  • Adrian Chung

20 years later...

Once upon a time, when the internet was young, and geocities was the place to be, I had a blog.


Its focus, in retrospect, was personal technology interests, system administration, and an effort to share concepts and things I'd learned with other people.


Finally finding the time, between clients and grown-up life, to relaunch a blog, I came across an old post -- one that at the time seemed so novel and cutting-edge, but is now a commonplace, foundational concept.


While it made me smile and immediately think about how far things have come in 20 years, it also made me think about how the things I was interested in all that time ago, and where I started out, have forever etched and shaped how and what I do today.


This post is from circa 2001. VMware GSX was the most common deployment at the time, and "SME Server" here refers to the product of a Linux-based appliance startup (e-smith, Inc.), headed by Joe Morrison and Kim Morrison and acquired by Mitel Networks that same year.


Without further ado...


VMware is software that allows you to create a virtual computer inside your real computer. By sharing your host computer's resources, a VMware "virtual machine" allows you to do almost anything you would on a real computer, including installing an operating system, software, and applications. It's definitely handy for testing software and applications in heterogeneous computing environments.


At work, I've been integrating and developing virtual private networking (VPN) applications for our server software. Testing VPNs requires a number of computers, in general at least four: two security gateways that establish a secure link with each other and route packets destined for their respective subnets over it, and two client machines, one behind each gateway, to test end-to-end connectivity.


The Setup


Using VMware, I came up with a testing infrastructure that consists of four computers, except that they're all VMware virtual machines running on my workstation. The four computers are:

  • Two SME Servers with ServiceLink, each with two network interface cards (NICs).

  • One Linux client.

  • One Windows 2000 client.

VMware provides three main mechanisms for connecting a virtual machine's NIC to a network:

  • "Bridged" mode connects the virtual NIC to the host machine's LAN, as if it were physically connected.

  • "NAT" mode uses Network Address Translation to give the virtual machine connectivity to the host machine's LAN (and beyond) through the host machine's own IP address; the virtual machine is not directly addressable from the LAN.

  • "Host-only" mode places the virtual NIC on a private subnet, configured on the host, that can be reached only by the host machine and its other virtual machines; nothing on the physical LAN can reach it.

A VPN security gateway needs to be multi-homed, meaning it needs at least two network interfaces. One interface "faces" the LAN it protects, and the other faces some untrusted network, most commonly the Internet. Combined with the requirement that each security gateway protects a different subnet, this means that our testing infrastructure must consist of three networks.


Using two of VMware's network modes, bridged and host-only, three distinct networks can be constructed. Two host-only networks configured on the host machine form the LANs that the VPN will connect and secure: 192.168.101.0/24 (host-only network 1) and 192.168.102.0/24 (host-only network 2).


When I set up my virtual machines, bridged network connections create the third network: 192.168.1.0/24. This last network plays the role of the "untrusted", or public, network over which the VPN will be created. Since bridged mode puts these NICs on the workstation's real LAN, in the lab the "untrusted" side is simply the office network; that is enough for functional testing, but it also means the gateways' public interfaces are reachable by everything else on that LAN.


Configuring the Virtual Machines


Starting with the two virtual machines that will become our VPN gateways, I installed the SME Server v5 distribution on both, and configured each virtual machine with two NICs: one in bridged mode and the other in host-only mode (gateway 1 on host-only network 1, gateway 2 on host-only network 2). This sets up each server as a multi-homed machine, each with its own LAN (host-only) and an interface facing the public network (bridged).


Once those two machines were up and running and network connectivity was verified, it was easy to add a client machine to each virtual LAN: install an operating system on a virtual machine whose NIC is in host-only mode on that network, and configure it to get an IP address via DHCP from its SME Server.


With all four machines set up, the testing infrastructure is complete. The machines in the two virtual LANs should have no direct network connectivity to each other: a ping from a 192.168.101.x client to a 192.168.102.x client should fail, because the host keeps the two host-only networks separate and nothing on the bridged network has a route to either of them. Confirming this before the VPN is configured matters, since a later success then proves the tunnel rather than an accidental path. Each LAN should, however, have full Internet access, provided the host machine has Internet access and each SME Server has been configured with an appropriate default gateway on the bridged network.


Once a VPN is configured between the two gateways (using software such as FreeS/WAN), clients on each LAN will have network-level access to each other, and the same ping that failed before should now succeed through the tunnel.
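As an added example (not from the original post, and not SME Server or FreeS/WAN code), the following Python script checks the address plan for the three-network lab described above and renders the matching FreeS/WAN-style `conn` stanza for the net-to-net tunnel between the two gateways. Only the three subnets come from the post; the gateway host addresses (192.168.1.11 and 192.168.1.12 on the bridged network, 192.168.101.1 and 192.168.102.1 on the host-only LANs) and the connection name are assumptions made for illustration.

```python
"""Address-plan check and FreeS/WAN conn stanza for the three-network VPN lab.

Added example, not from the original post. Only the three subnets come from
the post; every host address below is an assumption made for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Bridged network = the workstation's real LAN, playing the "untrusted" side.
PUBLIC_NET = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Gateway:
    name: str
    public_ip: str   # address on the bridged NIC
    lan_ip: str      # address on the host-only NIC
    lan: str         # host-only subnet protected by this gateway


# Assumed host addresses (the post names the subnets, not the hosts).
GW1 = Gateway("sme1", "192.168.1.11", "192.168.101.1", "192.168.101.0/24")
GW2 = Gateway("sme2", "192.168.1.12", "192.168.102.1", "192.168.102.0/24")


def check_plan(a, b, public=PUBLIC_NET):
    """Return a list of problems with the address plan; empty means it is usable."""
    problems = []
    lan_a = ipaddress.ip_network(a.lan)
    lan_b = ipaddress.ip_network(b.lan)
    # A net-to-net tunnel needs distinct LANs: with overlapping ranges neither
    # gateway can tell a local host from one behind the peer.
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN subnets overlap: {lan_a} vs {lan_b}")
    for gw, lan in ((a, lan_a), (b, lan_b)):
        if ipaddress.ip_address(gw.public_ip) not in public:
            problems.append(f"{gw.name}: public IP {gw.public_ip} is not in {public}")
        if ipaddress.ip_address(gw.lan_ip) not in lan:
            problems.append(f"{gw.name}: LAN IP {gw.lan_ip} is not in {lan}")
        # The protected LAN must not collide with the network the tunnel runs over.
        if lan.overlaps(public):
            problems.append(f"{gw.name}: LAN {lan} overlaps the public network {public}")
    return problems


def conn_stanza(a, b, name="lan1-lan2"):
    """Render a FreeS/WAN 1.x style ipsec.conf 'conn' for a net-to-net tunnel.

    Both gateways sit on the same bridged Ethernet here, so each side's
    nexthop is simply the peer. On separate networks each side would name
    its own router instead. The same stanza is used on both gateways;
    FreeS/WAN works out which side it is from the left/right addresses.
    """
    lines = [
        f"conn {name}",
        f"    left={a.public_ip}",
        f"    leftsubnet={a.lan}",
        f"    leftnexthop={b.public_ip}",
        f"    right={b.public_ip}",
        f"    rightsubnet={b.lan}",
        f"    rightnexthop={a.public_ip}",
        "    authby=secret",   # pre-shared key from ipsec.secrets; rsasig is preferable
        "    auto=start",      # bring the tunnel up when ipsec starts
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    problems = check_plan(GW1, GW2)
    if problems:
        for p in problems:
            print("PROBLEM:", p)
    else:
        print(conn_stanza(GW1, GW2))
```

The overlap check is the one that catches the classic lab mistake: if both host-only networks are given the same range, a net-to-net IPsec policy cannot distinguish a local host from one behind the peer, which is why the post insists on two different LAN subnets. The rendered stanza goes into ipsec.conf on both gateways, with the shared secret in ipsec.secrets; the isolation test from the previous paragraph (cross-LAN ping fails before, succeeds after) is the acceptance check for it.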
