Gentoo Forums
Network routing question...
chrispy
Apprentice
Joined: 10 Nov 2002
Posts: 228
Location: Tokyo

Posted: Wed Nov 13, 2002 6:22 am    Post subject: Network routing question...

Ok,

So I'm not working in IT, but I decided to build a Gentoo box to be used as a VPN server in our company, because right now we use dialup for remote access, and it's painfully slow. For this I would like to use FreeSWAN, since after searching the forums, it seems like the right choice.
On the server side, I think it's pretty straightforward; I've asked the net admin to forward all UDP, TCP and ESP traffic of one of our global IPs to one machine inside.

My concern (read: headache) is that at home I have my Gentoo box, with 2 NICs to do the NAT and other useful services (that I run on eth1).

My DSL modem ppp0 is bridged to my eth0 card, so actually eth0 doesn't have any IP address.

I'd like to install FreeSWAN there too so that I can access our office network transparently from home.

So to have this working, in my head I see it like this (the part between [ ] is the Gentoo server):
Code:

home pc-->[eth1 (nat)--> eth0 (freeswan&firewall)--> DSL modem]--internet--> company router--> VPN server


How can I do that with iptables?? :oops:

I was thinking of setting up eth1 directing to gateway eth0, and eth0 directing to the default route, i.e. ppp0.

Can someone tell me if my idea is possible? Advice and iptables hints are welcome of course :D

thankee
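One way to wire up the box in the diagram, as an added example that is not part of the original post or of FreeSWAN: a small script that emits (and, as root, applies) the iptables rules for masquerading the home LAN out of ppp0 while letting IKE (UDP 500) and ESP reach FreeSWAN on the DSL side. The interface names follow the diagram; the subnets and the office network are assumptions for illustration. Traffic bound for the office network is deliberately excluded from the masquerade so that it keeps its real LAN source address and matches the subnet-to-subnet tunnel policy.

```shell
#!/bin/sh
# Added example, not from this thread or the FreeSWAN project:
# NAT + forwarding for a two-NIC box whose public address lives on ppp0
# (eth0 is only the bridge to the DSL modem and carries no IP), with the
# IPsec leg kept out of the masquerade.  Subnets are assumptions.

LAN_IF=eth1              # inside NIC; LAN hosts use its address as gateway
WAN_IF=ppp0              # PPP session over the bridged eth0
LAN_NET=192.168.1.0/24   # home LAN (assumed)
OFFICE_NET=10.0.0.0/24   # company LAN behind the office VPN server (assumed)

# Emit the rule set as text so it can be reviewed (and tested) without
# root; apply_rules feeds the same text to a shell.
gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# default-deny on what the box accepts and forwards; outbound is open
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# IKE (UDP 500) and ESP (IP protocol 50) must reach FreeSWAN on the DSL side
iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT
# the LAN may go out (to the internet, or to the office through the tunnel);
# only replies come back in
iptables -A FORWARD -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# masquerade LAN traffic leaving ppp0, except traffic for the office network,
# which must keep its LAN source address so the subnet-to-subnet policy matches
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET ! -d $OFFICE_NET -j MASQUERADE
EOF
}

# Load the rules (root only).  The default route via ppp0 comes from pppd's
# "defaultroute" option, and FreeSWAN installs the route to OFFICE_NET itself
# when the connection comes up; neither is set here.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gen_rules | sh -e
}

# "sh nat.sh apply" as root loads the rules; with no argument it only
# prints them for review.
case "${1:-print}" in
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Check the printed rules before applying them: the only NAT rule should be the single MASQUERADE line with the office network excluded, and the only holes in INPUT on the ppp0 side should be UDP 500 and ESP.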
carlivar
Tux's lil' helper
Joined: 22 Jul 2002
Posts: 92
Location: Burbank, California

Posted: Wed Nov 13, 2002 7:30 am

Doesn't FreeSWAN require the remote IP of each VPN client? If your home IP is dynamic how will you config FreeSWAN?

You might want to think about that first. Could prevent you from doing what you want. VPN server software is pretty limited for Linux.

Carl
_________________
"It is difficult to make our material condition better by the best law, but it is easy enough to ruin it by bad laws." - Theodore Roosevelt
chrispy
Apprentice
Joined: 10 Nov 2002
Posts: 228
Location: Tokyo

Posted: Wed Nov 13, 2002 7:56 am

Well I dunno, I read (still reading hehe) their documentation and it seems that you can use "manual" keys (i.e. keys are generated and put on the clients manually), instead of automatic keying.
Besides, it's for connecting once I'm home, not to be a permanent link, so I would fall into the category "road warrior" that they describe in their HOWTOs...
vertex
n00b
Joined: 14 Nov 2002
Posts: 29

Posted: Thu Nov 14, 2002 4:31 am

[quote="carlivar"]Doesn't FreeSWAN require the remote IP of each VPN client? If your home IP is dynamic how will you config FreeSWAN?

You might want to think about that first. Could prevent you from doing what you want. VPN server software is pretty limited for Linux.[/quote]

You can definitely use IPsec with dynamic IPs on the client side. You might be forced to use shared secrets instead of public key, but that's the tradeoff I suppose. There are probably better and more creative ways.

As far as using NAT with IPsec, I would have to decline as it's too close to bedtime and I might give you an idiot answer.

Good luck!
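What the dynamic-address ("road warrior") setup discussed in this post and in chrispy's reply looks like in FreeSWAN's ipsec.conf, as an added example that is not from the thread or from the FreeSWAN documentation: the office side has a fixed address and accepts the peer from any address (`right=%any`), the home side initiates from whatever address the DSL link got (`%defaultroute`), and both authenticate with a pre-shared secret. The office address 203.0.113.10, both subnets and the connection name are placeholders.

```ini
# Added example, not from the thread or from FreeSWAN. Placeholders:
# 203.0.113.10 = office VPN server, 10.0.0.0/24 = office LAN,
# 192.168.1.0/24 = home LAN.

# ---- /etc/ipsec.conf on the office VPN server ----
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        keyingtries=0
        authby=secret

conn home-roadwarrior
        # office side: fixed public address and the LAN behind it
        left=203.0.113.10
        leftsubnet=10.0.0.0/24
        # home side: address not known in advance, home LAN behind it
        right=%any
        rightsubnet=192.168.1.0/24
        # the server only loads the policy; the road warrior initiates
        auto=add

# ---- /etc/ipsec.conf on the home Gentoo box: same conn, but it knows
# its own (dynamic) address and starts the tunnel itself ----
conn home-roadwarrior
        left=203.0.113.10
        leftsubnet=10.0.0.0/24
        right=%defaultroute
        rightsubnet=192.168.1.0/24
        auto=start

# ---- /etc/ipsec.secrets on both machines (mode 0600, root only) ----
# 203.0.113.10 %any : PSK "replace-with-a-long-random-secret"
```

The trade-off vertex mentions shows up in the last line: with `right=%any` and `authby=secret`, every road warrior that connects to the office box presents the same secret, so the server cannot tell them apart and one leaked home machine compromises all of them. If the client count grows beyond one, `authby=rsasig` with a key per peer keeps the dynamic-address setup but gives each peer its own credential.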