From owner-freebsd-questions Sun Jan 12 16:35:22 2003
Delivered-To: freebsd-questions@freebsd.org
Message-ID: <040701c2ba9b$a57d6170$7419cdcd@ticking>
From: "Adam Maas"
References: <20030112223203.GB33785@keyslapper.org> <20030112175907.S247@dhcp-17-14.kico2.on.cogeco.ca> <20030113002901.GI33785@keyslapper.org>
Subject: Re: VPN Newbie has a silly question
Date: Sun, 12 Jan 2003 19:35:17 -0500
X-Mailer: Microsoft Outlook Express 6.00.2720.3000

Big question is 'Is that Cisco box doing NAT?' If so, you might as well stick
to SSH tunneling, because IPSEC won't do encryption through a NAT'ing firewall.

Solution 3 is to look to see if anybody ported the GRE (Cisco proprietary VPN
protocol) support from Linux.
--Adam

----- Original Message -----
From: "Louis LeBlanc"
To: "FreeBSD Questions"
Sent: Sunday, January 12, 2003 7:29 PM
Subject: Re: VPN Newbie has a silly question


> On 01/12/03 06:22 PM, Dru sat at the `puter and typed:
> >
> > On Sun, 12 Jan 2003, Louis LeBlanc wrote:
> >
> > > Here's a complicated VPN question:
> > >
> > > I have one FreeBSD machine behind a firewall (let's call it WORK),
> > > only way thru is via VPN - unfortunately, the VPN in use is an old
> > > proprietary Cisco deal that has no client ported to FreeBSD.
> > >
> > > The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> > > but with the dns name served thru Zoneedit.com - so anytime the IP
> > > changes, there's maybe an hour or two of lag time while the auto
> > > update scripts get the dns back on track.
> > >
> > > What I want to do is initiate a VPN connection from WORK to HOME, and
> > > here's where I show my VPN ignorance, connect thru that VPN connection
> > > from HOME to WORK. Basically I want to work from home on a secure
> > > connection rather than just getting my work machine to pop a terminal
> > > up on the home display over an insecure connection.
> > >
> > > I suspect this won't work this way, but I figure what the hell. The
> > > worst that can happen is someone tells me I'm a dope and it don't work
> > > that way.
> > >
> > > So will it, or not?
> >
> > It should be doable. You may have less hair than you started out with and
> > learn more than you ever cared to about IPSec on the way to getting it to work,
> > but it should work.
>
> Ok, then no deadlines . . . Thanks!
>
> > Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
> > difference) Do you have the flexibility of getting its admin to create the
> > necessary IPSec policy and access lists to allow you through? Is your new
> > IP address always within the same network range? (that will make access
> > lists much easier)
>
> No, it's a Cisco 5000, or some such thing. It isn't IPSEC compliant,
> but has like 2 general passwords - in addition to the user password.
> There was supposed to be some promotion from Cisco to upgrade it last
> year, with free hardware, but our sysadmins were swamped at the time
> and decided against it. Had they had the time, it would have become
> IPSEC compliant.
>
> > These will get you started:
> >
> > klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
> >
> > www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html
> >
> > you want SC: Part 4: IP Security and Encryption
> >
> > Make sure you create a "dynamic" crypto map in addition to the regular
> > crypto map. Authentication may prove interesting due to the dynamic IP;
> > you'll want to read up carefully on your possibilities.
> >
> > As a side note, it may prove easier to just configure ssh on the
> > destination computer and create the necessary rule to allow the
> > connection on the access list on the Cisco thingie. Just a thought.
> >
> > Good luck,
> >
> > Dru
>
> I'll start on that. What I'll do is look out for a connection failure
> hook of sorts, and just write a script to reinitialize the connection
> when the IP changes. Shouldn't be too hard to monitor that and write
> a catch script to fix the configs and reestablish the connection.
>
> Thanks a bunch.
> Lou
> --
> Louis LeBlanc leblanc@keyslapper.org
> Fully Funded Hobbyist, KeySlapper Extraordinaire :)
> http://www.keyslapper.org
>
> nolo contendere:
> A legal term meaning: "I didn't do it, judge, and I'll never do it again."
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
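The SSH-tunnel route Adam suggests, together with the reconnect-on-IP-change script Lou says he will write, as an added example; this is not code from the thread or from any of its participants. It is meant to run on WORK: it dials out to HOME by its dynamic DNS name and publishes WORK's own sshd on HOME's loopback, so that from HOME one runs `ssh -p 2222 localhost` to land on WORK, which is the "connect from WORK to HOME, then from HOME to WORK" pattern Lou asked about. The host name `home.example.org`, the user `lou`, the ports 2222/22, the dedicated known_hosts file and the use of the base-system `host` command are all assumptions; the script only needs the firewall to permit outbound SSH from WORK.

```shell
#!/bin/sh
# Reverse SSH tunnel keeper (added example, not from the thread).
# Runs on WORK; dials HOME by its dynamic DNS name; re-dials when the
# address changes or the link drops. All names/ports below are assumptions.

HOME_HOST="${HOME_HOST:-home.example.org}"   # dynamic DNS name of HOME (assumed)
HOME_USER="${HOME_USER:-lou}"                # account on HOME (assumed)
REMOTE_PORT="${REMOTE_PORT:-2222}"           # port opened on HOME's loopback
LOCAL_SSH_PORT="${LOCAL_SSH_PORT:-22}"       # WORK's own sshd
KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts_home}"  # HOME's pinned key
RETRY_SECS="${RETRY_SECS:-60}"

# Resolve the dynamic DNS name; prints the first A record, or nothing.
resolve_home() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# True (exit 0) when a fresh address exists and differs from the cached one.
ip_changed() {
    old="$1"; new="$2"
    [ -n "$new" ] && [ "$old" != "$new" ]
}

# ssh argument list. The -R bind is 127.0.0.1 on HOME, so only someone already
# logged into HOME can reach WORK's sshd. Host key is pinned in a dedicated
# known_hosts under the DNS name (CheckHostIP=no because the address is
# expected to move); BatchMode forces key auth; ExitOnForwardFailure plus
# keepalives make ssh exit (and the loop re-dial) instead of hanging.
tunnel_args() {
    printf '%s' "-N -o BatchMode=yes -o ExitOnForwardFailure=yes \
-o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
-o StrictHostKeyChecking=yes -o CheckHostIP=no \
-o UserKnownHostsFile=$KNOWN_HOSTS \
-R 127.0.0.1:$REMOTE_PORT:127.0.0.1:$LOCAL_SSH_PORT $HOME_USER@$1"
}

log() { echo "$(date '+%F %T') $*" >&2; }

# Main loop: resolve, dial, and on any exit sleep and resolve again. The DNS
# lag Lou mentions simply shows up as a few rounds of "did not resolve" or
# connection refusals before the new address is published.
keep_tunnel() {
    last_ip=""
    while :; do
        ip="$(resolve_home "$HOME_HOST")"
        if ip_changed "$last_ip" "$ip"; then
            log "$HOME_HOST now resolves to $ip, dialing"
            last_ip="$ip"
        fi
        if [ -n "$ip" ]; then
            # shellcheck disable=SC2046  (word-splitting of the arg list is intended)
            ssh $(tunnel_args "$HOME_HOST") && rc=0 || rc=$?
            log "tunnel to $HOME_HOST exited (rc=$rc), retrying in ${RETRY_SECS}s"
        else
            log "$HOME_HOST did not resolve, retrying in ${RETRY_SECS}s"
        fi
        sleep "$RETRY_SECS"
    done
}

# Only start dialing when invoked as `./tunnel.sh --run`; sourcing the file
# just defines the functions.
if [ "${1-}" = "--run" ]; then
    keep_tunnel
fi
```

Before the first run, fetch HOME's host key once over a channel you trust (or from the console) into the dedicated known_hosts file; with `StrictHostKeyChecking=yes` the script will refuse, rather than silently accept, a different key if someone ever sits on the dynamic address between updates. Run it under `daemon(8)` or from `cron` with a lock file so only one copy dials at a time.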