Re: [Users] config question, checkpoint firewall, client behind linux ipmasq

From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Nov 13 2002 - 09:58:16 CET


On Wed, 13 Nov 2002, michael verrilli wrote:

> I am trying to vpn to the office. They are running a Checkpoint firewall.
> The administrator gave me a username and password, and the ip address of the
> firewall. I was also given a link to download the SecureRemote vpn
> software. However, I run linux at home (gentoo on my workstation), behind a
> linux firewall which does ip-masquerading. No keys were given to me to use.

It sounds as if they're running a shared-secret authentication scheme for
their Roadwarriors. The IPSec protocols only allow for one PSK roadwarrior
connection to be defined, unless Aggressive mode is used; FreeS/WAN doesn't
support Aggressive mode, as it is insecure (ID information is exchanged in the
clear, and this allows for man-in-the-middle attacks).

FreeS/WAN doesn't support Aggressive mode; there is a patch for FreeS/WAN
1.5 kicking around; you can check www.freeswan.ca if you're curious.

Now, if you are running a dynamic DNS service on your machine, perhaps the
Checkpoint administrator can make an individual connection for you based on
your Dynamic DNS FQDN. (i.e., you would be mimicking a static-static shared
secrets connection, which sidesteps the issues mentioned above.)

As well, realize that 192.168.0.0/16 covers the entire class C other users
might be using for NAT. You may want to renumber and/or restrict the network
definition down to a /24 to play well with the Checkpoint.

>
>        HOME         dynamicip                77.77.77.77     WORK
>   -------------     ---------                -----------
>   |Workstation |----|Firewall|---- <ISP> ----|Checkpoint|---[10.x.x.x]
>   -------------     ---------                -----------
>    192.168.0.2      192.168.0.1
>
> My internal network is the 192's... the work internal net is 10's. My
> firewall has an external ip which is dynamic (although I have a dyndns
> account), and for argument's sake, the work external ip is 77.77.77.77. I
> want to access the 10.x.x.x network from my Workstation.
>
> So, I gave this a try, putting these connection settings in:
> left=192.168.0.2
> leftsubnet=192.168.0.0/16
> leftnexthop=192.168.0.1
> right=77.77.77.77
> rightsubnet=10.0.0.0/8
>
> I have no idea what to do with my name and password. I also do not know if
> I need to add settings to my firewall.

At minimum, you need to allow UDP 500 (IKE) traffic, and protocol 50 and/or
51; take a look at doc/firewall.html.

Also, you'll want to exempt packets travelling to the 10.0.0.0/8 subnet from
NAT.

http://lists.freeswan.org/pipermail/users/2002-August/012920.html

--
Sam Sgro
sam_at_freeswan.org


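As an added example (not part of the original thread or of FreeS/WAN's own documentation), here is a dry-run generator for the two firewall-side points in the reply: pass IKE on UDP 500 plus ESP (protocol 50) and AH (protocol 51), and keep traffic for 10.0.0.0/8 out of masquerading. It assumes the IPsec host is the workstation 192.168.0.2, the external interface is eth0, and the home LAN has been narrowed to 192.168.0.0/24 as suggested above; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Dry-run iptables rule generator for the masquerading Linux firewall in
# front of a FreeS/WAN host. Assumed values (adjust to your own network):
LAN=192.168.0.0/24      # home LAN, narrowed to a /24 as the reply suggests
IPSEC_HOST=192.168.0.2  # workstation running FreeS/WAN
EXT_IF=eth0             # firewall's external interface
PEER=77.77.77.77        # Checkpoint gateway at the office
REMOTE_NET=10.0.0.0/8   # office internal network reached through the tunnel

# Filter rules: IKE (UDP 500) and the ESP/AH carriers between host and peer.
ipsec_fw_rules() {
    echo "iptables -A FORWARD -p udp -s $IPSEC_HOST -d $PEER --sport 500 --dport 500 -j ACCEPT"
    echo "iptables -A FORWARD -p udp -s $PEER -d $IPSEC_HOST --sport 500 --dport 500 -j ACCEPT"
    for proto in 50 51; do   # 50 = ESP, 51 = AH
        echo "iptables -A FORWARD -p $proto -s $IPSEC_HOST -d $PEER -j ACCEPT"
        echo "iptables -A FORWARD -p $proto -s $PEER -d $IPSEC_HOST -j ACCEPT"
    done
}

# NAT rules: the exemption for the office network must be appended BEFORE the
# MASQUERADE rule, since POSTROUTING takes the first matching rule.
ipsec_nat_rules() {
    echo "iptables -t nat -A POSTROUTING -s $LAN -d $REMOTE_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j MASQUERADE"
}

# Returns 0 when the exemption precedes the MASQUERADE rule, 1 otherwise.
nat_order_ok() {
    ipsec_nat_rules | awk '
        /-j MASQUERADE/ && !masq   { masq = NR }
        /-j ACCEPT/     && !exempt { exempt = NR }
        END { exit (exempt && (!masq || exempt < masq)) ? 0 : 1 }'
}

# Print the complete rule set; review it, then apply with:  sh thisfile.sh | sh
ipsec_fw_rules
ipsec_nat_rules
```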



This archive was generated by hypermail 2.1.5 : Fri Nov 15 2002 - 05:20:49 CET