
Re: VPN



Rick Stevens wrote:

Mark Knecht wrote:

You've got two totally different things going on here, Mark.

VPN (virtual private network) is a mechanism whereby two separate
NETWORKS connect together using the public internet as the conduit and
securing the data by using encryption keys.  For example, your work
network and your home network connect together via a VPN.  In that
case, each network has a "router" with one interface on the local
network and the other interface on the VPN:

    worksys1 --+                                  +-- homesys1
    worksys2 --+-- router ---- VLAN ---- router --+-- homesys2
    worksys3 --+                                  +-- homesys3

The two routers must know what type of VLAN is being used and know what
the encryption keys are for it to work.  Any traffic that doesn't go
to a local box gets transmitted by the router via the VLAN to the other
network.

SSH is entirely different.  SSH is essentially telnet with encryption
(it has much more, but that's the easiest way to think of it).  It only
connects one system to another system--it does NOT do networks.

The main thing to remember is that VPNs connect networks to networks,
ssh connects system to system (a.k.a. "point to point").



Rick,
I get what you are saying, so maybe I'm not communicating my perspective
well enough, or not applying your picture clearly enough. I completely get
that the SSH connection is between my Linux box and my Dad's Linux box
(point to point); that's not the question. I was wrong by implying anything
else, even though it was not my intention to do so.


Let's take your diagram, but let's extend it and apply it to how my real
home network (and possibly Brad's) looks, and how my home network works with
Windows VPN clients:


                               ISP DNS
worksys1 --+                      |              +-- (VPN) homesys1
worksys2 --+-- router ---- VLAN --+-- firewall --+-- homesys2
worksys3 --+                      |              +-- homesys3
worksysDNS-+                    Yahoo

First, I don't really have a 'router' at home, as I understand routers. I
have a firewall that is capable of being configured as a router, but I don't
have that button clicked. The M$ VPN link happens without a 'router'.
(Please correct me on this point if I'm wrong as I understand this could be
critical in my getting this.)


Maybe the concept here is that the M$ VPN client is the 'router' in your
diagram for homesys1 only?


When I run M$'s VPN client on homesys1, only homesys1 becomes part of the
worksys network. homesys1 uses worksysDNS and is attached like it's part of
worksys. However, homesys2 & 3 don't know anything about me doing that. If
they want to go to Yahoo, they use ISP_DNS.


When I look at your picture above it is exactly what we do here at
ControlNet. We use this between buildings here and go halfway around the
world at times to other sites. However, that's not what I'm doing at home.
When I turn on the M$ VPN client it has no effect on the connections
homesys2/3 see, except possibly they cannot see me.


Help!!! ;-)


Ahhhhh!  First off, it rather depends on which M$ OS you're running.
The VPN clients for 98 and ME don't support encryption.  The ones for
W2K-based stuff (XP/2K/2003) use L2TP and IPSEC encryption mechanisms,
so make sure your Linux VPN uses the same stuff.  If you can tell us
which Linux VPN stuff you're using, perhaps I can help more.

For some interesting stuff, see:

    http://www.trellisnet.com/Security/Microsoft/vpn.asp
    http://rucs.rutgers.edu/vpn/vpn_files/os_clients.php3

----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens vitalstream com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-             To iterate is human, to recurse, divine.               -
----------------------------------------------------------------------

Please excuse my verbosity, I started writing and got carried away...


Here is my understanding of how VPN works.  For the most part I just
use the VPN client that whoever I'm working for provides and use
their machine to connect so I'm really not too concerned about
getting it to work from a Linux machine at home.

I think that most of the hardware boxes for home use are referred to
as routers though they mostly do just network address translation
and some firewall stuff.  Probably for this discussion you could
simply consider it as a funnel that gets your many machines to
connect to the www via a single connection.

If you think of your network before establishing the VPN connection
it could be something like the diagram below.  Your ISP's DNS server
could be considered to be in the WWW.

I'm fairly certain that your work IT has some sorta firewall set up
and may be using some sorta proxy to get through it.  Though from
what I've seen the need to configure a proxy to get through the
firewall has been done away with but I just added it for fun.

Note that the VPN server at work can be thought of as being both
connected to your work internal network and having a fixed ip
external to the network.  You probably had to configure this ip
address and some sort of userid/pwd in the Windows VPN client.
I've never used the MS one but I've used VPN clients from
Intel, Cisco, etc at different times, sometimes with a separate
SecureId card and sometimes not.  In any case, moving on to the
next diagram.

                                    +---------------- (known ip)
                                    |
sys1 ---+                           |                                     +-- your-sys 1
sys2 ---+-- PROXY -- FIREWALL -- VPN Svr --[ wonderful wide web ]-- NAT --+-- your-sys 2
  .     |                                                                 |     .
sysn ---+                                                                 +-- your-sys n


Shown below, you have started your VPN client and connected to the VPN server.
Interestingly enough it _seems_ as if you have your own private connection to
work. You should have all the access that you had before (www) plus some
additional ip address ranges internal to work granted to you by the VPN server.
So now you should be able to "see" both the WWW and work machines. Your other
your-sys machines should be able to interact with the first machine just the
same as before you started the VPN client.

                                    +---------------- (known ip) <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<+
                                    |                                                                 |
sys1 ---+                           |                                     +-- your-sys 1 (VPN) -------+
sys2 ---+-- PROXY -- FIREWALL -- VPN Svr --[ wonderful wide web ]-- NAT --+-- your-sys 2
  .     |                                                                 |     .
sysn ---+                                                                 +-- your-sys n



Once connected via VPN your-sys 1 will also appear on the work network so, just
like connecting to the WWW, it is prudent to run some sort of firewall on the
machine itself. If you are running Linux then just make sure that
iptables/ipchains (whatever) is config'd appropriately; for Windows there are
a number of products (Symantec and BlackIce come to mind).


See my earlier note about the dangers of VNC on Windows -- It's a no-no
where I'm working now...

So, in a nutshell, I'd just get one of the Linux VPN clients and have
a go at configuring it to connect to your work network and see what
happens...

Mike

P.S. Please don't take this as "gospel" as I am not a networking expert !
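The point the thread keeps circling (only the host running the VPN client "joins" the work network, because the routes and DNS the VPN server hands out land in that one host's routing table and nowhere else) can be shown with a small longest-prefix-match lookup. This is an added illustration, not code from anyone on the thread; the prefixes, interface names and DNS addresses are constructed for the example.

```python
import ipaddress

# Constructed values: "ranges granted by the VPN server" and the two resolvers
# from Mark's diagram (worksysDNS reachable only over the tunnel, ISP DNS for
# everyone else).  None of these addresses come from the thread.
WORK_PREFIXES = ["10.20.0.0/16", "10.30.0.0/16"]
WORK_DNS = "10.20.0.53"      # worksysDNS
ISP_DNS = "203.0.113.53"     # ISP DNS (TEST-NET-3 address, made up)


def base_routes():
    """Routing table of a home box that is NOT running the VPN client
    (homesys2/homesys3 in the thread)."""
    return [
        (ipaddress.ip_network("192.168.1.0/24"), "home_lan"),   # local LAN
        (ipaddress.ip_network("0.0.0.0/0"), "isp_default"),    # via firewall/NAT
    ]


def vpn_routes():
    """Routing table of the one host running the VPN client (homesys1):
    the base table plus the work prefixes pushed by the VPN server,
    pointing at the tunnel interface."""
    extra = [(ipaddress.ip_network(p), "vpn_tunnel") for p in WORK_PREFIXES]
    return base_routes() + extra


def lookup(table, dst):
    """Longest-prefix match, the same decision a kernel makes per packet.
    Returns the next-hop label, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def resolver_for(table):
    """A host only uses the work DNS if its own table routes to it over the
    tunnel; otherwise it keeps using the ISP resolver."""
    return WORK_DNS if lookup(table, WORK_DNS) == "vpn_tunnel" else ISP_DNS
```

With the VPN up, homesys1 sends 10.20.x.x traffic down the tunnel and resolves through worksysDNS, while homesys2's table is unchanged, so the same destination still hits the ISP default route and the ISP resolver: exactly the "homesys2 & 3 don't know anything about me doing that" behaviour described above.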



