
Re: VPN



Mark Knecht wrote:
On Thu, 2003-12-04 at 10:42, Dan Schad wrote:

Mark,

What VPN should do (set up as) is a virtual gateway into your other LAN.
Office, Home, etc, etc.  It's a way to remotely attach to separate
LANs using the Internet.


Yep, that I understand.


So, in this case, both LANs know how to talk to each other via the VPN
just like a dial-up connection or a T1 per se.  Once the connections
are made, as long as your firewall settings allow it, you can have full
access to all ports UDP and TCP.  That is, you should set up our Linux
box to be the gateway, router, VPN, etc.


The difference I'm experiencing is that when I'm using an M$ style VPN,
and I open Internet Explorer, and I tell it to connect to 192.168.1.X,
the machine it connects to is on the work network, not the local
network. In M$'s model, the VPN connection appears to make the complete
local XP machine, and all of the local apps, act like they are on the
remote network. In the Linux VPN model (Assuming VPN==ssh) the only part
of my machine that is part of the remote network is the terminal I run
ssh in. If I start Mozilla locally, it connects to 192.168.1.X on my
network.

Using the M$ style VPN, IE6 locally can display what it gets from a web
server on the remote network using the remote DNS servers.


With the Linux style, when I start Mozilla it doesn't do this, so I
cannot use it to directly read email from the remote email web
interface.

Or maybe I don't know how to do it.


As far as the VPN, I set up a VPN gateway as a firewall and VPN server for my
home network.  All my access passes thru that box.  I have Linux and Windows
running and have complete access to all my company resources.  We use FreeSwan,
it's a great free product out of Canada.  Use IPTables (or IPChains for older
Linux builds) for your firewall.  Between the two you should be able to get a
VPN into your office and get access to all the network resources.


I think I agree. I can do pretty much the same, but with the Linux style
I need to run Mozilla remotely to use the remote web server. If I run it
locally it just acts like it always does.

Hope I'm making the complicated picture clearer and not more
complicated! ;-)

You've got two totally different things going on here, Mark.


VPN (virtual private network) is a mechanism whereby two separate
NETWORKS connect together using the public internet as the conduit and
securing the data by using encryption keys.  For example, your work
network and your home network connect together via a VPN.  In that
case, each network has a "router" with one interface on the local
network and the other interface on the VPN:

	worksys1 --+                                  +-- homesys1
	worksys2 --+-- router ---- VLAN ---- router --+-- homesys2
	worksys3 --+                                  +-- homesys3

The two routers must know what type of VLAN is being used and know what
the encryption keys are for it to work.  Any traffic that doesn't go
to a local box gets transmitted by the router via the VLAN to the other
network.

SSH is entirely different.  SSH is essentially telnet with encryption
(it has much more, but that's the easiest way to think of it).  It only
connects one system to another system--it does NOT do networks.

The main thing to remember is that VPNs connect networks to networks,
ssh connects system to system (a.k.a. "point to point").
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-            We look for things.  Things that make us go!            -
----------------------------------------------------------------------
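
Added example, not part of the original thread: a simplified route lookup (longest prefix, then lowest metric) showing why a local browser only reaches the work network when the machine's routing table carries a route into it, which an ssh session does not add. The interface names, metrics and the 10.20.0.0/16 work prefix are assumptions; the colliding case models both LANs using 192.168.1.X as described in the thread.

```python
import ipaddress

def lookup(routes, dest):
    """Return the interface of the most specific route covering dest.
    Longest prefix wins; on a tie the lower metric wins (simplified model)."""
    addr = ipaddress.ip_address(dest)
    hits = [(ipaddress.ip_network(net), iface, metric)
            for net, iface, metric in routes
            if addr in ipaddress.ip_network(net)]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def lans_overlap(a, b):
    """True when two LAN prefixes share addresses, so a destination is ambiguous."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))

# Constructed routing tables (network, interface, metric); all values are assumptions.
# eth0 = home LAN / Internet uplink, tun0 = hypothetical VPN tunnel interface.
HOME_ONLY = [("192.168.1.0/24", "eth0", 0), ("0.0.0.0/0", "eth0", 10)]
# An ssh session adds no routes, so local applications still see HOME_ONLY.
# Network-to-network VPN to a work LAN assumed to be 10.20.0.0/16:
WITH_VPN = HOME_ONLY + [("10.20.0.0/16", "tun0", 0)]
# Work LAN numbered 192.168.1.0/24 like the home LAN, tunnel route preferred:
COLLIDING = [("192.168.1.0/24", "eth0", 5), ("192.168.1.0/24", "tun0", 0),
             ("0.0.0.0/0", "eth0", 10)]

def report():
    """Resolve two sample destinations against each constructed table."""
    rows = []
    for name, table in (("home only", HOME_ONLY), ("with VPN", WITH_VPN),
                        ("colliding", COLLIDING)):
        for dest in ("192.168.1.20", "10.20.3.4"):
            rows.append((name, dest, lookup(table, dest)))
    return rows

if __name__ == "__main__":
    for name, dest, iface in report():
        print(f"{name:10} {dest:14} -> {iface}")
    print("home/work overlap:", lans_overlap("192.168.1.0/24", "192.168.1.0/24"))
```

In the colliding table every 192.168.1.X destination leaves through the tunnel, so hosts on the home LAN become unreachable while the VPN is up; numbering the two LANs differently avoids that.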



