On Fri, Nov 10, 2006 at 02:06:42PM -0600, Albert Chin wrote:
> On Fri, Nov 10, 2006 at 07:11:41PM +0100, Joachim Schipper wrote:
> > On Fri, Nov 10, 2006 at 09:34:42AM -0600, Albert Chin wrote:
> > > With the following firewall configuration, what recommendations does
> > > anyone have for how we should handle VPN? I see two solutions:
> > > 1. Forward ipsec from FIREWALL 1 to FIREWALL 2 with isakmpd running
> > > on FIREWALL 2.
> > > 2. Run isakmpd on FIREWALL 1 and nat the traffic from the VPN
> > > network to FIREWALL 2.
> > >
> > > I like method #2 because it doesn't allow direct access to isakmpd
> > > from the Internet.
> > >
> > > -----------------
> > > | INTERNET |
> > > --------o--------
> > > |
> > > |
> > > ------------o------------
> > > | |(dmz)
> > > +--------o FIREWALL 1 o-----
> > > | | |
> > > | -------------------------
> > > |
> > > |
> > > | -------------------------
> > > | | |
> > > +--------o FIREWALL 2 |
> > > | |
> > > -------------------------
> > > |(internal network)
> >
> > I'd just run isakmpd on FW1, especially if the VPN is mostly used to
> > access the internal network.
>
> Yes, the VPN will _only_ be used to access the internal network.
>
> > If there happens to be a big bug in isakmpd, you only expose the DMZ;
> > and if you misconfigure the firewall, which is a lot more likely, you
> > only expose the DMZ.
> >
> > Of course, if server A is only reachable internally and via VPN, FW2
> > must still trust FW1 to only feed it connections to server A that are
> > actually initiated by a VPN client. FW2 doing a second layer of
> > filtering seems to be the main point of the setup, so handle that.
>
> Yes. On FW2, we'll probably limit VPN connections to ssh, http, imap,
> etc.
>
> Expanding on the config some more:
> (fxp0)|(internal network - 192.168.0.0/24)
> --------o--------
> | VPN CLIENT |
> --------o--------
> |(fxp1 - 1.2.3.4)
> |
> --------o--------
> | INTERNET |
> --------o--------
> |
> |(fxp1 - 1.2.3.5)
> ------------o------------
> 192.168.10.1|(fxp0) |(dmz)
> +--------o FIREWALL 1 o-----
> | | |(fxp2)
> | -------------------------
> |
> |
> | -------------------------
> | | |
> +--------o FIREWALL 2 |
> 192.168.10.2|(fxp0) |
> ----------------o--------
> (fxp1)|(internal network - 192.168.1.0/24)
>
> If my ipsec.conf on the VPN CLIENT looks like:
> ike esp from 1.2.3.4 to 1.2.3.5
> ike esp from 1.2.3.4 to 192.168.1.0/24 peer 1.2.3.5
> ike esp from 192.168.0.0/24 to 192.168.1.0/24 peer 1.2.3.5
>
> And, on FW1, looks like:
> ike passive esp from 1.2.3.5 to 1.2.3.4
> ike passive esp from 1.2.3.5 to 192.168.0.0/24 peer 1.2.3.4
> ike passive esp from 192.168.1.0/24 to 192.168.0.0/24 peer 1.2.3.4
>
> Then, from the VPN CLIENT, how would an ssh connection to 192.168.1.1,
> server A on the internal network behind FW2, work? IPsec would encrypt
> the packet between 1.2.3.4 and 1.2.3.5, where it would be unencrypted,
> but on the external, fxp1 interface. How do I get 192.168.0.0/24
> traffic to the fxp0 interface, from fxp1, when fxp1 is on a private
> network between FW1 and FW2?
On a similar setup, /etc/hostname.$ext_if reads:

inet 192.168.X.Y 255.255.255.0 192.168.X.255
!route add 192.168.Z.0/24 192.168.X.1

If I understand the question correctly, this should solve your problem.
Joachim
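Added example, not from the thread: a longest-prefix-match route lookup over FW1's routing table, run before and after the static route from the reply above, with the thread's addresses filled in (FW1-FW2 link 192.168.10.0/24, FW2 at 192.168.10.2, internal network 192.168.1.0/24). It shows why the decrypted packet for server A otherwise leaves via the default route; the Internet next hop 1.2.3.1 is a constructed placeholder.

```python
"""Where FW1 forwards the VPN client's decrypted packet to server A."""
import ipaddress

# Constructed routing table for FW1: (destination, gateway, interface).
# Without a route for 192.168.1.0/24, the only match is the default route.
FW1_ROUTES_BEFORE = [
    ("0.0.0.0/0", "1.2.3.1", "fxp1"),        # default to the Internet (placeholder gw)
    ("1.2.3.0/24", None, "fxp1"),            # connected: external network
    ("192.168.10.0/24", None, "fxp0"),       # connected: FW1-FW2 link
]

# The same table after the static route suggested in the reply is added.
FW1_ROUTES_AFTER = FW1_ROUTES_BEFORE + [
    ("192.168.1.0/24", "192.168.10.2", "fxp0"),  # internal network via FW2
]


def lookup(routes, dst):
    """Return (gateway, interface) for dst using longest-prefix match;
    gateway is None for a directly connected network."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw, ifname)
    return (best[1], best[2]) if best else None


def next_hop_for_decrypted_packet(routes):
    """Next hop for the ssh packet to server A (192.168.1.1) once FW1 has
    stripped the outer ESP header of the 1.2.3.4 -> 1.2.3.5 tunnel."""
    return lookup(routes, "192.168.1.1")


if __name__ == "__main__":
    # Before: ("1.2.3.1", "fxp1"), i.e. back out to the Internet.
    # After:  ("192.168.10.2", "fxp0"), i.e. across the link to FW2.
    print("before:", next_hop_for_decrypted_packet(FW1_ROUTES_BEFORE))
    print("after: ", next_hop_for_decrypted_packet(FW1_ROUTES_AFTER))
```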