Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
vpn network
- Thread starter gwu
- Start date
John Lewis
Programmer
Assuming pptp, look here
Actually, even the howto listed at the bottom of that page is valuable, some details have changed slightly but the basics are the same. You really need to just dig in and post back if you have any questions or problems.
Actually, even the howto listed at the bottom of that page is valuable, some details have changed slightly but the basics are the same. You really need to just dig in and post back if you have any questions or problems.
Yeah but I don't think they came up with many new words since then. 
- Thread starter
- #5
John Lewis
Programmer
Haven't done swan on 9.0 (yet). Setting up on your side should not be too bad. There is a learning curve to it, but if you can get a server up and running with tables, you should be able to figure it out.
You mentioned several Windows clients that will need access. Based upon experience, your long term problem will be there. Of course I don't know about your specific situation, but in general any time you talk about Windows users in a group of more than 3 or so, there is at least one that should not be allowed to own a computer. The IPSec connection can be a bear to get going the first couple of times, almost impossible without someone on the other end that has a clue. Maintaining the configuration can have the same problems.
PPTP is much easier to deal with both initially and from a maintenance standpoint. The Windows pptp client is relativly mature. Most users seem to be able to deal with it much better than the alternative. Configuration seems to require less repair over the long term.
There are times that IPSec is a better alternative. Main point in it's favor is the encription involved, but if you use preshared keys even that is somewhat questionable. If you use a CA, the other can of worms gets bigger.
Short version, if you really really need the extra encryption, go for the IPSec route and buy some extra asprin. Otherwise, (Windows clients + Windows users) = pptp, in my opinion, thus the link to poptop.
You mentioned several Windows clients that will need access. Based upon experience, your long term problem will be there. Of course I don't know about your specific situation, but in general any time you talk about Windows users in a group of more than 3 or so, there is at least one that should not be allowed to own a computer. The IPSec connection can be a bear to get going the first couple of times, almost impossible without someone on the other end that has a clue. Maintaining the configuration can have the same problems.
PPTP is much easier to deal with both initially and from a maintenance standpoint. The Windows pptp client is relativly mature. Most users seem to be able to deal with it much better than the alternative. Configuration seems to require less repair over the long term.
There are times that IPSec is a better alternative. Main point in it's favor is the encription involved, but if you use preshared keys even that is somewhat questionable. If you use a CA, the other can of worms gets bigger.
Short version, if you really really need the extra encryption, go for the IPSec route and buy some extra asprin. Otherwise, (Windows clients + Windows users) = pptp, in my opinion, thus the link to poptop.
- Thread starter
- #7
i am trying to get poptop working on my firewall.
I have a basic setup firewall with public ip address, 202.2.2.2 on one side and private address, 10.0.0.1, on the other. All the clients behind the firewall use snat to reach the net.
The ip address of the client connecting to the local network is 68.2.100.10
What would the local and remote ip address ranges be in the pptpd.conf file?
thanks
I have a basic setup firewall with public ip address, 202.2.2.2 on one side and private address, 10.0.0.1, on the other. All the clients behind the firewall use snat to reach the net.
The ip address of the client connecting to the local network is 68.2.100.10
What would the local and remote ip address ranges be in the pptpd.conf file?
thanks
- Thread starter
- #8
John Lewis
Programmer
It is possible that tables is your problem. (That sounds really bad, but 'tables are your problem' didn't seem much better in context. Just had to clarify in case my 11th grade English teacher is reading.)
I would rather suspect a routing problem. If you haven't done so already, add a route on your server to the client with the VPN address as the gateway. Sounds like the route lives on the client, otherwise you wouldn't be able to ping the 10.0.0.1 address.
Couple of things to keep in mind when dealing with tables and pptp. The VPN gets it's own interface on each end. If you use the -i option to select a specific interface when building rules, you will need to include rules for the VPN interface(s) as well. The first VPN connection will be ppp0, second is ppp1, etc. You can use ppp+ to specify all ppp interfaces ( '-i ppp+' in the rule ). If you have any dialup connections, they will also be included in this rule.
Also, be sure to limit the traffic to specific addresses or address ranges. If a VPN client is configured for routing, it is possible for traffic to be routed from the internet, through the client, up the VPN then out to your network.
I would rather suspect a routing problem. If you haven't done so already, add a route on your server to the client with the VPN address as the gateway. Sounds like the route lives on the client, otherwise you wouldn't be able to ping the 10.0.0.1 address.
Couple of things to keep in mind when dealing with tables and pptp. The VPN gets it's own interface on each end. If you use the -i option to select a specific interface when building rules, you will need to include rules for the VPN interface(s) as well. The first VPN connection will be ppp0, second is ppp1, etc. You can use ppp+ to specify all ppp interfaces ( '-i ppp+' in the rule ). If you have any dialup connections, they will also be included in this rule.
Also, be sure to limit the traffic to specific addresses or address ranges. If a VPN client is configured for routing, it is possible for traffic to be routed from the internet, through the client, up the VPN then out to your network.
- Status
Similar threads
- Locked
- Question