SPS VPN IPsec

 
 
Pascal Nobus
Guest
Posts: n/a

 
      07-12-2003, 02:09 AM
I'm looking to connect some networks, but after days I still can't make a
decision.

Situation
-Network-A1
company-network hooked up to the internet (mailserver/www,ftp)
official static IPs
-Network-A2
same network but some extra servers, and services (pcanywhere, ssh)
local IPs (192.168.0.0)

-Network-B
Home-network with backup-data storage
DHCP with NAT (1 official IP, other local)

-Network-C
same as B


Now network B and C must be able to connect to the local network at our
company (A2).
Everybody starts to think ... VPN, but,
- The OSes are mixed (Suse, Redhat, Win9X, W2K, WXP), so setting up a VPN
for every box will be hard to do.
- NAT: because the home networks are NATed, I can't use IPsec.


I see 2 other 'easy' options, but don't know if they are good:
- 1 publish the IP of the home network and insert it in the firewall
(like a dynamic update of a DNS hostname, or other scripts)
- 2 SPS (sign the outgoing IP traffic to the company network, which is seen by
iptables)


Anyone have better ideas (VLAN?)

P.S.
It should go 'over' the internet. There is a modem pool connected to
network A2, but this is too slow.


Best Regards,
Pascal


 
 
 
 
 
/dev/rob0
Guest
Posts: n/a

 
      07-12-2003, 01:21 PM
In article <benqm4$ad6$(E-Mail Removed)>,
Pascal Nobus wrote:
> Everybody starts to think ... VPN, but,
> - The OS are mixed (Suse, Redhat, Win9X, W2K, WXP), so for every box setting
> up a VPN will be hard to do.


If on each segment you have a Linux box (any distro, for that matter,
almost any Unix-like OS) this would be very easy to do with OpenVPN. If
you don't have a Linux box on any one segment, it would be a simple and
cheap matter to put one up using dumpster-grade hardware. It might even
enhance your overall security to use that box as your firewall.
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
 
 
Les Mikesell
Guest
Posts: n/a

 
      07-12-2003, 10:08 PM
"Pascal Nobus" <(E-Mail Removed)> wrote in message
news:benqm4$ad6$(E-Mail Removed)...
>
> Now network B and C must be able to connect to the local network at our
> company (A2).
> Everybody starts to think ... VPN, but,
> - The OS are mixed (Suse, Redhat, Win9X, W2K, WXP), so for every box setting
> up a VPN will be hard to do.
> - NAT, because the home-network's are NAT. I can't use IPsec.


CIPE tunnels will work between Linux and Windows, don't mind NAT, and
one end can have a dynamic IP address, so I'd start with that to connect
networks. RedHat includes the ability to create and manage CIPE interfaces
in their GUI network tool, so that is the easy way to set one up, but
starting from source isn't all that hard either. The only tricky part is
that, like any other VPN, you have to arrange routing of the appropriate
ranges into the tunnels. If you already have a Linux box acting as the
default gateway for each network involved, create the VPN on that box and
nothing else needs to know. If you don't, you'll have to also arrange routes
from the existing default gateway or add them to every individual box.

If you have roaming laptops or a lot of individual connections you
might like PPTP better for them.

---
Les Mikesell
(E-Mail Removed)



 
 
James Knott
Guest
Posts: n/a

 
      07-12-2003, 10:37 PM
Les Mikesell wrote:

> CIPE tunnels will work between Linux and Windows, doesn't mind NAT and
> one end can have a dynamic IP address, so I'd start with that to connect
> networks.


FWIW, my "server" end is DHCP. On my notebook computer, I told it to use
the host name of my firewall computer, rather than a specific IP, in the
options.cipcb0 peer statement. This means that even if my IP changes, the
remote computer will still be able to find it.
--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
 
James Knott
Guest
Posts: n/a

 
      07-12-2003, 10:38 PM
/dev/rob0 wrote:

> In article <benqm4$ad6$(E-Mail Removed)>,
> Pascal Nobus wrote:
>> Everybody starts to think ... VPN, but,
>> - The OS are mixed (Suse, Redhat, Win9X, W2K, WXP), so for every box
>> setting up a VPN will be hard to do.

>
> If on each segment you have a Linux box (any distro, for that matter,
> almost any Unix-like OS) this would be very easy to do with OpenVPN. If
> you don't have a Linux box on any one segment, it would be a simple and
> cheap matter to put one up using dumpster-grade hardware. It might even
> enhance your overall security to use that box as your firewall.


CIPE also works well.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 
 
Pascal Nobus
Guest
Posts: n/a

 
      07-13-2003, 01:56 AM
I looked into CIPE but couldn't figure out the routing (I thought you needed
to set up the tunnel for each machine).

Maybe it's better with an example:


[company-server]---[companyvpnserver]
(w2K)              (redhat)
192.168.0.111      192.168.0.1
                   123.123.123.123 (static)
                   10.0.0.10 (cipe-fake)
                         |
                         |
                    [INTERNET]
                         |
                         |
[home PC]--------[NAT-firewall]
(win95)          (redhat)
192.168.1.111    192.168.1.1
                 234.234.234.234 (dynamic)
                 10.0.0.11 (cipe-fake)

Say I am at the home PC and want to use PC-Anywhere to connect to
company-server.
I need to make a tunnel from the NAT-firewall at home to the
company VPN server, i.e. set up a link between 10.0.0.10 and 10.0.0.11.

home-PC: nothing changes (gw 192.168.1.1)
NAT-firewall: add a route for 192.168.0.0 to gw 10.0.0.10
companyvpnserver: add a route for 192.168.1.0 to gw 10.0.0.11
companyserver: add a route for 192.168.1.0 to gw 192.168.0.1

If that will do the trick, it's almost a piece of cake.
Both machines have Red Hat with CIPE ready; the clients don't need changes.

But I'm still puzzled about the routing from the companyserver back to my
home PC.






> Situation
> -Network-A1
> company-network hooked up to the internet (mailserver/www,ftp)
> official static IP's
> -Network-A2
> same network but some extra servers, and services (pcanywhere, ssh)
> local IP's (192.168.0.0)
>
> -Network-B
> Home-network with backup-data storage
> DHCP with NAT (1 official IP, other local)
>
> -Network-C
> same as B
>
>
> Now network B and C must be able to connect to the local network at our
> company (A2).
> Everybody starts to think ... VPN, but,
> - The OS are mixed (Suse, Redhat, Win9X, W2K, WXP), so for every box setting
> up a VPN will be hard to do.
> - NAT, because the home-network's are NAT. I can't use IPsec.
>
>
> I see 2 other 'easy' options, but don't know if they are good:
> - 1 publish the IP of the home-network and inserting these in the firewall.
> (like a dynamic update of a dns hostname, or other scripts)
> - 2 SPS (sign the outgoing IP-traffic to company-network, which are seen by
> iptables)
>
>
> Anyone better ideas (VLAN?)
>
> P.S.
> It should go 'over' the internet. There is a modempool connected to the
> network A2, but this is to slow.
>
>
> Best Regards,
> Pascal
>
>



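The routing question in the post above (whether the reply from company-server finds its way back to the home PC) can be checked without touching a real box. The following is an added example, not part of the thread or of CIPE: it models the four hosts of the diagram with their routing tables, does a longest-prefix route lookup at each hop, and traces a packet in both directions. The ISP gateway addresses and a separate company default gateway at 192.168.0.254 (for the case where the VPN server is not the LAN's default gateway) are constructed values that do not appear in the thread.

```python
import ipaddress

# Constructed model of the thread's example topology (added example, not the
# poster's configuration). Each host has its addresses and a routing table
# of (destination network, next hop); next hop None means directly
# connected. The cipe link is point-to-point, so each endpoint sees the
# other's 10.0.0.x address as a directly connected /32. The ISP gateways and
# the company default gateway 192.168.0.254 are assumptions.
def build_hosts():
    return {
        "home-PC": {
            "addrs": ["192.168.1.111"],
            "routes": [("192.168.1.0/24", None),
                       ("0.0.0.0/0", "192.168.1.1")],
        },
        "NAT-firewall": {
            "addrs": ["192.168.1.1", "234.234.234.234", "10.0.0.11"],
            "routes": [("192.168.1.0/24", None),
                       ("10.0.0.10/32", None),            # cipe peer
                       ("192.168.0.0/24", "10.0.0.10"),   # route from the post
                       ("0.0.0.0/0", "234.234.234.1")],   # assumed ISP gateway
        },
        "companyvpnserver": {
            "addrs": ["192.168.0.1", "123.123.123.123", "10.0.0.10"],
            "routes": [("192.168.0.0/24", None),
                       ("10.0.0.11/32", None),            # cipe peer
                       ("192.168.1.0/24", "10.0.0.11"),   # route from the post
                       ("0.0.0.0/0", "123.123.123.1")],   # assumed ISP gateway
        },
        "company-gw": {  # assumed existing default gateway of the company LAN
            "addrs": ["192.168.0.254"],
            "routes": [("192.168.0.0/24", None),
                       ("0.0.0.0/0", "123.123.123.1")],
        },
        "company-server": {
            "addrs": ["192.168.0.111"],
            "routes": [("192.168.0.0/24", None),
                       ("0.0.0.0/0", "192.168.0.254")],   # not the VPN box
        },
    }

def add_route(hosts, host, net, via):
    """Model of 'ip route add NET via VIA' executed on HOST."""
    hosts[host]["routes"].append((net, via))

def lookup(hosts, host, dst):
    """Longest-prefix match of DST in HOST's table -> (network, next hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via in hosts[host]["routes"]:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, via)
    return best

def owner(hosts, addr):
    """Which modelled host holds ADDR, or None if it lies outside the model."""
    for name, h in hosts.items():
        if addr in h["addrs"]:
            return name
    return None

def trace(hosts, src, dst, max_hops=8):
    """Follow a packet hop by hop from SRC to DST. Returns (path, delivered)."""
    path, cur = [src], src
    for _ in range(max_hops):
        if dst in hosts[cur]["addrs"]:
            return path, True
        route = lookup(hosts, cur, dst)
        if route is None:
            return path, False
        _, via = route
        nxt_addr = dst if via is None else via
        nxt = owner(hosts, nxt_addr)
        if nxt is None:
            # Handed to a gateway outside the model (the internet); a private
            # destination is lost there.
            path.append("?" + nxt_addr)
            return path, False
        path.append(nxt)
        cur = nxt
    return path, False

if __name__ == "__main__":
    hosts = build_hosts()
    print("forward:", trace(hosts, "home-PC", "192.168.0.111"))
    print("return, no extra route:", trace(hosts, "company-server", "192.168.1.111"))
    add_route(hosts, "company-server", "192.168.1.0/24", "192.168.0.1")
    print("return, route on server:", trace(hosts, "company-server", "192.168.1.111"))
    hosts = build_hosts()
    add_route(hosts, "company-gw", "192.168.1.0/24", "192.168.0.1")
    print("return, route on LAN gateway:", trace(hosts, "company-server", "192.168.1.111"))
```

The forward direction works with only the two tunnel-endpoint routes. The reply is the part that breaks: company-server sends 192.168.1.111 to its default gateway, which forwards it to the internet, where a private address goes nowhere. Either the per-host route from the post (on company-server) or a single static route on the LAN's default gateway pointing 192.168.1.0/24 at 192.168.0.1 repairs the return path.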
Les Mikesell
Guest
Posts: n/a

 
      07-13-2003, 02:36 AM

"Pascal Nobus" <(E-Mail Removed)> wrote in message
news:beqe9v$2en$(E-Mail Removed)...
> I looked into CIPE but couldn't figure out the routing (thought you need
> to setup the tunnel for each machine)
>
> maybe better with an example
>
>
> [company-server]---[companyvpnserver]
> (w2K)              (redhat)
> 192.168.0.111      192.168.0.1
>                    123.123.123.123 (static)
>                    10.0.0.10 (cipe-fake)
>                          |
>                          |
>                     [INTERNET]
>                          |
>                          |
> [home PC]--------[NAT-firewall]
> (win95)          (redhat)
> 192.168.1.111    192.168.1.1
>                  234.234.234.234 (dynamic)
>                  10.0.0.11 (cipe-fake)
>
> Say I am at the home PC and want to use PC-anywhere to connect to
> company-server.
> I need to make a tunnel from the NAT-firewall at home to the
> company-VPNserver.
> setup a link between 10.0.0.10 and 10.0.0.11.
>
> home-PC: nothing changes (gw 192.168.1.1)
> NAT-firewall: add a route for 192.168.0.0 to gw 10.0.0.10
> companyvpnserver: add a route for 192.168.1.0 to gw 10.0.0.11
> companyserver: add a route for 192.168.1.0 to gw 192.168.0.1
>
> If that will do the trick, it's almost a piece of cake.
> Both machines have redhat with cipe-ready, clients don't need changes..
>
> But I'm still puzzled about the routing of the companyserver back to my
> HomePC..



Yes, on Linux the cipe tunnels are point-to-point interfaces (the Windows
version is a little different), so you add routes to the remote network
through the remote endpoint. If you set it up by hand, the routes would go
in the cipe 'ip-up' script. I think the RedHat GUI has a provision to set
that up for you. That takes care of the directly connected machines. Then
you need to make sure any other networked machines route the remote
network addresses to the ethernet address of the cipe server. In your
home-PC example this is probably already the default, so it doesn't need
any change. If companyvpnserver isn't already the default gateway for
the company net, then you can either add a route in every machine that
you want to access, like your companyserver route example, or, if you
control the router that is the default gateway, put a static route there,
which will work for the whole network. Some other details: any firewalls
have to be configured to pass the UDP port number you choose, and if you
have multiple tunnels on a single machine each must use a unique UDP port.

----
Les Mikesell
(E-Mail Removed)
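The reply above names three things to get right on a CIPE gateway: the routes for the remote LAN go in the 'ip-up' script, the firewall must pass the tunnel's UDP port, and every tunnel on one box needs its own port. The script below is an added example, not from the thread or the CIPE project. It assumes CIPE option files are kept as options.<interface> in one directory and that each contains a "me ADDRESS:PORT" line for the local UDP endpoint (the CIPE options syntax); the interface, peer address, remote network and port passed to cipe_ip_up are to be taken from the arguments CIPE hands to ip-up, in the order the installed CIPE documentation gives. With DRY_RUN set, the ip and iptables commands are printed instead of executed.

```sh
#!/bin/sh
# Added example (not the thread's or CIPE's own code).
#  cipe_ports_unique DIR
#      Reads every options.* file in DIR, takes the local UDP port from its
#      "me ADDRESS:PORT" line and fails if two tunnels share a port.
#  cipe_ip_up IFACE PEER_PTP REMOTE_NET PORT
#      What an ip-up hook does for one tunnel: route REMOTE_NET through the
#      tunnel peer on IFACE and let the tunnel's UDP port through the
#      firewall. Set DRY_RUN=1 to print the commands instead of running them.

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

cipe_ports_unique() {
    dir=$1
    # Extract the PORT of every "me ADDRESS:PORT" line across all option files.
    ports=$(sed -n 's/^[[:space:]]*me[[:space:]]*[^:]*:\([0-9]*\).*/\1/p' \
        "$dir"/options.* 2>/dev/null)
    dups=$(printf '%s\n' "$ports" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate local UDP port(s) in $dir: $dups" >&2
        return 1
    fi
    return 0
}

cipe_ip_up() {
    iface=$1; peer=$2; remote_net=$3; port=$4
    # Point-to-point interface: the remote LAN is reached via the peer address.
    run ip route add "$remote_net" via "$peer" dev "$iface"
    # Without this the peer's UDP packets never reach the cipe daemon.
    run iptables -A INPUT -p udp --dport "$port" -j ACCEPT
}

# Stand-alone demonstration on constructed option files (dry run only).
if [ "${0##*/}" != "sh" ] && [ -z "$CIPE_EXAMPLE_NO_DEMO" ]; then
    demo=$(mktemp -d)
    printf 'me 123.123.123.123:6789\npeer 0.0.0.0:6789\n' > "$demo/options.cipcb0"
    printf 'me 123.123.123.123:6790\n' > "$demo/options.cipcb1"
    cipe_ports_unique "$demo" && echo "ports ok"
    DRY_RUN=1 cipe_ip_up cipcb0 10.0.0.11 192.168.1.0/24 6789
    rm -rf "$demo"
fi
```

The port check is worth running from the same ip-up hook or from the init script before the daemons start: two options files with the same "me" port fail silently in practice because only the first daemon gets to bind it.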

