[Leaf-user] VPN Architecture Options

2001-12-17 Thread dgilleece

Hi all,

I have a client with an interesting situation, regarding VPN needs.  They are a 
small database consulting group, who need secure remote access across a variety 
of scenarios:

1.  Sitting in their US office, accessing multi-vendor VPN systems at major 
corporations.

2.  Sitting at the customer site, accessing their own US office LAN:
 a. using their own laptops (Linux and Windows)
 b. using "borrowed" machines (Linux and Windows) on the customers' LAN
3.  One employee in Australia needs to:
 a. do all of the above, for both the US office and US customers
 b. have the local AU LAN securely access the US LAN, Windows shares and all
 c. Have his laptop access local Australia customers

Given the nature of IPSec, it seems NAT'd addresses can't be relied upon in all 
scenarios.  This tends to indicate we would be better off running routable 
addresses on the LANs in question --- but are the risks of that manageable?  
They own a /25 subnet, but I'm not sure we want to expose the entire range to 
the Internet.  

Having read some about FreeS/WAN, I am still confused on what it takes to 
connect from a roaming laptop --- with a varying IP.  Most of the instructions 
tend to be focused on gateway-to-gateway connections, not laptop-to-gateway -- 
and almost all doc uses non-routable IPs in the examples.  Any pointers to 
configuring a single-address client to FreeS/WAN on LRP would be helpful.

Has anyone used LRP routers in this varied a scenario?  Any recommendations on 
VPN clients for roaming connections, both for Windows and Linux laptops?  Any 
wisdom, advice, pointers? :)

Thanks,

Dan


___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



RE: [Leaf-user] VPN Architecture Options

2001-12-18 Thread Todd Pearsall

> 1.  Sitting in their US office, accessing multi-vendor VPN
> systems at major
> corporations.
I have had success connecting to Cisco VPN concentrators and seen reports of
connecting to others.  One of the headaches I ran into was overlapping
NAT'd subnets, which you mention below.

> 2.  Sitting at the customer site, accessing their own US office LAN:
>  a. using their own laptops (Linux and Windows)
>  b. using "borrowed" machines (Linux and Windows) on the
> customers' LAN
I have used SSH Sentinel from a client site.  In my installations the client
could 1-to-1 map their NAT'd address to a real address so I set up
connections to each user using PreShared Keys (PSKs).  The other 2 options
are:
- Do a standard road-warrior with PSKs, but that requires all clients to use
the same PSK since they share one connection from a source IP of 0.0.0.0
- Use RSA sigs, which is supported by SSH Sentinel and gives each roadwarrior
their own RSA sig.  I believe this is your best bet, but haven't done it
personally.

> 3.  One employee in Australia needs to:
>  a. do all of the above, for both the US office and US customers
Same answer as above

>  b. have the local AU LAN securely access the US LAN, Windows
> shares and all
Use FreeSWAN IPSec gateways (LEAF of course) with both ends maintaining a
gateway to gateway connection.  This can conflict with (a.) since the Linux
kernel allows you to do IPSec gateways or IPSec masquerading, but not both
at once.  I have a similar situation and have addressed it in 2 different
ways:
- The VPN Masq connection uses a second parallel router not running as an
IPSec gateway
- The client uses a PPTP (yuck) connection which works fine through the
IPSec gateway.

>  c. Have his laptop access local Australia customers
Need a VPN client that is compatible with the customers' VPNs, since most
clients tend to conflict and can't be installed together.  SSH Sentinel may
work well since it seems to be a flexible client for accessing different IPSec
gateways, although I don't know from first-hand experience.

>
> Given the nature of IPSec, it seems NAT'd addresses can't be
> relied upon in all
> scenarios.  This tends to indicate we would be better off running
> routable
> addresses on the LANs in questions --- but are the risks of that
> manageable?
> They own a /25 subnet, but I'm not sure we want to expose the
> entire range to
> the Internet.
I'm not a fan of inside machines using routable addresses, but it would
ensure there is no overlap.

>
> Having read some about FreeS/WAN, I am still confused on what it takes to
> connect from a roaming laptop --- with a varying IP.  Most of the
> instructions
> tend to be focused on gateway-to-gateway connections, not
> laptop-to-gateway --
> and almost all doc uses non-routable IPs in the examples.  Any
> pointers to
> configuring a single-address client to FreeS/WAN on LRP would be helpful.
Laptop to gateway is called the roadwarrior config; you should be able to
find docs on it.  Supposedly the Win2K IPSec client works with FreeSWAN, but
I was never able to get it to work.

>
> Has anyone used LRP routers in this varied a scenario?  Any
> recommendations on
> VPN clients for roaming connections, both for Windows and Linux
> laptops?  Any
> wisdom, advice, pointers? :)

I'm not associated with SSH Sentinel, but found it fairly easy to
configure/troubleshoot and some pretty good docs are available for it.  The
downside is it is not free.  As I mentioned before, Win2K's IPSec client
should also work, as well as PGP's commercial VPN client (I don't think the
free version can connect to a gateway, only a single machine).

You also may want to post questions to the FreeSWAN mailing list.

Good luck.
Todd





Re: [Leaf-user] VPN Architecture Options

2001-12-18 Thread Charles Steinkuehler

> Having read some about FreeS/WAN, I am still confused on what it takes to
> connect from a roaming laptop --- with a varying IP.  Most of the
> instructions tend to be focused on gateway-to-gateway connections, not
> laptop-to-gateway -- and almost all doc uses non-routable IPs in the
> examples.  Any pointers to configuring a single-address client to FreeS/WAN
> on LRP would be helpful.

This is really simple, especially if you're using RSA keying.  On the VPN
Gateway, simply create a connection with the ID and RSA sig. of your
roadwarrior (roaming laptop) system.  Set the IP address to %any.

On the roadwarrior, set interfaces=%defaultroute and
[left|right]=%defaultroute (as appropriate)

Make sure you enter consistent ID's for [left|right]id...I like to use
'non-resolving' domain names (put an @ in front of the name so FreeS/WAN
doesn't do a DNS lookup and turn the ID into an IP address) such as
"@cruzin.core.newtek.com"

I actually set up subnet-subnet tunnels this way, but you do it exactly the
same way for a host-host or host-subnet connection.  Just include or exclude
the [left|right]subnet parameter(s), as required.

The main thing to verify is that your id's, rsasigkey's, and connection
details (ie [left|right]subnet) match on both ends.  If not, you won't
connect, and your logs will list something like "no valid connection
description for ..."

To make my semi-mesh network a bit easier to maintain, I have also somewhat
standardized my ipsec.conf files.  The local system is always 'left', with
the remote end being 'right'.  I create a "conn %default" section with all
the left parameters, and have an /etc/ipsec directory with individual files
for each of my VPN gateways.  To create a link from the local system to the
remote gateway, I simply add an "include ipsec/" to the ipsec.conf
file, and the link gets created.  This allows me to rsync my /etc/ipsec
directory between all my remote systems as gateways are added or connection
details change.  There are many other (and probably better) ways to manage
your VPN links...this is just what works OK for me.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






RE: [Leaf-user] VPN Architecture Options

2001-12-18 Thread Todd Pearsall

> This is really simple, especially if you're using RSA keying.  On the VPN
> Gateway, simply create a connection with the ID and RSA sig. of your
> roadwarrior (roaming laptop) system.  Set the IP address to %any.
>
> On the roadwarrior, set interfaces=%defaultroute and
> [left|right]=%defaultroute (as appropriate)
>
> Make sure you enter consistent ID's for [left|right]id...I like to use
> 'non-resolving' domain names (put an @ in front of the name so FreeS/WAN
> doesn't do a DNS lookup and turn the ID into an IP address) such as
> "@cruzin.core.newtek.com"
>
> I actually set up subnet-subnet tunnels this way, but you do it exactly the
> same way for a host-host or host-subnet connection.  Just include or exclude
> the [left|right]subnet parameter(s), as required.

Did I understand right that you use the IDs with %any IPs for your gateway
to gateway connections?  I currently have 2 users with home LANs that are on
dynamic IPs.  Since the IPs change rarely I treat them as static, but when
they change I need to update the ipsec.conf file.

Currently one of my configs looks like this (left is remote dynamic treated
as static, right is local static):

# VPN Between TSPHouse and BWI Office
conn TSPhouse-BWI
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        authby=rsasig
        # Left security gateway, subnet behind it, next hop toward right.
        left=24.180.130.196
        leftsubnet=192.168.1.0/24
        leftnexthop=24.180.130.1
        leftid=@TSPHouse
        leftrsasigkey=0sAQN3BOhhNkqJZB...
        leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=65.120.71.240
        rightsubnet=172.30.85.0/24
        rightnexthop=65.120.71.253
        rightid=@BWI
        rightrsasigkey=0x01037792d45de...
        rightfirewall=yes
        auto=start

Are you saying I could do something like this (left is remote dynamic, right
is local static)?  The two changed lines are marked with ">>":

# VPN Between TSPHouse and BWI Office
conn TSPhouse-BWI
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        authby=rsasig
        # Left security gateway, subnet behind it, next hop toward right.
>>      left=%any
        leftsubnet=192.168.1.0/24
>>      #leftnexthop=24.180.130.1
        leftid=@TSPHouse
        leftrsasigkey=0sAQN3BOhhNkqJZB...
        leftfirewall=yes
        # Right security gateway, subnet behind it, next hop toward left.
        right=65.120.71.240
        rightsubnet=172.30.85.0/24
        rightnexthop=65.120.71.253
        rightid=@BWI
        rightrsasigkey=0x01037792d45de...
        rightfirewall=yes
        auto=start

That would be a great solution to my dynamic gateways.  Also, do you have
any experience with Windoze VPN clients?  I did some testing with several
and SSH Sentinel seemed to be the easiest, but an Open Source and/or free
solution would be better.

Thanks,
Todd





Re: [Leaf-user] VPN Architecture Options

2001-12-18 Thread Charles Steinkuehler

> Did I understand right that you use the IDs with %any IPs for your gateway
> to gateway connections?  I currently have 2 users with home LANs that are on
> dynamic IPs.  Since the IPs change rarely I treat them as static, but when
> they change I need to update the ipsec.conf file.

Yes...this is possible, and how I have configured the couple of systems in
our VPN mesh that have dynamic connections.

> Currently one of my configs looks like this (left is remote dynamic treated
> as static, right is local static):

> Are you saying I could do something like this (left is remote dynamic,
> right is local static):


Yes.  Some details of one of my configs (just the connection
specifications)...works with my IPSec V1.91 package & kernels.

Dynamic system:

conn %default
        type=tunnel
        auto=start
        [EMAIL PROTECTED]
        left=%defaultroute
        leftsubnet=10.31.32.0/24
        leftfirewall=yes
        keyexchange=ike
        authby=rsasig
        leftrsasigkey=0x0103b...
        keylife=8h
        keyingtries=0

include ipsec/SanAntonio.conf


conn SanAntonio
        [EMAIL PROTECTED]
        right=207.235.86.252
        rightnexthop=207.235.86.1
        rightsubnet=10.28.0.0/19
        rightrsasigkey=0x0103c...

Static system:

conn %default
        type=tunnel
        auto=start
        [EMAIL PROTECTED]
        left=207.235.86.252
        leftnexthop=207.235.86.254
        leftsubnet=10.28.0.0/19
        leftfirewall=yes
        keyexchange=ike
        authby=rsasig
        leftrsasigkey=0x0103c...
        keylife=8h
        keyingtries=1

include ipsec/Aptos.conf


conn Aptos
        [EMAIL PROTECTED]
        right=%any
        rightsubnet=10.31.32.0/24
        rightrsasigkey=0x0103b...

Remote dynamic connections are identified initially by their ID, then
authenticated using their RSA key.  AFAIK, the same can be done with
pre-shared secrets, but I'm not sure...

NOTE:  Reading over this, I should probably have auto=load instead of
auto=start on the static side...it's impossible to start a connection from
the static side, since the peer IP is unknown.

> That would be a great solution to my dynamic gateways.  Also, do you have
> any experience with Windoze VPN clients?  I did some testing with several
> and SSH Sentinel seemed to be the easiest, but an Open Source and/or free
> solution would be better.

Sorry, I haven't used any windows VPN clients.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
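The check Charles describes in both of his replies (ids, rsasigkeys and subnets must mirror each other on the two ends, and auto=start is useless on the static side whose peer is %any) as an added consistency linter; this is example code written for this thread, not anything the posters or the FreeS/WAN project shipped. The two ipsec.conf fragments are constructed to follow the layout of the Dynamic/Static configs above; the @Aptos and @SanAntonio ids and the key strings are assumed placeholders, since the archive stripped the real values.

```python
def parse_ipsec_conf(text):
    """Parse conn sections into dicts and merge 'conn %default' into each one.
    Lines without '=' (comments, include) are skipped; paste included conns inline."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
            continue
        key, eq, val = line.partition("=")
        if cur is not None and eq:
            cur[key.strip()] = val.strip()
    default = conns.pop("%default", {})
    return {n: {**default, **c} for n, c in conns.items()}

def check_pair(a, b):
    """Mismatches between the two ends of one tunnel: a's left* must equal b's
    right* (and vice versa); a side whose peer is %any cannot initiate."""
    problems = []
    for field in ("id", "subnet", "rsasigkey"):
        for mine, theirs in (("left", "right"), ("right", "left")):
            if a.get(mine + field) != b.get(theirs + field):
                problems.append(f"a.{mine}{field} != b.{theirs}{field}")
    for name, c in (("a", a), ("b", b)):
        if "%any" in (c.get("left"), c.get("right")) and c.get("auto") == "start":
            problems.append(f"{name}: peer is %any, auto=start cannot initiate; use auto=load")
    return problems

# Constructed configs in the thread's layout; ids and keys are assumed placeholders.
DYNAMIC_SIDE = """conn %default
    left=%defaultroute
    leftid=@Aptos
    leftsubnet=10.31.32.0/24
    leftrsasigkey=0sKEY-APTOS-PLACEHOLDER
conn SanAntonio
    right=207.235.86.252
    rightid=@SanAntonio
    rightsubnet=10.28.0.0/19
    rightrsasigkey=0sKEY-SANANTONIO-PLACEHOLDER"""
STATIC_SIDE = """conn %default
    left=207.235.86.252
    leftid=@SanAntonio
    leftsubnet=10.28.0.0/19
    leftrsasigkey=0sKEY-SANANTONIO-PLACEHOLDER
    auto=start
conn Aptos
    right=%any
    rightid=@Aptos
    rightsubnet=10.31.32.0/24
    rightrsasigkey=0sKEY-APTOS-PLACEHOLDER"""
```

Run `check_pair(parse_ipsec_conf(DYNAMIC_SIDE)["SanAntonio"], parse_ipsec_conf(STATIC_SIDE)["Aptos"])` against a real pair of files after swapping in the actual values; an empty list means the ends agree, and a rsasigkey or id entry points at the line that will produce the "no valid connection description" log message Charles mentions.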


