[geeks] VPN stuff..

Andrew Weiss ajwdsp at cloud9.net
Fri Dec 27 14:11:02 CST 2002


OK I'm going to go in for a new project when I get home from my parents'
house this weekend and I can't seem to figure out the proper solution for
it.  I have several ideas.  I want to connect any machine on my LAN (RFC
1918 NAT'ed) to our company VPN at will.


Setup looks like this:

                   ____________________________
/\/\/\/\/\         |Router                      |
LAN  >-------------|Powermac 8100/80AV          |------<Cable Modem>---> Internet <---- <Corporate net>
\/\/\/\/\/         |NAT RFC1918 (192.168.0.0/24)|
                   |____Yellow Dog Linux 2.0____|

Normally our VPN needs the Contivity client.  I'm told that FreeS/WAN works
with the Contivity VPN.  I need to know whether or not to make the VPN
connection using the Linux router (which appears to cut off internet access
during the connection for everyone on the LAN, and NAT may/may not work
right--- in other words this doesn't work), or whether to do VPN masq with a
special kernel patch in which case certain AH ops don't work through NAT (I
have no clue whether my company is using this... and I have a less than
help^H^H^H skillful IT department located across the country at HQ (i.e. too
lazy to do anything about non Windows clients [which are available] for our
helpdesk software... which has a web interface that is ActiveX-only [what's
the point?])

Now I suppose I could

A. Use the Windows Box as a router (but this means I have to:
    1. Upgrade to 2000 Server to use NAT or work with that ugly hack ICS
    2. Buy a second network card (the reason I went with hardware I already
had is that I'm poor right now)
    3. Come on... get real... Windows router... blech I did this for months
with dialup access... I'm glad it's finally been relegated to games only
:-).

B. Buy a Linksys Cable router to do routing
    1. This assumes they have a Contivity aware product
    2. More cash outlay see A part 2
    3. It still cuts off local internet access during VPN access time
(corporate VPN doesn't allow internet access AFAIK in order to keep people
from sitting on them all day I suppose + security reasons)

--------------------------------------
Andrew J. Weiss
Field Network Engineer
En Pointe Technologies
aweiss at enpointe.com, ajwdsp at cloud9.net
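Added illustration, not part of the original post or of FreeS/WAN or Contivity: the remark in the message that "certain AH ops don't work through NAT" comes down to what each IPsec integrity check covers. AH computes its integrity check value over the outer IP header's immutable fields (source and destination address) plus the payload, zeroing mutable fields such as TTL; ESP's integrity check covers only the encapsulated payload. The model below is deliberately simplified (it does not reproduce the real AH or ESP header formats), the addresses are the post's 192.168.0.0/24 range plus RFC 5737 documentation addresses, and the key is a constructed demo value rather than one negotiated by IKE.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Simplified model of an IPv4 packet: only the fields the demo needs.
@dataclass(frozen=True)
class Packet:
    src: str       # outer IP source address
    dst: str       # outer IP destination address
    ttl: int       # mutable hop-count field
    payload: bytes


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ah_icv(pkt: Packet, key: bytes) -> bytes:
    # AH (RFC 2402) authenticates the IP header itself: immutable fields such as
    # src/dst are covered, mutable fields such as TTL are treated as zero.
    # Real AH covers more header fields; this keeps just enough to show the effect.
    covered = ip_to_bytes(pkt.src) + ip_to_bytes(pkt.dst) + b"\x00" + pkt.payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:12]


def esp_icv(pkt: Packet, key: bytes) -> bytes:
    # ESP integrity covers only the encapsulated payload, never the outer IP header.
    return hmac.new(key, pkt.payload, hashlib.sha1).digest()[:12]


ICV = {"AH": ah_icv, "ESP": esp_icv}


def nat_rewrite(pkt: Packet, public_ip: str) -> Packet:
    # What the RFC 1918 NAT router does on the way out: new source address, TTL-1.
    return replace(pkt, src=public_ip, ttl=pkt.ttl - 1)


def verify(pkt: Packet, icv: bytes, key: bytes, mode: str) -> bool:
    # The VPN gateway recomputes the ICV over the packet as it actually arrives.
    return hmac.compare_digest(ICV[mode](pkt, key), icv)


DEMO_KEY = b"constructed-demo-key"  # constructed; real keys are negotiated by IKE


def simulate(mode: str) -> bool:
    """Return True if a packet sent from the LAN still verifies after NAT."""
    inner = Packet("192.168.0.10", "203.0.113.5", 64, b"hello corporate net")  # constructed
    icv = ICV[mode](inner, DEMO_KEY)                # computed by the LAN host before NAT
    outside = nat_rewrite(inner, "198.51.100.7")    # constructed public address
    return verify(outside, icv, DEMO_KEY, mode)


def ttl_change_survives_ah() -> bool:
    """A plain router (no address rewrite) only decrements TTL; AH tolerates that."""
    pkt = Packet("192.168.0.10", "203.0.113.5", 64, b"x")
    icv = ah_icv(pkt, DEMO_KEY)
    return verify(replace(pkt, ttl=63), icv, DEMO_KEY, "AH")


if __name__ == "__main__":
    for mode in ("AH", "ESP"):
        print(f"{mode}: verifies after NAT = {simulate(mode)}")
    print(f"AH after TTL decrement only = {ttl_change_survives_ah()}")
```

Run stand-alone it reports that the AH-protected packet fails verification once the NAT box rewrites the source address, while the ESP-protected one still verifies, and that a TTL decrement alone (an ordinary router hop) does not break AH. That is why the question the post says its IT department could not answer, whether the corporate gateway requires AH or ESP, decides whether the NAT-router path can work at all; with ESP the remaining obstacle is port-based NAT on the ESP stream, which is what the UDP-encapsulation kernel patches the post mentions address.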

