On Friday 10 June 2005 23:01, Simon Waters wrote:

tidier would be closer to my opinion. More Tao ;)

>
> > The VPN is ipsec, native 2.6 stack with openswan package. Any ideas for this
> > one?
>
> Nope, I'm trying to give up VPNs in favour of putting stuff over SSL, at
> least where email is concerned.

Do you mean using encrypted SSL sessions or SSH tunnels? The reason I ask is that I know that I can secure the email logon with SSL, but to do so would involve opening my pop3 server to the world so anyone could attempt to log on, or attempt to brute-force. I also know that I could route pop3 etc. through an SSH tunnel and then use preshared SSH keys for authentication, which adds a (IMHO) much better layer of security.

The problem with SSH tunnels is that I effectively have a WAN and I would have to tunnel each needed protocol, and I know that you cannot do this very well with SMB protocols etc. as the other end is an MS client and it's on a network of its own. Hence the reason for the full VPN solution.

The VPN problem is indeed an MTU issue, as the VPN endpoint is masquerading the network behind it and the eth0 connection has an MTU of 1400; all internal network servers are perfect (an MTU of 1500 breaks this access). (I think the overhead is 56 bytes + the NAT-T stuff.) The issue is indeed access to the local server, as you cannot set the MTU for any (VPN) network traffic in this case; the tunnel bypasses eth0 settings, so I might have to patch the kernel to get the old KLIPS ipsecX interfaces back. Or look at some nasty iptables clamping rules.

--
Robin Cornelius
---------------------------------------------------
robin@xxxxxxxxxxxxxxxxxxxxx
http://www.cornelius.demon.co.uk
http://sourceforge.net/projects/rt2400
GPG Key ID: 0x729A79A23B7EE764
http://www.biglumber.com/x/web?qs=0x729A79A23B7EE764
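The iptables clamping mentioned at the end of the message, sketched as an added example that is not part of the original post. It assumes a kernel and iptables build that provide the `policy` match, and it takes 1400 from the post as the packet size known to work; the function names are hypothetical. The OUTPUT and INPUT rules cover the VPN endpoint's own traffic, which is the case the eth0 MTU setting does not reach.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: 1400 is the MTU the post reports as working through the tunnel.

# Largest IPv4 TCP MSS that fits in a packet of the given size
# (20-byte IPv4 header + 20-byte TCP header, no options).
mss_for_mtu() {
    case $1 in
        ''|*[!0-9]*) echo "mtu must be a number" >&2; return 1 ;;
    esac
    [ "$1" -ge 68 ] || { echo "mtu below IPv4 minimum (68)" >&2; return 1; }
    echo $(( $1 - 40 ))
}

# Print an iptables-restore fragment that clamps the MSS option on SYN and
# SYN-ACK packets matching an IPsec policy. No interface is named, so it
# does not depend on ipsecX devices existing.
#   FORWARD out/in : routed hosts behind the endpoint
#   OUTPUT out     : SYN / SYN-ACK sent by the endpoint itself into the tunnel
#   INPUT in       : SYN / SYN-ACK arriving from the tunnel for the endpoint
clamp_rules() {
    mss=$1
    over="$(( mss + 1 )):65535"    # only lower an MSS, never raise it
    syn='-p tcp --tcp-flags SYN,RST SYN'
    echo '*mangle'
    for spec in 'FORWARD out' 'FORWARD in' 'OUTPUT out' 'INPUT in'; do
        set -- $spec               # $1 = chain, $2 = policy direction
        echo "-A $1 $syn -m policy --dir $2 --pol ipsec -m tcpmss --mss $over -j TCPMSS --set-mss $mss"
    done
    echo 'COMMIT'
}

# Print the rules for review; to load them, pipe into: iptables-restore --noflush
clamp_rules "$(mss_for_mtu 1400)"
```

Clamping only affects TCP; UDP and ICMP payloads larger than the tunnel can carry still depend on path MTU discovery or fragmentation.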