
[ale] IPSec VPN?

"Robert L. Harris" wrote:
>   Just started at a new company about 2 weeks ago.  It turns out they have
> a nice IPSec based firewall and a nice cute little package for windows
> ppl.  I ask the guy managing it for some more details and he goes "eh,
> here's the windows stuffs, good luck with linux..."  Great.
>   I'm behind a masq'ing firewall at home and am wondering if anyone has
> any good starting points or theories so I can get something working to
> connect from home?

I'm in a very similar position. I'm trying to talk to a Cisco PIX via
IPSec, but all I have to work from is the Cisco Windows SecureNet client
and its configuration data, some of which is in (apparently) an
undocumented proprietary format.

I'm working on a bizarre angle: I have the Windows client on my NT box
behind a NAT/masq firewall (OpenBSD, not Linux, but same thing).
So I think I can run my Windows client in "tunnel" mode,
point it at my OpenBSD box, and set up an SSH session to forward the
IPSec packets between my firewall and the PIX on the other end of the
VPN. Of course, this will suck, since everything will be encrypted
twice, once by SSH and once by the Cisco stuff. But it will allow me
to use the corporate VPN via the cable modem, rather than via dialup,
which is what I've had to do in the past.

I'm not sure if this is actually going to work, but I can't see why
it won't. Of course, you can't masquerade IPsec packets, because the
firewall doesn't know how to compute the checksums appropriately,
since they're encrypted with a key the masq firewall doesn't know (I
think), but forwarding packets without masquerading them should not
cause any trouble. I'll let you know how it goes.

-- Joe

-- Joseph A. Knapka
"If I ever get reincarnated... let me make certain I don't come back
 as a paperclip." -- protagonist, H Murakami's "Hard-boiled Wonderland"
// Linux MM Documentation in progress:
// http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
* Evolution is an "unproven theory" in the same sense that gravity is. *
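The masquerading problem Joe runs into, as an added example that is not code from the original thread: a toy model in Python of what a masquerading (NAPT) firewall can and cannot do to AH and ESP packets. Addresses, keys and packets are constructed for the demonstration, and the header layouts are simplified from RFC 2402 (AH) and RFC 2406 (ESP), using HMAC-SHA1-96 with no IP options or fragments. The Masquerader class, demo() and the result keys are names assumed for this example only.

```python
"""Toy model of why a masquerading NAT cannot handle IPsec traffic.

AH's integrity check covers the immutable fields of the outer IP header,
so rewriting the source address invalidates the ICV.  ESP authenticates
only the ESP header and payload, so the rewrite itself survives, but
neither protocol carries a transport port: the only per-flow field is
the SPI, which belongs to the two IPsec peers, not to the NAT.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

PROTO_TCP = 6
PROTO_ESP = 50
PROTO_AH = 51


@dataclass(frozen=True)
class IPv4:
    src: str
    dst: str
    proto: int
    ttl: int = 64

    def ah_covered_bytes(self) -> bytes:
        # The part of the outer header AH authenticates: immutable fields only.
        # Mutable fields (TTL, checksum) are zeroed for the computation.
        # Simplified from RFC 2402 section 3.3.3.1.
        return (struct.pack("!BB", 0x45, self.proto)
                + ipaddress.IPv4Address(self.src).packed
                + ipaddress.IPv4Address(self.dst).packed)


@dataclass(frozen=True)
class Packet:
    ip: IPv4
    spi: int = 0        # AH/ESP security parameter index
    seq: int = 0        # AH/ESP sequence number
    sport: int = 0      # TCP only
    dport: int = 0      # TCP only
    body: bytes = b""   # TCP data, ESP ciphertext, or AH-protected payload
    icv: bytes = b""    # AH/ESP integrity check value


def _hmac96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()[:12]  # HMAC-SHA1-96


def ah_icv(key: bytes, pkt: Packet) -> bytes:
    # Covers immutable IP header fields + AH header (ICV field zeroed) + payload.
    ah_hdr = struct.pack("!BBHII", PROTO_TCP, 4, 0, pkt.spi, pkt.seq) + bytes(12)
    return _hmac96(key, pkt.ip.ah_covered_bytes() + ah_hdr + pkt.body)


def esp_icv(key: bytes, pkt: Packet) -> bytes:
    # Covers the ESP header and ciphertext only; the outer IP header is excluded.
    return _hmac96(key, struct.pack("!II", pkt.spi, pkt.seq) + pkt.body)


def build_ah(key: bytes, ip: IPv4, spi: int, seq: int, payload: bytes) -> Packet:
    p = Packet(ip=replace(ip, proto=PROTO_AH), spi=spi, seq=seq, body=payload)
    return replace(p, icv=ah_icv(key, p))


def build_esp(key: bytes, ip: IPv4, spi: int, seq: int, ciphertext: bytes) -> Packet:
    p = Packet(ip=replace(ip, proto=PROTO_ESP), spi=spi, seq=seq, body=ciphertext)
    return replace(p, icv=esp_icv(key, p))


def verify(key: bytes, pkt: Packet) -> bool:
    """Receiver-side integrity check, as the far end of the SA would do it."""
    if pkt.ip.proto == PROTO_AH:
        return hmac.compare_digest(pkt.icv, ah_icv(key, pkt))
    if pkt.ip.proto == PROTO_ESP:
        return hmac.compare_digest(pkt.icv, esp_icv(key, pkt))
    raise ValueError("not an IPsec packet")


class Masquerader:
    """Minimal NAPT: rewrites the source address and, for TCP, the source port."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.next_port = 61000
        self.table = {}  # public source port -> (inside address, inside port)

    def outbound(self, pkt: Packet):
        ip = replace(pkt.ip, src=self.public_ip, ttl=pkt.ip.ttl - 1)
        if pkt.ip.proto == PROTO_TCP:
            port = self.next_port
            self.next_port += 1
            self.table[port] = (pkt.ip.src, pkt.sport)
            return replace(pkt, ip=ip, sport=port), port
        # AH/ESP: the address can be rewritten, but there is no port for the
        # NAT to allocate, so return traffic cannot be mapped back per host.
        return replace(pkt, ip=ip), None


def demo() -> dict:
    key = b"\x01" * 20  # constructed SA key, known only to the two IPsec peers
    inside = IPv4(src="192.168.1.10", dst="203.0.113.5", proto=0)
    nat = Masquerader("198.51.100.7")

    ah = build_ah(key, inside, spi=0x100, seq=1, payload=b"GET / HTTP/1.0")
    ah_natted, ah_map = nat.outbound(ah)
    esp = build_esp(key, inside, spi=0x200, seq=1, ciphertext=b"\xde\xad\xbe\xef")
    esp_natted, esp_map = nat.outbound(esp)
    tcp = Packet(ip=replace(inside, proto=PROTO_TCP), sport=40000, dport=22, body=b"SSH-2.0")
    _, tcp_map = nat.outbound(tcp)

    return {
        "ah_ok_before_nat": verify(key, ah),
        "ah_ok_after_nat": verify(key, ah_natted),
        "esp_ok_after_nat": verify(key, esp_natted),
        "ah_port_mapping": ah_map,
        "esp_port_mapping": esp_map,
        "tcp_port_mapping": tcp_map,
    }
```

Running demo() shows AH failing verification once the source address is rewritten, ESP still verifying because its ICV never covered the outer header, and neither protocol giving the NAT a port to map, which is why plain forwarding of the packets (no address rewrite) is the workable option. One caveat on the SSH part of the plan: ssh port forwarding carries only TCP streams, so ESP (IP protocol 50) and IKE (UDP port 500) cannot ride inside an ssh -L forward without an additional encapsulation layer.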