[TriLUG] Firewall/VPN?

Jon Carnes jonc at nc.rr.com
Wed Nov 28 14:33:37 EST 2001


----- Original Message -----
From: "Michael S Czeiszperger" <czei at webperformanceinc.com>
Subject: Re: [TriLUG] Firewall/VPN?
>
> I run everything else on Linux, so any VPN would both have to support stuff
> like NFS, as well as Samba in order to access remote Windows files. Any
> pointers to the easiest way of accomplishing this would be appreciated, such
> as what type of VPN is best to use...
>
> - --
> Michael S Czeiszperger

http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO-5.html

First, make sure the modules are installed on your routers:
   insmod ipip.o
   insmod new_tunnel.o
   insmod ip_gre.o

On the router of network A, you do the following:
   ip tunnel add netb mode gre remote <B-ext-IP> local <A-ext-IP> ttl 255
   ip link set netb up
   ip addr add <A-int-IP> dev netb
   ip route add <B-int-NET> dev netb

On the router of network B:
   ip tunnel add neta mode gre remote <A-ext-IP> local <B-ext-IP> ttl 255
   ip link set neta up
   ip addr add <B-int-IP> dev neta
   ip route add <A-int-NET> dev neta

And when you want to remove the tunnel on router A:
   ip link set netb down
   ip tunnel del netb

To remove the tunnel on router B:
   ip link set neta down
   ip tunnel del neta

===

If you have problems with the modules, or you want to tightly control the
ports used, then I would recommend PPP/ssh.  Works fine, stays on port 22
and doesn't require anything special to run.  Of course you need both pppd
and sshd loaded and running.

I've got a couple of PPP/ssh vpns running on routers that change their
external addresses every so often.  The trick is to have some common server
where you can drop off and pick up the new ip address (Dynamic DNS would do
this for you).  Then you've got to associate the old ssh-key with the new ip
address (unless you use routing to link instead to the unchanging internal
address of the remote router...)

Let us know if you have any questions or get stuck!

Jon Carnes
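
Added example, not part of the original message or of any project's code: one way to handle the changing-address case described above for PPP over ssh. It validates the address picked up from the common server and prints (does not run) a pppd command that pins the peer's host key to a fixed HostKeyAlias. The drop-off file, the alias `router-b`, the `vpn` account with sudo rights for pppd, and all addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build (not run) a PPP-over-ssh command for a peer whose
# external address changes. All names, paths and addresses are constructed.

# Read the peer's current address from the drop-off file and validate it.
# The file comes from a shared server, so treat it as untrusted input:
# accept a dotted-quad IPv4 address and nothing else.
read_peer_addr() {
    addr=$(head -n 1 "$1" 2>/dev/null | tr -d ' \t\r')
    case "$addr" in
        ''|*[!0-9.]*|*.) return 1 ;;   # empty, stray characters, trailing dot
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr                       # split on dots into positional params
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$addr"
}

# Print the pppd command. HostKeyAlias makes ssh look up the peer's host key
# under a fixed name, so known_hosts needs no edit when the address changes;
# StrictHostKeyChecking=yes refuses a peer whose key does not match.
ppp_ssh_cmd() {
    peer=$(read_peer_addr "$1") || { echo "bad address in $1" >&2; return 1; }
    alias_name=$2; local_ip=$3; remote_ip=$4
    printf 'pppd updetach noauth pty "ssh -o HostKeyAlias=%s -o CheckHostIP=no -o StrictHostKeyChecking=yes -o BatchMode=yes vpn@%s sudo pppd nodetach notty noauth" %s:%s\n' \
        "$alias_name" "$peer" "$local_ip" "$remote_ip"
}

# Constructed demo: 192.0.2.17 stands in for the address picked up from the
# common server; 10.0.0.1 and 10.0.0.2 are made-up tunnel endpoints.
drop=$(mktemp)
echo "192.0.2.17" > "$drop"
ppp_ssh_cmd "$drop" router-b 10.0.0.1 10.0.0.2
rm -f "$drop"
```

The peer's key has to be stored once in known_hosts under the alias name before the first BatchMode connection will succeed.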



