Re: VPN Newbie has a silly question

2003-01-12 Thread Louis LeBlanc
On 01/12/03 07:35 PM, Adam Maas sat at the `puter and typed:
> Big question is 'Is that Cisco box doing NAT?' If so, you might as well
> stick to SSH Tunneling, because IPSEC won't do encryption through a NAT'ing
> firewall. Solution 3 is to look to see if anybody ported the GRE (CISCO
> Proprietary VPN Protocol) support from Linux.

I don't think it is doing NAT - I'll check before investing long
nights into this.

And the Cisco client has been ported, but it hasn't been made to work
on FreeBSD in compatibility mode.  One of the folks I work with tried
for a while and gave up.  Something to do with a hardcoded ethernet
interface and some weirdness with making it configurable or changing
it at all.  I've never gotten a look at the code myself, but I've been
severely discouraged from attempting it.  I don't know why.

Thanks for the heads up.

Lou

> --Adam
> 
> - Original Message -
> From: "Louis LeBlanc" <[EMAIL PROTECTED]>
> To: "FreeBSD Questions" <[EMAIL PROTECTED]>
> Sent: Sunday, January 12, 2003 7:29 PM
> Subject: Re: VPN Newbie has a silly question
> 
> 
> > On 01/12/03 06:22 PM, Dru sat at the `puter and typed:
> > >
> > >
> > > On Sun, 12 Jan 2003, Louis LeBlanc wrote:
> > >
> > > > Here's a complicated VPN question:
> > > >
> > > > I have one FreeBSD machine behind a firewall (let's call it WORK),
> > > > only way thru is via VPN - unfortunately, the VPN in use is an old
> > > > proprietary Cisco deal that has no client ported to FreeBSD.
> > > >
> > > > The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> > > > but with the dns name served thru Zoneedit.com - so anytime the IP
> > > > changes, there's maybe an hour or two of lag time while the auto
> > > > update scripts get the dns back on track.
> > > >
> > > > What I want to do is initiate a VPN connection from WORK to HOME, and
> > > > here's where I show my VPN ignorance, connect thru that VPN connection
> > > > from HOME to WORK.  Basically I want to work from home on a secure
> > > > connection rather than just getting my work machine to pop a terminal
> > > > up on the home display over an insecure connection.
> > > >
> > > > I suspect this won't work this way, but I figure what the hell.  The
> > > > worst that can happen is someone tells me I'm a dope and it don't work
> > > > that way.
> > > >
> > > > So will it, or not?
> > >
> > >
> > > It should be doable. You may have less hair than you started out with and
> > > learn more than you ever cared to about IPSec on the way to getting it to work,
> > > but it should work.
> >
> > Ok, then no deadlines . . .  Thanks!
> >
> > > Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
> > > difference) Do you have the flexibility of getting its admin to create the
> > > necessary IPSec policy and access lists to allow you through? Is your new
> > > IP address always within the same network range? (that will make access
> > > lists much easier)
> >
> > No, it's a Cisco 5000, or some such thing.  It isn't IPSEC compliant,
> > but has like 2 general passwords - in addition to the user password.
> > There was supposed to be some promotion from Cisco to upgrade it last
> > year, with free hardware, but our sysadmins were swamped at the time
> > and decided against it.  Had they had the time, it would have become
> > IPSEC compliant.
> >
> > > These will get you started:
> > >
> > > klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
> > >
> > > www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html
> > >
> > > you want SC: Part 4: IP Security and Encryption
> > >
> > > Make sure you create a "dynamic" crypto map in addition to the regular
> > > crypto map. Authentication may prove interesting due to the dynamic IP;
> > > you'll want to read up carefully on your possibilities.
> > >
> > > As a side note, it may prove easier to just configure ssh on the
> > > destination computer and create the necessary rule to allow the
> > > connection on the access list on the Cisco thingie. Just a thought.
> > >
> > > Good luck,
> > >
> > > Dru
> >
> > I'll start on tha

Re: VPN Newbie has a silly question

2003-01-12 Thread Adam Maas
Big question is 'Is that Cisco box doing NAT?' If so, you might as well
stick to SSH Tunneling, because IPSEC won't do encryption through a NAT'ing
firewall. Solution 3 is to look to see if anybody ported the GRE (CISCO
Proprietary VPN Protocol) support from Linux.

--Adam

- Original Message -
From: "Louis LeBlanc" <[EMAIL PROTECTED]>
To: "FreeBSD Questions" <[EMAIL PROTECTED]>
Sent: Sunday, January 12, 2003 7:29 PM
Subject: Re: VPN Newbie has a silly question


> On 01/12/03 06:22 PM, Dru sat at the `puter and typed:
> >
> >
> > On Sun, 12 Jan 2003, Louis LeBlanc wrote:
> >
> > > Here's a complicated VPN question:
> > >
> > > I have one FreeBSD machine behind a firewall (let's call it WORK),
> > > only way thru is via VPN - unfortunately, the VPN in use is an old
> > > proprietary Cisco deal that has no client ported to FreeBSD.
> > >
> > > The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> > > but with the dns name served thru Zoneedit.com - so anytime the IP
> > > changes, there's maybe an hour or two of lag time while the auto
> > > update scripts get the dns back on track.
> > >
> > > What I want to do is initiate a VPN connection from WORK to HOME, and
> > > here's where I show my VPN ignorance, connect thru that VPN connection
> > > from HOME to WORK.  Basically I want to work from home on a secure
> > > connection rather than just getting my work machine to pop a terminal
> > > up on the home display over an insecure connection.
> > >
> > > I suspect this won't work this way, but I figure what the hell.  The
> > > worst that can happen is someone tells me I'm a dope and it don't work
> > > that way.
> > >
> > > So will it, or not?
> >
> >
> > It should be doable. You may have less hair than you started out with and
> > learn more than you ever cared to about IPSec on the way to getting it to work,
> > but it should work.
>
> Ok, then no deadlines . . .  Thanks!
>
> > Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
> > difference) Do you have the flexibility of getting its admin to create the
> > necessary IPSec policy and access lists to allow you through? Is your new
> > IP address always within the same network range? (that will make access
> > lists much easier)
>
> No, it's a Cisco 5000, or some such thing.  It isn't IPSEC compliant,
> but has like 2 general passwords - in addition to the user password.
> There was supposed to be some promotion from Cisco to upgrade it last
> year, with free hardware, but our sysadmins were swamped at the time
> and decided against it.  Had they had the time, it would have become
> IPSEC compliant.
>
> > These will get you started:
> >
> > klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
> >
> > www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html
> >
> > you want SC: Part 4: IP Security and Encryption
> >
> > Make sure you create a "dynamic" crypto map in addition to the regular
> > crypto map. Authentication may prove interesting due to the dynamic IP;
> > you'll want to read up carefully on your possibilities.
> >
> > As a side note, it may prove easier to just configure ssh on the
> > destination computer and create the necessary rule to allow the
> > connection on the access list on the Cisco thingie. Just a thought.
> >
> > Good luck,
> >
> > Dru
>
> I'll start on that.  What I'll do is look out for a connection failure
> hook of sorts, and just write a script to reinitialize the connection
> when the IP changes.  Shouldn't be too hard to monitor that and write
> a catch script to fix the configs and reestablish the connection.
>
> Thanks a bunch.
> Lou
> --
> Louis LeBlanc   [EMAIL PROTECTED]
> Fully Funded Hobbyist, KeySlapper Extraordinaire :)
> http://www.keyslapper.org
>
> nolo contendere:
>   A legal term meaning: "I didn't do it, judge, and I'll never do it again."
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-questions" in the body of the message
>





Re: VPN Newbie has a silly question

2003-01-12 Thread Louis LeBlanc
On 01/12/03 06:22 PM, Dru sat at the `puter and typed:
> 
> 
> On Sun, 12 Jan 2003, Louis LeBlanc wrote:
> 
> > Here's a complicated VPN question:
> >
> > I have one FreeBSD machine behind a firewall (let's call it WORK),
> > only way thru is via VPN - unfortunately, the VPN in use is an old
> > proprietary Cisco deal that has no client ported to FreeBSD.
> >
> > The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> > but with the dns name served thru Zoneedit.com - so anytime the IP
> > changes, there's maybe an hour or two of lag time while the auto
> > update scripts get the dns back on track.
> >
> > What I want to do is initiate a VPN connection from WORK to HOME, and
> > here's where I show my VPN ignorance, connect thru that VPN connection
> > from HOME to WORK.  Basically I want to work from home on a secure
> > connection rather than just getting my work machine to pop a terminal
> > up on the home display over an insecure connection.
> >
> > I suspect this won't work this way, but I figure what the hell.  The
> > worst that can happen is someone tells me I'm a dope and it don't work
> > that way.
> >
> > So will it, or not?
> 
> 
> It should be doable. You may have less hair than you started out with and
> learn more than you ever cared to about IPSec on the way to getting it to work,
> but it should work.

Ok, then no deadlines . . .  Thanks!

> Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
> difference) Do you have the flexibility of getting its admin to create the
> necessary IPSec policy and access lists to allow you through? Is your new
> IP address always within the same network range? (that will make access
> lists much easier)

No, it's a Cisco 5000, or some such thing.  It isn't IPSEC compliant,
but has like 2 general passwords - in addition to the user password.
There was supposed to be some promotion from Cisco to upgrade it last
year, with free hardware, but our sysadmins were swamped at the time
and decided against it.  Had they had the time, it would have become
IPSEC compliant.

> These will get you started:
> 
> klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
> 
> 
> www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html
> 
> you want SC: Part 4: IP Security and Encryption
> 
> Make sure you create a "dynamic" crypto map in addition to the regular
> crypto map. Authentication may prove interesting due to the dynamic IP;
> you'll want to read up carefully on your possibilities.
> 
> As a side note, it may prove easier to just configure ssh on the
> destination computer and create the necessary rule to allow the
> connection on the access list on the Cisco thingie. Just a thought.
> 
> Good luck,
> 
> Dru

I'll start on that.  What I'll do is look out for a connection failure
hook of sorts, and just write a script to reinitialize the connection
when the IP changes.  Shouldn't be too hard to monitor that and write
a catch script to fix the configs and reestablish the connection.

Thanks a bunch.
Lou
-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

nolo contendere:
  A legal term meaning: "I didn't do it, judge, and I'll never do it again."

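Adam's SSH-tunnelling suggestion and Lou's plan to script the reconnect, put together as an added example (this is not code from any of the posts). It does the thing Lou originally asked about: WORK opens the connection out to HOME, and from HOME you ride back through it to WORK. Because it is a plain outbound TCP connection from WORK, it works whether or not the Cisco box is doing NAT, as long as outbound SSH is allowed. The hostname home.example.net, the account "lou", the key path and the port 2222 are assumptions, as is the presence of `host` for the DNS lookup.

```shell
#!/bin/sh
# Keep a reverse SSH tunnel from WORK out to HOME, retrying when it drops.
# Added example for this thread, not code from any of the posts.  Assumed
# names: home.example.net (the Zoneedit name for HOME), account "lou" on
# HOME, key file ~/.ssh/work_tunnel on WORK, loopback port 2222 on HOME.

HOME_HOST="${HOME_HOST:-home.example.net}"
HOME_USER="${HOME_USER:-lou}"
TUNNEL_KEY="${TUNNEL_KEY:-$HOME/.ssh/work_tunnel}"
LISTEN_PORT="${LISTEN_PORT:-2222}"
RETRY_SEC="${RETRY_SEC:-30}"

# Pull the A record out of `host -t A NAME` output (read from stdin so it
# can be checked against saved text).  Prints nothing on NXDOMAIN.
a_record() {
    awk '$2 == "has" && $3 == "address" { print $4; exit }'
}

# The ssh command line, printed so it can be inspected.  Args: key port user host.
#  -N                     no shell on HOME, only the forwarding
#  -R 127.0.0.1:PORT:127.0.0.1:22
#                         HOME listens on loopback only; on HOME,
#                         "ssh -p PORT localhost" then lands on WORK's sshd
#  BatchMode              never prompt; this runs unattended
#  StrictHostKeyChecking  HOME's host key must already be in known_hosts;
#                         a changed key is a reason to stop, not to reconnect
#  CheckHostIP=no         HOME's address changes by design, so verify the
#                         key against the name only, not the IP
#  ExitOnForwardFailure   quit (and so retry) if PORT is still held by a
#                         dead session on HOME
#  ServerAlive*           notice a dead link in about three minutes
tunnel_cmd() {
    printf "ssh -N -i '%s' -o BatchMode=yes -o StrictHostKeyChecking=yes -o CheckHostIP=no -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -R 127.0.0.1:%s:127.0.0.1:22 %s@%s" \
        "$1" "$2" "$3" "$4"
}

# When HOME's IP changes, the TCP session dies, the keepalives fail, ssh
# exits, and the next pass resolves the name afresh.  While Zoneedit still
# serves the old address the attempt just fails and we wait; a missing
# record is reported separately so the log shows which case it was.
main() {
    while :; do
        addr="$(host -t A "$HOME_HOST" 2>/dev/null | a_record)"
        if [ -z "$addr" ]; then
            echo "no A record for $HOME_HOST yet, waiting ${RETRY_SEC}s" >&2
        else
            echo "connecting to $HOME_USER@$HOME_HOST ($addr)" >&2
            eval "$(tunnel_cmd "$TUNNEL_KEY" "$LISTEN_PORT" "$HOME_USER" "$HOME_HOST")"
            echo "tunnel exited (status $?), retrying in ${RETRY_SEC}s" >&2
        fi
        sleep "$RETRY_SEC"
    done
}

# Constructed `host` output for the self-test; not captured from a real zone.
SAMPLE_HOST_OK='home.example.net has address 203.0.113.7'
SAMPLE_HOST_NX='Host home.example.net not found: 3(NXDOMAIN)'

selftest() {
    [ "$(printf '%s\n' "$SAMPLE_HOST_OK" | a_record)" = "203.0.113.7" ] || return 1
    [ -z "$(printf '%s\n' "$SAMPLE_HOST_NX" | a_record)" ] || return 1
    case "$(tunnel_cmd /k 2222 lou home.example.net)" in
        *"-R 127.0.0.1:2222:127.0.0.1:22 lou@home.example.net") ;;
        *) return 1 ;;
    esac
}

case "${1:-}" in
    run)  main ;;
    test) selftest && echo selftest ok ;;
esac
```

Run it on WORK as `sh reverse-tunnel.sh run` (from an rc script or a cron `@reboot` line) and, once it is up, log in from HOME with `ssh -p 2222 localhost`; that session is WORK's own sshd, so WORK's usual password or key policy still gates the login. HOME becomes the way in to WORK, so treat it accordingly: put the WORK key in HOME's authorized_keys with `no-pty,no-X11-forwarding,no-agent-forwarding` (newer OpenSSH also has `restrict,port-forwarding,permitlisten="127.0.0.1:2222"`), leave `GatewayPorts` at its default of off so the listener never leaves loopback, and keep `StrictHostKeyChecking` on; with a dynamic address a changed host key is the one signal you have that someone else is answering for HOME.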



Re: VPN Newbie has a silly question

2003-01-12 Thread Dru


On Sun, 12 Jan 2003, Louis LeBlanc wrote:

> Here's a complicated VPN question:
>
> I have one FreeBSD machine behind a firewall (let's call it WORK),
> only way thru is via VPN - unfortunately, the VPN in use is an old
> proprietary Cisco deal that has no client ported to FreeBSD.
>
> The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> but with the dns name served thru Zoneedit.com - so anytime the IP
> changes, there's maybe an hour or two of lag time while the auto
> update scripts get the dns back on track.
>
> What I want to do is initiate a VPN connection from WORK to HOME, and
> here's where I show my VPN ignorance, connect thru that VPN connection
> from HOME to WORK.  Basically I want to work from home on a secure
> connection rather than just getting my work machine to pop a terminal
> up on the home display over an insecure connection.
>
> I suspect this won't work this way, but I figure what the hell.  The
> worst that can happen is someone tells me I'm a dope and it don't work
> that way.
>
> So will it, or not?


It should be doable. You may have less hair than you started out with and
learn more than you ever cared to about IPSec on the way to getting it to work,
but it should work.

Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
difference) Do you have the flexibility of getting its admin to create the
necessary IPSec policy and access lists to allow you through? Is your new
IP address always within the same network range? (that will make access
lists much easier)

These will get you started:

klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm

www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html

you want SC: Part 4: IP Security and Encryption

Make sure you create a "dynamic" crypto map in addition to the regular
crypto map. Authentication may prove interesting due to the dynamic IP;
you'll want to read up carefully on your possibilities.

As a side note, it may prove easier to just configure ssh on the
destination computer and create the necessary rule to allow the
connection on the access list on the Cisco thingie. Just a thought.

Good luck,

Dru




VPN Newbie has a silly question

2003-01-12 Thread Louis LeBlanc
Here's a complicated VPN question:

I have one FreeBSD machine behind a firewall (let's call it WORK),
only way thru is via VPN - unfortunately, the VPN in use is an old
proprietary Cisco deal that has no client ported to FreeBSD.

The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
but with the dns name served thru Zoneedit.com - so anytime the IP
changes, there's maybe an hour or two of lag time while the auto
update scripts get the dns back on track.

What I want to do is initiate a VPN connection from WORK to HOME, and
here's where I show my VPN ignorance, connect thru that VPN connection
from HOME to WORK.  Basically I want to work from home on a secure
connection rather than just getting my work machine to pop a terminal
up on the home display over an insecure connection.

I suspect this won't work this way, but I figure what the hell.  The
worst that can happen is someone tells me I'm a dope and it don't work
that way.

So will it, or not?

TIA
Lou
-- 
Louis LeBlanc   [EMAIL PROTECTED]
Fully Funded Hobbyist, KeySlapper Extraordinaire :)
http://www.keyslapper.org

Lubarsky's Law of Cybernetic Entomology:
  There's always one more bug.
