On 2004-02-20, Soojin Kim <(E-Mail Removed)> wrote:
> [snipped]
>
> What do I need to do to setup the VPN?
> What do I need to do on the linux firewall using iptables?
>
Get yourself a router that does 'PPP half bridge' (sometimes called ZIPB);
this will then put the real IP address of the router onto a DHCP-enabled
client inside your network.
Much as I love the Netgear boxes, especially as that one runs Linux, I only
do so as a recommendation to our lusers; the last thing I want is their
computers not NATed... people are bad enough with opening attachments they
have been told not to.
My home setup is KAME (Linux 2.6.x required) and rp-L2TP. For the VPN you
will need to play with IPSec+L2TP. I only recently got my setup working, but
to save you lots of time, make sure you plan on giving out static addresses to
your VPNed 'satellite' clients and you use rp-l2tpd (as opposed to the
horrible 'l2tpd', which is as buggy as anything).
Then you can simply use my /etc/l2tp/l2tp.conf file as an example and dish
out SSL client certificates (X.501) to your windoze box. I use the
approach that the certificate authorises the machine to talk to the network;
then you use CHAP to authorize what IP address you want
(/etc/ppp/chap-secrets).
An interesting thing with this approach is that you can export real IP
addresses anywhere you want, and even if you are NATed on the other side of
the world you can still have the same real IP address (without having to
have any 'relay' IP addresses being wasted).
The IPSec side of things is much more straightforward: the one entry works for
everyone and you forget about it. I will leave it to you to play with
certificate generation; the relevant links are below.
Have fun
Alex
[1] http://www.ipsec-howto.org/x247.html (KAME 2.6.x)
[2] http://www.ipsec-howto.org/x507.html (certificates)
[3] http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
------------------ /etc/l2tp/l2tp.conf (1.2.3.4 is your server's real IP)
# Global section (by default, we start in global mode)
global
    # Load handlers
    load-handler "sync-pppd.so"
    load-handler "cmd.so"
    # Bind address
    listen-port 1701

# Configure the sync-pppd handler. You MUST have a "section sync-pppd" line
# even if you don't set any options.
section sync-pppd
    lns-pppd-opts "require-chap <realip>: lcp-echo-interval 30 lcp-echo-failure 6"
    lac-pppd-opts "name <hostname> noipdefault ipcp-accept-local ipcp-accept-remote lcp-echo-interval 30 lcp-echo-failure 6 file /etc/l2tp/ppp.options"

# Peer section
section peer
    peer 0.0.0.0
    mask 0
    hostname <hostname>
    port 1701
    lac-handler sync-pppd
    lns-handler sync-pppd
    hide-avps yes

# Configure the cmd handler. You MUST have a "section cmd" line
# even if you don't set any options.
section cmd
-----------------
----------------- /etc/l2tp/ppp.options
lock
noauth
#debug
dump
logfd 2
logfile /var/log/l2tpd.log
nodetach
noccp
novj
novjccomp
nopcomp
noaccomp
------------------
------------------ /etc/ppp/chap-secrets
# Secrets for authentication using CHAP
# client server secret IP addresses
#
# dd if=/dev/urandom bs=1 count=32 2>/dev/null | uuencode -m - (remove the ending '=')
#
# public IP's
<client 1> <servername> <passphrase> <ip one>
# internal IP's (10.0.254.0/24) - catchall
<client 2> <servername> <passphrase> <ip two>
-------------------
------------------- /etc/racoon/racoon.conf (relevant section)
remote anonymous {
        # exchange_mode main, aggressive, base; uncomment this for Windows only.
        # Linux does not do aggressive mode and requires a different phase 1
        # proposal.
        exchange_mode main, base;
        #passive on;
        verify_cert on;
        generate_policy on;
        proposal_check obey;
        doi ipsec_doi;
        situation identity_only;
        certificate_type x509 "host-cert.pem" "host-key.pem";
        my_identifier asn1dn;
        proposal {
                # Windows 2000, Cisco, others
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group 1;
        }
        proposal {
                # Linux FreeS/WAN, more paranoid clients.
                # Delete if you are dealing with Windows only
                # and enable aggressive mode.
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;
        }
}

# The original had a stray second '{' here, which racoon rejects; one brace opens the block.
sainfo anonymous {
        #pfs_group 2;
        encryption_algorithm aes, blowfish, 3des, des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
-------------------
------------------- /etc/ipsec.conf
#!/usr/local/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;
### security policies for racoon
spdadd <hostip>[1701] 0.0.0.0/0 any -P out ipsec
esp/transport//require;
spdadd 0.0.0.0/0 <hostip>[1701] any -P in ipsec
esp/transport//require;
-------------------
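Before reusing a racoon.conf like the one above, it is worth checking which phase 1 proposals and phase 2 (sainfo) algorithms it still offers. The following is an added example, not part of Alex's post or of racoon itself: a small Python audit that parses the `proposal { ... }` and `sainfo { ... }` blocks and flags single DES, MD5/HMAC-MD5, DH group 1 and a missing `pfs_group`; the sample configuration is a constructed copy of the post's algorithm sections, and the list of what counts as weak is the editor's judgement, not racoon's.

```python
import re
# Constructed sample (not a live config): the post's racoon.conf algorithm
# sections, with the stray brace in the sainfo block removed.
SAMPLE_RACOON_CONF = """
remote anonymous {
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        dh_group 1;
    }
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method rsasig ;
        dh_group 2;
    }
}
sainfo anonymous {
    #pfs_group 2;
    encryption_algorithm aes, blowfish, 3des, des;
    authentication_algorithm hmac_sha1, hmac_md5;
}
"""
# Settings a reviewer would flag (editor's list): single DES, MD5/HMAC-MD5, 768-bit MODP (group 1).
WEAK = {"encryption_algorithm": {"des"}, "hash_algorithm": {"md5"},
        "authentication_algorithm": {"hmac_md5"}, "dh_group": {"1"}}

def parse_block(body):
    """Lines of one `{ ... }` body -> {option: [values]}; comments and ';' dropped."""
    opts = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if line:
            key, _, value = line.partition(" ")
            opts[key] = [v.strip() for v in value.split(",") if v.strip()]
    return opts

def audit_racoon(conf):
    """Return (section, option, value) for each weak setting, plus a PFS check on sainfo."""
    # Phase-1 proposals are the innermost braces, so [^}]* captures exactly one body.
    blocks = [(f"proposal {n}", b) for n, b in
              enumerate(re.findall(r"\bproposal\s*\{([^}]*)\}", conf), 1)]
    blocks += [("sainfo", b) for b in re.findall(r"\bsainfo\b[^{]*\{([^}]*)\}", conf)]
    findings = []
    for section, body in blocks:
        opts = parse_block(body)
        findings += [(section, k, v) for k, vals in opts.items()
                     for v in vals if v in WEAK.get(k, ())]
        if section == "sainfo" and "pfs_group" not in opts:
            findings.append((section, "pfs_group", "missing (no PFS)"))
    return findings
```

Run against the sample, the first (Windows 2000) proposal and the sainfo block each produce findings, while the AES/SHA-1/group 2 proposal passes clean.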