01-04-2008, 12:34 PM
"Alessandro Brezzi"

Freeswan (CentOS 4.5)

Hi,

2008/1/4, tony.chamberlain@lemko.com <tony.chamberlain@lemko.com>:

> Has anyone had experience with Freeswan?
>
> We have a situation where say there is a Linux machine in City 1 with IP address
> 10.0.0.10 (for example) and a Linux machine in City 2 with an IP address of
> 10.0.0.20 (for example). Now these machines are in different cities, so machine 1
> cannot just open a socket on 10.0.0.20 because machine 2 is on a different
> network. Each machine does have a router, say City 1 is 65.15.47.28 (for example).
> To get into City 1 from outside the network you go through the router, use
> 65.15.47.28 which routes into the LAN. The same for City 2. For a unix process on
> 10.0.0.10 to send to 10.0.0.20 it would have to send to 65.15.47.28 which would
> route it in. Problem is, its from address would be 10.0.0.10, which the machine at
> 10.0.0.20 wouldn't know about. A process on 10.0.0.20 would have to do something
> similar to respond.
>
> Now these machines have to actually be able to use each others' 10.0.0.X
> addresses. I assume this is possible via a VPN. They don't have any Cisco VPNs or
> anything, and they asked whether it is possible just using Linux (CentOS) to set
> up a VPN. I did a bit of searching and found a couple things. Freeswan seemed to
> be the most promising, though other packages could be just as good.
>
> Is the above scenario possible with Freeswan or can you recommend some other way?

I don't know about Freeswan, but I've successfully used OpenVPN.
But, for your scenario, you can also modify the NAT / PAT tables in both routers.

HTH

--
Alessandro Brezzi
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
01-04-2008, 04:49 PM
"Mr.Scrooge"

Freeswan (CentOS 4.5)

--- tony.chamberlain@lemko.com wrote:

> [original message quoted in full above]

Wouldn't port forwarding work here?

-Max


 
01-04-2008, 04:58 PM
kalinix

Freeswan (CentOS 4.5)

On Fri, 2008-01-04 at 09:49 -0800, Mr.Scrooge wrote:
> --- tony.chamberlain@lemko.com wrote:
> > [original message quoted in full above]
>
> Wouldn't port forwarding work here?
>
> -Max

Maybe already mentioned by others: OpenVPN could help.

http://openvpn.net/


Calin

=================================================
My face is new, my license is expired, and I'm under a doctor's care!!!!

 
01-04-2008, 11:34 PM
John Summerfield

Freeswan (CentOS 4.5)

tony.chamberlain@lemko.com wrote:

> Has anyone had experience with Freeswan?
>
> We have a situation where say there is a Linux machine in City 1 with IP address 10.0.0.10 (for example)
> and a Linux machine in City 2 with an IP address of 10.0.0.20 (for example). Now these machines are
> in different cities, so machine 1 cannot just open a socket on 10.0.0.20 because machine 2 is on a different
> network. Each machine does have a router, say City 1 is 65.15.47.28 (for example). To get into City 1 from
> outside the network you go through the router, use 65.15.47.28 which routes into the LAN. The same for
> City 2. For a unix process on 10.0.0.10 to send to 10.0.0.20 it would have to send to 65.15.47.28 which would route
> it in. Problem is, its from address would be 10.0.0.10, which the machine at 10.0.0.20 wouldn't know about.
> A process on 10.0.0.20 would have to do something similar to respond.
>
> Now these machines have to actually be able to use each others' 10.0.0.X addresses. I assume this is possible
> via a VPN. They don't have any Cisco VPNs or anything, and they asked whether it is possible just using
> Linux (CentOS) to set up a VPN. I did a bit of searching and found a couple things. Freeswan seemed to be
> the most promising, though other packages could be just as good.

I use openvpn; it's a user-land VPN solution, works well, scales well,
has good docs.

> Is the above scenario possible with Freeswan or can you recommend some other way?

When I was looking (years ago) Freeswan and Openswan had
doubtful-looking futures and were relatively difficult to set up. Kernel
patches, as I recall.





--

Cheers
John

-- spambait
1aaaaaaa@coco.merseine.nu Z1aaaaaaa@coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

 
01-08-2008, 07:59 AM
Howard Wilkinson

Freeswan (CentOS 4.5)

tony.chamberlain@lemko.com wrote:

> [original message quoted in full above]

We use FreeSwan in our firewalls to link sites together to produce just
such a scheme as you describe. The setup for fixed IP addresses at each
end is easy and can be based around pre-shared keys, or RSA signatures.
We tend to use the latter as it is slightly stronger in practice.

The major headaches are not with the IPSEC tunnels, they tend to be in
the firewall settings to allow the IPSEC traffic through and in the
routing. For the first we use Shorewall and for the second we run BGP
to support route failover if a firewall connection goes down.

Our configuration has been used with FreeSWAN and now with OpenSWAN
which is the later replacement for the product.

IPSEC connections are robust once established but can be very tricky to
get going for the first time. Interoperability is always an issue but
so far the only combination we have had long term trouble with is
OpenSWAN to Netscreen.

If you go down this route use a late release 2.6.x kernel ... Fedora 7
works nicely.

Howard.



--
Howard Wilkinson
Coherent Technology Limited
23 Northampton Square, United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Mobile: +44(7980)639379
Email: howard@cohtech.com

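Howard's remark that the headaches are in the firewall rather than in the tunnel is something you can check mechanically before blaming the IKE negotiation. The following is an added example written for this page, not code from the thread or from FreeS/WAN, Openswan or Shorewall: a first-match evaluator over an iptables INPUT chain, in the form `iptables-save` prints it, that reports which of the three flows a site-to-site IPsec peer needs (IKE on udp/500, IKE NAT-T on udp/4500, and ESP as IP protocol 50) the chain would refuse. The peer address 198.51.100.7 and both rule sets are constructed for illustration; the missing `-p esp` rule in the first set and the blanket udp/4500 DROP placed ahead of the peer's own rule are the two mistakes it surfaces.

```python
# Added example: which IPsec flows does this INPUT chain refuse from the peer?
import ipaddress
from dataclasses import dataclass
from typing import Optional

PEER = "198.51.100.7"  # assumed public address of the City 2 gateway (not in the thread)

# Constructed chain as `iptables-save` prints it.  ESP is never allowed and the
# peer's NAT-T rule sits behind a blanket DROP, so IKE phase 1 on udp/500
# succeeds but nothing crosses the tunnel afterwards.
RULES_BROKEN = """\
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j DROP
-A INPUT -s 198.51.100.7/32 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed chain with IKE, NAT-T and ESP (IP protocol 50) accepted from the peer only.
RULES_FIXED = """\
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p esp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

PROTO_NAMES = {"6": "tcp", "17": "udp", "50": "esp", "51": "ah"}  # numeric -p spellings


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    iface: Optional[str] = None
    states: Optional[set] = None
    target: str = "ACCEPT"


@dataclass
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None
    iface: str = "eth0"
    established: bool = False


def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain of iptables-save output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        toks = line.split()
        if toks[:1] == [":" + chain]:        # ":INPUT DROP [0:0]" carries the policy
            policy = toks[1]
        if toks[:2] != ["-A", chain]:
            continue
        rule, i = Rule(), 2
        while i < len(toks):
            flag, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
            if flag == "-s":
                rule.src = ipaddress.ip_network(arg, strict=False)
            elif flag == "-p":
                rule.proto = PROTO_NAMES.get(arg, arg)
            elif flag == "--dport":
                rule.dport = int(arg)
            elif flag == "-i":
                rule.iface = arg
            elif flag == "--state":
                rule.states = set(arg.split(","))
            elif flag == "-j":
                rule.target = arg
            elif flag != "-m":                # "-m udp"/"-m state" match nothing by themselves
                i += 1                        # unknown token: step over it alone
                continue
            i += 2
        rules.append(rule)
    return policy, rules


def verdict(policy, rules, pkt):
    """First matching rule wins, as in netfilter; otherwise the chain policy applies."""
    src = ipaddress.ip_address(pkt.src)
    for r in rules:
        if ((r.src is None or src in r.src)
                and r.proto in (None, pkt.proto)
                and r.dport in (None, pkt.dport)
                and r.iface in (None, pkt.iface)
                and (r.states is None
                     or (pkt.established and r.states & {"ESTABLISHED", "RELATED"}))):
            return r.target
    return policy


def ipsec_gaps(text, peer):
    """Names of the IPsec flows from `peer` that the INPUT chain would not ACCEPT."""
    policy, rules = parse_chain(text)
    needed = [("IKE udp/500", Packet(peer, "udp", 500)),
              ("IKE NAT-T udp/4500", Packet(peer, "udp", 4500)),
              ("ESP proto 50", Packet(peer, "esp"))]
    return [name for name, pkt in needed if verdict(policy, rules, pkt) != "ACCEPT"]
```

On a real gateway, feed the filter-table output of `iptables-save` to `ipsec_gaps` together with the peer's public address; for a tunnel that uses AH rather than ESP, add an `ah` packet to the `needed` list. The evaluator only understands the matches shown (source, protocol, destination port, input interface, conntrack state) and steps over anything else, so a rule using `-d`, `--sport` or a jump into a user-defined chain is treated as if that match were absent; extend `parse_chain` before trusting a verdict on such rules.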
 
01-08-2008, 01:37 PM
Jonathan Horne

Freeswan (CentOS 4.5)

Howard Wilkinson wrote:
> tony.chamberlain@lemko.com wrote:
> > [original message quoted in full above]

it doesn't particularly matter what vpn transport you choose to go with,
because in the end, you technically have "the same network" at both
ends: 10.0.0.x.

for this to work right, you really need to re-ip one city to be
10.0.1.x. right now, if 10.0.0.10 tried to connect to 10.0.0.20, as it
starts the connection, it compares the destination address to its own
network settings and "oh, this must be local", and polls the local arp
table accordingly.

the trick for 10.0.0.10 to access 10.0.0.20, will be to cause the "local
lan" behavior to be overridden by behavior that causes 10.0.0.10 to hand
the connection off to the router. a static route could be one way:

route add -host 10.0.0.20 gw 10.0.0.1 dev eth0

the above statement would cause .20 to be routed through the default gateway
of .1 (for the example i just make an assumption that .1 is your default
gateway...), but .10 would continue to use "local lan behavior" to
access any other host that falls under 10.0.0.x. you would need to
reverse the behavior for the .20 at the other location to access the .10.

if these are the single sole computers that exist at both ends, then the
route statement is simple enough to get you going. as soon as the same
ip exists on a machine at both ends, you're asking for a giant can of
worms, and it wouldn't be worth the trouble. at that point, you need to
bite the bullet and re-ip one location, and then it would be as simple
as "just let the vpn-firewalls do their job".


hope this helps,
--
Jonathan Horne
http://dfwlpiki.dfwlp.org
linux08 _@_ dfwlp.com

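Jonathan's host route works because the kernel picks the most specific matching route, so a /32 for 10.0.0.20 beats the connected 10.0.0.0/24 while every other 10.0.0.x address is still ARPed for locally. The following is an added example, not Jonathan's or the thread's code: a longest-prefix-match lookup over a small routing table, plus a check that reports the two failure modes he describes (a remote host that no route hands to the router, and a local host shadowed by such a route) and shows that re-addressing City 2 to 10.0.1.0/24 removes both. The tables, the 10.0.0.1 default gateway (his assumption, kept here) and the host lists are constructed for illustration.

```python
# Added example: longest-prefix-match route selection and the overlap problem.
import ipaddress


def lookup(table, dst):
    """Most specific matching route as (gateway, device); None if no route.
    A gateway of None means directly connected: the kernel ARPs for dst itself."""
    best = None
    addr = ipaddress.ip_address(dst)
    for prefix, gateway, device in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, device)
    return None if best is None else (best[1], best[2])


# Constructed: routing table of 10.0.0.10 in City 1 after the host route.
CITY1_HOST_ROUTE = [
    ("10.0.0.0/24", None, "eth0"),         # connected LAN
    ("0.0.0.0/0", "10.0.0.1", "eth0"),     # default via the router (assumed .1)
    ("10.0.0.20/32", "10.0.0.1", "eth0"),  # route add -host 10.0.0.20 gw 10.0.0.1
]

# Constructed: the same machine after City 2 is re-addressed to 10.0.1.0/24;
# one network route replaces the per-host exception.
CITY1_REIP = [
    ("10.0.0.0/24", None, "eth0"),
    ("0.0.0.0/0", "10.0.0.1", "eth0"),
    ("10.0.1.0/24", "10.0.0.1", "eth0"),   # City 2's LAN via the VPN gateway
]


def conflicts(table, local_hosts, remote_hosts):
    """Map each address this site cannot reach correctly to the reason why."""
    bad = {}
    for h in remote_hosts:
        route = lookup(table, h)
        if route is None:
            bad[h] = "no route"
        elif route[0] is None:
            bad[h] = "remote host would be ARPed for on the local LAN"
    for h in local_hosts:
        route = lookup(table, h)
        if route is not None and route[0] is not None:
            bad[h] = "local host shadowed by a route via the router"
    return bad


if __name__ == "__main__":
    # One host per site: the /32 trick is enough.
    print(conflicts(CITY1_HOST_ROUTE, {"10.0.0.10"}, {"10.0.0.20"}))
    # A second City 2 host, or a local .20, and the exception stops scaling.
    print(conflicts(CITY1_HOST_ROUTE, {"10.0.0.10", "10.0.0.20"}, {"10.0.0.20", "10.0.0.21"}))
    # Distinct subnets: nothing to special-case.
    print(conflicts(CITY1_REIP, {"10.0.0.10", "10.0.0.20"}, {"10.0.1.20", "10.0.1.21"}))
```

The same lookup has to be run from City 2's point of view with its own table, since each side needs its own exception (or its own network route) for traffic to return.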
 
