Re: [Leaf-user] Connecting to my company's Win2k server via VPN with L2TP/IPsec
At 2002-01-14 09:37 -0600, Charles Steinkuehler wrote:
> There's a VPN-Masquerading HOWTO available:
> http://linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html

Charles,

There is an article in issue 93 of Linux Journal that may help Eric. He can read it on-line at:

Issue 93: Setting up a VPN Gateway
January 01, 2002, by Duncan Napier
http://linuxjournal.com/article.php?sid=4772

--
Mike Noyes <[EMAIL PROTECTED]>
http://leaf.sourceforge.net/

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] Connecting to my company's Win2k server via VPN
DOH. Forgot a small piece: as Charles pointed out, in order to get VPN passthru to work, you need to uncomment the ip_masq_ipsec line in your /etc/modules file, back up the changes, and reboot. Since you're running Dachstein, you don't need to upgrade the kernel or anything too tricky.

Good luck!
-Scott

On Mon, 14 Jan 2002, Scott C. Best wrote:
> [...]
Re: [Leaf-user] Connecting to my company's Win2k server via VPN
Eric:

Heya. My wife connects to her corporate VPN server in very much the same way. Yes, it's true: I keep echoWall well-maintained because she makes me. :)

Give echowall.lrp a try. I do not think you need to install ipsec.lrp into your firewall: that will connect your entire home LAN into the corporate LAN and you probably want just one machine. That is, if you put ipsec.lrp onto your firewall, all of your home machines' requests to the Internet will "emerge" from behind your company's firewall. If you simply connect your one machine, though, your other machines will be unaffected.

I refer to this easier mode of IPSec usage as "VPN passthru", and I'm fairly confident your IT group at work will support it. Most home users have some "DSL router" appliance, like a LinkSys box, on their broadband connection, and the low-end boxes don't support the more complicated "VPN endpoint" mode. So, give echowall.lrp a try, and see if it flies for you. You'll notice in the .conf file that IPSec is already in the WANTED_SERVICES list. Yes, really, blame my wife for that one. :)

cheers,
Scott

> [...]
Re: [Leaf-user] Connecting to my company's Win2k server via VPN with L2TP/IPsec
Eric,

In the how-to Charles referred to, read section 6.1. It basically says that you may not be able to masquerade your IPSec connection, based on the AH and ESP protocols that are used. Therein is the problem for connecting to a Win2000 VPN server. Your IS people may be able to find a way around this, but it weakens security. PPTP may be easier for them to configure and it masquerades better, but that goes back to security.

cheers
edt

- Original Message -
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
To: "Eric Friedman" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Monday, January 14, 2002 11:37 AM
Subject: Re: [Leaf-user] Connecting to my company's Win2k server via VPN with L2TP/IPsec

> [...]
Re: [Leaf-user] Connecting to my company's Win2k server via VPN with L2TP/IPsec
> Third, I know very little about Linux -- largely because I lack
> experience -- but I was wondering if someone might point me in the right
> direction on this problem. As an additional bit of information, a guy
> in the IS department informed me that UDP ports 500 and 1701 would be
> involved in the solution, but I am not certain how to act on this
> information in configuring my router.
>
> I have begun to look at the ipsec.lrp package available for Dachstein,
> but I have not been able to use it to solve my problems. I do not know,
> however, if this is a fault in my configuration of the package or if the
> package does not support Level 2 Tunneling (L2TP).

You probably don't want the IPSec software running on your firewall. You can leave the IPSec client on your windows box, but you'll need masquerading support for the IPSec protocol. There's a VPN-Masquerading HOWTO available:
http://linuxdoc.org/HOWTO/VPN-Masquerade-HOWTO.html

Basically, you need to load the ip_masq_ipsec masquerade helper module, and allow UDP port 500 and IP protocol 50 traffic between your firewall and the VPN peer.

For the kernel module, just make sure ip_masq_ipsec.o is in /lib/modules, and make sure it's being loaded in /etc/modules.

To setup the firewall rules, you'll need something like:

EXTERN_UDP_PORTS="0/0_500"
EXTERN_PROTO0="50 0/0"

NOTE: You can change the 0/0 (the whole internet) to the particular IP address(es) of the far end of your VPN system, if there's a short list of IPs you'll be connecting to.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
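Scott's follow-up (the ip_masq_ipsec line in /etc/modules) and Charles's two network.conf lines are the whole "VPN passthru" prerequisite list for this setup, so a quick check over those files is worth having before rebooting the floppy. The script below is an added example; it is not Dachstein's code and not something either poster supplied. It assumes only the syntax quoted on the list (EXTERN_UDP_PORTS="0/0_500", EXTERN_PROTO0="50 0/0"), takes the file paths as arguments so it can run against copies, and builds its own constructed sample files for the demonstration.

```shell
#!/bin/sh
# Added example (not from the list posts): check the two prerequisites for
# Dachstein "VPN passthru" that Scott and Charles name:
#   1. an uncommented ip_masq_ipsec entry in /etc/modules
#   2. UDP 500 in EXTERN_UDP_PORTS and IP protocol 50 in an EXTERN_PROTOn
#      entry of network.conf (syntax as quoted on the list: "0/0_500", "50 0/0")
# Paths are arguments so it can run against copies. Any config syntax beyond
# the two lines Charles gave is an assumption, not something verified here.

conf_value() {
    # Print the value of KEY="..." from file $2 with quotes stripped (last match wins).
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$2" | tail -n 1
}

check_modules() {
    # A leading '#' leaves the helper unloaded, which is the slip Scott describes.
    grep -q '^[[:space:]]*ip_masq_ipsec' "$1"
}

check_udp500() {
    # Entries are <source>_<port>; IKE needs UDP 500 from the VPN peer.
    for entry in $(conf_value EXTERN_UDP_PORTS "$1"); do
        case "$entry" in *_500) return 0 ;; esac
    done
    return 1
}

check_proto50() {
    # EXTERN_PROTO0, EXTERN_PROTO1, ... hold "<protocol> <source>"; 50 is ESP.
    grep -E '^[[:space:]]*EXTERN_PROTO[0-9]+="?50[[:space:]]' "$1" >/dev/null
}

warn_wide_open() {
    # Charles's NOTE: 0/0 admits the whole Internet; narrow it to the VPN peer(s) when you can.
    for entry in $(conf_value EXTERN_UDP_PORTS "$1"); do
        case "$entry" in 0/0_500) echo "note: UDP 500 is open to 0/0; restrict it to the VPN server address if known" ;; esac
    done
}

vpn_passthru_check() {
    # $1 = path to /etc/modules, $2 = path to network.conf; returns 0 when everything is present.
    rc=0
    check_modules "$1" || { echo "missing: ip_masq_ipsec not enabled in $1"; rc=1; }
    check_udp500 "$2"  || { echo "missing: UDP 500 (IKE) not in EXTERN_UDP_PORTS in $2"; rc=1; }
    check_proto50 "$2" || { echo "missing: IP protocol 50 (ESP) not in any EXTERN_PROTOn in $2"; rc=1; }
    [ "$rc" -eq 0 ] && warn_wide_open "$2"
    return "$rc"
}

make_samples() {
    # Constructed sample files; not taken from a real Dachstein box.
    SAMPLE_DIR=$(mktemp -d)
    printf '%s\n' '# /etc/modules (constructed)' 'ip_masq_ftp' 'ip_masq_ipsec'  > "$SAMPLE_DIR/modules.good"
    printf '%s\n' '# /etc/modules (constructed)' 'ip_masq_ftp' '#ip_masq_ipsec' > "$SAMPLE_DIR/modules.bad"
    printf '%s\n' 'EXTERN_UDP_PORTS="0/0_500"' 'EXTERN_PROTO0="50 0/0"'          > "$SAMPLE_DIR/network.good"
    printf '%s\n' 'EXTERN_UDP_PORTS="0/0_53"'                                     > "$SAMPLE_DIR/network.bad"
    GOOD_MOD=$SAMPLE_DIR/modules.good;  BAD_MOD=$SAMPLE_DIR/modules.bad
    GOOD_CONF=$SAMPLE_DIR/network.good; BAD_CONF=$SAMPLE_DIR/network.bad
}

make_samples
vpn_passthru_check "$GOOD_MOD" "$GOOD_CONF" && echo "good sample: passthru prerequisites present"
vpn_passthru_check "$BAD_MOD" "$BAD_CONF"   || echo "bad sample: fix the items listed above"
```

On a real box you would call `vpn_passthru_check /etc/modules /etc/network.conf` (the path of the network configuration file is an assumption; use whatever Dachstein's documentation names on your image). The 0/0 warning is deliberately advisory rather than a failure, since Charles's note makes narrowing the source optional when the VPN server's address is not fixed.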
Re: [Leaf-user] Connecting to my company's Win2k server via VPN with L2TP/IPsec
Hi Eric,

Here are two main points about IP/Sec, which is the problem you are having.

* IP/Sec can be configured in two methods, Endpoint and Tunnel.
* The IP address of the encrypting computer is used in the encryption algorithm. (So it cannot be modified).

I believe that most people who are using ipsec.lrp are using it as a tunnel between two LRP boxes. This allows all traffic flowing between two segments, separated by the Internet, to be encrypted. In this case, both computers have non-translated (non-masq'ed), public addresses, but the computers on the segment can have translated addresses, since they are doing the encryption.

The other method of using IP/Sec is endpoints. If your LAN is not using a tunnel to create a secure connection, then an individual host can; but that host must have a public, non-translated address, as translation would invalidate the encryption. In your case, that is why your system works when plugged in directly, but not when translated.

Your department was correct about the ports, but that would only apply if you were using a non-translating firewall. Most home users are not using these, but some corporate LANs are.

I hope that helps, and if anybody has *first hand* knowledge that disagrees with this, please let me know. I teach security courses, and this has been true to the extent of my testing, but I haven't tried this with LRP or DCD.

Cheers
edt

- Original Message -
From: "Eric Friedman" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, January 11, 2002 11:23 PM
Subject: [Leaf-user] Connecting to my company's Win2k server via VPN with L2TP/IPsec

> [...]
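edt's second point (the address of the encrypting host is bound into the protection and so cannot be rewritten) is exactly what the AH/ESP distinction in the HOWTO's section 6.1 and Charles's "IP protocol 50" rule turn on: AH's integrity check covers the outer IP addresses, so a masquerading router that rewrites the source address invalidates every AH packet, while ESP authenticates only its own header and the encrypted payload, so the rewritten address does not matter to the VPN server. The script below models that in a few lines. It is an added illustration, not code from any list poster or from an IPsec implementation: the key, addresses and payloads are constructed, and the ICV construction is a sketch of what each protocol authenticates rather than the byte-exact wire layout.

```python
"""Simplified model of why AH fails behind masquerading while ESP survives it.
Added example; keys, addresses and payloads are constructed, and the ICV
computations sketch what each protocol authenticates, not the exact RFC layout."""
import hashlib
import hmac
import socket

KEY = b"constructed-demo-sa-key"   # constructed sample; a real SA key is negotiated by IKE
TRUNC = 12                         # HMAC-SHA1-96 truncates the ICV to 96 bits


def ah_icv(key, src, dst, payload):
    """AH-style ICV: the outer IP addresses are part of the authenticated data
    (real AH also covers other immutable header fields and zeroes mutable ones)."""
    covered = socket.inet_aton(src) + socket.inet_aton(dst) + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:TRUNC]


def esp_icv(key, spi, seq, ciphertext):
    """ESP-style ICV: covers SPI, sequence number and the encrypted payload only.
    The outer IP header is not authenticated, so a rewritten address is harmless."""
    covered = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ciphertext
    return hmac.new(key, covered, hashlib.sha1).digest()[:TRUNC]


def masquerade(packet, public_ip):
    """What the home router does: swap the private source address for its public
    one. It holds no SA key, so it cannot recompute any ICV to match."""
    out = dict(packet)
    out["src"] = public_ip
    return out


def ah_verify(packet):
    """The VPN server's check of an AH packet, recomputed over the addresses it sees."""
    expected = ah_icv(KEY, packet["src"], packet["dst"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])


def esp_verify(packet):
    """The VPN server's check of an ESP packet; the outer addresses play no part."""
    expected = esp_icv(KEY, packet["spi"], packet["seq"], packet["payload"])
    return hmac.compare_digest(expected, packet["icv"])


def build_ah_packet():
    payload = b"L2TP control message (constructed)"
    pkt = {"src": "192.168.1.10", "dst": "203.0.113.5", "payload": payload}
    pkt["icv"] = ah_icv(KEY, pkt["src"], pkt["dst"], payload)
    return pkt


def build_esp_packet():
    ciphertext = b"\x8b\x2e\x19\x77 stand-in ciphertext (constructed)"
    pkt = {"src": "192.168.1.10", "dst": "203.0.113.5",
           "spi": 0x1234, "seq": 1, "payload": ciphertext}
    pkt["icv"] = esp_icv(KEY, pkt["spi"], pkt["seq"], ciphertext)
    return pkt


def ah_direct_ok():
    """Eric's working case: the Windows box plugged straight into the ISP."""
    return ah_verify(build_ah_packet())


def ah_after_nat_ok():
    """Eric's failing case for AH: the same packet after the LRP box masquerades it."""
    return ah_verify(masquerade(build_ah_packet(), "198.51.100.7"))


def esp_after_nat_ok():
    """ESP through the same masquerade: the server's check still passes."""
    return esp_verify(masquerade(build_esp_packet(), "198.51.100.7"))


if __name__ == "__main__":
    print("AH, direct connection:     ", ah_direct_ok())      # True
    print("AH, through masquerading:  ", ah_after_nat_ok())   # False
    print("ESP, through masquerading: ", esp_after_nat_ok())  # True
```

The model deliberately leaves out what the masquerade helper itself has to solve: with ESP the UDP header is inside the encrypted payload, so the router cannot see ports to map the return traffic on, which is why a protocol-aware helper such as the ip_masq_ipsec module Charles names is needed rather than plain port masquerading.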
[Leaf-user] Connecting to my company's Win2k server via VPN with L2TP/IPsec
First, let me apologize if I get any (or all!) of the technical jargon here confused, backwards, or just plain wrong.

Second, let me describe my situation. I am using a Pentium 133 MHz with 16MB RAM to run Dachstein 1.0.2 to share my internet connection among the numerous computers in my house. The router runs a DHCP server for the computers on my internal network and runs a DHCP client to connect with my ISP, but this is just for convenience as my ISP provides me with a static IP. The computers (Win98, Win2k, and WinXP) on my internal network all work flawlessly through the router for "normal" internet access.

My company provides access to its network over the Internet in the form of a VPN (operated by a Windows 2000 Server, I believe). I connect to this VPN using Windows 2000 Professional. All worked fine connecting to the VPN through my home router until my company began using L2TP/IPsec for the VPN connections. Now, I get no response from the company VPN server when trying to connect. (Note, however, that I *can* connect just fine when my computer is connected directly to my ISP, i.e. without the interference of my LRP box. So my sense is that there are no configuration problems on the client computer, but rather something wrong with my LRP configuration.)

Third, I know very little about Linux -- largely because I lack experience -- but I was wondering if someone might point me in the right direction on this problem. As an additional bit of information, a guy in the IS department informed me that UDP ports 500 and 1701 would be involved in the solution, but I am not certain how to act on this information in configuring my router.

I have begun to look at the ipsec.lrp package available for Dachstein, but I have not been able to use it to solve my problems. I do not know, however, if this is a fault in my configuration of the package or if the package does not support Level 2 Tunneling (L2TP).

If anyone has some experience in a similar situation or would be willing to help a poor old guy trying to get his LRP box to work again, I would much appreciate it.

Thanks,
Eric Friedman

P.S. Please note as well that while I am currently running Dachstein off of a single floppy, I also have access to a CD or additional floppy drive that I could install in the router box. So do not worry about offering solutions that may require more space than is available on a single floppy: I just want something that will work.