Pete Foley on Fri, 6 Oct 2000 10:57:36 -0400 (EDT)



[PLUG] IP Masq and VPN Clients


Hey Group,

I just wanted to initiate a discussion about using a VPN client
when on a masq'ed LAN.  It seemed to me that at the meeting on
Wednesday it was determined that it is not possible.  However, I
have had this working at home for some time now but I wanted to
verify my current network setup (so I could provide details) before
I began to discuss this.  Now, all that I basically know is that it
works, and maybe as a result of this I have opened a security hole
on my system, but I am sure that someone will let me know if I have
done so.  So anyway, onto the details.

I have a DSL connection with one static IP.  I have a firewall box
that has (obviously) a firewall script on it (I mainly set it up
using the linux-firewall-tools site and then customized for the
stuff that I wanted enabled).  I also have TCP Wrappers set up.  My
IP is masq'ed and the line is shared between 5 other boxes (one
being my work laptop - the machine with the VPN Client on it.)  The
VPN software that my company uses is Shiva.

When I was first attempting to get the VPN Client to work at home,
I basically just plugged the laptop into the hub, started the
client and hoped for the best.  However it was no surprise to me
when it did not work.  My first thought was that it was the firewall
blocking it out.  I did some research on Shiva and on their site
they provided a list of ports that the client used.  I slapped
those rules into my firewall and tried it again.  Still a no go.
Then I thought it might be my TCP Wrappers (I do not know if this is needed,
but I did it anyway.  I have never tried "undoing it" so this may
not have any effect at all.) I checked with the network guys at
work and got the IP of the server.  I then allowed that IP (I kind of
trust the people I work with) in my hosts.allow (Now that I think
about it this is probably not needed at all, since it is not a
service that any of my systems are really providing - oh well).
Tried it again and still no luck.

I then talked this over with some of the network guys at work and
they said that it was because I was in a masq'ed LAN at home, and
changing my network setup to use DHCP may fix the problem.  So I
spent a lot of time setting that up and it still did not do
anything.  I then undid the DHCP stuff and reverted back to my old
setup.  I did some searching about this, and somewhere I read (I
forget where) that VPN works through an IP Tunnel.  Hmm.  I checked
my kernel setup and I did not have IP Tunneling enabled.  I did a
recompile with IP Tunneling enabled and tried it again, and what do
you know, it worked!  

So it looked to me that having IP Tunneling on the firewall box
made this work.  Does having IP Tunneling enabled pose a security
threat?  I am in no way a network guru so I have no idea.  My main
question is this: Is the problem of using a VPN client from within
a masq'ed LAN the problem or is the fact that a firewall is present
the problem? (Or what do people believe is the root cause of this
issue).  So now that I have spent so much time working on this, I
can now even work more (since I can now work at home at night and
on the weekend).  Joy.  

If it helps at all, the firewall box (and all of the other boxes
that I run except my laptop) run Debian (Woody).  On my laptop I
use Windoze 2000 when I have to run the Shiva VPN Client.  Any
comments, questions, or "Dude, you are gonna get hacked quick with
this setup" suggestions are welcome.  I just thought that I would
show that this is in fact possible and how I got it to work.

-Pete 
 -------------------------------------------------------
        Pete Foley       | Windows hasn't increased 
  lynchman@speakeasy.org | computer literacy. It's 
                         | just lowered the standard.  
 -------------------------------------------------------
