May 20, 2003
There is not much documentation as to what constitutes a Virtual Private Network (VPN). VPNs can be implemented using a number of different technologies, each with its own strengths and weaknesses. This article presents a number of scenarios, and strategies for implementing a VPN for each scenario.
This scenario has the following premise:
There are at least two sites.
Both sites are using IP internally.
Both sites are connected to the Internet, through a gateway that is running FreeBSD.
The gateway on each network has at least one public IP address.
The internal addresses of the two networks can be public or private IP addresses. The gateway machine can be running Network Address Translation (NAT, see Handbook) if necessary.
The internal IP addresses of the two networks should NOT collide. While it is expected to be theoretically possible to achieve this by using a combination of VPN and NAT technology, it would be a configuration nightmare.
If both of the networks are using the same private IP address range (e.g., both are using 192.168.1.x), then one of the networks will have to be renumbered.
The network topology for this scenario will look similar to the ASCII diagram below:
Network #1 [ Internal Hosts ]    Private Net, 192.168.1.2-254
           [ Win9x/NT/2K ]
           [ UNIX ]
             |
             |
         .---[fxp1]---.  Private IP, 192.168.1.1
         |  FreeBSD   |
         `---[fxp0]---'  Public IP, A.B.C.D
             |
             |
           -=-=- Internet -=-=-
             |
             |
         .---[fxp0]---.  Public IP, W.X.Y.Z
         |  FreeBSD   |
         `---[fxp1]---'  Private IP, 192.168.2.1
             |
             |
Network #2 [ Internal Hosts ]
           [ Win9x/NT/2K ]    Private Net, 192.168.2.2-254
           [ UNIX ]
Notice the two public IP addresses. Letters have been used to refer to them in the rest of this article; that combination of letters should be replaced with your real public IP addresses. It should also be noted that both gateways have distinct private IP addresses (192.168.1.x and 192.168.2.x, respectively). All the machines in the private networks have been configured to use the gateway. From a network point of view, each network should view the machines on the other network as though they were directly attached to the same router, albeit a slightly slow router with an occasional tendency to drop packets. This means, for example, that machine 192.168.1.20 should be able to run:
% ping 192.168.2.34
and have it function transparently. Microsoft Windows machines should be able to see the machines on the other network, browse file shares, etc., in exactly the same manner that they can browse machines on the local network. All of this has to be secure, thus the traffic has to be encrypted.
Creating a VPN between these two networks is a multi-step process. The stages are as follows:
Create a ``virtual'' network link between the two networks, across the Internet. Test this virtual link with the ping(8) utility, to make sure it is functioning.
Apply security policies to ensure that traffic between the two networks is transparently encrypted and decrypted as necessary, and test this using tools like tcpdump(1), in order to ensure that the traffic is encrypted.
Configure additional software on the FreeBSD gateways, to allow Microsoft Windows machines to see one another across the VPN.
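As an added example that is not part of the original article, the following Python builds the matching gif(4) tunnel and setkey(8) security policy for both gateways from the addresses in the diagram above, first rejecting the colliding internal ranges the premise rules out. The Gateway type, the function names, the choice of the gateways' private addresses as gif endpoints, and the 255.255.255.255 netmask are assumptions of this example.

```python
"""Generate symmetric gif/setkey configuration for the two FreeBSD
gateways of the scenario above (example code, not the article's own)."""
import ipaddress
from typing import NamedTuple


class Gateway(NamedTuple):
    public: str    # public address on fxp0 (A.B.C.D / W.X.Y.Z in the article)
    private: str   # gateway's own inside address on fxp1
    network: str   # internal network behind the gateway, CIDR


def check_premises(a: Gateway, b: Gateway) -> None:
    """Reject what the article rules out: overlapping internal ranges,
    or a gateway whose inside address is not part of its own network."""
    net_a, net_b = ipaddress.ip_network(a.network), ipaddress.ip_network(b.network)
    if net_a.overlaps(net_b):
        raise ValueError(f"internal networks overlap: {net_a} / {net_b}; renumber one")
    for gw, net in ((a, net_a), (b, net_b)):
        if ipaddress.ip_address(gw.private) not in net:
            raise ValueError(f"{gw.private} is not inside {net}")


def gateway_config(local: Gateway, remote: Gateway) -> list[str]:
    """Commands for ONE gateway. Stage 1 is the plain gif tunnel (still
    unencrypted); stage 2 requires ESP in tunnel mode, in both directions,
    for every packet between the two internal networks."""
    return [
        "ifconfig gif0 create",
        f"ifconfig gif0 tunnel {local.public} {remote.public}",
        f"ifconfig gif0 inet {local.private} {remote.private} netmask 255.255.255.255",
        f"route add -net {remote.network} {remote.private}",
        "setkey -c <<EOF",
        f"spdadd {local.network} {remote.network} any -P out ipsec "
        f"esp/tunnel/{local.public}-{remote.public}/require;",
        f"spdadd {remote.network} {local.network} any -P in ipsec "
        f"esp/tunnel/{remote.public}-{local.public}/require;",
        "EOF",
    ]


def site_configs(a: Gateway, b: Gateway) -> dict[str, list[str]]:
    """Both gateways' command lists, keyed by public address. Each side's
    'out' policy is the mirror image of the other side's 'in' policy."""
    check_premises(a, b)
    return {a.public: gateway_config(a, b), b.public: gateway_config(b, a)}


# Placeholder addresses taken from the article's diagram.
SITE_A = Gateway("A.B.C.D", "192.168.1.1", "192.168.1.0/24")
SITE_B = Gateway("W.X.Y.Z", "192.168.2.1", "192.168.2.0/24")
```

Once the policy is loaded, traffic between 192.168.1.20 and 192.168.2.34 observed with tcpdump(1) on fxp0 should appear only as ESP between A.B.C.D and W.X.Y.Z, not as the inner cleartext.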
This, and other documents, can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.