Charles Stack on Mon, 31 Jan 2000 12:31:46 -0500 (EST)



RE: [PLUG] request for help in testing something...


Sorry... I was reading the "VPN Masquerade How-To".  It goes into a lengthy
discussion about patching the kernel and such.  But, it is unclear as to
what needs to be done for 2.2 kernel as it keeps switching back and forth
between 2.0 and 2.2.

In it they say the port forwarding and such work under 2.2 and the GRE and
ISAKMP packets (needed by VPNs running IPSEC) can be passed by the stock
kernel.  Then, if you read further, they seem to reverse that position.  So,
I haven't a clue what needs to be done to get a 2.2 Linux box configured
with IP Masq to pass encrypted packets created on a client workstation by the
likes of CheckPoint's SecureRemote software (which uses IPSEC).

Does anybody understand what I'm talking about?  I'm simply trying to get a
Windows client running CheckPoint's SecureRemote software to pass its
packets through my Linux router/gateway so I can communicate with another
VPN.

cjs


-----Original Message-----
From: plug-admin@lists.nothinbut.net
[mailto:plug-admin@lists.nothinbut.net]On Behalf Of Kyle Burton
Sent: Monday, January 31, 2000 11:08 AM
To: plug@lists.nothinbut.net
Subject: RE: [PLUG] request for help in testing something...


Sorry, I don't know what you're talking about.  I was trying to provide
a solution, for 2.2 series kernels, that followed the information in the
VPN mini howto, which is:

  /usr/doc/HOWTO/mini/VPN

on my system.  I have read that document, but do not possess 2 machines
suitable for testing the information in the document.  I haven't seen
anything mentioned about patching the kernel in that document.

I was under the assumption that the methodology that the VPN mini HOWTO
describes was a common way of creating a VPN with linux -- which I also
had heard was broken under the 2.1 and up series of kernels.

Thank you for your time.

k

------------------------------------------------------------------------------
"Think deterministically, act randomly."
    -- Unknown
mortis@voicenet.com
http://www.voicenet.com/~mortis
------------------------------------------------------------------------------

On Mon, 31 Jan 2000, Charles Stack wrote:

> Kyle, have you had any luck?
>
> I was reading through the VPN How-To again last night and I'm confused.  On
> one hand, it says you have to apply the patches to pass GRE and ISAKMP
> packets.  Then, if you follow the links, it tells you that the stock 2.2
> kernel can pass those packets.  You only need to make the mods if your
> server is going to vpn masq the clients...not if the clients are running
> something like CheckPoint's SecureRemote.
>
> But, it gets better.  Reading the links, they also tell you that they have
> had no success with Checkpoint's FWZ protocol.
>
> So...what is one to do?  Is it all really necessary to go through the
> hassles of patching the 2.2 kernel?
>
> cjs
>
> -----Original Message-----
> From: plug-admin@lists.nothinbut.net
> [mailto:plug-admin@lists.nothinbut.net]On Behalf Of Kyle Burton
> Sent: Friday, January 28, 2000 11:34 AM
> To: PLUG - Philadelphia Area Linux Users Group
> Subject: [PLUG] request for help in testing something...
>
>
> First, I've heard that the 2.2 series of kernels breaks the methodology
> used to create VPNs based on the VPN mini howto.  The reason that 2.2
> breaks the methodology, afaik, is that it breaks the pty-redir utility.
> The reason this happens, afaik, is because pty-redir looks for the
> controlling pty by stepping through all of the ptys in the /dev directory
> looking for the first one that it finds that is both readable and writable
> by the uid of the process running pty-redir.  Again, afaik, this breaks on
> 2.2 because of the unix98 ptys -- they're in /dev/pts, and named
> differently (eg: /dev/pts/1) instead of /dev/pty??.  So, I looked at the
> sources for
> pty-redir and tried to get it to work for the 2.2 kernel.
>
> One major change I made was to use ttyname(3) instead of trying to find
> the name by searching the file system -- so this should deterministically
> get the pty name -- and, in theory, it should work for 2.2 and 2.0 series
> kernels, as we're not searching for the file name, we're asking for the
> name.
>
> Anyway, my problem is I can't really test the rest of the equation -- I
> don't have 2 boxes where I can try setting up a VPN between.
>
> My question to those of you on the list is:  would anyone on the list be
> willing to help me test this version of pty-redir2 to see if it
> can be used under either kernel version to create a VPN based on the
> instructions in the VPN howto.  The 'new' version can be obtained from:
>
> http://www.bgw.org/projects/pty-redir2/
>
> If you do wish to try it, please download the pty-redir2-20000128.tar.gz,
> the pty-redir2.tar.gz was the first version and tried to follow the
> original pty-redir's methodology for finding the controlling pty, which
> could have led to problems (I think), so it's probably best not to use it.
>
> Thanks for your time,
> Kyle
>
>
> ------------------------------------------------------------------------------
> Live fast, die young, and leave a good looking corpse.
>     -- James Dean
> mortis@voicenet.com
> http://www.voicenet.com/~mortis
> ------------------------------------------------------------------------------
>
>
> ______________________________________________________________________
> Philadelphia Linux Users Group       -       http://plug.nothinbut.net
> Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
> General Discussion   -   http://lists.nothinbut.net/mail/listinfo/plug
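
The lookup change described in the quoted 28 January message (asking for the pty name with ttyname(3) rather than searching /dev for names shaped like /dev/pty??), shown as an added example that is not part of the thread and is not the pty-redir2 source. The function names and the Linux-specific ioctl allocation of the pty are assumptions made for illustration.

```c
#include <fcntl.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* The name shape the post says the old search expected: /dev/pty??.
 * FNM_PATHNAME keeps '?' from matching '/', so /dev/pts/N can never fit. */
int fits_legacy_pattern(const char *path) {
    return fnmatch("/dev/pty??", path, FNM_PATHNAME) == 0;
}

/* Allocate a Unix98 pty (Linux-specific ioctls), open its slave side and ask
 * the C library for that descriptor's name with ttyname(3).
 * Returns 0 and fills name, or -1 if no pty is available on this system. */
int pty_name_by_asking(char *name, size_t len) {
    char path[32];
    unsigned int n = 0;
    int unlock = 0, slave, rc = -1;
    int master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (master < 0) return -1;
    if (ioctl(master, TIOCSPTLCK, &unlock) == 0 &&
        ioctl(master, TIOCGPTN, &n) == 0) {
        snprintf(path, sizeof path, "/dev/pts/%u", n);
        slave = open(path, O_RDWR | O_NOCTTY);
        if (slave >= 0) {
            const char *asked = ttyname(slave);   /* ask, do not search */
            if (asked != NULL && strlen(asked) < len) {
                strcpy(name, asked);
                rc = 0;
            }
            close(slave);
        }
    }
    close(master);
    return rc;
}

int main(void) {
    char name[64];
    if (pty_name_by_asking(name, sizeof name) != 0) {
        puts("no pty available here");
        return 0;
    }
    printf("ttyname: %s, fits /dev/pty??: %d\n", name, fits_legacy_pattern(name));
    return 0;
}
```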