VPN with Free/SWan

Discussion in 'LnS English Forum' started by Max Franco, May 22, 2003.

Thread Status:
Not open for further replies.
  1. Max Franco

    Max Franco Guest

    Has anyone already configured a rule to make Look'n'Stop work with FreeS/WAN VPN Server? o_O

    I tried but with no success...

    many thanks
     
  2. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Max Franco,

    a while ago I read an interesting article about VPN and how to set it up with personal firewalls. First of all, the firewall needs to be able to deal with the GRE protocol, which Look'n'Stop does. In every case you need to open TCP port 1723 so that VPN will work.

    Hope that helps in a way! I never tested that myself. :doubt:

    Best regards,

    Patrice
     
  3. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hey Max Franco,

    did you already check that out:

    VPN (Virtual Private Network):

    If your PC communicates with a corporate network over VPN, add the IP 47 rule from the file IP47.rie.

    This rule allows IP protocol number 47, which is used by the large majority of VPN software.

    VNC (Virtual Network Computing):

    If your PC uses VNC-type software to display the screen of another PC, add the rule
    TCP: Allow Port 5900 from the file vnc.rie.

    You find these rules here:

    http://www.looknstop.com/Fr/rules.htm#VPN

    Hope that helps & works! ;)

    Best regards,

    Patrice
     
  4. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    I'm currently trying to set this up.
    However, both my (VPN) ISP and apparently the RFCs state that I'd need to allow UDP port 500 and IP protocols 50 (ESP) and 51 (AH). I haven't found a mention of protocol 47...

    I have made the corresponding three rules now, but had to allow protocol 51 by an "other" protocol rule - quite leaky.

    Next, I'll install the client and hope that it doesn't wreak havoc on my network stack. I'll let you know if it works. If it does, then an option to (easily?) add protocol 51 would be great ;)

    CU,
    Andreas

    PS. My provider uses Nortel VPN Server, so I'm first trying to install Nortel's client (free). If it works, I'll try my luck with FreeS/WAN - under Linux.
     
  5. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Update:
    This is a bit messy...
    I suppose I have to decide whether I want to firewall against 'normal' Internet traffic, allowing for occasional VPN packets (with unknowable content), or 'inside' my VPN traffic. With the slight drawback that monitoring both seems not to be possible (or can I firewall two interfaces?).

    Firstly: When I change my firewalled interface to the VPN driver/interface, I can successfully establish a connection - I just have to add rules to allow new ARPs (new local MAC for the other IFace, new ARP server; new DNS servers).
    But in this connection, I never see those UDP 500, ESP, AH packets that I supposedly have to allow - I assume that's because they are on the other (the 'plain Internet') interface.
    And that will leave me unprotected unless I am in fact using the VPN - which is not always the case.

    Secondly: When I *don't* change interfaces and try to add rules for allowing the VPN streams in and out, it works as well. I'm just getting UDP 500 and ESP (protocol 50) in my logs, so maybe these two rules are sufficient after all. (First it didn't do it, but now it's working.) OTOH, I have no access to the contents of these IPsec packets, i.e. I cannot filter on IPs, ports etc. of the traffic within the stream. I'll surf a bit and tell you if I encounter any problems.

    HTHH,
    Andreas
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hallo Andreas,

    What you are doing sounds really interesting to me! Unfortunately I cannot help you in this special case because I don't have a VPN on my system. And it really depends on which tool you are using for it.

    Actually, you can start Look'n'Stop two times so that you are able to monitor the VPN traffic and the Internet traffic. But honestly I don't think you need to monitor your VPN traffic... I mean you only allow yourself (and some other well-known computers) onto your system. Everything is logged and no one else can access it. So overall it's already very restrictive - why do you still want to monitor it? But nevertheless you should try it out to be sure that everything works as well as you want it to! ;)

    Hope that helps so far!

    Regards,

    Patrice
     
  7. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

    Normally there is no need to filter the IP connection that is above the VPN.
    A VPN connection should already be secure.

    I also use a VPN sometimes, and I leave the Look 'n' Stop configuration on the main adapter.
    I effectively added some rules to allow UDP 500 and IP 50.
    But not IP 51, and I didn't add any rules for DNS/ARP access.

    Regards,

    Frederic
     
  8. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi all,
    meanwhile I have read around a bit: protocol 51 (AH) is used for authenticated but unencrypted packets only. Most VPNs use authenticated and encrypted packets, so they only ever need protocol 50 (ESP).
    New ARP and DNS rules are needed only "within" the VPN traffic - so my setup is basically just the same as Frédéric has described.

    Concerning the need to firewall the VPN traffic, however:
    On the one hand, the VPN provider is my university, so I should be shielded by the university's firewall already.
    But... on the other hand, the VPN tunnel opens to the university's subnet *and to the whole Internet*. The service has been offered so that those of us dialing up via a third-party ISP could still access some services (libraries, e.g.) which rely on the client having a university IP address. So I open the tunnel and go to the library on the Internet, which sees my university IP and provides its service. This fact, that the whole Internet is "on the other end" of the tunnel (and the fact that you cannot always trust all the university's students either ;) ), made me wonder if I could/should add a line of defense on my doorstep.

    I'm in Linux now (setting up FreeS/WAN seems to be a bit more complicated than just installing the university's pre-configured W2k client...), but when I'm back in Windows I will try what two instances of Look'n'Stop will do...
    Thanks for your comments,
    CU,
    Andreas
     
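The thread settles on a small set of packet-filter rules: for an IPsec VPN such as FreeS/WAN, allow UDP 500 (IKE) and IP protocol 50 (ESP), with protocol 51 (AH) only needed for authenticated-but-unencrypted traffic; Patrice's GRE (IP 47) / TCP 1723 pair applies to PPTP instead. The following Python is an added example written for this page, not code from the forum, Look'n'Stop or FreeS/WAN. It parses constructed IPv4 packets, names the VPN traffic class each belongs to, and applies the two rule sets as a default-deny filter so the reader can see which packets each set lets through. The `build_ipv4` helper, the sample addresses and the payload bytes are constructed for the demonstration; the protocol numbers and ports are the standard IANA assignments named in the thread.

```python
import struct

# Protocol numbers and ports that come up in the thread (IANA assignments).
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_GRE = 47    # PPTP data tunnel, the "IP 47" rule in Patrice's post
IPPROTO_ESP = 50    # IPsec Encapsulating Security Payload: authenticated and encrypted
IPPROTO_AH = 51     # IPsec Authentication Header: authenticated only, not encrypted
IKE_PORT = 500      # IKE/ISAKMP key exchange over UDP
PPTP_PORT = 1723    # PPTP control channel over TCP

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte fixed IPv4 header


def build_ipv4(proto, payload, src=(192, 0, 2, 10), dst=(198, 51, 100, 1)):
    """Construct a minimal IPv4 packet for testing (constructed sample data;
    the header checksum is left zero because the parser does not verify it)."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes(src), bytes(dst))
    return header + payload


def parse_ipv4(pkt):
    """Return protocol number, addresses and (for TCP/UDP) the port pair."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("invalid header length")
    sport = dport = None
    # Only TCP and UDP carry ports; ESP, AH and GRE are filtered by protocol alone.
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"proto": proto, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst)), "sport": sport, "dport": dport}


def classify(pkt):
    """Name the VPN-related traffic class a packet belongs to, or 'other'."""
    p = parse_ipv4(pkt)
    if p["proto"] == IPPROTO_ESP:
        return "ESP"
    if p["proto"] == IPPROTO_AH:
        return "AH"
    if p["proto"] == IPPROTO_GRE:
        return "GRE"
    if p["proto"] == IPPROTO_UDP and IKE_PORT in (p["sport"], p["dport"]):
        return "IKE"
    if p["proto"] == IPPROTO_TCP and PPTP_PORT in (p["sport"], p["dport"]):
        return "PPTP-control"
    return "other"


# Rule sets as (protocol number, port or None); None means any port.
IPSEC_RULES = ((IPPROTO_UDP, IKE_PORT), (IPPROTO_ESP, None))   # Frederic's working set
PPTP_RULES = ((IPPROTO_TCP, PPTP_PORT), (IPPROTO_GRE, None))    # Patrice's GRE/1723 pair


def permitted(pkt, rules):
    """Default-deny check: True only if some rule matches protocol and port."""
    p = parse_ipv4(pkt)
    for proto, port in rules:
        if p["proto"] == proto and (port is None or port in (p["sport"], p["dport"])):
            return True
    return False


# Constructed sample packets, one per traffic class discussed in the thread.
IKE_PKT = build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0))
ESP_PKT = build_ipv4(IPPROTO_ESP, b"\x00\x00\x10\x01\x00\x00\x00\x01" + b"\x00" * 16)  # SPI, seq, ciphertext
AH_PKT = build_ipv4(IPPROTO_AH, b"\x00" * 24)
GRE_PKT = build_ipv4(IPPROTO_GRE, b"\x30\x01\x88\x0b" + b"\x00" * 4)
PPTP_PKT = build_ipv4(IPPROTO_TCP, struct.pack("!HH", 40000, 1723) + b"\x00" * 16)
WEB_PKT = build_ipv4(IPPROTO_TCP, struct.pack("!HH", 40001, 80) + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in [("IKE", IKE_PKT), ("ESP", ESP_PKT), ("AH", AH_PKT),
                      ("GRE", GRE_PKT), ("PPTP", PPTP_PKT), ("WEB", WEB_PKT)]:
        print(f"{name:5} class={classify(pkt):13} ipsec_rules={permitted(pkt, IPSEC_RULES)!s:5} "
              f"pptp_rules={permitted(pkt, PPTP_RULES)}")
```

Run stand-alone, the table shows what Andreas observed in his logs: with the IPsec rule set only IKE and ESP pass, AH is dropped (consistent with his conclusion that encrypted VPNs never send it), and ordinary web traffic, which is what he wanted to keep filtering, is rejected by both rule sets. The filter deliberately has no view into the ESP payload, which is the limitation he describes: once the tunnel is up, the inner IPs and ports can only be filtered on the VPN interface itself.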