LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/VPN-Masquerade-HOWTO-1.html

176 lines
9.7 KiB
HTML
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Linux VPN Masquerade HOWTO: Introduction</TITLE>
<LINK HREF="VPN-Masquerade-HOWTO-2.html" REL=next>
<LINK HREF="VPN-Masquerade-HOWTO.html#toc1" REL=contents>
</HEAD>
<BODY>
<A HREF="VPN-Masquerade-HOWTO-2.html">Next</A>
Previous
<A HREF="VPN-Masquerade-HOWTO.html#toc1">Contents</A>
<HR>
<H2><A NAME="s1">1. Introduction</A></H2>
<P>
<P>
<H2><A NAME="ss1.1">1.1 Introduction </A>
</H2>
<P>This document describes how to configure masquerading of IPsec and PPTP VPN
traffic. SSH-based VPNs (such as that sold by F-Secure and outlined in the
<A HREF="http://www.linux.org/help/ldp/mini/VPN.html">VPN mini-HOWTO</A>)
are based on standard TCP traffic and do not need any special kernel
modifications.
<P>
<P>VPN Masquerade allows you to establish one or more IPsec and/or PPTP
sessions to internet-accessible VPN servers via your Linux
<A HREF="http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?firewall+machine">internet firewall</A> without forcing you to connect to your
<A HREF="http://foldoc.doc.ic.ac.uk/foldoc/foldoc.cgi?internet+service+provider">ISP</A>
directly from the VPN
client system - thus retaining all of the benefits of your Linux internet
firewall. It also allows you to set up a VPN server with a Private Network
IP address (as described in
<A HREF="http://andrew2.andrew.cmu.edu/rfc/rfc1918.html">RFC1918</A>) behind a masquerading Linux firewall, permitting you to
provide relatively secure access to a private network via only one
registered IP address - even if that IP address represents a dynamic
dial-up link.
<P>It is strongly recommended that you understand, configure and test regular
IP Masquerading before you attempt to set up VPN masquerading. Please see
the
<A HREF="http://members.home.net/ipmasq/ipmasq-HOWTO-1.82.html">IP Masquerade HOWTO</A> and the IP Masquerade Resource page at
<A HREF="http://ipmasq.cjb.net/">http://ipmasq.cjb.net/</A> before proceeding. Planning and setting
up your VPN and firewall is beyond the scope of this document. Here are
some resources:
<UL>
<LI>
<A HREF="http://www.linux.org/help/ldp/howto/Firewall-HOWTO.html">http://www.linux.org/help/ldp/howto/Firewall-HOWTO.html</A></LI>
<LI>
<A HREF="http://hal2000.hal.vein.hu/~mag/linux-security/VPN-HOWTO.html">http://hal2000.hal.vein.hu/~mag/linux-security/VPN-HOWTO.html</A></LI>
</UL>
<P>The patch for the 2.0.x-series kernels works well on Linux kernel version
2.0.36, has been incorporated into the 2.0.37 release, may work on versions
earlier than 2.0.36, and should work on Linux kernels up to about version
2.1.102. The IP masquerade code in the kernel was restructured at about
version 2.1.103, requiring a different patch for the 2.1.105+ and 2.2.x
series of kernels. A patch is available for kernels from 2.2.5 to 2.2.17,
and it may work on earlier kernels.
<P>
<P>
<H2><A NAME="ss1.2">1.2 Feedback, Credits &amp; Resources</A>
</H2>
<P>The home page for the Linux VPN Masquerade kernel patches
is
<A HREF="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</A><P>Please feel free to send any feedback or comments regarding this document
to me at
<A HREF="mailto:jhardin@wolfenet.com">&lt;jhardin@wolfenet.com&gt;</A>. The current version can be found at:
<UL>
<LI> HTML:
<A HREF="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade.html">ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade.html</A></LI>
<LI> Postscript:
<A HREF="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade.ps.gz">ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-howto/VPN-Masquerade.ps.gz</A></LI>
<LI> SGML source:
<A HREF="ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-Masquerade.sgml">ftp://ftp.rubyriver.com/pub/jhardin/masquerade/VPN-Masquerade.sgml</A></LI>
</UL>
If you are working with a kernel whose version number is higher than any
mentioned in this document, <EM>please</EM> see if there is an updated
version of the HOWTO at the above site before contacting me directly.
<P>It can also be found via the
<A HREF="http://metalab.unc.edu/LDP/">Linux Documentation Project</A>'s
<A HREF="http://metalab.unc.edu/LDP/HOWTO/">HOWTO repository</A> and in the
<CODE>
<A HREF="file:/usr/doc/HOWTO/">/usr/doc/HOWTO/</A></CODE>
directory on your nearest Linux system. These copies are not directly
updated by me, so they may be somewhat out of date.
<P>I personally have experience with masquerading IPsec and PPTP clients
running on MS W'98 and NT, configuring a registered-IP PPTP server, and
using PPTP for network-to-network routing.
<P>The information on masquerading a Private-IP PPTP server is from
discussions with
Len Bayles
<A HREF="mailto:len@isdi.com">&lt;len@isdi.com&gt;</A>,
Simon Cocking
<A HREF="mailto:simon@ibs.com.au">&lt;simon@ibs.com.au&gt;</A>
and
C. Scott Ananian
<A HREF="mailto:cananian@lcs.mit.edu">&lt;cananian@lcs.mit.edu&gt;</A>.
<P>The home page for the PPTP-only Masquerade kernel patch for the 2.1.105+
and early 2.2.x kernel series is
<A HREF="http://bmrc.berkeley.edu/people/chaffee/linux_pptp.html">http://bmrc.berkeley.edu/people/chaffee/linux_pptp.html</A>.
<P>The home page for the <CODE>ipportfw</CODE> port-forwarding kernel patch and
configuration tool for 2.0.x kernels is
<A HREF="http://www.ox.compsoc.org.uk/~steve/portforwarding.html">http://www.ox.compsoc.org.uk/~steve/portforwarding.html</A>.
Port forwarding is built into the 2.2.x kernel, and the <CODE>ipmasqadm</CODE>
configuration tool for controlling 2.2.x port forwarding can be obtained at
<A HREF="http://juanjox.kernelnotes.org/">http://juanjox.kernelnotes.org/</A>.
<P>The home page for the <CODE>ipfwd</CODE> generic IP redirector is
<A HREF="http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/">http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/</A>.
<P>Profuse thanks to Gordon Chaffee
<A HREF="mailto:chaffee@cs.berkeley.edu">&lt;chaffee@cs.berkeley.edu&gt;</A>
for coding and sharing a patch to traceroute that allows tracing GRE
traffic. It should prove invaluable in troubleshooting if your GRE traffic
is being blocked somewhere. The patch is available at
<A HREF="http://www.wolfenet.com/~jhardin/pptp-traceroute.patch.gz">http://www.wolfenet.com/~jhardin/pptp-traceroute.patch.gz</A><P>More thanks to Steve Chinatti
<A HREF="mailto:chinatti@alumni.Princeton.EDU">&lt;chinatti@alumni.Princeton.EDU&gt;</A>
for contributing his original IPsec masquerade hack, from
which I shamelessly stole some very important ideas...
<P>More information on setting up firewall rules to run automatically - including
how to automatically use the correct IP address in a dynamic-IP environment -
can be found at
<A HREF="http://www.wolfenet.com/~jhardin/ipfwadm/invocation.html">http://www.wolfenet.com/~jhardin/ipfwadm/invocation.html</A><P>The home page for Linux FreeS/WAN (IPsec for Linux) is
<A HREF="http://www.xs4all.nl/~freeswan/">http://www.xs4all.nl/~freeswan/</A> - this is the preferred Linux
VPN solution.
<P>A native Linux PPTP server called PoPToP is available at
<A HREF="http://www.moretonbay.com/vpn/pptp.html">http://www.moretonbay.com/vpn/pptp.html</A> - for the most
up-to-date information about PPTP on Linux, go there.
<P>Paul Cadach
<A HREF="mailto:paul@odt.east.telecom.kz">&lt;paul@odt.east.telecom.kz&gt;</A>
has made patches that add MS-CHAP-v2, MPPE and Multilink support to Linux pppd. See
<A HREF="ftp://ftp.east.telecom.kz/pub/src/networking/ppp/ppp-2.3.5-my.tgz">ftp://ftp.east.telecom.kz/pub/src/networking/ppp/ppp-2.3.5-my.tgz</A> for MS-CHAP and MPPE, and
<A HREF="ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink/ppp-2.3.5-mp.tgz">ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink/ppp-2.3.5-mp.tgz</A> for Multilink.
Another (possibly related) set of pppd patches are available at the PoPToP download site at
<A HREF="http://www.moretonbay.com/vpn/download_pptp.html">http://www.moretonbay.com/vpn/download_pptp.html</A>.
<P>The home page for the original Linux PPTP project is
<A HREF="http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP">http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP</A> and a patch
to add PPTP server capability to it is available at
<A HREF="http://debs.fuller.edu/cgi-bin/display?list=pptp&amp;msg=222">http://debs.fuller.edu/cgi-bin/display?list=pptp&amp;msg=222</A><P>Thanks to Eric Raymond for maintaining
<A HREF="http://www.tuxedo.org/jargon/">the Jargon File</A>, and Denis
Howe for
<A HREF="http://foldoc.doc.ic.ac.uk/">The Free On-line Dictionary of Computing</A>.
<P>
<P>
<H2><A NAME="ss1.3">1.3 Copyright &amp; Disclaimer</A>
</H2>
<P>This document is copyright &copy; 1999-2000 by John D. Hardin.
Permission is granted to redistribute it under the terms of the LDP
License, available at
<A HREF="http://www.linuxdoc.org/COPYRIGHT.html">http://www.linuxdoc.org/COPYRIGHT.html</A>
<P>The information presented in this document is correct to the best of my
knowledge. IP Masquerading is <EM>experimental</EM>, and it is possible
that I have made a mistake in writing or testing the kernel patch or
composing the instructions in this document; you should determine for
yourself if you want to make the changes outlined in this document.
<P>
<BLOCKQUOTE>
<B>THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS
TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT. BACK UP ANY AND ALL
CRITICAL INFORMATION BEFORE IMPLEMENTING THE CHANGES OUTLINED IN THIS
DOCUMENT. MAKE SURE YOU HAVE A WORKING, BOOTABLE KERNEL AVAILABLE BEFORE
PATCHING AND RECOMPILING YOUR KERNEL AS OUTLINED IN THIS DOCUMENT.</B>
</BLOCKQUOTE>
In other words, take sensible precautions.
<P>
<P>
<HR>
<A HREF="VPN-Masquerade-HOWTO-2.html">Next</A>
Previous
<A HREF="VPN-Masquerade-HOWTO.html#toc1">Contents</A>
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink