Mailinglist Archive: opensuse-security (274 mails)

Re: [suse-security] VPN, NAT and LDAP or FTP
  • From: René Matthäi <matthaei@xxxxxx>
  • Date: Tue, 12 Aug 2003 16:23:23 +0200
  • Message-id: <3F38F85B.7090105@xxxxxx>
Hi,

Mark Cooke wrote:

I don't believe IPSEC traverses NAT correctly, so unless your firewall
was also the VPN tunneller, I don't think it works nicely. There's been
some work on STUN, but I don't believe it co-exists nicely with 'double
NAT' yet.

Personally, I've been using CIPE.

The problem is that Windows comes only with an IPSec or L2TP client (for free and integrated). Unfortunately there is no Windows CE client or even Windows XP (<- is _this_ still true?). And for Mobile Computing there are only IPSec Clients (or PPTP/L2TP) I fear.

All the machines on LAN-A have a route added:

10.2.0.0/255.255.255.0 via VPN-A
Default route via FW-A

That's okay - but I don't understand right at this moment why this is
necessary. Can't the FW route the traffic to 10.2.0.0/255.255.0.0
(resp. the other addresses on LAN-B)?
You are correct - you can get your firewall to redirect traffic to the
VPN. That doubles the traffic to the inside of the firewall though.
I.e., LAN -> FW -> VPN -> FW instead of LAN -> VPN -> FW

Traffic doubling might not be a problem, and you may decide the extra
traffic isn't a problem in your scenario and you'd rather have the
simpler setup. (Especially as the LAN portion of your net is probably
at least twice the speed of the link to your ISP. Don't know about the
loading on your firewall though)

You can avoid the traffic problem by adding another physical network link between the VPN GW and the FW. But as for the load, you're right. It's a Pentium I 200 MHz machine and we have 512 kBit/s connection. So I guess this is not on the edge.

Does everything work in your setup, e.g. LDAP or FTP then?
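The two routing designs discussed above (a per-host route for LAN-B via VPN-A versus letting FW-A redirect) can be compared with a small longest-prefix-match simulation. This is an added example and not code from the thread; the node names VPN-A, FW-A and ISP come from the mails, while the remote gateway address 203.0.113.10 and the destination host 10.2.0.1 are constructed assumptions.

```python
"""Compare LAN crossings for 'host route via VPN-A' vs 'FW-A redirects to VPN-A'."""
import ipaddress

LAN_B = ipaddress.ip_network("10.2.0.0/24")   # LAN-B as named in the thread
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
PEER_GW = "203.0.113.10"  # constructed: public address of the remote VPN gateway


def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nexthop)
    return best[1] if best else None


def trace(tables, src, dst, max_hops=8):
    """Follow next hops from src until the packet reaches a node with no table (ISP)."""
    path, node = [src], src
    while node in tables and len(path) < max_hops:
        if node == "VPN-A":
            dst = PEER_GW  # encapsulation: the outer header is addressed to the peer gateway
        node = lookup(tables[node], dst)
        if node is None:
            break
        path.append(node)
    return path


def lan_crossings(path):
    """Number of LAN segment traversals before the packet leaves on the ISP link."""
    return max(len(path) - 2, 0)


# Design 1 (Mark's setup): every LAN-A host carries a route for LAN-B via VPN-A.
HOST_ROUTE_DESIGN = {
    "host": {LAN_B: "VPN-A", DEFAULT: "FW-A"},
    "VPN-A": {DEFAULT: "FW-A"},  # encrypted packets leave through the firewall
    "FW-A": {DEFAULT: "ISP"},
}

# Design 2 (the simpler setup asked about): hosts only know FW-A, which redirects.
FW_REDIRECT_DESIGN = {
    "host": {DEFAULT: "FW-A"},
    "VPN-A": {DEFAULT: "FW-A"},
    "FW-A": {LAN_B: "VPN-A", DEFAULT: "ISP"},
}

if __name__ == "__main__":
    for name, design in (("host route", HOST_ROUTE_DESIGN), ("FW redirect", FW_REDIRECT_DESIGN)):
        p = trace(design, "host", "10.2.0.1")
        print(f"{name:12s} {' -> '.join(p)}   LAN crossings: {lan_crossings(p)}")
```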
