Pete Foley on Fri, 6 Oct 2000 10:57:36 -0400 (EDT)
Hey Group,

I just wanted to initiate a discussion about using a VPN client when on a masq'ed LAN. It seemed to me that at the meeting on Wednesday it was determined that it is not possible. However, I have had this working at home for some time now, but I wanted to verify my current network setup (so I could provide details) before I began to discuss this. Now, all that I basically know is that it works, and maybe as a result of this I have opened a security hole on my system, but I am sure that someone will let me know if I have done so.

So anyway, on to the details. I have a DSL connection with one static IP. I have a firewall box that has (obviously) a firewall script on it (I mainly set it up using the linux-firewall-tools site and then customized it for the stuff that I wanted enabled). I also have TCP Wrappers set up. My IP is masq'ed and the line is shared between 5 other boxes (one being my work laptop, the machine with the VPN client on it). The VPN software that my company uses is Shiva.

When I was first attempting to get the VPN client to work at home, I basically just plugged the laptop into the hub, started the client and hoped for the best. However, it was no surprise to me when it did not work. My first thought was that it was the firewall blocking it out. I did some research on Shiva, and on their site they provided a list of ports that the client used. I slapped those rules into my firewall and tried it again. Still a no go. Then I thought it might be my TCP Wrappers (I do not know if this is needed, but I did it anyway. I have never tried "undoing it", so this may not have any effect at all). I checked with the network guys at work and got the IP of the server. I then allowed that IP (I kind of trust the people I work with) in my hosts.allow (now that I think about it, this is probably not needed at all, since it is not a service that any of my systems are really providing; oh well). Tried it again and still no luck.
I then talked this over with some of the network guys at work, and they said that it was because I was in a masq'ed LAN at home, and changing my network setup to use DHCP may fix the problem. So I spent a lot of time setting that up, and it still did not do anything. I then undid the DHCP stuff and reverted back to my old setup.

I did some searching about this, and somewhere I read (I forget where) that VPN works through an IP tunnel. Hmm. I checked my kernel setup, and I did not have IP Tunneling enabled. I did a recompile with IP Tunneling enabled and tried it again, and what do you know, it worked! So it looked to me that having IP Tunneling on the firewall box made this work. Does having IP Tunneling enabled pose a security threat? I am in no way a network guru, so I have no idea.

My main question is this: Is the problem of using a VPN client from within a masq'ed LAN the problem, or is the fact that a firewall is present the problem? (Or what do people believe is the root cause of this issue?)

So now that I have spent so much time working on this, I can now work even more (since I can now work at home at night and on the weekend). Joy.

If it helps at all, the firewall box (and all of the other boxes that I run except my laptop) run Debian (Woody). On my laptop I use Windoze 2000 when I have to run the Shiva VPN client.

Any comments, questions, or "Dude, you are gonna get hacked quick with this setup" suggestions are welcome. I just thought that I would show that this is in fact possible and how I got it to work.

-Pete

-------------------------------------------------------
Pete Foley             | Windows hasn't increased
lynchman@speakeasy.org | computer literacy. It's
                       | just lowered the standard.
-------------------------------------------------------

Attachment: pgpikXmHwuyKV.pgp