Koozali.org: home of the SME Server

IP subnets and VPN

Offline Brenno

IP subnets and VPN
« on: March 30, 2004, 05:06:34 AM »
Folks,

I'm trying to set up a 4-office IPSec VPN for work.  Currently, 3 offices have no provisions for this, so I'm starting carte blanche.  My office is using a SnapGear SME 530 as our VPN/firewall/gateway appliance and it works well.  It has IPSec capability via FreeS/WAN.

I've tried to connect with IPSec to my e-smith 6.0b2 box at home, which I installed FreeS/WAN on by following the instructions in Darrel May's howto.  I can't connect!

After much reading/researching online, I've come up with one question I'm hoping forum users can answer:

Do the internal IP address ranges for the two tunnel endpoints have to be similar?  My office uses a 193.1.1.x subnet and at home I use 192.168.0.x.  (They use a routable subnet at work because the network is so old that it was numbered before the 193 range became public domain!)

All the sample configurations I've found online indicate one office as being 192.168.0.x and another as 192.168.1.x and so on.

All PCs/servers at work have static internal IPs; at home, they're DHCP-assigned by the e-smith box.  Both locations have static external IPs.

Ultimately, I can reconfigure the office to use DHCP and a 192.168.1.x subnet, but this is not possible at this time.  I'm also hoping to replace the SnapGear with another e-smith box.

Anybody have any suggestions?  I've raked the forums looking for this, but can't find it.

Much thanks in advance!

Offline Boris

IP subnets and VPN
« Reply #1 on: March 30, 2004, 11:59:58 AM »
All internal networks should be on different subnets.
You will save yourself a lot of time and frustration if you just get four Netgear FVS318 (<$150) or FVM318 (<$300) boxes and set up (easy) VPNs between them. If you need SME as a file/mail/web etc. server, use them for that purpose.
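As an added illustration of the subnet point above (this is not code from the thread), a small planning check that flags the two things the original post runs into: two sites sharing address space, and a LAN numbered from a globally routable range such as 193.1.1.x. The four site names and the two "branch" subnets are assumed for the example.

```python
from ipaddress import ip_network

# Constructed example: the office (193.1.1.0/24, a globally routable range)
# and the home LAN (192.168.0.0/24) are from the thread; the two branch
# subnets are hypothetical, with branch-b deliberately colliding with home.
SITES = {
    "office":   "193.1.1.0/24",
    "home":     "192.168.0.0/24",
    "branch-a": "192.168.1.0/24",
    "branch-b": "192.168.0.0/24",
}


def check_vpn_subnets(sites):
    """Return a list of (kind, site, other) warnings for a multi-site VPN plan.

    'overlap': two sites share address space, so packets for that range
               cannot be routed unambiguously across the tunnel.
    'public':  a site uses non-RFC1918 space; hosts on the real Internet
               owner of that range become unreachable from every site.
    """
    nets = {name: ip_network(cidr, strict=True) for name, cidr in sites.items()}
    warnings = []
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                warnings.append(("overlap", a, b))
    for name, net in nets.items():
        if not net.is_private:
            warnings.append(("public", name, str(net)))
    return warnings


if __name__ == "__main__":
    for kind, site, detail in check_vpn_subnets(SITES):
        print(f"{kind:8} {site:10} {detail}")
```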

Offline Brenno

IP subnets and VPN
« Reply #2 on: March 30, 2004, 03:47:46 PM »
Boris,

I see a lot of recommendations for using e-smith in conjunction with separate VPN appliances.

My question is why would one want to spend an extra $1,000 on appliances when e-smith can perform the same functions?  Is there some inherent instability or flaw in e-smith that makes IPSec more of a pain than it's worth?

I did toy with buying one of these http://www.cyberguard.com/snapgear/lite.html as they are inexpensive ($259 Cdn.)

Can anyone with experience in this recommend which route to take?

Offline bushinc

VPN/Gateway Services Split from SME Server
« Reply #3 on: March 30, 2004, 08:30:42 PM »
> Is there some inherent instability or flaw in
> e-smith that makes IPSec more of a pain than
> it's worth?

I used freeswan on 5 sme5.x servers for two years without any issues.  I decided to move to a separate firewall for a couple of reasons.  First, IPSEC was included with the distro I chose (IPCOP) so upgrades carry my configuration forward.  Second, I feel more secure having a full featured firewall with frequent updates sitting between my internal network and the Internet.

Offline Boris

IP subnets and VPN
« Reply #4 on: March 30, 2004, 09:26:39 PM »
Quote from: "Brenno"
I see a lot of recommendations for using e-smith in conjunction with separate VPN appliances.

Because the current version of SME doesn't include an easy-to-configure IPSec VPN option and appliances do.

Quote from: "Brenno"
My question is why would one want to spend an extra $1,000 on appliances when e-smith can perform the same functions?  Is there some inherent instability or flaw in e-smith that makes IPSec more of a pain than it's worth?

It really depends on what your time is worth. My clients cannot afford me spending hours on manually configuring multi-site VPNs with SME. They prefer me buying an appliance for them and being done in an hour or so.

Quote from: "Brenno"
I did toy with buying one of these http://www.cyberguard.com/snapgear/lite.html as they are inexpensive ($259 Cdn.)

I’ve never tried this particular model. It may do just as well.
Quote from: "Brenno"
Can anyone with experience in this recommend which route to take?

18 years in IT and last 10 of them in intensive networking consulting and system integration is not enough experience? :-o

Offline Brenno

IP subnets and VPN
« Reply #5 on: March 30, 2004, 09:43:33 PM »
Boris and bushinc,

Thanks for your replies.  I don't have any experience in doing this sort of thing - I was kind of "appointed" to the task as I'm the most knowledgeable in the office :)

For e-smith, I was planning on using FreeS/WAN since I know IPSec isn't supported by default. But, the more I think of it, it's actually less expensive to go the VPN appliance route as the other 3 locations in question do not have hardware yet for an e-smith machine.

We've had our SnapGear unit working here as a firewall/gateway/PPTP server for over a year and it's been rock solid.

IPCop sounds intriguing, too, as it's frequently mentioned on these forums and definitely bears a closer look.

Whatever route I take, I'd like to use a homogeneous solution for all 4 locations as this makes deployment and management easier.

Again, thanks for contributing based on your experience.  That's what makes forums like this so invaluable for someone like me.

Keep the suggestions coming!!

Offline Boris

IP subnets and VPN
« Reply #6 on: March 30, 2004, 10:12:00 PM »
Just another piece of advice if you're going to use appliance firewalls for it. Get one extra as a spare unit in case that vendor changes models or you need a quick replacement. Keep the config files ready for easy uploading to the spare unit, and ship it / take it to that location for replacement. With the prices like they are now, it is well worth it.

Offline Brenno

IP subnets and VPN
« Reply #7 on: March 30, 2004, 11:51:16 PM »
Boris,

That's actually a great idea.  It was something I was mulling over in the back of my mind already but it's nice to see somebody with more experience vocalize the same thing.

Thanks again!

wallyrp

SME & VPN
« Reply #8 on: April 01, 2004, 12:58:54 AM »
:hammer:

Good Evening,

Here's my two cents. I have had great success with v5.1.2 and setting up a VPN. It only takes an hour or so to do it with dmay's very professional how-to. The problem that I'm having now is that, evidently there are some very visible exploits for 5.1.2 and I think my boxes are being compromised by an inside virus or worm. It could also be from outside, not 100% sure. I'm going to try and setup a VPN with SME 6.0 (contribs version) tonight and hope to have success. If not, I'm going the $75 or so appliance route.

Later,

Wally

Offline Boris

IP subnets and VPN
« Reply #9 on: April 01, 2004, 05:42:47 AM »
It was easy on the older versions and I've done it myself as well, but now there is no working easy panel to configure it and the price of appliances has dropped so much that it's not worth doing it the hard way any more.

Offline Brenno

IP subnets and VPN
« Reply #10 on: April 01, 2004, 06:46:06 PM »
Even though I was able to get FreeS/WAN installed on SME 6.0b2, I was unable to get it working at all when trying to connect to the SnapGear here at work.  Curiously enough, the SnapGear also uses FreeS/Wan for IPSec, which is why I had trouble understanding why they wouldn't connect.

Add to this the fact that remote management of either service was unavailable while the tunnel was "connected." This meant that tweaks were very difficult as I couldn't access one location from the other!

Offline sonoracomm

IP subnets and VPN
« Reply #11 on: April 01, 2004, 07:57:59 PM »
Just my two cents...

Those SnapGear boxes are great.  I love those things and I have set up numerous IPsec VPN connections with them to various other devices...though not SME servers.

In general, we do not put SME servers on the 'edge'.  We don't use them as gateways...we usually use SnapGear devices for that.  We don't use SME servers as IPsec endpoints.  We use SnapGears...  If you're installing one at home, maybe then, but I still use an external gateway/FW/router even at home.

Setting up IPsec tunnels has, in the past, been a bit odd and often requires trial and error methodology to get them up.  But once they're up, they are virtually always quite stable.  SnapGear to SnapGear has always been quite simple.

G

Offline Boris

IP subnets and VPN
« Reply #12 on: April 01, 2004, 10:40:48 PM »
That is exactly my point as well.
Spend a little on the router, configure it and go on with your life.
There are many other things to do instead of spending countless hours configuring IPSec on the newer SME server for very little benefit in return.