FreeS/WAN network-to-network VPN (Linux Security forums, System Security and Security Related)
If I set up a FreeS/WAN IPsec connection between two servers, do the two servers get virtual IPs so that connections to/from those IPs are secured but their public IPs aren't? Or will any connection going from one server's public IP to the other server's public IP automatically go via IPsec? Thanks!
/dev/null wrote:
> If I set up a FreeS/WAN IPsec connection between two servers, do
> the two servers get virtual IPs so that connections to/from those
> IPs are secured but their public IPs aren't? Or will any connection
> going from one server's public IP to the other server's public IP
> automatically go via IPsec?
>
> Thanks!

Connections to the public IP will not be secured. Connections to the existing private IP range will be routed via the tunnel (via the new interface, ipsec0). I'm not sure how much you could change this by tweaking.

Cheers,
Tim
On Fri, 31 Oct 2003 07:07:16 GMT, /dev/null <dev.null@BeginThread.com> wrote:
> If I set up a FreeS/WAN IPsec connection between two servers, do the two
> servers get virtual IPs so that connections to/from those IPs are secured
> but their public IPs aren't? Or will any connection going from one server's
> public IP to the other server's public IP automatically go via IPsec?

If you tunnel, typically only the tunnelled IPs are routed through ipsec0, and depending upon how your script modifies iptables during the connection, you might only be able to access LAN IPs other than the firewall doing the tunnel (since it may consider a public or other non-LAN IP entering its private interface as spoofing). Although, it is possible to work around that with additional rules to allow traffic to/from that remote IP on any interface. Or, to access the firewall itself, you could run a separate IPsec connection to the firewall public IP without any tunnel. But usually it is easier to simply ssh to it.

--
David Efflandt - All spam ignored
http://www.de-srv.com/
http://www.autox.chicago.il.us/
http://www.berniesfloral.net/
http://cgi-help.virtualave.net/
http://hammer.prohosting.com/~cgi-wiz/
In article <slrnbq64vj.8ar.efflandt@typhoon.xnet.com>, efflandt@xnet.com (David Efflandt) wrote:
> Or to access the firewall itself you could run a separate ipsec connection
> to the firewall public IP without any tunnel. But usually it is easier to
> simply ssh to it.

The remote firewall itself can be accessed through the VPN from your LAN if you use the private LAN IP of the remote firewall. I use SnapGears (www.snapgear.com) which run embedded Linux, iptables and FreeS/WAN. I have IPsec tunnels from my SG to my clients' SGs and I can manage their SGs by using their private LAN IPs.

--
Sak Wathanasin
Network Analysis Limited
http://www.network-analysis.ltd.uk
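A small model of the selector matching behind Tim's, David's and Sak's replies, added here as an example (it is not code from the thread or from FreeS/WAN): it parses a constructed ipsec.conf fragment and reports which conn, if any, would carry a given flow. Addresses and conn names are made up; the net-to-net conn only covers leftsubnet/rightsubnet traffic, so gateway-to-gateway public traffic stays in the clear unless a separate host-to-host conn exists, while the remote gateway's private LAN address is covered because it sits inside rightsubnet.

```python
import ipaddress
import re

# Constructed ipsec.conf fragment (addresses and conn names are made up):
# a net-to-net tunnel between two gateways, plus the separate host-to-host
# conn (no leftsubnet/rightsubnet) for reaching the remote gateway itself.
IPSEC_CONF = """
conn net-net
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    right=198.51.100.20
    rightsubnet=192.168.2.0/24

conn gw-gw
    left=203.0.113.10
    right=198.51.100.20
"""


def parse_conns(text):
    """Return {conn name: {key: value}} from a FreeS/WAN-style ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def selectors(conn):
    """Traffic selectors: leftsubnet/rightsubnet, else the gateway /32 itself."""
    left = conn.get("leftsubnet", conn["left"])
    right = conn.get("rightsubnet", conn["right"])
    return (ipaddress.ip_network(left, strict=False),
            ipaddress.ip_network(right, strict=False))


def tunnel_for(conns, src, dst):
    """First conn whose selectors cover src->dst either way, else None (clear)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conn in conns.items():
        left, right = selectors(conn)
        if (s in left and d in right) or (s in right and d in left):
            return name
    return None
```

Run with only the net-net conn to reproduce Tim's observation, and with both conns to see David's host-to-host workaround take effect.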