Networking Forums

VPN requirements

dave
11-26-2008, 05:13 PM
I'm looking for some input on a VPN setup.
I currently have the following configuration and I'm required to set up
a VPN to a specific system on our LAN using an IKE policy.

Internet < -- > DMZ with shorewall firewall < -- > Internal Lan

What should I be looking at to accomplish a VPN to one machine in
my LAN? I'm just looking for some ideas on what I would need to do for
this, and I can dig up the details myself.

Thanks,
Dave
 

Luuk
11-26-2008, 06:22 PM
dave wrote:
> I'm looking for some input on a VPN setup.
> I currently have the following configuration and I'm required to set up
> a VPN to a specific system on our LAN using an IKE policy.
>
> Internet < -- > DMZ with shorewall firewall < -- > Internal Lan
>
> What should I be looking at to accomplish a VPN to one machine in
> my LAN? I'm just looking for some ideas on what I would need to do for

http://en.wikipedia.org/wiki/VPN

> this, and I can dig up the details myself.


happy digging...

>
> Thanks,
> Dave

 

dave
11-26-2008, 07:46 PM
Thanks, but I was looking for more implementation ideas. For example,
OpenVPN on my shorewall firewall, or could I set up a VPN server inside
of my network and then just control the access through shorewall with
rules and such?

On Nov 26, 2:22 pm, Luuk <l...@invalid.lan> wrote:
> dave wrote:
>
> > I'm looking for some input on a VPN setup.
> > I currently have the following configuration and I'm required to set up
> > a VPN to a specific system on our LAN using an IKE policy.
> >
> > Internet < -- > DMZ with shorewall firewall < -- > Internal Lan
> >
> > What should I be looking at to accomplish a VPN to one machine in
> > my LAN? I'm just looking for some ideas on what I would need to do for
>
> http://en.wikipedia.org/wiki/VPN
>
> > this, and I can dig up the details myself.
>
> happy digging...
>
> > Thanks,
> > Dave


 

Tauno Voipio
11-26-2008, 08:01 PM
dave wrote:
> Thanks but I was looking for more implementation ideas. For example,
> OpenVPN on my shorewall firewall or could I setup a VPN server inside
> of my network and then just control the access through shorewall with
> rules and such.


When you're writing the rules, please note that there
are two addresses at each end of the VPN tunnel:
one for the traffic inside the tunnel (the payload),
and another for the outside of the tunnel, connecting
the tunnel ends together.

For OpenVPN, the UDP port 1194 is the default outside
port.

--

Tauno Voipio
tauno voipio (at) iki fi

 

Burkhard Ott
11-27-2008, 06:31 AM
On Wed, 26 Nov 2008 20:01:54 -0800, Dave {Reply Address in.Sig} wrote:

> dave wrote:
> As a general principle, I try to run as little as possible on the
> firewall machine itself to reduce the chance of compromising the whole
> thing. So my solution is to open the relevant port in the firewall and
> direct it to an internal machine which then handles the VPN stuff.
>


What about IPsec with NAT Traversal? You only need to open udp/4500 and
udp/500.
 

Burkhard Ott
11-28-2008, 06:45 AM
On Thu, 27 Nov 2008 20:36:29 -0800, Dave {Reply Address in.Sig} wrote:


> It still needs a machine on the inside of the firewall to act as the VPN
> endpoint.
>


You could terminate the VPN on the firewall, or you need the machine
behind it (I suggest a DMZ network); otherwise you won't be able to establish a
VPN connection.
The other thing I could imagine for a temporary connection would be ssh,
but you also would need a machine to terminate the connection, and it
shouldn't be the firewall itself.

cheers
 

dave
11-28-2008, 03:56 PM
On Nov 28, 2:45 am, Burkhard Ott <n...@derith.de> wrote:
> On Thu, 27 Nov 2008 20:36:29 -0800, Dave {Reply Address in.Sig} wrote:
>
> > It still needs a machine on the inside of the firewall to act as the VPN
> > endpoint.
>
> You could terminate the VPN on the firewall, or you need the machine
> behind it (I suggest a DMZ network); otherwise you won't be able to establish a
> VPN connection.
> The other thing I could imagine for a temporary connection would be ssh,
> but you also would need a machine to terminate the connection, and it
> shouldn't be the firewall itself.
>
> cheers


Since I only need to worry about connecting one machine from outside
to one server on the inside, could I not just set up a RAS connection
on the server (inside) and then dedicate one of my public IPs to the
connection on the outside? Then I could NAT the traffic from that
public IP to the server inside. Does this sound doable or am I missing
something?
 

Burkhard Ott
11-28-2008, 05:33 PM
On Fri, 28 Nov 2008 08:56:43 -0800, dave wrote:

> On Nov 28, 2:45 am, Burkhard Ott <n...@derith.de> wrote:
>> On Thu, 27 Nov 2008 20:36:29 -0800, Dave {Reply Address in.Sig} wrote:
>>
>> > It still needs a machine on the inside of the firewall to act as the VPN
>> > endpoint.
>>
>> You could terminate the VPN on the firewall, or you need the machine
>> behind it (I suggest a DMZ network); otherwise you won't be able to establish a
>> VPN connection.
>> The other thing I could imagine for a temporary connection would be ssh,
>> but you also would need a machine to terminate the connection, and it
>> shouldn't be the firewall itself.
>>
>> cheers
>
> Since I only need to worry about connecting one machine from outside
> to one server on the inside, could I not just set up a RAS connection
> on the server (inside) and then dedicate one of my public IPs to the
> connection on the outside? Then I could NAT the traffic from that
> public IP to the server inside. Does this sound doable or am I missing
> something?


You asked for a VPN solution, right? What you are talking about has nothing
to do with VPN, but it is also possible; there the client only needs a simple
connection to the internet.
In this case you only need a destination NAT rule if the server is in an
RFC 1918 segment.

cheers
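The three points made in the thread (Tauno's two-addresses-per-tunnel-end rule and OpenVPN's default udp/1194; Burkhard's udp/500 + udp/4500 for IPsec with NAT Traversal; and his closing remark that a destination NAT rule is what is needed when the endpoint sits in an RFC 1918 segment) fit together into one small Shorewall rules fragment. The script below is an added example, not code from any poster in the thread or from the Shorewall project: it prints such a fragment for the DMZ-terminated design Burkhard recommends. The zone names (net, dmz, loc), the addresses 10.0.1.10, 10.8.0.0/24 and 192.168.1.20, and the service port 3389 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): print a Shorewall /etc/shorewall/rules
# fragment for the topology discussed above, with the VPN terminating on a DMZ
# host rather than on the firewall. Zone names (net, dmz, loc), addresses and
# the service port are assumptions for illustration.

VPN_HOST="10.0.1.10"       # assumed DMZ endpoint: the tunnel's OUTER address
TUNNEL_NET="10.8.0.0/24"   # assumed tunnel subnet: the clients' INNER addresses
SERVER="192.168.1.20"      # assumed single LAN server the remote client may reach
SERVER_PORT="3389"         # assumed service port on that server

# vpn_rules MODE   (MODE = openvpn | ipsec)
# Emits the rules on stdout; returns 1 on an unknown mode.
vpn_rules() {
    mode="$1"
    echo "#ACTION   SOURCE              DEST                PROTO  DEST PORT(S)"
    case "$mode" in
        openvpn)
            # Outer tunnel: forward only OpenVPN's default UDP port to the DMZ
            # endpoint. DNAT is required because the endpoint has an RFC 1918
            # address; nothing else from 'net' is admitted.
            echo "DNAT      net                 dmz:$VPN_HOST       udp    1194"
            ;;
        ipsec)
            # Outer tunnel with NAT-Traversal: IKE on udp/500 and ESP-in-UDP on
            # udp/4500. Plain ESP (IP protocol 50) is only needed if NAT-T is
            # NOT negotiated; here the endpoint is DNATed, so peers that support
            # NAT-T will detect the NAT and switch to udp/4500.
            echo "DNAT      net                 dmz:$VPN_HOST       udp    500,4500"
            ;;
        *)
            echo "usage: vpn_rules openvpn|ipsec" >&2
            return 1
            ;;
    esac
    # Inner tunnel: decrypted payload packets carry tunnel-subnet source
    # addresses and re-enter the firewall from the DMZ side (the endpoint routes
    # them). Admit exactly one server and one port, then drop and log the rest,
    # so a compromised endpoint or client cannot reach anything else in 'loc'.
    echo "ACCEPT    dmz:$TUNNEL_NET     loc:$SERVER    tcp    $SERVER_PORT"
    echo "DROP:info dmz:$TUNNEL_NET     loc"
}

# Stand-alone use:  sh vpn_rules.sh openvpn >> /etc/shorewall/rules
if [ -n "${1:-}" ]; then
    vpn_rules "$1"
fi
```

Two things the fragment does not do for you: the firewall must know that the tunnel subnet lives behind the DMZ endpoint (a static route such as `10.8.0.0/24 via 10.0.1.10` on the firewall, and the endpoint forwarding between its tunnel interface and the DMZ interface), and the DMZ endpoint itself must only forward tunnel traffic toward that same server, otherwise the firewall's DROP rule is the only thing keeping tunnel clients out of the rest of the LAN. Keeping the tunnel off the firewall, as the thread suggests, only helps if the DMZ endpoint is treated as semi-trusted and constrained this way.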
 