Hi Jim.

Indeed, you are missing a small point, and I only point it out as I have been 
researching this very topic, as I support various VPN and RAS clients at work.

For VPNing, there are two protocols, PPTP and IPSec. PPTP works through most 
firewalls with little or no modification (opening UDP port 500 usually does the 
trick). However, the IPSec protocol which Nortel equipment and many others use does 
not work without problems. To quote from the Linux VPN Masquerade HOWTO (large chunks of 
quote, sorry to those this doesn't apply to):

2.10 Why patch the Linux kernel? 

The largest problem in masquerading VPN traffic is that the stock Linux IP masquerade 
has no special awareness of IP protocols other than TCP, UDP and ICMP. 

All IP traffic may be forwarded and filtered by IP address, but masquerading IP 
protocols other than TCP, UDP and ICMP requires modifying the kernel. 

The PPTP control channel is plain TCP and requires no special setup beyond letting it 
through the firewall and masquerading it. 

Masquerading the IPsec and PPTP data channels requires a modification that adds 
support for the ESP and GRE protocols to the masquerading code, and masquerading the 
ISAKMP key exchange protocol requires a modification that prevents masquerade from 
altering the UDP source port number and adds tracking of the ISAKMP cookie values 
instead of the port number. 

2.2 What is IPsec? 

IPsec is a set of standard protocols for implementing secure communications and 
encryption key exchange between computers. It can be used to implement a VPN. 

An IPsec VPN generally consists of two communications channels between the endpoint 
hosts: a key-exchange channel over which authentication and encryption key information 
is passed, and one or more data channels over which private network traffic is 
carried. 

The key-exchange channel is a standard UDP connection to and from port 500. The data 
channels carrying the traffic between the client and server use IP protocol number 50 
(ESP). 

More information is available in F-Secure's IPsec FAQ at 
http://www.Europe.F-Secure.com/support/vpn+/faq/techfaq.html, and in RFC2402 (the AH 
protocol, IP protocol number 51), RFC2406 (the ESP protocol, IP protocol number 50), 
and RFC2408 (the ISAKMP key-exchange protocol). 

IPsec is a peer-to-peer protocol. However, since most people will be exposed to it in 
the form of an originate-only Windows client being used to access a central network 
security gateway, "client" will be used to refer to the endpoint host that the user is 
sitting in front of and "server" will be used to refer to the central network security 
gateway. 

Important note: If your VPN is based on the AH protocol (including AH+ESP), it cannot 
be masqueraded. The AH protocol specifies a cryptographic checksum across portions of 
the IP header, including the IP addresses. IP Masquerade is implemented by modifying 
the source IP address for outbound packets and the destination IP address for inbound 
packets. Since the masquerading gateway cannot participate in the encryption key 
exchange, it cannot generate the correct cryptographic checksums for the modified IP 
headers. Thus the modified IP packets will be discarded by the recipient as invalid, 
because they fail the cryptographic checksum test. 

2.3 What is PPTP? 

PPTP stands for Point-to-Point Tunnelling Protocol. It is a Microsoft-proposed 
protocol for implementing a VPN. 

The PPTP VPN protocol consists of two communications channels between the client and 
server: a control channel over which link-management information is passed, and a data 
channel over which (possibly encrypted) private network traffic is carried. 

The control channel is a standard TCP connection to port 1723 on the server. The data 
channel carrying the private network traffic uses IP protocol number 47 (GRE), a 
generic encapsulation protocol described in RFC1701. The transparent transmission of 
data over the data channel is achieved by negotiating a standard PPP connection over 
it, just as if it were a dialup connection directly from the client to the server. The 
options negotiated over the tunnel by PPP control whether the data is compressed 
and/or encrypted, thus PPTP itself has nothing to do with encryption. 

The details of the PPTP protocol are documented in RFC2637. 

Microsoft's implementation of the PPTP protocol is not considered very secure. If 
you're interested in the details, here are three separate analyses: 

http://www.counterpane.com/pptp.html
http://www.geek-girl.com/bugtraq/1999_1/0664.html
http://oliver.efri.hr/~crv/security/bugs/NT/pptp2.html

Hope this clears up any confusion. 
If you want to read the full story, go here:
http://www.impsec.org/linux/masquerade/VPN-howto/VPN-Masquerade-2.html
Also note that Freesco seems to support IPSec with a precompiled kernel that you 
substitute for the base... However, I haven't gotten this working yet; I will let all 
know when I do. And to John, I'm really not surprised you've given up, with people 
giving away the same thing for free and lots of different groups and teams working on 
a project like Freesco, it's hard to keep up as a one man team. 

Craig.
--
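The HOWTO's point about AH versus ESP under masquerading, as an added example that is not part of this message or of the HOWTO: a small Python model in which the gateway rewrites the source address, the AH integrity check (a keyed hash covering the addresses) then fails at the recipient, the ESP packet passes because its authentication does not cover the outer IP header, and the masquerade table has to key ESP on the SPI since it carries no port number. The key, addresses and SPI are constructed values.

```python
import hmac
import hashlib

# Constructed model (not from the HOWTO or the list) of why an AH-protected
# packet cannot survive masquerading while an ESP packet can.
PROTO_ESP, PROTO_AH = 50, 51          # IP protocol numbers named in the quoted text
PEER_KEY = b"constructed-key-known-only-to-the-two-ipsec-peers"

def ah_icv(src, dst, payload):
    """AH integrity check value over the immutable IP header fields (the
    addresses, here) and the payload, keyed with the peers' negotiated key."""
    msg = src.encode() + b"|" + dst.encode() + b"|" + payload
    return hmac.new(PEER_KEY, msg, hashlib.sha256).digest()[:12]

def build_ah_packet(src, dst, payload):
    return {"src": src, "dst": dst, "proto": PROTO_AH,
            "icv": ah_icv(src, dst, payload), "payload": payload}

def build_esp_packet(src, dst, spi, payload):
    # ESP authenticates only its own header and payload, not the outer IP
    # header, so there is no checksum for the rewritten addresses to break.
    return {"src": src, "dst": dst, "proto": PROTO_ESP, "spi": spi, "payload": payload}

def masquerade(pkt, gateway_ip):
    """Outbound masquerade: rewrite the private source address to the gateway's
    public address. The gateway holds no key, so it cannot recompute any ICV."""
    out = dict(pkt)
    out["src"] = gateway_ip
    return out

def receiver_accepts(pkt):
    """Recipient's check: AH packets must pass the ICV test over the header they
    arrived with; ESP packets have no header ICV that the NAT could invalidate."""
    if pkt["proto"] == PROTO_AH:
        return hmac.compare_digest(ah_icv(pkt["src"], pkt["dst"], pkt["payload"]), pkt["icv"])
    return pkt["proto"] == PROTO_ESP

def masquerade_key(pkt):
    """What a patched masquerade can track: ESP has no port numbers, so the
    table is keyed on the SPI instead; AH is not trackable at all."""
    return (PROTO_ESP, pkt["spi"]) if pkt["proto"] == PROTO_ESP else None

def demo():
    client, server, gateway = "192.168.1.10", "203.0.113.5", "198.51.100.1"
    ah = masquerade(build_ah_packet(client, server, b"hello"), gateway)
    esp = masquerade(build_esp_packet(client, server, 0x1234, b"hello"), gateway)
    return {"ah_accepted": receiver_accepts(ah), "esp_accepted": receiver_accepts(esp),
            "esp_nat_key": masquerade_key(esp)}
```

Calling `demo()` shows the AH packet rejected after masquerading and the ESP packet accepted, with the ESP flow tracked by its SPI.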

On Tue, 29-May-2001 02:26:30 Jim Harris wrote:
>I am a little confused here.....
>
>Ian (and others) are clambering for IPSEC masq, (and I'll vote for that 
>too. . . but...)
>
>1.  Will someone please remind me what it -IS-??
>2.  Stan is making noises like this means STN does not support outbound 
>(from home to work via STN) VPN...... it either does not work - or does 
>not masq properly???
>
>The version of STN -I- have, does, repeat DOES support outbound VPN. (I 
>think, but am not sure, that it does not support -INBOUND- VPN)
>
>I have a work laptop that I can plug into the network at my job, and due 
>to the way I have DNS configured on my "home" network - I can plug it in 
>here, and it can find the gateway, etc. just fine.  In fact, I often use 
>my home network, and associated cable connection thru STN, to make 
>outbound VPN connects to my job.  I connect thru to the network - 
>download test files, start servers and services, and otherwise go hog 
>wild.  No problem....
>
>Maybe I am missing something??
>
>Jim
>
>Stan Simmons wrote:
>> I second that! My company will be closing all holes in the firewall and
>> putting in a VPN system this summer. I am going to have to leave STN (after
>> several years of happy use) when this happens unless an update happens soon.
>> I am not happy about this.
>> 
>> Stan
>> 
>> > -----Original Message-----
>> > From: Ian McDermid [mailto:[EMAIL PROTECTED]]
>> > Sent: Monday, May 28, 2001 6:42 PM
>> > To: '[EMAIL PROTECTED]'
>> > Subject: [STN] A Final plea to John Lombardo
>> >
>> >
>> > John,
>> >
>> > Would you consider releasing a new version say 2.1.4 that
>> > incorporates kernel 2.0.39. This kernel supports IPSEC
>> > masquerade. This forum is full of people who want this facility
>> > so they communicate with PIX/Firewall1 systems.
>> >
>> > Regards
>> >
>> > Ian
>> >
>> > --
>> > Visit http://www.ShareTheNet.com for info about ShareTheNet
>> > Visit http://www.topica.com/lists/sharethenet for info about this list
>> > To Unsubscribe send email to: [EMAIL PROTECTED]
>> >
>> >
>> 
>
