Linux Netfilter discussions
From: "Michael H. Warfield" <mhw@wittsend.com>
To: "Small, Jim" <jim.small@eds.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Linux/Windows pure SSL "VPN" Solution
Date: Wed, 2 Jun 2004 17:51:59 -0400
Message-ID: <20040602215159.GD7480@alcove.wittsend.com>
In-Reply-To: <564DE4477544D411AD2C00508BDF0B6A206AAD93@usahm018.exmi01.exch.eds.com>


On Wed, Jun 02, 2004 at 02:10:08PM -0400, Small, Jim wrote:
> I have a situation (common) where I need access to my corporate network, but
> the vendor will only allow traffic over ports 80 and 443.  The vendor would
> like me to do an SSL VPN as they do not want to open other ports (read--no
> IPSec).  I would like to do a Linux proof of concept solution using iptables
> and some sort of Open Source SSL VPN (Linux server sitting on the Internet
> or in one of our DMZs).

> This looks promising:  http://www.hsc.fr/ressources/outils/ssltunnel/
> It's just what I'm looking for but it doesn't support Windows clients.

	When I've been forced to do this, I generally use ppp over stunnel,
<www.stunnel.org>.  There are Windows binaries for stunnel, but getting
ppp running on that side may be a challenge.

	My general preference is IPSec NAT-T, which runs over 500/udp
and then 4500/udp, when straight IPSec (IP 50/51) is blocked but UDP
is open.

	Worse comes to worse, check out CCTT.  The Covert Channel Tunneling
Tool.  Lots of goodies in that set for tunneling under the worst of
circumstances.

	Which ever I use, I then layer IPv6 over top of that transport
and then have a complete routable addressable infrastructure I can access.

> I've looked at OpenVPN, CIPE, and vTun, but none of them appear to work only
> over port 443.  OpenVPN works over 443, but also requires UDP/5000 which is
> not possible.

	They have all UDP ports blocked (inbound and outbound)?  That
could be challenging, then.  Generally, once you initiate a connection
from the inside out, you can keep the ports open.  IPSec NAT-T seems
to include a keep-alive that keeps NAT tables fresh once the SAs are
established.

> Does anyone know of a pure (TCP/443 only) SSL Open Source solution?

> Thanks,
>    <> Jim

> PS  I realize this is not a pure iptables question, so I'm prepared for
> flames...  ;-)

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

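As an added illustration of the ppp-over-stunnel setup Mike describes (not taken from the thread, and not the hsc.fr ssltunnel Jim mentions), the stunnel 4 fragments below are assumed configurations: the host vpn.example.com, the 10.99.0.1/10.99.0.2 link addresses, the certificate paths and the pppd options are placeholders. The client runs stunnel in inetd mode (no [service] section) so that pppd can drive it through a pty; `verify = 2` together with `CAfile` is what keeps the client from completing a handshake with an arbitrary listener on 443.

```ini
; --- server side: /etc/stunnel/ppp-server.conf (assumed path) ---
; Listens on 443 like a web server; every accepted TLS session gets
; its own pppd on a pseudo-terminal, so only 443/tcp is ever used.
cert = /etc/stunnel/server.pem        ; server cert + key (placeholder)
pid  = /var/run/stunnel-ppp.pid

[ppp-ssl]
accept   = 443
exec     = /usr/sbin/pppd
execargs = pppd noauth nodetach 10.99.0.1:10.99.0.2
pty      = yes                        ; pppd expects a tty, not a pipe

; --- client side: /etc/stunnel/ppp-client.conf (assumed path) ---
; No [service] section: stunnel runs in inetd mode and encrypts
; whatever pppd writes to its stdin/stdout toward the server's 443.
client  = yes
connect = vpn.example.com:443
verify  = 2                           ; require AND verify the server cert
CAfile  = /etc/stunnel/ca.pem         ; CA that signed server.pem (placeholder)

; Client start-up (assumed command line; pppd owns the pty, stunnel is
; the "modem"):
;   pppd pty "stunnel /etc/stunnel/ppp-client.conf" noauth nodetach
```

Leaving out `verify`/`CAfile` still yields a working tunnel, which is why it is the setting worth checking before putting corporate routes over the link.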
