Mailinglist Archive: opensuse-security (757 mails)

VPN, Part II - Right Side BEHIND a Cisco PIX NAT/Masq.
  • From: "Argentium G. Tiger" <agtiger@xxxxxxxxx>
  • Date: Mon, 21 Jan 2002 16:39:12 -0600
  • Message-id: <5.1.0.14.2.20020121162546.0377c4a0@xxxxxxxxxxxxxxxxxxxx>
Okay, I've got leg one of the IPSEC VPN up with SuSE 7.3. Public and many
thanks to Nadeem Hasan. :-)

What was stopping me at the last was that SuSEfirewall2's config file
(/etc/rc.config.d/firewall2.rc.config) had two external interfaces defined
(eth0 and ipsec0). Specifically:

FW_DEV_EXT="eth0 ipsec0"

A bit later on in the config, I declared the interface to masquerade on as
the variable $FW_DEV_EXT, which meant both eth0 and ipsec0 were being
masqueraded. ipsec0 can NOT be masqueraded! It confuses the heck out of
IPSEC. :-)

Specifically, what I had was:
FW_MASQ_DEV="$FW_DEV_EXT"

What it should have been and now is:
FW_MASQ_DEV="eth0"


Okay, on to my current dilemma.

Everything up to now has been a testbed between two SuSE 7.3 machines
running SuSEfirewall2 version 2.1 and FreeS/WAN 1.91. Both the left and
right machines had an external address that actually lived on the
internet.

Now I need to connect in a 'right side' that lives masqueraded behind a
Cisco PIX firewall, but it is 1:1 bound with a live internet IP.

Specifically:

Address a.b.c.d is bound to internal address 10.100.0.26.

Or in more detail, eth0 on this new machine is:
IP: 10.100.0.26
Mask: 255.255.255.0
GW: 10.100.0.1


So on the right side of the ipsec.conf, what I'm thinking of using is:

rightid=@rightid
right=10.100.0.26
rightsubnet=10.100.0.0/24
rightupdown=/usr/lib/ipsec/_updown_custom
rightrsasigkey=[snipped]
auto=start


On the left machine is where this becomes problematic...

Now I'll bet I need to define the right stuff differently, by using the
external address instead of 10.100.0.26, since that's meaningless to the
outside world. Something like:

rightid=@rightid
right=a.b.c.d
rightsubnet=10.100.0.0/24
rightupdown=/usr/lib/ipsec/_updown_custom
rightrsasigkey=[snipped]
auto=start


Have I understood this correctly? Comments? Thoughts? Am I in for a world
of hurt here? :-) (Okay, that one's a given)

Argentium
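The masquerading mistake described in the post, turned into a check. This is an added example, not SuSEfirewall2's or the poster's code: it parses the VAR="value" assignments of a firewall2.rc.config-style file with shell-style $VAR expansion, then reports any ipsecN interface that ends up in FW_MASQ_DEV (and any masqueraded device that is not also declared external). The two config fragments are constructed to mirror the before and after settings quoted above.

```python
"""Lint a SuSEfirewall2-style rc.config fragment for IPsec masquerading.

Added example (not SuSEfirewall2 code). Only the simple VAR="value"
assignment form with $VAR / ${VAR} expansion is handled, which is all
this file format uses for the variables of interest.
"""
import re

ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
VAR_RE = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')
IPSEC_DEV_RE = re.compile(r'ipsec\d+')


def parse_rc_config(text):
    """Return {variable: expanded value}, processed in file order like a shell."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        # strip one layer of matching double or single quotes
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in '"\'':
            raw = raw[1:-1]
        # expand references against values defined so far; unknown -> empty
        env[name] = VAR_RE.sub(lambda mm: env.get(mm.group(1), ''), raw)
    return env


def masqueraded_ipsec_devices(env):
    """IPsec virtual interfaces (ipsecN) that FW_MASQ_DEV would masquerade."""
    return [d for d in env.get('FW_MASQ_DEV', '').split() if IPSEC_DEV_RE.fullmatch(d)]


def lint(text):
    """Return a list of human-readable findings; empty means the config is clean."""
    env = parse_rc_config(text)
    findings = []
    bad = masqueraded_ipsec_devices(env)
    if bad:
        findings.append('FW_MASQ_DEV masquerades IPsec device(s): ' + ' '.join(bad))
    external = set(env.get('FW_DEV_EXT', '').split())
    for dev in env.get('FW_MASQ_DEV', '').split():
        if dev not in external:
            findings.append('FW_MASQ_DEV device %s is not listed in FW_DEV_EXT' % dev)
    return findings


# Constructed samples mirroring the post: the broken and the corrected setting.
BROKEN_CONFIG = '''
FW_DEV_EXT="eth0 ipsec0"
FW_MASQ_DEV="$FW_DEV_EXT"
'''

FIXED_CONFIG = '''
FW_DEV_EXT="eth0 ipsec0"
FW_MASQ_DEV="eth0"
'''

if __name__ == '__main__':
    for label, cfg in (('broken', BROKEN_CONFIG), ('fixed', FIXED_CONFIG)):
        print(label, lint(cfg) or ['ok'])
```

The check expands $FW_DEV_EXT exactly as the shell would, so it catches the indirect form in the post rather than only a literal `ipsec0` in FW_MASQ_DEV.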

