* VPN question
From: patrick kuah @ 2003-10-14 10:19 UTC (permalink / raw)
To: netfilter
Hi all,
I have configured a SNAT rule in my iptables but after configuring, I can't
VPN to my server which resides on another network.
Do I need to add a rule for VPN traffic to flow through the SNAT? If yes, what
are the rules?
Thanks for all the help.
patrick
* Re: VPN question
From: Chris Brenton @ 2003-10-14 10:44 UTC (permalink / raw)
To: patrick kuah; +Cc: netfilter
On Tue, 2003-10-14 at 06:19, patrick kuah wrote:
> Hi all,
>
> I have configured a SNAT rule in my iptables but after configuring, i can't
> VPN to my server which reside on another network.
Do you see this traffic being dropped by your logs?
> Do i need to add rule for VPN traffic to flow through the SNAT? If yes, what
> are the rule?
VPN is a generic term. What kind of VPN are you talking about? IPSec?
PPTP? SSL?
If you mean IPSec, you need to open UDP/500 to UDP/500 as well as
protocol 50. You also want to make sure that IPSec/IKE is only
negotiating ESP as a security service, not AH.
HTH,
C
* Re: VPN question
From: patrick kuah @ 2003-10-14 15:25 UTC (permalink / raw)
To: cbrenton; +Cc: netfilter
Thanks Chris :)
I'm using IPsec. Currently, my iptables is configured using stateful packet
inspection.
Do I have to add the rules for port TCP/UDP 50 and TCP 50 ???
Thank you :)
patrick
* Re: VPN question
From: Chris Brenton @ 2003-10-14 17:45 UTC (permalink / raw)
To: patrick kuah; +Cc: netfilter
On Tue, 2003-10-14 at 11:25, patrick kuah wrote:
> Thanks Chris :)
Glad to! :)
>
> I'm using ipsec. Currently, my iptables is configured using stateful packet
> inspection.
You still need to open the correct ports as well as create the proper DNAT
and SNAT rules.
> Do i have to add the rules for port TCP/UDP 50 and TCP 50 ???
> Thank you :)
Here's what you need to open up:
1) IKE to and from your IPSec gateway. something like:
# chain is FORWARD when the IPSec gateway sits behind the firewall
iptables -A FORWARD -p udp -s 0/0 --sport 500 -d 192.168.1.10 --dport 500 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.10 --sport 500 -d 0/0 --dport 500 -j ACCEPT
2) Protocol 50 (ESP) to and from the gateway
iptables -A FORWARD -p 50 -d 192.168.1.10 -j ACCEPT
iptables -A FORWARD -p 50 -s 192.168.1.10 -j ACCEPT
Again, make sure your clients are not negotiating Authentication Header
(AH). If you try the above and you log drops to protocol 51, AH is being
negotiated.
HTH,
C
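An added example (not Chris's rules, nor anything from the list): a complete passthrough ruleset in the same style for an IPsec gateway at 192.168.1.10 behind a netfilter firewall that SNATs the LAN, which is the setup the original question describes. It assumes the public interface is eth0 and uses 203.0.113.1 as a placeholder public address; it also opens UDP/4500 for NAT-T (which comes up later in the thread) and logs AH instead of silently dropping it, so the protocol 51 check Chris describes shows up in the kernel log.

```shell
#!/bin/sh
# Added example, not from the list posts. Builds iptables rules that let an
# IPsec gateway behind a SNATing netfilter firewall negotiate IKE and carry
# ESP, while logging AH so a wrong negotiation is visible in the kernel log.
# Assumptions: gateway 192.168.1.10 (address used in the post), public
# interface eth0, placeholder public address 203.0.113.1.
#
# IPT defaults to a dry run that prints the commands; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

ipsec_passthrough() {
    gw="$1"      # inside address of the IPsec gateway
    pub="$2"     # public address that remote peers connect to
    wan="$3"     # public-facing interface

    # Inbound from any peer: IKE (UDP/500), NAT-T (UDP/4500) and ESP (proto 50)
    # are DNATed to the gateway before the FORWARD chain sees them.
    $IPT -t nat -A PREROUTING -i "$wan" -p udp --dport 500  -d "$pub" -j DNAT --to-destination "$gw"
    $IPT -t nat -A PREROUTING -i "$wan" -p udp --dport 4500 -d "$pub" -j DNAT --to-destination "$gw"
    $IPT -t nat -A PREROUTING -i "$wan" -p 50 -d "$pub" -j DNAT --to-destination "$gw"

    # FORWARD: IKE and NAT-T in both directions. Only the destination port is
    # matched, because a peer that is itself behind NAT may not keep source
    # port 500.
    $IPT -A FORWARD -p udp -d "$gw" --dport 500  -j ACCEPT
    $IPT -A FORWARD -p udp -s "$gw" --dport 500  -j ACCEPT
    $IPT -A FORWARD -p udp -d "$gw" --dport 4500 -j ACCEPT
    $IPT -A FORWARD -p udp -s "$gw" --dport 4500 -j ACCEPT
    # ESP payload, both directions
    $IPT -A FORWARD -p 50 -d "$gw" -j ACCEPT
    $IPT -A FORWARD -p 50 -s "$gw" -j ACCEPT

    # AH (proto 51) is not allowed through; log it so a peer that negotiated
    # AH instead of ESP is visible in the kernel log.
    $IPT -A FORWARD -p 51 -j LOG --log-prefix "IPSEC-AH-DROP: "
    $IPT -A FORWARD -p 51 -j DROP

    # Everything leaving the WAN side, the gateway included, is SNATed to the
    # one public address. With a single public address only one inside host
    # can own the IKE/ESP mapping, so keep one IPsec gateway behind it.
    $IPT -t nat -A POSTROUTING -o "$wan" -j SNAT --to-source "$pub"
}

ipsec_passthrough 192.168.1.10 203.0.113.1 eth0
```

Run it as-is to review the generated commands, then with IPT=iptables (as root) to apply them.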
* Re: SSH allow only form selected IP'
From: luke @ 2004-08-15 14:59 UTC (permalink / raw)
To: linux-admin
I'm definitely not a firewall expert, but isn't it also possible to
get around ipchains using IP spoofing? From what I know ipchains is only
protected against spoofing by using source address verification.
Or am I way off?
Luke
> luke@techfreak.org wrote:
>
>>One very effective way that I have found to do this is to use the
'hosts.allow' file located at /etc/hosts.allow
> hosts.allow is NOT secure. You can easily spoof the IP addresses
contained within it. You should not use it.
>
> Regards
>
> James
>
>
* Re: SSH allow only form selected IP'
From: James Turnbull @ 2004-08-16 11:23 UTC (permalink / raw)
To: luke; +Cc: linux-admin
luke@techfreak.org wrote:
>I'm definitely not a firewall expert, but isn't it also possible to
>get around
>IPchains using IP spoofing? From what I know ipchains is only
>protected against spoofing by using source address verification.
>
>Or am I way off?
>
>Luke
>
>
A little off. :) Yes you can spoof iptables but not nearly as easily as
hosts.allow can be spoofed. hosts.allow's verification procedures are
considerably less sophisticated than those of iptables.
Regards
James
P.S. Generally Ipchains has been replaced by Iptables.
* Re[2]: SSH allow only form selected IP'
From: Kev @ 2004-08-16 13:37 UTC (permalink / raw)
To: linux-admin
I did both, I blocked IPs with iptables and I also configured the SSH daemon
to only allow connections from given IPs.
My server was down like 2-3 times a week due to DDOS attacks or someone
running an attack on my SSH; now the server seems to be running fine.
Oh yeah, and I also blocked all ICMP communication and only allowed it from
my IP only :)
* VPN question
From: Tony Gogoi @ 2004-08-16 16:30 UTC (permalink / raw)
To: linux-admin
Hello,
Right now when we use the VPN each of our computers needs a unique
external IP-address to communicate with the server.
To overcome the problem of having a few external IP addresses,
I was wondering if there's any software that would map all clients'
external IP addresses to one unique IP address and communicate with the
server through another software that would "decrypt" the unique IP address
into individual ones.
Regards,
Tony Gogoi
* Re: VPN question
From: Adam Lang @ 2004-08-16 17:29 UTC (permalink / raw)
To: linux-admin
Obvious first question is: why is it a problem?
* Re: VPN question
From: Tony Gogoi @ 2004-08-16 18:50 UTC (permalink / raw)
To: Adam Lang; +Cc: linux-admin
Hi Adam,
I'm not too familiar with VPNs.
But our PCs sit on a LAN behind a firewall. A few PCs are VPN clients.
Right now we have configured our firewall to map VPN clients on the
private LAN to static external IP addresses. The rest of the PCs on the
LAN are mapped to a single IP address. We are running out of external IP
addresses. I was wondering if there was a way out instead of having to buy
more IP addresses.
So, I was wondering if there's a setup that could make our PCs connect
to some sort of VPN server at our end which would act as a gateway to the
actual server located far away.
Regards,
Tony
Tony Gogoi
* Re: VPN question
From: Adam Lang @ 2004-08-16 18:59 UTC (permalink / raw)
Cc: linux-admin
Ok, so you are CLIENTS connecting to a VPN server. That whole scenario you
were speaking of is called NAT (private IP addresses are mapped to a single
public IP address; the router/firewall keeps track of the connections).
That is not the problem though. The issue is that some encryption
technologies do not allow the connections to be NATed because your data
packets are "mangled" to achieve this, and the encryption protocol requires
packets to be unmodified so as to verify integrity.
You have two options. The first option is to get the people hosting the VPN
server to change what they are doing into something more NAT friendly (but
loses a level of security), or work with them to set up a VPN server in your
network that builds a connection with their VPN server. Then, you set up
info on your routing tables to route over it. This way, you have a single
VPN connection, and all your clients send data over it.
* Re: VPN question
From: urgrue @ 2004-08-17 8:51 UTC (permalink / raw)
To: linux-admin; +Cc: Tony Gogoi
This is all true, but one thing to check before embarking on this
rather large project is whether your VPN falls into this category of
"can't be NATted VPNs" in the first place.
Of the VPN solutions I've used, only IPSEC minds if the IPs are NATted,
and if I remember correctly, IPSEC minds even if it's a one-to-one NAT.
So I'd suggest you simply configure your router/firewall to NAT all
those internal IPs to the same external IP and see if it works, before
starting to set up a more complicated solution.
* Re: VPN question
From: Adam Lang @ 2004-08-17 12:55 UTC (permalink / raw)
To: linux-admin
Exactly. The best solution is to just talk to the VPN people and find out
what their setup is. VPN is a broad and vague term and can mean anything.
* Re: VPN question
From: Michael H. Warfield @ 2004-08-20 1:42 UTC (permalink / raw)
To: urgrue; +Cc: linux-admin, Tony Gogoi
On Tue, Aug 17, 2004 at 11:51:03AM +0300, urgrue wrote:
> This is all true, but one thing to check before embarking on this
> rather large project is whether your VPN fall into this category of
> "cant be NATted VPNs" in the first place.
> Of the VPN solutions I've used, only IPSEC minds if the IPs are NATted.
> and if I remember correctly, IPSEC minds even if its a one-to-one NAT.
IPSec NAT-T works great over NAT devices (can even be double
NAT'ed) and over firewalls. Even Windows XP supports it. Runs over
UDP port 4500 for both IKE and AH/ESP and few firewalls or NAT devices
even blink.
Simple FreeS/WAN - no
Super FreeS/WAN - yes
StrongSWAN - yes
OpenSWAN - yes
KAME - yes
Raccoon - YES!
2.4.x kernel with KLIPS - qualified yes (anything other than simple FS)
2.4.x kernel with IPSec Backport - yes
2.6 kernel - absolutely
All of the above "yes" interoperate (as well as they do without NAT-T)
IPv4 - Yes
IPv6 - No (think about it, why would you need it?)
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
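An added example, not from any post in the thread: a small shell/awk classifier for iptables LOG lines that reports which IPsec component the firewall is dropping. It covers both the "log drops to protocol 51 means AH is being negotiated" check from the first thread and the UDP/4500 NAT-T traffic Mike describes. The log lines are constructed in the kernel LOG format; the IPT-DROP: prefix and the addresses are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the list posts. Classifies dropped-packet lines from
# an iptables LOG target so you can tell which IPsec component the firewall is
# blocking (IKE, NAT-T, ESP or AH). Assumption: the LOG rules use the prefix
# "IPT-DROP: ". The sample below is constructed in the kernel LOG style; the
# kernel prints PROTO=ESP / PROTO=AH for 50 / 51, but older or other builds may
# print the raw number, so both spellings are handled.
SAMPLE_LOG='Oct 14 10:20:01 fw kernel: IPT-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.10 LEN=84 TTL=52 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=64
Oct 14 10:20:02 fw kernel: IPT-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.10 LEN=96 TTL=52 ID=0 DF PROTO=AH SPI=0x00001234
Oct 14 10:20:03 fw kernel: IPT-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.10 LEN=140 TTL=52 ID=0 DF PROTO=ESP SPI=0x0000abcd
Oct 14 10:20:04 fw kernel: IPT-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.10 LEN=120 TTL=52 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=100
Oct 14 10:20:05 fw kernel: IPT-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.10 LEN=60 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840
Oct 14 10:20:06 fw kernel: IPT-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.1.10 LEN=96 TTL=52 ID=0 DF PROTO=51'

# Reads LOG lines on stdin and prints one "CATEGORY count" line per category.
classify_ipsec_drops() {
    grep 'IPT-DROP:' | awk '
    {
        proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (proto == "UDP" && dpt == "500")       n["IKE"]++
        else if (proto == "UDP" && dpt == "4500") n["NAT-T"]++
        else if (proto == "ESP" || proto == "50") n["ESP"]++
        else if (proto == "AH"  || proto == "51") n["AH"]++
        else                                      n["OTHER"]++
    }
    END { for (k in n) print k, n[k] }' | sort
}

# Turns the counts into the diagnosis the thread gives: AH drops mean the peer
# negotiated AH rather than ESP; NAT-T drops mean UDP/4500 must be opened too.
ipsec_drop_advice() {
    classify_ipsec_drops | while read -r category cnt; do
        case "$category" in
            AH)    echo "AH: $cnt drops - peer is negotiating AH (proto 51); have it negotiate ESP instead" ;;
            ESP)   echo "ESP: $cnt drops - protocol 50 is not accepted" ;;
            IKE)   echo "IKE: $cnt drops - UDP/500 is not accepted" ;;
            NAT-T) echo "NAT-T: $cnt drops - UDP/4500 (NAT-T) is not accepted" ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_LOG" | ipsec_drop_advice
```

On a live box, feed it the real log instead: `grep 'IPT-DROP:' /var/log/messages | ipsec_drop_advice`.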
* VPN question
From: Tony Gogoi @ 2004-09-22 13:55 UTC (permalink / raw)
To: linux-admin
Hello,
Can multiple IPSEC VPN clients (road-warrior type & private IP addresses)
connect to a VPN server from behind a NAT firewall?
The reason I pose this is: We have a linux firewall (not VPN gateway). As
long as a private internal IP address is NAT'ed to a unique external
address on the outgoing interface of the firewall, things are normal.
But if more than one VPN client from the private network gets masqueraded
to the outgoing interface, authentication is not even possible. This is
observed from TCPdump. Reason:
Let the outgoing interface of the firewall be 28.29.30.31.
Let there be 2 VPN clients: 192.168.17.20 and 192.168.17.40.
Then the first client (say 192.168.17.20) which requests authentication
from the remote VPN server (there is no VPN gateway at our end) sends a
request from 192.168.17.20, port isakmp. The firewall on its behalf sends a
request from 28.29.30.31, port isakmp, and the remote VPN server responds
correctly to 28.29.30.31, port isakmp, and the client is authenticated.
The 2nd client sends a request from 192.168.17.40, port isakmp. The
firewall cannot reuse port isakmp and instead sends an authentication
request from 28.29.30.31, port 12 (say). The remote VPN server INCORRECTLY
responds to 28.29.30.31, port isakmp, where it should have responded to port
12 of our firewall !!! So the firewall passes on the packet to the first
VPN client (which is already authenticated).
Is it part of VPN protocol for a VPN server to reply authentication
requests to port isakmp? Or is it a configuration issue for the remote VPN
server?
Regards,
Tony
* Re: VPN question
From: Tony Gogoi @ 2004-09-22 21:42 UTC (permalink / raw)
To: linux-admin
Looks like the linux kernel will have to be patched. ISAKMP (key-exchange)
protocol uses protocol 50 which is unsupported by the kernel.
Tony Gogoi
* VPN question
From: Sunny Shum @ 2004-10-06 19:35 UTC (permalink / raw)
To: netfilter
Hello,
I am a newbie to the VPN setup. Currently, my company has a Windows 2003
server behind a firewall (running iptables on RedHat 9). I need to setup
VPN for a few executives so they can access the servers from home or on the
road. I did some research and came to 3 options:
1. Run the VPN from the Windows 2003 server
2. OpenVPN
3. OpenSWAN or StrongSWAN
My questions are:
1. Is this the right place to ask questions regarding VPN, since this is
mainly an iptables-related list? If not, can someone direct me to a
forum/list which will be helpful? I really enjoy the information provided
by this list's members.
2. If I choose option #2 or #3 above, how do I set it up? I read the HOWTO
documents, but I am not sure where I should install the server side of the
VPN. Do I install it on the firewall box? Or the Windows 2003 box?
Thanks!
Regards,
Sunny
* Re: VPN question
From: Jason Opperisano @ 2004-10-06 19:58 UTC (permalink / raw)
To: netfilter
On Wed, 2004-10-06 at 15:35, Sunny Shum wrote:
> Hello,
>
> I am a newbie to the VPN setup. Currently, my company has a Windows 2003
> server behind a firewall (running iptables on RedHat 9). I need to setup
> VPN for a few executives so they can access the servers from home or on the
> road. I did some research and came to 3 options:
>
> 1. Run the VPN from the Windows 2003 server
don't do this.
> 2. OpenVPN
this is a nice option--not super scalable though.
> 3. OpenSWAN or StrongSWAN
i prefer open to strong, FWIW.
> My questions are:
>
> 1. Is this the right place to ask questions regarding VPN, since this is
> mainly an iptables-related list?
not really.
> If not, can someone direct me to a
> forum/list which will be helpful? I really enjoy the information provide
> from this list members.
start by reading:
http://wiki.openswan.org/index.php/FAQ
then look through the archives/join:
http://lists.openswan.org/mailman/listinfo/users
> 2. If I choose option #2 or #3 above, how to set it up? I read the HOWTO
> documents, but I am not sure where I should install the server side of the
> VPN. Do I install it on the firewall box? Or the Windows 2003 box?
the firewall box would be a more logical choice, IMHO.
-j
--
Jason Opperisano <opie@817west.com>