[PLUG] VPN needed for other OS
Keith Morse
kgmorse at mpcu.com
Tue Oct 8 05:05:28 UTC 2002
On 7 Oct 2002, Derek Loree wrote:
> You're right, I didn't provide much info, mainly because there is so
> much. When I started, I used the instructions from:
>
> http://www.natecarlson.com/include/showpage.php?cat=linux&page=ipsec-x509
> Nate claims that this works even with the client behind a masquerading
> firewall.
>
> What I'm fishing for with the second question is more like:
>
> 1) Server starts up, network interfaces start, ipsec interfaces start,
> waiting for a connection.
>
> 2) Client starts a connection, sends initial packet (I think this is the
> start of phase 1 using IKE).
>
> 3) Server responds to initiation, Phase 1 is successful if the client
> replies back. This establishes the tunnel (I think, I also assume this
> is when the win2k client will start logging connection activity).
>
> 4) Client sends encryption needs back to server (initiation of Phase
> 2?).
>
> 5) Server generates encryption parameters (time of key rotation, etc.).
>
> 6) Client accepts encryption parameters and starts sending out encrypted
> packets. Now everything should work.
>
> The part I don't get is how the packets go from the tunnel device
> associated with eth0 (the internet side) to eth1 (the LAN side), Nate
> says nothing about iptables rules, or special tunnels to the inside
> interface. He also has two separate tunnels set up, one to the
> interface with no subnet, and one to the LAN subnet, I don't understand
> why.
When ipsec starts, an ipsec interface is started with it, ipsec0 for
example. You can specify the name of the interface in ipsec.conf and bind
it to a specific interface like eth0. When the tunnel is successfully
created, ipsec should update the kernel's routing table automagically so
that packets destined for the far side of the tunnel will get routed to
the appropriate ipsec0 interface.
I haven't read Nate's documentation (been meaning to) so I can't speak to
it. Two things I do recommend are going to either the www.freeswan.org or
www.freeswan.ca website and rifling thru the documentation found there,
and subscribing to the freeswan-users mail list. It's probably the most
free-form mail-list I've seen; definitely don't use a MS based MUA to
peruse it.
>
> Why am I fishing here? Because I'm hoping for some real world
> experience, not just a programmers version of what ought to happen.
I just got done fight^H^H^H^H^Hbuilding a vpn using a package called
SuperFreeswan (put together by a freeswan guru named Ken Bancroft) that
included NAT-Traversal as well as x509 certificate support that looked
something like...
RFC-1918 Network
       |
       |
Firewall (linux and freeswan, NAT) <--------------------------+
       |                                                      |
       |                                                      |
Cable Modem Router                                            |
       |                                                      |
       |                                                      |
Internet                                                 vpn tunnel
       |                                                      |
       |                                                      |
Firewall (linux and freeswan and doing NAT)                   |
       |                                                      |
       |                                                      |
RFC-1918 Network (wireless)                                   |
       |                                                      |
       |                                                      |
Firewall (linux and freeswan and doing NAT and wins, ick) <---+
       |
       |
RFC-1918 Network (yet another)
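As an added illustration (not from this thread or from Nate's page), here is a minimal FreeS/WAN ipsec.conf that shows the interface binding Keith describes and the two-conn layout Derek asks about; the certificate file name and the LAN subnet are placeholders.

```ini
# Added example, not from the thread or Nate's page. The cert file name
# and the 192.168.1.0/24 subnet are placeholders.
config setup
    # Bind the virtual ipsec0 device to the Internet-facing NIC (eth0).
    # The LAN NIC (eth1) is not listed here: once a tunnel is up, KLIPS
    # adds a kernel route for the far side via ipsec0, and decrypted
    # packets are then forwarded to eth1 by ordinary routing.
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    # refuse a second SA from the same identity, so a re-connecting
    # client replaces its stale tunnel instead of leaving two behind
    uniqueids=yes

conn %default
    keyingtries=0
    authby=rsasig
    # x509 patch: present the gateway's own certificate and accept a
    # peer whose public key comes from the certificate it sends
    leftcert=gateway-cert.pem
    rightrsasigkey=%cert
    left=%defaultroute

# Tunnel 1: the gateway host itself <-> road warrior (no subnet on
# either side). IPsec policy matches on exact address selectors, so
# traffic to the gateway's own address needs its own SA.
conn rw-host
    right=%any
    auto=add

# Tunnel 2: the LAN behind the gateway <-> road warrior. This is the
# one that carries traffic between the client and hosts on eth1.
conn rw-lan
    leftsubnet=192.168.1.0/24
    right=%any
    auto=add
```

With `auto=add` the gateway only listens; after a client has negotiated rw-lan, `ipsec look` (or `route -n`) should show the client's address routed via ipsec0, which is the automatic route update Keith mentions.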