VPN and routing

Dana J. Dawson dana at INTERPRISE.COM
Wed Feb 21 17:32:45 EST 2001


James Baumgardner wrote:
>
> I have a proxy server on our internal network that allows access to the
> outside world.  I have also set up a VPN box using Linux/FreeSwan.  I want
> all traffic routed to the other private network to go through the VPN box, so
> do I add this routing entry to the PROXY, or do I make it the default
> gateway?  What is the ideal solution?
>
> VPN is sponsored by SecurityFocus.COM

The ideal solution depends on your network topology, but in general you want
internal routes to the remote private network(s) to point at the VPN device.
This can be a bit of a bother if you have a single LAN, since your desktop
systems probably only have a single default gateway configured and it probably
points at the proxy server.  If you point that default gateway at your proxy
server, then it'll have to redirect any VPN traffic back out on the LAN to the
VPN box.  If the proxy server is the only path to the outside world, then the
VPN box will have to put the encrypted traffic back on the LAN so it can get to
the outside.  An alternative would be to add routes to your desktop systems that
need to use the VPN so they'll send traffic to the appropriate box depending on
the destination.  The default gateway would still point at the proxy server, and
you'd have a new route (or routes) for the remote network(s) that point at the
VPN box.  If you have a local router between your users and the VPN and proxy
servers, then you only need to add routes to it, so that's a little easier.

If you don't depend on any transparent proxy features of your proxy server (i.e.
all your applications that access the Internet are manually configured with your
proxy server's private address), then you may be able to get by with just
pointing the default gateway in your workstations at the VPN box.

Good luck - I hope this helps.

Dana

--
Dana J. Dawson                              dana at interprise.com
Distinguished Principal Engineer            CCIE #1937
Qwest Communications International, Inc.    (612) 664-3364
600 Stinson Blvd., Suite 1S                 (612) 664-4779 (FAX)
Minneapolis  MN  55413-2620

"Hard is where the money is."
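
The routing choices discussed in the reply above can be modeled with a longest-prefix-match lookup. This is an added example, not part of the original post; all addresses and the routing tables assumed for the proxy and VPN box are constructed for illustration.

```python
import ipaddress

# Constructed addressing (assumptions, not from the post).
PROXY = ipaddress.ip_address("192.168.1.1")
VPN_BOX = ipaddress.ip_address("192.168.1.2")
REMOTE_NET = ipaddress.ip_network("10.20.0.0/16")   # remote private network
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# A route is (network, gateway); gateway None means "this box sends the
# packet off the LAN itself" (external interface or tunnel).
BOX_TABLES = {
    PROXY: [(DEFAULT, None), (REMOTE_NET, VPN_BOX)],
    VPN_BOX: [(REMOTE_NET, None), (DEFAULT, PROXY)],
}

# The three workstation configurations the reply describes.
DEFAULT_TO_PROXY = [(DEFAULT, PROXY)]
SPLIT_ROUTES = [(DEFAULT, PROXY), (REMOTE_NET, VPN_BOX)]
DEFAULT_TO_VPN = [(DEFAULT, VPN_BOX)]


def next_hop(table, dst):
    """Longest-prefix match: gateway of the most specific matching route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def lan_hops(start_table, dst, box_tables=BOX_TABLES):
    """List the LAN boxes a packet visits before it leaves the LAN."""
    hops, table = [], start_table
    while table is not None:
        gw = next_hop(table, dst)
        if gw is None or gw in hops:   # left the LAN, or a routing loop
            break
        hops.append(gw)
        table = box_tables.get(gw)
    return [str(h) for h in hops]


if __name__ == "__main__":
    for name, table in [("default->proxy", DEFAULT_TO_PROXY),
                        ("split routes", SPLIT_ROUTES),
                        ("default->vpn", DEFAULT_TO_VPN)]:
        print(name, "remote:", lan_hops(table, "10.20.5.9"),
              "internet:", lan_hops(table, "198.51.100.7"))
```

Two entries in a result mean the packet crosses the single LAN twice, which is the redirect overhead the reply mentions; the split-route configuration keeps every destination to one hop.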
