Linux VPN Masquerade HOWTO: Configuring the VPN client

4. Configuring the VPN client

4.1 Configuring a MS W'95 client

  1. Set up your routing so that the Linux firewall is your default gateway:
    1. Open Control Panel/Network or right-click "Network Neighborhood" and click on Properties.
    2. Click on the Configuration tab.
    3. In the list of installed network components, double-click on the "TCP/IP -> whatever-NIC-you-have" line.
    4. Click on the Gateway tab.
    5. Enter the local-network IP address of your Linux firewall. Delete any other gateways.
    6. Click on the "OK" button.
  2. Test masquerading. For example, run "telnet my.isp.mail.server smtp" and you should see the mail server's welcome banner.
  3. Install and configure the VPN software. For IPsec software follow the manufacturer's instructions. For MS PPTP:
    1. Open Control Panel/Network or right-click "Network Neighborhood" and click on Properties.
    2. Click on the Configuration tab.
    3. Click on the "Add" button, then double-click on the "Adapter" line.
    4. Select "Microsoft" as the manufacturer and add the "Virtual Private Networking Adapter" adapter.
    5. Reboot when prompted to.
    6. If you need to use strong (128-bit) encryption, download the strong encryption DUN 1.3 update from the MS secure site at http://mssecure.www.conxion.com/cgi-bin/ntitar.pl and install it, then reboot again when prompted to.
    7. Create a new dial-up phonebook entry for your PPTP server.
    8. Select the VPN adapter as the device to use, and enter the PPTP server's internet IP address as the telephone number.
    9. Select the Server Types tab, and check the compression and encryption checkboxes.
    10. Click on the "TCP/IP Settings" button.
    11. Set the dynamic/static IP address information for your client as instructed to by your PPTP server's administrator.
    12. If you wish to have access to your local network while the PPTP connection is up, uncheck the "Use default gateway on remote network" checkbox.
    13. Reboot a few more times, just from habit... :)

4.2 Configuring a MS W'98 client

  1. Set up your routing so that the Linux firewall is your default gateway and test masquerading as described above.
  2. Install and configure the VPN software. For IPsec software follow the manufacturer's instructions. For MS PPTP:
    1. Open Control Panel/Add or Remove Software and click on the Windows Setup tab.
    2. Click on the Communications option and click the "Details" button.
    3. Make sure the "Virtual Private Networking" option is checked. Then click the "OK" button.
    4. Reboot when prompted to.
    5. If you need to use strong (128-bit) encryption, download the strong encryption VPN Security update from the MS secure site at http://mssecure.www.conxion.com/cgi-bin/ntitar.pl and install it, then reboot again when prompted to.
  3. Create and test a new dial-up phonebook entry for your VPN server as described above.

4.3 Configuring a MS W'ME client

I haven't seen one of these yet. I expect the procedure is very similar to that for W'98. Could someone who has done this let me know what, if any, differences there are? Thanks.

4.4 Configuring a MS NT client

Note: this section may be incomplete as it's been a while since I've installed PPTP on an NT system.

  1. Set up your routing so that the Linux firewall is your default gateway:
    1. Open Control Panel/Network or right-click "Network Neighborhood" and click on Properties.
    2. Click on the Protocols tab and double-click on the "TCP/IP" line.
    3. Enter the local-network IP address of your Linux firewall in the "Default Gateway" box.
    4. Click on the "OK" button.
  2. Test masquerading. For example, run "telnet my.isp.mail.server smtp" and you should see the mail server's welcome banner.
  3. Install and configure the VPN software. For IPsec software follow the manufacturer's instructions. For MS PPTP:
    1. Open Control Panel/Network or right-click "Network Neighborhood" and click on Properties.
    2. Click on the Protocols tab.
    3. Click on the "Add" button, then double-click on the "Point-to-Point Tunneling Protocol" line.
    4. When it asks for the number of Virtual Private Networks, enter the number of PPTP servers you could possibly be communicating with.
    5. Reboot when prompted to.
    6. If you need to use strong (128-bit) encryption, download the strong encryption PPTP update from the MS secure site at http://mssecure.www.conxion.com/cgi-bin/ntitar.pl and install it, then reboot again when prompted to.
    7. Create a new dial-up phonebook entry for your PPTP server.
    8. Select the VPN adapter as the device to use, and enter the PPTP server's internet IP address as the telephone number.
    9. Select the Server Types tab, and check the compression and encryption checkboxes.
    10. Click on the "TCP/IP Settings" button.
    11. Set the dynamic/static IP address information for your client as instructed to by your PPTP server's administrator.
    12. If you wish to have access to your local network while the PPTP connection is up, see MS Knowledge Base article Q143168 for a registry fix. (Sigh.)
    13. Make sure you reapply the most recent Service Pack, to ensure that your RAS and PPTP libraries are up-to-date for security and performance enhancements.

4.5 Configuring for network-to-network routing

Yet to be written.

You really ought to look at FreeS/WAN (IPsec for Linux) at http://www.xs4all.nl/~freeswan/ instead of masquerading.

4.6 Masquerading Checkpoint SecuRemote-based VPNs

It is possible to masquerade Checkpoint SecuRemote-based VPN traffic under certain circumstances.

First, you must configure the SecuRemote firewall to allow masqueraded sessions. On the SecuRemote firewall do the following:

  1. Run fwstop
  2. Edit $FWDIR/conf/objects.C and after the ":props (" line, add or modify the following lines to read:
    :userc_NAT (true) 
    :userc_IKE_NAT (true)
    
  3. Run fwstart
  4. Re-install your security policy.
  5. Verify the change took effect by checking both $FWDIR/conf/objects.C and $FWDIR/database/objects.C
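The steps above amount to a small text edit plus a check, but objects.C is easy to get wrong by hand (the properties have to sit directly under ":props (", not inside some nested block, and a stale copy under $FWDIR/database is what step 5 is there to catch). The following Python script is an added example, not part of this HOWTO or of any Check Point tool: it assumes objects.C is the Lisp-like text shown above, one ":name (value)" property per line under ":props (", and it works on strings so you can try it on a copy of the file before touching $FWDIR/conf/objects.C. The sample file content inside it is constructed for the example.

```python
"""Set and verify the SecuRemote masquerading properties in objects.C.

Added example for the section 4.6 procedure; it is not part of the HOWTO
or of any Check Point tool. It assumes objects.C is the Lisp-like text the
page shows, one ":name (value)" property per line under ":props (", and it
reads/writes plain strings so it can be run on a copy of the file first.
The sample file content below is constructed for the example.
"""
import re

# Properties the HOWTO says must read (true) for masqueraded SecuRemote sessions.
REQUIRED_PROPS = {"userc_NAT": "true", "userc_IKE_NAT": "true"}

# A single-line property:  <indent>:name (value)
_PROP_RE = re.compile(r"^(\s*):(\w+)\s+\((.*?)\)\s*$")


def _block_end(lines, start):
    """Index of the line closing the paren opened on lines[start]
    (plain paren counting; assumes no unbalanced parens inside values)."""
    depth = 0
    for i in range(start, len(lines)):
        depth += lines[i].count("(") - lines[i].count(")")
        if depth <= 0:
            return i
    raise ValueError("unterminated block starting at line %d" % (start + 1))


def _props_block(lines):
    """(start, end) line indices of the ':props (' block."""
    for i, line in enumerate(lines):
        if line.strip() == ":props (":
            return i, _block_end(lines, i)
    raise ValueError('no ":props (" block found')


def _direct_children(lines, start, end):
    """Yield (index, indent, name, value) for single-line properties that are
    direct children of the block; nested sub-blocks are walked past untouched."""
    depth = 1
    for i in range(start + 1, end):
        m = _PROP_RE.match(lines[i])
        if depth == 1 and m:
            yield i, m.group(1), m.group(2), m.group(3)
        depth += lines[i].count("(") - lines[i].count(")")


def read_props(text):
    """Direct-child properties of ':props (' as a {name: value} dict."""
    lines = text.splitlines()
    start, end = _props_block(lines)
    return {name: value for _, _, name, value in _direct_children(lines, start, end)}


def set_props(text, props=None):
    """Return objects.C text with each property in `props` set under ':props ('.
    Existing lines are rewritten in place; missing ones are inserted right
    after the ':props (' line, as the HOWTO instructs. Idempotent."""
    props = REQUIRED_PROPS if props is None else props
    lines = text.splitlines()
    start, end = _props_block(lines)
    remaining = dict(props)
    indent = None
    for i, ind, name, _ in list(_direct_children(lines, start, end)):
        indent = ind if indent is None else indent
        if name in props:
            lines[i] = "%s:%s (%s)" % (ind, name, props[name])
            remaining.pop(name, None)
    indent = "\t\t" if indent is None else indent
    lines[start + 1:start + 1] = ["%s:%s (%s)" % (indent, n, v) for n, v in remaining.items()]
    return "\n".join(lines) + "\n"


def props_set(text, props=None):
    """True when every required property reads exactly the wanted value.
    Run on both $FWDIR/conf/objects.C and $FWDIR/database/objects.C (step 5)."""
    props = REQUIRED_PROPS if props is None else props
    found = read_props(text)
    return all(found.get(n) == v for n, v in props.items())


# Constructed stand-in for a stripped-down objects.C: userc_NAT present but
# false, userc_IKE_NAT missing at the top level (only in a nested block).
SAMPLE_OBJECTS_C = (
    "(\n"
    "\t:props (\n"
    "\t\t:example_prop (1)\n"
    "\t\t:userc_NAT (false)\n"
    "\t\t:nested_block (\n"
    "\t\t\t:userc_IKE_NAT (false)\n"
    "\t\t)\n"
    "\t)\n"
    ")\n"
)

if __name__ == "__main__":
    fixed = set_props(SAMPLE_OBJECTS_C)
    print(fixed)
    print("before:", props_set(SAMPLE_OBJECTS_C), " after:", props_set(fixed))
```

Run it with fwstop already done, write the result back to $FWDIR/conf/objects.C, then fwstart and re-install the policy; props_set() on the contents of both objects.C files is the step 5 check. Note that the nested ":userc_IKE_NAT (false)" in the sample is deliberately left alone: only a property that is a direct child of ":props (" counts, which is why a bare grep is not a sufficient verification.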

If you use the IPsec protocols (called "IKE" by Checkpoint) you don't have to do anything else special to masquerade the VPN traffic. Simply configure your masquerading gateway to masquerade IPsec traffic as described above.

Checkpoint's proprietary FWZ protocol is more complicated. There are two modes that FWZ can be used in: encapsulated mode and transport mode. In encapsulated mode, integrity checking is done over the whole IP packet, including the IP header, just as in IPsec's AH protocol. Masquerading rewrites the source IP address, which breaks this integrity check, so encapsulated FWZ tunnels cannot be masqueraded.

In transport mode, only the data portion of the packet is encrypted, and the IP headers are not verified against changes. In this mode, masquerading should work with the modifications described above.
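The difference between the two modes is entirely a question of what the integrity check covers. The following Python script is an added illustration of that point, not code from this HOWTO, from Checkpoint or from any IPsec stack: the keyed hash, the header layout and the set of fields zeroed before hashing are a stand-in for the two coverage choices, not the real FWZ or AH algorithms. The addresses, key and payload are constructed for the example. It builds a packet at the client, passes it through a gateway hop that may or may not rewrite the source address, and asks whether the receiving firewall's recomputed check still matches.

```python
"""Model of why masquerading breaks an integrity check that covers the IP
header (encapsulated FWZ, IPsec AH) but not one that covers only the
protected payload (transport-mode FWZ).

Added illustration, not code from the HOWTO, from Check Point or from any
IPsec stack: the keyed hash, the header layout and the set of fields zeroed
before hashing are a stand-in for the two coverage choices the text
describes, not the real FWZ or AH algorithms. Addresses, key and payload
are constructed for the example.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed shared secret"  # stand-in for the tunnel's integrity key


def ipv4_header(src, dst, payload_len, proto=50, ttl=64):
    """Minimal 20-byte IPv4 header, no options, checksum left at 0.
    The protocol number is arbitrary for this demonstration."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _immutable_fields(header):
    """Zero the fields a router legitimately rewrites in transit (TTL, header
    checksum), as AH does before hashing. Source and destination addresses
    stay covered: that is exactly what makes address rewriting fatal."""
    h = bytearray(header)
    h[8] = 0            # TTL
    h[10:12] = b"\0\0"  # header checksum
    return bytes(h)


def icv_whole_packet(header, payload):
    """Encapsulated-mode style: integrity over (immutable) header + payload."""
    return hmac.new(KEY, _immutable_fields(header) + payload, hashlib.sha256).digest()


def icv_payload_only(header, payload):
    """Transport-mode style: integrity over the payload only; `header` is
    accepted for a uniform interface and deliberately ignored."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()


def forward(header, new_src):
    """One hop through the Linux gateway: TTL drops by one, and if `new_src`
    differs from the current source the packet is masqueraded (source
    address rewritten). The real gateway also fixes the header checksum,
    which is already excluded from the hash above."""
    h = bytearray(header)
    h[8] -= 1
    h[12:16] = socket.inet_aton(new_src)
    return bytes(h)


def icv_survives(icv_fn, src="192.168.1.10", wire_src="203.0.113.5",
                 dst="198.51.100.1", payload=b"constructed protected payload"):
    """Client computes the ICV on its packet; the gateway forwards it (with
    masquerading when wire_src != src); the receiving firewall recomputes
    the ICV over what arrived. True if the check still passes."""
    hdr = ipv4_header(src, dst, len(payload))
    sent_icv = icv_fn(hdr, payload)
    arrived = forward(hdr, wire_src)
    return hmac.compare_digest(sent_icv, icv_fn(arrived, payload))


if __name__ == "__main__":
    print("encapsulated-style ICV, routed (no NAT):",
          icv_survives(icv_whole_packet, wire_src="192.168.1.10"))  # True
    print("encapsulated-style ICV, masqueraded:   ",
          icv_survives(icv_whole_packet))                           # False
    print("transport-style ICV, masqueraded:      ",
          icv_survives(icv_payload_only))                           # True
```

The first case shows that a plain routed hop is harmless to a header-covering check, because TTL and checksum are excluded from the hash; it is specifically the rewritten source address that the receiving firewall cannot reconcile. Nothing the masquerading gateway can do short of knowing the tunnel's key will make the encapsulated-mode case pass, which is why the HOWTO's only answer for that mode is to switch the tunnel to transport mode.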

The configuration for encapsulated or transport mode is done in the FireWall-1 GUI. In the network object for the Firewall, under the VPN tab, edit the FWZ properties. The third tab in FWZ properties allows you to set encapsulated mode.

You will only be able to masquerade one client at a time.

Further information can be found at:

