Koozali.org: home of the SME Server

office to office vpn

Arby Edi

office to office vpn
« on: August 08, 2002, 10:13:43 PM »
Can someone please point me (or fully explain the howtos) to how I can connect my current 5.1.2 by VPN to another office running another 5.1.2 and have both offices act like we are one big building and network? (Also, each office would use one server's DHCP server so we would all use NAT'd private addresses.) I guess I'm asking, how do the servers stay connected and/or reconnect to each other?

Or am I losing the point of 1 vs 2?  I guess I'm totally lost.

simon

Re: office to office vpn
« Reply #1 on: August 09, 2002, 02:47:36 PM »
Best way is to build a hardware firewall and use IPCop or Smoothwall, which is freeware, and use the VPN feature.
Of course you will need to have one at each end.

Smoothwall will run on a 486 with 32 MB RAM and a 1 GB hard drive (nice program and easy to use).

Gene Cooper

Re: office to office vpn
« Reply #2 on: August 09, 2002, 09:34:04 PM »
I agree with the basic plan a la Simon.

I've used (many times) both Smoothwall and IPCop, which I run myself.  Use IPCop.  There is political baggage attached to Smoothwall.

Or, if it isn't convenient to build the firewalls yourself, or if you think a hardware device with no moving parts is a better idea (as I generally do), look at SnapGear products.  www.snapgear.com

I sell these and I have been using them for years.  They run Linux and they are quite stable and flexible.

G

Todd Pearsall

Re: office to office vpn
« Reply #3 on: August 09, 2002, 10:40:21 PM »
I agree with the others and prefer my firewall and servers to be on separate hardware. Smoothwall is nice, as are the LEAF projects at leaf.sourceforge.net (floppy-disk-based Linux firewalls). But you can do it directly with SME also; the instructions are here: http://myezserver.com/downloads/mitel/contrib/freeswan-0.4/

That will get the two networks talking (be sure to give them different internal network addresses), but they will each be on their own domain, requiring logins on both servers. To see each side of the network you'll need to mess with the Samba remote announce settings or have each PC use both servers and their WINS server.

- Todd
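The "different internal network addresses" point above is what makes a net-to-net IPsec tunnel routable at all: each end must be able to say which private subnet lives behind which public address. The fragment below is an added example of the FreeS/WAN ipsec.conf a practitioner would write for that; it is not the contrib package's own configuration and does not reproduce the linked instructions. The public addresses, the two LAN subnets, the workgroup-independent connection name and the choice of a pre-shared key are all assumptions for illustration.

```ini
# /etc/ipsec.conf -- FreeS/WAN net-to-net tunnel between two SME servers.
# Added example, not the freeswan contrib's own file. Addresses, subnets
# and the connection name are assumptions; replace them with your own.

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload=%search
    plutostart=%search
    uniqueids=yes

conn %default
    keyingtries=0          # retry forever, so the tunnel comes back by itself after an outage
    keylife=8h
    ikelifetime=1h
    authby=secret          # pre-shared key kept in /etc/ipsec.secrets

conn office-a-to-b
    left=203.0.113.10              # office A external (public) address
    leftsubnet=192.168.1.0/24      # office A LAN; must not overlap rightsubnet
    leftnexthop=%defaultroute
    right=198.51.100.20            # office B external (public) address
    rightsubnet=192.168.2.0/24     # office B LAN
    rightnexthop=%defaultroute
    auto=start                     # bring the tunnel up when ipsec starts, not just load it
```

FreeS/WAN decides for itself which of left/right is the local side by matching the addresses against its own interfaces, so the same conn stanza can be installed unchanged on both servers. The matching /etc/ipsec.secrets line on both ends would be of the form `203.0.113.10 198.51.100.20 : PSK "long random passphrase"`, and that file must be readable by root only. `keyingtries=0` together with `auto=start` is what answers the "stay connected and/or reconnect" part of the question: Pluto keeps renegotiating until the peer answers again. If the two offices were given the same subnet, say 192.168.1.0/24 at both ends, no amount of tunnel configuration would help, because neither kernel could tell a local host from a remote one.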

Arby Edi

Re: office to office vpn
« Reply #4 on: August 10, 2002, 01:05:07 AM »
>>That will get the 2 networks talking (be sure to give them different internal network addresses), but they will each be on their own domain requiring logins on both servers. To see each side of the network you'll need to mess with the Samba remote announce settings or have each PC use both servers and their WINS server.


Now you're getting to the good stuff that I just don't understand. OK, I understand setting up a separate firewall/VPN and that will always be connected to the other end VPN/firewall... at least I think I got it. But when you start talking about Samba and WINS server, you're really over my head. Couldn't I just tell the SME that the other end IP address is part of the internal network? Of course I'm not too sure I know what that would do for me... aaahhhhh... too much information.

Todd

Re: office to office vpn
« Reply #5 on: August 10, 2002, 04:25:25 AM »
The 2 server part of the problem has more to do with the default way Samba is setup on SME servers and not to do with being on different sides of a VPN.  

Here I am talking generic Samba. nothing specific to SME.  (folks, please correct me if need be).  

By default, in M$ terms, you are running 2 Win2K Servers as standalone, not as domain controllers or part of a domain, just 2 servers in a workgroup. Just as with M$ servers you would need an ID/PW on each to authenticate and use resources. (In fact in Win9x/Me the IDs and PWs would need to be identical, since Win9x/Me cannot log on as more than one user at a time.)

But wait, you say, Samba can act as a domain controller, so why can't one be the domain controller and the other just a server in the domain or a backup controller? Well, in Samba they can (one be a PDC and the other be a server on the domain, that is), but each user still needs a Linux ID on the box since the Samba IDs get mapped to Linux IDs for filesystem security. There is some new stuff coming (winbind) that will do away with the need for Linux IDs, but I think it's still pretty experimental.

I assume the typical mass Samba server deployment uses something like NIS to replicate Linux users across all systems, then a Samba domain controller to coordinate Windows user logins, but at this point I'm talking past my experience.

The remote announce stuff I mentioned for Network Neighborhood should be pretty easy to add as an SME template for Samba; see samba.org for the syntax and the document here on modifying SME templates if need be.

The users will be the real challenge.  I see 2 options:

1) For a low number of users.  Set them up on both servers and show them how to change their passwords on each to keep them in sync.

2) Check the archives and ask around if there is a way to either synchronize the users between the systems or make the addition of a user on one system trigger the addition of the user on the other. This sounds scary to me.

Sorry for no straight forward answer.  I suggest doing a lot of reading on Samba to get a comfort level with it.

- Todd
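The remote announce and WINS settings referred to in the post above, as an added example that is not SME's template output and not the poster's configuration. It assumes the two LANs are 192.168.1.0/24 (office A, server 192.168.1.1) and 192.168.2.0/24 (office B, server 192.168.2.1), that both servers use the workgroup name OFFICE, and that each SME server is the local master browser of its own LAN. The SME custom-template path mentioned in the comments is also an assumption about where such a fragment belongs.

```ini
# smb.conf fragment for the office A server -- added example, not SME's
# own template output. Subnets, server addresses and the workgroup name
# are assumptions. On SME this goes into a custom template fragment
# (assumed path: /etc/e-smith/templates-custom/etc/smb.conf/) rather than
# into smb.conf itself, or the next template expansion overwrites it.

[global]
    workgroup = OFFICE

    # Announce this server to office B's master browser (the B SME
    # server) across the tunnel, so B's Network Neighborhood lists it.
    # A unicast address is used instead of B's broadcast address so the
    # announcement does not depend on directed broadcasts being forwarded
    # through the VPN.
    remote announce = 192.168.2.1/OFFICE

    # Swap browse lists with office B's master browser so each side's
    # machines appear on the other side too.
    remote browse sync = 192.168.2.1

    # Office A runs the single WINS server for both sites. "wins support"
    # and "wins server" must never both be set on the same server.
    wins support = yes
```

The office B counterpart is the mirror image: `remote announce = 192.168.1.1/OFFICE`, `remote browse sync = 192.168.1.1`, and, since A is the WINS server, `wins support = no` with `wins server = 192.168.1.1`. Clients at both offices then get 192.168.1.1 as their WINS server (the DHCP-served option on each SME), so NetBIOS names on either side resolve by unicast across the tunnel instead of by broadcast, which never crosses the VPN. Browsing and name resolution are solved by this; logins are not, which is why the user-synchronization question in the post still stands: a user visible in both Network Neighborhoods still needs an account, and a matching password, on whichever server holds the share.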

Arby Edi

Re: office to office vpn
« Reply #6 on: August 10, 2002, 06:04:11 AM »
Wow, I didn't expect that... awesome, and thank you very much. Actually I'm the one who sets up the users and we only have a handful, so syncing shouldn't be a problem. OK, I think I know enough to cause some havoc. Thank you again.