Mailinglist Archive: opensuse-security (757 mails)

Further to my Free S/WAN problem...
  • From: "Argentium G. Tiger" <agtiger@xxxxxxxxx>
  • Date: Sun, 20 Jan 2002 09:05:22 -0600
  • Message-id: <5.1.0.14.2.20020120084900.03bea530@xxxxxxxxxxxxxxxxxxxx>
I thought I'd take a step back from the problem and describe exactly what
it is that I'm trying to accomplish.

What we've got is an office of PCs that are running Windows 2000 Professional
inside of VMWare on top of SuSE Linux 7.3. This is rather amusing, watching
W2K run "in jail" and it has no idea. :-) We're developing for a client
in W2K, which is why we're running it at all. (Money's gotta come in from
somewhere.) ;-)

The office runs on a private subnet of 192.168.1.0/24.

At the front end of this office is a SuSE 7.3 box running SuSEfirewall2 2.1.
Its name is fire01.

We have a DSL connection at the front of this office which comes into a
router of 1.2.3.73. Our firewall sits at 1.2.3.74 and gateways to 1.2.3.73.
(No, those aren't real addresses) ;-)


Okay, that describes the office.

Now over to the client's site:

They have a CISCO Pix Firewall with a bank of addresses. Currently, an
address of 5.6.7.220 is bound to an internal address of 10.100.0.26, and
only port 22 tcp (SSH) is allowed through.

10.100.0.26 is a SuSE 7.3 box which will be (but is not yet) running
SuSEfirewall2 2.1. It only has one NIC card, and I'll explain why here
in a bit. Its name is fire03.

Another machine on the inside is 10.100.0.17, which is a Windows based
development server offering file storage and Microsoft SourceSafe storage
of the source code we'd like direct access to from our 192.168.1.0/24
subnet at our office, hidden behind 1.2.3.74/32.

So that brings me to the problem at hand:

I need a securely encrypted connection between fire01 and fire03.

I have this so far using SSH. I have created a user called 'vpn' on both
fire01 and fire03, and they have cross-permitted public RSA keys and can ssh
back and forth at will (without passwords). Similarly, I've set this up
for the root accounts.

What I want to accomplish is a secure connection between fire01 at 1.2.3.74
and fire03 at 10.100.0.26, already behind the Pix at 5.6.7.220, such that
the machines behind fire01 at 192.168.1.0/24 can see the Microsoft development
server at 10.100.0.17 on the client's network.

I want to be able to use SuSEfirewall2 on both sides to ensure that ONLY
10.100.0.17 has permissions to talk through fire03, and that only 10.100.0.17
is reachable through our tunnel. (We want to limit the scope of the VPN
connection to safeguard our client as much as possible.)

I also want to ensure that, though 10.100.0.17 is permitted to answer our
192.168.1.0/24 workstations behind fire01, it is not permitted to see
inside our network - the client doesn't have a need to access our internal
network, and I must protect _our_ security as well.

Lastly, it's got to be seamless. Our 192.168.1.0/24 machines should see
the development server at 10.100.0.17 on the client side as if it were a
192.168.1.0/24 machine (let's say 192.168.1.17 for argument's sake, I can
leave that IP open) :-)

I've tried IPSEC, but haven't been quite able to get it running.
I've tried various SSH methods with scripts, but either I'm lacking
understanding, or the config isn't right, or... *sigh*

Oh: fire01 is up and running with SuSEfirewall2 - taking that protection
offline is _not_ an option. The fire03 machine behind the Pix is already
being protected by the pix so I've got a bit more freedom to play there.

Hopefully someone can help me attack and slay this dragon. I really need a
solution that works.

Argentium
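The scope-limiting policy the post asks for, written out as plain iptables rules rather than SuSEfirewall2 configuration. This is an added example, not from the original post or from the SuSEfirewall2 project; it assumes a tunnel interface name (ipsec0), eth1 as fire01's inside interface, and a constructed tunnel-side address for fire01 (10.255.255.1). The functions only print the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example: print the firewall rules that confine the tunnel to one host
# in each direction. Addresses are those given in the post, except FIRE01_TUN,
# which is a constructed placeholder for fire01's tunnel-side address.
OFFICE_NET=192.168.1.0/24               # our workstations behind fire01
ALIAS_IP=192.168.1.17                   # local alias standing in for the dev server
DEV_SERVER=10.100.0.17                  # the only client host we may reach
FIRE03_IP=10.100.0.26                   # fire03's single NIC
FIRE01_TUN=${FIRE01_TUN:-10.255.255.1}  # assumed: fire01's address inside the tunnel
TUN=${TUN:-ipsec0}                      # assumed: interface carrying tunnel traffic
LAN=${LAN:-eth1}                        # assumed: fire01's inside interface

fire01_rules() {
  # fire01 owns 192.168.1.17 itself, so workstations need no route changes.
  echo "ip addr add $ALIAS_IP/32 dev $LAN"
  # Rewrite the alias to the real server, then hide our internal addresses
  # behind fire01 so the client side only ever sees the tunnel endpoint.
  echo "iptables -t nat -A PREROUTING -i $LAN -d $ALIAS_IP -j DNAT --to-destination $DEV_SERVER"
  echo "iptables -t nat -A POSTROUTING -o $TUN -d $DEV_SERVER -j SNAT --to-source $FIRE01_TUN"
  # Only office -> dev server may open a connection; only its replies come back.
  echo "iptables -A FORWARD -i $LAN -o $TUN -s $OFFICE_NET -d $DEV_SERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $TUN -o $LAN -s $DEV_SERVER -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # Everything else crossing the tunnel is dropped: the client cannot reach 192.168.1.0/24.
  echo "iptables -A FORWARD -i $TUN -j DROP"
  echo "iptables -A FORWARD -o $TUN -j DROP"
}

fire03_rules() {
  # fire03 has one NIC: SNAT to its own address so the dev server replies via
  # fire03 without needing a route for the tunnel addresses.
  echo "iptables -t nat -A POSTROUTING -s $FIRE01_TUN -d $DEV_SERVER -j SNAT --to-source $FIRE03_IP"
  # Tunnel traffic may reach the dev server only; replies go back, nothing else.
  echo "iptables -A FORWARD -i $TUN -s $FIRE01_TUN -d $DEV_SERVER -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -o $TUN -s $DEV_SERVER -d $FIRE01_TUN -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $TUN -j DROP"
  echo "iptables -A FORWARD -o $TUN -j DROP"
}

# Usage: sh tunnel-rules.sh fire01 | sh   (or fire03 on the client side)
case "${1:-}" in
  fire01) fire01_rules ;;
  fire03) fire03_rules ;;
esac
```

Piping the output into sh applies the rules; running it without the pipe lets you read them first.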

