Linux Netfilter discussions
* VPN question
@ 2003-10-14 10:19 patrick kuah
  2003-10-14 10:44 ` Chris Brenton
  0 siblings, 1 reply; 6+ messages in thread
From: patrick kuah @ 2003-10-14 10:19 UTC (permalink / raw)
  To: netfilter

Hi all,

I have configured a SNAT rule in my iptables, but after configuring it I can't
VPN to my server, which resides on another network.

Do I need to add a rule for VPN traffic to flow through the SNAT? If yes, what
are the rules?
Thanks for all the help.

patrick





* Re: VPN question
  2003-10-14 10:19 VPN question patrick kuah
@ 2003-10-14 10:44 ` Chris Brenton
  0 siblings, 0 replies; 6+ messages in thread
From: Chris Brenton @ 2003-10-14 10:44 UTC (permalink / raw)
  To: patrick kuah; +Cc: netfilter

On Tue, 2003-10-14 at 06:19, patrick kuah wrote:
> Hi all,
> 
> I have configured a SNAT rule in my iptables, but after configuring it I can't
> VPN to my server, which resides on another network.

Do you see this traffic being dropped by your logs?

> Do I need to add a rule for VPN traffic to flow through the SNAT? If yes, what
> are the rules?

VPN is a generic term. What kind of VPN are you talking about? IPSec?
PPTP? SSL?

If you mean IPSec, you need to open UDP/500 to UDP/500 as well as
protocol 50. You also want to make sure that IPSec/IKE is only
negotiating ESP as a security service, not AH.

HTH,
C







* Re: VPN question
@ 2003-10-14 15:25 patrick kuah
  2003-10-14 17:45 ` Chris Brenton
  0 siblings, 1 reply; 6+ messages in thread
From: patrick kuah @ 2003-10-14 15:25 UTC (permalink / raw)
  To: cbrenton; +Cc: netfilter

Thanks Chris :)

I'm using IPsec. Currently, my iptables is configured using stateful packet
inspection.
Do I have to add the rules for port TCP/UDP 50 and TCP 50???
Thank you :)

patrick







* Re: VPN question
  2003-10-14 15:25 patrick kuah
@ 2003-10-14 17:45 ` Chris Brenton
  0 siblings, 0 replies; 6+ messages in thread
From: Chris Brenton @ 2003-10-14 17:45 UTC (permalink / raw)
  To: patrick kuah; +Cc: netfilter

On Tue, 2003-10-14 at 11:25, patrick kuah wrote:
> Thanks Chris :)

Glad to! :)

> 
> I'm using IPsec. Currently, my iptables is configured using stateful packet
> inspection.

You still need to open the correct ports as well as create the proper DNAT
and SNAT rules.

> Do I have to add the rules for port TCP/UDP 50 and TCP 50???
> Thank you :)

Here's what you need to open up:
1) IKE to and from your IPSec gateway. Something like (the gateway sits
behind the firewall, so these go in the FORWARD chain):
iptables -A FORWARD -p udp -s 0/0 --sport 500 -d 192.168.1.10 --dport 500 -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.10 --sport 500 -d 0/0 --dport 500 -j ACCEPT

2) Protocol 50 (ESP) to and from the gateway
iptables -A FORWARD -p 50 -d 192.168.1.10 -j ACCEPT
iptables -A FORWARD -p 50 -s 192.168.1.10 -j ACCEPT

Again, make sure your clients are not negotiating Authentication Header
(AH). If you try the above and you log drops to protocol 51, AH is being
negotiated.

HTH,
C
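The rule set Chris describes, written up as an added example (not code from the thread): it emits the rules for review instead of applying them, and checks the firewall log for the AH symptom he names. Assumptions not in the thread: the IPsec gateway is 192.168.1.10 on the LAN side, IPsec traffic crosses the FORWARD chain without being NATed, and drops are logged with the prefix "FW-DROP: ".

```shell
#!/bin/sh
# Added example; assumes gateway 192.168.1.10 behind the firewall, traffic in
# FORWARD, drops logged with prefix "FW-DROP: ". Filter side only, no NAT rules.
GW="${GW:-192.168.1.10}"

# Print the rules; review them, then `ipsec_rules | sh` as root to apply.
# The ESTABLISHED,RELATED rule first keeps the stateful behaviour already in use.
ipsec_rules() {
  cat <<EOF
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p udp -s 0/0 --sport 500 -d $GW --dport 500 -j ACCEPT
iptables -A FORWARD -p udp -s $GW --sport 500 -d 0/0 --dport 500 -j ACCEPT
iptables -A FORWARD -p 50 -d $GW -j ACCEPT
iptables -A FORWARD -p 50 -s $GW -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FW-DROP: "
iptables -A FORWARD -j DROP
EOF
}

# Constructed sample of /var/log/messages lines from the LOG target above,
# as they would look if a client negotiated AH. Netfilter's LOG target
# prints AH as PROTO=AH; the numeric form PROTO=51 is matched as well.
SAMPLE_LOG='Oct 14 17:50:01 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 LEN=120 TTL=54 ID=1 PROTO=AH SPI=0x0000a1b2
Oct 14 17:50:02 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 LEN=100 TTL=54 ID=2 PROTO=51
Oct 14 17:50:03 fw kernel: FW-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.168.1.20 LEN=60 TTL=50 ID=3 PROTO=TCP SPT=4444 DPT=22'

# Count logged AH drops addressed to the gateway, reading log lines on stdin.
# A nonzero count means a peer is negotiating AH: fix the IPsec proposal to
# ESP only rather than opening protocol 51 on the firewall.
ah_drops() {
  grep -cE "FW-DROP: .*DST=$GW .*PROTO=(AH|51)( |$)"
}

# Run the check over the constructed sample (returns 2 for the lines above).
ah_drops_in_sample() {
  printf '%s\n' "$SAMPLE_LOG" | ah_drops
}
```

In production, replace the sample with `grep FW-DROP /var/log/messages | ah_drops`.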





* VPN question
@ 2004-10-06 19:35 Sunny Shum
  2004-10-06 19:58 ` Jason Opperisano
  0 siblings, 1 reply; 6+ messages in thread
From: Sunny Shum @ 2004-10-06 19:35 UTC (permalink / raw)
  To: netfilter

Hello,
 
I am a newbie to the VPN setup.  Currently, my company has a Windows 2003
server behind a firewall (running iptables on RedHat 9).  I need to setup
VPN for a few executives so they can access the servers from home or on the
road.  I did some research and came to 3 options:
 
1. Run the VPN from the Windows 2003 server
2. OpenVPN
3. OpenSWAN or StrongSWAN
 
My questions are:
 
1. Is this the right place to ask questions regarding VPN, since this is
mainly an iptables-related list?  If not, can someone direct me to a
forum/list which will be helpful?  I really enjoy the information provided
by this list's members.
 
2. If I choose option #2 or #3 above, how do I set it up? I read the HOWTO
documents, but I am not sure where I should install the server side of the
VPN.  Do I install it on the firewall box?  Or the Windows 2003 box?
 
Thanks!
 
Regards,
Sunny
 
 
 


* Re: VPN question
  2004-10-06 19:35 Sunny Shum
@ 2004-10-06 19:58 ` Jason Opperisano
  0 siblings, 0 replies; 6+ messages in thread
From: Jason Opperisano @ 2004-10-06 19:58 UTC (permalink / raw)
  To: netfilter

On Wed, 2004-10-06 at 15:35, Sunny Shum wrote:
> Hello,
>  
> I am a newbie to the VPN setup.  Currently, my company has a Windows 2003
> server behind a firewall (running iptables on RedHat 9).  I need to setup
> VPN for a few executives so they can access the servers from home or on the
> road.  I did some research and came to 3 options:
>  
> 1. Run the VPN from the Windows 2003 server

don't do this.

> 2. OpenVPN

this is a nice option--not super scalable though.

> 3. OpenSWAN or StrongSWAN

i prefer open to strong, FWIW.
 
> My questions are:
>  
> 1. Is this the right place to ask questions regarding VPN, since this is
> mainly an iptables-related list?  

not really.

> If not, can someone direct me to a
> forum/list which will be helpful?  I really enjoy the information provided
> by this list's members.

start by reading:

  http://wiki.openswan.org/index.php/FAQ

then look through the archives/join:

  http://lists.openswan.org/mailman/listinfo/users

 
> 2. If I choose option #2 or #3 above, how do I set it up? I read the HOWTO
> documents, but I am not sure where I should install the server side of the
> VPN.  Do I install it on the firewall box?  Or the Windows 2003 box?

the firewall box would be a more logical choice, IMHO.

-j

-- 
Jason Opperisano <opie@817west.com>



