Linux VPN Masquerade HOWTO: Introduction

1. Introduction

1.1 Introduction

This document describes how to configure masquerading of IPsec and PPTP VPN traffic. SSH-based VPNs (such as that sold by F-Secure and outlined in the VPN mini-HOWTO) are based on standard TCP traffic and do not need any special kernel modifications.
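To make the distinction in the previous paragraph concrete, here is an added illustration (not code from the HOWTO or from the kernel patch) of a toy port-keyed masquerader in Python. Classic IP masquerading rewrites the source address of an outbound packet to the firewall's public address and allocates a unique source port so that replies can be mapped back to the internal host; that works for TCP and UDP, and therefore for SSH-based VPNs, but IPsec ESP (IP protocol 50) and PPTP's GRE (IP protocol 47) carry no port numbers, so a port-keyed table has nothing to key on. The protocol numbers are IANA assignments, not values from this HOWTO, and the class name, addresses and `needs_vpn_masquerade` helper are the example's own assumptions.

```python
"""Toy model of port-keyed IP masquerading (illustration only, not kernel code).

Shows why plain masquerading passes TCP/UDP traffic but cannot translate
IPsec ESP or PPTP GRE packets, which have no port fields.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# IANA IP protocol numbers (facts, not values from the HOWTO)
PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 6, 17, 47, 50


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # only TCP and UDP headers carry ports
    dport: Optional[int] = None


class PortMasquerader:
    """Minimal model of port-keyed masquerading (hypothetical class for illustration)."""

    def __init__(self, public_ip: str, first_port: int = 61000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, masqueraded port) -> (internal source address, internal source port)
        self.table: Dict[Tuple[int, int], Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an internal -> internet packet; None means it cannot be masqueraded."""
        if pkt.sport is None:
            # ESP and GRE have no port field, so there is nothing to key the table on.
            return None
        masq_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, masq_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=masq_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply from the internet back to the internal host, or None if unknown."""
        if pkt.dport is None:
            return None
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        src, sport = entry
        return replace(pkt, dst=src, dport=sport)


def needs_vpn_masquerade(pkt: Packet) -> bool:
    """True for the traffic the HOWTO's patch exists for: portless ESP and GRE."""
    return pkt.proto in (PROTO_ESP, PROTO_GRE)


def demo():
    """Run one TCP flow and one ESP/GRE attempt through the toy masquerader."""
    # Constructed sample addresses from the RFC 1918 and RFC 5737 documentation ranges.
    masq = PortMasquerader("198.51.100.1")
    ssh = Packet(PROTO_TCP, "192.168.1.10", "203.0.113.5", sport=40000, dport=22)
    out = masq.outbound(ssh)                      # translated, table entry created
    reply = Packet(PROTO_TCP, "203.0.113.5", out.src, sport=22, dport=out.sport)
    back = masq.inbound(reply)                    # mapped back to 192.168.1.10:40000
    esp = Packet(PROTO_ESP, "192.168.1.10", "203.0.113.5")
    gre = Packet(PROTO_GRE, "192.168.1.10", "203.0.113.5")
    return out, back, masq.outbound(esp), masq.outbound(gre)


if __name__ == "__main__":
    out, back, esp_result, gre_result = demo()
    print("SSH outbound:", out)
    print("SSH reply mapped back:", back)
    print("ESP through plain masquerade:", esp_result)
    print("GRE through plain masquerade:", gre_result)
```

The model deliberately has no special case for ESP or GRE: that missing case is exactly what the VPN Masquerade kernel patch described in this HOWTO supplies.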

VPN Masquerade lets you establish one or more IPsec and/or PPTP sessions to internet-accessible VPN servers through your Linux internet firewall, so you are not forced to connect to your ISP directly from the VPN client system and you keep all of the protection the firewall provides. It also lets you place a VPN server with a Private Network IP address (as described in RFC1918) behind a masquerading Linux firewall, so that you can provide relatively secure access to a private network through a single registered IP address - even if that address belongs to a dynamic dial-up link.

It is strongly recommended that you understand, configure and test regular IP Masquerading before you attempt to set up VPN masquerading. Please see the IP Masquerade HOWTO and the IP Masquerade Resource page at http://ipmasq.cjb.net/ before proceeding. Planning and setting up your VPN and firewall is beyond the scope of this document. Here are some resources:

The patch for the 2.0.x-series kernels works well on Linux kernel version 2.0.36, has been incorporated into the 2.0.37 release, may work on versions earlier than 2.0.36, and should work on Linux kernels up to about version 2.1.102. The IP masquerade code in the kernel was restructured at about version 2.1.103, requiring a different patch for the 2.1.105+ and 2.2.x series of kernels. A patch is available for kernels from 2.2.5 to 2.2.17, and it may work on earlier kernels.

1.2 Feedback, Credits & Resources

The home page for the Linux VPN Masquerade kernel patches is http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

Please feel free to send any feedback or comments regarding this document to me at <jhardin@wolfenet.com>. The current version can be found at:

If you are working with a kernel whose version number is higher than any mentioned in this document, please see if there is an updated version of the HOWTO at the above site before contacting me directly.

It can also be found via the Linux Documentation Project's HOWTO repository and in the /usr/doc/HOWTO/ directory on your nearest Linux system. These copies are not directly updated by me, so they may be somewhat out of date.

I personally have experience with masquerading IPsec and PPTP clients running on MS W'98 and NT, configuring a registered-IP PPTP server, and using PPTP for network-to-network routing.

The information on masquerading a Private-IP PPTP server is from discussions with Len Bayles <len@isdi.com>, Simon Cocking <simon@ibs.com.au> and C. Scott Ananian <cananian@lcs.mit.edu>.

The home page for the PPTP-only Masquerade kernel patch for the 2.1.105+ and early 2.2.x kernel series is http://bmrc.berkeley.edu/people/chaffee/linux_pptp.html.

The home page for the ipportfw port-forwarding kernel patch and configuration tool for 2.0.x kernels is http://www.ox.compsoc.org.uk/~steve/portforwarding.html. Port forwarding is built into the 2.2.x kernel, and the ipmasqadm configuration tool for controlling 2.2.x port forwarding can be obtained at http://juanjox.kernelnotes.org/.

The home page for the ipfwd generic IP redirector is http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/.

Profuse thanks to Gordon Chaffee <chaffee@cs.berkeley.edu> for coding and sharing a patch to traceroute that allows tracing GRE traffic. It should prove invaluable in troubleshooting if your GRE traffic is being blocked somewhere. The patch is available at http://www.wolfenet.com/~jhardin/pptp-traceroute.patch.gz

More thanks to Steve Chinatti <chinatti@alumni.Princeton.EDU> for contributing his original IPsec masquerade hack, from which I shamelessly stole some very important ideas...

More information on setting up firewall rules to run automatically - including how to automatically use the correct IP address in a dynamic-IP environment - can be found at http://www.wolfenet.com/~jhardin/ipfwadm/invocation.html

The home page for Linux FreeS/WAN (IPsec for Linux) is http://www.xs4all.nl/~freeswan/ - this is the preferred Linux VPN solution.

A native Linux PPTP server called PoPToP is available at http://www.moretonbay.com/vpn/pptp.html - for the most up-to-date information about PPTP on Linux, go there.

Paul Cadach <paul@odt.east.telecom.kz> has made patches that add MS-CHAP-v2, MPPE and Multilink support to Linux pppd. See ftp://ftp.east.telecom.kz/pub/src/networking/ppp/ppp-2.3.5-my.tgz for MS-CHAP and MPPE, and ftp://ftp.east.telecom.kz/pub/src/networking/ppp/multilink/ppp-2.3.5-mp.tgz for Multilink. Another (possibly related) set of pppd patches are available at the PoPToP download site at http://www.moretonbay.com/vpn/download_pptp.html.

The home page for the original Linux PPTP project is http://www.pdos.lcs.mit.edu/~cananian/Projects/PPTP and a patch to add PPTP server capability to it is available at http://debs.fuller.edu/cgi-bin/display?list=pptp&msg=222

Thanks to Eric Raymond for maintaining the Jargon File, and Denis Howe for The Free On-line Dictionary of Computing.

1.3 Copyright & Disclaimer

This document is copyright © 1999-2000 by John D. Hardin. Permission is granted to redistribute it under the terms of the LDP License, available at http://www.linuxdoc.org/COPYRIGHT.html

The information presented in this document is correct to the best of my knowledge. IP Masquerading is experimental, and it is possible that I have made a mistake in writing or testing the kernel patch or composing the instructions in this document; you should determine for yourself if you want to make the changes outlined in this document.

THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THE INFORMATION IN THIS DOCUMENT. BACK UP ANY AND ALL CRITICAL INFORMATION BEFORE IMPLEMENTING THE CHANGES OUTLINED IN THIS DOCUMENT. MAKE SURE YOU HAVE A WORKING, BOOTABLE KERNEL AVAILABLE BEFORE PATCHING AND RECOMPILING YOUR KERNEL AS OUTLINED IN THIS DOCUMENT.
In other words, take sensible precautions.

