On Mon, Mar 21, 2011 at 10:02 AM, Shachar Shemesh <shac...@shemesh.biz> wrote:
> On 21/03/11 02:41, Etzion Bar-Noy wrote:
>
>> It is common that the VPN provider policy *prevents* you from connecting
>> to multiple networks (theirs and someone else's). The logic behind it is to
>> prevent data leak, especially accidental, by combining somehow their network
>> with someone else's.
>>
> You have to connect to some network in order to get the VPN packets out.
> Your home LAN, Internet Cafe, whatever.

True.

>
>> So - this poses no problem to be dealt with. The common problem is that
>> your local home network overlaps one of the organization's networks. Some of
>> the VPN clients place themselves in the network interface stack, so they
>> hijack the packets to their correct destination(s). That is the common
>> reason (except for time and effort) that Linux clients are more rare. This
>> operation is somewhat more complicated there, and would require root access.
>>
> Hijacking the outgoing packets does not solve the routing conflict. When I
> send a packet to 172.27.245.17, you somehow need to know whether that is the
> 172.27.245.17 that is visible through the VPN, or the one visible locally.
> Hijacking ALL outgoing packets rarely makes sense.
>

They avoid hijacking your default GW.

>
> Hijacking the network interface does allow you to route the ENCRYPTED
> packet without going into routing loops, and is the reason this is done.
> Still, you are hiding parts of the network if there is a conflict.
>

You do, of course. Usually, the VPN clients hide the local network where a conflict exists.

Ez

>
> Shachar
>
> --
> Shachar Shemesh
> Lingnu Open Source Consulting Ltd.
> http://www.lingnu.com
>
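As an added example, not code from the thread or from any VPN client: a small Python check, run before the VPN comes up, that finds where the prefixes the client would push overlap the host's existing routes and shows which side of each overlap longest-prefix matching would hide. The route tables below are constructed samples; the 172.27.245.17 case is the one discussed above.

```python
import ipaddress

# Constructed sample routing state: the host's own routes before the VPN
# comes up, and the prefixes the VPN client would install on tun0.
LOCAL_ROUTES = [("192.168.1.0/24", "eth0"), ("172.27.245.0/24", "eth0"),
                ("0.0.0.0/0", "eth0")]
VPN_ROUTES = [("10.8.0.0/24", "tun0"), ("172.27.0.0/16", "tun0")]


def overlapping_routes(local, vpn):
    """Pairs (local_prefix, vpn_prefix) whose address ranges intersect.
    The default route is skipped: everything overlaps it by design."""
    conflicts = []
    for lp, _ in local:
        lnet = ipaddress.ip_network(lp)
        if lnet.prefixlen == 0:
            continue
        for vp, _ in vpn:
            if lnet.overlaps(ipaddress.ip_network(vp)):
                conflicts.append((lp, vp))
    return conflicts


def select_route(dest, routes):
    """Longest-prefix match over the combined table, as the kernel does.
    Returns (prefix, interface) or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def shadowed_side(local_prefix, vpn_prefix):
    """Which side of an overlap becomes unreachable under longest-prefix
    match: the less specific prefix loses for the addresses they share."""
    lnet = ipaddress.ip_network(local_prefix)
    vnet = ipaddress.ip_network(vpn_prefix)
    if vnet.prefixlen > lnet.prefixlen:
        return "local", str(vnet)
    if lnet.prefixlen > vnet.prefixlen:
        return "vpn", str(lnet)
    return "ambiguous", str(lnet)  # equal length: metric or order decides


if __name__ == "__main__":
    for lp, vp in overlapping_routes(LOCAL_ROUTES, VPN_ROUTES):
        side, rng = shadowed_side(lp, vp)
        print(f"{lp} (local) overlaps {vp} (vpn): {side} side hidden for {rng}")
    print(select_route("172.27.245.17", LOCAL_ROUTES + VPN_ROUTES))
```

With these tables the local /24 wins for 172.27.245.17, so the VPN-side host of that address is the one that disappears; a client that instead installs a more specific route for the VPN side hides the local host, which is the behaviour the thread describes.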
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il