Re: Linux v Dedicated NAT routers - secure remote differences
- Next message: Tie Dye: "Re: tvDebug.log: Does anyone know the use of this file"
- Previous message: Tore Lund: "Re: Logging Access Attempts"
- In reply to: : "Linux v Dedicated NAT routers - secure remote differences"
- Next in thread: : "Re: Linux v Dedicated NAT routers - secure remote differences"
- Reply: : "Re: Linux v Dedicated NAT routers - secure remote differences"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Robert Davis <bob@bobsbits.net> Date: Sat, 28 Sep 2002 16:04:20 -0400
I just spent 2 weeks of time getting a ms vpn to connect through my linux
rh firewall.
First I tried the linux vpn. After much debugging I found out it doesn't
support mppc compression and I have to get the vpn admin to turn it off.
In the process I upgraded my rh from 6.1 to 7.3 causing many hours of
work. (almost everything had a problem!!) I finally hit upon the
solution though. Having given up on the linux pptp client I proceeded to
try and figure out how to route the "gre" packets through the firewall
and nat. I found a reference that iptables does it and ipchains doesn't.
So I just finished today rewriting my firewall in iptables and it works.
I think you are using ipsec so my experience may not help since I am
using pptp. If you have any questions feel free to ask.
I knew it was the linux nat/firewall that was the problem because I
could connect with a modem. I too didn't want to go the easy route of
using a ms product as the firewall. I did learn a great deal about VPNs
and iptables in the process.
My setup is:
win2k pptp client (behind firewall)
win2k pptp server (not behind a firewall I think)
rh7.3 linux ipmasq and firewall
HTH
bob
Alan Chandler wrote:
>My colleagues, using NAT routers (such as Netgear RP114) can get a secure
>remote tunnel from a Windoze machine behind it to talk through a Checkpoint
>FW-1 firewall. I can't with a linux NAT box. WHY?
>
>More details ...
>
>
>My company allows remote laptop computers connected via the internet
>to access its internal systems using secure remote installed on the
>laptop. We all have little Secure ID cards that calculate a time
>windowed password for these as an added security. The set up defines
>UDP encapsulation with IKE. The company uses the Checkpoint
>Firewall-1
>
>I can connect my Win98 laptop via a dial up connection to the
>internet, and this setup works.
>
>At home I have a small internal network controlled by a linux box
>acting as a firewall, NAT device and gateway onto a cable modem based
>in IPTABLES. Sitting behind this box, attempts to connect my win98
>laptop using secure remote fail.
>
>A number of other people have purchased dedicated
>Router/Hubs (Netgear RP114 is one such device) for their cable
>providers and are then connecting their laptops to these. All of
>these people report that their version of secure remote works just
>fine.
>
>
>Win98 --- Linux --- Internet --- FW-1 --- Internal company
>
>Above configuration fails
>
>Win98 --- Netgear RP114 --- Internet --- FW-1 --- Internal company
>
>Above configuration works
>
>
>
>I spent some time running ethereal on my linux box and a contact inside the
>internal IT department on the phone looking at the other end trying to see
>why it didn't work. I communicate with the firewall and negotiate the key
>exchange correctly. My PC then tries to use the encrypted channel to talk
>to internal services (I was trying NNTP connection to a news service) and
>I see the packet go out, but no reply comes back. My IT department
>colleague reports that the IP address allocated by DHCP by my linux
>router (10.0.10.30) is seen as the return address of the decrypted
>packets inside the company - so when I access a service the reply does
>not know how to get routed back to me.
>
>The problem is, that now that other solutions are seen to work no one is
>prepared to spend more time helping me get my linux solution working. I am
>pretty sure that these devices are also acting as NAT devices
>(one colleague has told me he had been allocated 10.0.0.152 as his IP
>address).
>
>I have tried reading the Linux VPN HowTo, but these seem to assume
>that the tunnel starts at the linux box rather than on a NAT'ted
>machine behind.
>
>Could someone explain in simple terms how the setup I am describing
>should work and what could be the differences between what I could be
>doing with standard linux (2.4.18) and whatever might be in these
>routers (I assume these are quite likely to be linux variants).
>
>Thanks
>
>
>
--Robert Davis
email: mailto:rdavis@lillysoftware.com mailto:bob@bobsbits.net
web: http://www.bobsbits.net
phone: work: 603-926-9696 x3456 home: 603-778-0781
n42 58.476 w70 55.454
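The firewall rewrite Bob describes, as an added example and not anything posted in this thread: a ruleset for a Linux NAT gateway, in iptables-restore format, that forwards the PPTP control connection on TCP 1723 and the GRE packets (Bob's case) and also IKE on UDP 500, NAT-T on UDP 4500 and plain ESP (the IPsec/UDP-encapsulation case in Alan's question). The interface and network names (eth0, ppp0, 192.168.1.0/24) are placeholders, the `! -i` negation form is the current iptables syntax rather than the 2.4-era `-i !`, and a rate-limited LOG rule is included so that forwarded packets the rules reject show up in syslog, which is the first thing to look at when a tunnel negotiates but carries no data. These rules only cover passthrough at the home gateway; the inner-address routing problem Alan's IT colleague reports lies inside the company network, past the point these rules control.

```shell
#!/bin/sh
# Added example (not from the original thread): iptables ruleset for a
# Linux NAT gateway that lets one VPN client on the LAN reach a VPN
# server on the Internet.  PPTP = TCP 1723 control + GRE data (IP
# protocol 47); IPsec = IKE UDP 500, NAT-T UDP 4500, ESP (IP protocol 50).
# Interface and network names below are placeholders.

# Print the ruleset in iptables-restore(8) format.
#   $1 = Internet-facing interface, $2 = LAN network in CIDR form.
vpn_passthrough_rules() {
    wan="$1"
    lan_net="$2"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Hide the LAN behind the gateway's public address (the ipmasq role).
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep the gateway itself reachable from the LAN and for its own replies.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $lan_net ! -i $wan -j ACCEPT
# Return traffic for anything the LAN started.  GRE and ESP carry no
# ports, so conntrack tracks them generically: that is enough for one
# VPN client at a time; several simultaneous PPTP clients need the PPTP
# conntrack/NAT helper modules (nf_conntrack_pptp, nf_nat_pptp today).
-A FORWARD -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
# PPTP: TCP 1723 control connection plus GRE tunnel packets.
-A FORWARD -s $lan_net -o $wan -p tcp --dport 1723 -j ACCEPT
-A FORWARD -s $lan_net -o $wan -p gre -j ACCEPT
# IKE/IPsec: IKE on UDP 500, NAT-T on UDP 4500, and plain ESP for peers
# that do not use UDP encapsulation.
-A FORWARD -s $lan_net -o $wan -p udp --dport 500 -j ACCEPT
-A FORWARD -s $lan_net -o $wan -p udp --dport 4500 -j ACCEPT
-A FORWARD -s $lan_net -o $wan -p esp -j ACCEPT
# Log (rate limited) what the chain policy is about to drop, so a tunnel
# that negotiates but passes no data can be diagnosed from syslog.
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-forward-drop: "
COMMIT
EOF
}

# With no arguments, print a ruleset for the placeholder names.
# Load it with:  sh this.sh eth0 192.168.1.0/24 | iptables-restore
vpn_passthrough_rules "${1:-eth0}" "${2:-192.168.1.0/24}"
```

Forwarding must also be switched on (`sysctl -w net.ipv4.ip_forward=1`) or nothing crosses the box regardless of the rules, and `iptables-restore --test` checks the generated file for syntax errors before it is applied. Because the FORWARD policy is DROP, any other LAN traffic (web, DNS, mail) needs its own ACCEPT rules; the VPN rules are deliberately an explicit allow list rather than an accept-all, which is what makes the GRE and ESP lines matter.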