Next
Previous
Contents
- Set up your routing so that the Linux firewall is your default
gateway:
- Open
Control Panel/Network
or right-click "Network
Neighborhood" and click on Properties
.
- Click on the
Configuration
tab.
- In the list of installed network components, double-click on the
"TCP/IP -> whatever-NIC-you-have" line.
- Click on the
Gateway
tab.
- Enter the local-network IP address of your Linux firewall. Delete any
other gateways.
- Click on the "OK" button.
- Test masquerading. For example, run "
telnet
my.isp.mail.server smtp
" and you should see the mail
server's welcome banner.
- Install and configure the VPN software. For IPsec software follow the
manufacturer's instructions. For MS PPTP:
- Open
Control Panel/Network
or right-click "Network
Neighborhood" and click on Properties
.
- Click on the
Configuration
tab.
- Click on the "Add" button, then double-click on the
"Adapter" line.
- Select "Microsoft" as the manufacturer and add the
"Virtual Private Networking Adapter" adapter.
- Reboot when prompted to.
- If you need to use strong (128-bit) encryption, download the
strong encryption DUN 1.3 update from the MS secure site at
http://mssecure.www.conxion.com/cgi-bin/ntitar.pl and
install it, then reboot again when prompted to.
- Create a new dial-up phonebook entry for your PPTP server.
- Select the VPN adapter as the device to use, and enter the PPTP
server's internet IP address as the telephone number.
- Select the
Server Types
tab, and check the compression and
encryption checkboxes.
- Click on the "TCP/IP Settings" button.
- Set the dynamic/static IP address information for your client as
instructed to by your PPTP server's administrator.
- If you wish to have access to your local network while the PPTP
connection is up, uncheck the "Use default gateway on remote
network" checkbox.
- Reboot a few more times, just from habit... :)
- Set up your routing so that the Linux firewall is your default
gateway and test masquerading as described above.
- Install and configure the VPN software. For IPsec software follow the
manufacturer's instructions. For MS PPTP:
- Open
Control Panel/Add or Remove Software
and click on the
Windows Setup
tab.
- Click on the
Communications
option and click the
"Details" button.
- Make sure the "Virtual Private Networking"
option is checked. Then click the "OK" button.
- Reboot when prompted to.
- If you need to use strong (128-bit) encryption, download the
strong encryption VPN Security update from the MS secure site at
http://mssecure.www.conxion.com/cgi-bin/ntitar.pl and
install it, then reboot again when prompted to.
- Create and test a new dial-up phonebook entry for your VPN server as
described above.
I haven't seen one of these yet. I expect the procedure is very similar to
that for W'98. Could someone who has done this let me know what, if any,
differences there are? Thanks.
Note: this section may be incomplete as it's been a while since I've
installed PPTP on an NT system.
- Set up your routing so that the Linux firewall is your default
gateway:
- Open
Control Panel/Network
or right-click "Network
Neighborhood" and click on Properties
.
- Click on the
Protocols
tab and double-click on the
"TCP/IP" line.
- Enter the local-network IP address of your Linux firewall in the
"Default Gateway" box.
- Click on the "OK" button.
- Test masquerading. For example, run "
telnet
my.isp.mail.server smtp
" and you should see the mail
server's welcome banner.
- Install and configure the VPN software. For IPsec software follow the
manufacturer's instructions. For MS PPTP:
- Open
Control Panel/Network
or right-click "Network
Neighborhood" and click on Properties
.
- Click on the
Protocols
tab.
- Click on the "Add" button, then double-click on the
"Point-to-Point Tunneling Protocol" line.
- When it asks for the number of Virtual Private Networks, enter the
number of PPTP servers you could possibly be communicating with.
- Reboot when prompted to.
- If you need to use strong (128-bit) encryption, download the
strong encryption PPTP update from the MS secure site at
http://mssecure.www.conxion.com/cgi-bin/ntitar.pl and
install it, then reboot again when prompted to.
- Create a new dial-up phonebook entry for your PPTP server.
- Select the VPN adapter as the device to use, and enter the PPTP
server's internet IP address as the telephone number.
- Select the
Server Types
tab, and check the compression and
encryption checkboxes.
- Click on the "TCP/IP Settings" button.
- Set the dynamic/static IP address information for your client as
instructed to by your PPTP server's administrator.
- If you wish to have access to your local network while the PPTP
connection is up, see
MS Knowledge Base article Q143168 for a registry fix.
(Sigh.)
- Make sure you reapply the most recent Service Pack, to ensure
that your RAS and PPTP libraries are up-to-date for security and
performance enhancements.
Yet to be written.
You really ought to look at FreeS/WAN (IPsec for Linux) at
http://www.xs4all.nl/~freeswan/ instead of masquerading.
It is possible to masquerade Checkpoint SecuRemote-based VPN traffic under
certain circumstances.
First, you must configure the SecuRemote firewall to allow masqueraded
sessions. On the SecuRemote firewall do the following:
- Run
fwstop
- Edit
$FWDIR/conf/objects.C
and after the
":props (
" line, add or modify the following lines
to read:
:userc_NAT (true)
:userc_IKE_NAT (true)
- Run
fwstart
- Re-install your security policy.
- Verify the change took effect by checking both
$FWDIR/conf/objects.C
and
$FWDIR/database/objects.C
If you use the IPsec protocols (called "IKE" by CheckPoint) you
don't have to do anything else special to masquerade the VPN traffic.
Simply configure your masquerading gateway to masquerade IPsec traffic as
described above.
Checkpoint's proprietary FWZ protocol is more complicated. There are two
modes that FWZ can be used in: encapsulated mode and transport mode. In
encapsulated mode, integrity checking is done over the whole IP packet,
just as in IPsec's AH protocol. Changing the IP address breaks this
integrity guarantee, thus encapsulated FWZ tunnels cannot be
masqueraded.
In transport mode, only the data portion of the packet is encrypted, and
the IP headers are not verified against changes. In this mode, masquerading
should work with the modifications described above.
The configuration for encapsulated or transport mode is done in the
FireWall-1 GUI. In the network object for the Firewall, under the VPN
tab, edit the FWZ properties. The third tab in FWZ properties allows you
to set encapsulated mode.
You will only be able to masquerade one client at a time.
Further information can be found at:
Next
Previous
Contents