Peter Rundle <prun...@aerodonetix.com.au> writes:

> I've been asked by a friend to help configure a VPN between a Linux
> (CentOS) box (which he's given me control of) and a corporate network
> accessed via a Juniper Network VPN device.
>
> I'm in need of a few clue sticks and would appreciate some advice
> about what software to install on the Linux machine and pointers to
> good URLs etc. to read up on.
>
> The corporate VPN policy only supports network to network VPNs and I
> have been provided with the following info:
>
> 202.X.X.X     The IP address of the corporate VPN server,
> 10.Y.Y.0/24   The private network on the corporate side that will be
>               accessed via the VPN.

Did they give you a local network IP address or range that you can route?
(Ah, reading on, I see you answer that below. :)

> ************  A Pre-Shared key
>
> VPN Peers
> Phase 1    Encryption 3DES,    Hash  SHA,
> Phase 2    Encryption 3DES,    Hash  SHA,   PFS
>
> Now I don't have a network on my side, just the one box, so a road
> warrior config is what is really required but see Corporate policy
> above.

Well, the only real difference is that one policy expects a local
network range separate from the link address, and the other doesn't.

> I have provided the fixed real world IP of the Linux box to them and
> they are now asking for the address range of my private network so
> that they can set up the route on their side to send reply packets
> back via the Juniper VPN device.
>
> So I'm thinking that I can add a private address or two to the NIC
> card and using iptables source NAT the packets so that when an
> application on the Linux box sends a packet to 10.Y.Y.1 I can mangle
> the packet sufficiently for it to be routed down the VPN and come back
> again.

That would work.  The actual deployment should be easier than that, in
fact, but whatever.  Just make up any range and give it to them.

Then, just make sure your client connections out over the VPN look to
come from that range and you are good to go.  Static NAT is a reasonable
choice, or just assigning a secondary address to the VPN link and
setting that as the preferred source IP should be fine.

> Questions:
> Recommended Linux Software?

Use the in-kernel IPSec stack together with a suitable IKE
implementation.  I can't specifically recommend one, but have
successfully used pipsecd[1], pluto from {Open,Strong}SWAN, and the
OpenBSD isakmpd implementation.

Anything compliant with the standards should work, though, and many of
those should have examples of a suitable tunnel-mode setup with Juniper
equipment.

> Is my idea for the "faux" network on my side realistic?

Yeah, no problem.  They are kind of dopey but, hey, whatever.  If they
can't vary their policy then they can't vary their policy.

All "network to network VPN" means is:
1. IPSec in tunnel mode.
2. Routing IP traffic through the IPSec tunnel.


> OpenVPN is installed on the Linux box but from what I've read it's
> talking about public/private key OpenSSL kinda stuff with a ca.key,
> certificates etc, where as this setup is a pre-shared key
> arrangement.

...uh.  OpenVPN and IPSec VPNs are completely different protocols.
You can't use OpenVPN to talk to the Juniper equipment, I fear.

Regards,
        Daniel

Footnotes: 
[1]  Doesn't use the in-kernel IPSec layer, isn't packaged much any
     more.  It is probably the absolute simplest tunnel-mode IPSec
     option available though.
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
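The setup Daniel describes (tunnel-mode IPsec with a made-up local range, plus SNAT so the box's own traffic appears to come from that range) as an added example; this is not code from the thread or from strongSwan's own documentation. It generates a strongSwan ipsec.conf and ipsec.secrets matching the Phase 1/Phase 2 proposal in the post and prints the host-side commands. All addresses are assumed stand-ins (203.0.113.10 for the box's fixed IP, 198.51.100.1 for 202.X.X.X, 10.50.50.0/24 for 10.Y.Y.0/24, 10.200.0.0/24 as the invented range), and the DH group (modp1024) is a guess, since the post does not give one; it must match whatever the Juniper side is configured for.

```shell
#!/bin/sh
# Added example, not code from the SLUG thread or from strongSwan.
# Builds the strongSwan (5.x ipsec.conf style) configuration for the tunnel
# described in the post and the host-side "faux network" plumbing.
#
# Assumptions (not in the post): the addresses below are documentation
# stand-ins for 202.X.X.X / 10.Y.Y.0/24 / "any range you make up"; the DH
# group is a guess and must match the Juniper side.
LOCAL_PUBLIC=${LOCAL_PUBLIC:-203.0.113.10}   # the Linux box's fixed real-world IP
CORP_VPN=${CORP_VPN:-198.51.100.1}           # stand-in for 202.X.X.X
CORP_NET=${CORP_NET:-10.50.50.0/24}          # stand-in for 10.Y.Y.0/24
FAUX_NET=${FAUX_NET:-10.200.0.0/24}          # the made-up range given to the corporate side
FAUX_IP=${FAUX_IP:-10.200.0.1}               # address the box sources VPN traffic from
IFACE=${IFACE:-eth0}
DH_GROUP=${DH_GROUP:-modp1024}               # assumption: the post does not state a DH group
PSK=${PSK:-REPLACE_WITH_THE_PRESHARED_KEY}   # placeholder for the real pre-shared key

# Phase 1 maps to ike=, Phase 2 to esp=.  A DH group in esp= is what turns
# PFS on in strongSwan; the trailing "!" pins the proposal to exactly this
# 3DES/SHA1 combination.  3DES and SHA1 are legacy choices: use them because
# the peer's policy demands them, not by preference.
gen_ipsec_conf() {
    cat <<EOF
config setup

conn corp-net
    keyexchange=ikev1
    authby=secret
    type=tunnel
    left=$LOCAL_PUBLIC
    leftid=$LOCAL_PUBLIC
    leftsubnet=$FAUX_NET
    right=$CORP_VPN
    rightsubnet=$CORP_NET
    ike=3des-sha1-$DH_GROUP!
    esp=3des-sha1-$DH_GROUP!
    auto=start
EOF
}

# ipsec.secrets: the two peer IDs followed by the PSK.
gen_secrets() {
    printf '%s %s : PSK "%s"\n' "$LOCAL_PUBLIC" "$CORP_VPN" "$PSK"
}

# Host-side plumbing.  The SNAT rule rewrites the source of anything the box
# sends to the corporate subnet so it falls inside leftsubnet; the kernel
# re-checks the IPsec policy after POSTROUTING NAT, so the rewritten packet
# is matched and encapsulated.  Emitted as text so it can be reviewed first.
host_side_commands() {
    cat <<EOF
ip addr add $FAUX_IP/32 dev $IFACE
iptables -t nat -A POSTROUTING -d $CORP_NET ! -s $FAUX_NET -j SNAT --to-source $FAUX_IP
EOF
}

# Write the two files; ipsec.secrets must not be world-readable.
write_files() {
    dir=${1:-/etc}
    gen_ipsec_conf > "$dir/ipsec.conf"
    ( umask 077; gen_secrets > "$dir/ipsec.secrets" )
}

case "${1:-show}" in
    show)  gen_ipsec_conf; echo; gen_secrets; echo; host_side_commands ;;
    apply) write_files /etc; host_side_commands | sh -e; ipsec restart ;;  # needs root
esac
```

Run it with no argument to review what it would do, `apply` as root to install. Once the tunnel is up, `ipsec statusall` should show the SA with the expected proposal and `ip xfrm policy` the 10.200.0.0/24 -> 10.50.50.0/24 selector; `ping -I 10.200.0.1 10.50.50.1` exercises the path without relying on the NAT rule. If you prefer the no-NAT variant Daniel mentions, drop the iptables line: with 10.200.0.1 configured on the box and inside leftsubnet, strongSwan's own route for rightsubnet (table 220) uses that address as the source.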