Network setup at main office.
10.10.10.x
Mandrake 9.1 as router under Shorewall, DHCPing with a few rules forwarding for pcAnywhere.

Network setup at secondary office.
192.168.1.x
Soon to be Mandrake 9.1 router using Shorewall, DHCPing

I want to tunnel them together.

I've read the HOWTO on IPSEC VPN tunneling and it seems pretty straightforward. Is that the best way to go? Or is another protocol better?

Do I have to use this FreeS/WAN program? What does it set up that the HOWTO doesn't set up?

And if someone has the time, can you reply with the changes I will need to make to my /etc/shorewall files on both routers? I think I followed the HOWTO correctly but I want to be sure.

Thanks a lot gang!

On 21 May 2003 19:14:57 -0500, tufkal <tufkal@granola.mine.nu> wrote:

> Network setup at main office.
> 10.10.10.x
> Mandrake 9.1 as router under Shorewall, DHCPing with a few rules
> forwarding for pcAnywhere.

Beware Mandrake 9.x two-interface setups -- see the Shorewall home page.

> Network setup at secondary office.
> 192.168.1.x
> Soon to be Mandrake 9.1 router using Shorewall, DHCPing
>
> I want to tunnel them together.
>
> I've read the HOWTO on IPSEC VPN tunneling and it seems pretty straight
> forward. Is that the best way to go? Or is another protocol better?

I dislike FreeS/Wan because the kernel must be patched. I personally would use OpenVPN.

> Do I have to use this FreeS/WAN program? What does it setup that the
> HOWTO doesnt setup?

It sets up the VPN -- what is in the Shorewall IPSEC page is simply what you have to do in Shorewall to open the holes for the VPN traffic.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

On Thu, 22 May 2003 01:43:04 +0100, Chet <martyn@chetnet.co.uk> wrote:

> Tom, ever thought about starting a forum up?, it would benefit totally
> useless people like me as we could look back at all the postings, I
> notice that most of the stuff I get through in mails I have seen before,
> would cut down on a load of support work from yourself.
>
> Just a thought

There is a Forum and it DOES NOT CUT DOWN ON MY SUPPORT WORK. At least on the mailing list, I get some help answering questions. On the forum, there's no one but me there to answer them; plus newbies seem to gravitate to the Forum which makes it even more of a burden.

Additionally, I think a web forum absolutely sucks as a mechanism for trying to help someone with Shorewall:

a) All white space is collapsed from posts -- ever try looking at the output of "shorewall status" after you've removed all non-essential white space?

b) It is extremely awkward to quote parts of what the other person said and make them stand out from what you are posting.

For this reason, I get very frustrated with the Forum and occasionally I simply remove the link to it while I recover from Forum Fatigue (there is no link from the support page to the forum currently, for example).

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Hello,

On Wed, 21 May 2003, Tom Eastep wrote:

>> I've read the HOWTO on IPSEC VPN tunneling and it seems pretty straight
>> forward. Is that the best way to go? Or is another protocol better?
>
> I dislike FreeS/Wan because the kernel must be patched. I personally would
> use OpenVPN.

I strongly agree with Tom here. If you have control of both routers and they're both running Linux then use OpenVPN. It is *much* easier to get going than IPSec! IPSec is a major headache to properly understand and deploy. With a tool like OpenVPN available IPSec only makes sense to use when you need to support Windows clients, IMO.

Jason

On Wednesday 21 May 2003 05:02 pm, Tom Eastep wrote:

> Additionally, I think a web forum absolutely sucks as a mechanism for
> trying to help someone with Shorewall:

I concur. Forums are a rather juvenile (sorry Chet) mechanism for support.

This mailing list has archives which are searchable by Google or directly at http://lists.shorewall.net/pipermail/shorewall-users/

A forum on the end of a slow dialup link is almost unbearable as the bulk of the transmission bandwidth is chewed up with useless formatting. Try reading one with lynx some time.

--
John Andersen - NORCOM
http://www.norcomsoftware.com/

Hello,

I use Freeswan and I accept it is non-trivial to set this up. The problem I find is clearly identifying how secure these various options are! Is OPENVPN as secure and robust as Freeswan? If anyone knows of an objective document that comments on this it would help people make a balanced judgement!

Regards

Roy Carter

"CARTER, Roy" wrote:

> Hello,
> I use Freeswan and I accept it is non-trivial to set this up. The
> problem I find is clearly identifying how secure these various options are!
> Is OPENVPN as secure and robust as Freeswan? If anyone knows of an objective
> document that comments on this it would help people make a balanced
> judgement!

Hi,

I don't know exactly how secure OpenVPN is. Did you check the OpenVPN website to get information on how it works?

Without thinking too much, I expect OpenVPN to be as secure as other programs using OpenSSL for encryption are.

My experience with OpenVPN's robustness has been very good. In my situation, I have not had a single failure since I installed it some months ago.

Simon

I have set up two open vpn setups, both for car dealers, which have been running for 2 months without any problems. The internet went down once on one but it fixed itself once the internet was up.

The first one I set up I booted the boxes and left short of some Shorewall rules walked away and have been back since.

They are running parts, accounting and finance through the tunnels. All Windows boxes going through the vpn with a mixture of XP, win2k, win98.

One of the vpns even has a third vpn that connects so they could sell cars at a remote location. So it supports multiple vpns.

One of the apps uses emulation software in which each keystroke has to go through the vpn; each keystroke from the users goes through the vpn at an average of 15ms per keystroke. Just like you were there as far as speed.

Uses automatic compression when needed for large transfers.

Easy to set up. I built the 5 boxes and used Ghost to image the other four Linux boxes, with Dell600sc server boxes at $350 apiece, which support rh 7.3 and Rh 8. Comes with keyboard and mouse and server board with a gigabit network card.

You can use the Linux version of Ghost; I used Norton's.

Mike

*groan*. But where were you a month ago when I descended into freeswan hell? ;-)

Everything now works, I'm happy to say, with freeswan and shorewall, no prob. I'm going to do some interoperability tests connecting to KAME on netbsd and/or freebsd this weekend.

I also just found out that the 2.6 kernel will include KAME (just like the BSDs do). Really kicking myself that I spent so much time understanding and configuring freeswan. *sigh* Oh well...

Thanks for the OpenVPN tip. Sorry for being OT.

-ken