Date:      Fri, 25 Jan 2002 00:11:32 +0200
From:      "Vadim E. Martysh" <vadim@offshorecode.com>
To:        dr3node <rtfm@webburo.ru>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Can't set up an IPsec tunnel.
Message-ID:  <20020125001132.A856@kuguar.offshorecode.com>
In-Reply-To: <200201241551.AHW96968@vmms1.verisignmail.com>; from rtfm@webburo.ru on Thu, Jan 24, 2002 at 06:47:26PM +0300
References:  <200201241551.AHW96968@vmms1.verisignmail.com>

On Thu, Jan 24, 2002 at 06:47:26PM +0300, dr3node wrote:
> The situation is:
> 
> [office network 192.168.0.0/24]
> 	|
>  	\/
> [gate: FreeBSD 4.5-RC]
> [fxp1 192.168.0.1]
> [natd]
> [fxp0 192.168.4.11]
> [default gateway 192.168.4.1]
> 	|
> 	\/
> [gate: 192.168.4.1 (not mine)]
> [RedHat 6.1]
> [masquerade everything (tcp, udp) going from my fbsd gate as from 111.111.11.1]
> [masquerade everything (tcp, udp) coming from the internet to 111.111.11.1 to my
> fbsd gate so I almost have a real IP on my gate]
> 	|
> 	\/
> 	(internet)
> 	|
> 	\/
> [host on collocation: FreeBSD 4.5-RC]
> [ip: 222.222.22.2]
> 
> I need to set up the tunnel between my 2 FreeBSD hosts so everything in and
> out of the office network'll go through the host on collocation.
> (office)->(fbsd gate)->(tunnel)->(fbsd host)->(internet)
> and I just can't do that.
> and nobody knows how to do that.
> please help me somebody or my boss will rape and kill me(or kill and rape me).
> 
> Thank you.
The thing below is not really IPsec (although you might run real IPsec on
top of the link described), but anyways.....
If you can get (which you most probably can) port 22/tcp (in fact,
anything/tcp) from one host to another, there can be a very easy way to get
a secure IP link between the two points. It is very much like demand-dialing,
except you don't dial a number.
ppp(8) or pppd(8) might be very, very helpful (pppd is preferred to ppp if
building a tunnel between different environments, e.g., a Linux and a *BSD box).
2.3.7+ pppds support the 'pty' option that allows a program's stdin/stdout
pair to be used instead of a conventional character device
(a pseudo-tty is allocated).
The algorithm is straightforward:
user@host1:~>pppd pty 'ssh -t [-i identityfile] user@host2 \
/path/to/pppd [options]' [options]
-t (force pty allocation) is important. The question 'why' is probably a
little more complicated than what it might seem from the first glance, so
skip it for now.
pppd(8) and ppp(8) provide comparatively easy ways to recover from link loss
("persistent dialing") as well as "demand-dialing" to save traffic.
This odd method of setting up a secure tunnel between hosts has a number of
positive points about it (i.e., only 1 TCP port has to be reachable through
all of the masquerades and firewalls, with even a single-direction connection
setup being quite enough); however, there are negative ones as well.
The one I used to suffer from is a flush of the translation table on a
box in between (e.g., someone does ipnat -F -C -f /etc/ipnat.rules).
An extra suid program (or a public key to a privileged account) is yet
another one.
Also, the pppd 2.3.9 I used (which was a pretty long time ago) had to be
patched a little bit to compile under FreeBSD 4.x.
(Hm..just discovered
pppd(8) is 2.3.5 on my 4.3-RELEASE box with a minimal set of security
fixes...well, nowadays ppp(8) is even better)
 
I anyway found the idea worth sharing after having played with it for some time.
'Conventional' IPsec (which I happen to have been using since OpenBSD 2.6 came out) is
nice, but sometimes an easy, straightforward solution happens to be better than
a lot of time spent on its nontrivial one-time configuration.


--  
Vadim E. Martysh
Chief Researcher
Offshorithms Co.
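The pppd-over-ssh link Vadim describes, written out as a small FreeBSD sh script with the persist/demand options he mentions and a forced-command key that addresses his "public key to a privileged account" concern. This is an added example, not code from the thread; the colo address and upstream gateway are the ones from the thread, while the ppp account, key path and the 10.255.0.0/30 link addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original message). Placeholders: the ppp
# account, key path and 10.255.0.x link addresses; the colo address and the
# upstream gateway are the ones from the thread.
set -eu
COLO_IP=${COLO_IP:-222.222.22.2}            # host on collocation (from thread)
UPSTREAM_GW=${UPSTREAM_GW:-192.168.4.1}     # the RedHat gate (from thread)
REMOTE=${REMOTE:-ppp@$COLO_IP}              # dedicated unprivileged account (placeholder)
IDENTITY=${IDENTITY:-/etc/ppp/tunnel_key}   # passphrase-less, root-only key (placeholder)
LOCAL_PPP_IP=${LOCAL_PPP_IP:-10.255.0.1}    # office gate's end of the link (placeholder)
REMOTE_PPP_IP=${REMOTE_PPP_IP:-10.255.0.2}  # colo end of the link (placeholder)
REMOTE_PPPD=${REMOTE_PPPD:-/usr/sbin/pppd}

# ssh leg: -t forces a pty so the remote pppd finds a terminal on stdin;
# BatchMode never blocks on a password prompt at boot; ServerAlive notices a
# dead path (e.g. a flushed NAT table in between) so pppd's persist logic
# redials instead of sitting on a half-open TCP session.
ssh_cmd() {
    printf 'ssh -t -i %s -o BatchMode=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s %s nodetach noauth %s:%s' \
        "$IDENTITY" "$REMOTE" "$REMOTE_PPPD" "$REMOTE_PPP_IP" "$LOCAL_PPP_IP"
}
# local pppd: pty hands it the ssh process's stdin/stdout instead of a serial
# device; persist/holdoff redial after loss; demand/idle only bring the ssh
# session up when office traffic needs it; defaultroute sends the office out
# via the colo (the colo side must NAT 192.168.0.0/24 itself).
pppd_cmd() {
    printf 'pppd pty "%s" %s:%s noauth nodetach persist holdoff 5 demand idle 600 defaultroute lcp-echo-interval 15 lcp-echo-failure 4' \
        "$(ssh_cmd)" "$LOCAL_PPP_IP" "$REMOTE_PPP_IP"
}
# authorized_keys line for the colo account: the key can only start pppd and
# gets none of ssh's other services, so a leaked key is not a shell. sshd
# then ignores the command sent by ssh_cmd and runs this one instead.
authorized_keys_line() {
    printf 'command="%s nodetach noauth %s:%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBKEY-PLACEHOLDER>' \
        "$REMOTE_PPPD" "$REMOTE_PPP_IP" "$LOCAL_PPP_IP"
}
# Pin the colo host to the old upstream gateway first; otherwise defaultroute
# over ppp0 would try to carry the ssh session inside its own tunnel.
tunnel_up() {
    route add -host "$COLO_IP" "$UPSTREAM_GW"
    eval "$(pppd_cmd)"
}
case "${1:-}" in
    up)   tunnel_up ;;
    key)  authorized_keys_line; echo ;;
    show) pppd_cmd; echo ;;
esac
```

Run it as `sh tunnel.sh show` to inspect the command line, `key` to print the authorized_keys entry for the colo account, and `up` (as root on the office gate) to bring the link up.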
