The proposed design will definitely be initially tested in a lab. Not to worry about that part.
The major problem I have seen by now is that IPsec has problems with NAT, while OpenVPN doesn't (but it adds to latency; this is not a major concern in the desired setup). I would like to briefly mention the setup again: some clients will get private IP addresses at their access network (theoretically, it could be anywhere in the world), and are then immediately NATed to some gateway's public IP pool in order to access the outside world. Packets from this public IP pool will reach the VPN server, and the VPN should be terminated there. As far as I know, it is not possible to set up this situation using IPsec without using some additional magic.

Opinions would be appreciated.

Thanks,
j.

--- Jason Dixon <[EMAIL PROTECTED]> wrote:

> On Jul 28, 2006, at 8:09 AM, jeraklo wrote:
>
> > I just wanted to simplify the layout (it seems at the end it went more
> > complex, sorry), but the two firewalls are actually PIX firewalls with
> > several interfaces.
> >
> > So, you are saying that pf(4), ipsec(4), ipsecctl(8), and maybe vpn(8)
> > is all I need? Do I have to make some special tweaks on the Windows
> > client machines in order to run the VPN, or is it just a matter of some
> > default configuration?
>
> Not to interject here, but your chances for success are directly
> proportional to your understanding of TCP/IP and IPsec. It sounds as
> though you are not terribly experienced with either. That's not to say
> you can't make this happen, but I would strongly suggest you reproduce
> your proposed design in a test lab (probably at home).
>
> Everything you need is in the base install. With the recent changes to
> ipsecctl and ipsec.conf, there's no need to consider OpenVPN (except
> perhaps on technical merits, which I believe it loses on). Once you've
> started testing your network and run into problems, definitely come back
> and we'll be happy to help.
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net
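The "additional magic" the post is asking about is UDP encapsulation of ESP (NAT traversal, RFC 3947/3948). The following is an added example, not code from this thread or from OpenBSD: it builds toy AH and ESP packets, pushes them through a simulated NAPT box, and shows the three facts that decide the question: AH's integrity check covers the IP addresses and so cannot survive any NAT; plain ESP survives the rewrite but carries no port, so a NAT cannot tell two inside clients apart; ESP wrapped in UDP/4500 gets a per-client source port like any other UDP flow, and the receiver tells IKE from ESP on that port by the four-zero-byte non-ESP marker. The 9-byte "IP header", the HMAC key and the RFC 5737 addresses are constructed for the example; real IPv4, ESP and AH headers have more fields, but only the ones modelled here matter for the NAT argument.

```python
import hashlib
import hmac
import struct

PROTO_UDP, PROTO_ESP, PROTO_AH = 17, 50, 51
NAT_T_PORT = 4500                   # RFC 3948: ESP-in-UDP and IKE share this port
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 2.2: an ESP SPI is never zero, so
                                       # four zero bytes mean "this is IKE, not ESP"
KEY = b"constructed-example-key"    # assumption: shared integrity key for the toy SA
PEER = "203.0.113.1"                # VPN server (documentation address)
NAT_PUBLIC = "198.51.100.7"         # gateway's public pool address (documentation)


def ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ip_hdr(src, dst, proto):
    # Toy header: src(4) dst(4) protocol(1). These are the fields a NAT rewrites
    # and the fields AH protects; everything else is omitted for brevity.
    return ip(src) + ip(dst) + bytes([proto])


def icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96, RFC 2404


def build_esp(key, spi, seq, payload):
    body = struct.pack("!II", spi, seq) + payload
    return body + icv(key, body)      # ESP's ICV covers ESP only, never the IP header


def verify_esp(key, esp):
    return hmac.compare_digest(esp[-12:], icv(key, esp[:-12]))


def build_ah(key, hdr, spi, seq, payload):
    fixed = struct.pack("!II", spi, seq)
    return fixed + icv(key, hdr + fixed + payload) + payload  # ICV covers IP header too


def verify_ah(key, hdr, ah):
    fixed, tag, payload = ah[:8], ah[8:20], ah[20:]
    return hmac.compare_digest(tag, icv(key, hdr + fixed + payload))


def udp_hdr(sport, dport):
    return struct.pack("!HH", sport, dport)


def decapsulate(key, udp_payload):
    """Receiver side of UDP/4500: split IKE from ESP, then check the ESP ICV."""
    if udp_payload.startswith(NON_ESP_MARKER):
        return "ike"
    return verify_esp(key, udp_payload)


class Nat:
    """Minimal NAPT: many private hosts share one public address."""

    def __init__(self, public_ip):
        self.public, self.next_port, self.table = public_ip, 40000, {}

    def outbound(self, hdr, l4):
        src, dst, proto = hdr[:4], hdr[4:8], hdr[8]
        new_hdr = ip(self.public) + dst + bytes([proto])
        if proto == PROTO_UDP:
            sport, dport = struct.unpack("!HH", l4[:4])
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[(proto, pub_port)] = (src, sport)   # one entry per flow
            return new_hdr, udp_hdr(pub_port, dport) + l4[4:]
        # ESP/AH have no ports: the only demux key is the peer address, so a
        # second inside host talking to the same peer collides (many NATs drop it).
        key = (proto, dst)
        if key in self.table and self.table[key] != src:
            raise ValueError("cannot multiplex a second protocol-%d client" % proto)
        self.table[key] = src
        return new_hdr, l4


def ah_through_nat():
    hdr = ip_hdr("10.0.0.5", PEER, PROTO_AH)
    new_hdr, ah = Nat(NAT_PUBLIC).outbound(hdr, build_ah(KEY, hdr, 0x1001, 1, b"hello"))
    return verify_ah(KEY, new_hdr, ah)          # False: source address was rewritten


def raw_esp_two_clients():
    nat, results = Nat(NAT_PUBLIC), []
    for client in ("10.0.0.5", "10.0.0.6"):
        try:
            _, esp = nat.outbound(ip_hdr(client, PEER, PROTO_ESP),
                                  build_esp(KEY, 0x2001, 1, b"hello"))
            results.append(verify_esp(KEY, esp))
        except ValueError:
            results.append(None)                 # second client never gets through
    return results                               # [True, None]


def nat_t_two_clients():
    nat, ports, ok = Nat(NAT_PUBLIC), set(), []
    for client in ("10.0.0.5", "10.0.0.6"):
        pkt = udp_hdr(NAT_T_PORT, NAT_T_PORT) + build_esp(KEY, 0x2001, 1, b"hello")
        _, out = nat.outbound(ip_hdr(client, PEER, PROTO_UDP), pkt)
        ports.add(struct.unpack("!HH", out[:4])[0])   # server must reply to this port
        ok.append(decapsulate(KEY, out[4:]))
    return ok + [len(ports) == 2]                # [True, True, True]
```

The last point in `nat_t_two_clients` is the one that bites in practice: the server must send its ESP and IKE back to the UDP source port it saw, not to 4500, and the NAT's mapping for that port expires unless something keeps it alive, which is why NAT-T peers send periodic keepalives. The responder also has to cope with several peers behind one public address whose inner traffic comes from the same private ranges, which is a policy question for the gateway rather than a protocol one.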