Your whole office (or family) can surf the World Wide Web, chat, do file transfers, play games and telecommute at the same time.
VPN Masquerade is the part of IP Masquerade which enables you to use IPSec-based and PPTP-based Virtual Private Network clients from behind a shared-access firewall.
This is primarily used for masquerading IPSec and PPTP VPN clients:
No other software is needed to masquerade VPN clients.

    IPSec Client  -.
                   |     Linux                                    IPSec
    PPTP Client   -+-->  Masq and  -->  Internet  -->  Firewall  -->  or PPTP
                   |     Firewall                                    Server
    Others        -+
It can also be used to provide access to a Private Network IPSec or PPTP server behind a Linux firewall...
To do this you will also need the ipportfw port-forwarding kernel patch and configuration tool to forward the initial 500/udp ISAKMP key-exchange and/or 1723/tcp PPTP control channel traffic in to the server, and the IPFwd generic IP forwarding utility to forward the initial IPSec ESP and/or PPTP GRE traffic in to the server. Details are available in the VPN Masquerade HOWTO.

    IPSec                                     Linux           Private-IP
    or PPTP  -->  Internet  -->  Firewall  -->  PPTP or IPSec
    Client                                                    Server
If your VPN is based on tunnelling PPP over Secure Shell (as described in the VPN mini-HOWTO) it is handled by the standard IP Masquerade code, as ssh is a purely TCP protocol. You'll still need ipportfw if the VPN server is masqueraded (behind the firewall, with a private-network IP address) rather than on the firewall itself.
Once VPN Masquerade is configured you will no longer need to dial your ISP directly from your VPN client (or plug your VPN client into your cable modem) when you wish to access your VPN server. This means that all of the benefits of Linux shared access to the Internet remain available even while you are using your VPN to access a remote network - assuming, of course, your VPN server is available over the Internet. (If it isn't then VPN Masquerade probably won't buy you much.)
In fact, with proper configuration of your local network you can simultaneously access the Internet and your private (corporate?) network (over the VPN) from all of the computers on your local network. I do this every day while working from my home.
Note for W'95/'98 VPN client users: sorry, but the W'95/'98 IP stack does not support IP forwarding (can we say "Brain Dead"?) or more than one simultaneous PPTP session.
If you are using a kernel release earlier than 2.0.37 you can download the patch from: [ FTP Mirror 1 | HTTP Mirror 1 ]
To download using Lynx: highlight the link, press "d" (download), and select "Save to Disk".
Second, make sure that you have IP Masquerading compiled into your kernel and working properly. Setting up masquerading itself is beyond the scope of this document, and there is a HOWTO already available that describes the process. Also, I have written a GUI wrapper for the ipfwadm command that makes managing firewall and masquerade setup easier.
Third, make sure that your VPN connection works when you dial your ISP directly from your VPN client system.
This modification will go down much more easily if you take small bites and chew them thoroughly. Said another way, don't try to change six things simultaneously...
To install and configure VPN Masquerade, follow the directions given in the VPN Masquerade HOWTO, available at: [ FTP Mirror 1 | HTTP Mirror 1 ]
Notes and other sites of interest
The IPSec AH protocol (51/ip) incorporates a cryptographic checksum including the IP addresses in the IP header. Since masquerading changes those IP addresses and since the cryptographic checksum cannot be recalculated by the masquerading firewall, the masqueraded packets will fail the checksum test and will be discarded by the IPSec server. Therefore, IPSec implementations that use the AH protocol cannot be successfully masqueraded. Sorry.
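To make the AH point concrete, here is an added illustration in Python (not code from this page, the HOWTO, or the VPN Masquerade patch). It builds a toy AH packet whose ICV is an HMAC-SHA1-96 over the immutable IP header fields, the AH header and the payload, then passes it through a plain router (which only decrements the TTL, a mutable field that AH excludes) and through a masquerading firewall (which rewrites the source address, which AH covers). The addresses, SPI and key are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# Added illustration (not the page's or the kernel patch's code): a toy AH packet
# with an HMAC-SHA1-96 ICV, shown surviving a plain router but not a masquerading
# firewall. Addresses, SPI and key below are constructed sample values.

IPPROTO_AH = 51
ICV_LEN = 12  # HMAC-SHA1-96 truncates the HMAC to 96 bits


def ipv4_checksum(hdr):
    """Standard one's-complement checksum over a 20-byte header (checksum field zeroed)."""
    words = struct.unpack("!10H", hdr[:10] + b"\x00\x00" + hdr[12:20])
    s = sum(words)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header (DF set, no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(ip_hdr):
    """AH (RFC 2402) treats TOS, flags/fragment offset, TTL and the header checksum
    as mutable and zeroes them before computing the ICV. The source and destination
    addresses are immutable, so they ARE covered by the ICV."""
    b = bytearray(ip_hdr)
    b[1] = 0                 # TOS
    b[6:8] = b"\x00\x00"     # flags + fragment offset
    b[8] = 0                 # TTL
    b[10:12] = b"\x00\x00"   # header checksum
    return bytes(b)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    """ICV over: immutable IP header fields + AH header (ICV field as zeros) + payload."""
    covered = zero_mutable_fields(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, spi, seq, payload, next_header=17):
    """IPv4 header + AH header + ICV + payload, as the IPSec client would send it."""
    # AH fixed part: next header, payload length (32-bit words minus 2), reserved, SPI, sequence
    ah_len_words = (12 + ICV_LEN) // 4 - 2
    ah_fixed = struct.pack("!BBHII", next_header, ah_len_words, 0, spi, seq)
    ip_hdr = build_ipv4_header(src, dst, IPPROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    icv = ah_icv(key, ip_hdr, ah_fixed, payload)
    return ip_hdr + ah_fixed + icv + payload


def verify_ah_packet(key, packet):
    """What the IPSec server does on receipt: recompute the ICV and compare."""
    ip_hdr, ah_fixed = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(key, ip_hdr, ah_fixed, payload), icv)


def forward(packet, new_src=None):
    """One hop on the path: decrement TTL and fix the IP checksum. A masquerading
    firewall additionally rewrites the source address (new_src)."""
    b = bytearray(packet)
    b[8] -= 1
    if new_src is not None:
        b[12:16] = socket.inet_aton(new_src)
    b[10:12] = struct.pack("!H", ipv4_checksum(bytes(b[:20])))
    return bytes(b)


def demo():
    """Returns (original ok, routed ok, masqueraded ok)."""
    key = b"constructed-demo-key"
    pkt = build_ah_packet(key, "192.168.1.10", "203.0.113.5",
                          spi=0x1000, seq=1, payload=b"hello")
    routed = forward(pkt)                               # plain router: only mutable fields change
    masqueraded = forward(pkt, new_src="198.51.100.1")  # masquerade: source address rewritten
    return (verify_ah_packet(key, pkt),
            verify_ah_packet(key, routed),
            verify_ah_packet(key, masqueraded))


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The routed packet still verifies because AH deliberately excludes the fields every hop changes (TTL, checksum), but the masqueraded one fails because the rewritten source address is inside the authenticated region and the firewall has no key with which to recompute the ICV. ESP's integrity check, by contrast, does not cover the outer IP header, which is why ESP-based clients can be masqueraded as the rest of this page describes.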
If you want to implement an IPSec-based VPN on Linux, please visit the Linux FreeS/WAN site.
Please visit the Microsoft security announcements site for an important PPTP security update for Microsoft PPTP clients and servers. You may also be interested in an analysis of Microsoft's implementation of the PPTP protocol by one of the most respected members of the Crypto community. A second analysis and third analysis by others are also available.
There is also a freely-available native Linux PPTP client and server. Note that this software currently does not include encryption, but see this site or send email to Paul Cadach <paul@odt.east.telecom.kz> for M$-compatible encryption/compression patches for pppd.
Profuse thanks to Gordon Chaffee for coding and sharing a patch to traceroute that allows tracing GRE traffic. It should prove invaluable in troubleshooting if your GRE traffic is being blocked somewhere. Get the patch from: [ FTP Mirror 1 | HTTP Mirror 1 ]
I've been using a masqueraded VPN through various incarnations of this patch with great success since September 7, 1997.
I only have an x86 box to test this on. Comments from users on other architectures are solicited.
The 2.1.65+ kernels natively support a tunnelling protocol based on GRE, but do not support PPTP natively in any way. See the HOWTO for more details on 2.1.x and 2.2.x kernels.
The patch conflicts with the IP Firewall Chains and ipportfw patches in trying to patch the kernel config files. This is non-critical. See the HOWTO for more details.
Yes, I know that IPSec is peer-to-peer.
Disclaimer: No guarantees of functionality. Keep a working compiled kernel around in case this blows up.