From owner-freebsd-security Thu Feb 24 6:48:56 2000
Delivered-To: freebsd-security@freebsd.org
Received: from sprig.tougas.net (h24-66-217-148.xx.wave.shaw.ca [24.66.217.148]) by hub.freebsd.org (Postfix) with ESMTP id 0CBBB37BD05 for ; Thu, 24 Feb 2000 06:48:52 -0800 (PST) (envelope-from dtougas@sprig.tougas.net)
Received: (from dtougas@localhost) by sprig.tougas.net (8.9.3/8.9.3) id HAA04743; Thu, 24 Feb 2000 07:50:32 -0700 (MST) (envelope-from dtougas)
Date: Thu, 24 Feb 2000 07:50:32 -0700
From: Damien Tougas
To: David Pick
Cc: freebsd-security@freebsd.org
Subject: Re: SSH port forwarding
Message-ID: <20000224075032.A4699@tougas.net>
References: <20000223170457.A2185@tougas.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from D.M.Pick@qmw.ac.uk on Thu, Feb 24, 2000 at 10:29:47AM +0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Thanks for your detailed diagram, that is great. I realized a while after I
sent the question that I was being brain dead, and did not fully grasp what
was going on and was in fact not setting up my connection properly. Now that
I have set it up correctly, it all makes sense to me now.

This seems like an easy way to set up a VPN. The box is both doing NAT and the
VPN, and hence makes it easy to use it as both an internet gateway as well as
a VPN. I have heard this method referred to as a poor man's VPN; why? Are
there better/more preferred methods of setting up a VPN? SKIP or IPSEC? Why
would I want to use one of those instead? Would I need two boxes to achieve
the same functionality?

--
Damien Tougas, P.Eng.
Phone: (780)434-5889  Fax: (780)434-5889
E-mail: damien@tougas.net
http://www.tougas.net

On Thu, Feb 24, 2000 at 10:29:47AM +0000, David Pick wrote:
>
> > I am looking at setting up a VPN using the SSH port forwarding
> > features, but I have a question:
> >
> > I have inetd listening on port X for ppp connections. I set
> > up SSH on the client machine to pass all packets going from port X
> > on the client to port X on the server through the secure channel.
> >
> > After starting ppp, I do netstat -a and realize that the actual ppp
> > connection is taking place on random port Y. My question is, is SSH
> > smart enough to realize this has taken place and encrypt the session
> > on port Y as well? If not, how do I set it up so that the random
> > port picked during the negotiation process is also sent through
> > the secure channel?
>
> Ah, which ports are you talking about? A typical port-forwarding
> setup looks like this when in progress:
>
>      Client Machine                      Server Machine
> +----------------------+            +-----------------------+
> ! User process         !            !    Server process     !
> ! +--------------+     !            !    +----------------+ !
> ! !              !     !            !    !                ! !
> ! !            --+--+  ! <- A  D -> ! +--+--              ! !
> ! !              !  !  !            ! !  !                ! !
> ! +--------------+  !  !            ! !  +----------------+ !
> !                   !  !            ! !                     !
> ! SSH client        !  !            ! !  SSH server         !
> ! +--------------+  !  !            ! !  +----------------+ !
> ! !              !  !  !            ! !  !                ! !
> ! !           (--+--+  ! <- B  C -> ! +--+--)             ! !
> ! !           (  !     ! SSH tunnel !    !  )             ! !
> ! !           (==+=======================+==)             ! !
> ! !              !     !            !    !                ! !
> ! +--------------+     !            !    +----------------+ !
> !                      !            !                       !
> +----------------------+            +-----------------------+
>
> Your server process will be listening on its normal port number (D).
>
> The ssh client will often be listening on the same port number (B). It has
> to be told which port to listen on and what address and port the SSH server
> should be told to use at the other end.
>
> The user process will use an arbitrary port (A). It has to be told to contact
> the SSH client (on port (B)) instead of contacting the server process directly.
>
> The SSH server will use an arbitrary port when forwarding the connection
> from itself to the server process (C).
>
> So which ports do you think are wrong? And on which machine?
>
> --
> David Pick

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
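The four endpoints in the diagram above, as an added example that is not part of this thread: a Python stand-in for the SSH client's listener (B) and the SSH server's outbound connection (C), with no encryption, run entirely on loopback with OS-chosen ports in place of the fixed port X. It shows which ports are fixed and which are the ephemeral ones that `netstat -a` reports.

```python
import socket
import threading

def pump(src, dst):
    """Copy bytes one way until EOF: the per-connection job of each SSH end."""
    while chunk := src.recv(4096):
        dst.sendall(chunk)

def listener():
    """Loopback listener on an OS-chosen port (stands in for fixed port X)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def forward_demo(payload=b"ppp frame"):
    """Push one connection through a local forwarder; return (reply, ports A-D)."""
    srv, fwd = listener(), listener()  # srv: server process (D), fwd: SSH client (B)
    d_port, b_port = srv.getsockname()[1], fwd.getsockname()[1]
    ports = {}
    def server_side():  # server process: records C and D, echoes upper-cased
        conn, peer = srv.accept()
        ports["C"], ports["D"] = peer[1], conn.getsockname()[1]
        conn.sendall(conn.recv(4096).upper())
        conn.close()
    def forwarder():  # SSH client + SSH server pair, minus the crypto between them
        a_conn, peer = fwd.accept()
        ports["A"], ports["B"] = peer[1], a_conn.getsockname()[1]
        up = socket.create_connection(("127.0.0.1", d_port))  # C -> D
        a2c = threading.Thread(target=pump, args=(a_conn, up))
        a2c.start()
        pump(up, a_conn)  # replies flow back until the server closes
        a2c.join()
        a_conn.close()
        up.close()
    threads = [threading.Thread(target=f) for f in (server_side, forwarder)]
    for t in threads:
        t.start()
    # A: the user process, pointed at the SSH client on B instead of D directly
    user = socket.create_connection(("127.0.0.1", b_port))
    user.sendall(payload)  # constructed sample data standing in for ppp traffic
    user.shutdown(socket.SHUT_WR)
    reply = b"".join(iter(lambda: user.recv(4096), b""))
    user.close()
    for t in threads:
        t.join()
    srv.close()
    fwd.close()
    return reply, ports
```

Only B and D are chosen by configuration; A and C are assigned by the OS per connection, which is the "random port Y" the question describes, and the connection it belongs to is the one the SSH client accepted on B.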