Date:      Sun, 12 Jan 2003 19:35:17 -0500
From:      "Adam Maas" <mykroft@explosive.mail.net>
To:        <freebsd-questions@FreeBSD.ORG>
Subject:   Re: VPN Newbie has a silly question
Message-ID:  <040701c2ba9b$a57d6170$7419cdcd@ticking>
References:  <20030112223203.GB33785@keyslapper.org> <20030112175907.S247@dhcp-17-14.kico2.on.cogeco.ca> <20030113002901.GI33785@keyslapper.org>

Big question is 'Is that Cisco box doing NAT?' If so, you might as well
stick to SSH Tunneling, because IPSEC won't do encryption through a NAT'ing
firewall. Solution 3 is to look to see if anybody ported the GRE (CISCO
Proprietary VPN Protocol) support from Linux.

--Adam

----- Original Message -----
From: "Louis LeBlanc" <leblanc+freebsd@keyslapper.org>
To: "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
Sent: Sunday, January 12, 2003 7:29 PM
Subject: Re: VPN Newbie has a silly question


> On 01/12/03 06:22 PM, Dru sat at the `puter and typed:
> >
> >
> > On Sun, 12 Jan 2003, Louis LeBlanc wrote:
> >
> > > Here's a complicated VPN question:
> > >
> > > I have one FreeBSD machine behind a firewall (let's call it WORK),
> > > only way thru is via VPN - unfortunately, the VPN in use is an old
> > > proprietary Cisco deal that has no client ported to FreeBSD.
> > >
> > > The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> > > but with the dns name served thru Zoneedit.com - so anytime the IP
> > > changes, there's maybe an hour or two of lag time while the auto
> > > update scripts get the dns back on track.
> > >
> > > What I want to do is initiate a VPN connection from WORK to HOME, and
> > > here's where I show my VPN ignorance, connect thru that VPN connection
> > > from HOME to WORK.  Basically I want to work from home on a secure
> > > connection rather than just getting my work machine to pop a terminal
> > > up on the home display over an insecure connection.
> > >
> > > I suspect this won't work this way, but I figure what the hell.  The
> > > worst that can happen is someone tells me I'm a dope and it don't work
> > > that way.
> > >
> > > So will it, or not?
> >
> >
> > It should be doable. You may have less hair than you started out with and
> > learn more than you ever cared to about IPSec on the way to getting it to work,
> > but it should work.
>
> Ok, then no deadlines . . .  Thanks!
>
> > Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
> > difference) Do you have the flexibility of getting its admin to create the
> > necessary IPSec policy and access lists to allow you through? Is your new
> > IP address always within the same network range? (that will make access
> > lists much easier)
>
> No, it's a Cisco 5000, or some such thing.  It isn't IPSEC compliant,
> but has like 2 general passwords - in addition to the user password.
> There was supposed to be some promotion from Cisco to upgrade it last
> year, with free hardware, but our sysadmins were swamped at the time
> and decided against it.  Had they had the time, it would have become
> IPSEC compliant.
>
> > These will get you started:
> >
> > klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
> >
> > www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html
> >
> > you want SC: Part 4: IP Security and Encryption
> >
> > Make sure you create a "dynamic" crypto map in addition to the regular
> > crypto map. Authentication may prove interesting due to the dynamic IP;
> > you'll want to read up carefully on your possibilities.
> >
> > As a side note, it may prove easier to just configure ssh on the
> > destination computer and create the necessary rule to allow the
> > connection on the access list on the Cisco thingie. Just a thought.
> >
> > Good luck,
> >
> > Dru
>
> I'll start on that.  What I'll do is look out for a connection failure
> hook of sorts, and just write a script to reinitialize the connection
> when the IP changes.  Shouldn't be too hard to monitor that and write
> a catch script to fix the configs and reestablish the connection.
>
> Thanks a bunch.
> Lou
> --
> Louis LeBlanc               leblanc@keyslapper.org
> Fully Funded Hobbyist, KeySlapper Extraordinaire :)
> http://www.keyslapper.org
>
> nolo contendere:
>   A legal term meaning: "I didn't do it, judge, and I'll never do it again."
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>
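An added example, not from this thread, of the reconnect script Lou describes: it polls HOME's interface address and runs a reconnect hook only when the dynamic address has actually changed. The interface name, state file path and the reconnect command (for instance re-establishing the SSH tunnel Adam suggests) are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Re-initialise a tunnel when the
# dynamic address on HOME changes. IFACE, STATE and RECONNECT are assumed
# placeholders; set them for the real box.
IFACE="${IFACE:-fxp0}"                    # assumed interface name
STATE="${STATE:-/var/run/vpn-watch.ip}"   # assumed state file
RECONNECT="${RECONNECT:-echo reconnect}"  # assumed hook, e.g. an ssh -f -N tunnel

# Current IPv4 address of an interface, parsed from FreeBSD ifconfig output
# ("inet A.B.C.D netmask ..."); empty if the interface has no address.
current_ip() {
    ifconfig "$1" 2>/dev/null | awk '/inet / { print $2; exit }'
}

# Compare an address with the one recorded in the state file and record the
# new one. Returns 0 (true) when it changed, 1 when it is unchanged.
ip_changed() {
    state="$1"
    ip="$2"
    old=""
    [ -f "$state" ] && old=$(cat "$state")
    if [ "$ip" != "$old" ]; then
        printf '%s\n' "$ip" > "$state"
        return 0
    fi
    return 1
}

# Polling loop: on every change, log it and run the reconnect hook.
watch_loop() {
    while :; do
        ip=$(current_ip "$IFACE")
        if [ -n "$ip" ] && ip_changed "$STATE" "$ip"; then
            logger -t vpn-watch "address changed to $ip, reconnecting"
            sh -c "$RECONNECT"
        fi
        sleep 60
    done
}

# Only start polling when asked, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--watch" ]; then
    watch_loop
fi
```

Run it as `sh vpn-watch.sh --watch` from rc.local or a cron @reboot entry; the first poll always counts as a change, which conveniently triggers the initial connection.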
