Note: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceed a certain threshold of spam-like behaviour.

[Users] Comments please : planning a VPN / Firewall solution

From: Jakob Curdes (jc_at_info-systems.de)
Date: Tue Mar 19 2002 - 16:50:09 CET

Next message: Andreas Steffen: "RE: [Users] x509 and checkpoint fw-1"
Previous message: Markus Winkler: "[Users] ipsec.secrets syntax"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Hi,

I wonder if anybody wants to comment on my plans. I am new to VPN solutions and am facing the follwoing task.
Please do a cc:to my email address as I am not (yet) subscribed to the list.

- goal : connect a _sub-branch_ of company a with a _sub-branch_ of company b
via public networks

- existing network infrastructure : adsl links with fixed ip address on both ends,
linux firewall machines on both ends, no external services offered via the firewall machines

-requirements : we do not want to route everything from subnet a to subnet b but just give access to _some_
windows file shares etc. on each side while protecting other information in the respective networks from being
read by the other side.

My general line is to keep firewall machines as simple as possible, so I would prefer a solution where
the vpn gateways are separated from the fw; that means in this case on the "inner" side of the firewalls.
I understand that there are limitations as to vpn'ing through a masquerading firewall, because of the changes the
firewall makes to the packets. So my idea is the following :

- place vpn-gateways inside the firewall
- gateways themselves provide internal firewalling to protect ports that should never pass the tunnel
- once encrypted, tunnel passes firewall **without** masquerading (corresponding ruleset must be written for the external firewall)
(Masquerading is needed for other services such as ftp, but not from/to the vpn gateway machines)

Is this possible, feasible, and sensible or is there a less complicated way to achieve what we want ?

The firewall machines are running a 2.x kernel, if I have to open up udp port 500,
can I do stateful packet filtering on this port when upgrading to 2.4.x ???
(problem : udp ist inherently two-way without SYN/ACK)

Thank you for your input,
Jakob Curdes
jc_at_info-systems.de

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

Next message: Andreas Steffen: "RE: [Users] x509 and checkpoint fw-1"
Previous message: Markus Winkler: "[Users] ipsec.secrets syntax"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:45 CEST