?
>
>
> L net = 192.168.L.0/24, default gateway = 192.168.L.1
> |
> |
> Netgear FVS318 DSL router 192.168.L.1
> External interface = 10.0.E.32, default gateway = 10.0.E.2
> |
> |
> Hub----->ADSL Modem 10.0.E.2------>Internet
> |
> |
> External interface = 10.0.E.31, default gateway = 10.0.E.2
> Server running SuSE10 + Swan/IPSEC
> Internal interface 192.168.R.31
> |
> |
> R net = 192.168.R.0/24, default gateway = 192.168.R.31
This depends on the configuration of your two gateways and your security concerns.
If your Netgear and your SUSE box act as a firewall with NAT and your traffic
between the external interfaces is really over the Internet, a VPN is the
answer.
If you don't have NAT and these are really internal networks, then you _could_
add static network routes to the Netgear and the SUSE server. You will have to
adapt the respective firewall configuration, though, and let this traffic pass.
(You run a firewall on the gateways, don't you?) This will surely work.
If you do so, you have the remaining risk that spoofed packets from the Internet
can enter your internal networks if somebody guesses your other private network
numbers. YMMV -- I would not take up this risk, but then I work as a security
consultant and therefore I'm paranoid by definition. :-)
Cheers,
Joachim
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod Email: jschrod at acm.org
Roedermark, Germany
More information about the Users
mailing list