

I want to do what you ask, and the idea I've come up with is this.

* Use CIPE (also applies to FreeSWAN/etc) with preshared keys.
* This will ONLY get you a tunnel between the client and the VPN server.
  The VPN server has default ipchains that block all forwarding/whatever,
  hence stopping it from being a VPN router.
* The client must then attach to the VPN server via a Web browser (SSL
  not required as you're now talking to it via VPN) and authenticate with
  a usercode/password CGI script. This (ahem) setuid root script would,
  upon correct authentication, set ipchain rules that would allow that IP
  address to route via the VPN server back onto your LAN/whatever.

The benefit of such a scheme is that you control the backend CGI script.
It could be anything: NT auth/LDAP/SecurID tokens/whatever. You could
also set up timeouts so that such links were only valid for n hours, etc,
etc, etc.

How's that sound? Stupid? :-)




