[NCLUG] cipe "virtual identity"

listz at hate.cx listz at hate.cx
Thu May 8 16:28:35 MDT 2003


But what about if the firewall and gateway are separated by the internet? Let's
assume 192.168.0.10 is a real address. Does the tunnel have its own addresses
inside the tunnel? Like a real address of 216.17.172.1 on eth0 of the laptop,
and the firewall has an address of 192.168.0.11 (again, assuming it's routable).
Maybe I'm being confusing, and maybe I just need to play around with it some.


on Thu May 08 14:04, Kevin Fenzi disclosed: 
> >>>>> "listz" == listz  <listz at hate.cx> writes:
> 
> listz> I know I'm jumping the gun on the cipe presentation planned for
> listz> later, but I'm trying to implement VPNs on my firewalls at
> listz> work. Basically I want laptops to be able to authenticate via
> listz> pre-installed keys 
> 
> CIPE supports this. By default you can use static keys, but there is a
> pkcipe that lets you use public keys. 
> 
> listz> to some VPN software on the firewall and
> listz> then have all traffic act as if it's coming from an interface on
> listz> the firewall (e.g. laptop with IP 192.168.0.10 connects to
> listz> firewall and then any traffic to networks 10.0.0.0/8 or
> listz> 172.16.0.0/12 will appear to be coming from firewall IP
> listz> 1.2.3.4). I can make FreeS/WAN do this with some policy
> listz> routing, but I may need Windows clients to connect as well, and
> listz> I don't think Windows is smart enough for that sort of policy
> listz> routing. Will cipe support "virtual identities", and if not
> listz> does anyone know of a way to accomplish what I'm looking for?
> 
> CIPE will do this: you set up a cipe connection between the laptop and
> the firewall. At the firewall you set up a forward rule to forward anything
> from the laptop going to internal IPs. The laptop still needs to know
> that it can use the cipe tunnel for the internal IPs though. Not sure if
> that's easy to do on Windows or not. 
> 
> So, the laptop's cipe interface is 192.168.0.10, the firewall's cipe
> interface for that connection is 192.168.0.11. The laptop needs to
> have a route for 172.16.0.0 and 10.0.0.0 to use 192.168.0.11 as its
> gateway. The hosts internally need to know that 192.168.0.x addresses
> are handled by the firewall. 
> 
> Should work fine. 
> 
> On my (Linux) laptop I set up CIPE to use my tunnel for all traffic
> except a host route to the host at the other end of the cipe tunnel
> and the local network. 
> 
> kevin

::[ RFC 2795 ]::
 "Democracy means simply the bludgeoning of the
 people by the people for the people."
 -Oscar Wilde
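To make the two address layers in this thread concrete, here is an added example (not code from the list or from CIPE) that models the laptop's routing table as Kevin describes it. The tunnel has its own inner addresses (192.168.0.10 on the laptop, 192.168.0.11 on the firewall) that ride inside UDP packets exchanged between the real outer addresses (the laptop's 216.17.172.1 and the firewall's 1.2.3.4). The ISP gateway 216.17.172.254 and the interface name cipcb0 are assumptions; the check at the end shows why Kevin's "everything through the tunnel" setup needs the host route to the far endpoint, since otherwise the tunnel's own outer packets would be routed back into the tunnel.

```python
"""Longest-prefix-match model of the CIPE laptop routing table (constructed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str  # destination network, e.g. "10.0.0.0/8"
    via: str     # next hop, "" when the destination is directly connected
    dev: str     # outgoing interface


def lookup(table, dst):
    """Return the most specific matching route, as the kernel would."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


LAPTOP_PUBLIC_GW = "216.17.172.254"  # assumed ISP gateway for the laptop
FIREWALL_PUBLIC = "1.2.3.4"          # firewall's outer address from the thread
TUNNEL_PEER = "192.168.0.11"         # firewall's inner (cipe) address

# Split tunnel: only the internal networks go through cipcb0.
SPLIT = [
    Route("216.17.172.0/24", "", "eth0"),
    Route("0.0.0.0/0", LAPTOP_PUBLIC_GW, "eth0"),
    Route(TUNNEL_PEER + "/32", "", "cipcb0"),   # point-to-point tunnel peer
    Route("10.0.0.0/8", TUNNEL_PEER, "cipcb0"),
    Route("172.16.0.0/12", TUNNEL_PEER, "cipcb0"),
]

# Kevin's laptop: default route via the tunnel, plus a /32 host route to the
# tunnel's outer endpoint and the local network kept on eth0.
FULL = [
    Route("216.17.172.0/24", "", "eth0"),
    Route(FIREWALL_PUBLIC + "/32", LAPTOP_PUBLIC_GW, "eth0"),
    Route("0.0.0.0/0", TUNNEL_PEER, "cipcb0"),
]


def tunnel_loops(table):
    """True if the encrypted packets to the peer would be sent into the tunnel."""
    r = lookup(table, FIREWALL_PUBLIC)
    return r is not None and r.dev == "cipcb0"
```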
