Checkpoint Endpoint Security VPN with linux

Shachar Shemesh shachar at shemesh.biz
Mon Mar 21 10:02:25 IST 2011


On 21/03/11 02:41, Etzion Bar-Noy wrote:
> It is common that the VPN provider policy *prevents* you from 
> connecting to multiple networks (theirs and someone else's). The logic 
> behind it is to prevent data leak, especially accidental, by combining 
> somehow their network with someone else's.
You have to connect to some network in order to get the VPN packets out.
>
> So - this poses no problem to be dealt with. The common problem is 
> that your local home network overlaps one of the organization's 
> networks. Some of the VPN clients place themselves in the network 
> interface stack, so they hijack the packets to their correct 
> destination(s). That is the common reason (except for time and effort) 
> that Linux clients are more rare. This operation is somewhat more 
> complicated there, and would require root access.
Hijacking the outgoing packets does not solve the routing conflict. When 
I send a packet to 172.27.245.17, you somehow need to know whether that 
is the 172.27.245.17 that is visible through the VPN, or the one visible 
locally. Hijacking ALL outgoing packets rarely makes sense.

Hijacking the network interface does allow you to route the ENCRYPTED 
packet without going into routing loops, and is the reason this is done. 
Still, you are hiding parts of the network if there is a conflict.

Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
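The two routing behaviours discussed above (the encrypted packet looping back into the tunnel unless the VPN server gets its own route on the physical interface, and one side of an overlapping prefix being hidden whichever way the conflict is resolved) can be reproduced with a longest-prefix-match lookup over a small routing table. The following is an added illustration, not code from the post or from any VPN client; the addresses, interface names and route entries are constructed for the example.

```python
import ipaddress

# Constructed for illustration: VPN server on a documentation address, home LAN
# on the 172.27.245.0/24 prefix mentioned in the thread.
VPN_PEER = "203.0.113.5"


def lookup(table, dst):
    """Longest-prefix match over [(prefix, iface)], the way the kernel FIB
    selects a route. Returns the interface or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def send(table, dst, max_hops=8):
    """Follow one packet through the stack. A packet handed to tun0 is
    encrypted and re-sent to VPN_PEER, so the route lookup repeats for the
    outer packet. Returns the physical interface the outer packet finally
    leaves on, or 'loop' if encapsulation never terminates."""
    hops = 0
    while hops < max_hops:
        iface = lookup(table, dst)
        if iface != "tun0":
            return iface
        dst = VPN_PEER  # outer (encrypted) packet is addressed to the server
        hops += 1
    return "loop"


# Full-tunnel policy: 0.0.0.0/1 + 128.0.0.0/1 beat the default route. Without a
# route for the server itself, the encrypted packet matches 128.0.0.0/1 and is
# fed back into the tunnel.
NAIVE = [
    ("0.0.0.0/0", "eth0"),
    ("172.27.245.0/24", "eth0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
]

# Same policy plus a /32 for the VPN server via the physical interface: this is
# what "hijacking" the interface buys you, expressed as a route.
FIXED = NAIVE + [("203.0.113.5/32", "eth0")]

# The conflict: the organisation's 172.27.0.0/16 arrives via the tunnel and
# overlaps the home /24. Longest prefix wins, so the corporate 172.27.245.x
# hosts are unreachable.
OVERLAP = FIXED + [("172.27.0.0/16", "tun0")]

# The other resolution: the client shadows the LAN route entirely, so the
# corporate side is reachable and the home 172.27.245.x hosts are hidden.
HIJACKED = [
    ("0.0.0.0/0", "eth0"),
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
    ("203.0.113.5/32", "eth0"),
    ("172.27.0.0/16", "tun0"),
]


def hidden_side(table, dst):
    """Which copy of an ambiguous address is reachable for this table."""
    return "local" if lookup(table, dst) == "eth0" else "vpn"


if __name__ == "__main__":
    print("no host route, encrypted packet:", send(NAIVE, "10.0.0.1"))
    print("with host route, encrypted packet:", send(FIXED, "10.0.0.1"))
    for name, table in (("overlap", OVERLAP), ("hijacked", HIJACKED)):
        print(name, "172.27.245.17 reaches:", hidden_side(table, "172.27.245.17"))
```

Neither table makes both 172.27.245.17 hosts reachable at once; the host route only stops the encapsulation loop, which is the distinction the reply draws.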
