We have a situation where say there is a Linux machine in City 1 with IP address
10.0.0.10 (for example)
and a Linux machine in City 2 with an IP address of
10.0.0.20 (for example).* Now these machines are
in different cities, so machine 1 cannot just open a socket on 10.0.0.20
because machine 2 is on a different
network.* Each machine does have a router, say City 1 is 65.15.47.28 (for example).* To get into City 1from
outside the network you go through thr router, use 65.15.47.28 which routes into the LAN.* The same for
City 2.* For a unix process on
10.0.0.10 to send to
10.0.0.20 it would have to send to 65.15.47.28 which would route
it in.* Problem is, its from address would be
10.0.0.10, which the machine at
10.0.0.20 wouldn't know about.
A process on 10.0.0.20 would have to do something similar to respond.
Now these machines have to actually be able to use each others' 10.0.0.X addresses.* I assume this is possible
via a VPN.* They don't have any Cicsco VPNs or anything, and they asked whether it is possible just using
Linux (CentOS) to set up a VPN.* I did a bit of searching and found a couple things.* Freeswan seemed to be
the most promising, though other packages could be just as good.
Is the above scenario possible with Freeswan or can you recommend some other way?
*
I dont kown about Freeswan, but I've succesfully used*OpenVPN.
But, for your scenario, you can also*modify*the NAT / PAT tables in both router.
*
HTH
*
--
Alessandro Brezzi
*
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
01-04-2008, 04:49 PM
"Mr.Scrooge"
Freeswan (CentOS 4.5)
--- tony.chamberlain@lemko.com wrote:
>
>
> Has anyone had experience with Freeswan?
>
> We have a situation where say there is a Linux machine in City 1 with IP address 10.0.0.10 (for
> example)
> and a Linux machine in City 2 with an IP address of 10.0.0.20 (for example). Now these machines
> are
> in different cities, so machine 1 cannot just open a socket on 10.0.0.20 because machine 2 is on
> a different
> network. Each machine does have a router, say City 1 is 65.15.47.28 (for example). To get into
> City 1from
> outside the network you go through thr router, use 65.15.47.28 which routes into the LAN. The
> same for
> City 2. For a unix process on 10.0.0.10 to send to 10.0.0.20 it would have to send to
> 65.15.47.28 which would route
> it in. Problem is, its from address would be 10.0.0.10, which the machine at 10.0.0.20 wouldn't
> know about.
> A process on 10.0.0.20 would have to do something similar to respond.
>
> Now these machines have to actually be able to use each others' 10.0.0.X addresses. I assume
> this is possible
> via a VPN. They don't have any Cicsco VPNs or anything, and they asked whether it is possible
> just using
> Linux (CentOS) to set up a VPN. I did a bit of searching and found a couple things. Freeswan
> seemed to be
> the most promising, though other packages could be just as good.
>
> Is the above scenario possible with Freeswan or can you recommend some other way?
>
>
> Thanks
>
Wouldn't port fowarding work here?
-Max
__________________________________________________ __________________________________
Never miss a thing. Make Yahoo your home page.
http://www.yahoo.com/r/hs
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
01-04-2008, 04:58 PM
kalinix
Freeswan (CentOS 4.5)
On Fri, 2008-01-04 at 09:49 -0800, Mr.Scrooge wrote:
> --- tony.chamberlain@lemko.com wrote:
>
> >
> >
> > Has anyone had experience with Freeswan?
> >
> > We have a situation where say there is a Linux machine in City 1 with IP address 10.0.0.10 (for
> > example)
> > and a Linux machine in City 2 with an IP address of 10.0.0.20 (for example). Now these machines
> > are
> > in different cities, so machine 1 cannot just open a socket on 10.0.0.20 because machine 2 is on
> > a different
> > network. Each machine does have a router, say City 1 is 65.15.47.28 (for example). To get into
> > City 1from
> > outside the network you go through thr router, use 65.15.47.28 which routes into the LAN. The
> > same for
> > City 2. For a unix process on 10.0.0.10 to send to 10.0.0.20 it would have to send to
> > 65.15.47.28 which would route
> > it in. Problem is, its from address would be 10.0.0.10, which the machine at 10.0.0.20 wouldn't
> > know about.
> > A process on 10.0.0.20 would have to do something similar to respond.
> >
> > Now these machines have to actually be able to use each others' 10.0.0.X addresses. I assume
> > this is possible
> > via a VPN. They don't have any Cicsco VPNs or anything, and they asked whether it is possible
> > just using
> > Linux (CentOS) to set up a VPN. I did a bit of searching and found a couple things. Freeswan
> > seemed to be
> > the most promising, though other packages could be just as good.
> >
> > Is the above scenario possible with Freeswan or can you recommend some other way?
> >
> >
> > Thanks
> >
> Wouldn't port fowarding work here?
>
> -Max
>
>
> __________________________________________________ __________________________________
> Never miss a thing. Make Yahoo your home page.
> http://www.yahoo.com/r/hs
>
Maybe already mentioned by others: OpenVPN could help.
http://openvpn.net/
Calin
=================================================
My face is new, my license is expired, and I'm under a doctor's care!!!!
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
01-04-2008, 11:34 PM
John Summerfield
Freeswan (CentOS 4.5)
tony.chamberlain@lemko.com wrote:
Has anyone had experience with Freeswan?
We have a situation where say there is a Linux machine in City 1 with IP address 10.0.0.10 (for example)
and a Linux machine in City 2 with an IP address of 10.0.0.20 (for example). Now these machines are
in different cities, so machine 1 cannot just open a socket on 10.0.0.20 because machine 2 is on a different
network. Each machine does have a router, say City 1 is 65.15.47.28 (for example). To get into City 1from
outside the network you go through thr router, use 65.15.47.28 which routes into the LAN. The same for
City 2. For a unix process on 10.0.0.10 to send to 10.0.0.20 it would have to send to 65.15.47.28 which would route
it in. Problem is, its from address would be 10.0.0.10, which the machine at 10.0.0.20 wouldn't know about.
A process on 10.0.0.20 would have to do something similar to respond.
Now these machines have to actually be able to use each others' 10.0.0.X addresses. I assume this is possible
via a VPN. They don't have any Cicsco VPNs or anything, and they asked whether it is possible just using
Linux (CentOS) to set up a VPN. I did a bit of searching and found a couple things. Freeswan seemed to be
the most promising, though other packages could be just as good.
I use openvpn; it's a user-land VPN solution, works well, scales well,
has good docs.
Is the above scenario possible with Freeswan or can you recommend some other way?
When I was looking (years ago) Freeswan and Openswan had
doubtful-looking futures and were relatively difficult to set up. Kernel
patches, as I recall.
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
01-08-2008, 07:59 AM
Howard Wilkinson
Freeswan (CentOS 4.5)
Title: Signature
tony.chamberlain@lemko.com wrote:
Has anyone had experience with Freeswan?
We have a situation where say there is a Linux machine in City 1 with
IP address 10.0.0.10 (for example)
and a Linux machine in City 2 with an IP address of 10.0.0.20 (for
example).* Now these machines are
in different cities, so machine 1 cannot just open a socket on
10.0.0.20 because machine 2 is on a different
network.* Each machine does have a router, say City 1 is 65.15.47.28
(for example).* To get into City 1from
outside the network you go through thr router, use 65.15.47.28 which
routes into the LAN.* The same for
City 2.* For a unix process on 10.0.0.10 to send to 10.0.0.20 it would
have to send to 65.15.47.28 which would route
it in.* Problem is, its from address would be 10.0.0.10, which the
machine at 10.0.0.20 wouldn't know about.
A process on 10.0.0.20 would have to do something similar to respond.
Now these machines have to actually be able to use each others'
10.0.0.X addresses.* I assume this is possible
via a VPN.* They don't have any Cicsco VPNs or anything, and they asked
whether it is possible just using
Linux (CentOS) to set up a VPN.* I did a bit of searching and found a
couple things.* Freeswan seemed to be
the most promising, though other packages could be just as good.
Is the above scenario possible with Freeswan or can you recommend some
other way?
Thanks
We use FreeSwan in our firewalls to link sites together to produce just
such a scheme as you describe. The setup for fixed IP addresses at each
end is easy and can be based around pre-shared keys, or RSA signatures.
We tend to use the latter as it is slightly stronger in practice.
The major headaches are not with the IPSEC tunnels, they tend to be in
the firewall settings to allow the IPSEC traffic through and in the
routing. For the first we use Shorewall and for the second we run BGP
to support route failover if a firewall connection goes down.
Our configuration has been used with FreeSWAN and now with OpenSWAN
which is the later replacement for the product.
IPSEC connections are robust once established but can be very tricky to
get going for the first time. Interoperability is always an issue but
so far the only combination we have had long term trouble with is
OpenSWAN to Netscreen.
If you go down this route use a late release 2.6.x kernel ... Fedora 7
works nicely.
Howard.
--
Howard Wilkinson
Phone:
+44(20)76907075
Coherent Technology Limited
Fax:
*
23 Northampton Square,
Mobile:
+44(7980)639379
United Kingdom, EC1V 0HL
Email:
howard@cohtech.com
*
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
01-08-2008, 01:37 PM
Jonathan Horne
Freeswan (CentOS 4.5)
Howard Wilkinson wrote:
tony.chamberlain@lemko.com wrote:
Has anyone had experience with Freeswan?
We have a situation where say there is a Linux machine in City 1 with
IP address 10.0.0.10 (for example)
and a Linux machine in City 2 with an IP address of 10.0.0.20 (for
example). Now these machines are
in different cities, so machine 1 cannot just open a socket on
10.0.0.20 because machine 2 is on a different
network. Each machine does have a router, say City 1 is 65.15.47.28
(for example). To get into City 1from
outside the network you go through thr router, use 65.15.47.28 which
routes into the LAN. The same for
City 2. For a unix process on 10.0.0.10 to send to 10.0.0.20 it would
have to send to 65.15.47.28 which would route
it in. Problem is, its from address would be 10.0.0.10, which the
machine at 10.0.0.20 wouldn't know about.
A process on 10.0.0.20 would have to do something similar to respond.
Now these machines have to actually be able to use each others'
10.0.0.X addresses. I assume this is possible
via a VPN. They don't have any Cicsco VPNs or anything, and they
asked whether it is possible just using
Linux (CentOS) to set up a VPN. I did a bit of searching and found a
couple things. Freeswan seemed to be
the most promising, though other packages could be just as good.
Is the above scenario possible with Freeswan or can you recommend some
other way?
it doesnt particularly matter what vpn transport you choose to go with,
because in the end, you technically have "the same network" at both
ends: 10.0.0.x.
for this to work right, you really need to re-ip one city to be
10.0.1.x. right now, if 10.0.0.10 tried to connect to 10.0.0.20, as it
starts the connection, it compares the destination address to its own
network settings and "oh, this must be local", and polls the local arp
table accordingly.
the trick for 10.0.0.10 to access 10.0.0.20, will be to cause the "local
lan" behavior to be overridden by behavior that causes 10.0.0.10 to hand
the connection off to the router. a static route could be one way:
the above statement would cause .20 to be routed thru the defaultgateway
of .1 (for the example i just make an assumption that .1 is your default
gateway...), but .10 would continue to use "local lan behavior" to
access any other host that falls under 10.0.0.x. you would need to
reverse the behavior for the .20 at the other location to access the .10.
if these are the single sole computers that exist at both ends, then the
route statement is simple enough to get you going. as soon as the same
ip exists on a machine at both ends, your asking for a giant can of
worms, and it wouldnt be worth the trouble. at that point, you need to
bite the bullet and re-ip one location, and then it would be as simple
as "just let the vpn-firewalls do their job".
hope this helps,
--
Jonathan Horne
http://dfwlpiki.dfwlp.org
linux08 _@_ dfwlp.com
--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Freeswan (CentOS 4.5)
