176 lines
9.7 KiB
HTML
176 lines
9.7 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
|
|
<TITLE>Linux VPN Masquerade HOWTO: Introduction</TITLE>
|
|
<LINK HREF="VPN-Masquerade-HOWTO-2.html" REL=next>
|
|
|
|
<LINK HREF="VPN-Masquerade-HOWTO.html#toc1" REL=contents>
|
|
</HEAD>
|
|
<BODY>
|
|
<A HREF="VPN-Masquerade-HOWTO-2.html">Next</A>
|
|
Previous
|
|
<A HREF="VPN-Masquerade-HOWTO.html#toc1">Contents</A>
|
|
<HR>
|
|
<H2><A NAME="s1">1. Introduction</A></H2>
|
|
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss1.1">1.1 Introduction </A>
|
|
</H2>
|
|
|
|
<P>This document describes how to configure masquerading of IPsec and PPTP VPN
|
|
traffic. SSH-based VPNs (such as that sold by F-Secure and outlined in the
|
|
<A HREF="http://www.linux.org/help/ldp/mini/VPN.html">VPN mini-HOWTO</A>)
|
|
are based on standard TCP traffic and do not need any special kernel
|
|
modifications.
|
|
<P>
|
|
<P>VPN Masquerade allows you to establish one or more IPsec and/or PPTP
|
|
sessions to internet-accessible VPN servers via your Linux
|
|
<A HREF="http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?firewall+machine">internet firewall</A> without forcing you to connect to your
|
|
<A HREF="http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?internet+service+provider">ISP</A>
|
|
directly from the VPN
|
|
client system - thus retaining all of the benefits of your Linux internet
|
|
firewall. It also allows you to set up a VPN server with a Private Network
|
|
IP address (as described in
|
|
<A HREF="http://andrew2.andrew.cmu.edu/rfc/rfc1918.html">RFC1918</A>) behind a masquerading Linux firewall, permitting you to
|
|
provide relatively secure access to a private network via only one
|
|
registered IP address - even if that IP address represents a dynamic
|
|
dial-up link.
|
|
<P>It is strongly recommended that you understand, configure and test regular
|
|
IP Masquerading before you attempt to set up VPN masquerading. Please see
|
|
the
|
|
<A HREF="http://members.home.net/ipmasq/ipmasq-HOWTO-1.82.html">IP Masquerade HOWTO</A> and the IP Masquerade Resource page at
|
|
<A HREF="http://ipmasq.cjb.net/">http://ipmasq.cjb.net/</A> before proceeding. Planning and setting
|
|
up your VPN and firewall is beyond the scope of this document. Here are
|
|
some resources:
|
|
<UL>
|
|
<LI>
|
|
<A HREF="http://www.linux.org/help/ldp/howto/Firewall-HOWTO.html">http://www.linux.org/help/ldp/howto/Firewall-HOWTO.html</A></LI>
|
|
<LI>
|
|
<A HREF="http://hal2000.hal.vein.hu/~mag/linux-security/VPN-HOWTO.html">http://hal2000.hal.vein.hu/~mag/linux-security/VPN-HOWTO.html</A></LI>
|
|
</UL>
|
|
<P>The patch for the 2.0.x-series kernels works well on Linux kernel version
|
|
2.0.36, has been incorporated into the 2.0.37 release, may work on versions
|
|
earlier than 2.0.36, and should work on Linux kernels up to about version
|
|
2.1.102. The IP masquerade code in the kernel was restructured at about
|
|
version 2.1.103, requiring a different patch for the 2.1.105+ and 2.2.x
|
|
series of kernels. A patch is available for kernels from 2.2.5 to 2.2.17,
|
|
and it may work on earlier kernels.
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss1.2">1.2 Feedback, Credits & Resources</A>
|
|
</H2>
|
|
|
|
<P>The home page for the Linux VPN Masquerade kernel patches
|
|
is
|
|
<A HREF="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</A><P>Please feel free to send any feedback or comments regarding this document
|
|
to me at
|
|
<A HREF="mailto:jhardin@wolfenet.com"><jhardin@wolfenet.com></A>. The current version can be found at:
|
|
<UL>
|
|
<LI> HTML:
|
|
<A HREF="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade.html">ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade.html</A></LI>
|
|
<LI> Postscript:
|
|
<A HREF="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade.ps.gz">ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade.ps.gz</A></LI>
|
|
<LI> SGML source:
|
|
<A HREF="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-Masquerade.sgml">ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-Masquerade.sgml</A></LI>
|
|
</UL>
|
|
|
|
If you are working with a kernel whose version number is higher than any
|
|
mentioned in this document, <EM>please</EM> see if there is an updated
|
|
version of the HOWTO at the above site before contacting me directly.
|
|
<P>It can also be found via the
|
|
<A HREF="http://metalab.unc.edu/LDP/">Linux Documentation Project</A>'s
|
|
<A HREF="http://metalab.unc.edu/LDP/HOWTO/">HOWTO repository</A> and in the
|
|
<CODE>
|
|
<A HREF="file:/usr/doc/HOWTO/">/usr/doc/HOWTO/</A></CODE>
|
|
directory on your nearest Linux system. These copies are not directly
|
|
updated by me, so they may be somewhat out of date.
|
|
<P>I personally have experience with masquerading IPsec and PPTP clients
|
|
running on MS W'98 and NT, configuring a registered-IP PPTP server, and
|
|
using PPTP for network-to-network routing.
|
|
<P>The information on masquerading a Private-IP PPTP server is from
|
|
discussions with
|
|
Len Bayles
|
|
<A HREF="mailto:len@isdi.com"><len@isdi.com></A>,
|
|
Simon Cocking
|
|
<A HREF="mailto:simon@ibs.com.au"><simon@ibs.com.au></A>
|
|
and
|
|
C. Scott Ananian
|
|
<A HREF="mailto:cananian@lcs.mit.edu"><cananian@lcs.mit.edu></A>.
|
|
<P>The home page for the PPTP-only Masquerade kernel patch for the 2.1.105+
|
|
and early 2.2.x kernel series is
|
|
<A HREF="http://bmrc.berkeley.edu/people/chaffee/linux_pptp.html">http://bmrc.berkeley.edu/people/chaffee/linux_pptp.html</A>.
|
|
<P>The home page for the <CODE>ipportfw</CODE> port-forwarding kernel patch and
|
|
configuration tool for 2.0.x kernels is
|
|
<A HREF="http://www.ox.compsoc.org.uk/~steve/portforwarding.html">http://www.ox.compsoc.org.uk/~steve/portforwarding.html</A>.
|
|
Port forwarding is built into the 2.2.x kernel, and the <CODE>ipmasqadm</CODE>
|
|
configuration tool for controlling 2.2.x port forwarding can be obtained at
|
|
<A HREF="http://juanjox.kernelnotes.org/">http://juanjox.kernelnotes.org/</A>.
|
|
<P>The home page for the <CODE>ipfwd</CODE> generic IP redirector is
|
|
<A HREF="http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/">http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/</A>.
|
|
<P>Profuse thanks to Gordon Chaffee
|
|
<A HREF="mailto:chaffee@cs.berkeley.edu"><chaffee@cs.berkeley.edu></A>
|
|
for coding and sharing a patch to traceroute that allows tracing GRE
|
|
traffic. It should prove invaluable in troubleshooting if your GRE traffic
|
|
is being blocked somewhere. The patch is available at
|
|
<A HREF="http://www.wolfenet.com/~jhardin/pptp-traceroute.patch.gz">http://www.wolfenet.com/~jhardin/pptp-traceroute.patch.gz</A><P>More thanks to Steve Chinatti
|
|
<A HREF="mailto:chinatti@alumni.Princeton.EDU"><chinatti@alumni.Princeton.EDU></A>
|
|
for contributing his original IPsec masquerade hack, from
|
|
which I shamelessly stole some very important ideas...
|
|
<P>More information on setting up firewall rules to run automatically - including
|
|
how to automatically use the correct IP address in a dynamic-IP environment -
|
|
can be found at
|
|
<A HREF="http://www.wolfenet.com/~jhardin/ipfwadm/invocation.html">http://www.wolfenet.com/~jhardin/ipfwadm/invocation.html</A><P>The home page for Linux FreeS/WAN (IPsec for Linux) is
|
|
<A HREF="http://www.xs4all.nl/~freeswan/">http://www.xs4all.nl/~freeswan/</A> - this is the preferred Linux
|
|
VPN solution.
|
|
<P>A native Linux PPTP server called PoPToP is available at
|
|
<A HREF="http://www.moretonbay.com/vpn/pptp.html">http://www.moretonbay.com/vpn/pptp.html</A> - for the most
|
|
up-to-date information about PPTP on Linux, go there.
|
|
<P>Paul Cadach
|
|
<A HREF="mailto:paul@odt.east.telecom.kz"><paul@odt.east.telecom.kz></A>
|
|
has made patches that add MS-CHAP-v2, MPPE and Multilink support to Linux pppd. See
|
|
<A HREF="ftp://ftp.east.telecom.kz/pub/src/networking/ppp/ppp-2.3.5-my.tgz">ftp://ftp.east.telecom.kz/pub/src/networking/ppp/ppp-2.3.5-my.tgz</A> for MS-CHAP and MPPE, and
|
|
<A HREF="ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink/ppp-2.3.5-mp.tgz">ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink/ppp-2.3.5-mp.tgz</A> for Multilink.
|
|
Another (possibly related) set of pppd patches are available at the PoPToP download site at
|
|
<A HREF="http://www.moretonbay.com/vpn/download_pptp.html">http://www.moretonbay.com/vpn/download_pptp.html</A>.
|
|
<P>The home page for the original Linux PPTP project is
|
|
<A HREF="http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP">http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP</A> and a patch
|
|
to add PPTP server capability to it is available at
|
|
<A HREF="http://debs.fuller.edu/cgi-bin/display?list=pptp&msg=222">http://debs.fuller.edu/cgi-bin/display?list=pptp&msg=222</A><P>Thanks to Eric Raymond for maintaining
|
|
<A HREF="http://www.tuxedo.org/jargon/">the Jargon File</A>, and Denis
|
|
Howe for
|
|
<A HREF="http://foldoc.doc.ic.ac.uk/">The Free On-line Dictionary of Computing</A>.
|
|
<P>
|
|
<P>
|
|
<H2><A NAME="ss1.3">1.3 Copyright & Disclaimer</A>
|
|
</H2>
|
|
|
|
<P>This document is copyright © 1999-2000 by John D. Hardin.
|
|
Permission is granted to redistribute it under the terms of the LDP
|
|
License, available at
|
|
<A HREF="http://www.linuxdoc.org/COPYRIGHT.html">http://www.linuxdoc.org/COPYRIGHT.html</A>
|
|
<P>The information presented in this document is correct to the best of my
|
|
knowledge. IP Masquerading is <EM>experimental</EM>, and it is possible
|
|
that I have made a mistake in writing or testing the kernel patch or
|
|
composing the instructions in this document; you should determine for
|
|
yourself if you want to make the changes outlined in this document.
|
|
<P>
|
|
<BLOCKQUOTE>
|
|
<B>THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS
|
|
TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT. BACK UP ANY AND ALL
|
|
CRITICAL INFORMATION BEFORE IMPLEMENTING THE CHANGES OUTLINED IN THIS
|
|
DOCUMENT. MAKE SURE YOU HAVE A WORKING, BOOTABLE KERNEL AVAILABLE BEFORE
|
|
PATCHING AND RECOMPILING YOUR KERNEL AS OUTLINED IN THIS DOCUMENT.</B>
|
|
</BLOCKQUOTE>
|
|
|
|
In other words, take sensible precautions.
|
|
<P>
|
|
<P>
|
|
<HR>
|
|
<A HREF="VPN-Masquerade-HOWTO-2.html">Next</A>
|
|
Previous
|
|
<A HREF="VPN-Masquerade-HOWTO.html#toc1">Contents</A>
|
|
</BODY>
|
|
</HTML>
|