
Re: Freeswan Configuration



On Tue, Mar 26, 2002 at 01:47:09PM +1000, Bradley Marshall wrote:
> This is all well and good, apart from the fact that it breaks remote
> name resolution.  To set this up properly, you need to create a VPN
> from the client router to the office subnet.  See my reply message to
> the explanation of the VPN setup at Dave and Berns place for an
> example config.

To really understand what's happening here, we're going to delve into
some ASCII art.

+----+    +----+   internet   +----+   +----+
| S1 |----| R1 |<------------>| R2 |---| S2 |
+----+    +----+              +----+   +----+

In the first case, we had set up a VPN between S1 and S2.  This was all
well and good, apart from the fact that the DNS server was on R1, and
needed to see S2.  So, we set up the R1->S2 VPN.  In the general case
this shouldn't be a problem, as the DNS server is rarely on the
router - only in a home situation does this really make sense.

For completeness and to allow all hosts to see all subnets and vice
versa, we would need 4 VPNs, as follows:

  S1 <-> S2
  R1 <-> R2
  S1 <-> R2
  S2 <-> R1

However, we can get away in general with a subset of these.

Thanks,
Brad
-- 
+=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|Brad Marshall                    |           Plugged In Software|
|Senior Systems Administrator     |     http://www.pisoftware.com|
|mailto:bmarshal@pisoftware.com   |  GPG Key Id: 47951BD0 / 1024b|
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
 Fingerprint:  BAE3 4794 E627 2EAF 7EC0  4763 7884 4BE8 4795 1BD0
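
The four tunnels listed in the message above, written out as FreeS/WAN conn sections for ipsec.conf. This is an added example, not part of the original post: the addresses, next hops, connection names and key values are constructed placeholders, with left standing for R1 (in front of subnet S1) and right for R2 (in front of subnet S2), and the config setup section is omitted.

```conf
# ipsec.conf conn sections (constructed example, placeholders throughout)
#   left  = R1, public 192.0.2.1,    gateway for S1 = 10.1.0.0/24
#   right = R2, public 198.51.100.1, gateway for S2 = 10.2.0.0/24

conn %default
    left=192.0.2.1
    leftnexthop=192.0.2.254
    right=198.51.100.1
    rightnexthop=198.51.100.254
    authby=rsasig
    leftrsasigkey=0sPLACEHOLDER_R1_PUBLIC_KEY
    rightrsasigkey=0sPLACEHOLDER_R2_PUBLIC_KEY

# S1 <-> S2: hosts behind R1 reach hosts behind R2
conn s1-s2
    leftsubnet=10.1.0.0/24
    rightsubnet=10.2.0.0/24
    auto=start

# R1 <-> R2: traffic between the two gateways themselves
# (no leftsubnet/rightsubnet, so each end is just the gateway address)
conn r1-r2
    auto=start

# S1 <-> R2: hosts behind R1 reach services running on R2
conn s1-r2
    leftsubnet=10.1.0.0/24
    auto=start

# S2 <-> R1: the case from the message, where a DNS server
# running on R1 itself needs to see the S2 subnet
conn r1-s2
    rightsubnet=10.2.0.0/24
    auto=start
```

Each tunnel is a separate policy because a packet sourced from the gateway's own public address does not match a subnet-to-subnet selector; dropping a section removes exactly that path, which is the "subset" the message refers to.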