<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux VPN Masquerade HOWTO: Configuring the VPN client</TITLE>
<LINK HREF="VPN-Masquerade-HOWTO-5.html" REL=next>
<LINK HREF="VPN-Masquerade-HOWTO-3.html" REL=previous>
<LINK HREF="VPN-Masquerade-HOWTO.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="VPN-Masquerade-HOWTO-5.html">Next</A>
<A HREF="VPN-Masquerade-HOWTO-3.html">Previous</A>
<A HREF="VPN-Masquerade-HOWTO.html#toc4">Contents</A>
<HR>
<H2><A NAME="s4">4. Configuring the VPN client</A></H2>
<P>
<P>
<H2><A NAME="ss4.1">4.1 Configuring a MS W'95 client</A>
</H2>
<P>
<OL>
<LI>Set up your routing so that the Linux firewall is your default
gateway:
<OL>
<LI>Open <CODE>Control Panel/Network</CODE> or right-click &quot;Network
Neighborhood&quot; and click on <CODE>Properties</CODE>.
</LI>
<LI>Click on the <CODE>Configuration</CODE> tab.
</LI>
<LI>In the list of installed network components, double-click on the
&quot;TCP/IP -&gt; whatever-NIC-you-have&quot; line.
</LI>
<LI>Click on the <CODE>Gateway</CODE> tab.
</LI>
<LI>Enter the local-network IP address of your Linux firewall. Delete any
other gateways.
</LI>
<LI>Click on the &quot;OK&quot; button.
</LI>
</OL>
</LI>
<LI>Test masquerading. For example, run &quot;<CODE>telnet
<EM>my.isp.mail.server</EM> smtp</CODE>&quot; and you should see the mail
server's welcome banner.
</LI>
<LI>Install and configure the VPN software. For IPsec software follow the
manufacturer's instructions. For MS PPTP:
<OL>
<LI>Open <CODE>Control Panel/Network</CODE> or right-click &quot;Network
Neighborhood&quot; and click on <CODE>Properties</CODE>.
</LI>
<LI>Click on the <CODE>Configuration</CODE> tab.
</LI>
<LI>Click on the &quot;Add&quot; button, then double-click on the
&quot;Adapter&quot; line.
</LI>
<LI>Select &quot;Microsoft&quot; as the manufacturer and add the
&quot;Virtual Private Networking Adapter&quot; adapter.
</LI>
<LI>Reboot when prompted to.
</LI>
<LI>If you need to use strong (128-bit) encryption, download the
strong encryption DUN 1.3 update from the MS secure site at
<A HREF="http://mssecure.www.conxion.com/cgi-bin/ntitar.pl">http://mssecure.www.conxion.com/cgi-bin/ntitar.pl</A> and
install it, then reboot again when prompted to.
</LI>
<LI>Create a new dial-up phonebook entry for your PPTP server.
</LI>
<LI>Select the VPN adapter as the device to use, and enter the PPTP
server's internet IP address as the telephone number.
</LI>
<LI>Select the <CODE>Server Types</CODE> tab, and check the compression and
encryption checkboxes.
</LI>
<LI>Click on the &quot;TCP/IP Settings&quot; button.
</LI>
<LI>Set the dynamic/static IP address information for your client as
instructed by your PPTP server's administrator.
</LI>
<LI>If you wish to have access to your local network while the PPTP
connection is up, uncheck the &quot;Use default gateway on remote
network&quot; checkbox.
</LI>
<LI>Reboot a few more times, just from habit... :)
</LI>
</OL>
</LI>
</OL>
<P>
<P>
<H2><A NAME="ss4.2">4.2 Configuring a MS W'98 client</A>
</H2>
<P>
<OL>
<LI>Set up your routing so that the Linux firewall is your default
gateway and test masquerading as described above.
</LI>
<LI>Install and configure the VPN software. For IPsec software follow the
manufacturer's instructions. For MS PPTP:
<OL>
<LI>Open <CODE>Control Panel/Add or Remove Software</CODE> and click on the
<CODE>Windows Setup</CODE> tab.
</LI>
<LI>Click on the <CODE>Communications</CODE> option and click the
&quot;Details&quot; button.
</LI>
<LI>Make sure the &quot;Virtual Private Networking&quot;
option is checked. Then click the &quot;OK&quot; button.
</LI>
<LI>Reboot when prompted to.
</LI>
<LI>If you need to use strong (128-bit) encryption, download the
strong encryption VPN Security update from the MS secure site at
<A HREF="http://mssecure.www.conxion.com/cgi-bin/ntitar.pl">http://mssecure.www.conxion.com/cgi-bin/ntitar.pl</A> and
install it, then reboot again when prompted to.
</LI>
</OL>
</LI>
<LI>Create and test a new dial-up phonebook entry for your VPN server as
described above.
</LI>
</OL>
<P>
<P>
<H2><A NAME="ss4.3">4.3 Configuring a MS W'ME client</A>
</H2>
<P>I haven't seen one of these yet. I expect the procedure is very similar to
that for W'98. Could someone who has done this let me know what, if any,
differences there are? Thanks.
<P>
<H2><A NAME="ss4.4">4.4 Configuring a MS NT client</A>
</H2>
<P>
<BLOCKQUOTE>
Note: this section may be incomplete as it's been a while since I've
installed PPTP on an NT system.
</BLOCKQUOTE>
<P>
<OL>
<LI>Set up your routing so that the Linux firewall is your default
gateway:
<OL>
<LI>Open <CODE>Control Panel/Network</CODE> or right-click &quot;Network
Neighborhood&quot; and click on <CODE>Properties</CODE>.
</LI>
<LI>Click on the <CODE>Protocols</CODE> tab and double-click on the
&quot;TCP/IP&quot; line.
</LI>
<LI>Enter the local-network IP address of your Linux firewall in the
&quot;Default Gateway&quot; box.
</LI>
<LI>Click on the &quot;OK&quot; button.
</LI>
</OL>
</LI>
<LI>Test masquerading. For example, run &quot;<CODE>telnet
<EM>my.isp.mail.server</EM> smtp</CODE>&quot; and you should see the mail
server's welcome banner.
</LI>
<LI>Install and configure the VPN software. For IPsec software follow the
manufacturer's instructions. For MS PPTP:
<OL>
<LI>Open <CODE>Control Panel/Network</CODE> or right-click &quot;Network
Neighborhood&quot; and click on <CODE>Properties</CODE>.
</LI>
<LI>Click on the <CODE>Protocols</CODE> tab.
</LI>
<LI>Click on the &quot;Add&quot; button, then double-click on the
&quot;Point-to-Point Tunneling Protocol&quot; line.
</LI>
<LI>When it asks for the number of Virtual Private Networks, enter the
number of PPTP servers you could possibly be communicating with.
</LI>
<LI>Reboot when prompted to.
</LI>
<LI>If you need to use strong (128-bit) encryption, download the
strong encryption PPTP update from the MS secure site at
<A HREF="http://mssecure.www.conxion.com/cgi-bin/ntitar.pl">http://mssecure.www.conxion.com/cgi-bin/ntitar.pl</A> and
install it, then reboot again when prompted to.
</LI>
<LI>Create a new dial-up phonebook entry for your PPTP server.
</LI>
<LI>Select the VPN adapter as the device to use, and enter the PPTP
server's internet IP address as the telephone number.
</LI>
<LI>Select the <CODE>Server Types</CODE> tab, and check the compression and
encryption checkboxes.
</LI>
<LI>Click on the &quot;TCP/IP Settings&quot; button.
</LI>
<LI>Set the dynamic/static IP address information for your client as
instructed by your PPTP server's administrator.
</LI>
<LI>If you wish to have access to your local network while the PPTP
connection is up, see
<A HREF="http://support.microsoft.com/support/kb/articles/q143/1/68.asp">MS Knowledge Base article Q143168</A> for a registry fix.
(<EM>Sigh</EM>.)
</LI>
<LI>Make sure you reapply the most recent Service Pack, so that your RAS
and PPTP libraries are up to date with the latest security and
performance fixes.
</LI>
</OL>
</LI>
</OL>
<P>
<P>
<H2><A NAME="ss4.5">4.5 Configuring for network-to-network routing</A>
</H2>
<P><EM>Yet to be written.</EM>
<P>You really ought to look at FreeS/WAN (IPsec for Linux) at
<A HREF="http://www.xs4all.nl/~freeswan/">http://www.xs4all.nl/~freeswan/</A> instead of masquerading.
<P>
<H2><A NAME="ss4.6">4.6 Masquerading Checkpoint SecuRemote-based VPNs</A>
</H2>
<P>It is possible to masquerade Checkpoint SecuRemote-based VPN traffic under
certain circumstances.
<P>First, you must configure the SecuRemote firewall to allow masqueraded
sessions. On the SecuRemote firewall do the following:
<P>
<OL>
<LI>Run <CODE>fwstop</CODE>
</LI>
<LI>Edit <CODE>$FWDIR/conf/objects.C</CODE> and after the
&quot;<CODE>:props&nbsp;(</CODE>&quot; line, add or modify the following lines
to read:
<BLOCKQUOTE>
<PRE>
:userc_NAT (true)
:userc_IKE_NAT (true)
</PRE>
</BLOCKQUOTE>
</LI>
<LI>Run <CODE>fwstart</CODE>
</LI>
<LI>Re-install your security policy.
</LI>
<LI>Verify that the change took effect by checking that both
<CODE>$FWDIR/conf/objects.C</CODE> and
<CODE>$FWDIR/database/objects.C</CODE> now contain the new lines.
</LI>
</OL>
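<P>As an added example (not part of the HOWTO and not Check Point's own
tooling), the following shell script applies the <CODE>objects.C</CODE>
edit above idempotently and then verifies it; it assumes the
<CODE>:props (</CODE> section and the <CODE>:key (value)</CODE> line syntax
shown here, and runs against a constructed sample file rather than the real
<CODE>$FWDIR/conf/objects.C</CODE>.

```shell
#!/bin/sh
# Added example, not from the HOWTO or Check Point: idempotently set the two
# SecuRemote NAT properties in a FireWall-1 objects.C file and verify them.
# Assumes the ":props (" section and the ":key (value)" syntax the HOWTO shows.
set -e

# Ensure ":userc_NAT (true)" and ":userc_IKE_NAT (true)" sit directly after
# the ":props (" line, replacing any existing setting of either key.
set_userc_nat() {
    file="$1"
    tmp="$file.new.$$"
    cp -p "$file" "$file.bak"           # keep a backup of the original
    awk '
        # drop any existing copy of the two keys, whatever value they hold
        /^[[:space:]]*:userc_NAT[[:space:]]*\(/      { next }
        /^[[:space:]]*:userc_IKE_NAT[[:space:]]*\(/  { next }
        { print }
        # right after the first ":props (" line, emit the required values
        /^[[:space:]]*:props[[:space:]]*\(/ && !done {
            print "\t\t:userc_NAT (true)"
            print "\t\t:userc_IKE_NAT (true)"
            done = 1
        }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Return 0 if FILE carries both keys set to true exactly once, else 1.
# Run it against both $FWDIR/conf/objects.C and $FWDIR/database/objects.C
# after re-installing the policy, as the HOWTO's last step asks.
check_userc_nat() {
    [ "$(grep -c '^[[:space:]]*:userc_NAT[[:space:]]*(true)' "$1")" -eq 1 ] &&
    [ "$(grep -c '^[[:space:]]*:userc_IKE_NAT[[:space:]]*(true)' "$1")" -eq 1 ]
}

# Constructed sample fragment (not a real objects.C) to demonstrate the edit:
# one key is present with the wrong value, the other is missing entirely.
sample="${TMPDIR:-/tmp}/objects.C.sample.$$"
printf '(\n\t:props (\n\t\t:userc_NAT (false)\n\t\t:other_prop (x)\n\t)\n)\n' > "$sample"
set_userc_nat "$sample"
check_userc_nat "$sample" && echo "sample: both SecuRemote NAT properties set"
rm -f "$sample" "$sample.bak"
```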
<P>
<P>If you use the IPsec protocols (called &quot;IKE&quot; by Checkpoint) you
don't have to do anything else special to masquerade the VPN traffic.
Simply configure your masquerading gateway to masquerade IPsec traffic as
described above.
<P>Checkpoint's proprietary FWZ protocol is more complicated. There are two
modes that FWZ can be used in: encapsulated mode and transport mode. In
encapsulated mode, integrity checking is done over the whole IP packet,
just as in IPsec's AH protocol. Changing the IP address breaks this
integrity guarantee, thus encapsulated FWZ tunnels <EM>cannot</EM> be
masqueraded.
<P>In transport mode, only the data portion of the packet is encrypted, and
the IP headers are not verified against changes. In this mode, masquerading
should work with the modifications described above.
<P>The configuration for encapsulated or transport mode is done in the
FireWall-1 GUI. In the network object for the Firewall, under the VPN
tab, edit the FWZ properties. The third tab in FWZ properties allows you
to set encapsulated mode.
<P>You will only be able to masquerade one client at a time.
<P>Further information can be found at:
<UL>
<LI>
<A HREF="http://www.phoneboy.com/fw1/nat.html">http://www.phoneboy.com/fw1/nat.html</A></LI>
<LI>
<A HREF="http://www.phoneboy.com/fw1/faq/0141.html">http://www.phoneboy.com/fw1/faq/0141.html</A></LI>
<LI>
<A HREF="http://www.phoneboy.com/fw1/faq/0372.html">http://www.phoneboy.com/fw1/faq/0372.html</A></LI>
</UL>
<P>
<P>
<HR>
<A HREF="VPN-Masquerade-HOWTO-5.html">Next</A>
<A HREF="VPN-Masquerade-HOWTO-3.html">Previous</A>
<A HREF="VPN-Masquerade-HOWTO.html#toc4">Contents</A>
</BODY>
</HTML>