
Re: VPN on Kernel 2.4.18



Dave Scott, 2002-Mar-06 15:30 -0800:
> Thanks Jeff.
> 
> Wow, I thought this was going to be an easy task. :(
> Surely there must be thousands of others that have done just this.  
> 
>   |---------------------|
> |-|----Client(9x,2K)----|
> | |---------------------|
> | 	    |DSL Modem
> | 	    |
> | 	    |
> | |---------------------|
> | |-----Internet--------|
> | |---------------------|
> |	    |
> VPN	    |
> |	    |Public IP
> | |--------------------------|    Nat   |------------|
> | |----Firewall--------------|----------|Workstations|
> | |--Debian 2.2 W2.4Kernel---|          |------------|
> | |--------------------------|          192.168.0.10-200
> |	NAT |192.168.0.1
> |	    |
> |	    |
> | |----------------------------|
> | |---Windows NT 4.0 Server----|
> |-|---PP2P Installed-----------|
>   |----------------------------|
>            192.168.0.2
> 
> Need up to 6 VPN connections to the NT Server
> Is this possible.  Or is there just a better way to go about this.
> They don't have any money for Cisco or Hard Firewall.
> 
> At first I was going to use 2.2 Kernel because I read if you recompile
> the kernel and install ipfwd you can GRE multi connections across, but
> now I just read that 2.4 hasn't been configured to allow multi connects
> across, but the date of the article is old.
> Oh how confusing this is.
> 
> 
> Cheers 
> -Dave

Nice work on the ascii diagram!  :-)

Personally, I wouldn't use GRE for a VPN for the reasons I stated
on my previous response.  I'd say you have 2 solutions worth
considering:

1.  Use PPTP.  This works and the encryption is adequate, unless
anyone with some resources thinks you're hiding something
special  :-)   You'll need to open port 1723 on your firewall for
the incoming connections.  Just don't use MS-CHAPv2 for auth
here, there's a well-known vulnerability with it.  So, the remote
clients will run the native PPTP to connect directly to the NT
server, having turned on the PPTP support to receive connections.
Oh, and you'll actually need to port forward through the firewall
since you have NAT.  Or, you could run the Linux pptpd server on
the firewall to terminate the connections there and just route
normally on the private side.  I like the latter.

2.  Use Freeswan.  This is an IPSec solution that is much more
secure, but more complex too.  There are interworking issues
between Linux and Windows but there is some good information on
that on the web (a google search for "freeswan windows" will turn
up some of them).  So, in this scenario you'd run the Freeswan
server on the Firewall and terminate the connections there.  Be
sure to allow port 500 to connect to the firewall, and I think
protocol ESP as well.  That's what IPSec runs over.  You'll find
everything you'll need on the Freeswan website, and you'll need
to patch the kernel too.

That's all I can think of at the moment.  Having only time in
your budget is not so uncommon.  With VPNs, like with any other
security, the more secure the more complex...most of the time.

cya,
jc


-- 
Jeff Coppock		Systems Engineer
Diggin' Debian		Admin and User
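Firewall rules for the two options Jeff lists, as an added example that is not from the original post or from the FreeS/WAN or pptpd projects. The Debian box in the diagram is the 2.4-kernel NAT firewall; 192.168.0.2 (the NT server) and 192.168.0.0/24 (the LAN) come from the diagram, while the interface names eth0/eth1, the ppp+ and ipsec0 device names, the APPLY switch and the baseline state rules are assumptions for illustration. Two checks the post leaves implicit: PPTP needs IP protocol 47 (GRE) for the tunnel as well as TCP 1723 for control, so forwarding 1723 alone never brings a session up; and IKE is UDP 500 while ESP is IP protocol 50 (AH is 51), neither of which has a port number. The stock 2.4 netfilter had no PPTP/GRE call-ID tracking helper (that lived out of tree in patch-o-matic), which is the practical reason the "terminate on the firewall" variants are simpler than forwarding into the NT box.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for the Debian
# 2.4-kernel NAT firewall in the diagram, covering PPTP forwarded to the NT
# server, PPTP terminated on the firewall (pptpd) and IPsec (FreeS/WAN) on the
# firewall. Interface names and the APPLY switch are assumptions.
EXT_IF="${EXT_IF:-eth0}"     # assumed: DSL / public side
INT_IF="${INT_IF:-eth1}"     # assumed: 192.168.0.0/24 side
LAN="192.168.0.0/24"         # from the diagram
NT_SERVER="192.168.0.2"      # from the diagram
APPLY="${APPLY:-0}"          # 0 = print the rules (dry run), 1 = execute them

# run: print each rule, and execute it only when APPLY=1, so the whole
# ruleset can be reviewed before it touches a live firewall.
run() {
    echo "iptables $*"
    [ "$APPLY" = "1" ] && iptables "$@"
    return 0
}

# Assumed minimal baseline: default deny, stateful returns, LAN masqueraded.
common_state() {
    run -P INPUT DROP
    run -P FORWARD DROP
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
}

# Option 1a: PPTP terminated on the NT server behind NAT.
# Control is TCP 1723; the tunnel itself is GRE (IP protocol 47), which must be
# DNATed and forwarded too. Stock 2.4 has no GRE call-ID helper, so this is the
# fragile variant; fine for distinct remote addresses, not for many clients
# sharing one public IP.
pptp_forward_to_nt() {
    run -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 1723 -j DNAT --to-destination "$NT_SERVER"
    run -t nat -A PREROUTING -i "$EXT_IF" -p gre -j DNAT --to-destination "$NT_SERVER"
    run -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$NT_SERVER" -p tcp --dport 1723 -j ACCEPT
    run -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$NT_SERVER" -p gre -j ACCEPT
    run -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$NT_SERVER" -p gre -j ACCEPT
}

# Option 1b: pptpd on the firewall. Each client gets a pppN interface, which is
# then routed into the LAN like any other internal traffic.
pptp_on_firewall() {
    run -A INPUT -i "$EXT_IF" -p tcp --dport 1723 -j ACCEPT
    run -A INPUT -i "$EXT_IF" -p gre -j ACCEPT
    run -A FORWARD -i ppp+ -o "$INT_IF" -d "$LAN" -j ACCEPT
    run -A FORWARD -i "$INT_IF" -o ppp+ -s "$LAN" -j ACCEPT
}

# Option 2: FreeS/WAN on the firewall. IKE is UDP 500; ESP is IP protocol 50
# and AH is 51, neither has ports. KLIPS presents decrypted traffic on ipsec0
# (assumed name), which is forwarded into the LAN.
ipsec_on_firewall() {
    run -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    run -A INPUT -i "$EXT_IF" -p 50 -j ACCEPT
    run -A INPUT -i "$EXT_IF" -p 51 -j ACCEPT
    run -A FORWARD -i ipsec0 -o "$INT_IF" -d "$LAN" -j ACCEPT
    run -A FORWARD -i "$INT_IF" -o ipsec0 -s "$LAN" -j ACCEPT
}

# Usage: sh vpn-fw.sh {pptp-nt|pptp-fw|ipsec}   (APPLY=1 to execute)
case "${1:-}" in
    pptp-nt) common_state; pptp_forward_to_nt ;;
    pptp-fw) common_state; pptp_on_firewall ;;
    ipsec)   common_state; ipsec_on_firewall ;;
    *) echo "usage: $0 {pptp-nt|pptp-fw|ipsec}   (APPLY=1 to execute)" >&2 ;;
esac
```

Leave APPLY at its default of 0 to print the rules and read them through before running with APPLY=1. Remote Windows clients that sit behind their own NAT will not get ESP through it without a NAT-traversal arrangement, which is a separate problem from the rules shown here.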


