On Sun, 2006-03-05 at 06:10 +0100, Franck Y wrote:
> Hello,
> I have some problems regarding VPN; it's more like an "understanding problem".
>
> I have at the office a server running on FC4 (Fedora Core 4), with
> Samba with the proper policies.
> Due to the growth of the business, I'd like to give access to the
> server through the Internet. I'm totally lost about the options that I have:
> OpenVPN/IPsec, OpenVPN/SSL, OpenVPN/PPT...
>
> What is the best solution for this configuration? The other thing is
> that the clients are on Win2000, XP Home, XP Pro.
>
> Several users are using software that requires a Windows server, but
> Samba acts like one.
> <snip>

This can be a bit confusing when starting and really depends on your environment. We have looked at this very extensively in the ISCS open source network security management project (http://iscs.sourceforge.net). There is an extensive table comparing IPsec and OpenVPN on the Generic Linux PEP Installation page. You can retrieve that document either through CVS or by downloading the source tarball and looking in the docs directory.

In briefest summary, IPsec is more complicated but better performing and allows interoperability with a greater variety of vendors. We generally use it for LAN-to-LAN connections. IPsec or IPsec/L2TP can both be used for Road Warriors, but it introduces significant complexity in managing the IP address space. For example, the former cannot tolerate two users behind different NAT gateways with the same private address (very common nowadays with wireless broadband routers), while the latter cannot tolerate multiple users behind the same NAT gateway.

OpenVPN is simpler and generally the preferable solution for Road Warrior connections. It solves virtually all the IPsec and IPsec/L2TP issues, but at the cost of performance and interoperability - it is a solution unto itself even though it is open source. It is a very good solution and we have been thrilled with our success over the last few months of using it in production.

Jon gave you some good guidelines in his reply. However, I would not suggest bridging for Samba traffic and network browsing. That will push all kinds of background garbage across the VPN connection - tolerable on a LAN but wasting precious bandwidth on a WAN or Remote Access connection. Instead, use WINS, enable NetBIOS (alas, needed even in a 100% Active Directory network to support network browsing) and edit the user registry to not be a Master Browser and to not maintain the browse list. Specifically:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\IsDomainMaster set to FALSE
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList set to FALSE

That should allow you to browse Windows shares without requiring broadcast traffic across the VPN.

Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

Financially sustainable open source development
http://www.opensourcedevel.com

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
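The registry change John describes, scripted as an added example (not code from the thread or from the ISCS project) so it can be applied and verified on a Windows client from an elevated PowerShell session. It assumes the documented string values for these two Browser service parameters: IsDomainMaster takes TRUE/FALSE, while MaintainServerList takes Yes/No/Auto, so "No" is used where the reply says FALSE.

```powershell
# Added example: stop a VPN client from electing itself Master Browser or
# keeping a browse list, so Samba shares are browsed via WINS instead of
# broadcast traffic across the tunnel. Assumes an elevated session.
$BrowserKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Browser\Parameters'

# Documented REG_SZ values (assumption stated in the lead-in):
# IsDomainMaster = TRUE|FALSE, MaintainServerList = Yes|No|Auto.
$Desired = @{
    IsDomainMaster     = 'FALSE'
    MaintainServerList = 'No'
}

function Set-BrowserClientOnly {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    if (-not (Test-Path $BrowserKey)) {
        throw "Browser service key not found: $BrowserKey"
    }

    foreach ($name in $Desired.Keys) {
        $current = (Get-ItemProperty -Path $BrowserKey -Name $name `
                        -ErrorAction SilentlyContinue).$name
        if ($current -eq $Desired[$name]) {
            Write-Verbose "$name already set to $current"
            continue
        }
        # -WhatIf shows the change without writing it.
        if ($PSCmdlet.ShouldProcess("$BrowserKey\$name",
                "set to $($Desired[$name]) (was '$current')")) {
            Set-ItemProperty -Path $BrowserKey -Name $name `
                -Value $Desired[$name] -Type String
        }
    }
}

function Test-BrowserClientOnly {
    # Returns $true only when both values match the desired settings.
    $props = Get-ItemProperty -Path $BrowserKey
    foreach ($name in $Desired.Keys) {
        if ($props.$name -ne $Desired[$name]) { return $false }
    }
    return $true
}

Set-BrowserClientOnly -Verbose
if (Test-BrowserClientOnly) {
    # The Computer Browser service reads these values at start-up.
    Restart-Service -Name Browser -ErrorAction SilentlyContinue
    'Browser parameters applied'
}
```

Run it once with `Set-BrowserClientOnly -WhatIf` to preview the writes on a machine where the values differ.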