Centinul Apprentice
Joined: 28 Jul 2005 Posts: 232
Posted: Tue Jul 04, 2006 10:23 pm Post subject: Connecting to company VPN with unknown... [SOLVED]
The network setup is as follows:
<PC THAT WANTS TO CONNECT TO VPN> --- <Linksys WRT54G> -- <Linux Firewall> -- Internet --- <Company VPN>
Issue:
My wife would like to connect her company laptop to her VPN at work. The laptop runs Windows 2000 and I'm not sure what the company runs for an OS. At this point I'm not sure what I need installed on the firewall. Do I need VPN software installed on the firewall? If not what sort of rules do I need to apply to the firewall to allow this functionality?
If you need more information please let me know...
Thanks.
Centinul
::EDIT::
After enabling AH and ESP support in the kernel I added the following rules to my firewall and it now works.
Code:
# Connections are initiated by the laptop, so state NEW is only meaningful for
# packets LEAVING via the internet interface toward the VPN gateway.
# (The originally posted rules used -i <INTERNET INTERFACE> -d <VPN IP>, which
# matches nothing on a home firewall; direction corrected here.)
$IPT -A FORWARD -o <INTERNET INTERFACE> -d <VPN IP> -p udp --dport <VPN PORT> -m state --state NEW -j ACCEPT
$IPT -A FORWARD -o <INTERNET INTERFACE> -d <VPN IP> -p 47 -m state --state NEW -j ACCEPT   # GRE (only needed for PPTP)
$IPT -A FORWARD -o <INTERNET INTERFACE> -d <VPN IP> -p 50 -m state --state NEW -j ACCEPT   # ESP (IP protocol, not a port)
$IPT -A FORWARD -o <INTERNET INTERFACE> -d <VPN IP> -p 51 -m state --state NEW -j ACCEPT   # AH
# Replies arrive on the internet interface FROM the VPN gateway. Conntrack
# tracks ESP/AH/GRE generically by address pair, so ESTABLISHED matches them.
$IPT -A FORWARD -i <INTERNET INTERFACE> -s <VPN IP> -p udp --sport <VPN PORT> -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i <INTERNET INTERFACE> -s <VPN IP> -p 47 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i <INTERNET INTERFACE> -s <VPN IP> -p 50 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i <INTERNET INTERFACE> -s <VPN IP> -p 51 -m state --state ESTABLISHED,RELATED -j ACCEPT

Thanks for all the help!!
Last edited by Centinul on Thu Jul 06, 2006 9:21 pm; edited 1 time in total
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Tue Jul 04, 2006 10:42 pm Post subject:
depends on the type of VPN the company uses
could be e.g. PPTP-based, IPSec-based, SSL-based, etc.
normally any kind of VPN client software on the firewall shouldn't be needed - unless they use some very weird setup
more input please
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
Centinul Apprentice
Joined: 28 Jul 2005 Posts: 232
Posted: Wed Jul 05, 2006 12:56 am Post subject:
To my knowledge it's IPSec based.
-- Side Note --
Just out of curiosity then, what is the point of installing OpenVPN on firewalls if software isn't traditionally needed on firewalls?
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Wed Jul 05, 2006 7:56 am Post subject:
Centinul wrote:
To my knowledge it's IPSec based.
Just out of curiosity then, what is the point of installing OpenVPN on firewalls if software isn't traditionally needed on firewalls?

That's due to the (from a security point of view) somewhat questionable 'behaviour' of 'modern admins' of mixing up two different things on one box. A firewall should be installed with minimal software, i.e. only a hardened OS + packet filter; a VPN endpoint such as OpenVPN should be installed on a separate machine - segregation of duties.
Mostly it is OK to have both on the same hardware (it works) but, as said, one *should* separate them.
Same goes for any other kind of software on the real packet filters/machines directly exposed to the internet. If you're a real hardliner those machines aren't even reachable by ssh but only via serial console - nearly impossible to hack into such systems from remote.
For letting an IPSec based VPN 'through' your firewall you need to configure at least a forwarding/passthrough for IP protocol (*not* port!) 50, maybe 47 too, plus udp port 500. If the VPN utilizes NAT-T the udp port used (often) is either 4500 or 10001.
In the easiest case your wife has some VPN client on her windows machine which does the connection. Depending on the exact setup no changes might be needed on your firewall - e.g. mine has no special rules for IPSec treatment and I can open my IPSec-VPN tunnel to my office from inside.
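As an added example (not code from the thread or from either poster), here is a complete IPsec passthrough rule set for a Linux packet filter that forwards one internal client to one remote IPsec gateway, covering both directions explicitly. Interface names, the gateway address (203.0.113.10, a documentation address) and the NAT-T port are assumptions; the script prints the generated rules by default and only applies them when invoked as `apply`.

```bash
#!/bin/sh
# Added example, not from the thread. IPsec passthrough for a Linux firewall in
# the FORWARD path. All names/addresses below are assumptions for illustration.
IPT=${IPT:-iptables}
WAN=${WAN:-eth0}                 # assumed internet-facing interface
LAN=${LAN:-eth1}                 # assumed interface toward the WRT54G / laptop
VPN_IP=${VPN_IP:-203.0.113.10}   # assumed company IPsec gateway (TEST-NET-3)
NATT_PORT=${NATT_PORT:-4500}     # RFC 3948 default; some vendors use another port

# Emit the rules as text so they can be reviewed (and tested) before applying.
# Arguments: wan_iface lan_iface gateway_ip [natt_udp_port]
ipsec_passthrough_rules() {
    wan=$1; lan=$2; gw=$3; natt=${4:-4500}
    # Outbound, client -> gateway. Everything the client initiates leaves via
    # the WAN interface, so this is the only direction where state NEW applies:
    #   IKE    udp/500    (ISAKMP)
    #   NAT-T  udp/$natt  (UDP-encapsulated ESP and IKE once NAT is detected)
    #   ESP    IP protocol 50 (a protocol number, not a port)
    #   AH     IP protocol 51 (rarely used; harmless when limited to one peer)
    # GRE (protocol 47) belongs to PPTP, not IPsec, and is deliberately absent.
    for match in "-p udp --dport 500" "-p udp --dport $natt" "-p 50" "-p 51"; do
        echo "$IPT -A FORWARD -i $lan -o $wan -d $gw $match -m state --state NEW -j ACCEPT"
    done
    # Return traffic, gateway -> client, arrives on the WAN interface with the
    # gateway as SOURCE. nf_conntrack tracks ESP/AH as generic flows keyed on
    # (src, dst, protocol), so ESTABLISHED matches them just like the UDP flows.
    echo "$IPT -A FORWARD -i $wan -o $lan -s $gw -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Number of ACCEPT rules a generated set contains (sanity check before applying).
rule_count() { ipsec_passthrough_rules "$@" | grep -c -- '-j ACCEPT'; }

case ${1:-show} in
    apply)  # needs root and net.ipv4.ip_forward=1
        ipsec_passthrough_rules "$WAN" "$LAN" "$VPN_IP" "$NATT_PORT" | sh ;;
    *)      ipsec_passthrough_rules "$WAN" "$LAN" "$VPN_IP" "$NATT_PORT" ;;
esac
```

Run it without arguments to review the rules; `apply` pipes them to `sh`. The part that is easy to get backwards is the direction: NEW only makes sense leaving toward the gateway, and replies are matched by source address on the WAN side. If the firewall also NATs the LAN, the generic ESP conntrack entry can map replies back to a single internal peer only; a second machine behind the same NAT needs NAT-T. To confirm packets are reaching the firewall at all, `tcpdump -ni eth0 'udp port 500 or udp port 4500 or ip proto 50 or ip proto 51'` on the WAN side shows inbound IKE and ESP before the filter decides anything about them.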
kashani Advocate
Joined: 02 Sep 2002 Posts: 2032 Location: San Francisco
Posted: Wed Jul 05, 2006 6:16 pm Post subject:
Think4UrS11 wrote:
That's due to the (from a security point of view) somewhat questionable 'behaviour' of 'modern admins' of mixing up two different things on one box. A firewall should be installed with minimal software, i.e. only a hardened OS + packet filter; a VPN endpoint such as OpenVPN should be installed on a separate machine - segregation of duties.
Mostly it is OK to have both on the same hardware (it works) but, as said, one *should* separate them.
Same goes for any other kind of software on the real packet filters/machines directly exposed to the internet. If you're a real hardliner those machines aren't even reachable by ssh but only via serial console - nearly impossible to hack into such systems from remote.

I can explain the motivation of the VPN/firewall box. In a small office environment the firewall is usually the gateway. Doing VPN to anything but the gateway involves some routing or a VPN that will double NAT. Double NAT is fairly new in most VPN software, at least at the low end, and most people choose to use the firewall/gateway as their VPN device to keep the config simple and foolproof.
kashani
_________________
Will personally fix your server in exchange for motorcycle related shop tools in good shape.
Centinul Apprentice
Joined: 28 Jul 2005 Posts: 232
Posted: Thu Jul 06, 2006 12:28 am Post subject:
Still no go. I've enabled everything that I can think of, and when she tries to connect it acts like it's connecting and then it says "connection is lost." Monitoring my logs in real time doesn't seem to show anything hitting the firewall. I'm at a loss.