Date: Sun, 12 Jan 2003 20:43:35 -0500
From: Louis LeBlanc <leblanc+freebsd@keyslapper.org>
To: freebsd-questions@FreeBSD.ORG
Subject: Re: VPN Newbie has a silly question
Message-ID: <20030113014335.GJ33785@keyslapper.org>
In-Reply-To: <040701c2ba9b$a57d6170$7419cdcd@ticking>
References: <20030112223203.GB33785@keyslapper.org> <20030112175907.S247@dhcp-17-14.kico2.on.cogeco.ca> <20030113002901.GI33785@keyslapper.org> <040701c2ba9b$a57d6170$7419cdcd@ticking>
On 01/12/03 07:35 PM, Adam Maas sat at the `puter and typed:
> Big question is 'Is that Cisco box doing NAT?' If so, you might as well
> stick to SSH Tunneling, because IPSEC won't do encryption through a NAT'ing
> firewall. Solution 3 is to look to see if anybody ported the GRE (CISCO
> Proprietary VPN Protocol) support from Linux.

I don't think it is doing NAT - I'll check before investing long nights
into this.

And the Cisco client has been ported, but it hasn't been made to work on
FreeBSD in compatibility mode. One of the folks I work with tried for a
while and gave up. Something to do with a hardcoded ethernet interface and
some weirdness with making it configurable or changing it at all. I've
never gotten a look at the code myself, but I've been severely discouraged
from attempting it. I don't know why.

Thanks for the heads up.
Lou

> --Adam
>
> ----- Original Message -----
> From: "Louis LeBlanc" <leblanc+freebsd@keyslapper.org>
> To: "FreeBSD Questions" <freebsd-questions@FreeBSD.ORG>
> Sent: Sunday, January 12, 2003 7:29 PM
> Subject: Re: VPN Newbie has a silly question
>
>
> > On 01/12/03 06:22 PM, Dru sat at the `puter and typed:
> > >
> > > On Sun, 12 Jan 2003, Louis LeBlanc wrote:
> > >
> > > > Here's a complicated VPN question:
> > > >
> > > > I have one FreeBSD machine behind a firewall (let's call it WORK),
> > > > only way thru is via VPN - unfortunately, the VPN in use is an old
> > > > proprietary Cisco deal that has no client ported to FreeBSD.
> > > >
> > > > The other machine (also FreeBSD, call it HOME), is on a dynamic IP,
> > > > but with the dns name served thru Zoneedit.com - so anytime the IP
> > > > changes, there's maybe an hour or two of lag time while the auto
> > > > update scripts get the dns back on track.
> > > >
> > > > What I want to do is initiate a VPN connection from WORK to HOME, and
> > > > here's where I show my VPN ignorance, connect thru that VPN connection
> > > > from HOME to WORK. Basically I want to work from home on a secure
> > > > connection rather than just getting my work machine to pop a terminal
> > > > up on the home display over an insecure connection.
> > > >
> > > > I suspect this won't work this way, but I figure what the hell. The
> > > > worst that can happen is someone tells me I'm a dope and it don't work
> > > > that way.
> > > >
> > > > So will it, or not?
> > >
> > > It should be doable. You may have less hair than you started out with and
> > > learn more than you ever cared to about IPSec on the way to getting it to
> > > work, but it should work.
> >
> > Ok, then no deadlines . . . Thanks!
> >
> > > Now, is this Cisco deal a concentrator, a PIX, or a router? (it makes a
> > > difference) Do you have the flexibility of getting its admin to create the
> > > necessary IPSec policy and access lists to allow you through? Is your new
> > > IP address always within the same network range? (that will make access
> > > lists much easier)
> >
> > No, it's a Cisco 5000, or some such thing. It isn't IPSEC compliant,
> > but has like 2 general passwords - in addition to the user password.
> > There was supposed to be some promotion from Cisco to upgrade it last
> > year, with free hardware, but our sysadmins were swamped at the time
> > and decided against it. Had they had the time, it would have become
> > IPSEC compliant.
> >
> > > These will get you started:
> > >
> > > klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
> > >
> > > www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guides_books_list.html
> > >
> > > you want SC: Part 4: IP Security and Encryption
> > >
> > > Make sure you create a "dynamic" crypto map in addition to the regular
> > > crypto map. Authentication may prove interesting due to the dynamic IP;
> > > you'll want to read up carefully on your possibilities.
> > >
> > > As a side note, it may prove easier to just configure ssh on the
> > > destination computer and create the necessary rule to allow the
> > > connection on the access list on the Cisco thingie. Just a thought.
> > >
> > > Good luck,
> > >
> > > Dru
> >
> > I'll start on that. What I'll do is look out for a connection failure
> > hook of sorts, and just write a script to reinitialize the connection
> > when the IP changes. Shouldn't be too hard to monitor that and write
> > a catch script to fix the configs and reestablish the connection.
> >
> > Thanks a bunch.
> > Lou
> > --
> > Louis LeBlanc leblanc@keyslapper.org
> > Fully Funded Hobbyist, KeySlapper Extrordinaire :)
> > http://www.keyslapper.org
> >
> > nolo contendere:
> > A legal term meaning: "I didn't do it, judge, and I'll never do it
> > again."
>

--
Louis LeBlanc leblanc@keyslapper.org
Fully Funded Hobbyist, KeySlapper Extrordinaire :)
http://www.keyslapper.org

Reporter, n.:
A writer who guesses his way to the truth and dispels it with a tempest
of words.
-- Ambrose Bierce, "The Devil's Dictionary"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
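The SSH-tunnel alternative that Adam and Dru suggest, and the "script to reinitialize the connection when the IP changes" that Lou plans, fit together in one small shell script. What follows is an added example written for this archive page; it is not code from anyone in the thread or from the FreeBSD project. It runs on WORK and uses an OpenSSH reverse forward (`-R`): WORK makes the outbound connection to HOME (which is what gets through a NAT'ing firewall), and HOME's sshd listens on a loopback port that is forwarded back to WORK's sshd. The host name `home.example.org`, the user `lou`, the port 2222, and WORK's sshd listening on port 22 are all assumptions made up for the example.

```sh
#!/bin/sh
# Added example for the reverse-tunnel approach suggested in the thread
# (SSH instead of IPsec). Not code from the thread or from FreeBSD.
#
# Run on WORK. It opens an outbound SSH session to HOME (outbound connections
# pass a NAT'ing firewall, which is why SSH was suggested over IPsec) and asks
# HOME's sshd to listen on HOME's loopback port $REMOTE_PORT, forwarding it
# back to WORK's sshd on port 22. From HOME you then log into WORK with:
#     ssh -p 2222 localhost
#
# Hypothetical assumptions: HOME is reachable as home.example.org, user "lou"
# has a key-based account there, and WORK's sshd listens on 127.0.0.1:22.

HOME_HOST="${HOME_HOST:-home.example.org}"
HOME_USER="${HOME_USER:-lou}"
REMOTE_PORT="${REMOTE_PORT:-2222}"   # port on HOME that reaches WORK:22
RETRY_SECONDS="${RETRY_SECONDS:-60}" # wait between reconnect attempts

# The -R argument: bind to loopback on HOME only, so the listener is not
# reachable from HOME's network even if GatewayPorts were ever enabled there.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:22' "$REMOTE_PORT"
}

# One tunnel session. ssh returns when the link dies, which is how an IP
# change at HOME (the dynamic-DNS case in the thread) is noticed:
#  - ServerAlive* makes ssh give up on a silently dead link after ~90 s;
#  - ExitOnForwardFailure fails fast if the port on HOME is still held by a
#    stale session, instead of sitting there with no working forward;
#  - BatchMode refuses to prompt, so an unattended loop never hangs on a
#    password or host-key question (the host key must already be known).
start_tunnel() {
    ssh -N \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "$(forward_spec)" \
        "${HOME_USER}@${HOME_HOST}"
}

# Keep re-establishing the tunnel. While Zoneedit still serves the stale
# address, ssh simply fails (name resolves to a dead host, or the host key
# does not match) and we try again later, so the hour or two of DNS lag
# mentioned in the thread is ridden out without manual intervention.
tunnel_loop() {
    while :; do
        start_tunnel
        sleep "$RETRY_SECONDS"
    done
}

case "${1:-}" in
    run) tunnel_loop ;;
esac
```

Start it on WORK with `sh tunnel.sh run` (under `nohup`, `screen`, or an rc script), then from HOME run `ssh -p 2222 localhost` to land on WORK over the encrypted session. Two things a practitioner should check before relying on it: the loopback listener on HOME is usable by any local account there, so HOME's accounts and the key WORK uses should be as locked down as the work side; and a persistent inbound path into WORK's network bypasses whatever policy the Cisco box enforces, which is exactly the kind of thing to clear with the admins Dru mentions rather than surprise them with.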