
Re: Linux box as an IPsec router



On Wed, Jan 23, 2002 at 09:02:05AM +0100, Olsen Gerhard-Just wrote:
> Hi, I'm investigating the possibility of using a Linux box as an IPsec router. I
> want to be able to connect Win clients to a LAN over the Internet using
> IPsec. There is a Win2k server set up with IPsec. Has anyone any experience
> with this?

Yes, the FreeS/WAN ipsec implementation for Linux (www.freeswan.org) can
interoperate with Win2k/XP, etc.  I have not used IPsec on Windows, but
am running an IPsec gateway on a Debian potato system, as well as
several IPsec hosts on various other Debian systems.

> It needs to completely block ALL other incoming and outgoing traffic. (I
> want to force the clients through a proxy.)

iptables.

> It has to be rock stable.

I've never had a Linux system crash.  The FreeS/WAN code is very high
quality, and has introduced no stability issues.

> Maybe it needs to have some form of local IP handling (DHCP etc.)

apt-get install dhcpd

> The server has a static IP but the IPsec router does not.

This is probably fine, but will require a bit of configuration magic.
The freeswan docs describe such a configuration as a "roadwarrior",
since it usually is used for mobile laptops.  I've got such a setup
running; however, the machine with the dynamic IP is not a gateway.

> I think there are some plug and pray routers that have these functions
> already, but if I can use a free Linux on an old PC.

Make sure the machine has enough CPU power to perform the encryption
fast enough to avoid any kind of performance hit.  I've got freeswan
running on a couple of fairly slow machines (a dual PPro 200 and a 300
MHz Apple PowerMac G3) and don't seem to have any problems.

> I heard something about the Windows implementation of the Kerberos V5
> Protocol not being compatible with the Kerberos V5 Protocol. Hence it does not
> work with anything else than Windows. Is this true?

This isn't related to IPsec (unless you plan on using kerberos to
exchange IPsec auth info, which you can't do in Linux anyway).  But yes,
MS broke kerberos.  They bolted Windows ACLs on to it, but since
non-Windows implementations don't know anything about ACLs, bad things
can happen.  If your KDC is a Unix system, though, I think you can make
things work.  Interoperability is not completely broken.

> Is there anything else I need to think about?

Make sure you read the interoperability docs.  Some tweaking must be
done to get different IPsec implementations to talk to each other.  This
info is linked from freeswan.org.

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
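As an added illustration (not code from the thread or from the FreeS/WAN project) of the "iptables" answer and of a gateway with a dynamic address: a default-deny ruleset that admits only IKE, ESP and AH on the Internet side and lets decrypted client traffic reach nothing but the local proxy. The interface names, the KLIPS ipsec0 device carrying decrypted tunnel traffic and the proxy port 3128 are assumptions.

```shell
#!/bin/sh
# Constructed example of a "default deny" ruleset for a FreeS/WAN gateway:
# only IKE/ESP/AH is accepted on the Internet side and decrypted client
# traffic may only reach the local proxy.  Assumed names (not from the
# thread): WAN interface eth0, LAN interface eth1, KLIPS virtual interface
# ipsec0 carrying the decrypted tunnel traffic, proxy listening on tcp/3128.
WAN=eth0; LAN=eth1; VPN=ipsec0; PROXY_PORT=3128
# IPT defaults to printing the commands (dry run); run with IPT=iptables
# as root to actually load them.
IPT="${IPT:-echo iptables}"

ipsec_gateway_rules() {
    # Everything not explicitly allowed below is dropped, in all directions.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # DHCP client on the WAN side (the router itself has a dynamic address)
    $IPT -A OUTPUT -o "$WAN" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT
    # IKE negotiation (udp/500), then ESP (protocol 50) and AH (protocol 51)
    $IPT -A INPUT -i "$WAN" -p udp --dport 500 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p udp --sport 500 -j ACCEPT
    for proto in 50 51; do
        $IPT -A INPUT -i "$WAN" -p "$proto" -j ACCEPT
        $IPT -A OUTPUT -o "$WAN" -p "$proto" -j ACCEPT
    done
    # Decrypted packets reappear on ipsec0; clients may only talk to the proxy
    $IPT -A INPUT -i "$VPN" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPT -A OUTPUT -o "$VPN" -p tcp --sport "$PROXY_PORT" ! --syn -j ACCEPT
    # The proxy itself reaches the LAN; only replies to it come back in
    $IPT -A OUTPUT -o "$LAN" -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Nothing is ever forwarded, so the proxy cannot be bypassed
    $IPT -A FORWARD -j DROP
}

ipsec_gateway_rules
```

Without NAT traversal (not part of FreeS/WAN at the time of this thread) clients behind a NAT device will not get ESP through, so the outside address of each roadwarrior must be routable.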