[PLUG] VPN needed for other OS

Keith Morse kgmorse at mpcu.com
Tue Oct 8 05:05:28 UTC 2002


On 7 Oct 2002, Derek Loree wrote:

> You're right, I didn't provide much info, mainly because there is so
> much.  When I started, I used the instructions from:
> 
> http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509 
> Nate claims that this works even with the client behind a masquerading
> firewall.
> 
> What I'm fishing for with the second question is more like:
> 
> 1) Server starts up, network interfaces start, ipsec interfaces start,
> waiting for a connection.
> 
> 2) Client starts a connection, sends initial packet (I think this is the
> start of phase 1 using IKE).
> 
> 3) Server responds to initiation, Phase 1 is successful if the client
> replies back.  This establishes the tunnel (I think, I also assume this
> is when the win2k client will start logging connection activity).
> 
> 4) Client sends encryption needs back to server (initiation of Phase
> 2?).
> 
> 5) Server generates encryption parameters (time of key rotation, etc.).
> 
> 6) Client accepts encryption parameters and starts sending out encrypted
> packets.  Now everything should work.
> 
> The part I don't get is how the packets go from the tunnel device
> associated with eth0 (the internet side) to eth1 (the LAN side), Nate
> says nothing about iptables rules, or special tunnels to the inside
> interface.  He also has two seperate tunnels set up, one to the
> interface with no subnet, and one to the LAN subnet, I don't understand
> why.

when ipsec starts and ipsec interface is started with it, ipsec0 for 
example.  you can specify the name of the interface in ipsec.conf and bind 
it to specific interface like eth0.  when the tunnel is successfully 
created, ipsec should update the kernels routing table automagically so 
that packets destined for the far side of the tunnel will get routed to 
the appropriate ipsec0 interface.

I haven't read Nate's documentatiion (been meaning to) so I can't speak to 
it.  Two things I do recommend is going to either the www.freeswan.org or 
www.freeswan.ca website and rifling thru the documentation found there.  
And subscribe to the freeswan-users mail list.  It's probably the most 
free-form mail-list I've seen, definitely don't use a MS based MUA to 
peruse it.

> 
> Why am I fishing here?  Because I'm hoping for some real world
> experience, not just a programmers version of what ought to happen.

I just got done fight^H^H^H^H^Hbuilding a vpn using a package called 
SuperFreeswan (put together by a freeswan guru named Ken Bancroft) that 
included NAT-Traversal as well as x509 certificate support that looked 
something like...



RFC-1918 Network
    |
    |
Firewall (linux and freeswan, NAT)  <--------------------------+
    |                                                          |
    |                                                          |
Cable Modem Router                                             |
    |                                                          |
    |                                                          |
Internet                                                vpn tunnel
    |                                                          |
    |                                                          |
Firewall (linux and freeswan and doing NAT)                    |
    |                                                          |
    |                                                          |
RFC-1918 Network (wireless)                                    |
    |                                                          |
    |                                                          |
Firwall (linux and freeswan and doing NAT and wins, ick)  <----+
    |
    |
RFC-1918 Network (yet another)
 





More information about the PLUG mailing list