Quoting jjohnson@penguincomputing.com (jjohnson@penguincomputing.com) on Tue, Nov 21, 2000 at 12:40:45AM +0100:
Uhm.. FreeS/WAN, being an IPSec server, will only allow people who authenticate via preshared keys or RSA public keys to route traffic into your internal network, i.e.
win98client --- internet --- firewall(eth0) -> internal(eth1)
Obviously you would use a non-public IP range internally. If everything is set up properly, people on the internet cannot contact internal, but the win98client will be able to if there is an IPSec connection present (and IPSec is set up to do the routing to the internal LAN).
If you are talking about something else, please elaborate on your question.
The basic functionality I am after has nothing to do with FreeS/WAN, I want user-based authentication before a firewall lets packets of that user through. To make it more complicated, those packets will come in via an IPSEC tunnel which will unwrap them before the authentication.

A more complete picture:

WinXX client with PGPnet or Win2K IPSEC or whatever
  Public Address 199.1.1.1
  Private tunneled address 10.1.1.1
    |
    |  IPSEC Tunnel through some bad bad network...
    |
Firewall with FreeS/WAN on 200.1.1.1 which receives IPSEC packets from 199.1.1.1 (tunnel authenticated via RSA keys)
  Unwraps packet from the client and tries to forward it to internal net
  But before the packet from 10.1.1.1 gets sent on, some form of user auth is needed
    |
    |  Internal Net
    |
Servers on 10.x.x.x

User Auth could be some Client on the WinXXX side that allows the user to enter user id / password or SecurID key that is checked by the Firewall before it allows routing of packets coming from 10.1.1.1

Does that look clearer?

cheers
afx
On Mon, Nov 20, 2000 at 01:29:25PM +0100, Andreas Siegert wrote:
Hi,

I am looking for a solution to authenticate routing.

IPSEC Client (Mostly WinXX boxes) connects to firewall.
Firewall untunnels packets (FreeS/WAN)
Firewall authenticates user ????????
Successful authentication enables routing of the client's packets into the internal net.
Commercial FWs like FW1 have that feature, but I'd rather run it on Linux.
Thanks for any pointers
afx
--
atsec information security GmbH     Phone: +49-89-44249830
Steinstrasse 68                     Fax:   +49-89-44249831
D-81667 Muenchen, Germany           WWW:   www.atsec.com
May the Source be with you!
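To make the "authenticated routing" gate that afx sketches above concrete, here is an added model of the decision logic, written for this page and not taken from FreeS/WAN or any of the posters. It assumes two separate facts per packet: whether the IPsec layer decapsulated it (the tunnel was authenticated with RSA keys, as in the thread) and whether a user has since bound themselves to that tunnel address by a user-level login. Only when both hold, and the user authorization has not expired, is a packet from the tunneled 10.1.1.1 address forwarded into the 10.x.x.x net. The password store, addresses, timeouts and log lines are all constructed for the example; a real firewall would hand the user check to RADIUS/SecurID and express the forward decision as a per-source firewall rule.

```python
"""Model of a user-authenticated forwarding gate behind an IPsec tunnel.

Constructed scenario (not FreeS/WAN code): the firewall decapsulates a packet
from tunneled client address 10.1.1.1 and must then pass a per-user
authentication check before forwarding it to the internal 10.x.x.x net.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass


@dataclass
class Packet:
    src: str            # inner (tunneled) source address, e.g. 10.1.1.1
    dst: str            # destination on the internal net
    via_ipsec: bool     # True if the IPsec layer decapsulated it, i.e. the
                        # SA was authenticated (RSA keys / preshared secret)


def make_user_record(password: str, salt: bytes = None) -> dict:
    """Constructed password-store entry (salted PBKDF2); a deployment would
    instead query RADIUS/SecurID, this is only enough for the model."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "digest": digest}


class AuthGate:
    def __init__(self, internal_net: str, users: dict, ttl: int = 3600):
        self.internal_net = ipaddress.ip_network(internal_net)
        self.users = users          # user id -> make_user_record(...)
        self.ttl = ttl              # lifetime of a user authorization (s)
        self.sessions = {}          # tunnel src addr -> (user, expiry)
        self.log = []               # constructed audit trail

    def authenticate(self, src: str, user: str, password: str, now: float) -> bool:
        """User-level auth; on success bind the user to the tunnel address."""
        rec = self.users.get(user)
        if rec is None:
            self.log.append(f"auth fail src={src} user={user} (unknown user)")
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
        if not hmac.compare_digest(digest, rec["digest"]):
            self.log.append(f"auth fail src={src} user={user} (bad password)")
            return False
        self.sessions[src] = (user, now + self.ttl)
        self.log.append(f"auth ok src={src} user={user}")
        return True

    def logout(self, src: str) -> None:
        self.sessions.pop(src, None)

    def decide(self, pkt: Packet, now: float) -> str:
        """Forwarding decision for a decapsulated packet: FORWARD or DROP."""
        if ipaddress.ip_address(pkt.dst) not in self.internal_net:
            return "DROP"       # this gate only governs traffic into the internal net
        if not pkt.via_ipsec:
            return "DROP"       # a bare 10.x source from outside is never trusted
        session = self.sessions.get(pkt.src)
        if session is None:
            return "DROP"       # tunnel is up, but no user has authenticated yet
        user, expiry = session
        if now >= expiry:
            del self.sessions[pkt.src]   # expired authorization is forgotten
            self.log.append(f"session expired src={pkt.src} user={user}")
            return "DROP"
        return "FORWARD"


def demo() -> list:
    """Walk the scenario from the thread; returns the decisions in order."""
    salt = b"constructed-salt"   # fixed so the demo is reproducible
    gate = AuthGate("10.0.0.0/8", {"afx": make_user_record("hunter2", salt)}, ttl=600)
    pkt = Packet(src="10.1.1.1", dst="10.2.2.2", via_ipsec=True)
    d = []
    d.append(gate.decide(pkt, now=0))                       # tunnel only: DROP
    gate.authenticate("10.1.1.1", "afx", "wrong", now=1)    # bad password
    d.append(gate.decide(pkt, now=2))                       # still DROP
    gate.authenticate("10.1.1.1", "afx", "hunter2", now=3)  # user auth OK
    d.append(gate.decide(pkt, now=4))                       # FORWARD
    spoof = Packet(src="10.1.1.1", dst="10.2.2.2", via_ipsec=False)
    d.append(gate.decide(spoof, now=5))                     # DROP: not via tunnel
    d.append(gate.decide(pkt, now=700))                     # DROP: authorization expired
    return d


if __name__ == "__main__":
    print(demo())
```

The point of keeping the two checks separate is the one afx makes: the RSA-authenticated tunnel proves which machine the packet came from, while the session table proves which person is behind it, and dropping packets by default until both are satisfied is what turns a VPN endpoint into the FW1-style "client authentication" he describes.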