From: Serge La Chance (slachance_at_onesystem.ca)
Date: Wed Oct 30 2002 - 01:26:15 CET
To whomever may help me,
My setup:
Win2K --> Internet --> Gateway --> VPN Tunnel over the internet -->
Roadwarriors (ssh servers)
I am trying to ssh to my Roadwarriors on the web who are assigned dynamic
addresses. I was trying to accomplish this by initiating an ssh connection
to the specific ports on my gateway. Then port forwarding these ports to the
internal addresses of my Roadwarriors on port 22.
My goal is to simulate my Roadwarriors to have static addresses.
I am trying to accomplish this on a RedHat 6.2 with kernel version 2.2.19
running FreeSwan 1.9, ipchains and ipmasqadm. I have it working for the
machines that are connected via the LAN and also via direct PPP. But
unfortunately I cannot establish a connection to my Roadwarriors. My current
configuration allows me to ssh from the gateway to the Roadwarriors and vice
versa via the internal addresses.
My suspicion is the VPN is dropping the packets since it recognizes the
source address is not within its subnet. I came to this conclusion when I
did a tcpdump on the ipsec0 interface at both the gateway and on a
Roadwarrior. I found the packets were hitting the ipsec0 at the gateway but
not passing through to the Roadwarrior.
I am unsure which direction I should be attacking this problem and need
guidance on an approach. I have been researching this issue for a week with no
useful solution in sight. The only possibility I have seen but dislike is
upgrading the kernel at my gateway, converting my rules to use iptables, using
SNAT to masq my source address and then port forwarding to the appropriate
machine. This solution is not viable since the main software that also runs
on the machine is not certified for a newer kernel.
I would like to find a solution that won't involve kernel recompilation or
upgrade. The solution must provide a similar configuration on the Win2k box
between these various connection types (VPN, PPP & LAN) to allow file
transfers and remote commands to be issued. Another preference would be to
have minimal trust between the Win2k box and the target machine.
Does anybody have any ideas?
Guidance request,
Serge La Chance
Support Technician
oneSystem Inc.
(780) 413-8399
slachance_at_onesystem.ca
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
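A worked illustration of the suspicion in the post above (added here; it is neither Serge's configuration nor FreeS/WAN's own code): it parses a constructed ipsec.conf `conn` block and checks whether a port-forwarded SSH packet falls inside the tunnel's selectors, with and without source NAT to the gateway's LAN address. The conn name, subnets and all addresses are assumed values.

```python
from ipaddress import ip_address, ip_network

# Constructed ipsec.conf fragment in FreeS/WAN syntax (assumed values).
IPSEC_CONF = """\
conn roadwarrior
    left=203.0.113.1
    leftsubnet=192.168.1.0/24
    right=%any
    rightsubnet=10.0.0.0/24
"""


def parse_conn(text, name):
    """Return the key=value settings of one 'conn <name>' block."""
    settings, active = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            active = stripped.split(None, 1)[1] == name
        elif active and "=" in stripped:
            key, _, value = stripped.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def tunnel_carries(conn, src, dst):
    """True if src->dst matches the tunnel selectors (leftsubnet -> rightsubnet).

    Models the eroute lookup on the gateway: only a packet whose source and
    destination both match the negotiated subnets is encapsulated; anything
    else routed to ipsec0 has no tunnel and is dropped, which is consistent
    with packets reaching ipsec0 at the gateway but never the far end.
    """
    return (ip_address(src) in ip_network(conn["leftsubnet"])
            and ip_address(dst) in ip_network(conn["rightsubnet"]))


def forwarded_packet_fate(conn, client_src, roadwarrior, gateway_lan_ip, snat=False):
    """Outcome for a port-forwarded SSH packet, with or without source NAT.

    Without SNAT the packet keeps the Internet client's source address, which
    lies outside leftsubnet; with SNAT it carries the gateway's LAN address.
    """
    src = gateway_lan_ip if snat else client_src
    return "carried" if tunnel_carries(conn, src, roadwarrior) else "dropped"


if __name__ == "__main__":
    conn = parse_conn(IPSEC_CONF, "roadwarrior")
    print("from gateway LAN:", forwarded_packet_fate(conn, "192.168.1.1", "10.0.0.5", "192.168.1.1"))
    print("forwarded, no SNAT:", forwarded_packet_fate(conn, "203.0.113.7", "10.0.0.5", "192.168.1.1"))
    print("forwarded, SNAT:", forwarded_packet_fate(conn, "203.0.113.7", "10.0.0.5", "192.168.1.1", snat=True))
```

The third case is why the SNAT-based workaround mentioned in the post would pass the selector check: the tunnel only ever sees a source inside its own leftsubnet.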
This archive was generated by hypermail 2.1.5 : Wed Oct 30 2002 - 05:20:34 CET