Hello All! I finally have to break down and ask the list for help! Here is what I have:
    ***************
    * Private Net *
    ***************
          |
          |
    ***************
    * VPN GATEWAY *
    *  200.0.0.1  *
    ***************
          |
          |   <- Internet
    LRP:  |
    **************************
    *                        *
    *  eth0: 66.156.xxx.xxx  *
    *                        *
    *  eth1: 192.168.1.254   *
    *                        *
    **************************
          |
          |  Internal network 192.168.1.0/24
          |
      hub/switch
       |  |  |
       |  |  INTERNAL WORKSTATIONS
       |  |
       |  |      **********
       |  +------* Ravlin *
       |  |      **********
       |  |          | 172.30.8.0
       |  |          | dhcp
       |  |      **********
       |  |      * LAPTOP *
       |  |      **********
       |  |
       |  +-------- 192.168.1.252
       +----------- 192.168.1.253

The Ravlin device has two interfaces (Local and Remote). The local interface faces the laptop, and the remote interface faces the LRP box. The Remote port accepts a DHCP address from the LRP and assigns an address (out of the local port) to the laptop. The Ravlin is configured to try to establish the IPSec tunnel with the remote VPN device (at 200.0.0.1). Also, I am not using AH, which I have read cannot be masqueraded.

I'm using the EigerStein2BETA floppy image, and I have tried using various modules, firewalls, and kernels to try to get this working, but for the life of me I have not gotten it working. I think what I need is to get the LRP to "passthrough" the IPSec traffic. At one point I tried some implementation of FreeS/WAN, but I'm thinking now that is more applicable when I want the IPSec tunnel to originate on the LRP. I need the tunnel established behind the LRP.

So. It's my understanding, after several very late nights of reading, building images, moving kernels, etc., that what I need is to "establish a masqueraded IPSec/VPN tunnel from a private network". Here are some of the places where I've been gathering information. Some of these docs have confused me, and others have really helped me out.

1. First I tried the ipsec.lrp module at http://lrp1.steinkuehler.net/Packages/ipsec1.5.htm

   I replaced my kernel, and added the package.
   But after looking through the ipsec.conf file, I started to think this would put the tunnel _ON_ the LRP, as opposed to having the LRP _pass_ the tunnel.

2. So then I started looking at "SeaWall" because in some of the documentation it states it has support for "VPN via ipip tunnels, IPSec..." and even makes a differentiation about the tunnel being ON the gateway machine or it being masqueraded behind it. So I thought I was really on to something here, but I couldn't get it right. Maybe I was configuring the /etc/seawall/tunnels file incorrectly. I had an entry like this:

   ipsec 200.0.0.1 192.168.1.254 192.168.1.0/24

   but this didn't seem to work.

   Additionally, the documentation at http://seawall.sourceforge.net/3.2/IPSEC.html suggests that running an IPSec tunnel on a masqueraded system is completely reasonable, but needs John Hardin's VPN Masquerading patch and ipfwd. It would appear that the kernels at http://lrp1.steinkuehler.net/files/kernels/Eiger-VPNMasq/ have this patch. So I built my new disk image with this kernel and gave things a go. But no luck. I also got and installed the ip_masq_ipsec.o to go along with the above kernel.

I'm feeling like I'm running in circles, and probably making this a LOT harder than it has to be. I got really excited when I found http://www.linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO-3.html and thought, hey, all I really have to do is allow (or masquerade) the traffic, and I'll be good to go. I did my best to get these ipchains rules applied to my configuration, but again, no luck.

I just can't believe this is that hard. I'm really thinking that I'm missing something pretty simple here. If anyone can point me in the right direction, I sure would appreciate it. Even if you can just help me understand what documentation actually applies to me and which docs are just confusing me, I sure would appreciate it :)

Thanks so much...
Chris Hackett

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
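The ipchains rules the post is trying to apply, written out as an added example that is not part of the original message, of SeaWall, or of the VPN Masquerade HOWTO. It assumes the VPN Masquerade kernel and the ip_masq_ipsec module from the post are installed on the LRP box; the LAN, peer and interface values are the ones from the post, and WAN_IP is a placeholder for the masked 66.156.xxx.xxx address. The masquerade rules only cover ESP (IP protocol 50) and IKE (UDP 500), which is the traffic the post says the Ravlin sends; AH is deliberately not handled, matching the post.

```shell
#!/bin/sh
# Added example (not from the post): ipchains masquerade rules for an IPsec
# client (ESP + IKE) sitting behind an LRP/LEAF gateway with the VPN
# Masquerade patch. Values below are the post's; WAN_IP is a placeholder.

LAN_NET="192.168.1.0/24"        # internal network behind eth1
VPN_PEER="200.0.0.1"            # remote VPN gateway from the post
WAN_IF="eth0"                   # external interface of the LRP box
WAN_IP="${WAN_IP:-66.156.0.1}"  # placeholder for the masked 66.156.xxx.xxx
IPCHAINS="${IPCHAINS:-ipchains}"

# With DRY_RUN=1 the commands are printed instead of executed, so the rule
# set can be reviewed on any machine before it is loaded on the gateway.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Kernel side: the patched masquerade module tracks ESP by SPI instead of
# ports, and forwarding must be on for the LAN to reach the peer at all.
vpn_masq_setup() {
    run modprobe ip_masq_ipsec
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# Firewall side: masquerade the outbound tunnel traffic from the LAN to the
# peer only, and accept the peer's replies on the external interface so the
# demasquerade step can hand them back to the Ravlin's remote port.
vpn_masq_rules() {
    # ESP from the LAN toward the peer (-i on the forward chain is the
    # outgoing interface in ipchains).
    run "$IPCHAINS" -A forward -i "$WAN_IF" -s "$LAN_NET" -d "$VPN_PEER" \
        -p 50 -j MASQ
    # IKE is UDP 500 to UDP 500; the patched module keeps the source port
    # at 500 instead of rewriting it, which most IKE peers insist on.
    run "$IPCHAINS" -A forward -i "$WAN_IF" -s "$LAN_NET" -d "$VPN_PEER" \
        -p udp --sport 500 --dport 500 -j MASQ
    # Inbound replies from the peer only, not ESP/IKE from anywhere.
    run "$IPCHAINS" -A input -i "$WAN_IF" -s "$VPN_PEER" -d "$WAN_IP" \
        -p 50 -j ACCEPT
    run "$IPCHAINS" -A input -i "$WAN_IF" -s "$VPN_PEER" 500 -d "$WAN_IP" 500 \
        -p udp -j ACCEPT
}

# Count how many MASQ rules the rule set produces; used to sanity-check the
# dry-run output (expected: 2, one for ESP and one for IKE).
count_masq_rules() {
    DRY_RUN=1 vpn_masq_rules | grep -c -- '-j MASQ'
}

if [ "${DRY_RUN:-0}" = 1 ]; then
    vpn_masq_setup
    vpn_masq_rules
fi
```

Run it with `DRY_RUN=1 sh vpn-masq.sh` first to read the generated commands; without DRY_RUN it applies them on the LRP box. The rules are scoped to the single peer on purpose: an `input` rule that accepts protocol 50 or UDP 500 from anywhere would let any host on the Internet push IKE or ESP at the gateway, which the HOWTO-style "just allow the traffic" approach can easily end up doing.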