Admin_Axel@congos-tools.com
2003-Nov-11 11:55 UTC
[Shorewall-users] Maybe OT but still: Dynamic IP <-> Fixed IP IPSEC tunnels from various OS's
Good evening, while this is off topic it might not be completely. What I am asking for is actually your opinion on whether I missed anything which might cause Shorewall/netfilter to fail on this setup. I already asked something similar not that long ago, but this is a variation of the concept. The basic setup should look as follows:

                Big Bad Internet
                       |
                       | IP NETA
                -----------------
                |               |
            IP NETB1         IP NETB2
                |               |
        |-()-----------|  |-----------()-|
        | Checkpoint   |  |  Shorewall   |
        |     FW       |  |  Freeswan    |
        |-()-----------|  |-----------()-|
                |               |
            IP NETC1         IP NETC2
                |               |
                -----------------
                       |
                  | IP NET D |
                  -----------
                   |   |   |
                  S1  S2  S3

The problem is with IPSEC tunnels, actually with tunnels from dial-in (incl. DSL, cable) clients with no fixed IP address. While the Checkpoint NG does a great job managing up to 50 VPNs (partly star topology, partly fully interconnected), it fails on allowing non-Windows clients to connect (L2TP is possible, I know). Linux clients won't be supported, at least not in a way I would call stable.

The Shorewall in this scenario would take a.) roadwarrior VPNs and b.) SSH connections. It would need to take the traffic on IP NETB2, decrypt it and route it through IP NETC2 through IP NETC1 to IP NET D. This should work without any problem for the SSH users (at least those not using SSH tunnels but terminal-like connections). To make this work securely for IPSEC tunnel users I would need to NAT traffic going out through IP NETC2 (for IPSEC AND SSH users).

In this special case I am looking for negative feedback. I think this will work and I am wondering if I forgot something which might just kill the concept, either by technical means or because of security implications.

Axel Westerhold
DTS Systeme GmbH
Datacenter IT Security Team
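As an added illustration of the Shorewall side of the setup described above (example code, not from the original post or from the Shorewall project), the script below writes a Shorewall 1.4-style configuration for the Shorewall/FreeS/WAN box: three zones (Internet on IP NETB2, the leg towards the Checkpoint on IP NETC2, and the FreeS/WAN ipsec0 interface for decrypted roadwarrior traffic), a roadwarrior tunnel entry, an SSH rule to the firewall itself, and a masq entry so that traffic leaving towards IP NETC1 carries the IP NETC2 address. Interface names (eth0, eth1, ipsec0), the zone names and the directory argument are assumptions for the example; no addresses are needed because the masq entry uses the interface names.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions (constructed):
#   eth0   = IP NETB2, Internet-facing interface, zone "net"
#   eth1   = IP NETC2, leg towards the Checkpoint at IP NETC1, zone "loc"
#   ipsec0 = FreeS/WAN (KLIPS) interface carrying decrypted roadwarrior traffic, zone "vpn"
# write_shorewall_config DIR writes the Shorewall 1.4 table files into DIR
# (use /etc/shorewall on the real box; a scratch directory for a dry run).
set -eu

write_shorewall_config() {
    dir="$1"
    mkdir -p "$dir"

    cat > "$dir/zones" <<'EOF'
#ZONE   DISPLAY      COMMENTS
net     Net          Internet, reached via IP NETB2
loc     Local        Towards the Checkpoint (IP NETC1) and IP NET D
vpn     RoadWarrior  Decrypted IPSEC roadwarrior traffic
EOF

    cat > "$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter,tcpflags
loc     eth1        detect
vpn     ipsec0      -
EOF

    cat > "$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
fw      all     ACCEPT
vpn     loc     ACCEPT  info
loc     all     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF

    cat > "$dir/tunnels" <<'EOF'
#TYPE   ZONE    GATEWAY     GATEWAY ZONE
# IKE (udp 500) and ESP from any Internet address, terminating on this box:
# roadwarriors have no fixed IP, hence the 0.0.0.0/0 gateway
ipsec   net     0.0.0.0/0
EOF

    cat > "$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
# SSH users from the Internet log in to the firewall itself
ACCEPT  net     fw      tcp     22
EOF

    cat > "$dir/masq" <<'EOF'
#INTERFACE  SUBNET      ADDRESS
# Decrypted roadwarrior traffic leaving towards the Checkpoint is rewritten
# to the eth1 (IP NETC2) address, so the Checkpoint only ever sees IP NETC2.
# Sessions that SSH users start from the firewall itself already use the
# eth1 address as source and need no masq entry.
eth1        ipsec0
EOF
}

# masq_entries DIR: number of active (non-comment) masq lines, for a quick sanity check
masq_entries() {
    grep -vc '^#' "$1/masq"
}

# Dry run into a scratch directory when executed directly
if [ "${1:-}" = "--demo" ]; then
    demo_dir=$(mktemp -d)
    write_shorewall_config "$demo_dir"
    echo "wrote Shorewall tables to $demo_dir ($(masq_entries "$demo_dir") masq entry)"
fi
```

Because of the masq entry, every roadwarrior session arrives at the Checkpoint and at the servers in IP NET D with IP NETC2 as its source, so per-user accounting and any per-client policy have to be done on the Shorewall box (the vpn-to-loc policy above logs at info level for that reason); the Checkpoint can only distinguish "came from the Shorewall box" from everything else.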