Phil,

I believe IPSEC is the keyword here.  I have to use Secure Remote,
another commercial VPN client, to log on for on-call duty.  I had to VPN
in today, so I said let's figure this out.  Right now my solution is a
removable hard drive with Check Point's Secure Remote installed.  I swap
the hard drives and then plug the cable modem into the client computer
directly, bypassing the firewall--I know it's not pretty but it works.
So I think I know what is missing, but both of us will need help from the
developers.  I don't have a compile box yet.

Take a look at http://www.phoneboy.com/fag/0372.html.  You have all the
right information and are trying all the right things, but scroll down
to the very bottom of the phoneboy page.  It says,

   # ipfwd to get Protocol 50 packets 
   /usr/sbin/ipfwd client-ip 50 & 

The ipfilter.conf, network.conf, and network /etc/init.d shell script
have all sorts of code to handle masquerading and port forwarding, but
nothing to forward ipsec, protocol 50.  Google pointed me to these
documents, which talk about protocol 47 packets:
http://www.cag.lcs.mit.edu/~cananian/Projects/IPfwd/
http://www.linuxrouter.org/listarch/linux-router/1999-07-01/msg00814.html
http://www.linuxrouter.org/listarch/linux-router/1999-07-01/msg00817.html
http://www.netsys.com/firewalls/firewalls-9710/0730.html # This guy
wrote it.
http://uwsg.iu.edu/hypermail/linux/net/9710.3/0077.html  # ditto.

There are security issues with using ipfwd or, as this ipmasq document
explains when describing ipportfw, "Before jumping right into installing
either the 2.0.x IPPORTFW or 2.2.x version of IPMASQADM with IPPORTFW
support, network security can be an issue with any port forwarder. The
reason for this is because these tools basically create a hole in the
packet firewall for the forwarded TCP/UDP ports."
http://www.e-infomax.com/ipmasq/howto/ipmasq-HOWTO-1.95c.html#ss6.8
What Check Point's Secure Remote does on the Windows box is to place
many more protocols on your ethernet adapter.  So even though I need to
breach the firewall, Check Point will do some magic.  Phoneboy's FAQ
describes placing Check Point on one internal machine.  Paranoia tells
me to turn this off after I am done.

Would some of you more experienced network admins review my description
of the problem and comment?  I believe the answer is that forwarding
protocols like ipsec through masquerading is not possible without a
tool like ipfwd.

If I am correct, would a developer please compile this tool for LEAF?

Greg Morgan

Phil Faris wrote:
> 
> Hi,
> 
> I am trying to establish a VPN tunnel between a remote Internet
> attached PC (RoadWarrior) and the masqueraded private network
> (192.168.1.0) on my LRP (Charles Steinkuehler's Eigerstein modified
> for ipsec 1.5).
> 
> The RoadWarrior is using PGPnet configured according to the
> instructions given in "Ipsec practical configurations for Linux
> Freeswan 1.X." by Jean-Francois Nadeau (http://jixen.tripod.com).
> 
> PGPnet indicates a valid connection (SA) is established, however, I
> cannot transmit in either direction (i.e.  "pings" in either direction
> fail).
> 
> On the LRP side, Ipsec appears to create valid bi-directional
> forwarding rules after the connection is established as indicated by
> "ipchains -L forward -n":
> 
> Chain forward (policy DENY):
> target  prot    opt     source  destination     ports
> ACCEPT  all     ------  206.86.3.105    192.168.1.0/24  n/a
> ACCEPT  all     ------  192.168.1.0/24 206.86.3.105     n/a
> DENY    icmp    ----l-  0.0.0.0/0       0.0.0.0/0       5 -> *
> MASQ    all     ------  192.168.1.0/24 0.0.0.0/0        n/a
> DENY    all     ------  0.0.0.0/0       0.0.0.0/0       n/a
>         (Where 206.86.3.105 is the IP of the RoadWarrior)
> 
> My /etc/ipsec.conf is:
> 
> config setup
>         interfaces="ipsec0=eth0"
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
> conn %default
>         keyingtries=1
> conn vpntest
>         type=tunnel
>         leftfirewall=no
>         left=0.0.0.0
>         leftsubnet=
>         leftnexthop=
>         rightfirewall=yes
>         right=209.233.16.123
>         rightsubnet=192.168.1.0/24
>         rightnexthop=209.233.16.254
>         auto=add
>         authby=secret
> 
> My modifications to /etc/ipfilter.conf (near the end of the script)
> are:
> 
> $IPCH -I input -j ACCEPT -p udp -s 0/0 500 -d $EXTERN_IP 500 -i
> $EXTERN_IF
> $IPCH -I output -j ACCEPT -p udp -s $EXTERN_IP 500 -d 0/0 500 -i
> $EXTERN_IF
> $IPCH -I input -j ACCEPT -p 50 -s 0/0 -d $EXTERN_IP -i $EXTERN_IF
> $IPCH -I output -j ACCEPT -p 50 -s $EXTERN_IP -d 0/0 -i $EXTERN_IF
> $IPCH -I input -j ACCEPT -p 51 -s 0/0 -d $EXTERN_IP -i $EXTERN_IF
> $IPCH -I output -j ACCEPT -p 51 -s $EXTERN_IP -d 0/0 -i $EXTERN_IF
> 
> I would appreciate any ideas on how to solve my problem.
> 
> Phil Faris
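As an added example (not code from either poster or from LEAF/LRP), here is a small first-match evaluator for an `ipchains -L forward -n` listing, fed with the forward chain quoted above as a constructed sample. It walks the chain in order the way ipchains does and reports which rule a given packet hits, so you can see that ESP (protocol 50) from the RoadWarrior to the private net is already ACCEPTed by the rules FreeS/WAN inserted, while ESP from a masqueraded host to an outside gateway only ever reaches MASQ. The evaluator only says which target applies; it does not model what MASQ can do with a protocol that has no ports, which is Greg's ipfwd point. The address 198.51.100.7 below is a made-up outside gateway, and 192.168.1.10 a made-up internal host.

```python
import ipaddress

# Constructed sample: the "ipchains -L forward -n" listing quoted in Phil's post.
FORWARD_CHAIN = """\
Chain forward (policy DENY):
target  prot    opt     source  destination     ports
ACCEPT  all     ------  206.86.3.105    192.168.1.0/24  n/a
ACCEPT  all     ------  192.168.1.0/24 206.86.3.105     n/a
DENY    icmp    ----l-  0.0.0.0/0       0.0.0.0/0       5 -> *
MASQ    all     ------  192.168.1.0/24 0.0.0.0/0        n/a
DENY    all     ------  0.0.0.0/0       0.0.0.0/0       n/a
"""

# Protocol names ipchains prints, mapped to IP protocol numbers.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "ah": 51}

def parse_chain(text):
    """Parse an ipchains -L -n listing into (policy, [rule dicts])."""
    lines = text.strip().splitlines()
    policy = lines[0].split("(policy ")[1].rstrip("):")
    rules = []
    for line in lines[2:]:                      # skip the header row
        target, prot, opt, src, dst, *ports = line.split()
        # ICMP rules carry "type -> code" in the ports column; others show "n/a".
        icmp_type = int(ports[0]) if prot == "icmp" and ports[0] != "n/a" else None
        rules.append({"target": target,
                      "prot": PROTO_NUM.get(prot, int(prot) if prot.isdigit() else prot),
                      "src": ipaddress.ip_network(src, strict=False),
                      "dst": ipaddress.ip_network(dst, strict=False),
                      "icmp_type": icmp_type})
    return policy, rules

def first_match(text, proto, src, dst, icmp_type=None):
    """Walk the chain in order (ipchains is first-match) for one packet.
    Returns (target, rule_index); rule_index is None if the chain policy applied."""
    policy, rules = parse_chain(text)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if r["prot"] != "all" and r["prot"] != proto:
            continue
        if s not in r["src"] or d not in r["dst"]:
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != icmp_type:
            continue
        return r["target"], i
    return policy, None

if __name__ == "__main__":
    # ESP from the RoadWarrior to a private host: the FreeS/WAN rule accepts it.
    print(first_match(FORWARD_CHAIN, 50, "206.86.3.105", "192.168.1.10"))
    # ESP from a private host to an outside gateway only reaches MASQ.
    print(first_match(FORWARD_CHAIN, 50, "192.168.1.10", "198.51.100.7"))
```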

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user