> I am thinking about setting up what I would consider a simple VPN.  I have
> two IP'masqed RedHat 7.2 boxes at two locations.  I want to make the
> machines behind them look like they are on the same network.  Is there a
> relatively easy and secure way of doing this?  Seems fairly simple, but most
> documentation that I have come across seems complex.  Any good suggestions?

I'd suggest CIPE

I think people see VPNs as a complex thing because they just don't know the
way it works.

In the case of CIPE (other systems too, I guess), you just get a new
network interface on each computer, and the two interfaces are in the same
IP subnet. Think of it in the same manner as ppp provides a ppp0 interface
and a link over a telephony network, no matter how complex this sub-layer
is: cipe provides a cipb0 interface and a link over an IP sub-layer (the
internet, actually).

A basic configuration would be:
private network 1 <-> lanbox 1 <-> internet <-> internet <-> internet <->
lanbox 2 <-> private network 2

adding a VPN between lanbox 1 and lanbox 2 just "hides" the internet sub
layer and shrinks the configuration to :
private network 1 <-> lanbox 1 <-> lanbox 2 <-> private network 2

Now, suppose your private network 1 has IP subnet #1, private network 2 IP
subnet #2, and the VPN adds an IP subnet #3 between the lanboxes. Then the
routing configuration is obvious: set a static route to subnet #2 on
lanbox 1 via lanbox 2's cipb0 IP address (i.e. lanbox 2's IP address in
subnet #3) and conversely a static route to subnet #1 on lanbox 2 via lanbox
1's cipb0 IP address. Of course, I guess that private network 1 machines
already have a default route that points to lanbox 1 and conversely for
private network 2 machines.

Now you have total control over routes and you can make private subnets
communicate easily and securely.

Of course, lanbox 1 and lanbox 2 can be configured to NAT outgoing packets
which do not concern private to private traffic.

So, to make it short, consider a VPN as a new point-to-point link. Isn't it
finally easy?
                        - * - * - * - * - * - * -
If we each have an object and we exchange them,
   we still each have one object.
If we each have an idea and we exchange them,
   we then each have two ideas.

Thierry ITTY
eMail : [EMAIL PROTECTED]               FRANCE
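
The routing and NAT layout described in the reply above, as an added example that is not part of the original message: a function that prints (without running) the commands for one lanbox. The subnets, tunnel addresses and the WAN interface name eth0 are constructed samples, cipb0 is the interface name as given in the reply, and the iptables lines assume current `! -d` option syntax.

```shell
#!/bin/sh
# Added example: print, do not execute, the per-lanbox routing and NAT
# commands for the three-subnet layout. All addresses are constructed.

TUN_IF=${TUN_IF:-cipb0}   # tunnel interface name as given in the reply

# lanbox_cmds LOCAL_NET REMOTE_NET PEER_TUNNEL_IP WAN_IF
lanbox_cmds() {
    local_net=$1 remote_net=$2 peer_ip=$3 wan_if=$4

    # Refuse incomplete input rather than emit a half-formed rule.
    for v in "$local_net" "$remote_net" "$peer_ip" "$wan_if"; do
        [ -n "$v" ] || {
            echo "usage: lanbox_cmds LOCAL_NET REMOTE_NET PEER_IP WAN_IF" >&2
            return 1
        }
    done

    # Static route: the remote private subnet is reached through the
    # peer's tunnel address (its address in subnet #3).
    echo "ip route add $remote_net via $peer_ip dev $TUN_IF"

    # Forward private-to-private traffic only between LAN and tunnel,
    # so it can never leave unencrypted through the WAN interface.
    echo "iptables -A FORWARD -s $local_net -d $remote_net -o $TUN_IF -j ACCEPT"
    echo "iptables -A FORWARD -s $remote_net -d $local_net -i $TUN_IF -j ACCEPT"

    # Masquerade only traffic that leaves by the WAN interface and is
    # not addressed to the remote private subnet.
    echo "iptables -t nat -A POSTROUTING -s $local_net ! -d $remote_net -o $wan_if -j MASQUERADE"
}

# Constructed sample layout: subnet #1, subnet #2, and subnet #3 (tunnel).
NET1=192.168.1.0/24
NET2=192.168.2.0/24
LANBOX1_TUN=10.0.0.1
LANBOX2_TUN=10.0.0.2

echo "# on lanbox 1"
lanbox_cmds "$NET1" "$NET2" "$LANBOX2_TUN" eth0
echo "# on lanbox 2"
lanbox_cmds "$NET2" "$NET1" "$LANBOX1_TUN" eth0
```

Review the printed commands before applying them as root on each lanbox; the FORWARD rules only help if the chain's default policy drops everything else.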
