RE: [suse-security] SuSE 8, IPSec and Gated (RIP)
Has anyone run gated, with rules for RIP, to allow ipsec through to an internal mail server, that has a default gateway that does not come back through the SuSE server?
I am stumped and cannot see any info. for it in SuSE 8 distro.
Whoa, hold yer horses! That's a pretty complicated setup you're describing with very few words... I'd hardly expect your exact situation to be described in any place, but you should be able to piece everything together. After all, that's how UNIX works. Try to rephrase your question, being as clear as possible (this includes message formatting). Note, too, that your question isn't really related to security a lot...
Cheers, Tobias
Not related to security, eh?
I thought that was what I was trying to achieve in implementing IPSec for VPN, no? Perhaps the mention of ipchains/iptables qualifies it for the forum?
Seriously, I have run the FreeSwan setup before, no problems. Only this time, I have been asked to implement it where there is an adsl router with 16 public ips on it. The SuSE 8 server has been attributed one of these, with the adsl router being its default gateway.
Now, there is a win2k exchange server, whose default route is NOT the SuSE 8 server, but some PIX that again has its own default gateway, that is the adsl router. Overcomplicated, I know, but that is what I have been given.
Now the road warrior dials up and uses the vpn client to get in. The SuSE server passes the packets, through the tunnel into the exchange server. The exchange server sees the packets from their original, external ip. So it sends the replies back along its default gateway to send them externally. Its default gateway is the PIX, NOT the SuSE Server!
The network consultant that manages the PIX says that if I use RIP on the SuSE Server, and somehow broadcast its established routes, the PIX will redirect the packets that came into the exchange server, through the SuSE server, back to the SuSE Server.
My problems are:
- I don't see the PIX doing this, when its own default gateway will tell it to send the packets back out;
- The SuSE server is set to not allow redirects and source-routed packets;
- IPSec, as I understand it, doesn't work this way and likes packets to come back the way they went;
- I don't know how to set the gated.conf to get the rip broadcasting correctly, and there is very little useful stuff in the groups.
I wonder if they used static dial-ups, and put the static routes in the PIX, it would work?
Apart from that, it's hunky-dory.
But it is purely security, and the achievement of ...
Ta,
Rich.
Richard King
On Fri, 23 Aug 2002 rking@generationtechnology.co.uk wrote:
Not related to security, eh? I thought that was what I was trying to achieve in implementing IPSec for VPN, no? Perhaps the mention of ipchains/iptables qualifies it for the forum?
Seriously, I have run the FreeSwan setup before, no problems. Only this time, I have been asked to implement it where there is an adsl router with 16 public ips on it. The SuSE 8 server has been attributed one of these, with the adsl router being its default gateway.
Now, there is a win2k exchange server, whose default route is NOT the SuSE 8 server, but some PIX that again has its own default gateway, that is the adsl router. Overcomplicated, I know, but that is what I have been given.
Why don't you just make it symmetric by putting the SuSE8 server in front of the PIX?
Now the road warrior dials up and uses the vpn client to get in. The SuSE server passes the packets, through the tunnel into the exchange server. The exchange server sees the packets from their original, external ip.
Why that? Use some private subnet for the road warriors and put a route for that either into the Exchange server or the PIX.
So it sends the replies back along its default gateway to send them externally. Its default gateway is the PIX, NOT the SuSE Server!
The network consultant that manages the PIX says that if I use RIP on the SuSE Server, and somehow broadcast its established routes, the PIX will redirect the packets that came into the exchange server, through the SuSE server, back to the SuSE Server.
I am no expert in dynamic routing, but this setup seems to attract all kinds of problems and difficulties, especially concerning reliability.
Ciao, Roland
--
Roland Kuhn, TU Muenchen, Physik-Department E18, James-Franck-Str., 85747 Garching, Raum 3558, Telefon 089/289-12592
If you think NT is the answer, you have not understood the question.
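Rich's asymmetric return path and Roland's suggested fix (a private subnet for the road warriors, with a route for it on the Exchange server or the PIX), modelled as an added example that is not part of the thread. All addresses, both routing tables and the helper names are constructed for illustration; only the longest-prefix lookup is real routing behaviour.

```python
"""Constructed model of the routing decision the Exchange server makes
when it replies to a road warrior. Not code from the thread."""
import ipaddress

# Constructed addresses for the hosts Rich describes (assumptions).
EXCHANGE = "10.0.0.20"
SUSE_VPN_GW = "10.0.0.1"               # FreeS/WAN gateway, inside interface
PIX = "10.0.0.254"                     # Exchange's actual default gateway
ROAD_WARRIOR_PUBLIC = "198.51.100.77"  # client's real dial-up address
ROAD_WARRIOR_VPN = "192.168.77.5"      # address from a private VPN pool


def next_hop(routing_table, dst):
    """Longest-prefix match over (prefix, gateway) pairs; returns the gateway."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw in routing_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def reply_path(routing_table, src_seen_by_exchange):
    """Which gateway the Exchange reply leaves by, and whether that gateway
    is the IPsec box (so the reply can be re-encrypted into the tunnel)."""
    gw = next_hop(routing_table, src_seen_by_exchange)
    return {"gateway": gw, "via_tunnel": gw == SUSE_VPN_GW}


# Rich's situation: only a default route via the PIX, and the decrypted
# packets still carry the client's public source address.
CURRENT_TABLE = [("0.0.0.0/0", PIX)]

# Roland's suggestion: clients get addresses from a private pool, and the
# Exchange server (or the PIX) carries a route for that pool via the SuSE box.
FIXED_TABLE = [("0.0.0.0/0", PIX), ("192.168.77.0/24", SUSE_VPN_GW)]

if __name__ == "__main__":
    print("before:", reply_path(CURRENT_TABLE, ROAD_WARRIOR_PUBLIC))
    print("after: ", reply_path(FIXED_TABLE, ROAD_WARRIOR_VPN))
```

The "before" case is exactly the leak Rich sees: the reply is routed to the PIX, never reaching the IPsec gateway, while the more specific route in the "after" table sends it back through the SuSE server.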
* rking@generationtechnology.co.uk wrote on Fri, Aug 23, 2002 at 13:31 +0100:
Not related to security, eh?
No, that is networking related :)
I thought that was what I was trying to achieve in implementing IPSec for VPN, no?
You did, and now you have some self-made routing problem, I think :)
Now the road warrior dials up and uses the vpn client to get in. The SuSE server passes the packets, through the tunnel into the exchange server. The exchange server sees the packets from their original, external ip.
You use ESP transport mode I guess?
So it sends the replies back along its default gateway to send them externally. Its default gateway is the PIX, NOT the SuSE Server!
The network consultant that manages the PIX says that if I use RIP on the SuSE Server, and somehow broadcast its established routes, the PIX will redirect the packets that came into the exchange server, through the SuSE server, back to the SuSE Server.
Sounds ok (but I haven't understood your setup completely, I think).
My problems are: I don't see the PIX doing this, when its own default gateway will tell it to send the packets back out;
Usually the RIP routes are preferred if available.
I don't know how to set the gated.conf to get the rip broadcasting correctly, and there is very little useful stuff in the groups.
Hum, IIRC I had similar troubles with gated. Maybe you should take a look at zebra. I played with it a little only, but it seemed to me to be not too cryptic, and it handles RIP.
I wonder if they used static dial-ups, and put the static routes in the PIX, it would work?
Well, someone may argue that a firewall (PIX is one, ain't it?) shouldn't accept dynamic routing... For me, it sounds like a problem of some unclean security/routing concept if you have such issues. But I think you could solve it with zebra.
oki, Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
Usually the RIP routes are preferred if available.
PIX doesn't know about RIP routes afaik.
I wonder if they used static dial-ups, and put the static routes in the PIX, it would work?
Yes.
Well, someone may argue that a firewall (PIX is one, ain't it?) shouldn't accept dynamic routing... For me, it sounds like a problem of some unclean security/routing concept if you have such issues. But I think you could solve it with zebra.
Bingo. The other solution that was offered, putting the suse machine in "front" of the PIX, kind of defeats the purpose of having the PIX at all... we won't get into that ;) PIX doesn't use dynamic routing protocols last time I checked. Only static routing.
Regards, MD
participants (5)
- Reckhard, Tobias
- rking@generationtechnology.co.uk
- Roland Kuhn
- Steffen Dettmer
- Tech Support