Re: [SLE] VPN & SuSE: any comment on the attached statement ??? [Fwd: Re: VPN question]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 19 November 2003 11:11 am, Maura Edelweiss Monville wrote:
> It's Cisco VPN for Linux and Solaris Release 3.7

I ran this successfully on SUSE 8.2 for load testing purposes. I had it stop and restart the connection every 5 minutes on a bunch of machines for about 2 weeks. The only odd thing I noticed was that sometimes it would take a few minutes to unload the kernel module.

I used the 'vpn-install' script to install it.

In your other message:
> The Client machine gets its IP address changed dynamically and does not respond if accessed by its original static IP so long as VPN is running. Instead the Server machine retains its original IP address working. Moreover, if I start VPN Client remotely on my home computer from the lab computer (Server) then I cannot reach my home computer any more from the lab.

This is normal behaviour. All traffic is routed through the VPN by default for security reasons. If the machine was still accessible through its normal IP and there was a security hole, someone could potentially get into your private network via your machine. That would make your VPN useless.

That said, there is an option to allow you to route through your original connection, but I forget what it is off-hand and I wouldn't recommend using it.

- --
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/u4yE+FOexA3koIgRAotTAJ92MoMJ0JlH8JOYXdVVYoTDpflJCQCfTMxQ
O5NO/33/lahPgDPuANryag4=
=fMks
-----END PGP SIGNATURE-----
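The full-tunnel behaviour James describes (default route through the VPN, the machine's original address unreachable while the tunnel is up) can be checked from the client's own route table. The following is an added example, not code from this thread or from Cisco: it parses `ip route`-style output and reports any prefix that would leave the machine outside the tunnel, splitting the findings into local-LAN routes (what a local-LAN-access setting controls) and other split routes. The tunnel interface name cipsec0, the gateway address 203.0.113.10 and every sample route are constructed assumptions.

```python
import ipaddress

# Constructed `ip route show` output for a client with an active tunnel.
# The interface name cipsec0 and all addresses are assumptions, not values
# from the thread; 203.0.113.10 stands in for the VPN gateway.
SAMPLE_ROUTES = """\
default via 10.9.0.1 dev cipsec0
10.9.0.0/24 dev cipsec0 proto kernel scope link src 10.9.0.23
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
10.20.0.0/16 via 192.168.1.1 dev eth0
"""


def parse_route(line):
    """Parse one `ip route` line into dst/via/dev/scope; None for a blank line."""
    fields = line.split()
    if not fields:
        return None
    route = {"dst": fields[0], "via": None, "dev": None, "scope": None}
    for key in ("via", "dev", "scope"):
        if key in fields[1:]:
            idx = fields.index(key)
            if idx + 1 < len(fields):
                route[key] = fields[idx + 1]
    return route


def audit_routes(route_text, tunnel_if, vpn_gateway):
    """Classify a route table against a full-tunnel policy.

    Returns a dict with:
      default_via_tunnel: True when the default route leaves via tunnel_if
      local_lan: link-scope prefixes still reachable on a physical interface
      split: any other prefix routed around the tunnel, except the one host
             route to the VPN gateway that the tunnel itself needs
      unparsed: destinations that are not address prefixes (left for review)
    """
    gateway = ipaddress.ip_address(vpn_gateway)
    result = {"default_via_tunnel": False, "local_lan": [], "split": [], "unparsed": []}
    for line in route_text.splitlines():
        route = parse_route(line)
        if route is None:
            continue
        if route["dst"] == "default":
            result["default_via_tunnel"] = route["dev"] == tunnel_if
            continue
        if route["dev"] == tunnel_if:
            continue  # traffic inside the tunnel is what the policy wants
        try:
            net = ipaddress.ip_network(route["dst"], strict=False)
        except ValueError:
            result["unparsed"].append(route["dst"])
            continue
        if net.num_addresses == 1 and gateway in net:
            continue  # host route to the VPN gateway: required for the tunnel
        if route["scope"] == "link":
            result["local_lan"].append(route["dst"])
        else:
            result["split"].append(route["dst"])
    return result


if __name__ == "__main__":
    report = audit_routes(SAMPLE_ROUTES, "cipsec0", "203.0.113.10")
    print("default route via tunnel:", report["default_via_tunnel"])
    print("local LAN routes bypassing tunnel:", report["local_lan"])
    print("other split routes:", report["split"])
```

On a live machine, feed the function the output of `ip route show`. Because the client runs through its own kernel module (the thread mentions waiting for it to unload), the kernel table shows what the kernel would route, not necessarily what the client's own filtering lets through, so treat a clean result as a sanity check rather than proof; a default route left on the physical interface, or an extra prefix in `split`, is the finding worth acting on.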
I installed Cisco vpnclient-linux-4.0.1-A-k9.tar.gz, configured it and it ran. I have KeepAlives=1 in the .pcf file which allows me to stay connected 24/7 when working from home. It's running behind a NAT firewall to cable modem when at home and on the road I use it dialled up to an ISP. I have EnableLocalLAN=1, but it falsely reports "Local LAN Access is disabled".

Regards
Sid.
-- Sid Boyce .... Linux Only Shop.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 19 November 2003 08:04 pm, Sid Boyce wrote:
> I installed Cisco vpnclient-linux-4.0.1-A-k9.tar.gz, configured it and it ran. I have KeepAlives=1 in the .pcf file which allows me to stay connected 24/7 when working from home. It's running behind a NAT firewall to cable modem when at home and on the road I use it dialled up to an ISP. I have EnableLocalLAN=1, but it falsely reports "Local LAN Access is disabled".

Hmmm. I've never used that version, so I'm not sure how to fix it, but I can tell you that the EnableLocalLAN option is *very* bad for security. Your admins should set up a proxy server for you to browse the web. (I'm guessing that's why you want it.) Alternatively, you can connect/disconnect as needed, which is the most secure option.

If you still want this option, you should contact Cisco's support guys.

- --
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/vMZS+FOexA3koIgRAveeAJ9W0cg/YPLWAacqXDmgBT5UILWQdACdH0p5
zg5mivPcBnmB5iPMgk2o/3M=
=hvZx
-----END PGP SIGNATURE-----
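The settings Sid names (KeepAlives=1, EnableLocalLAN=1) live in the client's .pcf profile, an INI-style file with a [main] section of key=value lines. As an added example (not code from this thread or from Cisco), here is a small audit that parses such a profile, reports settings that violate a full-tunnel policy of the kind James argues for, and writes the hardened value back. Checking the file directly also sidesteps the question of what the client's status message claims, which Sid found unreliable. The sample profile is constructed: KeepAlives and EnableLocalLAN are the only keys taken from the thread; Description, Host, AuthType and GroupName are assumed key names with placeholder values.

```python
import configparser
import io

# Constructed sample profile. KeepAlives and EnableLocalLAN are the keys the
# thread mentions; Description, Host, AuthType and GroupName are assumed names
# and every value is a placeholder, not a real site.
SAMPLE_PCF = """\
[main]
Description=home to lab (constructed sample)
Host=vpn.example.invalid
AuthType=1
GroupName=example-group
KeepAlives=1
EnableLocalLAN=1
"""

# Full-tunnel policy: the client must not route to its local subnet while the
# tunnel is up. Add further key=value requirements to the dict as needed.
FULL_TUNNEL_POLICY = {"EnableLocalLAN": "0"}


def parse_pcf(text):
    """Return the [main] section of a .pcf profile as a dict (key case preserved)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_file(io.StringIO(text))
    if not parser.has_section("main"):
        raise ValueError("profile has no [main] section")
    return dict(parser["main"])


def audit_pcf(text, policy=FULL_TUNNEL_POLICY):
    """Return (key, found, required) for every policy setting the profile violates.

    A key that is absent from the profile counts as a violation, reported as '<unset>'.
    """
    settings = parse_pcf(text)
    return [
        (key, settings.get(key, "<unset>"), required)
        for key, required in policy.items()
        if settings.get(key, "<unset>") != required
    ]


def harden_pcf(text, policy=FULL_TUNNEL_POLICY):
    """Return the profile text with every policy setting forced to its required value.

    The file is rebuilt from the parsed [main] section, so comments are not
    preserved; keep the original alongside if you need them.
    """
    settings = parse_pcf(text)
    settings.update(policy)
    return "[main]\n" + "".join(f"{k}={v}\n" for k, v in settings.items())


if __name__ == "__main__":
    for key, found, required in audit_pcf(SAMPLE_PCF):
        print(f"{key}={found} violates policy (expected {required})")
    print(harden_pcf(SAMPLE_PCF))
```

Running the audit over every .pcf on a laptop before the tunnel is brought up gives a simple pre-connect check; the hardened output can replace the profile once reviewed, since the rewrite only changes the keys named in the policy.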
I need the local LAN connection so I can scp and rsync stuff between my laptop and my other home machines locally. There is a need for the VPN to be on 24/7, especially when I'm on call or working from home. I have a local firewall through which I use other boxes for non-work stuff. On the firewall I only have the relevant ports opened to the machines that need to use them and, where appropriate as in the case of VPN, only to the one host on the WAN. In any case, at the other end they have proper defences except for the SPAM that Lotus Notes can't cope with.

Regards
Sid.
-- Sid Boyce .... Linux Only Shop.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 20 November 2003 08:31 pm, Sid Boyce wrote:
> I need the local LAN connection so I can scp and rsync stuff between my laptop and my other home machines locally. There is a need for the VPN to be on 24/7, especially when I'm on call or working from home. I have a local firewall through which I use other boxes for non-work stuff. On the firewall I only have the relevant ports opened to the machines that need to use them and, where appropriate as in the case of VPN, only to the one host on the WAN. In any case, at the other end they have proper defences except for the SPAM that Lotus Notes can't cope with.

Contact Cisco's support. They wrote the VPN and none of us have access to their code.

Again, I'll reiterate that split routing is a bad thing and that you shouldn't mix your home and corporate networks. Then again, I'm extremely paranoid to the point that none of my servers have gcc, telnet, ftp, lynx, etc. on them.

- --
James Oakley
Engineering - SolutionInc Ltd.
joakley@solutioninc.com
http://www.solutioninc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/viwr+FOexA3koIgRAuMMAJ0ZmK9efI2eNmTYMoEhfUOHUO7E2QCfdXqs
pYmbIUlfLCg2GLuTYpcgIUA=
=4NkZ
-----END PGP SIGNATURE-----
* James Oakley;
> Again, I'll reiterate that split routing is a bad thing and that you shouldn't mix your home and corporate networks. Then again, I'm extremely paranoid to the point that none of my servers have gcc, telnet, ftp, lynx, etc. on them.

And making sure that they are behind a stateful firewall and the services are running chrooted etc. etc. paranoid +1

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://susefaq.sf.net