cmisip
2003-Jul-31 17:54 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
Hi, I have a local LAN 192.168.1.0/24 and a Linux IP masq router (via Shorewall; let's call it Arouter). I have clients connect to this via eth1 (eth0 is connected to the cable modem). Everything is working fine (all clients (machines blaptop, cdesktop, ddesktop) can see each other and the router and all happily connect to the internet). I have the default route on blaptop, cdesktop, ddesktop pointed to Arouter.

To protect wireless 802.11b on blaptop, I create an IPsec tunnel between it and cdesktop, ddesktop, Arouter. Now cdesktop, ddesktop and Arouter have IP forwarding turned on. When I bring up a tunnel between blaptop and ddesktop, the routing table on blaptop gets changed so now the default route points to ddesktop via ipsec0. This is OK since I have IP forwarding turned on in ddesktop, hence packets for the internet get forwarded to Arouter by ddesktop. Things are good. The same goes on if I turn on the IPsec tunnel to cdesktop.

Now if I turn on the IPsec tunnel to Arouter, I can connect to Arouter and ping the hell out of it and I get ESP encryption on pings and replies. So the IPsec tunnel to Arouter must be working. The routing table now has Arouter as default route via ipsec0 for the laptop. However, I cannot access the internet now from blaptop. What am I doing wrong? Somehow, I need to tell Arouter to decrypt these IPsec packets and masq them and send them to the internet like it is doing for the eth1 subnet.
My ethernet devices:

eth0 - dhcp via cable modem
eth1 - 192.168.1.1
eth2 - 192.168.2.1

my files:

policy:
loc   net   ACCEPT
net   all   DROP
all   all   REJECT
fw    net   ACCEPT
loc   fw    ACCEPT
fw    loc   ACCEPT
fw    vpn   ACCEPT
vpn   fw    ACCEPT
vpn   net   ACCEPT

zones:
net   Net
loc   Local
dmz   DMZ
vpn   VPN

interfaces:
net   eth0    detect
loc   eth1    192.168.1.255
dmz   eth2    192.168.2.255
vpn   ipsec0

tunnels:
ipsec   loc   192.168.1.100   vpn

masq:
eth0   eth1
eth0   192.168.1.100/32

My FreeS/WAN ipsec is configured to be host to host (no subnets or nexthops, as all machines exist in the same network and can see each other). I have in ipsec.conf the option forwardcontrol=yes as well as interfaces="ipsec0=eth1".

Any help would be appreciated. Thanks
Tom Eastep
2003-Jul-31 18:19 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
On 31 Jul 2003 19:54:59 -0500, cmisip <cmisip@insightbb.com> wrote:

> my files:
> policy
> loc net ACCEPT
> net all DROP
> all all REJECT

If your policy file REALLY looks like this then you may as well delete the rest of the file because it's doing nothing but taking up bytes. The above record matches all connections.

> fw net ACCEPT
> loc fw ACCEPT
> fw loc ACCEPT
> fw vpn ACCEPT
> vpn fw ACCEPT
> vpn net ACCEPT
>
> zones:

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
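To make Tom's point concrete, here is an added Python model of Shorewall's first-match policy evaluation (an illustration written for this page, not Shorewall's own code). It parses the policy file as posted, shows which connection each entry actually decides, and lists the entries that an earlier "all all" catch-all makes unreachable. The reordered variant with the catch-all moved to the end is this example's assumption; the thread does not show a corrected file.

```python
"""First-match evaluation of a Shorewall policy file.

Added illustration, not Shorewall's own code.  Shorewall reads
/etc/shorewall/policy top to bottom and the first entry whose SOURCE and DEST
match the connection's zones wins; "all" matches any zone.  The posted file is
embedded below as a constructed sample, together with a reordered version
(the reordering is this example's assumption, not something from the thread).
"""

POLICY_AS_POSTED = """\
loc  net  ACCEPT
net  all  DROP
all  all  REJECT
fw   net  ACCEPT
loc  fw   ACCEPT
fw   loc  ACCEPT
fw   vpn  ACCEPT
vpn  fw   ACCEPT
vpn  net  ACCEPT
"""

# Same entries with the catch-all last, so the specific ACCEPTs are reachable.
POLICY_REORDERED = """\
loc  net  ACCEPT
net  all  DROP
fw   net  ACCEPT
loc  fw   ACCEPT
fw   loc  ACCEPT
fw   vpn  ACCEPT
vpn  fw   ACCEPT
vpn  net  ACCEPT
all  all  REJECT
"""


def parse_policy(text):
    """Return [(source_zone, dest_zone, POLICY), ...] ignoring blanks/comments.
    Only the first three columns matter here (LOG LEVEL etc. are ignored)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2].upper()))
    return entries


def _covers(entry, src, dst):
    """True if this entry matches a src-zone -> dst-zone connection."""
    esrc, edst, _ = entry
    return esrc in (src, "all") and edst in (dst, "all")


def lookup(entries, src, dst):
    """(index, policy) of the first entry matching a src-zone -> dst-zone
    connection, or None if nothing matches."""
    for i, entry in enumerate(entries):
        if _covers(entry, src, dst):
            return i, entry[2]
    return None


def shadowed(entries):
    """Indexes of entries that can never match because a single earlier entry
    already covers every connection they would cover."""
    dead = []
    for i, (src, dst, _) in enumerate(entries):
        if any(_covers(entries[j], src, dst) for j in range(i)):
            dead.append(i)
    return dead


if __name__ == "__main__":
    for name, text in (("as posted", POLICY_AS_POSTED), ("reordered", POLICY_REORDERED)):
        entries = parse_policy(text)
        print(name, "vpn->net:", lookup(entries, "vpn", "net"),
              "shadowed:", shadowed(entries))
```

Run as a script it prints, for the file as posted, that a vpn -> net connection is decided by entry 2 (the REJECT) and that entries 3 through 8 are never consulted; with the catch-all last, vpn -> net reaches the ACCEPT and nothing is shadowed.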
Tom Eastep
2003-Aug-01 15:10 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
On Fri, 2003-08-01 at 15:01, cmisip wrote:

> I kinda found that out, the hard way, after the remote machine locked
> me out when I commented it out instead. Anyway, still no internet
> access with ipsec on.

Please keep the thread on the list.

Someone more familiar with IPSEC please help me out here; the tunnel in question is configured as host-to-host -- doesn't that mean the IPSEC will toss any traffic coming into or out of the tunnel that has a source or destination other than the firewall itself?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Darcy Ganga
2003-Aug-01 15:30 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
Hi All. FreeS/WAN has a little problem with its configuration using iptables; personally, I would change FreeS/WAN for OpenVPN.

--
Darcy Roberto Ganga
System Engineer and Technical Software
SYA Consultores de Chile S.A
mailto:dganga@syachile.cl
http://www.syachile.cl
Phone: 56-2-9401500 Direct: 56-2-9401560
Key fingerprint = 91 4F 1F 11 89 E4 84 25 36 0B 92 E6 E6 91 8D 3F 47 05 36 EC
User #290674 counter.li.org
Joshua Banks
2003-Aug-01 15:45 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
My experience with (host-to-host) IPsec in general tells me that any traffic not destined for that specific host specified in the IPsec routing/tunneling policy will be dropped at the firewall before being encrypted, because it doesn't match the IPsec routing/tunneling policy.

Are the firewalls the termination points (where the encryption and decryption happens)? Or are the actual hosts/VPN clients the ones doing the encryption and decryption locally?

If the actual firewalls (IPsec termination points) are doing the encryption and decryption of the IPsec packets and then handing those packets off to the specific host after being decrypted, then only IPsec packets destined for that specific host will make it through the IPsec tunnel. If that host has other rules and policies that allow it out to the internet as well as having an IPsec routing/tunneling policy set up, a packet not destined for that specific host on the other end should go around the tunnel without being encrypted. But if the only rules in place on the firewall for that specific host are for IPsec tunneling, then again any packet not destined for that host on the other end of the IPsec tunnel should get dropped.

My 2 cents.

JBanks

--- Tom Eastep <teastep@shorewall.net> wrote:
> On Fri, 2003-08-01 at 15:01, cmisip wrote:
> > I kinda found that out, the hard way, after the remote machine locked
> > me out when I commented it out instead. Anyway, still no internet
> > access with ipsec on.
> >
> Please keep the thread on the list.
>
> Someone more familiar with IPSEC please help me out here; the tunnel in
> question is configured as host-to-host -- doesn't that mean the IPSEC
> will toss any traffic coming into or out of the tunnel that has a source
> or destination other than the firewall itself?
>
> -Tom
cmisip
2003-Aug-01 18:24 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
On Fri, 2003-08-01 at 17:44, Joshua Banks wrote:
> My experience with (host-to-host) IPsec in general tells me that any
> traffic not destined for that specific host specified in the ipsec
> routing/tunneling policy will be dropped at the firewall before being
> encrypted because it doesn't match the ipsec routing/tunneling policy.

I have host to host between a client machine and a firewall/router (Shorewall with ip masq). The client machine is a laptop with 802.11b. My intent was to encrypt all wireless communications from the laptop to any machine in the LAN, encrypting even packets destined for the internet (so they are encrypted from laptop to linuxrouter and plaintext from linuxrouter to the internet):

laptop <--802.11b---> linuxrouter ----> cablemodem
vpn    <---tunnel---> vpn
nofirewall            shorewall

However, the packets destined for the internet seem to die at the linuxrouter. I think they make it there because I can ping the router and tcpdump shows ESP on ping and reply.

> Are the firewalls the termination points (where the encryption and
> decryption happens)? Or are the actual hosts/vpn clients the ones doing
> the encryption and decryption locally?

The laptop is a termination point, the linuxrouter is a termination point.

> If the actual firewalls (ipsec termination points) are doing the
> encryption and decryption of the ipsec packets and then handing those
> packets off to the specific host after being decrypted,

I thought encryption will only happen if source and destination of packets are the termination points of the IPsec tunnel. I am using FreeS/WAN. If there is a firewall between the VPN termination points, it just needs to allow the IPsec packets and have the termination points do the encryption and decryption. Am I understanding this wrong?

> then only ipsec packets destined for that specific host will make it
> through the ipsec tunnel.

I can ping and receive a reply when the tunnel is up, and tcpdump shows ESP encryption on both ping and reply.

I have the default route set to point to the linuxrouter also, so packets destined for the internet are routed to the linuxrouter as well. With the tunnel down, the packets make it to the internet. With the tunnel up, they don't.

I have tried another setup as well:

laptop <--802.11b--> machineA <--wired--> dlinkrouter <---> cablemodem
vpn    <-----------> vpn                  NAT
nofirewall           shorewall
                     (no ip masq but ip forwards)

In this scenario, ping and reply between laptop and machineA show ESP encryption. Ping and reply between laptop and dlinkrouter show no encryption. With the tunnel up between laptop and machineA, packets for the internet make it to machineA (ipsec makes the default route on the laptop point to machineA) and then, since machineA does IP forwarding, the packets continue on to dlinkrouter and to the internet. However, these packets to the internet are not encrypted.

My goal was to make the laptop to router connection secure for packets that need to go to the internet. Is this even possible? As it is impossible to set up a tunnel to every possible host on the internet, I thought that I could do this if I set up a VPN tunnel between the laptop and the router.

Thanks
Tom Eastep
2003-Aug-01 19:29 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
On Fri, 01 Aug 2003 20:24:42 -0500, cmisip <cmisip@insightbb.com> wrote:

> My goal was to make the laptop to router connection secure for packets
> that need to go to the internet. Is this even possible, as it is
> impossible to setup a tunnel to every possible host on the internet, I
> thought that I could do this If I setup a vpn tunnel between the laptop
> and the router.

If you had chosen any other tunnel type except host-to-host IPSEC, it would have probably worked.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Aug-01 20:26 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
On Fri, 01 Aug 2003 19:29:31 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> If you had chosen any other tunnel type except host-to-host IPSEC, it
> would have probably worked.

And while I'm unavailable this weekend, you can look at the traffic through ipsec0 and your external interface. And it's always a good idea to look at Shorewall log messages (because unless you've messed that up, the Shorewall-generated ruleset logs anything important that it doesn't pass). And try to keep in mind that not all connection problems are due to Shorewall; doing that helps avoid tunnel vision.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Ed Greshko
2003-Aug-01 20:29 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
On Sat, 2003-08-02 at 11:26, Tom Eastep wrote:

> And try to keep in mind that not all connection problems are due to
> Shorewall; doing that helps avoid tunnel vision.

Ahhh... pun intended, right? :-)

--
http://www.shorewall.net
Shorewall, for all your firewall needs
Joshua Banks
2003-Aug-01 20:30 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
You said:

> I have host to host between a client machine and a firewall/router
> (shorewall with ip masq). The client machine is a laptop with 802.11b.
> My intent was to encrypt all wireless communications from the laptop to
> any machine in the lan, encrypting even packets destined for the internet
> (so they are encrypted from laptop to linuxrouter and plaintext from
> linuxrouter to the internet)
>
> laptop <--802.11b---> linuxrouter ----> cablemodem
> vpn    <---tunnel---> vpn
> nofirewall            shorewall
>
> However, the packets destined for the internet seem to die at the
> linuxrouter. I think they make it there because I can ping the router
> and tcpdump shows ESP on ping and reply.

My response:

So what you actually have is like a mobile user VPN client on the laptop that authenticates to the Linux/firewall. Is the Linux firewall like a branch office? If I'm wrong let me know.

Once you're authenticated to that firewall it should bind an IP to ipsec0 (in most cases). And now it's as though you're a virtual machine behind the firewall, as though you're a part of the firewall's internal LAN now. I'm on the same page of music now as far as your setup is concerned.

Now I'm not totally familiar with how FreeS/WAN, their MUVPN IPsec clients and concepts work, but most IPsec implementations are pretty close to the same. I would venture to say that someone at linuxquestions.org would probably be able to help as well here.

? Is the connection to the ISP via a static IP address or PPPoE?
? Are you able to ping any other machines behind the firewall once the tunnel is up? If so, can you telnet or ftp or hit a web page on any of those machines?

I know what you want to do, but if you had a machine behind the firewall that you could send any layer 7 traffic to, this would help further isolate the problem.

I've seen where MTU size can be an issue, either on the client end because of the wireless setup or on the firewall end if the cable modem is using PPPoE. This might be why sending a ping is working. That's only a 64 byte packet.

Assuming that the firewall has an eth0 and eth1 and has an internal private address, which one are you pinging? The public one or the private one? What I'm getting at is you want to prove the MTU theory wrong by either pinging with an MTU option or by size, forcing your ping packet not to fragment. I don't know how this is done on Linux/Unix yet. I've never tried. On Windows you can "ping -l 1600 www.yaoo.com -f": -l is for size and -f tells it not to fragment the packet. So if you're using a Linux/Unix variation on your laptop you should be able to send an unfragmented ping packet to eth1 on the firewall of at least 1472 bytes. You'll know if the packet gets too big because it should tell you "packet needs to be fragmented but DF bit set", something like that anyway.

> The laptop is a termination point, the linuxrouter is a termination point.

I understand this now.

> I thought encryption will only happen if source and destination of
> packets are the termination points of the ipsec tunnel.

As soon as the laptop authenticates to the Linux firewall, encryption/decryption can begin. In your setup every response coming back from the firewall will be encrypted and then your laptop decrypts it. If you have the setup that I think you do, your laptop sends mail to a mail server behind the Linux/firewall, then the traffic is encrypted and passed through the tunnel to the Linux/firewall where it's decrypted and then sent plain text to the mail server. The mail server responds in plain text back to the Linux/firewall, where the firewall sees that this traffic is destined for an IPsec tunnel and then encrypts and pushes it through the IPsec tunnel.

> I am using Frees/wan. If there is a firewall between the vpn termination
> points, it just needs to allow the ipsec packets and have the termination
> points do the encryption and decryption. Am I understanding this wrong?

You're correct. AH = IP 51 (cannot be NATted whatsoever) or ESP = IP 50, and UDP/IKE 500 (in most situations). Some clients use a higher UDP port, like Cisco's.

> I can ping and receive a reply when the tunnel is up and tcpdump shows
> esp encryption on both ping and reply.

Again, this could be an MTU issue.

> I have default route set to point to the linuxrouter also so packets
> destined for the internet are routed to the linuxrouter as well.
> With the tunnel down, the packets make it to the internet.
> With the tunnel up, they dont.

Again, you should try the ping test I talked about and at least try something other than ping, like telnet or SSH, something layer 7 through the tunnel. Telnet is usually the easiest.

> I have tried another setup as well:
>
> laptop <--802.11b--> machineA <--wired--> dlinkrouter <---> cablemodem
> vpn    <-----------> vpn                  NAT
> nofirewall           shorewall
>                      (no ip masq but ip forwards)
>
> In this scenario, ping and reply between laptop and machineA show esp
> encryption.

But you said at the beginning of this post that you got ping to work through the tunnel without the setup you just described.

> Ping and reply between laptop and dlinkrouter show no encryption.

They won't, because it's probably on the same ethernet (MAC) segment.

> With the tunnel up between laptop and machineA, packets for the internet
> make it to machineA (ipsec makes the default route on laptop point to
> machineA) and then since machine A does ip forwarding, the packets
> continue on to dlinkrouter and to the internet.

So with this setup you're telling me this is working like you want it to for the most part? >VERY IMPORTANT<

> However these packets to the internet are not encrypted.

They won't be, but the responses coming back from the internet to the Linux/firewall get encrypted and passed back through the tunnel to the laptop.

> My goal was to make the laptop to router connection secure for packets
> that need to go to the internet.

This is secure as far as I can see.

> Is this even possible, as it is impossible to setup a tunnel to every
> possible host on the internet, I thought that I could do this If I setup
> a vpn tunnel between the laptop and the router.

Yes, hopefully I explained this 2 comments ago.

Laptop A sends a UDP 500 IKE packet to the Linux/firewall and authenticates, which brings the tunnel up, and now ESP or encryption can start. Laptop A wants to go to www.yahoo.com... the packet is encrypted and sent through the tunnel to the Linux/firewall, where it is decrypted/unpackaged and read and then is forwarded unencrypted out to the appropriate DNS or WWW site. That site responds, sending the packet back to the Linux router in plain text (if it's not SSH or HTTPS, that is), and the Linux/firewall sees that the packet is destined for the IPsec laptop A and encrypts and sends the packet through the tunnel to laptop A, which receives the packet and decrypts/unpackages it and is now able to read it.

I'm out of breath just thinking about it.

Hope this helps.

JBanks
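Tom's question earlier in the thread (whether a host-to-host tunnel tosses anything whose source or destination is not the endpoint itself) and Joshua's walk-through above of the laptop -> router -> internet -> router -> laptop path are both really statements about IPsec traffic selectors. The following Python model is an added illustration written for this page (not FreeS/WAN, KLIPS or Shorewall code). It runs a laptop-to-internet packet through a host-to-host policy and through a policy whose router-side selector is widened to 0.0.0.0/0, then applies the router's mirrored inbound check and masquerading. The laptop and router addresses come from the thread; the router's public address (203.0.113.5), the internet host (198.51.100.10) and the rightsubnet=0.0.0.0/0 alternative are assumptions of the example.

```python
"""Traffic selectors: why a host-to-host tunnel does not carry laptop-to-internet
traffic, and what the router does with packets that do arrive through it.

Added illustration, not FreeS/WAN, KLIPS or Shorewall code.  An IPsec policy
carries a traffic selector (local net, remote net); only a packet whose source
falls in the local selector and whose destination falls in the remote selector
is sent through the SA.  In FreeS/WAN the selector comes from left/right plus
the optional leftsubnet/rightsubnet; with neither subnet set ("host-to-host")
the selector is just the two endpoint addresses.  Laptop and router addresses
are from the thread; everything else below is a constructed assumption.
"""
import ipaddress

LAPTOP = "192.168.1.100"          # blaptop, from the tunnels entry in the post
ROUTER = "192.168.1.1"            # Arouter eth1
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTER_PUBLIC = "203.0.113.5"     # assumed eth0 address (TEST-NET-3, constructed)


def selector(addr, subnet=None):
    """Selector for one end: the host itself, or the configured subnet."""
    return ipaddress.ip_network(subnet if subnet else f"{addr}/32")


def spd(host_to_host):
    """(laptop policy, router policy), each as (local selector, remote selector).
    The two sides mirror each other.  With host_to_host=False the router end is
    widened to 0.0.0.0/0, i.e. the laptop would use rightsubnet=0.0.0.0/0 for
    its conn to the router (assumed configuration, not from the thread)."""
    laptop_sel = selector(LAPTOP)
    router_sel = selector(ROUTER) if host_to_host else selector(ROUTER, "0.0.0.0/0")
    return (laptop_sel, router_sel), (router_sel, laptop_sel)


def _in(addr, net):
    return ipaddress.ip_address(addr) in net


def laptop_sends(policy, dst):
    """What the laptop puts on the 802.11b link for a packet to dst."""
    local, remote = policy
    if _in(LAPTOP, local) and _in(dst, remote):
        # Outer header is laptop -> router (the SA peer); inner is the real packet.
        return ("esp", LAPTOP, ROUTER, (LAPTOP, dst))
    # No policy covers this flow, so the packet never enters the SA.  Whether it
    # is then dropped or sent in the clear depends on the host's routing and SPD
    # defaults, which the thread does not settle; the model only reports it.
    return ("uncovered", LAPTOP, dst)


def router_receives(policy, frame):
    """Router side: decapsulate ESP it terminates, check the inner packet against
    the mirrored selector, then route it.  Anything leaving for a non-LAN
    destination is masqueraded to the eth0 address (the post's masq entry)."""
    if frame[0] != "esp":
        return ("not-via-tunnel",) + frame[1:]
    local, remote = policy
    inner_src, inner_dst = frame[3]
    # Inbound policy check: the decrypted packet must match the selector too.
    if not (_in(inner_dst, local) and _in(inner_src, remote)):
        return ("drop", "inner packet outside inbound selector")
    if inner_dst == ROUTER:
        return ("local", inner_src, inner_dst)
    if _in(inner_dst, LAN):
        return ("forward-lan", inner_src, inner_dst)
    return ("masq-eth0", ROUTER_PUBLIC, inner_dst)


def trace(host_to_host, dst):
    """End-to-end: laptop policy -> wire -> router policy -> routing decision."""
    laptop_policy, router_policy = spd(host_to_host)
    return router_receives(router_policy, laptop_sends(laptop_policy, dst))


if __name__ == "__main__":
    for mode in (True, False):
        for dst in (ROUTER, "192.168.1.50", "198.51.100.10"):
            print(f"host_to_host={mode!s:5} dst={dst:15} -> {trace(mode, dst)}")
```

Run as a script it prints six traces. The thing to notice is that under the host-to-host policy only the packet addressed to the router itself ever enters the SA; the laptop-to-internet packet is uncovered on the laptop side, so there is nothing for the router to decrypt and masquerade. With the widened router-side selector the same packet is carried through ESP, passes the router's inbound check, and leaves eth0 with the masqueraded source. The inbound check also shows the other half of Tom's question: an ESP packet whose inner destination falls outside the router's selector is dropped after decryption rather than forwarded.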
Tom Eastep
2003-Aug-01 20:42 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
On 02 Aug 2003 11:29:32 +0800, Ed Greshko <Ed.Greshko@greshko.com> wrote:

> On Sat, 2003-08-02 at 11:26, Tom Eastep wrote:
>
>> And try to keep in mind that not all connection problems are due to
>> Shorewall; doing that helps avoid tunnel vision.
>
> Ahhh...pun intended, right? :-)

In this gig, you find your amusements where you may....

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
cmisip
2003-Aug-01 21:44 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
> My response:
> So what you actually have is like a mobile user vpn client on the laptop
> that authenticates to the Linux/firewall. Is the linux firewall like a
> Branch Office? If I'm wrong let me know.

Everything is in one network setup. It is not a road warrior type configuration where I am connecting to a subnet from elsewhere. The laptop connects to a DI-614+ to which 3 other machines are connected. One port of the DI-614+ connects to the Linux router. So all the machines are really on one side of the firewall. There is really no router in between these machines as they are all on the same network/netmask. One of the machines is a Linux router with three interfaces: eth0 to the cable modem via dhcp, eth1 to the internal 192.168.1.0/24 network and eth2 to the 192.168.2.0 network DMZ. The rest only have one interface to connect to the 192.168.1.0/24 network. I am not using the DMZ yet.

> Once you're authenticated to that firewall it should bind an ip to
> ipsec0 (in most cases). And now it's as though you're a virtual machine
> behind the firewall, as though you're a part of the firewall's internal
> lan now.

The laptop is always a part of the internal LAN in this configuration. I merely want to secure the wireless communication. In the future, if I get this working, I would want to put together a Road Warrior configuration where I can connect from the internet to the linuxrouter firewall into a host in the LAN (going through the firewall this time).

> I'm on the same page of music now as far as your setup is concerned.
> Now I'm not totally familiar with how free/swan, their muvpn ipsec
> clients and concepts work but most ipsec implementations are pretty
> close to the same. I would venture to say that someone at
> linuxquestions.org would probably be able to help as well here.
>
> ? Is the connection to the ISP via a Static ip address or PPPoE?

It is via dhcp, although I think the IP does not change frequently. In the future, I will set up a dyndns account so I can locate the Linux router from the internet side. And it is an external modem. Linux just sees the eth0 interface.

> ? Are you able to ping any other machines behind the Firewall once the
> tunnel is up? If so can you telnet or ftp or hit a web page on any of
> those machines?

In the current setup, which is only on one side of the firewall, I can ping the Linux router and get a reply with the tunnel up. Packets going from laptop to linuxrouter are ESP encrypted.

> I know what you want to do but if you had a machine behind the firewall
> that you could send any layer 7 traffic to, this would help further
> isolate the problem.
>
> I've seen where MTU size can be an issue either on the client end
> because of the wireless setup or the firewall end if the cable modem is
> using PPPoE. This might be why sending a ping is working. That's only a
> 64 byte packet.
>
> Assuming that the Firewall has an Eth0 and Eth1 and has an internal
> private address which one are you pinging?

I ping the eth1 interface. ipsec0 is set to use the eth1 interface.

> The public one or the private one? What I'm getting at is you want to
> prove the mtu theory wrong by either pinging with an MTU option or by
> size forcing your ping packet not to fragment. I don't know how this is
> done on linux/unix yet. I've never tried. On windows you can
> "ping -l 1600 www.yaoo.com -f" -l is for size and -f tells it not to
> fragment the packet. So if you're using a linux/unix variation on your
> laptop you should be able to send an unfragmented ping packet to Eth1 on
> the Firewall of at least 1472 bytes. You'll know if the packet gets too
> big because it should tell "packet needs to be fragmented but DF bit
> set" something like that anyway.
>
> > The laptop is a termination point, the linuxrouter is a termination
> > point.
>
> I understand this now.
>
> > I thought encryption will only happen if source and destination of
> > packets are the termination points of the ipsec tunnel.
>
> As soon as the Laptop authenticates to the Linux firewall
> Encryption/Decryption can begin. In your setup every response coming
> back from the Firewall will be encrypted and then your laptop decrypts
> it. If you have the setup that I think that you do your laptop sends
> mail to a mail server behind the linux/firewall then the traffic is
> encrypted and passed through the tunnel to the linux/firewall where it's
> decrypted and then sent plain text to the mail server. The mail server
> responds in plain text back to the linux/firewall where the firewall
> sees that this traffic is destined for an Ipsec tunnel and then encrypts
> and pushes it through the ipsec tunnel.

I have not set up a mail server yet, although that is a future project of mine. I basically want to encrypt packets destined for the internet while they are "in the air", so to speak. When they have entered the linuxrouter they will be in a wired ethernet and considered secure.

> > I am using Frees/wan. If there is a firewall between the vpn
> > termination points, it just needs to allow the ipsec packets and have
> > the termination points do the encryption and decryption.
> > Am I understanding this wrong?
>
> You're correct. AH=IP 51 (Cannot be natted whatsoever) or ESP=IP 50 and
> UDP/IKE 500 (in most situations). Some clients use a higher udp port
> like Cisco's.

The IPsec encryption/decryption should happen before the NATting. The laptop should send encrypted packets via eth1 (destined for the internet) to linuxrouter. linuxrouter should decrypt them and then NAT them and send them to eth0.

> > I can ping and receive a reply when the tunnel is up and tcpdump shows
> > esp encryption on both ping and reply.
>
> Again this could be an MTU issue.
>
> > I have default route set to point to the linuxrouter also so packets
> > destined for the internet are routed to the linuxrouter as well.
> > With the tunnel down, the packets make it to the internet.
> > With the tunnel up, they dont.
>
> Again you should try the ping test I talked about and at least try
> something other than ping. Like telnet or SSH, something layer 7 through
> the tunnel. Telnet is usually the easiest.

I can ssh to the linuxrouter from the laptop with the tunnel up. I used scp to transfer a very large file from the linuxrouter to the laptop and tcpdump shows ESP encryption.

> > I have tried another setup as well:
> >
> > laptop <--802.11b--> machineA <--wired--> dlinkrouter <---> cablemodem
> > vpn    <-----------> vpn                  NAT
> > nofirewall           shorewall
> >                      (no ip masq but ip forwards)
> >
> > In this scenario, ping and reply between laptop and machineA show esp
> > encryption.
>
> But you said at the beginning of this post that you got ping to work
> through the tunnel without the setup you just described.

This is my old setup. The dlinkrouter has no possibility of becoming a VPN termination point.

> > Ping and reply between laptop and dlinkrouter show no encryption.
>
> They won't because it's probably on the same ethernet (MAC) segment.

I don't understand this. I thought the reason was the dlinkrouter was not a VPN termination point.

> > With the tunnel up between laptop and machineA, packets for the
> > internet make it to machineA (ipsec makes the default route on laptop
> > point to machineA) and then since machine A does ip forwarding, the
> > packets continue on to dlinkrouter and to the internet.
>
> So with this setup you're telling me this is working like you want it to
> for the most part? >VERY IMPORTANT<

It is half working. Connections to machineA are encrypted for all packets with destination machineA. If the destination of packets is the internet, the packets from laptop to machineA to internet are not encrypted. This is possibly because the termination points of the VPN tunnel are laptop and machineA. When I send a packet to the internet, the endpoint is not machineA and so it is not encrypted. The packets do get to the internet though, because I have IP forwarding turned on. These internet packets get forwarded to machineA's default route, which is the dlinkrouter. This was my old setup. Seeing that I can never make the dlinkrouter a VPN termination point, since there will be no RSA keys for it, I decided to turn one of my machines into a Linux router with ip masq and put the rest of the home LAN, connected by the D-Link port switch, behind it and the cable modem in front of it.

> > However these packets to the internet are not encrypted.
>
> They won't be, but the responses coming back from the internet to the
> linux/firewall get encrypted and passed back through the tunnel to the
> laptop.

They show no ESP encryption in my old setup. In my current setup I cannot test it because packets don't seem to get to the internet.

> > My goal was to make the laptop to router connection secure for packets
> > that need to go to the internet.
>
> This is secure as far as I can see.
>
> > Is this even possible, as it is impossible to setup a tunnel to every
> > possible host on the internet, I thought that I could do this If I
> > setup a vpn tunnel between the laptop and the router.
>
> Yes, hopefully I explained this 2 comments ago.
>
> Laptop A sends a UDP500 IKE packet to the linux/firewall and
> authenticates which brings the tunnel up and now ESP or encryption can
> start. Laptop A wants to go to www.yahoo.com....the packet is Encrypted
> and sent through the tunnel to the linux/firewall where it is
> decrypted/unpackaged and read and then is forwarded unencrypted out to
> the appropriate Dns or WWW site. That site responds sending the packet
> back to the linux router in plain text, if it's not SSH or HTTPS that
> is, and the Linux/firewall sees that the packet is destined for the
> ipsec Laptop A and encrypts and sends the packet through the tunnel to
> laptop A which receives the packet and decrypts/unpackages it and is now
> able to read it.

!!! This is exactly what I want to be able to do. However, it seems that it fails at the "forwarded unencrypted out to the DNS or WWW site" step.

> I'm out of breath just thinking about it.
>
> Hope this helps.
>
> JBanks

Thanks. Discussing this helps me learn about it. If anything, I know now that my goal is realistic.
Joshua Banks
2003-Aug-01 22:20 UTC
[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access
Wow, I was way off as far as your setup goes. So now what I see is your main concern is you want your wireless traffic to and from the firewall to be unsniffable? This is why you're trying to set up a tunnel. To be honest, I don't know how that's done. In my experience I've always put the wireless LAN on the DMZ so that they're totally segregated. So how to accomplish what you're trying to do is a little beyond me.

The fact that you can bring the tunnel up is good. So when you try to ping out to the internet you don't get replies, correct? Or you do, because the packets go around the tunnel. Shorewall logs should be telling you something here when this is failing to go out, if it is.

Sorry for the misunderstanding.

JBanks