96 | | the VPN needs to be able to handle non-IP protocols such as IPX, |
97 | | you are running applications over the VPN which rely on network broadcasts (such as LAN games), or |
98 | | you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server. |
99 | | |
100 | | Numbering private subnets |
| 97 | * the VPN needs to be able to handle non-IP protocols such as IPX, |
| 98 | * you are running applications over the VPN which rely on network broadcasts (such as LAN games), or |
| 99 | * you would like to allow browsing of Windows file shares across the VPN without setting up a Samba or WINS server. |
| 100 | |
| 101 | = Numbering private subnets = |
111 | | conflicts from different sites on the VPN using the same LAN subnet numbering, or |
112 | | remote access connections from sites which are using private subnets which conflict with your VPN subnets. |
113 | | |
114 | | For example, suppose you use the popular 192.168.0.0/24 subnet as your private LAN subnet. Now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its WiFi LAN. You will have a routing conflict because your machine won't know if 192.168.0.1 refers to the local WiFi gateway or to the same address on the VPN. |
| 113 | * conflicts from different sites on the VPN using the same LAN subnet numbering, or |
| 114 | * remote access connections from sites which are using private subnets which conflict with your VPN subnets. |
| 115 | |
| 116 | For example, suppose you use the popular 192.168.0.0/24 subnet as your private LAN subnet. Now you are trying to connect to the VPN from an internet cafe which is using the same subnet for its !WiFi LAN. You will have a routing conflict because your machine won't know if 192.168.0.1 refers to the local !WiFi gateway or to the same address on the VPN. |
136 | | The server only needs its own certificate/key -- it doesn't need to know the individual certificates of every client which might possibly connect to it. |
137 | | The server will only accept clients whose certificates were signed by the master CA certificate (which we will generate below). And because the server can perform this signature verification without needing access to the CA private key itself, it is possible for the CA key (the most sensitive key in the entire PKI) to reside on a completely different machine, even one without a network connection. |
138 | | If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list). The CRL allows compromised certificates to be selectively rejected without requiring that the entire PKI be rebuilt. |
139 | | The server can enforce client-specific access rights based on embedded certificate fields, such as the Common Name. |
| 139 | * The server only needs its own certificate/key -- it doesn't need to know the individual certificates of every client which might possibly connect to it. |
| 140 | * The server will only accept clients whose certificates were signed by the master CA certificate (which we will generate below). And because the server can perform this signature verification without needing access to the CA private key itself, it is possible for the CA key (the most sensitive key in the entire PKI) to reside on a completely different machine, even one without a network connection. |
| 141 | * If a private key is compromised, it can be disabled by adding its certificate to a CRL (certificate revocation list). The CRL allows compromised certificates to be selectively rejected without requiring that the entire PKI be rebuilt. |
| 142 | * The server can enforce client-specific access rights based on embedded certificate fields, such as the Common Name. |
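Review bot: the third bullet (new line 141) conflates key and certificate: it says a compromised private key "can be disabled by adding its certificate to a CRL", but what is revoked is the certificate, and the key is only made useless by that revocation. Suggest "If a private key is compromised, the corresponding certificate can be revoked by adding it to a CRL (certificate revocation list)." The bullet also reads as if revocation takes effect on its own; it is worth adding in the same bullet that the server rejects revoked certificates only when it has been configured to consult the CRL, otherwise a reader of this list may assume publishing the CRL is sufficient.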