[nzlug] connecting two networks?
Daniel Pittman
daniel at rimspace.net
Wed May 21 16:27:25 NZST 2008
Simon <greminn at gmail.com> writes:
> On Wed, May 21, 2008 at 3:53 PM, Daniel Pittman <daniel at rimspace.net> wrote:
>
>> I strongly suggest you read the manuals for the Fortigate devices, which
>> are quite capable of creating a site-to-site VPN tunnel and include
>> excellent examples and directions on how to do so.
>>
>>> Can this be done over ssh? I like ssh.
>>
>> I also strongly suggest that you avoid inventing solutions without fully
>> understanding their implications: this is *not* the solution you are
>> looking for.
>>
>> Any tunnelling of IP over TCP is a fundamental mistake, which will cause
>> you significant grief at some point. Please note that this is a
>> different case from tunneling /data/ over a TCP link, which is what the
>> various port forwarding options available as part of SSH offer.
>>
>>
>> If you absolutely insist on doing it that way, rather than trivially
>> through the firewall hardware, then you would be well advised to use
>> only the generic "SOCKS" or "dynamic" forwarding capabilities of ssh.
>
> I agree with your points here. The Fortigate firewall at the data
> centre end is cool, but what can I use on our office end? We don't
> have a firewall or router that could do this.
Ah. I mis-read that and thought you had Fortigate devices at both ends.

Anything that talks IPSec can happily create the link for you, at which
point you only need the routing done at the office end to make it work.
I have had good success using pipsecd[1] to create IPSec tunnels, or you
can use the kernel support together with the tools of your distribution
of choice.

I can't comment on how to achieve that; when dealing with the Fortigates
I only ever had to connect from other Fortigates, though it shouldn't be
enormously difficult, I expect.
Regards,
Daniel
Footnotes:
[1] http://perso.enst.fr/~beyssac/pipsec/
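As an added illustration of the office-end IPsec setup described above (not part of the original message, of pipsecd or of any Fortigate documentation), here is a site-to-site tunnel definition in strongSwan's ipsec.conf format, one of the kernel-IPsec tools a distribution ships; the addresses, subnets and proposal strings are assumed placeholders and must be matched on the Fortigate side.

```ini
# /etc/ipsec.conf on the office Linux gateway (strongSwan syntax, an assumption;
# the message names pipsecd or the distribution's own kernel-IPsec tools).
# All addresses and subnets below are constructed placeholders.
config setup

conn office-to-datacentre
    keyexchange=ikev1              # Fortigate site-to-site tunnels of this era speak IKEv1
    authby=secret                  # pre-shared key, defined in /etc/ipsec.secrets
    ike=aes256-sha1-modp1024       # phase 1 proposal; must equal the Fortigate phase 1 settings
    esp=aes256-sha1                # phase 2 proposal; must equal the Fortigate phase 2 settings
    type=tunnel
    left=203.0.113.10              # office gateway public address (placeholder)
    leftsubnet=192.168.1.0/24      # office LAN behind this gateway (placeholder)
    right=198.51.100.20            # Fortigate public address at the data centre (placeholder)
    rightsubnet=10.20.0.0/24       # data-centre LAN behind the Fortigate (placeholder)
    auto=start                     # bring the tunnel up when the daemon starts

# /etc/ipsec.secrets (owned by root, mode 0600):
# 203.0.113.10 198.51.100.20 : PSK "REPLACE_WITH_LONG_RANDOM_SECRET"
```

strongSwan installs the kernel policies for the two subnets on the gateway itself; the routing mentioned in the message is that office hosts must send traffic for 10.20.0.0/24 to this gateway, either because it is their default route or via a static route, and the gateway must accept UDP/500, UDP/4500 and ESP from the Fortigate's address.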