[NCLUG] cipe "virtual identity"

Kevin Fenzi kevin at scrye.com
Thu May 8 14:04:05 MDT 2003



>>>>> "listz" == listz  <listz at hate.cx> writes:

listz> i know i'm jumping the gun on the cipe presentation planned for
listz> later, but i'm trying to implement vpns on my firewalls at
listz> work. basically i want laptops to be able to authenticate via
listz> pre-installed keys 

CIPE supports this. By default you can use static keys, but there is a
pkcipe that lets you use public keys. 

listz> to some vpn software on the firewall and
listz> then have all traffic act as if it's coming from an interface on
listz> the firewall (e.g. laptop with IP 192.168.0.10 connects to
listz> firewall and then any traffic to networks 10.0.0.0/8 or
listz> 172.16.0.0/12 will appear to be coming from firewall ip
listz> 1.2.3.4). i can make frees/wan do this with some policy
listz> routing, but i may need windows clients to connect as well, and
listz> i don't think windows is smart enough for that sort of policy
listz> routing. will cipe support "virtual identities", and if not
listz> does anyone know of a way to accomplish what i'm looking for?

CIPE will do this: you set up a cipe connection between the laptop and
the firewall. At the firewall you set up a forward rule to forward anything
from the laptop going to internal IPs. The laptop still needs to know
that it can use the cipe tunnel for the internal IPs, though. Not sure if
that's easy to do on Windows or not. 

So, the laptop's cipe interface is 192.168.0.10, the firewall's cipe
interface for that connection is 192.168.0.11. The laptop needs to
have a route for 172.16.0.0 and 10.0.0.0 to use 192.168.0.11 as its
gateway. The hosts internally need to know that 192.168.0.x addresses
are handled by the firewall. 

Should work fine. 

On my (Linux) laptop I set up CIPE to use my tunnel for all traffic
except a host route to the host at the other end of the cipe tunnel
and the local network. 

kevin
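The three pieces of the setup Kevin describes (laptop routes, firewall forward rules, return route on the internal side), written out as shell helpers. This is an added example, not code from the thread or from CIPE; it assumes a Linux firewall with iproute2 and iptables, that ciped has already brought the tunnel up on a device named cipcb0, a default-DROP FORWARD chain, and a firewall internal address that you supply (it is not given on the page).

```shell
#!/bin/sh
# Added example (not from the thread). Addresses are the thread's:
# laptop tunnel end 192.168.0.10, firewall tunnel end 192.168.0.11,
# internal nets 10.0.0.0/8 and 172.16.0.0/12. DRY_RUN=1 prints the
# commands instead of executing them (real runs need root).

INTERNAL_NETS="10.0.0.0/8 172.16.0.0/12"

run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Laptop side: only the internal ranges go into the tunnel; everything
# else keeps its normal route, so no host route for the firewall's
# public address is needed here (that is only needed for a full tunnel).
# Usage: laptop_routes <tunnel-dev> <firewall-tunnel-ip>
laptop_routes() {
    dev="$1"; peer="$2"
    for net in $INTERNAL_NETS; do
        run ip route replace "$net" via "$peer" dev "$dev"
    done
}

# Firewall side: turn on forwarding and allow the laptop's tunnel traffic
# into the internal ranges, plus the replies coming back out.
# Usage: firewall_forward <tunnel-dev> <laptop-tunnel-ip>
firewall_forward() {
    dev="$1"; laptop="$2"
    run sysctl -w net.ipv4.ip_forward=1
    for net in $INTERNAL_NETS; do
        run iptables -A FORWARD -i "$dev" -s "$laptop" -d "$net" -j ACCEPT
        run iptables -A FORWARD -o "$dev" -d "$laptop" -s "$net" \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

# Internal hosts (or their router): return path for the 192.168.0.x
# tunnel addresses via the firewall's internal address (placeholder).
# Usage: internal_return_route <firewall-internal-ip>
internal_return_route() {
    run ip route replace 192.168.0.0/24 via "$1"
}
```

Run each function on the machine it belongs to; with `DRY_RUN=1` you can review the exact commands first.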
