Koozali.org: home of the SME Server

VPN sme7 to sme7?

CKConsulting

« on: March 10, 2006, 05:56:12 PM »
Has any one tried setting up a VPN tunnel SME7 to SME7?

If so what did you use?

Thanks
Rick

electroman00
« Reply #1 on: March 12, 2006, 07:20:23 PM »
CKConsulting

I think that, that avenue of system design may possibly not be as ideal as
one may design.

You could consider two vpn firewall devices with DMZ capability.

Then a whole new world of system security suddenly becomes evident.

SME Lan><SME server><VPN><SME server><SME Lan

Simply put a HACKERS dream come true..!!

Two for the price of one.

I can think of at least a dozen reasons for a system design that includes a
vpn firewall device.

All of those reasons would contain the words "improved system security".

While at the same time, providing added flexibility.


Local Lan>  <vpn firewall>   <Internet VPN>   <vpn firewall>  <Local Lan


<SME server><DMZ vpn firewall>   <DMZ vpn firewall><SME server>


Servers then are isolated from Lans on both sides of the tunnel.
All servers on both sides of the tunnel are accessible via a single tunnel.

That's 508 servers accessible thru a single tunnel, on two different subnets, 254 each side.

Ok...so likelihood is 1-4 servers each side with "improved system security".

Not a design one should overlook.

A server by nature that provides services i.e Website

(opens port 80 for EXTERNAL ACCESS) leaves the front door wide open

so to speak.

Ultimately the jewelry is left on the table (aka Lan clients) for the taking.

Forrest Gump said it best....

"Stupid is what stupid does"

You can do it if you want to.

Most all linux firewall distros provide DMZ & VPN capability.

Two that I know work very well are Smoothwall & IPcop.
Powerful and easy to setup VPN.

There are also some small box units that fit the bill here also.
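
The "<SME server><DMZ vpn firewall>" layout argued above, as an added example that is not part of the original post: a minimal iptables FORWARD policy for one of the two DMZ/VPN firewalls, in which the SME server sits alone on a DMZ leg, is reachable from the Internet only on its published port, from the local LAN and from the remote site through the tunnel, and can never open connections into either LAN. Interface names (eth0 Internet, eth1 LAN, eth2 DMZ, tun0 VPN) and the DMZ address 192.0.2.10 are assumptions; set DRY_RUN=1 to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread or from Smoothwall/IPcop.
# Assumed interfaces: eth0 = Internet, eth1 = local LAN,
# eth2 = DMZ holding the SME server, tun0 = site-to-site tunnel.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
DMZ=${DMZ:-eth2}
VPN=${VPN:-tun0}
DMZ_SERVER=${DMZ_SERVER:-192.0.2.10}   # constructed documentation address

# Wrapper: with DRY_RUN=1 the rule is printed, otherwise applied.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dmz_firewall_rules() {
    # Default deny for everything routed through the box.
    ipt -P FORWARD DROP
    # Replies to connections already allowed below.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Internet may reach only the published web service on the DMZ host
    # (the "port 80 for EXTERNAL ACCESS" case from the post).
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -d "$DMZ_SERVER" -p tcp --dport 80 -j ACCEPT
    # Local LAN clients may open connections to the DMZ server.
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -j ACCEPT
    # Remote site, arriving through the tunnel, may reach the DMZ server.
    ipt -A FORWARD -i "$VPN" -o "$DMZ" -j ACCEPT
    # Local LAN may cross the tunnel to reach the remote site's DMZ server.
    ipt -A FORWARD -i "$LAN" -o "$VPN" -j ACCEPT
    # Isolation: a compromised DMZ server cannot initiate into either LAN,
    # nor across the tunnel, nor out to the Internet.
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP
    ipt -A FORWARD -i "$DMZ" -o "$VPN" -j DROP
    ipt -A FORWARD -i "$DMZ" -o "$WAN" -j DROP
    # Tunnel traffic never lands on local LAN clients directly.
    ipt -A FORWARD -i "$VPN" -o "$LAN" -j DROP
}

# Returns 0 when the DRY_RUN output contains every rule that keeps the DMZ
# host isolated from the LAN, so the policy can be checked before applying.
check_isolation() {
    rules=$(DRY_RUN=1 dmz_firewall_rules)
    echo "$rules" | grep -q -- "-i $DMZ -o $LAN -j DROP" || return 1
    echo "$rules" | grep -q -- "-i $DMZ -o $VPN -j DROP" || return 1
    echo "$rules" | grep -q -- "-i $WAN -o $DMZ -d $DMZ_SERVER -p tcp --dport 80 -j ACCEPT"
}
```

Run `DRY_RUN=1 sh thisfile.sh` after appending `dmz_firewall_rules` to review the rules; without DRY_RUN it needs root and a host where the assumed interfaces exist.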

MSmith
« Reply #2 on: March 13, 2006, 08:36:16 AM »
I think OpenVPN is being looked at by various clever contrib-writing types ... you might search the forums for that.  There used to be a FreeS/WAN contrib that worked great but development on that was stopped at around SME version 5.6.

As for electroman's diatribe, I don't really think SME's security is compromised by adding a site-to-site VPN.  Historically, IMHO, the only reason the GPL version of SME doesn't include such a capability right out of the box is that Mitel quite correctly wanted to have SOMEthing they could sell as a value-added extra!
...

electroman00
« Reply #3 on: March 14, 2006, 05:36:18 PM »
Quote from: "MSmith"
I think OpenVPN is being looked at by various clever contrib-writing types ... you might search the forums for that.  There used to be a FreeS/WAN contrib that worked great but development on that was stopped at around SME version 5.6.


What I have gleaned from your statement was basically you have no experience with VPN of two SME servers
or DMZ/VPN capable firewalls.
DMZ/VPN capable firewalls are one of the many mainstream solutions
and all solutions of this nature should be considered for any system
deployment of any size including a single server setup IMHO.
I simply presented Smoothwall & IPcop as possible low cost options for
Home or Commercial environments.
Although there are more expensive solutions/options available.
With Smoothwall & IPcop the software is free for home use, so it becomes
a matter of hardware and desire and need.

Hardware is in some cases, the old system on the storage shelf collecting dust and the desire to put it to good use late in the game.

If one has a need for increased system security (basically bullet proof)
and ease of system management then all that needs to be said is...

Try it...!!

If your only need is a VPN then it's the perfect solution to the problem and
system security and management are just extras.

You always have the option of disabling the extras.

You always have the option of dealing with viruses, worms, spam, spam
engines, pop ups, identity theft and the entire evil empire on the internet.

We did set up a VPN of two SME servers for evaluation and testing.
Results that became evident were, that network setup failed to provide basic Network system security
required to be able to deploy the setup in a Home or Commercial environment.
However I'm not saying one cannot deploy the setup in a Home or Commercial environment.
Also I am not stating or implying that there is any security flaw within SME server and I assume any
experienced Network Administrator already knows that.
Simply the risk is too high to ensure long term Network Administrator employment or customer relations.
Again I assume an experienced Network Administrator already knows that.

Quote from: "MSmith"
As for electroman's diatribe,


Due to the vagueness of the statement I'm not sure what you considered to be abusive in my post, so if you
would be so kind as to point out what it was, I would be more than happy to edit my post and repost within this thread.


Quote from: "MSmith"
I don't really think SME's security is compromised by adding a site-to-site VPN.


Well I re-read the post and can't see where I made the statement....

Quote
SME's security is compromised by adding a site-to-site VPN.


So again if you would point it out, I would be more than happy to edit my post.

Quote from: "MSmith"
Historically, IMHO, the only reason the GPL version of SME doesn't include such a capability right out of the box is that Mitel quite correctly wanted to have SOMEthing they could sell as a value-added extra!


That certainly is a valid hypothesis, not sure if it could / would be validated by anyone.
Not sure if I could / would limit to just that one.
I can think of several other reasons, however I don't believe this thread would be a good place to debate it, possibly you could consider starting
another thread, I feel I would have difficulty debating without
a basis of factual information from Mitel and anything I might present
would simply be another hypothesis.

As I have said once you indicate the problem areas in my post I will make edits and repost in this thread.

I apologize in advance to anyone whom I may have offended in any way.

MSmith thank you for your input and understanding.

As always

hanscees
« Reply #4 on: March 16, 2006, 09:51:10 PM »
nl.linkedin.com/in/hanscees/