vpn and pf
I'm going to start working on a quite complex network and I'll work with
a guy who has much more experience than me. One of the things we'll
implement will be a quite complex firewall. Since this guy has a lot of
experience with Linux, he proposed to build the firewall with Linux and
iptables. Since I know OpenBSD better than Linux, I proposed OpenBSD,
explaining to him what OpenBSD can do, how it does it, why it's better,
etc. He already agreed to build two test firewalls (one with Linux and
one with OpenBSD) and see which is better for our needs.

There's however one thing we'll need to do with IPsec/VPN, and since I
know nothing about these topics, I don't know yet how to implement this
thing on OpenBSD. I briefly looked at the enc and vpn man pages, but
since I know IPsec is not a simple topic, it really would help me to
have a brief explanation of how to implement it on OpenBSD (because if
we are not sure we can do everything we need with OpenBSD, there's no
reason to spend time building and configuring an OpenBSD box).

This is briefly what we need to do (and how he did it with Linux):
we need to have some virtual interfaces (e.g. ipsec0, ipsec1, etc.).
When a client connects to our server to create a VPN connection, the
connection is redirected to one of these virtual interfaces depending
on the client's certificate (e.g. client0 will connect to ipsec0,
client1 will connect to ipsec1, etc.). Then every virtual interface
will have its own fw rules, so that, e.g., http connections coming from
ipsec0 will be routed to webserver0 while http connections coming from
ipsec1 will be routed to webserver1, etc.

My (currently) only and great doubt is how to redirect the connection
onto the virtual interfaces (which I suppose will be enc0, enc1, etc.)
based on the clients' certificates instead of their IP (I think this
can't be done with pf, so I'll need to use isakmpd or ipsecadm or
whatever, which I never used).

Thanks in advance.
--
Shiva
"Better true to yourself
Than a perfect shadow
Of somebody else
An empty shell"
(MrBig, My new religion)
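An added example, not part of the original post and not an answer to its open question about certificate-based assignment: this is the pf half of the design described above, written in current pf.conf syntax. It assumes (hypothetically) that client0's tunnel already terminates on enc0 and client1's on enc1, that the external interface is em0, and that webserver0 and webserver1 are the addresses shown; only the filtering and redirection per enc interface is demonstrated. Decrypted IPsec traffic is visible to pf on the enc(4) interface, which is what makes per-tunnel rules possible at all.

```pf
# Added example (not from the original post). Assumed interface and hosts:
ext_if = "em0"           # assumption: external interface
web0   = "10.0.0.10"     # assumption: webserver0
web1   = "10.0.0.11"     # assumption: webserver1

# IKE (UDP 500/4500) and ESP must reach the firewall itself on the outside.
pass in on $ext_if proto udp from any to ($ext_if) port { isakmp, ipsec-nat-t }
pass in on $ext_if proto esp from any to ($ext_if)

# Plaintext after decryption shows up on the enc interfaces.
# Deny by default per tunnel, then allow only what each client may reach.
block in on { enc0, enc1 }

# Client behind enc0 (assumed) only reaches webserver0 over http.
pass in on enc0 proto tcp from any to port 80 rdr-to $web0 keep state (if-bound)

# Client behind enc1 (assumed) only reaches webserver1 over http.
pass in on enc1 proto tcp from any to port 80 rdr-to $web1 keep state (if-bound)
```

The `if-bound` state option keeps a state created on enc0 from matching packets that later arrive on enc1, so the separation between tunnels holds even when both clients use overlapping inner addresses. Check the result with `pfctl -nf /etc/pf.conf` before loading, and with `pfctl -ss` while a tunnel is up to confirm the states are bound to the expected enc interface.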