Re: Linux v Dedicated NAT routers - secure remote differences
From: Leonid Rosenboim (MY_FIRST_NAME@CONSULTANT.COM)
Date: 09/28/02
From: "Leonid Rosenboim" <MY_FIRST_NAME@CONSULTANT.COM> Date: Sat, 28 Sep 2002 11:07:54 +0200
IMHO, depends on what is your goal:
If you're just trying to make it work, then go out and buy one of these
cheap routers and use it.
If you are trying to get to the bottom of this out of enthusiasm, then go
out and buy one of these routers that you know will work, and a good book on
IPsec. You'll enjoy finding this out by yourself instead of having somebody
give you the bottom line.
"Alan Chandler" <alan@chandlerfamily.org.uk> wrote in message
news:9L3l9.11498$rT2.106444836@news-text.cableinet.net...
> My colleagues, using NAT routers (such as Netgear RP114) can get a secure
> remote tunnel from a Windoze machine behind it to talk through a Checkpoint
> FW-1 firewall. I can't with a linux NAT box. WHY?
>
> More details ...
>
>
> My company allows remote laptop computers connected via the internet
> to access its internal systems using secure remote installed on the
> laptop. We all have little Secure ID cards that calculate a time
> windowed password for these as an added security. The set up defines
> UDP encapsulation with IKE. The company uses the Checkpoint
> Firewall-1
>
> I can connect my Win98 laptop via a dial up connection to the
> internet, and this setup works.
>
> At home I have a small internal network controlled by a linux box
> acting as a firewall, NAT device and gateway onto a cable modem based
> in IPTABLES. Sitting behind this box, attempts to connect my win98
> laptop using secure remote fail.
>
> A number of other people have purchased dedicated
> Router/Hubs (Netgear RP114 is one such device) for their cable
> providers and are then connecting their laptops to these. All of
> these people report that their version of secure remote works just
> fine.
>
>
> Win98 --- Linux --- Internet --- FW-1 --- Internal company
>
> Above configuration fails
>
> Win98 --- Netgear RP114 --- Internet --- FW-1 --- Internal company
>
> Above configuration works
>
>
>
> I spent some time running ethereal on my linux box and a contact inside the
> internal IT department on the phone looking at the other end trying to see
> why it didn't work. I communicate with the firewall and negotiate the key
> exchange correctly. My PC then tries to use the encrypted channel to talk
> to internal services (I was trying NNTP connection to a news service) and
> I see the packet go out, but no reply comes back. My IT department
> colleague reports that the IP address allocated by DHCP by my linux
> router (10.0.10.30) is seen as the return address of the decrypted
> packets inside the company - so when I access a service the reply does
> not know how to get routed back to me.
>
> The problem is, that now that other solutions are seen to work no one is
> prepared to spend more time helping me get my linux solution working. I am
> pretty sure that these devices are also acting as NAT devices
> (one colleague has told me he had been allocated 10.0.0.152 as his IP
> address).
>
> I have tried reading the Linux VPN HowTo, but these seem to assume
> that the tunnel starts at the linux box rather than on a NAT'ted
> machine behind.
>
> Could someone explain in simple terms how the setup I am describing
> should work and what could be the differences between what I could be
> doing with standard linux (2.4.18) and whatever might be in these
> routers (I assume these are quite likely to be linux variants).
>
> Thanks
>
> --
> Alan Chandler