I have just finished work on a project that involved building quite a complex
VPN infrastructure between multiple sites, using a partial mesh technology.
This was based on a bunch of embedded PCs acting as VPN gateways/routers/
firewalls. I had originally considered using m0n0 for this project, but
dismissed the idea fairly early on because of the lack of functionality to
support a complex VPN routing scenario. The project was done using OpenBSD
and IPIP tunnels (using the gre(4) device) with security from IPsec transport
mode.
I have used the same technique in the past, using either GRE or IPIP tunnels.
The main benefits of this approach are:
- The tunnel is seen by the OS as an interface, so it can be the target of
routing tables, firewall rules, etc.
- You can run a routing protocol, such as RIP or OSPF, across the tunnels to
build a multi-path mesh network (also to keep the tunnel alive).
- It interoperates with Cisco routers (GRE) and Microsoft RRAS (using either
GRE or IPIP).
Now that the system is up and running, I was thinking how much nicer it would
have been for the users if they could interact with the system via the m0n0
GUI. So, I have been doing some digging around inside m0n0's IPsec
implementation and I think I can get the same system to work pretty easily
using m0n0.
Is there a view on the value of doing this? Would people use it if it was
there? Does anybody have an alternative strategy they would like to share
with us?
I have some 'spare' time coming up in the near future when the OpenVPN stuff
is finished and could have a go at getting this system working within the
next couple of months.
Peter
--
----------------------------------------------------------------------------
Peter Curran
Close Consultants
Leveraging Internet Technology for Businesses
p: +44-1225-463700
f: +44-1225-463705
e: peter at closeconsultants dot com
sip: peter at closeconsultants dot com
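The tunnel-plus-transport-mode-IPsec arrangement described in the post, written out as an added example for one OpenBSD gateway (not the author's configuration). It assumes an OpenBSD release with ipsecctl(8)/ipsec.conf(5) and ospfd(8), plain GRE encapsulation on gre0, and constructed documentation addresses: site A's public address 192.0.2.1, site B's 198.51.100.1, and a /30 tunnel subnet 10.255.0.0/30 (site B mirrors every address pair).

```conf
# /etc/sysctl.conf -- gre(4) refuses to pass traffic until this is enabled
net.inet.gre.allow=1

# /etc/hostname.gre0 (site A) -- the tunnel is an ordinary interface, so
# routes, pf rules and the routing daemon can all reference gre0
tunnel 192.0.2.1 198.51.100.1
inet 10.255.0.1 255.255.255.252 10.255.0.2
up

# /etc/ipsec.conf (site A) -- ESP in transport mode, restricted to the GRE
# packets exchanged between the two gateway addresses. Transport mode
# protects only this gateway-to-gateway flow; everything routed through
# the tunnel is protected because it rides inside those GRE packets.
ike esp transport proto gre from 192.0.2.1 to 198.51.100.1 \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes \
    psk "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# /etc/pf.conf (site A, excerpt) -- accept IKE and ESP from the peer on the
# external interface, but accept GRE only after it has been decrypted
# (decrypted packets appear on enc0). Unprotected GRE arriving directly on
# the external interface is dropped, so nothing can inject tunnel traffic
# around the IPsec protection.
ext_if = "em0"
pass in on $ext_if proto udp from 198.51.100.1 to 192.0.2.1 port isakmp
pass in on $ext_if proto esp from 198.51.100.1 to 192.0.2.1
pass in on enc0 proto gre from 198.51.100.1 to 192.0.2.1 keep state
block in on $ext_if proto gre
pass on gre0

# /etc/ospfd.conf (site A) -- run OSPF across the tunnel so the partial
# mesh converges on alternate paths and dead tunnels are detected
router-id 10.255.0.1
area 0.0.0.0 {
    interface gre0 {
        hello-interval 10
        router-dead-time 40
    }
    interface em1
}
```

The same files at site B swap 192.0.2.1 and 198.51.100.1 and use 10.255.0.2 as the local tunnel address.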