Mailinglist Archive: opensuse-security (757 mails)

Further to my Free S/WAN problem...
  • From: "Argentium G. Tiger" <agtiger@xxxxxxxxx>
  • Date: Sun, 20 Jan 2002 09:05:22 -0600
  • Message-id: <>
I thought I'd take a step back from the problem and describe exactly what
it is that I'm trying to accomplish.

What we've got is an office of PCs that are running Windows 2000 Professional
inside of VMware on top of SuSE Linux 7.3. This is rather amusing, watching
W2K run "in jail" when it has no idea. :-) We're developing for a client
in W2K, which is why we're running it at all. (Money's gotta come in from
somewhere.) ;-)

The office runs on a private subnet of

At the front end of this office is a SuSE 7.3 box running SuSEfirewall2 2.1.
Its name is: fire01

We have a DSL connection at the front of this office which comes into a
router of Our firewall sits at and gateways to
(No, those aren't real addresses) ;-)

Okay, that describes the office.

Now over to the client's site:

They have a Cisco PIX firewall with a bank of addresses. Currently, an
address of is bound to an internal address of, and
only port 22 TCP (SSH) is allowed through. is a SuSE 7.3 box which will be (but is not yet) running
SuSEfirewall2 2.1. It only has one NIC, and I'll explain why here
in a bit. Its name is fire03.

Another machine on the inside is, which is a Windows-based
development server offering file storage and Microsoft SourceSafe storage
of the source code we'd like direct access to from our
subnet at our office, hidden behind

So that brings me to the problem at hand:

I need a securely encrypted connection between fire01 and fire03.

I have this so far using SSH. I have created a user called 'vpn' on both
fire01 and fire03, and they have cross-permitted public RSA keys and can ssh
back and forth at will (without passwords). Similarly, I've set this up
for the root accounts.

What I want to accomplish is a secure connection between fire01 at
and fire03 at, already behind the Pix at, such that
the machines behind fire01 at can see the Microsoft development
server at on the client's network.

I want to be able to use SuSEfirewall2 on both sides to ensure that ONLY has permissions to talk through fire03, and that only
is reachable through our tunnel. (We want to limit the scope of the VPN
connection to safeguard our client as much as possible.)

I also want to ensure that though is permitted to answer our workstations behind fire01, that it is not permitted to see
inside our network - the client doesn't have a need to access our internal
network, and I must protect _our_ security as well.

Lastly, it's got to be seamless. Our machines should see
the development server at on the client side as if it were a machine (let's say for argument's sake, I can
leave that IP open) :-)

I've tried IPsec, but haven't been quite able to get it running.
I've tried various SSH methods with scripts, but either I'm lacking
understanding, or the config isn't right, or... *sigh*

Oh: fire01 is up and running with SuSEfirewall2 - taking that protection
offline is _not_ an option. The fire03 machine behind the PIX is already
being protected by the PIX, so I've got a bit more freedom to play there.

Hopefully someone can help me attack and slay this dragon. I really need a
solution that works.


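As an added example (not from the original post, and not SuSE's or OpenSSH's own code), here is one way to build the SSH-only tunnel the post describes with the restrictions it asks for: on fire03 the `vpn` key is locked down with authorized_keys options so it can only open forwards to the dev server on the SMB ports (`permitopen`), only from fire01 (`from=`), with no shell, pty, agent or X11; on fire01 the forwards are bound to a spare alias address on the office LAN, so the workstations reach the dev server at that address and nothing is exposed outward. Every address in the script is an assumption standing in for the ones missing from the post (documentation ranges): DEVSERVER, FIRE03, FIRE01_PUB (the address fire03 sees the connections come from), VIP, IFACE and the ports 139/445 are all placeholders to adjust. It assumes a reasonably current OpenSSH (a bind address on `-L`, `permitopen`, `ExitOnForwardFailure`) and runs as root on fire01, since it binds privileged ports and adds an address.

```shell
#!/bin/sh
# Added example, not from the original post or from SuSE: an SSH-only "VPN"
# from fire01 to the client's dev server via fire03, restricted at both ends.
# Every address below is an assumption (documentation ranges) standing in for
# the ones elided from the post; adjust them, and run this on fire01 as root.
DEVSERVER="${DEVSERVER:-192.0.2.10}"       # assumed: client's Windows dev server
FIRE03="${FIRE03:-203.0.113.5}"            # assumed: PIX address NATed to fire03:22
FIRE01_PUB="${FIRE01_PUB:-198.51.100.7}"   # assumed: address fire03 sees fire01 as
VIP="${VIP:-10.0.0.250}"                   # assumed: spare address on the office LAN
IFACE="${IFACE:-eth1}"                     # assumed: fire01's inside interface
PORTS="${PORTS:-139 445}"                  # SMB: what file shares and SourceSafe use

contains() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

# Line to install in ~vpn/.ssh/authorized_keys on fire03 for fire01's key.
# The key is only accepted from fire01, gets no shell/pty/agent/X11, and can
# only open forwards to DEVSERVER on the listed ports (permitopen), which is
# what limits the client-side exposure to the one dev server.
vpn_authorized_key() {  # $1 = fire01's public key line ("ssh-rsa AAAA... comment")
  opts="from=\"$FIRE01_PUB\",no-pty,no-X11-forwarding,no-agent-forwarding,command=\"/bin/false\""
  for p in $PORTS; do
    opts="$opts,permitopen=\"$DEVSERVER:$p\""
  done
  printf '%s %s\n' "$opts" "$1"
}

# Audit check: does an authorized_keys line carry every restriction above?
# Returns 0 only if all of them are present; use it on existing keys too.
key_is_restricted() {   # $1 = authorized_keys line
  for want in 'from="' no-pty no-X11-forwarding no-agent-forwarding 'command="' 'permitopen="'; do
    contains "$1" "$want" || return 1
  done
  return 0
}

# ssh invocation for fire01: each port is bound on VIP (not 0.0.0.0), so office
# machines reach the dev server as \\VIP while the forwards face inward only.
# -N: no remote command; -f: background after auth; ExitOnForwardFailure so a
# port collision does not leave a half-working tunnel.
tunnel_cmd() {
  cmd="ssh -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
  for p in $PORTS; do
    cmd="$cmd -L $VIP:$p:$DEVSERVER:$p"
  done
  printf '%s\n' "$cmd vpn@$FIRE03"
}

# Bring the alias address up on the inside NIC and start the tunnel.
apply_tunnel() {
  ip addr add "$VIP/32" dev "$IFACE" 2>/dev/null || true   # idempotent re-runs
  eval "$(tunnel_cmd)"
}

case "${1:-}" in
  apply) apply_tunnel ;;
  key)   vpn_authorized_key "$2" ;;   # e.g. sh tunnel.sh key "$(cat ~/.ssh/id_rsa.pub)"
  *)     tunnel_cmd ;;                # default: just show the ssh command line
esac
```

Two things the script does not do: fire03's sshd must still allow TCP forwarding (the OpenSSH default), and fire01's SuSEfirewall2 must let the office subnet reach the alias address on 139/445 (in the versions I know that is the internal-services list in /etc/sysconfig/SuSEfirewall2, an assumption to verify). The design is deliberately one-directional: there are no `-R` forwards, and fire03 needs no key on fire01 at all, so the client side gains no path into the office network. Windows clients map the dev server as `\\10.0.0.250\share` (the VIP), by address rather than NetBIOS name.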