Re: [fw-wiz] Newbie VPN setup/configuration question

From: Dave Piscitello (dave@corecom.com)
Date: 07/18/02


From: Dave Piscitello <dave@corecom.com>
To: Tony Howlett <thowlett@netsecuritysvcs.com>, Kathy Bieltz <kbieltz@hal-pc.org>
Date: Thu Jul 18 10:43:01 2002

SonicWall does work with other vendor VPN appliances. We have several
running in a multi-vendor test network we use to teach VPNs at
Networld/Interop, etc. The other vendor equipment includes CheckPoint,
WatchGuard, Netscreen, and the products formerly known as the Nokia
CryptoCluster (abandoned product line) and RapidStream (acquired by
WatchGuard).

The *trick* with multi-vendor VPNs is matching IKE and IPsec policies both
ends support. We've been successful with SonicWall and other vendor
equipment when we use IKE (pre-shared secrets, Diffie Hellman Group 2,
SHA1, 3DES, Perfect Forward Secrecy, 8 hour lifetime) and IPsec (ESP, SHA1,
3DES). There is at least one documented bug in the SonicWall GUI that can
throw you for a loop when you go the multivendor route, so visit the
support site.

SonicWall OEMs the SafeNet VPN client. This is a win32 software package and
it's a very clean install. WatchGuard and Netscreen also OEM this client,
as do several other VPN vendors.

You can get a Free S/WAN client, open source and executables, for Linux.
I don't know of anyone who's tried this with a SonicWall, but check first
that you can configure the IKE and IPsec SA parameters I suggested above. I
know Free S/WAN supports raw public keys - Sonic does not, so crawl before
you walk.

Frankly, you'd probably spend less time creating a Win32 partition (dual
boot) on your husband's Linux box, or (better) install the SafeNet VPN
client on another Win32 machine in your house, and have him use SAMBA to
mount and transfer files between his linux machine and the VPN client.

At 08:17 PM 7/17/2002 -0500, Tony Howlett wrote:
>Kathy,
>
>Since the Sonicwall uses an IPSec VPN, it is in theory possible to get some
>software based VPN software for the linux box that will interoperate; in
>reality, probably more trouble than it is worth. Sonicwall claims to be
>compatible with some major brands such as Firewall1 and raptor but I've
>never tried to make this work. I seriously doubt if they will support any
>of the lower end consumer based firewalls or anything that runs on
>linux. Sorry to be the bearer of bad news but I work with Sonicwall a lot
>and they seem to only work with their own firewall VPN boxes. Just
>thought I'd save you a lot of sweat and heartache.
>
>PS. Since work is requiring the VPN connection, why won't they spring
>for the VPN router? Sonicwall has a low end telecommuter model for about
>$500 that will do the job.
>
>Good Luck!
>
>At 01:10 PM 7/17/2002 -0500, you wrote:
>>Hi,
>>
>>My husband's work has installed a SonicWALL firewall,
>>previously they were using a Linux system for their firewall.
>>
>>My husband was previously able to log into work via our
>>DSL connection at home through a hole in the firewall
>>set up for his static IP.
>>
>>The new sys admin would like us to ideally get a SonicWALL
>>firewall with VPN tunneling at home so we could use a VPN
>>connection to get into work. But I'd like to avoid spending
>>the money if possible.
>>
>>At home we have an SMC7004ABR Barricade router
>>that is capable of VPN pass through. Is it possible to
>>set up some VPN software on the Linux box my husband
>>uses at home to launch a VPN connection with his work.
>>The other PC's on our home network would still use
>>TCP/IP and I'd like to use TCP/IP on my husband's
>>Linux box when he is not logged into his work to surf
>>the net and download updates to his operating system?
>>
>>Is this possible? If so, pointers to documents and VPN
>>software that would allow me to do this would be
>>appreciated.
>>
>>Thanks!
>>Kathy Bieltz
>>
>>
>>
>>
>>_______________________________________________
>>firewall-wizards mailing list
>>firewall-wizards@honor.icsalabs.com
>>http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
>

David M. Piscitello
Core Competence, Inc. &
3 Myrtle Bank Lane
Hilton Head, SC 29926
dave@corecom.com
843.689.5595
www.corecom.com
hhi.corecom.com/~yodave/
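The "trick" Dave describes, matching IKE and IPsec policies at both ends, can be
checked on paper before touching either box. The following is an added example
(not code from this thread, from SonicWall, or from FreeS/WAN) that models each
peer's Phase 1 and Phase 2 transform lists and reports where they overlap or,
when they do not, which attribute (auth method, DH group, PFS, ...) is the one
that disagrees. The peer definitions are constructed: the "sonicwall" side uses
the parameter set recommended above, the "freeswan", "no-pfs" and "rsa-only"
peers are hypothetical and only exist to show how a mismatch surfaces.

```python
"""Check two IPsec peers' IKE Phase 1 / IPsec Phase 2 proposals for overlap.

Added example for the firewall-wizards thread, not vendor code. All peer
definitions at the bottom are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Phase1:
    """One IKE (ISAKMP SA) transform a peer will accept in Phase 1."""
    auth: str          # "psk" (pre-shared secret) or "rsasig" (RSA key / cert)
    encryption: str    # "3des", "des", "aes128", ...
    hash: str          # "sha1" or "md5"
    dh_group: int      # 1 = 768-bit MODP, 2 = 1024-bit, 5 = 1536-bit
    lifetime_s: int    # SA lifetime in seconds


@dataclass(frozen=True)
class Phase2:
    """One IPsec SA transform a peer will accept in Phase 2 (quick mode)."""
    protocol: str              # "esp" or "ah"
    encryption: Optional[str]  # None for AH
    auth: str                  # "hmac-sha1" or "hmac-md5"
    pfs_group: Optional[int]   # DH group for PFS, None = no PFS
    lifetime_s: int


@dataclass
class Peer:
    name: str
    phase1: List[Phase1]
    phase2: List[Phase2]


# Attributes that must agree exactly; lifetime is handled separately.
P1_KEYS = ("auth", "encryption", "hash", "dh_group")
P2_KEYS = ("protocol", "encryption", "auth", "pfs_group")


def _differences(a, b, keys):
    return [k for k in keys if getattr(a, k) != getattr(b, k)]


def _first_match(offered, accepted, keys):
    # IKEv1 responders take the first acceptable transform in the initiator's
    # list, so the initiator's ordering decides what gets negotiated.
    for o in offered:
        for a in accepted:
            if not _differences(o, a, keys):
                return o, a
    return None


def _closest(offered, accepted, keys):
    # For the error report only: which pair came nearest to agreeing?
    best = None
    for o in offered:
        for a in accepted:
            d = _differences(o, a, keys)
            if best is None or len(d) < len(best[2]):
                best = (o, a, d)
    return best


def _settle(label, offered, accepted, keys, result):
    m = _first_match(offered, accepted, keys)
    if m is None:
        _, _, d = _closest(offered, accepted, keys)
        result["errors"].append(f"no {label} overlap; closest pair differs in {d}")
        return None
    o, a = m
    if o.lifetime_s != a.lifetime_s:
        # Most IKEv1 stacks settle on the shorter lifetime, but some
        # appliances reject the proposal outright, so flag it for review.
        result["warnings"].append(
            f"{label} lifetime differs ({o.lifetime_s}s vs {a.lifetime_s}s)")
    return replace(o, lifetime_s=min(o.lifetime_s, a.lifetime_s))


def negotiate(initiator: Peer, responder: Peer) -> dict:
    """Return the transforms both sides accept, plus warnings and errors."""
    result = {"phase1": None, "phase2": None, "warnings": [], "errors": []}
    result["phase1"] = _settle("IKE Phase 1", initiator.phase1, responder.phase1, P1_KEYS, result)
    result["phase2"] = _settle("IPsec Phase 2", initiator.phase2, responder.phase2, P2_KEYS, result)
    return result


# Constructed sample peers (hypothetical, not vendor defaults).
EIGHT_HOURS = 8 * 3600
SONICWALL = Peer("sonicwall",
    [Phase1("psk", "3des", "sha1", 2, EIGHT_HOURS)],
    [Phase2("esp", "3des", "hmac-sha1", 2, EIGHT_HOURS)])
FREESWAN = Peer("freeswan",
    [Phase1("rsasig", "3des", "sha1", 5, 3600),   # raw RSA keys offered first
     Phase1("psk", "3des", "md5", 2, 3600),
     Phase1("psk", "3des", "sha1", 2, 3600)],
    [Phase2("esp", "3des", "hmac-sha1", 5, EIGHT_HOURS),
     Phase2("esp", "3des", "hmac-sha1", 2, EIGHT_HOURS)])
NO_PFS_PEER = Peer("no-pfs",
    [Phase1("psk", "3des", "sha1", 2, EIGHT_HOURS)],
    [Phase2("esp", "3des", "hmac-sha1", None, EIGHT_HOURS)])   # PFS switched off
RAW_RSA_ONLY = Peer("rsa-only",
    [Phase1("rsasig", "3des", "sha1", 2, EIGHT_HOURS)],
    [Phase2("esp", "3des", "hmac-sha1", 2, EIGHT_HOURS)])

if __name__ == "__main__":
    for other in (FREESWAN, NO_PFS_PEER, RAW_RSA_ONLY):
        print(f"{SONICWALL.name} -> {other.name}: {negotiate(SONICWALL, other)}")
```

Run against the constructed "freeswan" peer, the checker lands on the
pre-shared-secret/3DES/SHA1/group 2 Phase 1 transform and the ESP/3DES/SHA1
with PFS group 2 Phase 2 transform, and warns that the two sides' Phase 1
lifetimes differ. The "no-pfs" peer fails Phase 2 on pfs_group alone, and the
"rsa-only" peer fails Phase 1 on auth, which is the raw-public-key mismatch
Dave warns about. The same approach works for any pair of appliances: write
down what each side's GUI actually offers, not what you intended to configure.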


