Hi,

I would appreciate any advice to solve the following situation:

I have an IP phone that needs to be on a VPN network; it also needs
to get its IP address through the VPN. To connect to the VPN, the
only solution I have is Cisco AnyConnect. When the AnyConnect client
connects, it creates a tun interface that gets a dynamic IP address.
Is there any way to turn the AnyConnect machine into a site-to-site
VPN gateway? I went through the OpenVPN-related documentation () but
I am not clear.

Concretely, the configuration I am thinking of is (hopefully it will
not wrap):

                         +-------------------------------+
                         | cscotun0 (AnyConnect)         |
                         | (172.10.10.x; DHCP)           |
+-------+   +--------+   |                               |   +--------+   +-------+
| Modem |---| Router |---|eth0                      eth1 |---| Switch |---| Phone |
+-------+   +--------+   |                               |   +--------+   +-------+
                         +-------------------------------+    192.1.0.x    Must get a 172.x IP
                                                                           (through DHCP)

Thanks,
a.

--
New: GMX FreeDSL complete package with DSL 6,000 flat rate + telephone line for only 17.95 euros/month!*
http://dsl.gmx.de/?ac=OM.AD.PD003K11308T4569a
------------------------------------------------------------------------------
ame01@gmx.net wrote:
> Hi,
>
> I would appreciate any advice to solve the following situation:
>
> I have an IP phone that needs to be on a VPN network; it also needs
> to get its IP address through the VPN. To connect to the VPN, the
> only solution I have is Cisco AnyConnect. When the AnyConnect client
> connects, it creates a tun interface that gets a dynamic IP address.
> Is there any way to turn the AnyConnect machine into a site-to-site
> VPN gateway? I went through the OpenVPN-related documentation () but
> I am not clear.

What do you want the AnyConnect machine to do that it is not already
doing? From your description, it is unclear to me how this whole thing
is supposed to work.

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
> > I would appreciate any advice to solve the following situation:
> >
> > I have an IP phone that needs to be on a VPN network; it also needs
> > to get its IP address through the VPN. To connect to the VPN, the
> > only solution I have is Cisco AnyConnect. When the AnyConnect client
> > connects, it creates a tun interface that gets a dynamic IP address.
> > Is there any way to turn the AnyConnect machine into a site-to-site
> > VPN gateway? I went through the OpenVPN-related documentation () but
> > I am not clear.
>
> What do you want the AnyConnect machine to do that it is not already
> doing? From your description, it is unclear to me how this whole thing
> is supposed to work.

I would like the AnyConnect machine to behave like a gateway for the
IP phones - basically all the traffic from eth1 to go through
cscotun0. In other words, to behave like a Cisco ASA device (which is
a site-to-site VPN).

My first thought was that a bridge between cscotun0 and eth1 would
suffice but this falls short - I think because the VPN interface is
tun.

I know I am expressing poorly what I am looking for, please bear with
me.

Regards,
a.
ame01@gmx.net wrote:
>
> I would like the AnyConnect machine to behave like a gateway for the
> IP phones - basically all the traffic from eth1 to go through
> cscotun0. In other words, to behave like a Cisco ASA device (which is
> a site-to-site VPN).
>
> My first thought was that a bridge between cscotun0 and eth1 would
> suffice but this falls short - I think because the VPN interface is
> tun.
>
> I know I am expressing poorly what I am looking for, please bear with
> me.

I'm assuming that the Phone expects to use DHCP to acquire an IP
address? If so and if the VPN software you are using is incapable of
creating/using a tap device, I see no way to accomplish your goal.

-Tom
Tom Eastep wrote:
> ame01@gmx.net wrote:
>> I would like the AnyConnect machine to behave like a gateway for the
>> IP phones - basically all the traffic from eth1 to go through
>> cscotun0. In other words, to behave like a Cisco ASA device (which is
>> a site-to-site VPN).
>>
>> My first thought was that a bridge between cscotun0 and eth1 would
>> suffice but this falls short - I think because the VPN interface is
>> tun.
>>
>> I know I am expressing poorly what I am looking for, please bear with
>> me.
>
> I'm assuming that the Phone expects to use DHCP to acquire an IP
> address? If so and if the VPN software you are using is incapable of
> creating/using a tap device, I see no way to accomplish your goal.

You could try running dhcrelay on your local interface and specify the
DHCP server from the VPN. By setting the proxy arp flag on the local
interface (echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp), you might
be able to get the phone to work (if the phone doesn't depend on
broadcast for anything except DHCP).

-Tom
> >> I would like the AnyConnect machine to behave like a gateway for the
> >> IP phones - basically all the traffic from eth1 to go through
> >> cscotun0. In other words, to behave like a Cisco ASA device (which is
> >> a site-to-site VPN).
> >>
> >> My first thought was that a bridge between cscotun0 and eth1 would
> >> suffice but this falls short - I think because the VPN interface is
> >> tun.
> >>
> >> I know I am expressing poorly what I am looking for, please bear with
> >> me.
> >
> > I'm assuming that the Phone expects to use DHCP to acquire an IP
> > address? If so and if the VPN software you are using is incapable of
> > creating/using a tap device, I see no way to accomplish your goal.
>
> You could try running dhcrelay on your local interface and specify the
> DHCP server from the VPN. By setting the proxy arp flag on the local
> interface (echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp), you might
> be able to get the phone to work (if the phone doesn't depend on
> broadcast for anything except DHCP).

Wow, thanks! That is a nice thing to know. The phone needs DHCP
indeed and AnyConnect is just tun (and, what's more, seems to use its
own SSL brew).

Regards,
a.
ame01@gmx.net wrote:
>>>> I would like the AnyConnect machine to behave like a gateway
>>>> for the IP phones - basically all the traffic from eth1 to go
>>>> through cscotun0. In other words, to behave like a Cisco ASA
>>>> device (which is a site-to-site VPN).
>>>>
>>>> My first thought was that a bridge between cscotun0 and eth1
>>>> would suffice but this falls short - I think because the VPN
>>>> interface is tun.
>>>>
>>>> I know I am expressing poorly what I am looking for, please
>>>> bear with me.
>>> I'm assuming that the Phone expects to use DHCP to acquire an IP
>>> address? If so and if the VPN software you are using is incapable
>>> of creating/using a tap device, I see no way to accomplish your
>>> goal.
>> You could try running dhcrelay on your local interface and specify
>> the DHCP server from the VPN. By setting the proxy arp flag on the
>> local interface (echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp),
>> you might be able to get the phone to work (if the phone doesn't
>> depend on broadcast for anything except DHCP).
>
> Wow, thanks! That is a nice thing to know. The phone needs DHCP
> indeed and AnyConnect is just tun (and, what's more, seems to use its
> own SSL brew).

Also be sure to echo 1 > /proc/sys/net/ipv4/ip_forward ....

-Tom
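The relay mechanics behind Tom's suggestion (dhcrelay on eth1 plus proxy_arp, and the ip_forward switch from his follow-up), as an added example that is not code from the thread or from ISC dhcrelay: it implements the two legs of a BOOTP/DHCP relay the way RFC 2131 and RFC 1542 specify them. The point it makes is that the phone's broadcast DISCOVER never has to cross the tun; the relay stamps its own eth1 address into giaddr and unicasts the request to the server, and the server unicasts its reply back to that giaddr. The addresses (relay 192.1.0.1 on eth1, DHCP server 172.10.10.1 behind cscotun0), the phone MAC and every packet are constructed for the example.

```python
"""Sketch of what a DHCP relay (ISC dhcrelay) does on each leg, per RFC 2131/1542.

Assumed addresses for this example (not from the thread): the relay box's
eth1 is 192.1.0.1 and the VPN-side DHCP server is 172.10.10.1, reached over
cscotun0.  The phone's MAC and every packet below are constructed samples.
"""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"                          # DHCP option cookie
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # 236-byte BOOTP header
MAX_HOPS = 16                                        # loop guard (dhcrelay: -c)
SERVER_PORT, CLIENT_PORT = 67, 68
BROADCAST_FLAG = 0x8000
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
DHCPDISCOVER, DHCPOFFER = 1, 2
ZERO = b"\0\0\0\0"

RELAY_IP = "192.1.0.1"                       # assumption: eth1 address -> giaddr
SERVER_IP = "172.10.10.1"                    # assumption: server behind cscotun0
PHONE_MAC = bytes.fromhex("001122334455")    # constructed sample MAC


def ip(dotted):
    return socket.inet_aton(dotted)


def build(op, xid, chaddr, options, hops=0, flags=0, ciaddr="0.0.0.0",
          yiaddr="0.0.0.0", siaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Assemble a DHCP packet: fixed BOOTP header, cookie, TLV options, END."""
    head = FIXED.pack(op, 1, 6, hops, xid, 0, flags, ip(ciaddr), ip(yiaddr),
                      ip(siaddr), ip(giaddr), chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return head + MAGIC + body + bytes([OPT_END])


def parse(pkt):
    """Return the fixed fields plus an {option code: raw value} map."""
    if len(pkt) < FIXED.size + 4 or pkt[FIXED.size:FIXED.size + 4] != MAGIC:
        raise ValueError("not a DHCP packet")
    names = ("op", "htype", "hlen", "hops", "xid", "secs", "flags", "ciaddr",
             "yiaddr", "siaddr", "giaddr", "chaddr", "sname", "file")
    msg = dict(zip(names, FIXED.unpack_from(pkt)))
    opts, i = {}, FIXED.size + 4
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                      # pad byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    msg["options"] = opts
    return msg


def relay_to_server(pkt, relay_ip, server_ip):
    """Phone -> server leg.  The broadcast arrives on eth1; the relay writes its
    eth1 address into giaddr, bumps hops and *unicasts* to the server, so no
    broadcast has to cross the tun.  Returns (packet, (dst, port)) or None."""
    m = parse(pkt)
    if m["op"] != BOOTREQUEST or m["hops"] >= MAX_HOPS:
        return None                          # not a request, or a relay loop
    out = bytearray(pkt)
    out[3] = m["hops"] + 1                   # hops lives at header byte 3
    if m["giaddr"] == ZERO:                  # only the first relay sets giaddr
        out[24:28] = ip(relay_ip)            # giaddr lives at bytes 24..27
    return bytes(out), (server_ip, SERVER_PORT)


def relay_to_client(pkt, relay_ip):
    """Server -> phone leg.  The server answers to giaddr:67 (RFC 2131 4.3.1);
    the relay re-emits the reply on eth1 where the phone can receive it."""
    m = parse(pkt)
    if m["op"] != BOOTREPLY or m["giaddr"] != ip(relay_ip):
        return None                          # not a reply, or not for this relay
    if m["ciaddr"] != ZERO:
        dst = socket.inet_ntoa(m["ciaddr"])  # renewing client already has an IP
    elif m["flags"] & BROADCAST_FLAG:
        dst = "255.255.255.255"              # client asked for a broadcast reply
    else:
        dst = socket.inet_ntoa(m["yiaddr"])  # needs a raw frame to chaddr: the
    return pkt, (dst, CLIENT_PORT)           # phone cannot ARP for yiaddr yet


def demo():
    """One DISCOVER/OFFER exchange through both legs; returns what happened."""
    discover = build(BOOTREQUEST, 0x3903F326, PHONE_MAC, flags=BROADCAST_FLAG,
                     options=[(OPT_MSG_TYPE, bytes([DHCPDISCOVER]))])
    upstream, server_dst = relay_to_server(discover, RELAY_IP, SERVER_IP)
    req = parse(upstream)
    # Constructed server reply.  A real server picks its pool from giaddr, so
    # this offer comes from the scope it holds for the relay's 192.1.0.x side.
    offer = build(BOOTREPLY, req["xid"], PHONE_MAC, hops=req["hops"],
                  flags=req["flags"], yiaddr="192.1.0.50", siaddr=SERVER_IP,
                  giaddr=socket.inet_ntoa(req["giaddr"]),
                  options=[(OPT_MSG_TYPE, bytes([DHCPOFFER])),
                           (OPT_SERVER_ID, ip(SERVER_IP))])
    downstream, client_dst = relay_to_client(offer, RELAY_IP)
    return {"server_dst": server_dst, "giaddr": socket.inet_ntoa(req["giaddr"]),
            "hops": req["hops"], "client_dst": client_dst,
            "yiaddr": socket.inet_ntoa(parse(downstream)["yiaddr"])}


if __name__ == "__main__":
    print(demo())
```

Two checks worth doing before blaming the tun. First, the server chooses the address pool from giaddr, so the phone is served from whatever scope the VPN-side server holds for the relay's eth1 address; if no such scope exists the server simply stays silent, and no amount of proxy ARP fixes that. Second, once the lease is in place the phone ARPs on eth1 for its gateway and for any peer the lease puts off its own link; proxy_arp on eth1 is what makes the relay box answer those ARPs, and ip_forward is what makes it then route the frames out cscotun0. The equivalent of this sketch with ISC dhcrelay is `dhcrelay -i eth1 172.10.10.1` (server address assumed), run alongside the two echo commands from the thread.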