IPv6 and IPSec in real life....

David Burgess burgess@mitre.org
Wed, 05 Apr 2000 13:26:40 -0500


Here's what I have right now:

(Best viewed in a fixed font)

+-----+
|     |          A:  Windows 95 machine using a Random Address 
|  A  |-----+        from a local ISP.
|     |     |    B:  NetBSD-current running KAME
+-----+     |    C:  Corporate Office
            |            +-----+
+---+  +----+-----+      |     |
| C |--| Internet +------+  B  +-------{ Local non-routable network }
+---+  +----+-----+      |     |
                         +-----+

Here's where I want to end up:

+-----+
|     |          A:  Cisco 675 ADSL router (with a new static address) 
|  A  |-----+        connected to a pair of Win-95  machines (with 
|     |     |        non-routable NATed addresses).
+-----+     |    B:  NetBSD-current running KAME
            |    C:  Corporate Office
            |            +-----+
+---+  +----+-----+      |     |
| C |--| Internet +------+  B  +-------{ Local non-routable network }
+---+  +----+-----+      |     |
                         +-----+

Clearly, I need a VPN solution, and since (B) already has IPSec and 
IPv6 loaded and working, could someone make some recommendations 
about what I need to research to figure out a workable solution for
the interconnect?

Here are some specifics:

"A" goes from being a single computer, connected via modem, on 
Monday, the 10th.  Right now, it has no access to Network "B".

"A" has a connection to the Internet (through a dial-up).  
"B" has a T-1 through an ISP.

All of the sessions from "A" and "B" to the Corporate Office "C" are
through a commercial VPN client.  We might be able to use that if
we can figure out the mechanism to make it work.  Our corporate 
"solution" for IPSec VPN under Win-95 is "IntraPort", which I'm 
apparently just too stupid to figure out.

We want the folks on LAN "B" to appear to be on LAN "A" without 
having to put in more hardware.  We want them to be able to access 
our printers and other shared resources.  We also want the traffic
to be relatively secure.  Simple IP-IP encapsulation has already been
vetoed.

Things I've already considered:

1)  Upgrading the machines in box A to Windows-2000 and running the
experimental IPv6 stuff on them.  This is problematic for several 
reasons, not the least of which is the lack of IPv6 at the ISP.  If
we do that, we will need to use v4/v6 tunnelling from the W2K boxes
to the local IPv6 gateway.

2)  Installing another NetBSD/KAME box to act as a v4/v6 tunnel end.
This is workable, but it requires us to go through the rigamarole of
getting another computer.  It also requires me to be in two places at
the same time during configuration.

3)  Using IntraPort, which except for some things that I can't figure 
out, would be OK.

I'm not necessarily looking for a solution (although I certainly 
wouldn't turn one down).  I'm just looking for some suggestions.
My corporate office just puts their fingers in their ears and hums
whenever I ask them the question, which is fine.  I think I'll 
probably get a better answer here than I would from them anyway.

Dave Burgess