Is a VPN the right thing to use here?
Apologies for putting this on many lists; I'm not sure which is most relevant but it's not purely a Swan nor SuSE problem, more an IP problem I suspect.

Due to current circumstances, I have two separate networks, L and R, on the same side of an ADSL modem and need to set up a route between them. They both share the ADSL modem, 10.0.E.2, as their common, default gateway.

Note that E, L & R are used to identify the subnets for this discussion only and are normally replaced with valid, distinct, octet numbers. Under normal circumstances, these two networks would be in differing geographical locations, linked via the Internet.

I would hope that the L subnet could treat the R subnet as if it were the same network and vice versa but all traffic between the two subnets seems to disappear up the ADSL modem to oblivion. How can I sort this?

Is a VPN the answer or should I look at static routes?

Can anyone give me pointers on how to set this up, please?

    L net = 192.168.L.0/24, default gateway = 192.168.L.1
            |
            |
    Netgear FVS318 DSL router 192.168.L.1
    External interface = 10.0.E.32, default gateway = 10.0.E.2
            |
            |
          Hub----->ADSL Modem 10.0.E.2------>Internet
            |
            |
    External interface = 10.0.E.31, default gateway = 10.0.E.2
    Server running SuSE10 + Swan/IPSEC
    Internal interface 192.168.R.31
            |
            |
    R net = 192.168.R.0/24, default gateway = 192.168.R.31

Thanks, in advance

John
On Tue, 2005-11-15 at 19:23 +0000, John wrote:
Apologies for putting this on many lists; I'm not sure which is most relevant but it's not purely a Swan nor SuSE problem, more an IP problem I suspect.
Due to current circumstances, I have two separate networks, L and R, on the same side of an ADSL modem and need to set up a route between them. They both share the ADSL modem, 10.0.E.2, as their common, default gateway.
Note that E, L & R are used to identify the subnets for this discussion only and are normally replaced with valid, distinct, octet numbers. Under normal circumstances, these two networks would be in differing geographical locations, linked via the Internet.
I would hope that the L subnet could treat the R subnet as if it were the same network and vice versa but all traffic between the two subnets seems to disappear up the ADSL modem to oblivion. How can I sort this?
Is a VPN the answer or should I look at static routes?
Can anyone give me pointers on how to set this up, please?
    L net = 192.168.L.0/24, default gateway = 192.168.L.1
            |
            |
    Netgear FVS318 DSL router 192.168.L.1
    External interface = 10.0.E.32, default gateway = 10.0.E.2
            |
            |
          Hub----->ADSL Modem 10.0.E.2------>Internet
            |
            |
    External interface = 10.0.E.31, default gateway = 10.0.E.2
    Server running SuSE10 + Swan/IPSEC
    Internal interface 192.168.R.31
            |
            |
    R net = 192.168.R.0/24, default gateway = 192.168.R.31
Thanks, in advance
John
You need to use a router with multiple interfaces, one for each subnet, and linux can perform this task for you.

    L net 192.168.L.x
         |
         |
    Linux router interface #1 192.168.L.1
         |
         |
    Linux router interface #2 --->DSL modem
         |
         |
    Linux router interface #3 192.168.R.1
         |
         |
    R net 192.168.R.x

With the proper routing statements, on the linux router, both R & L can talk to each other and the internet. The hub/switch you have set up will not work as you need routing between subnets and a hub/switch does not do routing.

-- 
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
John wrote:
Due to current circumstances, I have two separate networks, L and R, on the same side of an ADSL modem and need to set up a route between them. They both share the ADSL modem, 10.0.E.2, as their common, default gateway.
Note that E, L & R are used to identify the subnets for this discussion only and are normally replaced with valid, distinct, octet numbers. Under normal circumstances, these two networks would be in differing geographical locations, linked via the Internet.
I don't understand these two paragraphs fully. If your two networks are in differing geographical locations, linked via the Internet, probably they don't share a common ADSL modem.
Is a VPN the answer or should I look at static routes?
Can anyone give me pointers on how to set this up, please?
    L net = 192.168.L.0/24, default gateway = 192.168.L.1
            |
            |
    Netgear FVS318 DSL router 192.168.L.1
    External interface = 10.0.E.32, default gateway = 10.0.E.2
            |
            |
          Hub----->ADSL Modem 10.0.E.2------>Internet
            |
            |
    External interface = 10.0.E.31, default gateway = 10.0.E.2
    Server running SuSE10 + Swan/IPSEC
    Internal interface 192.168.R.31
            |
            |
    R net = 192.168.R.0/24, default gateway = 192.168.R.31
This depends on the configuration of your two gateways and your security concerns.

If your Netgear and your SUSE box act as a firewall with NAT and your traffic between the external interfaces is really over the Internet, a VPN is the answer.

If you don't have NAT and these are really internal networks, then you _could_ add static network routes to the Netgear and the SUSE server. You will have to adapt the respective firewall configuration, though, and let this traffic pass. (You run a firewall on the gateways, don't you?) This will surely work. If you do so, you have the remaining risk that spoofed packets from the Internet can enter your internal networks if somebody guesses your other private network numbers.

YMMV -- I would not take up this risk, but then I work as a security consultant and therefore I'm paranoid by definition. :-)

Cheers,
Joachim

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod    Email: jschrod@acm.org
Roedermark, Germany
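The following is an added illustration of the two routing options discussed above (Ken's three-interface Linux router and Joachim's static routes on the existing gateways, together with the spoofing risk Joachim mentions); it is not code from any poster. It models each gateway as a longest-prefix-match forwarding table plus a strict reverse-path check of the kind Linux `rp_filter=1` performs. The placeholder octets E, L and R are filled with made-up values (E=0, L=1, R=2) and the interface names `lan`, `wan`, `eth0`..`eth2` are assumptions, purely so the model runs.

```python
import ipaddress

# Constructed topology mirroring the thread's diagram.  Placeholder octets
# E, L and R are filled in as 0, 1, 2 here; these values are NOT from the
# original post, they just make the addresses concrete.
L_NET = ipaddress.ip_network("192.168.1.0/24")     # "L net"
R_NET = ipaddress.ip_network("192.168.2.0/24")     # "R net"
LINK_NET = ipaddress.ip_network("10.0.0.0/24")     # hub segment in front of the modem
MODEM = ipaddress.ip_address("10.0.0.2")           # ADSL modem, everybody's default gateway
NETGEAR_EXT = ipaddress.ip_address("10.0.0.32")    # Netgear FVS318 external interface
SUSE_EXT = ipaddress.ip_address("10.0.0.31")       # SuSE/Swan box external interface


class Router:
    """Minimal forwarding table: (prefix, next hop or None if directly connected, interface)."""

    def __init__(self, name):
        self.name = name
        self.routes = []

    def add_route(self, prefix, dev, via=None):
        self.routes.append((ipaddress.ip_network(str(prefix)),
                            None if via is None else ipaddress.ip_address(str(via)),
                            dev))
        return self

    def lookup(self, dst):
        """Longest-prefix match: return (next_hop, interface) for dst."""
        dst = ipaddress.ip_address(dst)
        best = None
        for prefix, via, dev in self.routes:
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, via, dev)
        if best is None:
            raise LookupError(f"{self.name}: no route to {dst}")
        return best[1], best[2]

    def reverse_path_ok(self, src, in_dev):
        """Strict reverse-path filter (Linux rp_filter=1 semantics): accept a packet
        only if the route back to its source leaves via the interface it arrived on."""
        try:
            _, out_dev = self.lookup(src)
        except LookupError:
            return False
        return out_dev == in_dev


def netgear_as_posted():
    """The Netgear from the diagram: L net inside, one external interface, default via the modem."""
    return (Router("netgear")
            .add_route(L_NET, "lan")
            .add_route(LINK_NET, "wan")
            .add_route("0.0.0.0/0", "wan", via=MODEM))


def netgear_with_static_route():
    """Joachim's option: a static route for R net via the SuSE box's external address."""
    return netgear_as_posted().add_route(R_NET, "wan", via=SUSE_EXT)


def three_interface_router():
    """Ken's option: one Linux box with L net, the modem and R net on separate interfaces."""
    return (Router("linux-router")
            .add_route(L_NET, "eth0")
            .add_route(LINK_NET, "eth1")
            .add_route("0.0.0.0/0", "eth1", via=MODEM)
            .add_route(R_NET, "eth2"))


if __name__ == "__main__":
    # Why traffic "disappears up the ADSL modem": only the default route matches.
    print("as posted, L->R goes via", netgear_as_posted().lookup("192.168.2.10"))          # (10.0.0.2, 'wan')
    # With the static route the /24 beats the /0 and the packet goes to the SuSE box.
    print("with static route, L->R goes via", netgear_with_static_route().lookup("192.168.2.10"))  # (10.0.0.31, 'wan')
    # Joachim's residual risk: a packet from the Internet with a forged R-net source also
    # arrives on "wan", so the reverse-path check cannot tell it from the real thing.
    print("spoofed R-net source on wan accepted:", netgear_with_static_route().reverse_path_ok("192.168.2.77", "wan"))  # True
    # Ken's layout puts the modem and R net on different interfaces, so the same forgery fails.
    print("spoofed R-net source on modem side accepted:", three_interface_router().reverse_path_ok("192.168.2.77", "eth1"))  # False
```

The model is deliberately layer-3 only: on the single-external-interface design the modem and the peer gateway sit on the same hub segment, so nothing in the IP header distinguishes a genuine R-net packet relayed by the SuSE box from one injected via the modem, which is exactly the risk Joachim describes and why a VPN (or a router that keeps the modem on its own interface) closes it.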
On 11/15/2005 01:23 PM, John wrote:
Apologies for putting this on many lists; I'm not sure which is most relevant but it's not purely a Swan nor SuSE problem, more an IP problem I suspect.
Due to current circumstances, I have two separate networks, L and R, on the same side of an ADSL modem and need to set up a route between them. They both share the ADSL modem, 10.0.E.2, as their common, default gateway.
Note that E, L & R are used to identify the subnets for this discussion only and are normally replaced with valid, distinct, octet numbers. Under normal circumstances, these two networks would be in differing geographical locations, linked via the Internet.

First things first. This is the configuration you will have in "normal" circumstances:

    L net ---- router --- (some modem) ---> Internet <---- (some modem) ----- router ---- R net

I replaced the DSL descriptors with a generic "some modem" because the specific hardware is irrelevant. You could design this with two tin cans and a piece of string, if you had the network drivers for it :) (Of course, you might have a bit of trouble getting a string with enough tensile strength to give you decent bandwidth :D )

For this a VPN is the best solution, IMO, and some might go so far as to say it is the only realistic solution. Your "current" configuration should try to mimic this as far as possible, to avoid having to undergo major reconfiguration when things go back to normal. Even if you could get the two subnets to talk to one another, I do not see that this is possible with the diagram you propose:

    L net --- router ---+
                        |
                       hub --- (modem) ---> Internet
                        |
    R net --- router ---+

Instead, I suggest that you fully configure both the L and R nets, including the two routers, as if they were working under "normal" circumstances; that is, build your VPN without reference to what is between the two networks. Then mimic the *two* connections to the internet with a third, temporary, router, as follows:

    L net --- router ---+
                        |
              temporary router --- (modem) ---> Internet
                        |
    R net --- router ---+

For this, any old unused computer you may have lying around will suffice, so long as your favourite brand of SuSE/Novell Linux will install on it. The way I have drawn the diagram suggests using 3 network cards in the temporary router, but you could connect all three routers to a hub if you prefer (personally, I prefer using an intelligent switch rather than a hub, to avoid having to match speeds on the network cards).

The temporary router has two functions. First, all traffic not strictly within the VPN is routed to the modem and internet (this will be the default routing). Secondly, traffic strictly within the VPN is routed directly between the L/R routers.
participants (4): Darryl Gregorash, Joachim Schrod, John, Ken Schneider