* RE: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
@ 2004-08-25 7:24 Roksana Boreli
2004-08-25 11:29 ` John A. Sullivan III
0 siblings, 1 reply; 12+ messages in thread
From: Roksana Boreli @ 2004-08-25 7:24 UTC (permalink / raw)
To: netfilter
Thanks Jason.
> enable IKE over TCP on the clients and UDP encapsulation.
> this is not a problem with netfilter, but with multiple
> IPSec clients behind *any* NAT device.
Perhaps some additional info needs to be added about my configuration.
I need to use standard Cisco Linux clients, as this is for people
visiting (with their laptops and standard VPN setup for remote access)
and wanting to get to their (Cisco) server. In fact, it could be more
than one ipsec server at some time in the future. I definitely need to
use a Cisco VPN gateway (can't use FreeSwan), I cannot have a single vpn
client from the Linux router device as the requirement is for multiple
clients behind this device. The Cisco gateway and Win 2k client can set
up a connection through a NAT router, we have tried this with a Netgear
device. So I thought the issue was similar to pptp vpn pass-through for
multiple clients (i.e. a patch for the kernel/iptables was the way to
go), hence the question.
Kind regards, Roksana
Subject: RE: Multiple IPSEC VPNs through a firewall based on 2.4.2X
kernel
Date: Tue, 24 Aug 2004 07:56:33 -0400
From: "Jason Opperisano" <Jopperisano@alphanumeric.com>
To: <netfilter@lists.netfilter.org>
Hi,
I am trying to set up multiple ipsec VPN clients working behind a Linux
router with NAT/PAT, based on a 2.4.20 (can be 2.4.22) kernel. I would
like to be able to connect a number of Windows (2k or XP) machines to
an existing Cisco VPN server.
Kind regards, Roksana
* RE: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
2004-08-25 7:24 Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel Roksana Boreli
@ 2004-08-25 11:29 ` John A. Sullivan III
0 siblings, 0 replies; 12+ messages in thread
From: John A. Sullivan III @ 2004-08-25 11:29 UTC (permalink / raw)
To: Roksana Boreli; +Cc: netfilter
Thanks for the clarification. Does the Cisco Linux client support any
form of NAT Traversal? If it does, that is the way to go. The
documentation should tell you what you will need to open on your
firewall. If not, you can try tracing using Ethereal and see what
protocols and ports it uses.
If it does not support NAT-T, then I think your only option is to assign
fixed IP addresses :-( Perhaps you can isolate an IP subnet they use
(not a bad idea as per the paragraph below) and use the NETMAP target
from pom.
This ability for visitors to attach to their own networks does sound a
bit dangerous. Is the company management aware that there is the
possibility that someone on the other side of those visiting VPN tunnels
could use the visiting station as an access point to your internal
network? Of course, someone may have addressed that and isolated the
points from which visitors can connect to their own WAN. Take care -
John
On Wed, 2004-08-25 at 03:24, Roksana Boreli wrote:
> Thanks Jason.
>
> > enable IKE over TCP on the clients and UDP encapsulation.
> > this is not a problem with netfilter, but with multiple
> > IPSec clients behind *any* NAT device.
>
> Perhaps some additional info needs to be added about my configuration.
> I need to use standard Cisco Linux clients, as this is for people
> visiting (with their laptops and standard VPN setup for remote access)
> and wanting to get to their (Cisco) server. In fact, it could be more
> than one ipsec server at some time in the future. I definitely need to
> use a Cisco VPN gateway (can't use FreeSwan), I cannot have a single vpn
> client from the Linux router device as the requirement is for multiple
> clients behind this device. The Cisco gateway and Win 2k client can set
> up a connection through a NAT router, we have tried this with a Netgear
> device. So I thought the issue was similar to pptp vpn pass-through for
> multiple clients (i.e. a patch for the kernel/iptables was the way to
> go), hence the question.
>
> Kind regards, Roksana
>
>
> Subject: RE: Multiple IPSEC VPNs through a firewall based on 2.4.2X
> kernel
> Date: Tue, 24 Aug 2004 07:56:33 -0400
> From: "Jason Opperisano" <Jopperisano@alphanumeric.com>
> To: <netfilter@lists.netfilter.org>
>
> Hi,
>
> I am trying to set up multiple ipsec VPN clients working behind a Linux
> router with NAT/PAT, based on a 2.4.20 (can be 2.4.22) kernel. I would
> like to be able to connect a number of Windows (2k or XP) machines to
> an existing Cisco VPN server.
>
> Kind regards, Roksana
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
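The two options John lays out (clients that do NAT-Traversal, or fixed one-to-one mappings with the NETMAP target from patch-o-matic), written out as an iptables script for the 2.4-era NAT router. This is an added example, not code from the thread or from any of its authors. Interface names (eth0/eth1), the 192.168.x subnets and the 203.0.113.0/28 "public" range are assumed placeholders; the ports are the standard IKE/NAT-T ones plus the TCP/10000 port from the Cisco client settings Jason quotes.

```shell
#!/bin/sh
# Added example, not code from the thread: iptables rules for a 2.4-era
# Linux NAT router with several IPsec clients behind it. IPT defaults to a
# dry run that only prints the rules; run with IPT=iptables to apply them.
# Assumes the FORWARD chain policy is DROP. Interface names and subnets
# are placeholders.
IPT=${IPT:-echo iptables}          # left unquoted below so "echo iptables" splits
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Option A (NAT-Traversal): the clients wrap IKE and ESP in UDP (or, for
# the Cisco client, IKE over TCP), so every tunnel carries port numbers and
# ordinary PAT can multiplex many clients through one public address.
# Raw ESP (IP protocol 50) has no ports, which is why PAT cannot tell two
# clients' tunnels apart and why the problem is not specific to netfilter.
natt_passthrough_rules() {
    # IKE UDP/500, NAT-T UDP/4500, Cisco IKE-over-TCP TCP/10000
    # (the TcpTunnelingPort=10000 setting quoted in the thread)
    for spec in "udp --dport 500" "udp --dport 4500" "tcp --dport 10000"; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p $spec -j ACCEPT
    done
    # Replies only for sessions the clients initiated.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Option B (no NAT-T): one public address per client, a 1:1 mapping of a
# private /28 onto a public /28 with the NETMAP target from patch-o-matic.
# Nothing is rewritten per port, so raw ESP survives the NAT.
# 203.0.113.0/28 is a documentation range standing in for real addresses.
netmap_rules() {
    priv=${1:-192.168.5.0/28}
    pub=${2:-203.0.113.0/28}
    $IPT -t nat -A PREROUTING  -i "$WAN_IF" -d "$pub"  -j NETMAP --to "$priv"
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$priv" -j NETMAP --to "$pub"
    # Visitors' stations must never reach the internal LAN (the pivot risk
    # John raises), so that rule comes before any ACCEPT.
    $IPT -A FORWARD -s "$priv" -d "$LAN_NET" -j DROP
    $IPT -A FORWARD -s "$priv" -o "$WAN_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A FORWARD -s "$priv" -o "$WAN_IF" -p esp -j ACCEPT
    $IPT -A FORWARD -d "$priv" -i "$WAN_IF" -p esp -j ACCEPT
    $IPT -A FORWARD -d "$priv" -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: sh vpn-nat.sh natt   or   sh vpn-nat.sh netmap [priv/28 pub/28]
case "${1:-}" in
    natt)   natt_passthrough_rules ;;
    netmap) shift; netmap_rules "$@" ;;
esac
```

Option A is the one to prefer wherever the client and the Cisco gateway both support NAT-T: it needs one public address for any number of visitors. Option B costs one public address per client, which is John's "very expensive if you have limited public IP addresses" remark, but it is the only arrangement in which plain ESP works through the router.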
* RE: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
@ 2004-08-25 11:44 Jason Opperisano
0 siblings, 0 replies; 12+ messages in thread
From: Jason Opperisano @ 2004-08-25 11:44 UTC (permalink / raw)
To: netfilter
> Thanks Jason.
>
> > enable IKE over TCP on the clients and UDP encapsulation.
> > this is not a problem with netfilter, but with multiple
> > IPSec clients behind *any* NAT device.
>
> Perhaps some additional info needs to be added about my configuration.
> I need to use standard Cisco Linux clients, as this is for people
> visiting (with their laptops and standard VPN setup for remote access)
> and wanting to get to their (Cisco) server. In fact, it could be more
> than one ipsec server at some time in the future. I definitely need to
> use a Cisco VPN gateway (can't use FreeSwan), I cannot have a single vpn
> client from the Linux router device as the requirement is for multiple
> clients behind this device. The Cisco gateway and Win 2k client can set
> up a connection through a NAT router, we have tried this with a Netgear
> device. So I thought the issue was similar to pptp vpn pass-through for
> multiple clients (i.e. a patch for the kernel/iptables was the way to
> go), hence the question.
>
> Kind regards, Roksana
the standard cisco vpn client for linux supports IKE over TCP & UDP/TCP tunneling of IPSec traffic--read the admin guide for details. the settings are something like:
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
the easiest way to do this is just take the .pcf file from a working windows client and copy it to your linux client. this is getting pretty OT...
-j
* RE: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
@ 2004-08-24 11:56 Jason Opperisano
0 siblings, 0 replies; 12+ messages in thread
From: Jason Opperisano @ 2004-08-24 11:56 UTC (permalink / raw)
To: netfilter
> Hi,
>
> I am trying to set up multiple ipsec VPN clients working behind a Linux
> router with NAT/PAT, based on a 2.4.20 (can be 2.4.22) kernel. I would
> like to be able to connect a number of Windows (2k or XP) machines to an
> existing Cisco VPN server.
>
> client 1 (ipsec) ---> | router |
> client 2 (ipsec) ---> | NAT/ |
> . PAT | -> ipsec VPN server (Cisco)
> . | |
> client 10 (ipsec) --->| |
>
> A patch seems to be needed to make this work, and I have seen a lot of
> emails with a similar question in regards to pptp VPN clients, but
> nothing encouraging for ipsec. I have also seen the IP masquerade HOWTO
> and the VPN HOWTO, which both refer to a patch for 2.2 kernels, but
> claim nothing is available for 2.4 kernels. I am a netfilter newbie (if
> this is not blindingly obvious), so any help would be much appreciated.
>
>
> Kind regards, Roksana
enable IKE over TCP on the clients and UDP encapsulation. this is not a problem with netfilter, but with multiple IPSec clients behind *any* NAT device.
-j
* Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
@ 2004-08-24 5:11 Roksana Boreli
2004-08-24 5:46 ` Ming-Ching Tiew
2004-08-24 9:31 ` John A. Sullivan III
0 siblings, 2 replies; 12+ messages in thread
From: Roksana Boreli @ 2004-08-24 5:11 UTC (permalink / raw)
To: netfilter
Hi,
I am trying to set up multiple ipsec VPN clients working behind a Linux
router with NAT/PAT, based on a 2.4.20 (can be 2.4.22) kernel. I would
like to be able to connect a number of Windows (2k or XP) machines to an
existing Cisco VPN server.
client 1 (ipsec) ---> | router |
client 2 (ipsec) ---> | NAT/ |
. PAT | -> ipsec VPN server (Cisco)
. | |
client 10 (ipsec) --->| |
A patch seems to be needed to make this work, and I have seen a lot of
emails with a similar question in regards to pptp VPN clients, but
nothing encouraging for ipsec. I have also seen the IP masquerade HOWTO
and the VPN HOWTO, which both refer to a patch for 2.2 kernels, but
claim nothing is available for 2.4 kernels. I am a netfilter newbie (if
this is not blindingly obvious), so any help would be much appreciated.
Kind regards, Roksana
* Re: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
2004-08-24 5:11 Roksana Boreli
@ 2004-08-24 5:46 ` Ming-Ching Tiew
2004-08-24 7:32 ` Payal Rathod
2004-08-24 9:31 ` John A. Sullivan III
1 sibling, 1 reply; 12+ messages in thread
From: Ming-Ching Tiew @ 2004-08-24 5:46 UTC (permalink / raw)
To: netfilter
>
> I am trying to set up multiple ipsec VPN clients working behind a Linux
> router with NAT/PAT, based on a 2.4.20 (can be 2.4.22) kernel. I would
> like to be able to connect a number of Windows (2k or XP) machines to an
> existing Cisco VPN server.
>
> client 1 (ipsec) ---> | router |
> client 2 (ipsec) ---> | NAT/ |
> . PAT | -> ipsec VPN server (Cisco)
> . | |
> client 10 (ipsec) --->| |
>
Instead of making your VPN clients tunnel thru' Linux NAT router,
it would be better if you make the Linux NAT router perform
IPSEC VPN client functions with the Cisco ipsec VPN server.
In the configuration I mention, you are effectively putting IPSEC
behind NAT, whereas to have IPSEC before NAT, that's a lot
more problematic.
* Re: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
2004-08-24 5:46 ` Ming-Ching Tiew
@ 2004-08-24 7:32 ` Payal Rathod
2004-08-24 7:50 ` Ming-Ching Tiew
0 siblings, 1 reply; 12+ messages in thread
From: Payal Rathod @ 2004-08-24 7:32 UTC (permalink / raw)
To: Ming-Ching Tiew; +Cc: netfilter
On Tue, Aug 24, 2004 at 01:46:45PM +0800, Ming-Ching Tiew wrote:
> Instead of making your VPN clients tunnel thru' Linux NAT router,
> it would be better if you make the Linux NAT router perform
> IPSEC VPN client functions with the Cisco ipsec VPN server
How does one do that? Does one have to install a different software for that?
-Payal
* Re: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
2004-08-24 7:32 ` Payal Rathod
@ 2004-08-24 7:50 ` Ming-Ching Tiew
0 siblings, 0 replies; 12+ messages in thread
From: Ming-Ching Tiew @ 2004-08-24 7:50 UTC (permalink / raw)
To: netfilter
> On Tue, Aug 24, 2004 at 01:46:45PM +0800, Ming-Ching Tiew wrote:
> > Instead of making your VPN clients tunnel thru' Linux NAT router,
> > it would be better if you make the Linux NAT router perform
> > IPSEC VPN client functions with the Cisco ipsec VPN server
>
> How does one do that? Does one have to install a different software for that?
>
Redhat distributions include IPSec capabilities, though I am not too
familiar with the versions.
If you would like to roll your own, I recommend you use openswan -
freeswan/superfreeswan are supposed to be frozen or in slow maintenance
mode.
You must first find out if the Cisco is going to use 'Aggressive Mode'.
Avoid using 'Aggressive Mode' if possible. If 'Aggressive mode' is
needed you have to use openswan-1.0.7, otherwise use openswan-2.1.4
or 2.1.5 because they patch the kernel more cleanly.
* Re: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
2004-08-24 5:11 Roksana Boreli
2004-08-24 5:46 ` Ming-Ching Tiew
@ 2004-08-24 9:31 ` John A. Sullivan III
2004-08-26 9:13 ` Thomas Kirk
1 sibling, 1 reply; 12+ messages in thread
From: John A. Sullivan III @ 2004-08-24 9:31 UTC (permalink / raw)
To: Roksana Boreli; +Cc: netfilter
On Tue, 2004-08-24 at 01:11, Roksana Boreli wrote:
> Hi,
>
> I am trying to set up multiple ipsec VPN clients working behind a Linux
> router with NAT/PAT, based on a 2.4.20 (can be 2.4.22) kernel. I would
> like to be able to connect a number of Windows (2k or XP) machines to an
> existing Cisco VPN server.
>
> client 1 (ipsec) ---> | router |
> client 2 (ipsec) ---> | NAT/ |
> . PAT | -> ipsec VPN server (Cisco)
> . | |
> client 10 (ipsec) --->| |
>
> A patch seems to be needed to make this work, and I have seen a lot of
> emails with a similar question in regards to pptp VPN clients, but
> nothing encouraging for ipsec. I have also seen the IP masquerade HOWTO
> and the VPN HOWTO, which both refer to a patch for 2.2 kernels, but
> claim nothing is available for 2.4 kernels. I am a netfilter newbie (if
> this is not blindingly obvious), so any help would be much appreciated.
>
>
> Kind regards, Roksana
The answer depends on what exactly you are trying to do. If you are
branching together two networks, you may wish to consider moving the
IPSec stack to the Linux gateway and creating a LAN-to-LAN connection.
If you wish to restrict access to just those few clients, you can make
such restrictions in iptables.
On the other hand, if you are connecting to an external network, e.g.,
clients from a partner are working on your network and they need access
back to their home network (consider carefully if you really want to do
that - you may open your internal network to the external network
through these clients), then you will want to retain the IPSec stack on
the clients.
You have two options. You can use a client which supports NAT-Traversal
(assuming that the Cisco VPN device is also configured to use
NAT-Traversal) or you can assign a one-to-one NAT mapping for the
clients to unique public addresses (very expensive if you have limited
public IP addresses) and use a standard IPSec stack. We have
successfully implemented both arrangements. Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
2004-08-24 9:31 ` John A. Sullivan III
@ 2004-08-26 9:13 ` Thomas Kirk
2004-08-26 10:39 ` John A. Sullivan III
0 siblings, 1 reply; 12+ messages in thread
From: Thomas Kirk @ 2004-08-26 9:13 UTC (permalink / raw)
To: John A. Sullivan III; +Cc: netfilter, Roksana Boreli
Hi
On Tue, Aug 24, 2004 at 05:31:52AM -0400, John A. Sullivan III wrote:
> The answer depends on what exactly you are trying to do. If you are
> branching together two networks, you may wish to consider moving the
> IPSec stack to the Linux gateway and creating a LAN-to-LAN connection.
> If you wish to restrict access to just those few clients, you can make
> such restrictions in iptables.
Excuse me for interrupting the discussion, but I am in a situation where I
would like to make a LAN-to-LAN IPsec VPN between two offices, both
running iptables on the gateways. I've been lurking on the list for
some time, but I have a few questions regarding this. First, each site
has a link to the internet; how do I specify which protocols should go
over the VPN and which should go to the internet? Which IPsec implementation
would be the most stable and secure solution to use? Currently I'm
using a couple of retired PC workstations running Debian woody, so I
would prefer something that is supported by Debian, but it's not
absolutely necessary :)
Thanks in advance
--
Venlig Hilsen/Kind Regards
Thomas Kirk
IT-chef
ARKENA A/S
Mejlgade 27-29, DK-8000 Aarhus C
Havnegade 39, DK-1058 København K
Telephone Direct: +45 8620 4264
Telephone Office: +45 7023 3456
Telephone Mobile: +45 2612 3237
Office FAX: +45 8620 4270
WWW: http://www.arkena.com
--
"I've always wondered if there was a god. And now I know there is --
and it's me." -- Homer Simpson
* Re: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
2004-08-26 9:13 ` Thomas Kirk
@ 2004-08-26 10:39 ` John A. Sullivan III
2004-08-26 14:14 ` Tom Eastep
0 siblings, 1 reply; 12+ messages in thread
From: John A. Sullivan III @ 2004-08-26 10:39 UTC (permalink / raw)
To: Thomas Kirk; +Cc: netfilter, Roksana Boreli
On Thu, 2004-08-26 at 05:13, Thomas Kirk wrote:
<snip>
> Excuse me for interrupting the discussion, but I am in a situation where I
> would like to make a LAN-to-LAN IPsec VPN between two offices, both
> running iptables on the gateways. I've been lurking on the list for
> some time, but I have a few questions regarding this. First, each site
> has a link to the internet; how do I specify which protocols should go
> over the VPN and which should go to the internet? Which IPsec implementation
> would be the most stable and secure solution to use? Currently I'm
> using a couple of retired PC workstations running Debian woody, so I
> would prefer something that is supported by Debian, but it's not
> absolutely necessary :)
>
> Thanks in advance
I have been using either strongswan (http://www.strongswan.org) or
openswan (http://www.openswan.org) for an IPSec implementation. The
Linux 2.6 kernel and I believe some of the later 2.4 kernels support
IPSec natively. I have yet to experiment with the kernel IPSec. My
guess is that its code is somewhat cleaner than *swan.
I do like the way in which *swan uses a separate interface for IPSec
traffic. This makes it simple to identify the VPN traffic in iptables
although it is not impossible to do so with the kernel IPSec.
I have traditionally determined which traffic goes in the clear and
which goes in the tunnel based upon destination network, e.g., traffic
between 192.168.1.0/24 and 10.1.1.0/24 go through the tunnel while the
rest goes in the clear. I have been away from configuring *swan for
quite a while and I believe there have been significant advances since
then. It used to be that one could specify which sockets could be used
to initiate the tunnel but then any traffic could use the tunnel once
established. I believe one can now restrict a tunnel based upon socket
but I'm not sure. I would suggest going to either of the sites
mentioned above and perusing the documentation. Good luck - John
--
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net
* Re: Multiple IPSEC VPNs through a firewall based on 2.4.2X kernel
2004-08-26 10:39 ` John A. Sullivan III
@ 2004-08-26 14:14 ` Tom Eastep
0 siblings, 0 replies; 12+ messages in thread
From: Tom Eastep @ 2004-08-26 14:14 UTC (permalink / raw)
Cc: Thomas Kirk, netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
John A. Sullivan III wrote:
|
| I do like the way in which *swan uses a separate interface for IPSec
| traffic. This makes it simple to identify the VPN traffic in iptables
| although it is not impossible to do so with the kernel IPSec.
|
|
The 'policy' match feature in Patch-O-Matic allows you to differentiate
the VPN traffic. You also need to install the ipsec-netfilter patches to
ensure that VPN traffic is passed properly through the various netfilter
builtin chains.
- -Tom
- --
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFBLfBPO/MAbZfjDLIRAgTIAKCUoKABy8qboj/YdNpgQy7zOrH8zwCePHKX
qUwyxq6xUNPGSaI2TGKGW0U=
=6vBN
-----END PGP SIGNATURE-----
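Thomas's LAN-to-LAN question and the two answers to it (John: select tunnel traffic by destination network and, with *swan, by the ipsec0 interface; Tom: with the kernel's own IPsec, use the patch-o-matic 'policy' match), combined into one gateway script. This is an added example and not code from the thread, Openswan, strongSwan or Shorewall. The subnets are the ones John uses (192.168.1.0/24 local, 10.1.1.0/24 remote); the interface name, the peer gateway address 203.0.113.2 and the script name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: gateway rules for a LAN-to-LAN
# IPsec tunnel, selectable for *swan/KLIPS (tunnel traffic appears on the
# ipsec0 interface) or for the kernel's native IPsec (policy match).
# Dry run by default; IPT=iptables applies the rules for real.
IPT=${IPT:-echo iptables}          # left unquoted so "echo iptables" splits
WAN_IF=${WAN_IF:-eth1}
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}
REMOTE_NET=${REMOTE_NET:-10.1.1.0/24}
PEER_GW=${PEER_GW:-203.0.113.2}    # remote gateway's public address (placeholder)

# What the peer gateway may send to this host: IKE, NAT-T and ESP, nothing else.
ike_esp_input_rules() {
    $IPT -A INPUT -i "$WAN_IF" -s "$PEER_GW" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -s "$PEER_GW" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -s "$PEER_GW" -p esp -j ACCEPT
}

# Forwarding rules for the plaintext side of the tunnel.
# $1 = "klips" (match on ipsec0) or "native" (match on the IPsec policy).
lan2lan_forward_rules() {
    case "$1" in
    klips)
        in_match="-i ipsec0"
        out_match="-o ipsec0"
        ;;
    native)
        in_match="-m policy --dir in --pol ipsec --proto esp --mode tunnel"
        out_match="-m policy --dir out --pol ipsec --proto esp --mode tunnel"
        ;;
    *)
        echo "usage: lan2lan_forward_rules klips|native" >&2
        return 1
        ;;
    esac
    # Only the two office subnets may use the tunnel, in either direction.
    $IPT -A FORWARD $in_match  -s "$REMOTE_NET" -d "$LOCAL_NET"  -j ACCEPT
    $IPT -A FORWARD $out_match -s "$LOCAL_NET"  -d "$REMOTE_NET" -j ACCEPT
    # Anything that arrived through the tunnel but is not from the remote
    # LAN violates the policy; drop it before the general rules see it.
    $IPT -A FORWARD $in_match -j DROP
}

# With native IPsec the to-be-encrypted packets pass POSTROUTING as
# plaintext, so a blanket MASQUERADE would rewrite their source and they
# would no longer match the SA's selectors. Exempt tunnel traffic first.
nat_rules() {
    if [ "$1" = native ]; then
        $IPT -t nat -A POSTROUTING -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT
    fi
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" -j MASQUERADE
}

# Usage: sh lan2lan-fw.sh klips   or   sh lan2lan-fw.sh native
case "${1:-}" in
    klips|native) ike_esp_input_rules; lan2lan_forward_rules "$1"; nat_rules "$1" ;;
esac
```

The split between clear and tunnelled traffic is decided by the IPsec policy (the subnet pair), not by protocol: everything between the two office subnets goes through the tunnel and everything else goes out in the clear under MASQUERADE. The trailing DROP on the inbound tunnel match is the check worth keeping: it catches traffic that was decrypted correctly but claims a source outside the remote office.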