loop_until
asked on
Complex VPN Configuration - XP>Iptables>BEFVP41
Hi networking experts,
I need help with a complex (well, for me at the moment) VPN configuration for my office. Basically, what I want to accomplish is to connect roadwarriors or home workers to the office so they can securely access resources such as Windows file systems and so on.
Here is the setup:
- I have a Linksys BEFVP41 router that will be used as an IPSec endpoint with a static address (123.456.789.195).
- All workers have Windows 2000 and Windows XP computers and highspeed connections with dynamic IP addresses.
- I have an XP laptop behind a Linux box with iptables doing masquerade and a dynamic address (but I have a static whatever.dyndns.org address if it helps).
- The office network has a free 192.168.1.200/24 to 192.168.1.225/24 address range. All the network resources are contained within the 192.168.1.0/24 network.
- At home, my network is 192.168.0.0/24 with my laptop having a local address given by DHCP.
I want my laptop behind my Linux box to connect to the BEFVP41 so I can test my whole setup. I'll deal with the other roadwarriors after. I know there is a Linksys tutorial (http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=207) to connect my Windows box to the router, but I'm not sure what configuration to set up on the BEFVP41 to access the office network. Also, I know passing the Linux box will be difficult and I'll probably have to set up an IPSec passthrough of some kind.
Here's the deal: I know there are a lot of points to answer within this question, so 500 points will be the start. If someone can help me set up my laptop behind the Linux firewall/gateway to the BEFVP41 while explaining everything so I can understand what I'm doing, I'll raise those points for your help. I have some networking knowledge, so you can explain quickly the steps you want me to take; I'll ask if I need further explanations. I'm also willing to share if more than one expert can contribute.
And please don't bother to give me the support page and the manual from Linksys, I've read them already.
If you have a different setup to propose, I'll listen, but it should not require other hardware than the BEFVP41 or non-free software. It is the Windows boxes that should connect to the IPSec endpoint, not the Linux box.
Thanks in advance for your help everyone!
ASKER
Thanks for jumping in grblades.
Ok, so how would I forward the traffic to my laptop correctly if I work in DROP mode for the INPUT and FORWARD?
### basic rules
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
### enable masquerade and forwarding
/sbin/iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
/sbin/iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
### state RELATED for router
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
### ipsec passthrough
/sbin/iptables -t nat -A POSTROUTING -p udp --dport 500 ### how to forward here?
/sbin/iptables -t nat -A POSTROUTING -p esp ### do I have to hardcode DHCP-provided IP address of my laptop?
### servers
# ...
### enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
### save
/sbin/iptables-save > /etc/sysconfig/iptables
We're on the right track. Thanks again grblades. I just need a little more precision for this point.
Aren't you establishing the VPN from the Windows box behind the Linux router?
If you are, then you don't need to forward the ports. The firewall will see the outgoing traffic and allow the replies back in. If it is not intelligent, then you may need to permanently direct ESP to your Windows notebook.
I haven't done much with iptables so cannot say exactly how to do it.
ASKER
Yes, the traffic is issued from the Windows box behind the router, so I guess it can remember when a packet was sent and needs an answer. Although, I'm not sure I understand what's happening when the network on the VPN endpoint side needs to send something to my laptop when the tunnel is established.
Normally when it sees you send an ESP packet the firewall will permit all replies until nothing has been sent for a specific period of time. You just need to hope that iptables is intelligent enough to track the ESP session and allow the replies back.
ASKER
Ok, that's definitely an interesting answer. I won't forget your contribution while distributing the points.
Does somebody know if iptables is intelligent enough to track the ESP session?
I still need answers about configuring my BEFVP41 correctly to allow simultaneous roadwarriors to connect with dynamic IPs, and what addresses to specify in the secpol.msc program on the Windows boxes, as we have dynamic IPs on one end and a static IP on the BEFVP41 end.
There are known issues with Linksys routers - upgrade to the latest firmware before you try anything else!
ASKER
Ok, thanks for trying, but I did not get an answer close to what I was asking for (for a 500 points question).
I will ask for a refund if nobody can help me more with this.
ASKER
grblades, you might claim some points here for trying to help:
https://www.experts-exchange.com/questions/21226691/Points-for-grblades.html
Have a nice day.
There is some useful information here. You might wish to consider PAQ/Refund instead.
ASKER CERTIFIED SOLUTION
To forward esp you can just specify esp as the protocol ("-p esp" in the iptables line) in iptables.
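The following is an added example, not the asker's script and not anything grblades or Linksys posted. It takes the asker's default-deny rule set and fills in the two open points from the thread: outbound IKE (UDP 500) and ESP are allowed explicitly with `-p esp`, replies are left to connection tracking, and the "permanently direct ESP to the notebook" fallback is implemented as an optional DNAT to one pinned address. Assumed values are constructed for the example: the LAN is 192.168.0.0/24 on eth1, the WAN is eth0, and VPN_GW reuses the question's placeholder 123.456.789.195, which is not a real address and has to be replaced. By default IPTABLES is a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny iptables gateway that
# lets one LAN host bring up an IPsec tunnel to a remote gateway, relying on
# connection tracking for the replies, with an optional DNAT fallback that
# pins ESP/IKE to one fixed LAN host.
# Assumed values (constructed): LAN 192.168.0.0/24 on eth1, WAN on eth0,
# VPN_GW = the question's placeholder 123.456.789.195 (not a valid address).
# IPTABLES defaults to a dry run that only prints the commands.

IPTABLES="${IPTABLES:-echo /sbin/iptables}"
LAN_NIC="${LAN_NIC:-eth1}"
WAN_NIC="${WAN_NIC:-eth0}"
LAN_IP_NET="${LAN_IP_NET:-192.168.0.0/24}"
VPN_GW="${VPN_GW:-123.456.789.195}"

# Usage: ipsec_passthrough_rules [pinned_client_ip]
ipsec_passthrough_rules() {
    client="$1"

    # Default-deny policies, as in the asker's script.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # LAN may initiate anything; replies come back through the state match.
    $IPTABLES -A FORWARD -i "$LAN_NIC" -s "$LAN_IP_NET" -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_NIC" -s "$LAN_IP_NET" -j MASQUERADE

    # Outbound IKE (UDP 500), NAT-T (UDP 4500) and ESP towards the VPN gateway.
    # The broad FORWARD rule above already allows these; listing them keeps the
    # policy readable and is what remains if that rule is later tightened.
    $IPTABLES -A FORWARD -i "$LAN_NIC" -o "$WAN_NIC" -p udp -d "$VPN_GW" --dport 500 -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_NIC" -o "$WAN_NIC" -p udp -d "$VPN_GW" --dport 4500 -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_NIC" -o "$WAN_NIC" -p esp -d "$VPN_GW" -j ACCEPT

    # Inbound: conntrack tracks ESP as a generic protocol keyed only on the two
    # addresses, so the gateway's ESP back to the WAN address is matched as
    # ESTABLISHED and un-NATed to the host that sent first. That also means
    # only one LAN host per remote gateway at a time. If tracking does not hold
    # up, pin ESP and IKE to a fixed client address (give it a DHCP reservation).
    if [ -n "$client" ]; then
        $IPTABLES -t nat -A PREROUTING -i "$WAN_NIC" -p esp -s "$VPN_GW" -j DNAT --to-destination "$client"
        $IPTABLES -t nat -A PREROUTING -i "$WAN_NIC" -p udp -s "$VPN_GW" --dport 500 -j DNAT --to-destination "$client"
        $IPTABLES -A FORWARD -i "$WAN_NIC" -o "$LAN_NIC" -p esp -s "$VPN_GW" -d "$client" -j ACCEPT
        $IPTABLES -A FORWARD -i "$WAN_NIC" -o "$LAN_NIC" -p udp -s "$VPN_GW" -d "$client" --dport 500 -j ACCEPT
    fi
}

# Stand-alone run prints the rules; set IPTABLES=/sbin/iptables to apply them
# (as root, with /proc/sys/net/ipv4/ip_forward set to 1 first).
ipsec_passthrough_rules "$@"
```

Two practical notes on this layout. First, the DNAT fallback is the only part that needs the laptop's DHCP-assigned address hard-coded, which is why the function takes it as an optional argument; without it, the ESTABLISHED,RELATED rules are doing all the work and the address can stay dynamic. Second, if both the Windows client and the BEFVP41 negotiate NAT traversal, ESP travels inside UDP 4500 and the plain `-p esp` rules are never exercised; if either end lacks it, raw ESP plus generic conntrack is the path, with the one-client-per-gateway limit noted in the comments.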