IPSec VPN Questions, comments wanted :-)

I'm about to find a solution to VPN-interconnect our branch offices.

Today we have a main site with a /28-net where the network servers are
located. Internal net is 10.0.0/24 with S-NAT for the servers. Branch
offices use the ICA protocol to connect to an internal Windows Terminal server.
Branch offices are rather small, typically 1-3 laptop computers (Win2000/XP)
and a network printer, connected to the Internet via ADSL or ISDN.
NAT addresses (192.168.1.x/24, each branch office uses the same setup). Branch
offices have static IP addresses, which will be passed in by the firewall.

Branch office users typically travel a lot with their laptops, and need
to connect to the main site from various locations.

Firewall at main site is currently IPFilter on OpenBSD 2.8.

This is what we want to achieve:
1) Connectivity from non-static addresses, encrypted.
2) Interconnect the branch office networks with the main site network,
encrypted.
3) Users should never have to reconfigure their laptop in order to
connect to the main site.

This is the solution I had in mind:
First of all: Upgrade main site firewall to latest OpenBSD-stable.
1) Create "Virtual Private Network" connections using the built-in features of
Win2000/XP on the laptop computers. This is for use out-of-branch-office,
i.e. at home or when visiting a customer/supplier.

2) Equip each branch office with a "multi-purpose" IPSec-capable firewall,
e.g. Cisco 806, Multitech RF550VPN [1], Watchguard SOHO|tc. Set it up with
an assigned private network id (ie,,, etc) for
each branch office. The addresses will be provided to the laptops from
this multi-purpose firewall via DHCP.

3) Now I hope the only difference from the user's point of view would be
that if he/she is out-of-office, he/she needs to establish the transport-mode
VPN connection->main site firewall before being able to use network services.
If a user moves from one branch office to another, he/she only needs to
plug the laptop in and should then be able to reach network services on
the main site.

*Have I understood this right? ;)

*With IPSec tunnel mode->Main site firewall, all branch office networks
would be reachable from the main site, right? I.e., from 10.0.0/24 I would be
able to ping a network printer.

*Should the users connect to the private addresses of the main site
network (10.0.0/24) or the public addresses when they need to access
network services? This is of course a DNS matter, since we cannot put
private addresses on a public DNS server.

*Since the firewall must be set to accept IPSec connections from all
source addresses, how does it know that it comes from an approved user? Is
the connection authenticated using private keys or username/passwords or

Don't you just love scenarios? =) Any ideas or feedback welcome.

[1] Seems to be a nice product for this purpose. Low price (SEK3.000 /
~$300). Features NAT, Packet filtering, 4-port 10/100 Switch, PPPoE for
automatic logon to ADSL provider, 5 Simultaneous IPSec tunnels, 700Kbps
IPSec throughput, 6Mbps firewall throughput. Specs see:
