
To: JR,AT,JRago,DOT,com
Subject: Re: Is CIPE the right solution for my needs?
From: "Eric M. Hopper" <hopper,AT,omnifarious,DOT,org>
Date: Mon, 22 Mar 2004 07:24:48 -0800
Cc: cipe-l,AT,inka,DOT,de
In-reply-to: <EGEOKKPIPDNJGAFLKMEPMEOACAAA.JR@JRago.com>
Organization: Omnifarious Software
References: <EGEOKKPIPDNJGAFLKMEPMEOACAAA.JR@JRago.com>

On Sun, 2004-03-21 at 12:44, Jeff Rago wrote:
>       I have a RedHat 9 server running SAMBA 3 sharing out directories to
> several WinXP Pro clients on the LAN.
> 
>       The server is using iptables to do NAT (masquerading) to allow the LAN
> internet access through a T1 with a static IP address.  (A dial modem is
> also available on the server)
> 
>       I have a need to have three remote WinXP Pro users access the SAMBA
> shares on the server.
> 
>       They will be accessing the internet from various locations with or
> without NAT routers. Sometimes via dialup from hotel rooms and sometimes via
> broadband (cable or ADSL) from home.
> 
>       I have determined that an IPSEC VPN is not appropriate due to the NAT
> issues.  (Is this correct?)

This isn't correct actually.  I've recently discovered that there's an
RFC for IPSEC inside of UDP (though I can't remember the number right
offhand).  I discovered it while doing packet analysis on a VPN appliance
that my current job bought for me.  The appliance is a SNAPgear SME550.

http://www.cyberguard.com/snapgear/sme550.html

>       What I have read about CIPE seems to indicate that it will work in
> this configuration but the scarce documentation is not totally clear.

Yes, it will.

>       If CIPE is appropriate for my needs - any suggestions on how to go
> about implementing it?
> 
>       I am very well versed in Windows NT (4.0, 5.0 and 5.1), RedHat Linux
> and networking but a little light on VPNs.

After seeing this VPN device I just got in action, I would suggest using
it over CIPE.  The device itself can be configured by you, and tailored
to the people in the remote offices.  They can connect their computers
to it, and then connect it to the Internet, and poof, it sets up a
secure private network that includes your office and their machine.

It will even make sure that the only packets that make it to their
machine came through the firewalls at your office.  This will make it
harder for someone to compromise your network by taking down a satellite
machine, then invading your network through it.

And, it looks like it's much less of a configuration hassle for the
people using it than CIPE is.  It looks like a little more of a
configuration hassle for you because IPSEC is an ugly, complicated
beast.

Have fun (if at all possible),
-- 
The best we can hope for concerning the people at large is that they
be properly armed.  -- Alexander Hamilton
-- Eric Hopper (hopper,AT,omnifarious,DOT,org  http://www.omnifarious.org/~hopper) --

Attachment: signature.asc
Description: This is a digitally signed message part

