[nycbug-talk] need help asap, will pay, ms vpn client
george at galis.org
Tue Mar 1 23:01:43 EST 2005
On Tue, Mar 01, 2005 at 10:12:42PM -0500, Jesse Callaway wrote:
>On Tue, Mar 01, 2005 at 09:50:46PM -0500, George Georgalis wrote:
>> On Tue, Mar 01, 2005 at 09:38:02PM -0500, Jesse Callaway wrote:
>> >On Tue, Mar 01, 2005 at 08:45:28PM -0500, George Georgalis wrote:
>> >> On Tue, Mar 01, 2005 at 08:35:17PM -0500, marco at metm.org wrote:
>> >> >I hate fxxxing mixed OS vpn setups.
>> >> >All I can say is I've been there, more undocumented incompatible crap
>> >> >than you can shake a stick at. I would love for someone to prove me
>> >> >wrong and that in fact I am the dummy who just did not understand.
>> >> which is a great segue,
>> >> I'm thinking the problem has been client firewalls. And the solution is
>> >> to replace them with linksys vpn firewalls
>> >> client - linksys vpn - internet - vpn linksys - private lan
>> >> which should leave the least room for error, easiest to setup and
>> >> support. comments? "of course you idiot" variety welcome.
>> >> // George
>> >of course, I thought you were talking about IPSEC enabled firewall/gateways. Yes. Once you do that the problem will be a non-issue. You just "do it" on the MS side, lordy lordy. Were you leaving the IPSEC ports completely open? Where did they forward to? What about NAT? Yeah, once you have these guys up facing the outside it should be no problem.
>> >I've done it w/o problems when you have the VPN device sitting at the edge. Otherwise you will have to invest some time.
>> the vpn router is on the edge, but since the client has their own edge
>> firewall, support for that and their system will be excessive. seems
>> simpler to give them an edge vpn / firewall. then there is zero config
>> on the client host, the remote network is joined by the edge devices,
>> edge, edge, edge is the answer, I think, don't have an extra one yet.
>> // George
>edge, edge, edge. That's the mantra. You're not opening anything new up. It will have to be opened up on whatever seperate firewall you're using anyway. It's assumed that IPSEC is secure "enough" on its own and big keys are no problem. PPTP and L2TP get kind of confused with the addresses if you are using NAT in tandem. At least *I* get confused, which is bad enough, let alone the equipment.
>So this is kind of off-list, but just buy some more linksys vpn/firewalls. Life will be extremely simple. I hate to say it but it's just not worth it to have a BSD box dedicated to IPSEC if there is not more than one connection going through it.
Forgot a requirement. traveling laptop users, that's why we looked at a
software based solution in the first place.
me thought could get ipsec through a firewall much like me gets https
through a nat firewall. <sigh> the juniper hardware solution that uses a
java applet to concentrate vpn over a tcp port this way costs $15-$20K.
George Georgalis, systems architect, administrator Linux BSD IXOYE
http://galis.org/george/ cell:646-331-2027 mailto:george at galis.org
More information about the talk