Re: [suse-security] VPN, NAT and LDAP or FTP
Hi,

Mark C. wrote:
> [...]
> All the machines on LAN-A have a route added:
>   10.2.0.0/255.255.255.0 via VPN-A
>   Default route via FW-A

That's okay - but I don't understand right at this moment why this is necessary. Can't the FW route the traffic to 10.2.0.0/255.255.0.0 (resp. the other addresses on LAN-B)?

> FW-A is set up to forward appropriate ports to the VPN-A to allow the VPN to establish. E.g., with CIPE, just a single UDP forwarding is needed.
> [...]
> I have this exact setup running perfectly fine. You might put a rule on both firewalls to block traffic to the other LAN (except from the VPN machine) from being NAT'd - this basically ensures you don't leak any information for a machine that's missing the right routing.

You talked of CIPE. Do you use CIPE or another solution? Do you think that a VPN with FTP and LDAP between two VPN GWs each inside a NATed intranet would be possible with IPSec implementations, e. g. FreeS/WAN? My impression is that this setup - quite useful, I think - maybe only works with L2TP, IPSec over L2TP (if _that_ exists), CIPE, (v)tun or tinc.

Ré
Dear René,

I don't believe IPSEC traverses NAT correctly, so unless your firewall was also the VPN tunneller, I don't think it works nicely. There's been some work on STUN, but I don't believe it co-exists nicely with 'double NAT' yet.

Personally, I've been using CIPE.

You are correct - you can get your firewall to redirect traffic to the VPN. That doubles the traffic to the inside of the firewall though. I.e., LAN -> FW -> VPN -> FW instead of LAN -> VPN -> FW.

Traffic doubling might not be a problem, and you may decide the extra traffic isn't a problem in your scenario and you'd rather have the simpler setup. (Especially as the LAN portion of your net is probably at least twice the speed of the link to your ISP. Don't know about the loading on your firewall though.)

Mark

On Tue, 2003-08-12 at 14:51, René Matthäi wrote:
> [...]
Hi,

Mark Cooke wrote:
> I don't believe IPSEC traverses NAT correctly, so unless your firewall was also the VPN tunneller, I don't think it works nicely. There's been some work on STUN, but I don't believe it co-exists nicely with 'double NAT' yet.
> Personally, I've been using CIPE.

The problem is that Windows comes only with an IPSec or L2TP client (for free and integrated). Unfortunately there is no Windows CE client or even Windows XP (<- is _this_ still true?). And for Mobile Computing there are only IPSec clients (or PPTP/L2TP), I fear.

> > > All the machines on LAN-A have a route added:
> > >   10.2.0.0/255.255.255.0 via VPN-A
> > >   Default route via FW-A
> > That's okay - but I don't understand right at this moment why this is necessary. Can't the FW route the traffic to 10.2.0.0/255.255.0.0 (resp. the other addresses on LAN-B)?
> You are correct - you can get your firewall to redirect traffic to the VPN. That doubles the traffic to the inside of the firewall though. I.e., LAN -> FW -> VPN -> FW instead of LAN -> VPN -> FW.
> Traffic doubling might not be a problem, and you may decide the extra traffic isn't a problem in your scenario and you'd rather have the simpler setup. (Especially as the LAN portion of your net is probably at least twice the speed of the link to your ISP. Don't know about the loading on your firewall though.)

You can avoid the traffic problem by adding another physical network link between the VPN GW and the FW. But as for the load, you're right. It's a Pentium I 200 MHz machine and we have a 512 kBit/s connection. So I guess this is not on the edge.

Does everything work in your setup, e. g. LDAP or FTP then?

Ré
Dear René,

Everything (ftp, ldap, ssh, dns, etc.) works fine with my setup. The individual machines on the LANs don't use IPSec/tunnels. There's a single VPN tunnel essentially bridging the 'big bad internet' using a CIPE tunnel. I run an 'internal DNS', and 'internal samba' as a domain browser, and it all 'just works'.

As far as the two LANs are concerned, there isn't any NAT at all, and machines on the other LAN are directly reachable with a unique address. It avoids breakage of things like (non passive) FTP.

Finally - there's a Windows 2K/XP/NT4 version of CIPE, that I use on my laptop when I'm off-site (or on wireless, as WEP isn't worth using).

Mark

On Tue, 2003-08-12 at 15:23, René Matthäi wrote:
> [...]
Hi,

Mark Cooke wrote:
> You are correct - you can get your firewall to redirect traffic to the VPN. That doubles the traffic to the inside of the firewall though. I.e., LAN -> FW -> VPN -> FW instead of LAN -> VPN -> FW.
> Traffic doubling might not be a problem, and you may decide the extra traffic isn't a problem in your scenario and you'd rather have the simpler setup. (Especially as the LAN portion of your net is probably at least twice the speed of the link to your ISP. Don't know about the loading on your firewall though.)

If you set up your firewall correctly, it will send an ICMP Redirect message to the peers that have the firewall set as their default gateway, whereafter the peers will send all following packets directly to the VPN GW without bothering the firewall, and therefore the net, any more as long as the connection exists (don't know if this may be different for UDP connections, though, as UDP is a connection-less protocol).

René
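As an added example (not code from the thread or from CIPE), a small Python model of the LAN-A edge that shows two points raised above: why Mark's rule of never NAT'ing traffic for the other LAN matters for a host that is missing the static route, and the ICMP-redirect case René describes when FW-A itself knows the route via VPN-A. The LAN-A prefix, the FW-A/VPN-A/host addresses and the public IPs are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology modelled on the thread: LAN-B is 10.2.0.0/24 behind
# VPN-A. The LAN-A prefix, FW-A/VPN-A addresses and the public IPs are assumed.
LAN_B = ip_network("10.2.0.0/24")
ANY = ip_network("0.0.0.0/0")
FW_A, VPN_A = ip_address("10.1.0.1"), ip_address("10.1.0.2")
ISP_GW, FW_PUBLIC = ip_address("192.0.2.254"), ip_address("192.0.2.1")
TARGET = ip_address("10.2.0.10")  # constructed host on LAN-B

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; None if unroutable."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def fw_a_handle(src, dst, fw_routes_lan_b, no_nat_rule):
    """FW-A's decision for a packet a LAN-A host handed to its default gateway."""
    fw_routes = ([(LAN_B, VPN_A)] if fw_routes_lan_b else []) + [(ANY, ISP_GW)]
    if next_hop(fw_routes, dst) == VPN_A:
        # Next hop is on the ingress LAN: a Linux router with send_redirects=1
        # forwards the packet and tells the host to use VPN-A (René's point).
        return "forwarded to VPN-A, ICMP redirect sent"
    if dst in LAN_B and no_nat_rule and src != VPN_A:
        # Mark's rule: packets for the other LAN are never NAT'd, so a host
        # with a missing route cannot leak LAN-B-bound traffic to the ISP.
        return "blocked: LAN-B destination is exempt from NAT"
    return f"SNAT to {FW_PUBLIC}, sent to ISP"  # private-destination flow leaks

def lan_a_host_send(has_static_route, dst, src=ip_address("10.1.0.50"),
                    fw_routes_lan_b=False, no_nat_rule=False):
    """Where a LAN-A host's packet ends up, with or without Mark's host route."""
    routes = ([(LAN_B, VPN_A)] if has_static_route else []) + [(ANY, FW_A)]
    if next_hop(routes, dst) == VPN_A:
        return "sent directly to VPN-A"
    return fw_a_handle(src, dst, fw_routes_lan_b, no_nat_rule)

if __name__ == "__main__":
    print(lan_a_host_send(True, TARGET))                         # routed host
    print(lan_a_host_send(False, TARGET))                        # leak
    print(lan_a_host_send(False, TARGET, no_nat_rule=True))      # blocked
    print(lan_a_host_send(False, TARGET, fw_routes_lan_b=True))  # redirect
```

The four calls at the bottom walk through the host with the route, the host without it (its LAN-B packets get SNAT'd out to the ISP), the same host once the NAT exemption is in place, and the case where FW-A routes LAN-B via VPN-A and redirects.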