Admin_Axel@congos-tools.com
2003-Nov-11  11:55 UTC
[Shorewall-users] Maybe OT but still: Dynamic IP <-> Fix IP IPSEC tunnels from various OSs
Good evening,
 
While this is off topic, it might not be completely. What I am asking
for is actually your opinion on whether I missed anything which might cause
Shorewall/netfilter to fail on this setup. I already asked something
similar not that long ago, but this is a variation of the concept.
 
The basic setup should look as follows:
 
 
    Big Bad Internet
            |
            |
            |  IP NETA
      -------------                                 
      |           |   IP NETB1       IP NETB2       -------------
      |           |-()---------------------------()-|           | 
      | Checkpoint|                                 | Shorewall |
      |     FW    |   IP NETC1       IP NETC2       |  Freeswan |
      |           |-()---------------------------()-|           |
      |           |                                 |           |
      -------------                                 -------------
            |  IP NET D
            |
            -----------
            |    |    |
            S1   S2   S3
 
 
The problem is with IPsec tunnels, actually with tunnels from dial-in
(incl. DSL, cable) clients with no fixed IP address. While the Checkpoint
NG does a great job managing up to 50 VPNs (partly star topology,
partly fully interconnected), it fails at allowing non-Windows clients to
connect (L2TP is possible, I know).
Linux clients won't be supported, at least not in a way I would call
stable.
 
The Shorewall in this scenario would take a.) road warrior VPNs and
b.) SSH connections.
 
It would need to take the traffic on IP NETB2, decrypt it and route it
out through IP NETC2, via IP NETC1, to IP NET D.
 
This should work without any problem for the SSH users (at least for those
not using SSH tunnels but terminal-like connections).
 
To make this work securely for IPsec tunnel users, I would need to NAT
traffic going out through IP NETC2 (for IPsec AND SSH users).
 
In this special case I am looking for negative feedback. I think this
will work, and I am wondering if I forgot something which might just kill
the concept, either by technical means or because of security
implications.
 
Axel Westerhold
DTS Systeme GmbH
Datacenter IT Security Team
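The setup described in the message above, written out as Shorewall and FreeS/WAN configuration. This is an added illustration and is not configuration from the original post, nor from the Shorewall or FreeS/WAN projects. It uses the Shorewall 1.4-era file formats that were current when the message was sent, and every concrete value is an assumption made for the example: KLIPS, so decrypted road warrior traffic appears on ipsec0; eth0 carrying IP NETB2 (192.0.2.2, Checkpoint side NETB1 = 192.0.2.1); eth1 carrying IP NETC2 (192.0.2.6, Checkpoint side NETC1 = 192.0.2.5); 10.0.0.0/24 standing in for IP NET D; and the zone names net, vpn and loc.

```text
# --- Routing on the Shorewall/FreeS/WAN host (placeholder addresses) ---
# Encrypted packets and SSH arrive from the Checkpoint on eth0 (NETB2).
# NET D is reached only through the Checkpoint's NETC1 address on eth1.
ip route add default via 192.0.2.1 dev eth0       # NETB1 = default gateway
ip route add 10.0.0.0/24 via 192.0.2.5 dev eth1   # NET D via NETC1

# --- /etc/shorewall/zones   (ZONE  DISPLAY  COMMENTS) ---
net     Net     Internet, reached through the Checkpoint on the NETB link
vpn     VPN     Road warriors, after FreeS/WAN has decrypted their traffic
loc     Local   NET D (S1..S3), reached through the Checkpoint on NETC

# --- /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS) ---
net     eth0    detect
loc     eth1    detect
vpn     ipsec0  -             # KLIPS virtual interface bound to eth0

# --- /etc/shorewall/tunnels   (TYPE  ZONE  GATEWAY  GATEWAY ZONE) ---
# Road warriors have no fixed address, so any peer in the net zone may
# bring up IKE (UDP 500) and ESP/AH towards the firewall.
ipsec   net     0.0.0.0/0

# --- /etc/shorewall/policy   (SOURCE  DEST  POLICY  LOG LEVEL) ---
vpn     loc     ACCEPT                # decrypted tunnel traffic into NET D
fw      loc     ACCEPT                # SSH terminal users work from the box
loc     all     DROP    info
net     all     DROP    info
all     all     REJECT  info          # vpn->net, vpn->vpn, vpn->fw: rejected

# --- /etc/shorewall/rules   (ACTION  SOURCE  DEST  PROTO  DEST PORT(S)) ---
ACCEPT  net     fw      tcp     22    # SSH terminal users from the Internet

# --- /etc/shorewall/masq   (INTERFACE  SUBNET  ADDRESS) ---
# Everything that leaves eth1 and originated on ipsec0 is translated to
# the NETC2 address, so NET D only ever sees 192.0.2.6 for tunnel users.
# SSH terminal users run on the firewall itself and already leave eth1
# with 192.0.2.6 as source, so they need no masq entry.
eth1    ipsec0  192.0.2.6

# --- /etc/ipsec.conf   (FreeS/WAN 2.x, road warrior connection) ---
config setup
        interfaces=%defaultroute      # ipsec0 on eth0, the NETB2 link
        klipsdebug=none
        plutodebug=none

conn roadwarrior
        left=%defaultroute
        leftid=@vpn-gw                # placeholder name-style ID, see note
        leftsubnet=10.0.0.0/24        # NET D, the network clients may reach
        leftrsasigkey=0sAQ...         # placeholder: output of
                                      #   ipsec showhostkey --left
        right=%any                    # client address unknown in advance
        rightrsasigkey=0sAQ...        # placeholder: the client's public key
        authby=rsasig
        auto=add                      # responder only: wait for the client
```

Two points worth checking against this layout. First, the vpn zone is deliberately given no policy towards net or towards itself, so a road warrior's traffic can only go to NET D and the REJECT catch-all stops the box from being used as a relay back to the Internet; `shorewall check` will show the resulting chains before anything is loaded. Second, if the Checkpoint translates the public IP NETA to NETB2 (an assumption, the message does not say how the Checkpoint hands the traffic over), the client negotiates with NETA while the gateway's own address is NETB2; using a name-style `leftid` such as the placeholder above, rather than the default address ID, keeps the identity check independent of that translation, and `ipsec verify` plus `ipsec auto --status` are the quickest way to confirm KLIPS and Pluto came up on the expected interface.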