VPN behind dedicated home software firewall
#1
Scooby Regular
Thread Starter
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239
Likes: 0
Received 1 Like on 1 Post
I've now got my hands on the software to connect to our work VPN... Nortel Contivity or Summit... anyway I am using Proxy Server at the moment to provide our connection from our internal LAN to our external LAN... I want to be able to run VPN from behind here.. and I'm sure it can be done with RRAS and Proxy, but I'm thinking of swapping to ISA Server, anybody got any alternatives, preferably WinNT 4 / 2K based but will go with others... must support port redirection inbound as well..
David
#10
OOPS... That didn't really read very well... it's a Contivity 1600 and that's at work.
I run Proxy Server at home... and am considering replacing it with ISA... Sorry Jeff, bet you thought you could sell something then when I mentioned Proxy to ISA....
My home network is 192.168.0.x
External Ip is x.x.x.x
My PC is 192.168.0.6 or whatever...
I want to run the Nortel client on mine and connect to x.x.x.x through my gateway...
What should I run on my 'home gateway', as Proxy Server is poo...
Don't really want to run Linux, but if someone wants to give me detailed instructions... What's about... suppose I could, err, download a trial of Firewall-1 / Raptor (used at work)
David
#13
My connection is via Tele2 terminated on RJ45... I'm not up for changing to a hardware-based hub / router... this must be software-based to sit on my dedicated server... don't ask why... just must
Don't really care what the Nortel uses, as I think the client software worries about that...
David
#14
If you want to NAT (as you do) then you have to worry about the protocol to ensure a) the device NATting understands it and b) the correct ports/protocols are permitted through your security.
e.g. MS PPTP VPN needs TCP Port 1723 and IP Protocol 47
#16
Personally, if you don't want a full Linux distro then try Smoothwall. Nice web interface, takes all the Linux hassle away.
Alternatively, if you have access to an "eval" copy of FW-1 and your box is already NT, 2K or XP - stick that on. Very easy to configure FW-1, but make sure you lock the OS down properly. Plenty of articles around and it's not my thing so can't advise exactly how.
Either would be streets ahead of a plain poxy server.
Deano
#17
NT / 2K is my thing so securing the box wouldn't be a problem... I've heard that FW-1 can be hard to config... just looking into ISA at the moment... is Smoothwall freeware / open source or buy??? What does it run on, RH 7.1?
Any sites to look at?
David
#18
For a one-box solution, with firewall, management and client all on the same box, merely to allow specific (or all) outbound services and deny inbound, plus NAT behind the red-side address.
You're looking at 5 mins tops.
Oh, and www.phoneboy.com, it goes over that.
Firewall-1 with huge rulesets and a myriad of objects maintained by different people, all with their own naming conventions = hard to configure
One box, 2 rules and some NAT = P*** easy
Deano
#21
I'm fairly sure it uses IPsec.... so how do I use IPsec from my own PC, apart from sticking the internet connection straight into this machine??
David
#23
?? Anybody got any ideas?? Just doing an install of ISA.. but don't think this supports it, looking on isaserver.org
David
#25
The client mentions traversing NAT with IPsec.. any ideas / other protocols? L2TP??
David
#26
There is a very good article here on IPsec/NAT issues. VPNs do not have to implement the AH mentioned by Andrew above. If it's purely payload encryption then it can traverse NAT.
If the client you have is designed for home working, it's likely to be able to be configured to work through NAT. I'd stick with FW-1, have an "Any-Inside to Internet, Permit" rule and see how you get on.
Deano
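An added illustration of Deano's point, not from the thread: a simplified Python model of why an AH integrity check cannot survive source NAT while an ESP check can. It uses HMAC-SHA256 over a string rendering of the header in place of the real AH/ESP ICV construction, leaves out the other immutable header fields AH covers, and every address except 192.168.0.6 is a constructed documentation-range stand-in for the x.x.x.x in the posts.

```python
"""Why AH fails behind NAT while ESP survives: a simplified integrity model."""
import hashlib
import hmac
from dataclasses import dataclass, replace

KEY = b"constructed-demo-sa-key"  # shared SA key, constructed for the example

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""

def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()

def _ah_scope(pkt: Packet) -> bytes:
    # AH authenticates the immutable IP header fields (source, destination,
    # and others omitted here) together with the payload, so a rewritten
    # source address invalidates the ICV.
    return f"{pkt.src}|{pkt.dst}|".encode() + pkt.payload

def ah_protect(pkt: Packet) -> Packet:
    return replace(pkt, icv=_mac(_ah_scope(pkt)))

def ah_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(_mac(_ah_scope(pkt)), pkt.icv)

def esp_protect(pkt: Packet) -> Packet:
    # ESP's ICV covers only the ESP header and (encrypted) payload; the
    # outer IP header is outside its scope, so NAT may rewrite it freely.
    return replace(pkt, icv=_mac(pkt.payload))

def esp_verify(pkt: Packet) -> bool:
    return hmac.compare_digest(_mac(pkt.payload), pkt.icv)

def nat_outbound(pkt: Packet, public_ip: str) -> Packet:
    # Source NAT on the home gateway: the private address is swapped for
    # the gateway's public one; the ICV field is carried through untouched.
    return replace(pkt, src=public_ip)

def demo() -> dict:
    # 192.168.0.6 is the PC from the thread; the other two addresses are
    # constructed documentation-range stand-ins for the x.x.x.x in the posts.
    inner = Packet("192.168.0.6", "203.0.113.10", b"encrypted-ipsec-payload")
    ah = nat_outbound(ah_protect(inner), "198.51.100.7")
    esp = nat_outbound(esp_protect(inner), "198.51.100.7")
    return {"ah_after_nat": ah_verify(ah), "esp_after_nat": esp_verify(esp)}
```

Even an ESP-only tunnel can still struggle behind a port-overloading NAT, because ESP carries no port numbers for the gateway to multiplex on; that is the gap the later NAT-traversal extensions (ESP encapsulated in UDP) closed.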
#28
David
I wasn't trying to sell you something......although I will if you want me to....
If your connection outbound is NAT'd then you need to use aggressive mode set-up, which only relies on the outbound connection rather than trying to connect another session from the called VPN device.
Seriously, call me and we'll discuss your options (at no charge!)
Jeff
#29
Couldn't find an eval of FW-1.
Jeff, I'll give you a call in a bit... just sorting some other problems.
David
#30
After an enlightening... (almost confusing) conversation with Jeff, I think I should be able to get this working... Just checked on the box and it looks like it does use aggressive mode... here's a bit of the log..
06/11/2002 22:49:46 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from dw3101 (x.x.x.x)
06/11/2002 22:49:47 0 Security [12] Session: IPSEC[dw3101]:411 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:49:47 0 ISAKMP [02] ISAKMP SA established with dw3101 (x.x.x.x)
06/11/2002 22:49:47 0 Security [12] Session: IPSEC[dw3101]:411 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:49:48 0 Security [12] Session: IPSEC[dw3101]:411 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:49:48 0 Outbound ESP from x.x.x.x to x.x.x.x SPI 0x000f60c9 [03] ESP encap session SPI 0xc9600f00 bound to cpu 0
06/11/2002 22:49:48 0 Inbound ESP from x.x.x.x to x.x.x.x SPI 0x00061802 [03] ESP decap session SPI 0x2180600 bound to cpu 0
06/11/2002 22:49:48 0 ISAKMP [03] Established IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:51:21 0 ISAKMP [03] Deleting IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:51:21 0 ISAKMP [02] Deleting ISAKMP SA with dw3101 (x.x.x.x)
06/11/2002 22:57:59 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from dw3101 (x.x.x.x)
06/11/2002 22:57:59 0 Security [12] Session: IPSEC[dw3101]:412 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:58:00 0 ISAKMP [02] ISAKMP SA established with dw3101 (x.x.x.x)
06/11/2002 22:58:00 0 Security [12] Session: IPSEC[dw3101]:412 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:58:01 0 Security [12] Session: IPSEC[dw3101]:412 physical addresses: remote x.x.x.x local x.x.x.x
06/11/2002 22:58:01 0 Outbound ESP from x.x.x.x to x.x.x.x SPI 0x000ad1bb [03] ESP encap session SPI 0xbbd10a00 bound to cpu 0
06/11/2002 22:58:01 0 Inbound ESP from x.x.x.x to x.x.x.x SPI 0x0020485e [03] ESP decap session SPI 0x5e482000 bound to cpu 0
06/11/2002 22:58:01 0 ISAKMP [03] Established IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:59:41 0 ISAKMP [03] Deleting IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:59:41 0 ISAKMP [02] Deleting ISAKMP SA with dw3101 (x.x.x.x)
David
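As an added example, not from the thread or from Nortel, here is a Python parser for the Contivity log format David quoted: it groups lines per remote peer, records which IKE phase-1 mode was accepted and the ESP SPIs, and computes how long each pair of IPsec SAs lived. The sample is a subset of the lines above with the addresses masked exactly as posted; the timestamp is assumed to be day/month/year.

```python
"""Summarise Contivity ISAKMP/ESP log lines per remote peer."""
import re
from datetime import datetime

# Constructed sample: a subset of the lines quoted above, addresses masked as posted.
LOG = """\
06/11/2002 22:49:46 0 ISAKMP [02] Oakley Aggressive Mode proposal accepted from dw3101 (x.x.x.x)
06/11/2002 22:49:47 0 ISAKMP [02] ISAKMP SA established with dw3101 (x.x.x.x)
06/11/2002 22:49:48 0 Outbound ESP from x.x.x.x to x.x.x.x SPI 0x000f60c9 [03] ESP encap session SPI 0xc9600f00 bound to cpu 0
06/11/2002 22:49:48 0 Inbound ESP from x.x.x.x to x.x.x.x SPI 0x00061802 [03] ESP decap session SPI 0x2180600 bound to cpu 0
06/11/2002 22:49:48 0 ISAKMP [03] Established IPsec SAs with dw3101 (x.x.x.x):
06/11/2002 22:51:21 0 ISAKMP [03] Deleting IPsec SAs with dw3101 (x.x.x.x):
"""

LINE = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) \d+ (.*)$")
PEER = re.compile(r"(?:from|with) (\S+) \(")
SPI = re.compile(r"^(Outbound|Inbound) ESP .*? SPI (0x[0-9a-f]+)")
EVENTS = ("ISAKMP SA established", "Established IPsec SAs", "Deleting IPsec SAs")

def parse_tunnels(text: str) -> dict:
    """Return {peer: {"mode", "spis", "events"}}; ESP lines carry no peer
    name, so they are attributed to the peer of the last ISAKMP line seen."""
    tunnels, current = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m: continue
        # Timestamp assumed day/month/year (UK gateway), not US month/day.
        ts, msg = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S"), m.group(2)
        if p := PEER.search(msg):
            current = p.group(1)
            tunnels.setdefault(current, {"mode": None, "spis": [], "events": []})
        if current is None: continue
        t = tunnels[current]
        if "Aggressive Mode" in msg:  # phase 1 mode the gateway accepted
            t["mode"] = "aggressive"
        if s := SPI.match(msg):
            t["spis"].append((s.group(1).lower(), s.group(2)))
        t["events"].extend((e, ts) for e in EVENTS if e in msg)
    return tunnels

def phase2_lifetimes(t: dict) -> list:
    """Seconds each IPsec SA pair lived, pairing establish/delete in order."""
    out, start = [], None
    for event, ts in t["events"]:
        if event == "Established IPsec SAs":
            start = ts
        elif event == "Deleting IPsec SAs" and start is not None:
            out.append(int((ts - start).total_seconds()))
            start = None
    return out
```

On this sample it reports that peer dw3101 negotiated with aggressive mode and that the first IPsec SA pair lived 93 seconds. Aggressive mode is worth flagging in any such report, since it sends the initiator's identity unencrypted; main mode is preferable where both ends support it.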