Dear all,

I have to install a solution like this (below)

[siteA]=========== vpn ipsec ============ [siteB]
   ||                                        ||
   ||                                        ||
vpn ipsec                                vpn ipsec
   ||                                        ||
   ||                                        ||
   ============= [siteC] =================

Note: Each site has Internet access and I must install and deploy the vpn via this Internet access between the different sites.

I subject this diagram to you so that you help me to install it better way.

Thank you for your assistance

On Tue, Oct 02, 2007 at 03:37:29PM +0000, Dominique Claver KOUAME wrote:
>
> Note: Each site has Internet access and I must install and deploy the vpn
> via this Internet access between the different sites.
>
> I subject this diagram to you so that you help me to install it better way.
>

Well, these are the facts as I see them:

- three sites must be connected, with site A routing between B and C
- you must use IPSEC for VPN

What can I say? Not enough information to even begin to formulate a response. Please provide sufficient relevant detail.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

On Tue, Oct 02, 2007 at 04:59:30PM -0400, Roberto C. Sánchez wrote:
> - you must use IPSEC for VPN

There are only two kinds of people who need ipsec:

- those who have to interact with ipsec devices that they don't control (usually manufactured by cisco) and can't replace
- those who are doing overcomplicated enterprise-level stuff involving thousands of systems, and hence know what they're doing and won't be here asking the question in the first place

Everybody else should avoid it. It's usually like trying to swat a fly with a cruise missile.

On Tue, Oct 02, 2007 at 10:20:22PM +0100, Andrew Suffield wrote:
> On Tue, Oct 02, 2007 at 04:59:30PM -0400, Roberto C. Sánchez wrote:
> > - you must use IPSEC for VPN
>
> There are only two kinds of people who need ipsec:
>
> - those who have to interact with ipsec devices that they don't
>   control (usually manufactured by cisco) and can't replace
> - those who are doing overcomplicated enterprise-level stuff
>   involving thousands of systems, and hence know what they're doing
>   and won't be here asking the question in the first place
>
> Everybody else should avoid it. It's usually like trying to swat a fly
> with a cruise missile.
>

True. Another case, however, is the one where you want people to be able to connect from Mac or Windows clients and you want to support IPSEC+L2TP so that the built in clients will work. That would reduce the support burden since supporting road warriors can be tough.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

Thanks for your reply,

Now I have three sites (A,B,C) with an Internet access on each site. The different sites communicate via vpn in Internet cloud. And we want to install on each site a firewall with shorewall. This shorewall will hand the communication with the others sites via Internet but in the new configuration, we must have vpn with ipsec between them.

The actually diagram is :

site-A to site-B vpn via Internet without encryption.
site-A to site-C vpn via Internet without encryption.
site-B to site-C vpn via Internet without encryption.

My board request a new solution with firewall and IPSEC vpn for encryption according to the actual diagram like this

site-A[fw] to [fw]site-B - VPN + IPsec
site-A[fw] to [fw]site-C - VPN + IPsec
site-B[fw] to [fw]site-C - VPN + IPsec

Help me to install the best solution to do it.

Thanks more for your assistance

2007/10/2, Roberto C. Sánchez <roberto@connexer.com>:
>
> On Tue, Oct 02, 2007 at 03:37:29PM +0000, Dominique Claver KOUAME wrote:
> >
> > Note: Each site has Internet access and I must install and deploy the vpn
> > via this Internet access between the different sites.
> >
> > I subject this diagram to you so that you help me to install it better way.
> >
>
> Well, these are the facts as I see them:
>
> - three sites must be connected, with site A routing between B and C
> - you must use IPSEC for VPN
>
> What can I say? Not enough information to even begin to formulate a
> response. Please provide sufficient relevant detail.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com

On Wed, 3 Oct 2007 21:30:53 +0000, kdclaver@gmail.com said:
> My board request a new solution with firewall and IPSEC vpn for
> encryption according to the actual diagram like this

Are your board primarily business people or technical people? If the former, ask them what they want to achieve (rather than tell you how to implement it). If the latter, ask them why they want IPsec. You really, really don't want to do that unless you have compelling and, as yet, unstated reasons. Use OpenVPN: much easier.

> Help me to install the best solution to do it.

Read the OpenVPN HOWTOs on the OpenVPN website, and read the QuickStart guides on the Shorewall site followed by the OpenVPN page on that site.

--
Keith Edmunds

+---------------------------------------------------------------------+
| Tiger Computing Ltd | Helping businesses make the most of Linux     |
| "The Linux Company" | http://www.tiger-computing.co.uk              |
+---------------------------------------------------------------------+

On Wed, Oct 03, 2007 at 09:30:53PM +0000, Dominique Claver KOUAME wrote:
> Thanks for your reply,
> Now I have three sites (A,B,C) with an Internet access on each site. The
> different sites communicate via vpn in Internet cloud. And we want to
> install on each site a firewall with shorewall. This shorewall will hand the
> communication with the others sites via Internet but in the new
> configuration, we must have vpn with ipsec between them.
> The actually diagram is :
> site-A to site-B vpn via Internet without encryption.
> site-A to site-C vpn via Internet without encryption.
> site-B to site-C vpn via Internet without encryption.
>
> My board request a new solution with firewall and IPSEC vpn for encryption
> according to the actual diagram like this
>
> site-A[fw] to [fw]site-B - VPN + IPsec
> site-A[fw] to [fw]site-C - VPN + IPsec
> site-B[fw] to [fw]site-C - VPN + IPsec
>
> Help me to install the best solution to do it.
>
> Thanks more for your assistance
>

You are still not providing any real detail above what was in your original post. Start by reading this:

http://www.shorewall.net/IPSEC-2.6.html

Then, figure out what you want to accomplish. That is, do you want all traffic to be routed via the VPN and then provide proxies (like squid or whatever) for the protocols which will require external access. Or rather, do you want only traffic destined for IP addresses at the various sites to traverse the VPN and other traffic to have direct access to the Internet in the clear?

You need to figure out what you are trying to accomplish.

Regards,

-Roberto

--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

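Added example, not part of any post in this thread and not code from the Shorewall project: a sketch of the second option raised above (only inter-site traffic uses the VPN) for the three-site full mesh the original poster describes. It emits `/etc/shorewall/tunnels` and `/etc/shorewall/hosts` lines per gateway in the column layout those files use; the site addresses, the `net`/`vpn` zone names, the `eth0` interface and all function names are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: RFC 5737 documentation addresses as the public
# gateway IPs, RFC 1918 ranges as the site LANs. Replace with real values.
SITES = {
    "A": {"gateway": "192.0.2.1", "lan": "10.1.0.0/16"},
    "B": {"gateway": "198.51.100.1", "lan": "10.2.0.0/16"},
    "C": {"gateway": "203.0.113.1", "lan": "10.3.0.0/16"},
}

def check_no_overlap(sites):
    """Site-to-site selectors are ambiguous if two LANs overlap; fail early."""
    for a, b in combinations(sorted(sites), 2):
        net_a = ipaddress.ip_network(sites[a]["lan"])
        net_b = ipaddress.ip_network(sites[b]["lan"])
        if net_a.overlaps(net_b):
            raise ValueError(f"LANs of site {a} and site {b} overlap")

def shorewall_entries(local, sites, net_if="eth0"):
    """Lines for /etc/shorewall/tunnels and /etc/shorewall/hosts on one gateway.

    Assumed zone layout: peer gateways are reached through the 'net' zone
    and the remote LANs form a 'vpn' zone whose traffic must be IPsec.
    """
    check_no_overlap(sites)
    peers = [name for name in sorted(sites) if name != local]
    tunnels = [f"ipsec net {sites[p]['gateway']}" for p in peers]
    hosts = [f"vpn {net_if}:{sites[p]['lan']},{sites[p]['gateway']} ipsec"
             for p in peers]
    return {"tunnels": tunnels, "hosts": hosts}

def tunnel_peer(local, dest_ip, sites):
    """Split-tunnel decision: return the peer site whose LAN holds dest_ip,
    or None when the packet should leave directly to the Internet."""
    ip = ipaddress.ip_address(dest_ip)
    for name in sorted(sites):
        if name != local and ip in ipaddress.ip_network(sites[name]["lan"]):
            return name
    return None

if __name__ == "__main__":
    for site in sorted(SITES):
        entries = shorewall_entries(site, SITES)
        print(f"# site {site}: tunnels -> {entries['tunnels']}")
        print(f"# site {site}: hosts   -> {entries['hosts']}")
```

The generated lines cover only Shorewall's view of the tunnels; the IPsec security policies and keying on each gateway are configured separately.
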
Thanks more

I will try to do it tomorrow and begin the installation early. I will be back here if I get a problem during installation.

Thanks more again.

2007/10/3, Keith Edmunds <kae@midnighthax.com>:
>
> On Wed, 3 Oct 2007 21:30:53 +0000, kdclaver@gmail.com said:
>
> > My board request a new solution with firewall and IPSEC vpn for
> > encryption according to the actual diagram like this
>
> Are your board primarily business people or technical people? If the
> former, ask them what they want to achieve (rather than tell you how to
> implement it). If the latter, ask them why they want IPsec. You really,
> really don't want to do that unless you have compelling and, as yet,
> unstated reasons. Use OpenVPN: much easier.
>
> > Help me to install the best solution to do it.
>
> Read the OpenVPN HOWTOs on the OpenVPN website, and read the QuickStart
> guides on the Shorewall site followed by the OpenVPN page on that site.
>
> --
> Keith Edmunds
>
> +---------------------------------------------------------------------+
> | Tiger Computing Ltd | Helping businesses make the most of Linux     |
> | "The Linux Company" | http://www.tiger-computing.co.uk              |
> +---------------------------------------------------------------------+