VPN between two masqued subnets

Deven Phillips dphillips at viata.com
Fri Apr 27 04:18:00 PDT 2001


Jesse,

	Have I got an answer for you!! We just did a similar setup for our
co-location facility using FreeS/WAN. We have a Linux firewall in our
office (Linux 2.4.3 w/ FreeS/WAN) and another Linux firewall at our colo
facility with the same kernel. We set up FreeS/WAN to allow us tunneled
access to the masqued networks behind the firewalls. That means from my
workstation in the office I can telnet to our Cobalts across the VPN
without the data ever having a chance of being compromised.
Additionally, FreeS/WAN can do inline compression to allow for faster
transfer rates across the VPN. As for setting up the firewall rules, you
need only the following iptables rules:

	iptables -A INPUT -p esp -s <REMOTE> -d <VPN Interface> -j ACCEPT
	iptables -A INPUT -p ah -s <REMOTE> -d <VPN Interface> -j ACCEPT
	# IKE only needs UDP port 500, so limit the UDP rule to that port
	iptables -A INPUT -p udp -s <REMOTE> -d <VPN Interface> --dport 500 -j ACCEPT
	iptables -A INPUT -p tcp -s <REMOTE> -d <VPN Interface> -j ACCEPT
	iptables -A INPUT -j DROP

	This will allow only the ports and protocols needed to form the IPsec
tunnel on each end. The rules should be pretty much the same on each
end, and the only thing that will be different is the IP addresses. The
FreeS/WAN configuration is actually pretty well documented on their web
site, and tends to make a lot of sense. The only problem that we had
was configuring the routing to work properly, but that wasn't too hard
after we had a mental meltdown. Here's the basic idea:

	The [left/right]subnet parameters in the ipsec.conf file represent the
subnets that you want routed through. If you want all traffic
destined for 192.168.10.0/24 to pass across the VPN, set the subnet
parameter to that even if the subnet on the other end of the VPN is not
that subnet. I know it sounds stupid, but for some reason the insane
routing works.

	I can attest that FreeS/WAN is fast and stable. We have had no
problems with it other than getting our firewall rules tuned right, and
you can benefit from our experience.

I hope that this helps.

Deven Phillips, CISSP
Network Architect
Viata Online, Inc.

Jesse Manibusan wrote:
> 
> I am interested in establishing a VPN over RoadRunner and securely connecting 2
> masqueraded networks over the internet.  Also, I would like to learn how to
> open up the firewall to allow a trusted user from the outside to access
> https, ftps and some kind of secure email running behind a firewall.
> 
> Has anyone tried any of the above?

-- 
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d+ s: a- C++++ UL++++ P- L+++ E- W+ N++ o-- K w---
O M-- V- PS+ PE Y+ PGP++ 5+++ X+ R tv+ b+ DI+ D-
G e* h--- r++ y+++
------END GEEK CODE BLOCK------
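An added example, not part of Deven's message or of FreeS/WAN's own documentation: a script that prints (or, with IPT=iptables, applies) the firewall rules for the tunnel described above and emits the matching FreeS/WAN conn section. It narrows the UDP rule to IKE (port 500), adds the FORWARD rules for the decrypted traffic on the KLIPS ipsec0 interface, and exempts subnet-to-subnet traffic from MASQUERADE before the masquerading rule, which is the routing trap the post alludes to. The addresses 203.0.113.1/198.51.100.1, the subnets 192.168.10.0/24 and 192.168.20.0/24, the interface names and the conn name office-colo are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: firewall rules plus a FreeS/WAN
# "conn" section for a tunnel between two masqueraded subnets.
# All addresses, subnets and interface names are made-up placeholders.
# Dry run by default (rules are echoed); run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

# vpn_rules LOCAL_PUBLIC REMOTE_PUBLIC LOCAL_SUBNET REMOTE_SUBNET
vpn_rules() {
    # INPUT on the outside interface: only what the IPsec peer needs.
    # IKE is UDP port 500 on both ends, so restrict to that rather than all UDP.
    $IPT -A INPUT -p udp -s "$2" -d "$1" --sport 500 --dport 500 -j ACCEPT
    $IPT -A INPUT -p esp -s "$2" -d "$1" -j ACCEPT
    $IPT -A INPUT -p ah -s "$2" -d "$1" -j ACCEPT

    # FORWARD: with KLIPS the decrypted packets from the far subnet arrive on
    # the virtual ipsec0 interface, and packets bound for it leave through it.
    $IPT -A FORWARD -i ipsec0 -s "$4" -d "$3" -j ACCEPT
    $IPT -A FORWARD -o ipsec0 -s "$3" -d "$4" -j ACCEPT

    # NAT: subnet-to-subnet traffic must keep its inside source address,
    # otherwise the far end only ever sees the firewall's public IP. The
    # exemption has to be listed before the general MASQUERADE rule.
    $IPT -t nat -A POSTROUTING -s "$3" -d "$4" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$3" -o eth0 -j MASQUERADE
}

# ipsec_conf LOCAL_PUBLIC REMOTE_PUBLIC LOCAL_SUBNET REMOTE_SUBNET
# Prints the conn section for /etc/ipsec.conf. leftsubnet/rightsubnet are the
# selectors: whatever they cover is what gets routed into the tunnel.
# compress=yes proposes IPCOMP (the "inline compression" mentioned above).
# The same conn section goes on both firewalls; FreeS/WAN works out from its
# own address which side it is.
ipsec_conf() {
    cat <<EOF
conn office-colo
    left=$1
    leftsubnet=$3
    leftnexthop=%defaultroute
    right=$2
    rightsubnet=$4
    rightnexthop=%defaultroute
    authby=rsasig
    leftrsasigkey=<paste output of "ipsec showhostkey --left" run on the left box>
    rightrsasigkey=<paste output of "ipsec showhostkey --right" run on the right box>
    keyingtries=0
    compress=yes
    auto=start
EOF
}

# Placeholder addresses from the documentation ranges. On the other firewall
# run vpn_rules with LOCAL and REMOTE swapped; that is the only difference.
vpn_rules 203.0.113.1 198.51.100.1 192.168.10.0/24 192.168.20.0/24
ipsec_conf 203.0.113.1 198.51.100.1 192.168.10.0/24 192.168.20.0/24
```

Run it as `sh vpn.sh` to see the rules it would apply, then `IPT=iptables sh vpn.sh` on each firewall once the output looks right; the original rule set's final `-j DROP` still has to follow, after whatever else the box needs (loopback, LAN access, management).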
