Hi all,
I am trying to set up VPN masquerading for a Windows box, and just wondered if there was an easy way to do this using just the firewall.rc.config script, or do both that plus the custom config script have to be used? I have seen the VPN how-to, however just wondered about how to apply this with SuSE's scripts.
Thanks for any suggestions,
(PS if there is someone familiar with setting up VPN on the SuSE box itself, I would be very interested as well..., of course)
- Cheers, Joost
> I am trying to set up VPN masquerading, for a Windows box, and just wondered if there was an easy way to do this, using just the firewall.rc.config script, or do both that plus the custom config script have to be used?
There are several ways to set up VPNs. Linux has the IPSEC implementation with freeswan (Secure WAN) - www.freeswan.org. Another possibility is using ppp over ssh - simple script solution - works fine. I guess you need such a solution, since you have private IPs in your intranet that aren't publicly routed. If you have public IPs in your intra/extranet, packet filtering/routing/gatewaying can do this job - but all traffic is unencrypted and "public" readable :O(
Michael Appeldorn
* Joost van der Lugt wrote on Fri, Sep 07, 2001 at 01:12 -0700:
> I am trying to set up VPN masquerading, for a Windows box,
Does this mean you are trying to masquerade a VPN connection? This shouldn't work, since masquerading modifies the packet (it changes the source IP and port), and the VPN implementation should detect that this packet is modified and should drop it.
> (PS if there is someone familiar with setting up VPN on the SuSE box itself, I would be very interested as well..., of course)
Well, I use freeswan in different versions on multiple hosts, which runs nicely. Please note that you can tunnel RFC1918 addresses from one network to another. In that case, you don't need masquerading. Imagine two locations, i.e. Berlin and Sydney. Berlin has 192.168.0.0/24 and Sydney uses 192.168.1.0/24. In that case, you can tunnel the 0.0 network to Sydney and the 1.0 to Berlin. For the clients in the networks it looks as if Berlin and Sydney are connected directly. For the "internet" it looks like the routers (which need a single official IP) talk a lot with IP protocol 50 to each other. In those IP proto 50 packets the packages from 0.0<->1.0 are included - but invisible since encrypted.
oki,
Steffen
-- This message was generated by machine and therefore carries neither signature nor seal.
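Added example, not part of the original thread: a simplified Python model of the integrity check discussed in the message above. It shows that an AH check value covers the outer source address and so fails once a masquerading gateway rewrites it, while an ESP (IP protocol 50) check value covers only the ESP data; ESP still carries no port numbers for a gateway to rewrite. The key, the documentation-range addresses and the choice of HMAC-SHA1-96 are assumptions, and the AH header itself is left out of the covered bytes for brevity.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"   # constructed sample key
AH, ESP = 51, 50                # IP protocol numbers

def ip_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header without options (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def route(header):
    """An ordinary router hop: only the TTL changes."""
    h = bytearray(header)
    h[8] -= 1
    return bytes(h)

def masquerade(header, public_ip="192.0.2.1"):
    """A masquerading gateway: the source address is rewritten."""
    h = bytearray(header)
    h[12:16] = socket.inet_aton(public_ip)
    return bytes(h)

def icv(proto, header, body):
    """HMAC-SHA1-96 over the bytes each protocol authenticates."""
    if proto == AH:
        h = bytearray(header)
        h[1] = 0                 # TOS is mutable in transit, zeroed
        h[6:8] = b"\x00\x00"     # flags + fragment offset, zeroed
        h[8] = 0                 # TTL, zeroed
        h[10:12] = b"\x00\x00"   # header checksum, zeroed
        covered = bytes(h) + body   # addresses stay covered
    else:
        covered = body           # ESP: SPI, sequence number, ciphertext only
    return hmac.new(KEY, covered, hashlib.sha1).digest()[:12]

def survives(proto, hop):
    """True if the receiver's recomputed ICV matches after the given hop."""
    body = struct.pack("!II", 0x1001, 1) + b"constructed ciphertext"
    sent = ip_header("192.168.0.10", "198.51.100.1", proto, len(body))
    return hmac.compare_digest(icv(proto, sent, body),
                               icv(proto, hop(sent), body))

if __name__ == "__main__":
    for name, proto in (("AH", AH), ("ESP", ESP)):
        print(name, "routed:", survives(proto, route),
              "masqueraded:", survives(proto, masquerade))
```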
Thanks for both responses.
* Steffen Dettmer <steffen@dett.de> [Sep 07. 2001 07:12]:
> * Joost van der Lugt wrote on Fri, Sep 07, 2001 at 01:12 -0700:
> > I am trying to set up VPN masquerading, for a Windows box,
> Does this mean you are trying to masquerade a VPN connection? This shouldn't work, since masquerading modifies the packet (it changes the source IP and port), and the VPN implementation should detect that this packet is modified and should drop it.
I guess, but there is a VPN masquerading How-To, though...
> > (PS if there is someone familiar with setting up VPN on the SuSE box itself, I would be very interested as well..., of course)
> Well, I use freeswan in different versions on multiple hosts, which runs nicely.
I have been looking into this, however the Windows box I currently use uses something called SecuRemote, and I do not believe I can set up freeswan the same way, as far as I can see... (I have no root access to the VPN server of course).
> Please note that you can tunnel RFC1918 addresses from one network to another. In that case, you don't need masquerading. Imagine two locations, i.e. Berlin and Sydney. Berlin has 192.168.0.0/24 and Sydney uses 192.168.1.0/24. In that case, you can tunnel the 0.0 network to Sydney and the 1.0 to Berlin. For the clients in the networks it looks as if Berlin and Sydney are connected directly. For the "internet" it looks like the routers (which need a single official IP) talk a lot with IP protocol 50 to each other. In those IP proto 50 packets the packages from 0.0<->1.0 are included - but invisible since encrypted.
If I understand this correctly, you will need full root access to both networks as well for this, so, in my case not feasible. I will be digging deeper into this definite "Case of Linux", number xxx :-)
> oki,
> Steffen
> -- This message was generated by machine and therefore carries neither signature nor seal.
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Joost
What is the deal with the broken YOU / GPG on SuSE 8.0pro? Is there a workaround, or a fix planned? Can someone please let me know.
I updated to 8.0 over the weekend and everything was great, until ;( I ran YOU, which proceeded to tell me that either GPG was not installed, or SuSE had not signed the update RPMs correctly. I of course installed the updates anyway.
Now I love SuSE but this is a definite show stopper for me (in fact I thought about downgrading again!!), and worse yet imagine all the new users who will be alienated by this type of horrific, and it is, error. I can replicate this on different machines and on every install; this weekend I ran around 10 installs to verify, all of which reported the same error.
Maybe someone at SuSE can shed a little light on this for me and the others affected by this, thanks in advance
______________________________________________________________
Duane Kehoe, Programmer / Analyst, Weyco Group, Inc.
phone: 414.908.1814
fax: 414.908.1601
email: dkehoe@weycogroup.com
-----Original Message-----
From: Joost van der Lugt [mailto:jvdl@wanadoo.fr]
Sent: Friday, September 07, 2001 3:13 AM
To: suse-security@suse.com
Subject: [suse-security] VPN masquerading
Hi all,
I am trying to set up VPN masquerading for a Windows box, and just wondered if there was an easy way to do this using just the firewall.rc.config script, or do both that plus the custom config script have to be used? I have seen the VPN how-to, however just wondered about how to apply this with SuSE's scripts.
Thanks for any suggestions,
(PS if there is someone familiar with setting up VPN on the SuSE box itself, I would be very interested as well..., of course)
- Cheers, Joost
participants (4)
- Appeldorn
- Duane Kehoe
- Joost van der Lugt
- Steffen Dettmer