Checkpoint Endpoint Security VPN with Linux
Etzion Bar-Noy
ezaton at tournament.org.il
Mon Mar 21 02:41:21 IST 2011
It is common that the VPN provider's policy *prevents* you from connecting to
multiple networks (theirs and someone else's). The logic behind it is to
prevent data leaks, especially accidental ones, caused by somehow combining
their network with someone else's.
So - this poses no problem that needs to be dealt with. The common problem is
that your local home network overlaps one of the organization's networks. Some
of the VPN clients place themselves in the network interface stack, so they
hijack the packets to their correct destination(s). That is the common reason
(apart from time and effort) that Linux clients are rarer. This operation is
somewhat more complicated there, and would require root access.
Fortigate VPN client (SSL VPN) does that. Juniper Java SSL VPN does that. CP
SSL VPN client (snx) does that. Theoretically, for the client-connect
(office-connect, for previous versions of Checkpoint) you would be able to
use some implementation of *SWAN (freeswan, openswan, something-swan), but
this is a very complicated setup, which requires noticeable effort on your
side, and, in some cases, requires the VPN server owner to perform actions
which negate the famous Etzion's principle of "minimum effort, minimum
energy", so it would probably never happen.
Ez
2011/3/20 Elazar Leibovich <elazarl at gmail.com>
> On Sun, Mar 20, 2011 at 9:54 PM, Shachar Shemesh <shachar at shemesh.biz> wrote:
>
>>
>> On another side note, what does it do if I'm having a 192.168.4.*
>>> internal network?
>>>
>> Then you are @!#*%!@#$@!)(!@#&%@#! !@(%!@#()#!@$!@%#.
>
>
> Wow, I'm not sure I know any adjective that long in English ;-)
>
> VPN is designed to connect disparate networks as if they are close
>> together.
>
>
> Yeah, but as you probably know, VPN is used in practice to connect to your
> workstation from your laptop, and for this use case, you might want to
> connect to two VPNs which unfortunately share the same internal network
> address. I don't think that makes you an idiot.
>
> And VPN solution could offer NAT, in fact a shallow Google search[1] offers
> exactly the same solution.
>
> Is there something I'm missing here?
>
> [1] http://nimlabs.org/~nim/dirtynat.html
>
>
> _______________________________________________
> Linux-il mailing list
> Linux-il at cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
>
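The overlap problem Etzion describes above (a 192.168.4.0/24 home LAN colliding with a 192.168.4.0/24 network pushed by the VPN) and the NAT workaround Elazar points at both come down to two computations: which of the tunnel's networks actually share addresses with the local LAN, and what a 1:1 network translation of the colliding range looks like. The script below is an added example written for this archive page; it is not code from the thread, from Checkpoint, or from the dirtynat page. The home LAN, the VPN routes and the 10.200.0.0/16 alias pool are constructed sample values, and the script only computes and prints; it does not touch routing or NAT tables.

```python
"""Added example: find which networks pushed by a VPN client collide with the
local LAN, carve a same-sized alias range for each, and show the 1:1 address
translation (the arithmetic iptables' NETMAP target performs).  All inputs
are constructed sample data, not values from the mailing-list thread."""
import ipaddress

# Constructed sample input: the home LAN and the routes a VPN would install.
HOME_LAN = "192.168.4.0/24"
VPN_ROUTES = ["10.10.0.0/16", "192.168.4.0/24", "172.16.8.0/22"]
# Assumed unused address space on the laptop, used for alias addresses.
ALIAS_POOL = "10.200.0.0/16"


def find_overlaps(local_cidr, remote_cidrs):
    """Return the remote networks that share at least one address with the
    local LAN.  overlaps() catches both directions (remote inside local and
    local inside a larger remote), so a /16 pushed over the tunnel that
    swallows a /24 at home is reported too."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    return [c for c in remote_cidrs
            if ipaddress.ip_network(c, strict=False).overlaps(local)]


def allocate_aliases(colliding, pool_cidr):
    """Carve a non-overlapping alias network of the same prefix length out of
    the pool for every colliding remote network.  Returns
    {remote_cidr: alias_cidr}.  Raises if a network is larger than the pool
    or the pool runs out."""
    pool = ipaddress.ip_network(pool_cidr)
    used, mapping = [], {}
    for cidr in colliding:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.prefixlen < pool.prefixlen:
            raise ValueError(f"{cidr} is larger than alias pool {pool_cidr}")
        for cand in pool.subnets(new_prefix=net.prefixlen):
            if not any(cand.overlaps(u) for u in used):
                used.append(cand)
                mapping[cidr] = str(cand)
                break
        else:
            raise ValueError(f"alias pool {pool_cidr} exhausted at {cidr}")
    return mapping


def netmap(addr, from_cidr, to_cidr):
    """1:1 network translation: keep the host bits of addr and replace the
    network bits with those of to_cidr.  Both prefixes must be the same
    length, which is also what iptables' NETMAP target requires."""
    src = ipaddress.ip_network(from_cidr, strict=False)
    dst = ipaddress.ip_network(to_cidr, strict=False)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("1:1 translation needs equal prefix lengths")
    host_bits = int(ipaddress.ip_address(addr)) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def plan(local_cidr, remote_cidrs, pool_cidr):
    """Full run: colliding networks and the alias each one would be reached
    under from this host."""
    colliding = find_overlaps(local_cidr, remote_cidrs)
    return allocate_aliases(colliding, pool_cidr)


if __name__ == "__main__":
    mapping = plan(HOME_LAN, VPN_ROUTES, ALIAS_POOL)
    for remote, alias in mapping.items():
        print(f"{remote} collides with {HOME_LAN}; reach it as {alias}")
        # A sample host on the remote side, seen through the alias range.
        sample = str(ipaddress.ip_network(remote)[10])
        print(f"  {sample} on the VPN side -> {netmap(sample, remote, alias)}")
```

With the sample input the only collision is 192.168.4.0/24, which gets 10.200.0.0/24 as its alias, so the remote host 192.168.4.10 would be addressed as 10.200.0.10. In the kernel this is exactly the job of `-j NETMAP --to <remote-cidr>` in the nat table; what the script deliberately does not attempt is the routing that makes the translated packets enter the tunnel rather than the home LAN, which is the client-side plumbing Etzion is describing when he says the Linux case needs root and more effort.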