Checkpoint Endpoint Security VPN with linux

Etzion Bar-Noy ezaton at tournament.org.il
Mon Mar 21 13:35:25 IST 2011


On Mon, Mar 21, 2011 at 10:02 AM, Shachar Shemesh <shachar at shemesh.biz> wrote:

> On 21/03/11 02:41, Etzion Bar-Noy wrote:
>
>> It is common that the VPN provider policy *prevents* you from connecting
>> to multiple networks (theirs and someone else's). The logic behind it is to
>> prevent data leak, especially accidental, by combining somehow their network
>> with someone else's.
>>
> You have to connect to some network in order to get the VPN packets out.

Your home LAN, Internet Cafe, whatever. True.

>
>
>> So - this poses no problem to be dealt with. The common problem is that
>> your local home network overlaps one of the organization's networks. Some of
>> the VPN clients place themselves in the network interface stack, so they
>> hijack the packets to their correct destination(s). That is the common
>> reason (except for time and effort) that Linux clients are more rare. This
>> operation is somewhat more complicated there, and would require root access.
>>
> Hijacking the outgoing packets does not solve the routing conflict. When I
> send a packet to 172.27.245.17, you somehow need to know whether that is the
> 172.27.245.17 that is visible through the VPN, or the one visible locally.
> Hijacking ALL outgoing packets rarely makes sense.
>
They avoid hijacking your default GW.

>
> Hijacking the network interface does allow you to route the ENCRYPTED
> packet without going into routing loops, and is the reason this is done.
> Still, you are hiding parts of the network if there is a conflict.

You do, of course. Usually, the VPN clients hide the local network where a
conflict exists.

Ez

>
>
> Shachar
>
> --
> Shachar Shemesh
> Lingnu Open Source Consulting Ltd.
> http://www.lingnu.com
>
>
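Added example, not part of the thread above: a small POSIX sh script that does the two checks the exchange turns on, namely whether a local LAN prefix overlaps a prefix the VPN publishes, and which route the kernel's longest-prefix match would pick for a destination such as 172.27.245.17. The prefixes used are constructed sample values (a home LAN of 192.168.1.0/24 and assumed VPN-side networks); on a real host you would substitute the prefixes shown by `ip route` before and after the VPN client adds its routes.

```shell
#!/bin/sh
# Added example: detect a local/VPN subnet conflict before connecting, and show
# which route wins for a destination. Sample prefixes below are constructed.

# ip_to_int 172.27.245.17 -> 32-bit integer (requires 64-bit shell arithmetic,
# which dash and bash provide on 64-bit Linux)
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask 24 -> integer netmask (0xFFFFFF00)
prefix_mask() {
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
    fi
}

# cidr_overlap A/len B/len : exit 0 if the two networks share any address.
# Two prefixes overlap iff the shorter (wider) one contains the other's base.
cidr_overlap() {
    a_ip=$(ip_to_int "${1%/*}"); a_len=${1#*/}
    b_ip=$(ip_to_int "${2%/*}"); b_len=${2#*/}
    if [ "$a_len" -le "$b_len" ]; then
        wide_ip=$a_ip; wide_len=$a_len; other_ip=$b_ip
    else
        wide_ip=$b_ip; wide_len=$b_len; other_ip=$a_ip
    fi
    m=$(prefix_mask "$wide_len")
    [ $(( wide_ip & m )) -eq $(( other_ip & m )) ]
}

# winning_route DEST ROUTE... : print the most specific route matching DEST
# (longest-prefix match, as the kernel routing table does); empty if none match.
winning_route() {
    dest=$(ip_to_int "$1"); shift
    best=""; best_len=-1
    for r in "$@"; do
        net=$(ip_to_int "${r%/*}"); len=${r#*/}
        m=$(prefix_mask "$len")
        if [ $(( dest & m )) -eq $(( net & m )) ] && [ "$len" -gt "$best_len" ]; then
            best=$r; best_len=$len
        fi
    done
    printf '%s\n' "$best"
}

# Demo with constructed values: a home LAN and two assumed VPN-side networks.
if cidr_overlap 192.168.1.0/24 192.168.0.0/16; then
    echo "conflict: local 192.168.1.0/24 overlaps VPN-side 192.168.0.0/16"
fi
echo "172.27.245.17 is reached via: $(winning_route 172.27.245.17 0.0.0.0/0 172.27.0.0/16 172.27.245.0/24)"
```

The second function is the reason the conflict matters: if the VPN installs 192.168.0.0/16 while the LAN is 192.168.1.0/24, the more specific local route keeps winning for that /24 and those VPN hosts become unreachable, which is the "hiding parts of the network" Shachar describes; clients that avoid this do it by installing an equally or more specific route, not by taking over the default gateway.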