<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux VPN Masquerade HOWTO: Configuring the VPN client</TITLE>
<LINK HREF="VPN-Masquerade-HOWTO-5.html" REL=next>
<LINK HREF="VPN-Masquerade-HOWTO-3.html" REL=previous>
<LINK HREF="VPN-Masquerade-HOWTO.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="VPN-Masquerade-HOWTO-5.html">Next</A>
<A HREF="VPN-Masquerade-HOWTO-3.html">Previous</A>
<A HREF="VPN-Masquerade-HOWTO.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4. Configuring the VPN client</A></H2>

<P>
<P>
<H2><A NAME="ss4.1">4.1 Configuring a MS W'95 client</A>
</H2>

<P>
<OL>
<LI>Set up your routing so that the Linux firewall is your default
gateway:

<OL>
<LI>Open <CODE>Control Panel/Network</CODE> or right-click "Network
Neighborhood" and click on <CODE>Properties</CODE>.
</LI>
<LI>Click on the <CODE>Configuration</CODE> tab.
</LI>
<LI>In the list of installed network components, double-click on the
"TCP/IP -> whatever-NIC-you-have" line.
</LI>
<LI>Click on the <CODE>Gateway</CODE> tab.
</LI>
<LI>Enter the local-network IP address of your Linux firewall. Delete any
other gateways.
</LI>
<LI>Click on the "OK" button.
</LI>
</OL>

</LI>
<LI>Test masquerading. For example, run "<CODE>telnet
<EM>my.isp.mail.server</EM> smtp</CODE>" and you should see the mail
server's welcome banner.
</LI>
<LI>Install and configure the VPN software. For IPsec software follow the
manufacturer's instructions. For MS PPTP:

<OL>
<LI>Open <CODE>Control Panel/Network</CODE> or right-click "Network
Neighborhood" and click on <CODE>Properties</CODE>.
</LI>
<LI>Click on the <CODE>Configuration</CODE> tab.
</LI>
<LI>Click on the "Add" button, then double-click on the
"Adapter" line.
</LI>
<LI>Select "Microsoft" as the manufacturer and add the
"Virtual Private Networking Adapter" adapter.
</LI>
<LI>Reboot when prompted to.
</LI>
<LI>If you need to use strong (128-bit) encryption, download the
strong encryption DUN 1.3 update from the MS secure site at
<A HREF="http://mssecure.www.conxion.com/cgi-bin/ntitar.pl">http://mssecure.www.conxion.com/cgi-bin/ntitar.pl</A> and
install it, then reboot again when prompted to.
</LI>
<LI>Create a new dial-up phonebook entry for your PPTP server.
</LI>
<LI>Select the VPN adapter as the device to use, and enter the PPTP
server's internet IP address as the telephone number.
</LI>
<LI>Select the <CODE>Server Types</CODE> tab, and check the compression and
encryption checkboxes.
</LI>
<LI>Click on the "TCP/IP Settings" button.
</LI>
<LI>Set the dynamic/static IP address information for your client as
instructed by your PPTP server's administrator.
</LI>
<LI>If you wish to have access to your local network while the PPTP
connection is up, uncheck the "Use default gateway on remote
network" checkbox.
</LI>
<LI>Reboot a few more times, just from habit... :)
</LI>
</OL>

</LI>
</OL>
<P>
<P>
<H2><A NAME="ss4.2">4.2 Configuring a MS W'98 client</A>
</H2>

<P>
<OL>
<LI>Set up your routing so that the Linux firewall is your default
gateway and test masquerading as described above.
</LI>
<LI>Install and configure the VPN software. For IPsec software follow the
manufacturer's instructions. For MS PPTP:

<OL>
<LI>Open <CODE>Control Panel/Add or Remove Software</CODE> and click on the
<CODE>Windows Setup</CODE> tab.
</LI>
<LI>Click on the <CODE>Communications</CODE> option and click the
"Details" button.
</LI>
<LI>Make sure the "Virtual Private Networking"
option is checked. Then click the "OK" button.
</LI>
<LI>Reboot when prompted to.
</LI>
<LI>If you need to use strong (128-bit) encryption, download the
strong encryption VPN Security update from the MS secure site at
<A HREF="http://mssecure.www.conxion.com/cgi-bin/ntitar.pl">http://mssecure.www.conxion.com/cgi-bin/ntitar.pl</A> and
install it, then reboot again when prompted to.
</LI>
</OL>

</LI>
<LI>Create and test a new dial-up phonebook entry for your VPN server as
described above.
</LI>
</OL>
<P>
<P>
<H2><A NAME="ss4.3">4.3 Configuring a MS W'ME client</A>
</H2>

<P>I haven't seen one of these yet. I expect the procedure is very similar to
that for W'98. Could someone who has done this let me know what, if any,
differences there are? Thanks.
<P>
<H2><A NAME="ss4.4">4.4 Configuring a MS NT client</A>
</H2>

<P>
<BLOCKQUOTE>
Note: this section may be incomplete as it's been a while since I've
installed PPTP on an NT system.
</BLOCKQUOTE>
<P>
<OL>
<LI>Set up your routing so that the Linux firewall is your default
gateway:

<OL>
<LI>Open <CODE>Control Panel/Network</CODE> or right-click "Network
Neighborhood" and click on <CODE>Properties</CODE>.
</LI>
<LI>Click on the <CODE>Protocols</CODE> tab and double-click on the
"TCP/IP" line.
</LI>
<LI>Enter the local-network IP address of your Linux firewall in the
"Default Gateway" box.
</LI>
<LI>Click on the "OK" button.
</LI>
</OL>

</LI>
<LI>Test masquerading. For example, run "<CODE>telnet
<EM>my.isp.mail.server</EM> smtp</CODE>" and you should see the mail
server's welcome banner.
</LI>
<LI>Install and configure the VPN software. For IPsec software follow the
manufacturer's instructions. For MS PPTP:

<OL>
<LI>Open <CODE>Control Panel/Network</CODE> or right-click "Network
Neighborhood" and click on <CODE>Properties</CODE>.
</LI>
<LI>Click on the <CODE>Protocols</CODE> tab.
</LI>
<LI>Click on the "Add" button, then double-click on the
"Point-to-Point Tunneling Protocol" line.
</LI>
<LI>When it asks for the number of Virtual Private Networks, enter the
number of PPTP servers you could possibly be communicating with.
</LI>
<LI>Reboot when prompted to.
</LI>
<LI>If you need to use strong (128-bit) encryption, download the
strong encryption PPTP update from the MS secure site at
<A HREF="http://mssecure.www.conxion.com/cgi-bin/ntitar.pl">http://mssecure.www.conxion.com/cgi-bin/ntitar.pl</A> and
install it, then reboot again when prompted to.
</LI>
<LI>Create a new dial-up phonebook entry for your PPTP server.
</LI>
<LI>Select the VPN adapter as the device to use, and enter the PPTP
server's internet IP address as the telephone number.
</LI>
<LI>Select the <CODE>Server Types</CODE> tab, and check the compression and
encryption checkboxes.
</LI>
<LI>Click on the "TCP/IP Settings" button.
</LI>
<LI>Set the dynamic/static IP address information for your client as
instructed by your PPTP server's administrator.
</LI>
<LI>If you wish to have access to your local network while the PPTP
connection is up, see
<A HREF="http://support.microsoft.com/support/kb/articles/q143/1/68.asp">MS Knowledge Base article Q143168</A> for a registry fix.
(<EM>Sigh</EM>.)
</LI>
<LI>Make sure you reapply the most recent Service Pack, to ensure
that your RAS and PPTP libraries are up-to-date for security and
performance enhancements.
</LI>
</OL>
</LI>
</OL>
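<P>The "test masquerading" step in sections 4.1, 4.2 and 4.4 uses an
interactive <CODE>telnet</CODE> session and a human eye to spot the mail
server's banner. The script below is an added example, not part of the HOWTO,
that performs the same check non-interactively from any masqueraded host that
has Python: it connects to TCP port 25 through the Linux firewall, reads the
first line, requires an SMTP <CODE>220</CODE> greeting, and turns the usual
failure modes (timeout, DNS failure, refused connection) into a diagnosis.
The host name <CODE>my.isp.mail.server</CODE> is the HOWTO's placeholder, not a
real server.

```python
"""Scripted form of the HOWTO's masquerading test (added example).

The HOWTO checks masquerading by running "telnet my.isp.mail.server smtp"
and watching for the mail server's welcome banner.  This script does the
same thing without an interactive session: it opens TCP port 25 through
the masquerading gateway, reads the first line, checks that it is an SMTP
220 greeting, and maps the usual failure modes to a diagnosis.
Not part of the HOWTO; "my.isp.mail.server" is a placeholder host name.
"""
import socket
import sys

SMTP_PORT = 25
DEFAULT_TIMEOUT = 10.0


def classify_banner(line):
    """Classify the first line the server sent; returns (ok, reason).

    An SMTP server greets with reply code 220.  Seeing it on the client
    proves the SYN was masqueraded out and the reply was un-masqueraded back.
    """
    text = line.decode("ascii", errors="replace").strip()
    if not text:
        return False, "connected, but the server sent no banner"
    code = text[:3]
    if code == "220":
        return True, "received SMTP banner: " + text
    if code.isdigit():
        return False, "server answered with code %s instead of 220: %s" % (code, text)
    return False, "reply does not look like SMTP: " + text


def classify_error(exc):
    """Turn a socket error into a hint about where masquerading went wrong."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return ("timed out: packets may leave the LAN but replies are not "
                "finding their way back (check the client's default gateway "
                "and the masquerading rules on the Linux firewall)")
    if isinstance(exc, socket.gaierror):
        return "name resolution failed: fix DNS before blaming masquerading"
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused: the host was reached but port 25 is closed"
    return "network error: %s" % exc


def check_smtp_banner(host, port=SMTP_PORT, timeout=DEFAULT_TIMEOUT):
    """Connect to host:port, read the first line and classify the result."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return False, classify_error(exc)
    try:
        with sock:
            first_line = sock.makefile("rb").readline()
    except OSError as exc:
        return False, "connected, but reading the banner failed: %s" % exc
    return classify_banner(first_line)


if __name__ == "__main__":
    # Placeholder host name from the HOWTO; pass your ISP's mail server instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "my.isp.mail.server"
    ok, reason = check_smtp_banner(target)
    print(("OK: " if ok else "FAIL: ") + reason)
    sys.exit(0 if ok else 1)
```

<P>A timeout with the default gateway set correctly usually means the
firewall forwards the packets but does not masquerade the replies back;
a refused connection means the remote host was reached and answered, so
masquerading itself is working and only the port is wrong.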
<P>
<P>
<H2><A NAME="ss4.5">4.5 Configuring for network-to-network routing</A>
</H2>

<P><EM>Yet to be written.</EM>
<P>You really ought to look at FreeS/WAN (IPsec for Linux) at
<A HREF="http://www.xs4all.nl/~freeswan/">http://www.xs4all.nl/~freeswan/</A> instead of masquerading.
<P>
<H2><A NAME="ss4.6">4.6 Masquerading Checkpoint SecuRemote-based VPNs</A>
</H2>

<P>It is possible to masquerade Checkpoint SecuRemote-based VPN traffic under
certain circumstances.
<P>First, you must configure the SecuRemote firewall to allow masqueraded
sessions. On the SecuRemote firewall do the following:
<P>
<OL>
<LI>Run <CODE>fwstop</CODE>
</LI>
<LI>Edit <CODE>$FWDIR/conf/objects.C</CODE> and after the
"<CODE>:props (</CODE>" line, add or modify the following lines
to read:
<BLOCKQUOTE>
<PRE>
:userc_NAT (true)
:userc_IKE_NAT (true)
</PRE>
</BLOCKQUOTE>

</LI>
<LI>Run <CODE>fwstart</CODE>
</LI>
<LI>Re-install your security policy.
</LI>
<LI>Verify the change took effect by checking both
<CODE>$FWDIR/conf/objects.C</CODE> and
<CODE>$FWDIR/database/objects.C</CODE>
</LI>
</OL>
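<P>Steps 2 and 5 above edit the <CODE>:props (</CODE> block by hand and then
check two copies of <CODE>objects.C</CODE> by eye. The script below is an added
example, not part of the HOWTO or of FireWall-1, that does both mechanically:
it sets <CODE>:userc_NAT</CODE> and <CODE>:userc_IKE_NAT</CODE> to
<CODE>(true)</CODE> inside the <CODE>:props (</CODE> block (rewriting the lines
if present, inserting them directly after <CODE>:props (</CODE> if not) and
reports which of <CODE>$FWDIR/conf/objects.C</CODE> and
<CODE>$FWDIR/database/objects.C</CODE> still lack the settings. It assumes only
the file layout visible in the HOWTO's excerpt, a text file of
<CODE>:name (value)</CODE> entries nested with parentheses; the sample file
embedded in it uses constructed placeholder names for its self-test, and the
script name used in the usage note is hypothetical.

```python
"""Apply and verify the SecuRemote NAT properties in objects.C (added example).

Not part of the HOWTO or of FireWall-1.  It assumes only what the HOWTO
shows about objects.C: ":name (value)" entries nested with parentheses,
including a ":props (" block.  It sets :userc_NAT and :userc_IKE_NAT to
(true) there (rewriting existing lines, inserting missing ones directly
after ":props (") and checks both copies of the file the HOWTO names.
fwstop, fwstart and the policy reinstall stay manual steps.
"""
import os
import re
import sys

REQUIRED_PROPS = (("userc_NAT", "true"), ("userc_IKE_NAT", "true"))
PROP_LINE = re.compile(r"^(\s*):(\w+)\s*\((.*)\)\s*$")

# Constructed sample in the objects.C style (placeholder names), for the self-test.
SAMPLE_OBJECTS_C = """(
\t:props (
\t\t:example_setting ("constructed value")
\t\t:userc_NAT (false)
\t)
\t:other_block (
\t\t:example_entry (1)
\t)
)
"""


def find_props_block(lines):
    """Return (start, end): index of the ':props (' line and of its closing ')'.

    Parentheses are counted per line, so a quoted value with unbalanced
    parentheses would confuse this; good enough for a sanity check.
    """
    start = next((i for i, l in enumerate(lines) if l.strip() == ":props ("), None)
    if start is None:
        raise ValueError("no ':props (' line found")
    depth = 0
    for end in range(start, len(lines)):
        depth += lines[end].count("(") - lines[end].count(")")
        if depth == 0:
            return start, end
    raise ValueError("':props (' block is never closed")


def props_in_block(text):
    """Map property name -> raw value for entries directly inside the props block."""
    lines = text.splitlines()
    start, end = find_props_block(lines)
    found = {}
    for line in lines[start + 1:end]:
        m = PROP_LINE.match(line)
        if m:
            found[m.group(2)] = m.group(3).strip()
    return found


def set_required_props(text):
    """Return the file text with both NAT properties set to (true); idempotent."""
    lines = text.splitlines()
    start, end = find_props_block(lines)
    indent = re.match(r"\s*", lines[start]).group(0) + "\t"
    remaining = dict(REQUIRED_PROPS)
    for idx in range(start + 1, end):
        m = PROP_LINE.match(lines[idx])
        if m and m.group(2) in remaining:
            lines[idx] = "%s:%s (%s)" % (m.group(1), m.group(2), remaining.pop(m.group(2)))
    # Whatever is still missing goes directly after ':props (', in the HOWTO's order.
    for name, value in reversed(REQUIRED_PROPS):
        if name in remaining:
            lines.insert(start + 1, "%s:%s (%s)" % (indent, name, value))
    return "\n".join(lines) + "\n"


def missing_props(text):
    """List the required properties that are absent or not (true) in this text."""
    found = props_in_block(text)
    return [name for name, value in REQUIRED_PROPS if found.get(name) != value]


def verify_files(fwdir):
    """Check both copies the HOWTO's step 5 names; returns {path: [missing]}."""
    result = {}
    for rel in ("conf/objects.C", "database/objects.C"):
        path = os.path.join(fwdir, rel)
        with open(path) as fh:
            result[path] = missing_props(fh.read())
    return result


if __name__ == "__main__":
    fwdir = os.environ.get("FWDIR") or sys.exit("FWDIR is not set")
    if sys.argv[1:] == ["apply"]:  # edit $FWDIR/conf/objects.C in place
        conf = os.path.join(fwdir, "conf", "objects.C")
        with open(conf) as fh:
            fixed = set_required_props(fh.read())
        with open(conf, "w") as fh:
            fh.write(fixed)
    for path, missing in verify_files(fwdir).items():
        print(path, "OK" if not missing else "missing or not true: " + ", ".join(missing))
```

<P>Run it twice: <CODE>FWDIR=... python userc_nat.py apply</CODE> between
<CODE>fwstop</CODE> and <CODE>fwstart</CODE>, then
<CODE>FWDIR=... python userc_nat.py</CODE> after the policy reinstall, when step 5
expects both copies to show the change. If only the <CODE>database</CODE> copy
still reports the properties missing, the edit is fine but the reinstalled
policy did not pick it up.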
<P>
<P>If you use the IPsec protocols (called "IKE" by CheckPoint) you
don't have to do anything else special to masquerade the VPN traffic.
Simply configure your masquerading gateway to masquerade IPsec traffic as
described above.
<P>Checkpoint's proprietary FWZ protocol is more complicated. There are two
modes that FWZ can be used in: encapsulated mode and transport mode. In
encapsulated mode, integrity checking is done over the whole IP packet,
just as in IPsec's AH protocol. Changing the IP address breaks this
integrity guarantee, thus encapsulated FWZ tunnels <EM>cannot</EM> be
masqueraded.
<P>In transport mode, only the data portion of the packet is encrypted, and
the IP headers are not verified against changes. In this mode, masquerading
should work with the modifications described above.
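<P>The difference between the two FWZ modes comes down to what the integrity
check covers. The script below is an added example, a simplified model rather
than FireWall-1 or IPsec code: it builds a constructed IPv4 packet, computes an
HMAC-SHA256 integrity check value two ways (over the header with its mutable
fields zeroed plus the payload, which is how an AH-style check treats the
header, and over the payload alone, as in transport mode), then pushes the
packet through a model of what the masquerading gateway does (rewrite the
source address, recompute the header checksum, decrement the TTL) and
re-verifies at the far end. The addresses, payload and key are constructed
demo values.

```python
"""Why masquerading breaks an encapsulated FWZ / AH-style integrity check
but not a transport-mode one (added example; simplified model, not
FireWall-1 or IPsec code).

A constructed IPv4 header is built, an integrity check value (ICV) is
computed two ways, and the packet is pushed through a model of what the
Linux masquerading gateway does: rewrite the source address, fix the header
checksum, decrement TTL.  The "encapsulated" ICV is an HMAC over the payload
plus the header with its mutable fields (TTL, checksum) zeroed, the way AH
treats the header in spirit; the "transport" ICV covers the payload only.
Addresses, payload and key are constructed demo values.
"""
import hashlib
import hmac
import socket
import struct


def ip_checksum(data):
    """Standard ones'-complement checksum over a (padded) byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, payload, ttl=64, proto=17):
    """Minimal IPv4 packet: 20-byte header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def _header_without_mutable_fields(pkt):
    """Zero TTL (byte 8) and header checksum (bytes 10-11); addresses stay covered."""
    hdr = bytearray(pkt[:20])
    hdr[8] = 0
    hdr[10:12] = b"\x00\x00"
    return bytes(hdr)


def icv_encapsulated(key, pkt):
    """Encapsulated-mode / AH-style ICV: header (minus mutable fields) + payload."""
    return hmac.new(key, _header_without_mutable_fields(pkt) + pkt[20:], hashlib.sha256).digest()


def icv_transport(key, pkt):
    """Transport-mode ICV: the data portion only; the IP header is not verified."""
    return hmac.new(key, pkt[20:], hashlib.sha256).digest()


def forward(pkt, new_src=None):
    """Model one hop: decrement TTL and refresh the checksum; with new_src, masquerade."""
    hdr = bytearray(pkt[:20])
    hdr[8] -= 1
    if new_src is not None:
        hdr[12:16] = socket.inet_aton(new_src)   # what the masquerading gateway rewrites
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def icv_survives(icv_function, masquerade_as=None, key=b"constructed-demo-key"):
    """Compute the ICV on the LAN side, forward the packet, re-verify at the far end."""
    pkt = build_packet("192.168.1.10", "203.0.113.5", b"constructed encrypted payload")
    icv_at_sender = icv_function(key, pkt)
    arrived = forward(pkt, masquerade_as)
    return hmac.compare_digest(icv_at_sender, icv_function(key, arrived))


if __name__ == "__main__":
    for name, fn in (("encapsulated", icv_encapsulated), ("transport", icv_transport)):
        print("%-12s plain routing: %-5s  masquerading: %s" % (
            name, icv_survives(fn), icv_survives(fn, masquerade_as="198.51.100.7")))
```

<P>Plain forwarding (TTL and checksum change only) leaves both checks intact,
which is why an AH-style check can cross ordinary routers; rewriting the source
address breaks only the header-covering check, which is exactly the HOWTO's
point about encapsulated FWZ. The transport-mode check surviving says nothing
about confidentiality: the model does not encrypt the payload, it only shows
what the integrity check does and does not cover.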
<P>The configuration for encapsulated or transport mode is done in the
FireWall-1 GUI. In the network object for the Firewall, under the VPN
tab, edit the FWZ properties. The third tab in FWZ properties allows you
to set encapsulated mode.
<P>You will only be able to masquerade one client at a time.
<P>Further information can be found at:
<UL>
<LI>
<A HREF="http://www.phoneboy.com/fw1/nat.html">http://www.phoneboy.com/fw1/nat.html</A></LI>
<LI>
<A HREF="http://www.phoneboy.com/fw1/faq/0141.html">http://www.phoneboy.com/fw1/faq/0141.html</A></LI>
<LI>
<A HREF="http://www.phoneboy.com/fw1/faq/0372.html">http://www.phoneboy.com/fw1/faq/0372.html</A></LI>
</UL>
<P>
<P>
<HR>
<A HREF="VPN-Masquerade-HOWTO-5.html">Next</A>
<A HREF="VPN-Masquerade-HOWTO-3.html">Previous</A>
<A HREF="VPN-Masquerade-HOWTO.html#toc4">Contents</A>
</BODY>
</HTML>