* CISCO VPN clients behind firewall
@ 2004-05-05 0:21 bino_oetomo
2004-05-05 0:53 ` Antony Stone
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: bino_oetomo @ 2004-05-05 0:21 UTC (permalink / raw)
To: netfilter
Hi All
Is there any clue/docs on how to let multiple clients behind a firewall
connect to a Cisco VPN concentrator?
Sincerely
-bino-
^ permalink raw reply [flat|nested] 8+ messages in thread

* Re: CISCO VPN clients behind firewall
  2004-05-05  0:21 CISCO VPN clients behind firewall bino_oetomo
@ 2004-05-05  0:53 ` Antony Stone
  2004-05-05  1:34   ` bino_oetomo
  2004-05-05  5:10 ` Andrew E. Mileski
  2004-05-05 15:20 ` John A. Sullivan III
  2 siblings, 1 reply; 8+ messages in thread
From: Antony Stone @ 2004-05-05  0:53 UTC (permalink / raw)
To: netfilter

On Wednesday 05 May 2004 1:21 am, bino_oetomo wrote:

> Hi All
>
> Is there any clue/docs on how to let multiple clients behind firewall
> connecting to CISCO vpn concentrator ?

As far as I know, Cisco VPNs use IPsec - no problem there for netfilter
(although maybe problems if you're using transport mode and doing NAT).

If you're not using IPsec, then what protocol/s are you talking about here?

If you don't know what the problem with netfilter is, add some LOGging rules
to your FORWARD chain so you can see what's trying to get through (and
failing).

Antony.

--
You can spend the whole of your life trying to be popular, but at the end of
the day the size of the crowd at your funeral will be largely dictated by the
weather. - Frank Skinner

Please reply to the list; please don't CC me.

^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CISCO VPN clients behind firewall
  2004-05-05  0:53 ` Antony Stone
@ 2004-05-05  1:34 ` bino_oetomo
  2004-05-05  3:38   ` Marek Dohojda
  0 siblings, 1 reply; 8+ messages in thread
From: bino_oetomo @ 2004-05-05  1:34 UTC (permalink / raw)
To: netfilter

Dear Antony

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, May 05, 2004 7:53 AM
Subject: Re: CISCO VPN clients behind firewall

> As far as I know, Cisco VPNs use IPsec - no problem there for netfilter
> (although maybe problems if you're using transport mode and doing NAT).

Yes, actually it's "behind NAT" rather than just "behind firewall".

Sincerely
-bino-

^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CISCO VPN clients behind firewall
  2004-05-05  1:34 ` bino_oetomo
@ 2004-05-05  3:38 ` Marek Dohojda
  0 siblings, 0 replies; 8+ messages in thread
From: Marek Dohojda @ 2004-05-05  3:38 UTC (permalink / raw)
To: bino_oetomo; +Cc: netfilter

Nope, that is not a problem. Got it working without much of a problem.

OK, that wasn't helpful, I know. One thing you have to do is ensure that you
are using the proper settings on your concentrator. Ensure that it is set to
be able to accept NAT. In addition, choose UDP (or TCP) on a specific port.

bino_oetomo wrote:
> Dear Antony
> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.netfilter.org>
> Sent: Wednesday, May 05, 2004 7:53 AM
> Subject: Re: CISCO VPN clients behind firewall
>
>> As far as I know, Cisco VPNs use IPsec - no problem there for netfilter
>> (although maybe problems if you're using transport mode and doing NAT).
>
> Yes, actually it's "behind NAT" rather than just "behind firewall"
>
> Sincerely
> -bino-

^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CISCO VPN clients behind firewall
  2004-05-05  0:21 CISCO VPN clients behind firewall bino_oetomo
  2004-05-05  0:53 ` Antony Stone
@ 2004-05-05  5:10 ` Andrew E. Mileski
  2004-05-05  7:14   ` Søren Kent Jensen
  2004-05-05 15:20 ` John A. Sullivan III
  2 siblings, 1 reply; 8+ messages in thread
From: Andrew E. Mileski @ 2004-05-05  5:10 UTC (permalink / raw)
To: netfilter

bino_oetomo wrote:
> Hi All
>
> Is there any clue/docs on how to let multiple clients behind firewall
> connecting to CISCO vpn concentrator ?
>
> Sincerely
> -bino-

[This might be a dupe, as my addressbook had the wrong address]

I just finished Intel Centrino Certification testing on the PPTP patch
(2004-04-16 CVS snapshot) and Fedora's 2.4.22-1.nptl last week. Passed with
XP/2000 using Intel, Microsoft, Cisco, and Checkpoint VPN clients.

You can browse the PPTP patch in CVS:
http://cvs.netfilter.org/cgi-bin/viewcvs.cgi/netfilter/patch-o-matic/extra/
and check it out from a similar path.

--
Andrew E. Mileski

^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CISCO VPN clients behind firewall
  2004-05-05  5:10 ` Andrew E. Mileski
@ 2004-05-05  7:14 ` Søren Kent Jensen
  2004-05-05 11:44   ` bino_oetomo
  0 siblings, 1 reply; 8+ messages in thread
From: Søren Kent Jensen @ 2004-05-05  7:14 UTC (permalink / raw)
To: netfilter

Use IPsec UDP encapsulation on any port you like, or NAT-T. It has been
developed for exactly that reason.

Regards
Søren Kent Jensen

----- Original Message -----
From: "Andrew E. Mileski" <andrewm@isoar.ca>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, May 05, 2004 7:10 AM
Subject: Re: CISCO VPN clients behind firewall

> bino_oetomo wrote:
> > Hi All
> >
> > Is there any clue/docs on how to let multiple clients behind firewall
> > connecting to CISCO vpn concentrator ?
> >
> > Sincerely
> > -bino-
>
> [This might be a dupe, as my addressbook had the wrong address]
>
> I just finished Intel Centrino Certification testing on the
> PPTP patch (2004-04-16 CVS snapshot) and Fedora's 2.4.22-1.nptl
> last week. Passed with XP/2000 using Intel, Microsoft, Cisco,
> and Checkpoint VPN clients.
>
> You can browse the PPTP patch in CVS:
> http://cvs.netfilter.org/cgi-bin/viewcvs.cgi/netfilter/patch-o-matic/extra/
> and check it out from a similar path.
>
> --
> Andrew E. Mileski

^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CISCO VPN clients behind firewall
  2004-05-05  7:14 ` Søren Kent Jensen
@ 2004-05-05 11:44 ` bino_oetomo
  0 siblings, 0 replies; 8+ messages in thread
From: bino_oetomo @ 2004-05-05 11:44 UTC (permalink / raw)
To: netfilter

Dear All

Thanks for all the answers to my question. I'll look deeper into my box.

sincerely
-bino-

----- Original Message -----
From: "Søren Kent Jensen" <soren@familie-jensen.dk>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, May 05, 2004 2:14 PM
Subject: Re: CISCO VPN clients behind firewall

Use IPsec UDP encapsulation on any port you like, or NAT-T. It has been
developed for exactly that reason.

Regards
Søren Kent Jensen

----- Original Message -----
From: "Andrew E. Mileski" <andrewm@isoar.ca>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, May 05, 2004 7:10 AM
Subject: Re: CISCO VPN clients behind firewall

> bino_oetomo wrote:
> > Hi All
> >
> > Is there any clue/docs on how to let multiple clients behind firewall
> > connecting to CISCO vpn concentrator ?
> >
> > Sincerely
> > -bino-
>
> [This might be a dupe, as my addressbook had the wrong address]
>
> I just finished Intel Centrino Certification testing on the
> PPTP patch (2004-04-16 CVS snapshot) and Fedora's 2.4.22-1.nptl
> last week. Passed with XP/2000 using Intel, Microsoft, Cisco,
> and Checkpoint VPN clients.
>
> You can browse the PPTP patch in CVS:
> http://cvs.netfilter.org/cgi-bin/viewcvs.cgi/netfilter/patch-o-matic/extra/
> and check it out from a similar path.
>
> --
> Andrew E. Mileski

^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: CISCO VPN clients behind firewall
  2004-05-05  0:21 CISCO VPN clients behind firewall bino_oetomo
  2004-05-05  0:53 ` Antony Stone
  2004-05-05  5:10 ` Andrew E. Mileski
@ 2004-05-05 15:20 ` John A. Sullivan III
  2 siblings, 0 replies; 8+ messages in thread
From: John A. Sullivan III @ 2004-05-05 15:20 UTC (permalink / raw)
To: bino_oetomo; +Cc: netfilter

On Tue, 2004-05-04 at 20:21, bino_oetomo wrote:
> Hi All
>
> Is there any clue/docs on how to let multiple clients behind firewall
> connecting to CISCO vpn concentrator ?
>
> Sincerely
> -bino-

I've not worked with the Cisco VPN gear yet but I can give some general
guidelines. Assuming the Cisco client is a basic IPSec client, you have four
options that I can think of immediately.

The easiest has already been suggested - if the clients support
NAT-Traversal, use that and just be sure that whatever ports are needed for
the initial key exchange (e.g., 500/udp for IKE) and for the encrypted
traffic (e.g., 500/udp or 4500/udp depending on the version of
NAT-Traversal) are open on the firewall. You will obviously need them open
outbound. I'm not sure what happens if the remote tunnel termination point
attempts to initiate the rekeying sequence and you do allow inbound traffic.
Perhaps someone with more experience in actually doing this can comment.
Does one just ensure that the client rekeying times are shorter than the
gateway rekeying times?

If the client does not support NAT traversal, you might assign each user who
needs VPN access a static IP address and do a one-to-one mapping of their
private address to a public address. This was the only client oriented
choice (and an ugly one at that) before NAT-T. In this case one must be sure
that the client can initiate outbound traffic for both the key exchange and
the IPSec packets - typically ESP - IP protocol 50.

Both of the client oriented solutions assume that you either trust all
traffic that could possibly enter the tunnel from the other side (and all
traffic being generated from the client for that matter) or you have some
kind of access control either on the client or on the remote gateway. If
this is not true, you may wish to attempt either or both of two possible
gateway oriented solutions.

Sometimes, when we have a large number of clients needing access, we find it
easier to create a gateway to gateway connection between the sites. Either a
Cisco VPN concentrator can be brought on site and be the route to the remote
network, or one can implement an IPSec stack on the firewall and attempt to
get the firewall and VPN concentrator talking to each other. In this way,
access controls can be placed on both the inbound and outbound traffic with
access control maintained in one place instead of on every desktop. One will
need to allow the necessary ports for the client to pass traffic through the
firewall, to establish and maintain the tunnel with the remote VPN
concentrator, and to be able to identify the traffic flowing in and out of
the tunnel.

If one desires to encrypt the local traffic or wants stronger local user
authentication than IP address, one can establish a VPN connection between
the local client and the local firewall and then a separate tunnel between
the local firewall and the remote VPN concentrator. This maintains the
possibility of centralized access control on the tunnel. One will need to
allow the traffic necessary to establish the client connection with the
firewall, identify the traffic flowing in and out of the tunnel, and allow
the traffic to establish and maintain the tunnel with the remote VPN
concentrator.

Hope this helps - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net

^ permalink raw reply [flat|nested] 8+ messages in thread
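The port list in John's reply (500/udp for IKE, 4500/udp for NAT-T, IP protocol 50 for ESP, and one-to-one NAT for clients without NAT-T), the NAT-T / UDP-encapsulation advice from Søren and Marek, and Antony's suggestion to LOG what the FORWARD chain drops, gathered into one added example. This is editor-written shell, not code from any message in the thread. The interface names, the LAN prefix, the concentrator address and the Cisco IPSec/UDP port are assumptions; running it with `IPT=echo` prints the rules instead of loading them, and `classify_log_line` names the IPsec component behind a netfilter LOG line so the kernel log says which part of the VPN setup is still being blocked.

```shell
#!/bin/sh
# Added example: netfilter rules for IPsec clients behind a NAT firewall.
# Assumptions (not from the thread): LAN on eth1 / 192.168.1.0/24, uplink on
# eth0, concentrator at a TEST-NET-3 address, Cisco IPSec/UDP port unset.
# IPT defaults to iptables; IPT=echo turns every call into a dry run.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
CONCENTRATOR="${CONCENTRATOR:-203.0.113.10}"   # assumed placeholder address
CISCO_UDP_PORT="${CISCO_UDP_PORT:-}"            # port chosen on the concentrator for IPSec/UDP, if used

# Clients that support NAT-Traversal: IKE on 500/udp and NAT-T on 4500/udp
# (plus the Cisco UDP-encapsulation port when one is configured) are opened
# outbound; replies come back on the conntrack entry those packets create.
nat_t_rules() {
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for port in 500 4500 $CISCO_UDP_PORT; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$CONCENTRATOR" \
            -p udp --dport "$port" -j ACCEPT
    done
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# A client without NAT-T: its private address is mapped one-to-one onto a
# public address so raw ESP (IP protocol 50) survives translation. Inbound
# IKE and ESP from the concentrator are opened explicitly, which is what lets
# a concentrator-initiated rekey reach the client.
one_to_one_rules() {
    priv="$1"; pub="$2"
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$priv" -d "$CONCENTRATOR" -p udp --dport 500 -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$priv" -d "$CONCENTRATOR" -p esp -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$CONCENTRATOR" -d "$priv" -p udp --dport 500 -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$CONCENTRATOR" -d "$priv" -p esp -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -j SNAT --to-source "$pub"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -j DNAT --to-destination "$priv"
}

# Antony's diagnostic: log whatever FORWARD still drops, rate limited so a
# misbehaving client cannot flood the kernel log, then drop by default.
log_rules() {
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    $IPT -P FORWARD DROP
}

# Map one netfilter LOG line (as the kernel prints it) to the IPsec component
# it belongs to. ESP lines carry PROTO=ESP and no DPT field.
classify_log_line() {
    line="$1"
    proto=$(printf '%s\n' "$line" | sed -n 's/.*PROTO=\([A-Z0-9]*\).*/\1/p')
    dpt=$(printf '%s\n' "$line" | sed -n 's/.*DPT=\([0-9]*\).*/\1/p')
    case "$proto:$dpt" in
        ESP:*|50:*) echo "ESP (raw IPsec: needs 1:1 NAT or NAT-T)" ;;
        UDP:500)    echo "IKE" ;;
        UDP:4500)   echo "NAT-T" ;;
        UDP:*)      [ -n "$CISCO_UDP_PORT" ] && [ "$dpt" = "$CISCO_UDP_PORT" ] \
                        && echo "Cisco IPSec/UDP ($dpt)" || echo "other UDP/$dpt" ;;
        *)          echo "other $proto" ;;
    esac
}

# "apply" loads the NAT-T rule set; any other invocation only defines the
# functions, so the file can be sourced for classify_log_line alone.
case "${1:-}" in
    apply) nat_t_rules; log_rules ;;
esac
```

Concentrator-initiated rekeying through MASQUERADE only reaches a client while the conntrack entry for its 500/udp or 4500/udp flow is still alive; NAT-T clients normally keep that entry alive with keepalives, which is the practical answer to the rekey-timer question in John's reply. For the one-to-one case no such entry exists for the reverse direction, so the inbound IKE and ESP rules above are what make the mapping work in both directions.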