[plug] vpn breaks home network

Adrian Chadd adrian at creative.net.au
Wed Dec 12 13:32:45 WST 2007


On Wed, Dec 12, 2007, Jon L. Miller wrote:
> I'm under the impression (please correct me if I'm wrong) that when the
> client initiates a vpn tunnel to the remote server, the remote router
> sends the information for the split tunnel to take effect (e.g. giving
> access to the local lan). The vpn is then the dgw thereby enabling routing
> to the local lan. I guess you could put the 'policy' on the local router,
> but then the tunnel would have to be up all the time... yes? From what I
> understand this is a security risk and all the workstations would have to
> be set to the VPN dgw ip address.

IIRC that's basically what's going on. Normal IPSEC stacks have absolutely
horrible interfaces for managing what traffic goes into the tunnel.
Checkpoint, Cisco, Nortel, etc VPN clients use IPSEC but wrapped up with
a security/authentication framework which lets the VPN server "dictate"
policy to the client.

At least under *NIX you may be able to find which part of the system they're
hooking into - it's probably the table which classifies traffic to put into
IPSEC and how it should - and override things.

Try "man setkey" on a Linux box + IPSEC tools.

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
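An example of the policy table Adrian points at, added here and not taken from the thread or from the ipsec-tools project: setkey(8) SPD entries that send traffic for the remote network into an ESP tunnel while explicitly leaving the home LAN in the clear. The addresses (192.168.1.10, 192.168.1.0/24, 10.0.0.0/8, 203.0.113.5) are made-up placeholders, and the SAs themselves (keys or IKE) are assumed to be set up separately.

```shell
#!/bin/sh
# Added example: SPD (security policy database) entries for a split tunnel,
# written for setkey(8) from ipsec-tools. All addresses are constructed
# placeholders; the SAs/IKE negotiation with the gateway are out of scope.
LAN_NET="192.168.1.0/24"        # home LAN that must stay reachable in the clear
CLIENT_IP="192.168.1.10"        # this workstation
VPN_GW="203.0.113.5"            # remote VPN gateway (public address)
REMOTE_NET="10.0.0.0/8"         # network reached only through the tunnel

# Emit the setkey script. Policies say which traffic is classified into
# IPsec (-P ... ipsec) and which is explicitly left alone (-P ... none).
split_tunnel_spd() {
    cat <<EOF
spdflush;
# Home LAN: explicit bypass so local printers, NAS, etc. keep working.
spdadd $CLIENT_IP $LAN_NET any -P out none;
spdadd $LAN_NET $CLIENT_IP any -P in  none;
# Remote network: require ESP in tunnel mode to the VPN gateway.
spdadd $CLIENT_IP $REMOTE_NET any -P out ipsec esp/tunnel/$CLIENT_IP-$VPN_GW/require;
spdadd $REMOTE_NET $CLIENT_IP any -P in  ipsec esp/tunnel/$VPN_GW-$CLIENT_IP/require;
EOF
}

# Count the policy lines that push traffic into the tunnel; a quick sanity
# check that the LAN bypass entries are not among them.
count_tunnel_policies() {
    split_tunnel_spd | grep -c 'ipsec esp/tunnel'
}

# Dry run by default; apply only when setkey exists and APPLY=1 is set.
# Policy ordering/priority differs between kernels, so always dump the
# installed SPD afterwards and confirm LAN traffic is matched by "none".
if [ "${APPLY:-0}" = "1" ] && command -v setkey >/dev/null 2>&1; then
    split_tunnel_spd | setkey -c      # load the SPD
    setkey -DP                        # dump it back to verify what was installed
else
    split_tunnel_spd
fi
```

Run with `APPLY=1` as root to install the policies; without it the script only prints the setkey input for review.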