Hiya everyone.

I am currently evaluating tinc for use by my company's VPN needs and I would like some help/information about configuration of tinc and whether it will do what I would like it to do. Hopefully some kind soul will help me with what I am trying to achieve. I am sorry if this is an inappropriate forum for this question, but I am looking for people with some ideas on networking generally, and since I am evaluating tinc this seems like a good place.

We are a very small company who rent out managed servers, which are linked to the Internet via a variety of means, mainly ISDN links. We have two infrastructure servers co-located. Each client site has one (or more) of our servers on the premises. Some of our clients also do VPN between themselves (which our servers have to handle) and PPTP dial-ins (which go to the infrastructure servers and are routed appropriately).

For example purposes I will describe one of our most problematic installations. There are 4 sites: Kendal, Redhills, Westlakes and Workington. All bar Workington have one server and Workington has 2. Each server has a /24 network of client machines behind it and an IP address that is internal to that network.

Our infrastructure servers are 192.168.0.1 and 192.168.4.1, and every site starts a vpnd link to both of these servers when they connect (they have 24/7 ISDN connections); this allows the mail (which is MX'd to the infrastructure servers) to be routed to them.

Workington's main server is 192.168.40.7 and the other server is .3. There are Win NT terminal servers at .10 and .11 which people from Kendal and Redhills need to use. Workington, Kendal and Redhills have 2 ISDN lines each. One ISDN line is for Internet and general VPN traffic. The other ISDN line is dedicated to the Kendal -> Workington and Redhills -> Workington connections. Kendal is 192.168.128.33 and Redhills is 192.168.128.41.
What I was originally planning was to use ethernet SPF bridging to sort this mess out, meaning that all the sites' backbones would be on one unified /24 network as opposed to the mess they are in now. However, I am not sure that this is the way to go, and the bridge code is not working with FreeS/WAN, and since tinc will only encapsulate IP then it won't work with tinc.

Basically I want to have an easy to manage network framework which will work and allow me to add/remove connections as traffic demands change etc.

I know that this wasn't the clearest question and/or explanation, but my thinking hasn't really solidified on the issue yet. Feel free to grill me for more information about the setup; however, this email is long enough as it is for now.

Cheers
Tomas Doran
System administrator and systems developer.
Northern Principle Ltd (0161 848 0440)

-- 
The views & opinions expressed in this email may not be the views and opinions of my employer

-
Tinc: Discussion list about the tinc VPN daemon
Archive: http://mail.nl.linux.org/lists/
Tinc site: http://ftp.nl.linux.org/pub/linux/tinc/
On Thu, Jan 04, 2001 at 11:52:49AM +0000, Tomas Doran wrote:

> What I was originally planning was to use ethernet SPF bridging to sort
> this mess out meaning that all the sites backbones would be one one
> unified /24 network as opposed to the mess they are in now. However I am
> not sure that this is the way to go and the bridge code is not working
> with FreeS/WAN and since tinc will only encapsulate IP then it won't
> work with tinc..

The reason why FreeS/WAN tunnels cannot be bridged is because the tunnels are at the IP layer, not the MAC layer. Although it will change in the future, tinc only encapsulates IP because it acts as a router (and routers need to examine IP headers).

You say it currently is a mess, but merging different sites into one /24 may prove to be an even greater mess. Indeed, only bridging would solve that neatly, but bear in mind that all the broadcast packets (that includes an ARP packet every ~30 seconds for every host on the entire private network) will be exchanged by all the sites over the Internet, not to mention SMB (Windows' network environment) and other stuff...

I would suggest that you use a separate /24 network for each site, and have them all be within one larger /16 network (obviously, 192.168.0.0/16).

> Basically I want to have an easy to manage network framework which will
> work and allow me to add/remove connections as traffic demands change
> etc..
>
> I know that this wasn't the clearest question and/or explanation but my
> thinking hasn't really solidified on the issue yet.

That's ok. Try routing first with separate subnets for each site. Tinc handles that very well, and it will also prove more scalable in the future (I think, but that depends on your situation of course). If you have any further questions, please ask them!
-------------------------------------------
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus@sliepen.warande.net>
-------------------------------------------
See also:
http://tinc.nl.linux.org/
http://www.kernelbench.org/
-------------------------------------------
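Guus's suggestion (one /24 per site, all routed inside 192.168.0.0/16) written out as an added example; this is not code from the thread or from the tinc project. The script writes the configuration for Workington's main server (192.168.40.7, with 192.168.40.0/24 behind it) dialling both infrastructure hubs, using tinc 1.0-style syntax (Name/ConnectTo/Device/Mode in tinc.conf, Address/Subnet in hosts/*, a tinc-up script that receives $INTERFACE), which is newer than the pre-release tinc this 2001 thread was written against. The VPN name "northern", the node names infra1/infra2/workington, the hub hostnames hub1/hub2.example.net and the config root are placeholders chosen here; RSA keys are not generated by the script (run "tincd -n northern -K" on each node afterwards and exchange the hosts files). It also includes the check a practitioner would want with two servers at Workington: the .3 machine must not announce the same 192.168.40.0/24 as the .7 machine, since tinc routes by longest prefix match and identical Subnets are ambiguous.

```shell
#!/bin/sh
# Added example, not code from the tinc project or from this thread.
# Writes a routed tinc configuration for one site following Guus's advice:
# every site keeps its own /24 inside 192.168.0.0/16 and tinc routes between
# them (Mode = router). Node names, hub hostnames and the config root are
# placeholders; keys are not generated here (run "tincd -n $NETNAME -K").
set -u

NETNAME=${NETNAME:-northern}     # assumed VPN name
ROOT=${ROOT:-/etc/tinc}          # override (e.g. a temp dir) for a dry run

# tinc.conf for the local node: its name, then the hubs it dials out to.
write_tinc_conf() {
    name=$1; shift
    dir="$ROOT/$NETNAME"
    mkdir -p "$dir/hosts"
    {
        echo "Name = $name"
        echo "Mode = router"            # route on IP headers, one Subnet per site
        echo "Device = /dev/net/tun"
        for peer in "$@"; do
            echo "ConnectTo = $peer"    # the 24/7 ISDN sites dial both hubs
        done
    } > "$dir/tinc.conf"
}

# hosts/NAME: what every other node learns about NAME. Only the subnet that
# really sits behind this node goes in; hubs also carry a public Address.
# "tincd -n $NETNAME -K" appends the node's RSA public key to this file.
write_host() {
    name=$1; subnet=$2; address=${3:-}
    dir="$ROOT/$NETNAME/hosts"
    mkdir -p "$dir"
    {
        [ -n "$address" ] && echo "Address = $address"
        echo "Subnet = $subnet"
    } > "$dir/$name"
}

# tinc-up: tincd runs this with $INTERFACE set. Giving the VPN interface the
# server's own internal address with a /16 mask sends 192.168.0.0/16 via tinc,
# while the site's own /24 stays on the LAN interface (more specific route).
write_tinc_up() {
    vpn_ip=$1; mask=${2:-255.255.0.0}
    f="$ROOT/$NETNAME/tinc-up"
    cat > "$f" <<EOF
#!/bin/sh
ifconfig \$INTERFACE $vpn_ip netmask $mask
EOF
    chmod 755 "$f"
}

# Sanity check before distributing hosts files: two nodes must not announce
# the same Subnet (e.g. both Workington servers claiming 192.168.40.0/24);
# tinc routes by longest prefix match, so identical Subnets are ambiguous.
check_duplicate_subnets() {
    dups=$(grep -h '^Subnet' "$ROOT/$NETNAME"/hosts/* | tr -d ' ' | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate Subnet declarations: $dups" >&2
        return 1
    fi
    return 0
}

# Workington's main server (192.168.40.7) with 192.168.40.0/24 behind it,
# dialling both infrastructure hubs (hostnames are invented placeholders).
site_workington() {
    write_tinc_conf workington infra1 infra2
    write_host workington 192.168.40.0/24
    write_host infra1 192.168.0.0/24 hub1.example.net
    write_host infra2 192.168.4.0/24 hub2.example.net
    write_tinc_up 192.168.40.7 255.255.0.0
    check_duplicate_subnets
}

# Usage: ./mksite.sh run   (set ROOT=$(mktemp -d) first for a dry run)
if [ "${1:-}" = "run" ]; then
    site_workington
fi
```

The other sites follow the same pattern with their own /24 in the Subnet line; the Kendal and Redhills /24s are not given in the thread, so they are left out here. The second Workington server (.3) gets its own hosts file without a Subnet line, or with only the /32s it really serves, so that check_duplicate_subnets stays clean.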