
RE: [Users] Freeswan on Linux as a replacement for SecureRemote.

From: Alan Knipmeyer (Alan.Knipmeyer_at_btlooksmart.net)
Date: Fri Jun 14 2002 - 14:44:34 CEST


Afternoon,

GWHOME is my linux box, which has an ADSL connection running a dynamic
IP. This is my 'perimeter' firewall at home, which runs freeswan. It
has a static ip on the ethernet card to which all traffic gets
translated to/from. I have a second firewall at home which separates
home users (in this case, me&wife ;) from the internet, so the
possibility of accessing internal servers is reduced.

WFUK is the Checkpoint Firewall 1/VPN which I want to connect to and
access the encryption domain, in this case the 192.168.0.0 network.

The problem I have is that I can't keep modifying the policy on WFUK to
allow dynamic IPs from users who could potentially just use
secureremote. I have tested using a static rule and with the current IP
of GWHOME, but this IP will change, and editing the policy on WFUK is an
administration nightmare. What I need is that ipsec0 on the gateway box
creates a vpn to WFUK, allowing WFUK to access the 192.168.0.0 network.

There will be only one ipsec connection per site, which will then be
natted to the internal network.

Re,

Al.

> -----Original Message-----
> From: John A. Sullivan III [mailto:john.sullivan_at_nexusmgmt.com]
> Sent: 14 June 2002 12:58
> To: Alan Knipmeyer
> Cc: users_at_lists.freeswan.org
> Subject: Re: [Users] Freeswan on Linux as a replacement for
> SecureRemote.
>
>
> Sorry to be so dense but once we're on the same page, I think I can
> help. This sounds like a pretty typical scenario. Would you kindly
> clarify what each device is? I see that GWHOME is a Free S/WAN gateway.
> Where is the Checkpoint firewall? Is it WFUK or stealthfw? I assume it
> is WFUK and that it is also running VPN-1 and will be the tunnel end
> point for remote users. Are all the remote users running Linux? Are you
> only going to have one remote IPSec user per home site? - John
>
> Alan Knipmeyer wrote:
>
> >The goal is for users on 10.10.10.0 network (my home lan) access to the
> >192.168.0.0 network (this is the encryption domain), with the checkpoint
> >firewall running in front of it.
> >
> >GWHOME is an ADSL/PPP device running dynamic IP, which will be bound to
> >ipsec0.
> >
> >Re,
> >
> >Al.
> >
> >>-----Original Message-----
> >>From: John A. Sullivan III [mailto:john.sullivan_at_nexusmgmt.com]
> >>Sent: 13 June 2002 20:45
> >>To: Alan Knipmeyer
> >>Cc: users_at_lists.freeswan.org
> >>Subject: Re: [Users] Freeswan on Linux as a replacement for
> >>SecureRemote.
> >>
> >>
> >>Is the goal to allow users on the 192.168.0.0 network to access devices
> >>on the 10.10.0.0 network? - John
> >>
> >>Alan Knipmeyer wrote:
> >>
> >>>Hiya,
> >>>
> >>>Thanks for your response :)
> >>>
> >>>Thankfully at home I have another firewall (Sunscreen EFS running in
> >>>Stealth mode) which separates the LAN from the linux box, so having a
> >>>second firewall is there.
> >>>
> >>>Reading your mail, I understand it as this...
> >>>
> >>>Let's say my work file is 'workfirewalluk' and my home machine is
> >>>'gatewayhome'
> >>>
> >>>i.e.
> >>>
> >>>192.168.0.0-lan-|WFUK|-10.0.0.1-----net-----10.0.2.1-|GWHOME|-/stealthfw/-10.10.0.0
> >>>
> >>>I have freeswan on GWHOME, and I generate a certificate from WFUK which
> >>>I then have a trust on GWHOME ? this will allow me to make a VLAN to
> >>>192.168.0.0, and assuming I configure stealthfw to allow traffic from
> >>>that host through to 10.10.0.0 I can then access it ?
> >>>
> >>>This will be really cool if this is the case !
> >>>
> >>>Any url/tips much appreciated !
> >>>
> >>>Re,
> >>>
> >>>Al.
> >>>
> >>>>-----Original Message-----
> >>>>From: John A. Sullivan III [mailto:john.sullivan_at_nexusmgmt.com]
> >>>>Sent: 13 June 2002 16:40
> >>>>To: Alan Knipmeyer
> >>>>Cc: users_at_lists.freeswan.org
> >>>>Subject: Re: [Users] Freeswan on Linux as a replacement for
> >>>>SecureRemote.
> >>>>
> >>>>
> >>>>I'm not entirely sure that I understand your needs but can you allow all
> >>>>IKE and ESP traffic through the firewall and trust the Free S/WAN
> >>>>gateway to only allow traffic from those who can furnish a valid
> >>>>certificate? It will create some internal routing issues for you and you
> >>>>will not be able to implement access control unless you place another
> >>>>firewall somewhere (either on the Free S/WAN gateway or after it). Hope
> >>>>this helps - John
> >>>>
> >>>>Alan Knipmeyer wrote:
> >>>>
> >>>>>Hi,
> >>>>>
> >>>>>I am looking to setup a 'secure remote' style connection from a Linux
> >>>>>host to a firewall. I have done a static connection, i.e. in the rule
> >>>>>set on the firewall I have configured the linux freeswan host to
> >>>>>connect to the firewall and established a vpn this way.
> >>>>>
> >>>>>The problem with this is that as new users wish to connect from their
> >>>>>linux hosts at home, they will need adding in which is an overhead
> >>>>>compared to users who use the Secure Remote client to connect to the
> >>>>>firewall and authentication is done by way of the client and RADIUS.
> >>>>>
> >>>>>Currently we have a rule which allows Secure Remote users access which
> >>>>>is authenticated via RADIUS, with either a FWZ ( I know Freeswan doesn't
> >>>>>support) or IKE. Is there a way I can enable users who will be
> >>>>>connecting via DSL on dynamic IPs to the firewall using Freeswan and
> >>>>>without adding them into the firewall ruleset ?
> >>>>>
> >>>>>Many thanks in advance.
> >>>>>
> >>>>>Re,
> >>>>>
> >>>>>Al.
> >>>>>
> >>>>>___________________________________________________________________
> >>>>>Alan Knipmeyer - Unix Systems Administrator
> >>>>>BT LookSmart, Elizabeth House, 39 York Road, London, SE1 7NQ. Tel : +44
> >>>>>(0)20 7401 5505
> >>>>>http://www.btlooksmart.com/en/index.html
> >>>>>I sense much NT in you. NT leads to bluescreen, bluescreen leads to
> >>>>>downtime, downtime leads to suffering. NT is the path to the darkside.
> >>>>> Powerful Unix is.
> >>>>>
> >>>>>_______________________________________________
> >>>>>Users mailing list
> >>>>>Users_at_lists.freeswan.org
> >>>>>http://lists.freeswan.org/mailman/listinfo/users
> >>>>>
> >>>>--
> >>>>John A. Sullivan III
> >>>>Group Technology Director
> >>>>Nexus Management
> >>>>+1 207-985-7880
> >>>>john.sullivan_at_nexusmgmt.com
> >>>>
> >>--
> >>John A. Sullivan III
> >>Group Technology Director
> >>Nexus Management
> >>+1 207-985-7880
> >>john.sullivan_at_nexusmgmt.com
> >>
> --
> John A. Sullivan III
> Group Technology Director
> Nexus Management
> +1 207-985-7880
> john.sullivan_at_nexusmgmt.com
>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
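The thread's core problem is accepting peers whose source address changes without editing a per-peer rule for each one. John's suggestion was to let a Free S/WAN gateway terminate the tunnels and rely on certificates rather than on IP addresses. The fragment below is an added illustration written for this archive page, not configuration from the thread or from the FreeS/WAN project, of how that looks in FreeS/WAN 1.9x ipsec.conf syntax with the X.509 patch. It assumes a Free S/WAN gateway in front of the 192.168.0.0/24 encryption domain with the placeholder public address 203.0.113.1, certificate and key file names (gatewayCert.pem, gwhomeCert.pem, gwhomeKey.pem) and certificate subjects that are invented for the example, and a private CA whose certificate has been copied into /etc/ipsec.d/cacerts on both ends. GWHOME is treated as a single host tunnel, matching Alan's "one ipsec connection per site, NATed to the internal network", so no rightsubnet is declared for it.

```conf
# --- Gateway side (the Free S/WAN box that replaces per-IP rules) ---
# Assumed file: /etc/ipsec.conf on the gateway
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        # A peer that reconnects from a new dynamic address replaces its
        # old SA instead of leaving a stale one behind.
        uniqueids=yes

conn %default
        keyingtries=0
        authby=rsasig
        # Both ends prove identity with the RSA key bound to their X.509
        # certificate; no per-peer key needs to be pasted into this file.
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn roadwarrior
        left=203.0.113.1                  # assumed gateway public address
        leftsubnet=192.168.0.0/24         # the encryption domain
        leftcert=gatewayCert.pem          # assumed, in /etc/ipsec.d/
        # %any is what removes the dynamic-IP problem: the peer is
        # identified by its certificate, not by where it connects from.
        right=%any
        # Load the conn and wait for the peer to initiate; the gateway
        # cannot initiate to an address it does not know.
        auto=add

# --- GWHOME side (dynamic ADSL address) ---
# Assumed file: /etc/ipsec.conf on GWHOME
config setup
        interfaces=%defaultroute
        plutoload=%search
        plutostart=%search

conn towork
        left=%defaultroute                # picks up the current PPP address
        leftcert=gwhomeCert.pem           # assumed, in /etc/ipsec.d/
        right=203.0.113.1                 # assumed gateway public address
        rightsubnet=192.168.0.0/24
        rightid="C=GB, O=Example Ltd, CN=gateway"   # assumed subject
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        keyingtries=0
        auto=start                        # GWHOME initiates on boot

# --- GWHOME side: /etc/ipsec.secrets (X.509 patch form) ---
# : RSA gwhomeKey.pem "passphrase-for-the-key-file"
```

Two points a defender should keep in mind with this layout. First, `right=%any` plus `rightrsasigkey=%cert` means any holder of a certificate issued by a CA in /etc/ipsec.d/cacerts is accepted, so certificate issuance and revocation (a CRL dropped into /etc/ipsec.d/crls) become the access list that the firewall rule used to be. Second, as John noted in the thread, the tunnel only authenticates the endpoint; what GWHOME's users may reach inside 192.168.0.0/24 still has to be enforced by a packet filter on the gateway's ipsec0 interface or on a firewall behind it, and the perimeter firewall in front of the gateway needs to pass IKE (UDP port 500) and ESP (IP protocol 50) to it.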



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:14 CEST