Can IP Masquerading Handle L2TP Connections?
carrier lost asks: "I have to connect to my company's VPN using L2TP. I am masquerading my company-provided Windows boxes behind Linux 2.2.16. I have successfully configured the combination to provide PPTP, but now I have to figure out how to enable L2TP. Has anyone done this? Can you point me to a step-by-step tutorial?"
My vpn experiences... (Score:3)
I've never heard of L2TP before your post but here is the vpn I've recently setup.
I got vpnd [sunsite.auc.dk] and put it on two boxes on the internet. Each box was on the edge of a company network providing ip_masq and basic firewalling. The biggest problem I had was a conceptual problem with VPNing, and it was that you are effectively creating one big network, not two networks connected together. Maybe this is obvious to others, but it wasn't on any web site I've read, and networking isn't common enough for me to pay for a class or something.
Before I go any further, the vpnd setup has been semi-reliable. This doesn't bother me because we have taken two average connections to the internet and created a convenient, non-critical link for dirt cheap. If you need a reliable link, put the money into it until it is as reliable as you need it. Open source and GNU/Linux are good but not the answer to everything ... yet. :-)
Here is the info that would have saved me a few hours. I'm assuming you've read the readme and faq from vpnd [sunsite.auc.dk]. You have two private networks; we'll call them 192.168.0.0/24 and 192.168.127.0/24. Choose one to be the client and one the server. In our case one had a changing IP addr, so we made that one the client. Then set up all the config options in vpnd.conf like it should be. Here's what got me: when you set up the route1 option, the netmask needs to be a netmask that includes both sub-networks. In my case I used 255.255.0.0
If you need more help feel free to email me.
Leknor
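The netmask point above (the route must cover both private networks at once) is easy to get wrong by hand. The following is an added example, not part of Leknor's post or of vpnd: it computes the smallest single prefix that contains both subnets and checks whether a given route1-style network/netmask pair covers them. The two networks are the ones named in the post; the function names are my own.

```python
import ipaddress

# The two private networks from the post (constructed example input)
LEFT = "192.168.0.0/24"
RIGHT = "192.168.127.0/24"


def covering_supernet(nets):
    """Return the smallest single prefix that contains every network in nets.

    Starts from the first network and widens the prefix one bit at a time
    until all of the others fall inside it.
    """
    nets = [ipaddress.ip_network(n) for n in nets]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def route_covers(route_net, route_mask, nets):
    """Does a (network, netmask) route, written the way vpnd's route option
    takes it, contain every one of the given networks?"""
    route = ipaddress.ip_network(f"{route_net}/{route_mask}", strict=False)
    return all(ipaddress.ip_network(n).subnet_of(route) for n in nets)


if __name__ == "__main__":
    best = covering_supernet([LEFT, RIGHT])
    # Tightest choice: 192.168.0.0/17, i.e. netmask 255.255.128.0
    print("tightest covering route:", best, "netmask", best.netmask)
    # The post's choice, 255.255.0.0, is wider but also works
    print("255.255.0.0 covers both:", route_covers("192.168.0.0", "255.255.0.0", [LEFT, RIGHT]))
    # A /24 mask would only cover one side, which is the mistake the post warns about
    print("255.255.255.0 covers both:", route_covers("192.168.0.0", "255.255.255.0", [LEFT, RIGHT]))
```

A wider mask than the tightest one (as in the post) is harmless for the tunnel itself, but it also drags any other 192.168.x.x traffic on the box into the VPN route, so the tightest covering prefix is usually the better choice.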
You will choke on IPSec (Score:3)
Setup L2TP on your linux box (Score:2)
masquerading packets which have been already checksummed.. You setup the vpn service on your linux box. L2TP is essentially ipsec. If you follow the VPN howto.. available at most Linux howto sites or visit the www.freeswan.org?? site you should be able to get it up and running in no time.
Malice95
This is how it works... (Score:2)
You can actually masquerade IPSec connections under the right circumstances, although I'd recommend patching your Linux firewall with the FreeS/WAN stuff and doing it from there unless you absolutely HAVE to.
From John Hardin's website:
"The IPsec AH protocol (51/ip) incorporates a cryptographic checksum including the IP addresses in the IP header. Since masquerading changes those IP addresses and since the cryptographic checksum cannot be recalculated by the masquerading firewall, the masqueraded packets will fail the checksum test and will be discarded by the remote IPsec gateway. Therefore, IPsec implementations that use the AH protocol cannot be successfully masqueraded. Sorry. (ESP with authentication can be masqueraded.)"
Some links you might find helpful:
Linux L2TP Daemon (rather old) [marko.net]
The Draft RFC mentioned above (from the same site) [marko.net]
John Hardin's VPN Masquerading Website [rubyriver.com]
FreeS/WAN home page (IPSec for Linux) [xs4all.nl]
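The quoted explanation of why AH breaks under masquerading but ESP-with-authentication does not can be shown in a few lines. The following is an added illustration, not code from the thread, from John Hardin's site or from FreeS/WAN: it models each packet as a dictionary, computes the AH integrity check value over the IP addresses plus payload and the ESP one over the payload only, then lets a "masquerading" step rewrite the source address without access to the key. Addresses, key and payload are constructed; the functions and the HMAC-SHA1-96 choice follow the RFC 2402/2404 shape but are simplified (only addresses are taken as the immutable header fields).

```python
import hmac
import hashlib
import socket

# Shared only by the two IPsec peers; the masquerading firewall never has it (constructed demo key)
KEY = b"constructed-demo-key"


def _hmac96(data):
    """HMAC-SHA1 truncated to 96 bits, the AH/ESP authenticator format of RFC 2404."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def _addr_fields(src, dst):
    # Simplified "immutable IP header fields": just the two addresses (AH also covers
    # others, but the addresses are what masquerading changes)
    return socket.inet_aton(src) + socket.inet_aton(dst)


def build_ah_packet(src, dst, payload):
    """AH (IP proto 51): the ICV covers the IP addresses, so it binds the packet to them."""
    return {"proto": 51, "src": src, "dst": dst, "payload": payload,
            "icv": _hmac96(_addr_fields(src, dst) + payload)}


def build_esp_packet(src, dst, payload):
    """ESP with authentication (IP proto 50): the ICV covers only the ESP header and
    encrypted payload, never the outer IP header. Encryption is omitted here."""
    return {"proto": 50, "src": src, "dst": dst, "payload": payload,
            "icv": _hmac96(payload)}


def verify_ah(pkt):
    """What the remote IPsec gateway does on receipt of an AH packet."""
    expected = _hmac96(_addr_fields(pkt["src"], pkt["dst"]) + pkt["payload"])
    return hmac.compare_digest(expected, pkt["icv"])


def verify_esp(pkt):
    """Receiver-side check for ESP-with-authentication."""
    return hmac.compare_digest(_hmac96(pkt["payload"]), pkt["icv"])


def masquerade(pkt, public_src):
    """What the masquerading firewall does: rewrite the source address. It has no KEY,
    so it cannot recompute the ICV, which is the whole point of the quote above."""
    return {**pkt, "src": public_src}


if __name__ == "__main__":
    inside, peer, public = "192.168.0.50", "203.0.113.10", "198.51.100.1"  # constructed addresses
    ah = build_ah_packet(inside, peer, b"payload")
    esp = build_esp_packet(inside, peer, b"payload")
    print("AH before masq :", verify_ah(ah))                 # True
    print("AH after masq  :", verify_ah(masquerade(ah, public)))   # False: discarded by the gateway
    print("ESP before masq:", verify_esp(esp))               # True
    print("ESP after masq :", verify_esp(masquerade(esp, public)))  # True: survives the rewrite
```

The ESP packet survives only the integrity check; the masquerading box still has to track the SPI to route replies back to the right inside host, which is what the GRE/ESP masquerading patches mentioned in the thread take care of.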
It is possible..... (Score:1)
L2TP Router INT: 192.168.200.1
L2TP Router EXT: 192.168.0.50
|
|
MASQ BOX INT: 192.168.0.1
MASQ BOX EXT: 172.32.1.1 (or any GLOBAL IP)
MASQ BOX EXT: 172.32.1.2 (or any GLOBAL IP)
MASQ BOX INT: 192.168.0.50
|
|
L2TP Router EXT: 192.168.0.1
L2TP Router INT: 192.168.201.1
===============================================
Notice that the IP of each MASQ box is identical to the opposing L2TP Router.
Each MASQ box must have PORT FORWARDING enabled with the GRE/ESP patch to the Linux Kernel to enable IPCHAINS passthrough and proper forwarding.
Each MASQ box must have either 2 way MASQuerading running or a combination of global IP's (headache time) that allow the packets to change origin at destination.
L2TP1 initiates a connection to 192.168.0.1, which is then forwarded by MASQ1 to MASQ2 on port 500, utilizing GRE/ESP packet encoding. MASQ2 is set to forward internally these packets to L2TP2 on its internal network, with the "originating" system appearing to be the local MASQ2 system, which, by design, has the same IP as the original L2TP system.
Now, this is an incredible waste of time, since you completely wreck the ability of L2TP to support multiple connections.
Cheers (and I apologize for the headaches if you try to make this work)
Ugh (Score:1)
Layer 2 Tunneling Protocol is basically a revamped version of PPTP w/o Microsoft extensions, by Cisco.
It is NOT IPSec. Nor is it typically used with IPSec. It is one of the two options to create a tunnel between two Windows boxes talking using IPSec in Windows 2000.
The ip_masq_pptp patch (which I believe is integrated into the kernel now) basically allows for the masquerading of GRE tunnel traffic.
FreeS/WAN will not help you with this, unless you can convince the admins to let you connect using PPTP w/o MS encryption and authentication, hidden inside IPSec encryption. Believe it or not, I'm setting it up now so some remote offices of the company I work for can just power up PGPnet (a free Windows IPSec implementation) and then just create a PPTP tunnel.
Hope this clears up a few things.
-LW
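The ip_masq_pptp patch mentioned above works because PPTP carries its data in enhanced GRE (RFC 2637), which has no port numbers but does carry a 16-bit Call ID in the GRE key field; that field is what a masquerading box uses to tell concurrent sessions apart. The following is an added example, not code from the thread or from the kernel patch: a builder and parser for that GRE header, plus a small table that maps Call IDs to inside hosts the way a masquerading box would have to. Packet contents, addresses and function names are constructed for the example.

```python
import struct

GRE_PROTO_PPP = 0x880B  # protocol type for PPP inside enhanced GRE (RFC 2637)

# Bit positions in the 16-bit flags/version word of the enhanced GRE header
FLAG_KEY = 0x2000   # K: key (payload length + call ID) present; always set for PPTP
FLAG_SEQ = 0x1000   # S: sequence number present
FLAG_ACK = 0x0080   # A: acknowledgement number present
VERSION_MASK = 0x0007


def build_pptp_gre(call_id, payload, seq=None, ack=None):
    """Construct an enhanced GRE packet (header + PPP payload) for the given call."""
    flags = FLAG_KEY | 1  # version 1 = enhanced GRE
    if seq is not None:
        flags |= FLAG_SEQ
    if ack is not None:
        flags |= FLAG_ACK
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(payload), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + payload


def parse_pptp_gre(data):
    """Parse an enhanced GRE header; return a dict with call_id, seq, ack and payload.

    Raises ValueError on anything that is not PPTP-style GRE, so a masquerading
    box would fall back to its generic handling for such packets.
    """
    if len(data) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, length, call_id = struct.unpack("!HHHH", data[:8])
    if proto != GRE_PROTO_PPP or (flags & VERSION_MASK) != 1 or not flags & FLAG_KEY:
        raise ValueError("not an enhanced GRE / PPTP packet")
    off = 8
    seq = ack = None
    if flags & FLAG_SEQ:
        seq = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags & FLAG_ACK:
        ack = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if len(data) < off + length:
        raise ValueError("payload length exceeds packet")
    return {"call_id": call_id, "seq": seq, "ack": ack, "payload": data[off:off + length]}


class PptpMasqTable:
    """Maps outbound Call IDs to inside hosts so inbound GRE replies can be steered
    back to the right box. This mirrors the role of the kernel's PPTP masquerading
    helper in outline only; it is not that code."""

    def __init__(self):
        self.by_call_id = {}

    def outbound(self, inside_host, packet):
        call_id = parse_pptp_gre(packet)["call_id"]
        self.by_call_id[call_id] = inside_host
        return call_id

    def inbound(self, packet):
        """Return the inside host for an inbound GRE packet, or None if unknown."""
        return self.by_call_id.get(parse_pptp_gre(packet)["call_id"])


if __name__ == "__main__":
    table = PptpMasqTable()
    # Two inside Windows boxes (constructed addresses), each with its own PPTP call
    table.outbound("192.168.0.50", build_pptp_gre(0x1234, b"\xff\x03\xc0\x21", seq=1))
    table.outbound("192.168.0.51", build_pptp_gre(0x0042, b"\xff\x03\xc0\x21", seq=1))
    reply = build_pptp_gre(0x0042, b"\xff\x03\x00\x21", seq=9, ack=1)
    print("reply for call 0x0042 goes to:", table.inbound(reply))  # 192.168.0.51
```

Because the Call ID is chosen by each PPTP endpoint independently, two inside hosts can legitimately pick the same value; a real masquerading helper also keys on the peer address and rewrites colliding Call IDs, which is one reason the early GRE masquerading patches were fiddly.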