From owner-freebsd-questions Sun Jan 12 17:43:38 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E9AA37B401 for ; Sun, 12 Jan 2003 17:43:34 -0800 (PST)
Received: from pop017.verizon.net (pop017pub.verizon.net [206.46.170.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4432343F43 for ; Sun, 12 Jan 2003 17:43:33 -0800 (PST) (envelope-from leblanc@keyslapper.org)
Received: from keyslapper.org ([68.160.2.29]) by pop017.verizon.net (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP id <20030113014332.XORY10203.pop017.verizon.net@keyslapper.org> for ; Sun, 12 Jan 2003 19:43:32 -0600
Received: from keyslapper.org (localhost [127.0.0.1]) by keyslapper.org (8.12.3/8.12.3) with ESMTP id h0D1hasP013155 for ; Sun, 12 Jan 2003 20:43:36 -0500 (EST) (envelope-from leblanc@keyslapper.org)
Received: (from leblanc@localhost) by keyslapper.org (8.12.3/8.12.3/Submit) id h0D1hZeh013154 for freebsd-questions@FreeBSD.ORG; Sun, 12 Jan 2003 20:43:35 -0500 (EST)
Date: Sun, 12 Jan 2003 20:43:35 -0500
From: Louis LeBlanc
To: freebsd-questions@FreeBSD.ORG
Subject: Re: VPN Newbie has a silly question
Message-ID: <20030113014335.GJ33785@keyslapper.org>
Reply-To: freebsd-questions@FreeBSD.ORG
Mail-Followup-To: freebsd-questions@FreeBSD.ORG
References: <20030112223203.GB33785@keyslapper.org> <20030112175907.S247@dhcp-17-14.kico2.on.cogeco.ca> <20030113002901.GI33785@keyslapper.org> <040701c2ba9b$a57d6170$7419cdcd@ticking>
Mime-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <040701c2ba9b$a57d6170$7419cdcd@ticking>
User-Agent: Mutt/1.5.3i
X-Authentication-Info: Submitted using SMTP AUTH LOGIN at pop017.verizon.net from [68.160.2.29] at Sun, 12 Jan 2003 19:43:32 -0600
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On 01/12/03 07:35 PM, Adam Maas sat at the `puter and typed:
> Big question is 'Is that Cisco box doing NAT?' If so, you might as well
> stick to SSH Tunneling, because IPSEC won't do encryption through a NAT'ing
> firewall. Solution 3 is to look to see if anybody ported the GRE (CISCO
> Proprietary VPN Protocol) support from Linux.

I don't think it is doing NAT - I'll check before investing long nights
into this. And the Cisco client has been ported, but it hasn't been made
to work on FreeBSD in compatibility mode. One of the folks I work with
tried for a while and gave up. Something to do with a hardcoded ethernet
interface and some weirdness with making it configurable or changing it
at all. I've never gotten a look at the code myself, but I've been
severely discouraged from attempting it. I don't know why.

Thanks for the heads up.
Lou

> --Adam
>
> ----- Original Message -----
> From: "Louis LeBlanc"
> To: "FreeBSD Questions"
> Sent: Sunday, January 12, 2003 7:29 PM
> Subject: Re: VPN Newbie has a silly question
>
>
> > On 01/12/03 06:22 PM, Dru sat at the `puter and typed:
> > >
> > >
> > > On Sun, 12 Jan 2003, Louis LeBlanc wrote:
> > >
> > > > Here's a complicated VPN question:
> > > >
> > > > I have one FreeBSD machine behind a firewall (let's call it WORK),
> > > > only way thru is via VPN - unfortunately, the VPN in use is an old
> > > > proprietary Cisco deal that has no client ported to FreeBSD.
> > > >
> > > > The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> > > > but with the dns name served thru Zoneedit.com - so anytime the IP
> > > > changes, there's maybe an hour or two of lag time while the auto
> > > > update scripts get the dns back on track.
> > > >
> > > > What I want to do is initiate a VPN connection from WORK to HOME, and
> > > > here's where I show my VPN ignorance, connect thru that VPN connection
> > > > from HOME to WORK. Basically I want to work from home on a secure
> > > > connection rather than just getting my work machine to pop a terminal
> > > > up on the home display over an insecure connection.
> > > >
> > > > I suspect this won't work this way, but I figure what the hell. The
> > > > worst that can happen is someone tells me I'm a dope and it don't work
> > > > that way.
> > > >
> > > > So will it, or not?
> > >
> > >
> > > It should be doable. You may have less hair than you started out with and
> > > learn more than you ever cared to about IPSec on the way to getting it to work,
> > > but it should work.
> >
> > Ok, then no deadlines . . . Thanks!
> >
> > > Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
> > > difference) Do you have the flexibility of getting its admin to create the
> > > necessary IPSec policy and access lists to allow you through? Is your new
> > > IP address always within the same network range? (that will make access
> > > lists much easier)
> >
> > No, it's a Cisco 5000, or some such thing. It isn't IPSEC compliant,
> > but has like 2 general passwords - in addition to the user password.
> > There was supposed to be some promotion from Cisco to upgrade it last
> > year, with free hardware, but our sysadmins were swamped at the time
> > and decided against it. Had they had the time, it would have become
> > IPSEC compliant.
> >
> > > These will get you started:
> > >
> > > klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
> > >
> > > www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html
> > >
> > > you want SC: Part 4: IP Security and Encryption
> > >
> > > Make sure you create a "dynamic" crypto map in addition to the regular
> > > crypto map. Authentication may prove interesting due to the dynamic IP;
> > > you'll want to read up carefully on your possibilities.
> > >
> > > As a side note, it may prove easier to just configure ssh on the
> > > destination computer and create the necessary rule to allow the
> > > connection on the access list on the Cisco thingie. Just a thought.
> > >
> > > Good luck,
> > >
> > > Dru
> >
> > I'll start on that. What I'll do is look out for a connection failure
> > hook of sorts, and just write a script to reinitialize the connection
> > when the IP changes. Shouldn't be too hard to monitor that and write
> > a catch script to fix the configs and reestablish the connection.
> >
> > Thanks a bunch.
> > Lou
> > --
> > Louis LeBlanc leblanc@keyslapper.org
> > Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> > http://www.keyslapper.org
> >
> > nolo contendere:
> > A legal term meaning: "I didn't do it, judge, and I'll never do it again."
> >
>
> --Adam

--
Louis LeBlanc leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Reporter, n.:
A writer who guesses his way to the truth and dispels it with a tempest of words.
-- Ambrose Bierce, "The Devil's Dictionary"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
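Both Adam's "stick to SSH tunneling" and Dru's "just configure ssh on the destination computer" point at the same design, and Lou's follow-up plan (a script that notices the home IP changing and re-establishes the connection) is the other half of it. The script below is an added example, not code from anyone in the thread. It runs on WORK, which only needs outbound ssh through the Cisco box, and opens a reverse tunnel to HOME so that HOME can reach WORK's sshd over its own loopback, which is exactly the "initiate from WORK, connect from HOME to WORK" direction Lou asked about. The hostname home.example.org, user "lou", key path ~/.ssh/home_tunnel, port 2222 and the state file path are all placeholders I made up; the DNS lookup uses host(1) and awk, which is an assumption about what is on the box.

```shell
#!/bin/sh
# Added example, not code from the thread. Keeps a reverse SSH tunnel from
# WORK (behind the Cisco box, which must allow outbound ssh) up to HOME, so
# HOME can reach WORK's sshd over loopback with no inbound hole at work.
# Placeholders (assumptions): home.example.org, user "lou", key
# ~/.ssh/home_tunnel, state file /var/tmp/home_tunnel.ip.

HOME_HOST="${HOME_HOST:-home.example.org}"     # Zoneedit-style dynamic DNS name
HOME_USER="${HOME_USER:-lou}"
REMOTE_PORT="${REMOTE_PORT:-2222}"             # listener opened on HOME's loopback
LOCAL_PORT="${LOCAL_PORT:-22}"                 # sshd on WORK
KEY="${KEY:-$HOME/.ssh/home_tunnel}"           # dedicated key; restrict it on HOME
STATE="${STATE:-/var/tmp/home_tunnel.ip}"      # last address HOME resolved to
RETRY="${RETRY:-60}"                           # seconds between attempts

# One ssh invocation. -R binds only to 127.0.0.1 on HOME (no GatewayPorts),
# ExitOnForwardFailure makes ssh exit instead of sitting there with no tunnel,
# ServerAlive* turns a silently dead link into a reconnect within ~90 s, and
# StrictHostKeyChecking=yes means HOME's key must already be in known_hosts
# (it is keyed by the hostname, so HOME's address changing does not break it).
build_ssh_cmd() {
    echo "ssh -i $KEY -N -o ExitOnForwardFailure=yes" \
         "-o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
         "-o StrictHostKeyChecking=yes" \
         "-R 127.0.0.1:$REMOTE_PORT:127.0.0.1:$LOCAL_PORT" \
         "$HOME_USER@$HOME_HOST"
}

# Current A record for HOME; empty while Zoneedit has not caught up yet.
resolve_home() {
    host -t A "$HOME_HOST" 2>/dev/null | awk '/has address/ { print $NF; exit }'
}

# Exit status 0 when the address differs from the one recorded last time.
ip_changed() {
    old=""
    [ -f "$STATE" ] && old=$(cat "$STATE")
    [ "$1" != "$old" ]
}

record_ip() {
    printf '%s\n' "$1" > "$STATE"
}

# Loop forever: ssh returns whenever the link drops (or the name does not
# resolve yet), and the loop simply brings the tunnel back up.
maintain_tunnel() {
    while :; do
        addr=$(resolve_home)
        if [ -z "$addr" ]; then
            sleep "$RETRY"
            continue
        fi
        if ip_changed "$addr"; then
            logger -t home_tunnel "HOME moved to $addr, reconnecting"
            record_ip "$addr"
        fi
        eval "$(build_ssh_cmd)"
        sleep "$RETRY"
    done
}

if [ "${TUNNEL_RUN:-0}" = "1" ]; then
    maintain_tunnel
fi
```

Run it on WORK as `TUNNEL_RUN=1 sh home_tunnel.sh &` (or from cron with a lock file); on HOME, `ssh -p 2222 localhost` then lands on WORK's sshd. The key in HOME's authorized_keys should carry `no-pty,no-agent-forwarding,no-X11-forwarding` so that a stolen key is only good for holding the tunnel up, and because the -R listener is bound to 127.0.0.1 on HOME nothing on HOME's outside interface is exposed. Whether the Cisco box does NAT is irrelevant here, which is the practical reason the SSH route avoids the IPsec-through-NAT problem Adam raised.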