On Sat, 16 Mar 2002, Joe Patterson wrote:

> I've done something similar, only I just used a network specifically for
> roadwarriors. My rules for this were something like:
>
> /sbin/iptables -t mangle -A PREROUTING -i ipsec0 -j MARK --set-mark 1
> /sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to 10.100.16.1-10.100.16.254
>
> Although the SAME target would probably be preferable to SNAT.
>
> This has a few advantages. One, you don't *have* to have this box as your
> gateway, you just put a route to, in my case 10.100.16.0/24, through your rw
> vpn box.
>
> One thing of note if you have the normal sort of roadwarriors (i.e., they
> have variable ip addresses). Because of what most consider a flaw in the
> IPSec specification, if you use pre-shared keys, you will have *one* PSK for
> *all* roadwarriors.

Not a flaw in IPSec, just a flaw in the implementation of whatever IPSec
implementation you are running. I have one PSK per remote site here and it
works perfectly. I use a hardware IPSec card to do all the work. Each
connection essentially has a full clone of the connection and can be started
and stopped at will.

> For this reason, it's often preferable to use RSA keys or certificates.
> And, to complicate matters even more, I'm not sure if the Mandrake rpms
> have x.509 certificate support compiled in. Of course you can do it
> however... but I did want to save you from the frustration of trying to
> figure out why multiple PSKs aren't working.
>
> -Joe
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vasiliy Boulytchev
> > Sent: Saturday, March 16, 2002 5:28 PM
> > To: Frank Fiene
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: modules
> >
> > Frank, and everyone
> >
> > I've just reinstalled Mandrake 8.1 (first time I ever dealt with Mandrake).
> > The reason I installed Mandrake is that it comes with Freeswan; that way
> > I don't need to recompile the kernel (like in RedHat) to get ipsec up.
> > Mandrake 8.1 comes with the 2.4.8 kernel.
> >
> > Here are my plans:
> > 1.) have this box as a gateway firewall
> > 2.) have IP Masq working properly
> > 3.) have FreeS/WAN VPN working in RoadWarrior mode and authenticate via shared secrets.
> > 4.) have RoadWarrior clients come in via IP Masq, no need to serve IPs.
> >
> > So here are my steps:
> > 1.) have this thing as a gateway first.
> > 2.) turn ipsec on
> > 3.) configure ipsec.conf and ipsec.secrets
> > 4.) masq everything from ipsec0 to eth1.
> >
> > If anyone has already played with this, let's hook up.
> > Also, if anyone has anything to add to this plan, please let me know :)
> >
> > Also, I've never really dealt with iptables. I'm RTFMing right now.
> > Any awesome links? Any table examples?
> >
> > Thanks list, you're great,
> >
> > Vasiliy Boulytchev
> > Colorado Information Technologies Inc.
> >
> > ----- Original Message -----
> > From: "Frank Fiene" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Saturday, March 16, 2002 2:38 PM
> > Subject: Re: modules
> >
> > > On Saturday, 16. March 2002 21:17, Vasiliy Boulytchev wrote:
> > > > Ladies and Gents,
> > > > When I installed iptables from source, I can't find
> > > > ipt_MASQUERADE.o, ipt_state.o, ipt_REJECT.o, ip_nat_ftp.o and so on.
> > > > Did the names change?
> > > > I search for them in such a manner:
> > > >
> > > > find /usr/src -name ipt_state.o
> > > >
> > > > I did uninstall the RPM before installing from source.
> > >
> > > You have made a kernel configuration with iptables?
> > > You have compiled iptables user space or what else?
> > >
> > > Very difficult to see what you have done!
> > >
> > > ff
> > > --
> > > SYNTAGS GmbH, Maerkische Str. 237, D-44141 Dortmund, Germany
> > > Security, Cryptography, Networks, Software Development
> > > http://www.syntags.de mailto:[EMAIL PROTECTED]

--------------------------------------------------
Matthew G. Marsh, President
Paktronix Systems LLC
1506 North 59th Street
Omaha NE 68104
Phone: (402) 932-7250 x101
Email: [EMAIL PROTECTED]
WWW: http://www.paktronix.com
--------------------------------------------------
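As an added example (not code from anyone in the thread), the mark-then-SNAT pattern Joe quotes, read back out of an `iptables-save` dump and checked for consistency: the MARK rule on ipsec0 and the SNAT rule keyed on the mark have to agree on the mark value, and the SNAT pool has to sit inside the network (10.100.16.0/24 in Joe's case) that the rest of the LAN routes through the VPN box, otherwise return traffic never finds its way back. The dump, the interface name and the pool are constructed from the two rules in the thread; accepting the SAME target and the newer `--set-xmark` / `0x1/0xffffffff` spelling is an assumption about how iptables-save renders these rules, not something the thread shows.

```python
"""Audit an iptables-save dump for the mark-then-SNAT roadwarrior pattern.

Added example, not code from the thread. Interface, pool and sample dump are
constructed from the rules Joe Patterson quoted.
"""
import ipaddress
import shlex
import sys

# Constructed sample in iptables-save syntax: Joe's two rules (iptables-save
# spells the SNAT option --to-source) plus an unrelated MASQUERADE rule.
SAMPLE_DUMP = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i ipsec0 -j MARK --set-mark 1
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 1 -j SNAT --to-source 10.100.16.1-10.100.16.254
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""

# Constructed misconfiguration: the SNAT rule keys on a mark nothing sets, so
# roadwarrior traffic never gets the dedicated pool address.
MISMATCHED_DUMP = SAMPLE_DUMP.replace("--mark 1 ", "--mark 2 ")


def parse_iptables_save(dump):
    """Return [{'table', 'chain', 'opts'}] for every -A line in the dump.

    opts maps each option ('-i', '--set-mark', ...) to its value string.
    Simplification: '!' negation and bare flags are not modelled.
    """
    rules, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # "*mangle", "*nat": table header
            table = line[1:]
            continue
        if not line.startswith("-A "):    # skip chain policies and COMMIT
            continue
        toks = shlex.split(line)
        opts, key = {}, None
        for tok in toks[2:]:
            if tok.startswith("-"):
                key = tok
                opts[key] = ""
            elif key is not None:
                opts[key] = (opts[key] + " " + tok).strip()
        rules.append({"table": table, "chain": toks[1], "opts": opts})
    return rules


def parse_mark(text):
    """'1' -> 1; '0x1/0xffffffff' (the --set-xmark rendering) -> 1."""
    return int(text.split("/")[0], 0)


def audit_roadwarrior_nat(dump, ipsec_if="ipsec0", rw_net="10.100.16.0/24"):
    """Return a list of problems; an empty list means the pattern is consistent."""
    rules = parse_iptables_save(dump)
    marks = [r for r in rules
             if r["table"] == "mangle" and r["chain"] == "PREROUTING"
             and r["opts"].get("-i") == ipsec_if and r["opts"].get("-j") == "MARK"]
    if not marks:
        return [f"no MARK rule in mangle PREROUTING for traffic entering {ipsec_if}"]
    o = marks[0]["opts"]
    mark = parse_mark(o.get("--set-mark") or o.get("--set-xmark") or "0")
    # The NAT rule must key on the same mark value the mangle rule sets.
    snats = [r for r in rules
             if r["table"] == "nat" and r["chain"] == "POSTROUTING"
             and r["opts"].get("-j") in ("SNAT", "SAME")
             and "--mark" in r["opts"] and parse_mark(r["opts"]["--mark"]) == mark]
    if not snats:
        return [f"no SNAT/SAME rule in nat POSTROUTING matching mark {mark}"]
    net = ipaddress.ip_network(rw_net)
    problems = []
    for r in snats:
        pool = r["opts"].get("--to-source") or r["opts"].get("--to") or ""
        lo, _, hi = pool.partition("-")
        try:
            lo_a, hi_a = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
        except ValueError:
            problems.append(f"unparseable address pool {pool!r}")
            continue
        if lo_a > hi_a:
            problems.append(f"inverted pool {pool}")
        # The LAN routes rw_net to the VPN box; a pool outside it is unreachable.
        if lo_a not in net or hi_a not in net:
            problems.append(f"pool {pool} is not inside {rw_net}")
    return problems


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for p in audit_roadwarrior_nat(data) or ["ok"]:
        print(p)
```

Pipe a real dump through it with `iptables-save | python3 audit.py`; with no input it audits the constructed sample.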